AWS Security Challenges

Web App

AWS Cloud Security from the Point of View of Compliance

10/2012(10) Page 50 http://pentestmag.com

Clouds are finding increased use in core enterprise systems, which means that auditing is the cornerstone expectation. Cloud vendors announce new cloud services, offer new security solutions and refer to the global security standards, among which the requirements look quite similar. This is a series of articles about AWS cloud security from the point of view of compliance. It highlights the technical requirements of the top worldwide and Russian security standards for the key AWS services, and describes how to prepare technically for an audit and how to configure AWS services.

Cloud computing has been one of the top security topics for the last several years, for enterprise IT departments as well as other businesses. Cloud computing offers unlimited storage and other resources with flexibility. The basic idea of the cloud is centralized IT services: on-demand service, network access, rapid elasticity, scalability and resource pooling. Three models are known: SaaS, PaaS and IaaS. Each of them can be deployed as a Private Cloud, Community Cloud, Public Cloud or Hybrid Cloud. Some security questions about clouds are: how is it implemented, how are data and communication channels secured, how secure are the cloud and application environments, etc. The cloud simply uses well-known protocols like SMTP, HTTP, SSL and TCP/IP to communicate, send e-mail, handle files and so on. Methods that are compliant as part of an RFC should indicate that they are OK. Standards like the ISO 27001 series still provide a measure of information security, but only as a minimum set. Third-party organizations like the Cloud Security Alliance (CSA) promote their best practices for cloud security and keep a registry of cloud vendors' security controls to help users make the right choice.

Cloud security vendors claim that end-user companies sometimes prefer cost reduction over increased security, to reduce the operational complexity of their cloud. This eventually ends with the end user accepting a lower amount of cloud security. For example, as VM instances are often visible, you should configure the server or the firewall "somehow" to protect this flow. Another example says that the term "physical security" does not exist anymore since the cloud came; nevertheless, it was the same when hosting services arrived. Even if the new technology is only another way to perform well-known actions, the customer must improve on the default configuration to face cyber-attacks, and will eventually succeed. Phishing or SQL injection is not a real concern, because they have been in existence too long and patches have been made available. If the virtual OS is a Windows Server or an Ubuntu server, then the OS has the same security and patch management state as a desktop/server OS. The virtual server can easily be updated and patched, or even reconfigured. This is acceptable, except in the situation where the cloud vendor notifies you that a patch or update cannot be applied. In addition, it is mere trust, just as with what you download or buy on disk. Eventually, they offer a solution, e.g. to buy & sell a suitable security solution (a third-party solution should be more trustworthy than the cloud vendor, oh really?), and
note that logs should be analyzed from time to time, that you should use an IDS, and that you should find popular software to protect network ports, although such software often cannot be applied to this case. Some believe that if a classic network object like a server can be physically near the company then it is more secure than a virtual one, but that is not true. A significant example is to think about the cloud like a home/work PC connected to the Internet directly or via a router. When you need to protect this PC you do not talk about why the DNS gateways are public, whether they are trusted, and so on. You can keep your hosts file as a DNS; several clouds provide the end user with the same feature, not through the hosts file but through their own DNS routing service.

General Cloud and Security Points

Security in the cloud is just like traditional security: network security, authentication, authorization, auditing, and identity management. This is not anything new or revolutionary. There are several points about security that are often discussed:
• Perimeter network role and location:
  • Location (city/country): where is the data located/stored in the cloud?
  • What is the compliance with standards and country regulations?
  • What type of firewall (guest, mandatory, VPN, other) is used?
• Identity and Access Management:
  • What is the authentication/authorization and role-based access control?
  • What is the existence of privileged users, or user access for the cloud services?
  • Are there different access types per user, application and role?
• Data Privacy:
  • How is data separated from other cloud users?
  • What type of encryption is used?
• Logging and Auditing
• Endpoint protection / client security
• Misuse, as shown at the BlackHat conference, like breaking into a Wi-Fi network or password brute-forcing

Virtualization refers primarily to the hypervisor, while a virtual machine works with a configured snapshot of an OS image and usually includes virtual disk storage. As all virtual machines require memory, storage or network, a hypervisor supports these virtual machines and presents the hardware pool that it can work with. Hypervisors isolate the memory and computing resources and allow performing actions without affecting other instances. There are security issues when you are using virtualization in the cloud, no doubt. Each OS running in a virtual environment should be patched and monitored like any non-virtual OS. You may use a gateway device that provides the applicable security configuration to the devices connected to it. You still have to use host-based firewalls and IDS to capture, stop and filter non-allowed activity from applications and network attacks, to disable or enable communication with other virtual machines, or to extend the logging system. Just like in a classic datacentre, where you have to maintain stability and security by constant monitoring, alerting and reporting about what the customers are doing with the resources, what geographic locations they are coming from and how many users connect at certain times of the day, the cloud infrastructure should also report misuse or other out-of-policy activity taking place. Auditing needs to log and report on all activities taking place in the cloud (elastic computing, storage, VPN, etc.). It really simplifies the increasing complexity of clouds. Sometimes a security design failure, a single poorly secured service that can easily be compromised, leads to the risk of valuable data being stolen, or of the services being made unavailable by DDoS or other interruptions. The access solution known as IAM is an important method to authenticate connections and authorize access to cloud resources. Your IT policy should take into account the broad range of access rights, because it often divides access into "all", "owner only", and somewhere in between these.
Not all clients should have the right to access all data, but staff rights need to be set up so that everyone who is responsible is approved, similar to role-based access in traditional offices, where end users can have access to the services, and sometimes the controls, while administrators have access to the controls and manage the functionality and performance of the workloads. In the cloud, you will need to think about how you handle inbound connections to the resources required by any services, hosting and client devices, and how they will connect. DMZs and firewalls are a good solution, but they should belong to different security zones, to prevent access to the whole cloud service by attacking the gateway. The common network IDS does not necessarily work as well here; it might not even work as it does on a classic network. But it may work to monitor suspicious traffic between virtual machines if the IDS allows the network gate or traffic to be moved through a VPN to/from your corporate network, where the IDS exists. Another point is performance, which may lead to resource allocation problems and open the service to DoS/DDoS attacks. Another filtering method for limiting traffic is firewalling by physical location, which isolates different security zones. Network traffic between virtual machines should be encrypted to protect data while in transit. Of course, the hypervisor has access to all guest OSes, and if it is compromised itself it will have a broad impact on network isolation, but the probability of that is low since all hypervisors are very custom. The cloud infrastructure administrator will need to depend on new tools that are cloud-aware and may not be defined by the current IT department. Another security issue deals with the (de-)allocation of resources. If data was written to storage and was not wiped before reallocation, or the instance crashed before reallocation, then there is a data leakage problem on the HDD. It means the IT department needs to rely on the reallocation feature and perform clean-up operations instead of relying on the cloud service. It may need special DoD tools to be run manually, or running processes until the OS fires them off (terminates). This may increase operational expenses. In other words, no sensitive information should be stored in plain text. Using whole-volume encryption will protect the physical storage, prevent access to a virtual environment, and finally reduce the risk of exposure. Also, applications may encrypt data in storage, data in RAM and data during processing to make it more difficult for someone to gain access to it.

Security Overview: Windows Azure vs. Amazon Web Services

These two platforms differ by the decision each vendor made about how end users should access their cloud services. Windows Azure makes data spreading the cornerstone, via neither storage nor web server. AWS makes many services more accessible, which is important when merging to the cloud. These different goals have a huge influence not only on the IT policy but also on the API. Both AWS and Azure services were built
in accordance with security best practices, and the security features are well documented to make it clear how to use them to design strong protection. Below I examine the security features offered by each vendor.

Compliance

Azure: Microsoft complies with data protection and privacy laws, but only customers are responsible for determining whether Windows Azure complies with their country's laws and regulations. For example, ISO for Azure covers cloud services (web and VM), storage, and networking.

AWS: AWS offers compliance with FISMA to allow government and federal agencies to implement AWS solutions and security configurations in their security systems. In addition, VPC (Virtual Private Cloud), GovCloud and the SSL mechanism sustain FIPS 140-2. AWS has validated its physical infrastructure and services like EC2, S3, EBS, VPC, RDS and IAM at PCI DSS Level 1, which allows end customers to store, process and transmit credit card information with proper security. EC2, S3 and VPC, as well as the AWS datacentres, are covered by the global security standard ISO 27001 too.

Physical Security

Azure: Azure is designed to be available 24x7; its datacentres are managed, monitored and administered by Microsoft and, of course, compliant with applicable industry standards for physical security. Azure staff are limited in the number of operations and must regularly change access passwords (if performed by administrators). All administrative actions are audited to determine the history of changes. Finally, you can know what services are affected through the Health Dashboard (https://www.windowsazure.com/ru-ru/support/service-dashboard/).

AWS: AWS datacentres are located throughout the world (US, EU, and Asia) and are available 24x7x365. The actual location is known only by those that have a legitimate business need. Amazon datacentres are secured to prevent unauthorized access; access tickets are immediately destroyed when someone leaves the company, or when they continue to be an Amazon employee but are promoted to another position. A standard employee, or a third-party contractor, has a minimum set of privileges and can be disabled by the hiring manager. All types of access to any resource are logged, as well as their changes, and access must be explicitly approved in Amazon's proprietary permission management system. Any change leads to revocation of the previous access, because approval is explicit per type of access to the resource. Every access grant is revoked 90 days after it was approved, too. Access to services, resources and devices relies on user IDs, passwords and Kerberos. In addition, Amazon mentions expiration intervals for passwords. "Physical access is logged and audited and is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means". Staff use two-factor authentication, while third-party contractors are escorted by authorized staff and have to present signed IDs. Also, Amazon describes important things like fire detection, power and climate control, mentioning UPS to keep services functional 24 hours per day, while Microsoft just says that it does. Finally, you can know what services are affected through the AWS Service Health Dashboard (http://status.aws.amazon.com/).

Data Privacy

Azure: Azure runs in multiple datacentres around the world and offers the customer redundancy and backup features on deployment.

AWS: AWS offers data encryption, backup and redundancy features. For example, services that store data in S3 and EBS use redundancy in different physical locations but inside one "Availability Zone", unless you set up backup services to duplicate data.
This way (not across multiple zones) is how EBS works, while S3 provides durability across multiple Availability Zones. To extend and fix EBS redundancy, users are enabled to back up AMI images stored on EBS to S3. Object deletion executes an un-mapping process to prevent remote access. When a storage device has reached the end of its useful life, AWS initiates destruction procedures in accordance with DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"). AWS allows encryption of sensitive data, and performing such actions before uploading it to S3; additionally, there is no permission to use your own or commercial encryption tools.

Network Security

Azure: Microsoft uses a variety of technologies to keep customers away from unauthorized traffic, through firewalls, NAT boxes (load balancers) and filtering routers. Azure relies on 128-bit TLS protection for communications inside datacentres and between end users and customer VMs. Filtering routers reject all non-allowed attempts, i.e. addresses and ports, which prevents attacks that use "drones" or "zombies" searching for vulnerable servers, the most popular way to break into a network. Filtering routers also support configuring back-end services to be accessible only from their corresponding front ends. Firewalls restrict incoming and outgoing communication to known IP addresses, ports and protocols. Microsoft offers authorized penetration testing of customer applications hosted in Windows Azure if the request for it is submitted at least 7 days beforehand.

AWS: AWS enforces MITM protection by SSL-protected endpoints; for example, EC2 generates new SSH host certificates on first boot and logs them to the instance's console. EC2 instances are designed to be non-spoofable by a host-based firewall that restricts traffic with a source IP or MAC address other than its own and blocks non-allowed traffic (by IP, port, geo location, date and time and more). Even if an instance runs in promiscuous mode, the hypervisor will not deliver any traffic to it; it relies on explicit restrictions that protect from traffic capturing on the same physical host, on both EC2 and VPC. Unauthorized port scans are a violation of the AWS Acceptable Use Policy; however, customers are permitted to pentest their AWS services, which should be proved by IP, port, date and time, login and contact, agreed with AWS support before pentesting. Violations may lead to revocation of AWS accounts after investigation by Amazon. Moreover, if illegal activity occurs, AWS customers should inform AWS about it. In addition, AWS has a proprietary DDoS mitigation technique but does not describe any of its key features. AWS IAM enables managing multiple users, their permissions, passwords and password policy under one AWS account, or among several AWS accounts, as unique security credentials. New IAM users, as well as the entire IAM and EC2, have no access to any resources by default ("deny" access type) and deal with explicitly granted permissions only. AWS Multi-Factor Authentication is additional security on top of the basic credentials, provided by a six-digit single-use code. This code is usually generated by an authentication device or a similar application like Google Authenticator. It works very well for the AWS account or for user accounts within IAM. AWS offers key and certificate rotation on a regular basis to mitigate the risk from lost or compromised access keys or certificates. It is available for the AWS account or for user accounts within IAM too (Table 1).

Table 1. Cloud security features

Type | Feature | AWS | Azure
Compliance | CSA | + | N/A
Compliance | NIST | + | N/A
Compliance | FISMA | + | N/A
Compliance | FIPS 140-2 | + | N/A
Compliance | HIPAA | + | +
Compliance | PCI DSS | + | N/A
Compliance | ISO 27001 | + | +
Physical Security | Actions & events logging | + | +
Physical Security | Logs audit | + | +
Physical Security | Minimum access rights | + | +
Physical Security | Auto revocation of access after N days | + | N/A
Physical Security | Auto revocation of access after role change | + | N/A
Physical Security | Two-factor authentication | + | N/A
Physical Security | Escort | + | N/A
Data Privacy | Backup | + | +
Data Privacy | Redundancy inside one GeoLocation | + | N/A
Data Privacy | Redundancy across several GeoLocations | + | +
Data Privacy | Encryption | + | N/A
Data Privacy | DoD/NIST Destruction | + | N/A
Network Security | MITM Protection | + | +
Network Security | DDoS Protection | + | N/A
Network Security | Host-Based Firewall (ip, port, mac) | + | +
Network Security | Mandatory Firewall | + | +
Network Security | Extended Firewall (Geo, date'n'time) | + | N/A
Network Security | Hypervisor protection from promiscuous mode | + | +
Network Security | Pentesting offer | + | +
Credentials | Login and Passwords | + | +
Credentials | SSL | + | +
Credentials | Cross-account IAM | + | N/A
Credentials | MFA hardware | + | N/A
Credentials | MFA software | + | N/A
Credentials | Key-Rotation | + | N/A

Credentials

Azure: Azure provides virtual machines to customers, giving them access to most of the same security options available in Windows Server. Customers use SSL client certificates to control updates to their software and configuration. Basic credentials like username and password are common within Azure resources.

How are AWS Services Secured

Access and Credentials

Access to applications and services within the AWS cloud is protected in multiple ways, and it requires special credentials:

Figure 1. AWS Access Credentials I
Figure 2. AWS Access Credentials II

• Access Credentials:
  • Access Keys, to manage REST or Query protocol requests to any AWS service API, and S3. The possible states are:
    • Active – can be used.
    • Inactive – cannot be used, but can be moved back to the Active state.
    • Deleted – can never be used again.
  • X.509 Certificates, to manage SOAP protocol requests to AWS service APIs, except S3.
  • Key Pairs, to manage CloudFront.
• Sign-In Credentials:
  • E-mail address and password, to sign in to AWS web sites, the AWS Management Console, the AWS Discussion Forums, and the AWS Premium Support site.
  • AWS Multi-Factor Authentication device, as an optional credential that increases the security level for managing the AWS web site and the AWS Management Console.
• Account Identifiers:
  • AWS Account ID, to manage all AWS service resources except Amazon S3; it looks like 8xxx-xxxx-xxx8.
  • Canonical User ID, to manage Amazon S3 resources such as buckets or files only; it is a 64-byte string that looks like "7xbxxxxxxcdxcxbbxcxxxxxe08xxxxx44xxxaaxdx0xxbxxxxxeaxed8xxxbxd4x".

The purpose of the access keys is the management of requests to AWS product REST or Query APIs, or to third-party products, with the Access Key ID; the Access Key ID is not a secret. EC2 is enabled to use access keys, usually known as an SSH key pair, and/or X.509 certificates to interact with the services. The secret/private part of the access key is used to retrieve the administrator password and for the REST and Query APIs, while the X.509 certificate is used with command-line operations and SOAP APIs, except S3, which is managed with access keys. When AWS receives a request, the Access Key ID is checked against its own Secret Access Key to validate the signature and confirm that the request sender is legitimate. Key rotation is manual at the moment and looks like this:
• Make a second active credential.
• Update applications and services with the new credential.
• Move the first credential to Inactive.
• Check that working with the new credential is OK.
• Delete the first credential.

To add an extra layer of security, use the AWS MFA feature, which provides a six-digit single-use code in addition to the e-mail and password. All details, activation of hardware or software MFA and more are at http://aws.amazon.com/mfa (Figure 1 and Figure 2, Table 2).

Additionally, AWS offers so-called Identity and Access Management, which integrates easily with almost all AWS services, e.g. EC2, S3 and more. IAM provides the following:
• Create users and groups under your organization's AWS account
• Easily share your AWS account resources between the users in the account
• Assign unique security credentials to each user
• Granular control of each user's access to services and resources

Table 2. Resource credentials

Resource | Access type
REST or Query API request to an AWS service, including S3 | Access Keys
SOAP API request to an AWS service (except for Amazon S3) | X.509 Certificates
Access to the secure pages or the AWS Management Console | Amazon e-mail address and password, with optional AWS Multi-Factor Authentication
Manage EC2 with the command-line tools | Your X.509 Certificates
Launch or connect to an EC2 instance | Your Amazon EC2 Key Pairs
Bundle an Amazon EC2 AMI | For Linux/UNIX AMIs: your X.509 Certificates and AWS Account ID to bundle the AMI, and your Access Keys to upload it to Amazon S3. For Windows AMIs: your Access Keys for both bundling and uploading the AMI.
Share an EC2 AMI or EBS snapshot | The AWS Account ID of the account you want to share with (without the hyphens)
Send e-mail by using the Amazon SES SMTP endpoint | Your Amazon SES SMTP user name and password
Access to the AWS Discussion Forums or the AWS Premium Support site | Your Amazon e-mail address and password
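The credential states (Active, Inactive, Deleted), the server-side check that a request's signature matches the secret looked up by its Access Key ID, and the five manual rotation steps above can be exercised together in one small model. The following is an added example and not code from the article or from AWS: the in-memory `CredentialStore`, the key ids, the host and the actions are constructed stand-ins, and the signing follows the general shape of AWS Signature Version 2 (verb, host, path and sorted query string signed with HMAC-SHA256) rather than reproducing any AWS library. The same lookup-and-recompute check is what the S3 section later describes as authenticating a request with an HMAC signature under the user's private key.

```python
"""Access-key lifecycle and request signing, modelled in memory.

Added illustration, not AWS code: `CredentialStore` stands in for the IAM
access-key table, `sign_request`/`verify_request` follow the shape of AWS
Signature Version 2, and `rotate` walks the five manual rotation steps from
the article.  Key ids, hosts and actions below are constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

ACTIVE, INACTIVE, DELETED = "Active", "Inactive", "Deleted"

# Active <-> Inactive may go either way; Deleted is final.
_TRANSITIONS = {ACTIVE: {INACTIVE, DELETED}, INACTIVE: {ACTIVE, DELETED}, DELETED: set()}


class CredentialStore:
    """In-memory stand-in for the IAM access-key table (not an AWS API)."""

    def __init__(self):
        self._keys = {}       # access key id -> {"secret": ..., "state": ...}
        self._serial = 0

    def create_key(self):
        self._serial += 1
        key_id = f"AKIAEXAMPLE{self._serial:04d}"   # constructed id, not a real key
        secret = secrets.token_urlsafe(30)            # random secret, never derived from the id
        self._keys[key_id] = {"secret": secret, "state": ACTIVE}
        return key_id, secret

    def set_state(self, key_id, new_state):
        entry = self._keys[key_id]
        if new_state not in _TRANSITIONS[entry["state"]]:
            raise ValueError(f"{key_id}: {entry['state']} -> {new_state} is not allowed")
        entry["state"] = new_state

    def state(self, key_id):
        return self._keys[key_id]["state"]

    def secret_for(self, key_id):
        """Only an Active key can validate a signature; the key id itself is public."""
        entry = self._keys.get(key_id)
        return entry["secret"] if entry and entry["state"] == ACTIVE else None


def _string_to_sign(verb, host, path, params):
    """Canonical form: verb, host, path and the sorted, percent-encoded query."""
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                     for k, v in sorted(params.items()))
    return "\n".join([verb, host.lower(), path, query])


def _signature(secret, verb, host, path, params):
    mac = hmac.new(secret.encode(), _string_to_sign(verb, host, path, params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_request(key_id, secret, verb, host, path, params):
    """Client side: attach the public key id and a signature over the whole request."""
    params = dict(params, AWSAccessKeyId=key_id, SignatureMethod="HmacSHA256", SignatureVersion="2")
    params["Signature"] = _signature(secret, verb, host, path, params)
    return params


def verify_request(store, verb, host, path, params):
    """Server side: look up the secret by key id, recompute, compare in constant time."""
    params = dict(params)
    presented = params.pop("Signature", None)
    secret = store.secret_for(params.get("AWSAccessKeyId", ""))
    if presented is None or secret is None:
        return False
    return hmac.compare_digest(_signature(secret, verb, host, path, params), presented)


def rotate(store, old_key_id, app, verb="GET", host="ec2.amazonaws.com", path="/"):
    """The article's five manual steps; `app` holds the credential the application uses."""
    new_id, new_secret = store.create_key()                  # 1. make a second active credential
    app["key_id"], app["secret"] = new_id, new_secret        # 2. update the application with it
    store.set_state(old_key_id, INACTIVE)                    # 3. move the first one to Inactive
    probe = sign_request(new_id, new_secret, verb, host, path, {"Action": "DescribeInstances"})
    if not verify_request(store, verb, host, path, probe):   # 4. check the new credential works
        store.set_state(old_key_id, ACTIVE)                  #    (Inactive may return to Active)
        raise RuntimeError("new credential rejected; old key re-activated")
    store.set_state(old_key_id, DELETED)                     # 5. delete the first credential
    return new_id


def demo():
    """Run one rotation and report what the verifier accepts before and after."""
    store = CredentialStore()
    old_id, old_secret = store.create_key()
    app = {"key_id": old_id, "secret": old_secret}
    verb, host, path = "GET", "ec2.amazonaws.com", "/"
    req = sign_request(old_id, old_secret, verb, host, path, {"Action": "DescribeInstances"})
    tampered = dict(req, Action="TerminateInstances")        # parameter changed after signing
    result = {
        "old_key_accepted_before": verify_request(store, verb, host, path, req),
        "tampered_rejected": not verify_request(store, verb, host, path, tampered),
    }
    result["new_key"] = rotate(store, old_id, app)
    result["old_key_accepted_after"] = verify_request(store, verb, host, path, req)
    result["old_key_state"] = store.state(old_id)
    return result, store, old_id


if __name__ == "__main__":
    print(demo()[0])
```

The order of the steps is what makes the rotation safe: the application is switched before the old key is deactivated, so the service never runs without an Active credential, and the verification probe in step 4 happens while the old key is merely Inactive, so a failure can still be rolled back. Once a key reaches Deleted, `set_state` refuses to bring it back, matching the states listed above.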
Virtual Instances (Amazon Elastic Compute Cloud)

EC2 is a web service that provides resizable compute capacity in the cloud, which allows paying only for the capacity used, and supports OSes like Windows Server, Red Hat, OpenSUSE Linux and more. EC2 allows setting up everything according to the OS. Moreover, you are enabled to export preconfigured OSes from VMware, through the AWS console commands, the AWS API, or a special VMware connector. It helps to leverage configuration management or compliance requirements. VM Import/Export is available for use in all Amazon EC2 regions, and even with VPC. The final goal is protection from interception and unauthorized actions, and EC2 security is designed to protect against several attack vectors.
• Host OS protection usually includes event logging, multi-factor authentication and regular access revocation (in this case it is AWS that manages the host OS set).
• Guest OS protection usually includes a native firewall (Windows Firewall, iptables, etc.), basic credentials such as login/e-mail and password, extended by multi-factor authentication, SSH version 2 access, and EC2 keys that should be unique per virtual instance.
• Firewall protection includes a mandatory inbound firewall, pre-configured in a default deny-all mode, that allows restriction by protocol, by service port and by source IP address.
• This firewall is not controlled through the guest OS; an X.509 certificate and key are required to authorize changes. Additionally, customers may use the guest OS firewall to filter inbound and outbound traffic.

Table 3. Requirements of the Russian Federal Law about Personal Data

Requirement | AWS Solution
Access management: users are required to use an alphanumeric password at least six characters long | Native AWS solution implemented in IAM, with MFA and a special code in addition
All devices (including external ones), instances, users, resources and network nodes require identification | A canonical name is developed for users and resources, enabled mainly through IAM; EC2 identifies by tags, by logical name
Access event logging: login and logout events; date and time of login and logout events; credentials used to log in | Not yet released for IAM; provided by the EC2 OS solution (Windows, *nix)
Access to file events: date and time of access to file events; user ID/equivalent used to access the file | Not yet released for IAM and provided by the EC2 OS solution (Windows, *nix); native solution implemented in S3 that provides the canonical user ID and IP address that accessed the file, date and time, and more
Allocated drive wiping | Native AWS solution on un-mapping, termination, etc.
Additional physical security, access control management, restriction of employees or third-party contractors | AWS solution described above under physical security and compliance on physical security
Backup and restore for integrity protection | Depends on the design; generally an AMI image stored on EBS and backed up into S3
Network packet filtering by IP address; by date and time; by protocol | Native solution implemented in the EC2 mandatory firewall, which includes IP, port and protocol; additional solutions of the EC2 OS (Windows and *nix); additional IAM solution for resources, enabling geo filtering and date and time filtering
• API calls signed by X.509 certificates are a kind of protection that helps Xen keep the different instances isolated from each other.

Moreover, EC2 is designed to prevent mass spam distribution by limiting the sending of e-mail. Any request for mass e-mail is available through the request URL (https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request). The main concept of cloud security is visibility by guest OS firewall, mandatory firewall and geo availability (Regions and Availability Zones), because each such zone is managed with physically independent infrastructure. Different areas of the world, i.e. USA or EU, are known as regions, inside of which there are several physically independent zones. Each zone is isolated from failures in the others; some AWS services are allowed to move data between zones to keep away from failure, some are not, but moving across regions is manual only.

Virtual Storage (Amazon Simple Storage Service and Elastic Block Store volume)

S3 is simple storage for the Internet with several interfaces (for example, web service and API calls) to store and retrieve data from anywhere. EBS provides so-called block-level storage; in other words, it is equivalent to physical and logical hard disks. Multiple volumes can be attached to an instance, while the same volume cannot be attached to a different instance. EBS provides a backup feature through S3. S3 is "unlimited" storage, while customers size EBS. S3 APIs provide both bucket- and object-level access controls, with defaults that only permit authenticated access by the bucket and/or object creator. As opposed to EC2, where all activity is restricted by default, S3 starts open for all access under the current AWS account only, which means that all buckets and other folders and files should be controlled by IAM and the canonical user ID, which finally authenticates with an HMAC-SHA1 signature of the request using the user's private key. S3 provides Read, List and Write permissions in its own ACL at the bucket level, or in an IAM permissions list; these are independent and supplement each other. S3 provides file versioning as a kind of protection to restore any version of every object in the bucket. Additionally, the "S3 versioning MFA Delete" feature will request typing the six-digit code and the serial number from the MFA device. Also, a valuable feature for audit and forensics cases is logging of S3 events, which can be configured per bucket on initialization. These logs will contain information about each access request and include:
• the request type,
• the requested resource,
• the requester's IP,
• the time and date of the request.

EBS access restriction looks similar to S3: resources are accessible under the current AWS account only, and to users granted access with AWS IAM (this may span AWS accounts as well, if it is explicitly allowed). Snapshots backed up to S3 and shared enable indirect access (read permission only, not alteration, deletion or other modification) to the EBS volume. There is an interesting point suitable for forensics: a snapshot stored on S3 will keep all data deleted from the EBS volume, if it was not altered or DoD-wiped.

Table 4. Requirements of the CSA CAI Questionnaire

Requirement | AWS Solution
Data Governance |
Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)? | AWS provides the ability to tag EC2 resources. A form of metadata, EC2 tags can be used to create user-friendly names.
Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag, etc.)? |
Do you have a capability to use system geographic location as an authentication factor? | Native solution implemented in the EC2 mandatory firewall, which includes IP, port and protocol; additional solutions of the EC2 OS (Windows and *nix); additional IAM solution for resources, enabling geo filtering and date and time filtering.
Can you provide the physical location/geography of storage of a tenant's data upon request? | AWS currently offers six regions, designated by customers, in which customer data and servers will be located: US East (Northern Virginia), US West (Northern California and Oregon), GovCloud (US) (Oregon), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore) and Asia Pacific (Tokyo).
Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation? |
Do you support secure deletion (e.g. degaussing / cryptographic wiping) of archived data as determined by the tenant? | Native AWS solution on un-mapping, termination, etc., as well as DoD 5220.22-M / NIST 800-88 to destroy data, discussed above.
Facility Security |
Are physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) implemented? | Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means; compliance with AWS SOC 1 Type 2 and the ISO 27001 standard, Annex A, domain 9.1.
Information Security |
Do you encrypt tenant data at rest (on disk/storage) within your environment? | Encryption mechanisms for almost all services, including S3, EBS, SimpleDB, EC2 and VPC sessions, as well as Amazon S3 Server Side Encryption.
Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? |
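The per-bucket S3 access logging described above only helps an audit or an investigation if someone actually reads the entries, so here is an added example (not code from the article or from AWS) of the kind of first-pass review a defender would run over them. The six log lines are constructed in the layout of the S3 server access log format (18 whitespace-separated fields, with the timestamp in brackets and the request URI, referrer and user agent quoted); the bucket name, canonical ids, request ids and addresses are sample values. The three rules pick out exactly the elements the article calls valuable for forensics: who made the request, against which resource, from which address, and when.

```python
"""Parse S3 server access log lines and flag risky requests.

Added illustration, not AWS code: the log lines below are constructed in the
layout of the S3 server access log format; the bucket, ids and addresses are
sample values.  The rules encode what the article lists as useful for audit
and forensics: who asked, for what, from where, and when.
"""
from collections import Counter

FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referrer", "user_agent", "version_id",
]

# Operations that change who may read a bucket or remove data; worth a finding on their own.
SENSITIVE_OPS = {"REST.PUT.ACL", "REST.PUT.BUCKETPOLICY", "REST.DELETE.OBJECT", "REST.DELETE.BUCKET"}

# Constructed sample entries: one normal read, one anonymous read, three denials
# from one address, and one ACL change.  "-" in the requester field means unauthenticated.
SAMPLE_LOG = """\
OWNERCANONICALIDEXAMPLE finance-reports [10/Oct/2012:09:15:02 +0000] 198.51.100.7 USERCANONICALIDEXAMPLE 3E57427F3EXAMPLE REST.GET.OBJECT reports/q3.pdf "GET /finance-reports/reports/q3.pdf HTTP/1.1" 200 - 5120 5120 12 10 "-" "aws-cli/1.0" -
OWNERCANONICALIDEXAMPLE finance-reports [10/Oct/2012:09:16:41 +0000] 203.0.113.5 - 7B4A0FABBEXAMPLE REST.GET.OBJECT reports/q3.pdf "GET /finance-reports/reports/q3.pdf HTTP/1.1" 200 - 5120 5120 15 11 "-" "Mozilla/5.0" -
OWNERCANONICALIDEXAMPLE finance-reports [10/Oct/2012:09:20:03 +0000] 203.0.113.9 - 1A2B3C4D5EXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /finance-reports/reports/q1.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.26.0" -
OWNERCANONICALIDEXAMPLE finance-reports [10/Oct/2012:09:20:04 +0000] 203.0.113.9 - 1A2B3C4D6EXAMPLE REST.GET.OBJECT reports/q2.pdf "GET /finance-reports/reports/q2.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.26.0" -
OWNERCANONICALIDEXAMPLE finance-reports [10/Oct/2012:09:20:05 +0000] 203.0.113.9 - 1A2B3C4D7EXAMPLE REST.GET.OBJECT reports/q4.pdf "GET /finance-reports/reports/q4.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/7.26.0" -
OWNERCANONICALIDEXAMPLE finance-reports [10/Oct/2012:09:31:17 +0000] 198.51.100.7 USERCANONICALIDEXAMPLE 9F8E7D6C5EXAMPLE REST.PUT.ACL - "PUT /finance-reports/?acl HTTP/1.1" 200 - - - 9 8 "-" "aws-cli/1.0" -
"""


def _tokenize(line):
    """Split on whitespace, keeping "..." and [...] groups as single tokens."""
    tokens, buf, closer = [], [], None
    for ch in line:
        if closer:
            if ch == closer:
                tokens.append("".join(buf))
                buf, closer = [], None
            else:
                buf.append(ch)
        elif ch == '"':
            closer = '"'
        elif ch == "[":
            closer = "]"
        elif ch.isspace():
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_line(line):
    """Map one log line onto the named fields; extra trailing fields are ignored."""
    tokens = _tokenize(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    return dict(zip(FIELDS, tokens))


def analyse(entries, private_buckets, denied_threshold=3):
    """Return findings as tuples whose first element names the rule that fired."""
    findings, denied_by_ip = [], Counter()
    for e in entries:
        status = int(e["http_status"]) if e["http_status"].isdigit() else 0
        # Rule 1: an unauthenticated requester successfully reading a bucket meant to be private.
        if e["requester"] == "-" and e["bucket"] in private_buckets and 200 <= status < 300:
            findings.append(("anonymous-access", e["remote_ip"], e["bucket"], e["key"]))
        # Rule 2: AccessDenied per source address; a run of them looks like probing.
        if status == 403:
            denied_by_ip[e["remote_ip"]] += 1
        # Rule 3: successful ACL/policy changes and deletions are always worth a look.
        if e["operation"] in SENSITIVE_OPS and 200 <= status < 300:
            findings.append(("sensitive-operation", e["remote_ip"], e["bucket"], e["operation"]))
    for ip, n in denied_by_ip.items():
        if n >= denied_threshold:
            findings.append(("access-denied-burst", ip, n))
    return findings


def run(log_text=SAMPLE_LOG, private_buckets=frozenset({"finance-reports"})):
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return analyse(entries, private_buckets)


if __name__ == "__main__":
    for finding in run():
        print(*finding)
```

Against the sample, the normal read by the account's canonical user passes, the anonymous read of the same object is reported, the three denials from 203.0.113.9 are rolled up into one burst finding, and the ACL change is listed so that a reviewer can confirm it was intended. Real log files are larger and the requester field holds a canonical user id or an IAM principal, so in practice the private-bucket list and the threshold would come from configuration rather than from the defaults used here.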
Talking about secure wiping, AWS provides a "destroying" data feature via a specific method, such as those detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"); AWS performs these actions for S3 and EBS. In case it is impossible to wipe data at the end of a storage disk's lifetime, such a disk will be physically destroyed.

Gross Inspection on AWS Compliance from the Customer Side

As this is the first part of a series of articles, I briefly examine several standards and order documents referred to security on compliance; some of them are worldwide and some are Russian. In further articles, I will provide a detailed examination of AWS services against the best-known documents, to explain and show whether cloud services (mainly AWS and Azure) are really so insecure, whether configuring for compliance is really so complex, and whether compliance makes sense for end customers in terms of security. Some of the requirements and entire documents to be discussed are deliberately outdated, to highlight the comparison.

One of them, the Russian Federal Law about Personal Data, refers to the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", which was confirmed in 2006. This reference allows storing data outside Russia, and 1C Company has already offered a cloud solution in accordance with Chapter III, "Transborder data flows", and Article 12, "Transborder flows of personal data and domestic law":
• The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.
• A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorization transborder flows of personal data going to the territory of another Party.
• Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:
• insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;
• when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.

The Russian law refers to other documents that provide several protection requirements, some of which I examine now. These requirements are divided into three categories based on which data is processed (medical, religion, nationality, etc.) (Table 3).

Some non-profit organizations try to unify best practices for clouds, help vendors improve their security features and provide customers with the best choice of the solution they need. One of them is the CSA, in which a range of industry security practitioners, corporations and associations participate to achieve its mission. They created the so-called "CSA Consensus Assessments Initiative Questionnaire", which provides a set of questions the CSA anticipates a cloud consumer and/or a cloud auditor would ask of a cloud provider. AWS announced that it has completed the CSA CAI (Table 4).

Conclusion

Some companies have to manage regulations because of legal requirements on how data should be handled, where it should be stored and how consumer data is protected. On the other hand, a security audit may uncover vulnerabilities. Whether an audit makes sense or not, there are cases when you or someone else has to validate against a standard. In these articles, I briefly analyze the security features of AWS against several requirements. In further articles, I will provide a detailed examination of AWS services against the best-known documents, to explain and show whether cloud services (mainly AWS and Azure) are really so insecure, whether configuring for compliance is really so complex, and whether compliance makes sense for end customers in terms of security.

On the Net
• http://www.windowsecurity.com/articles/Cloud-computing-can-we-trust-how-can-be-used-whilst-being-secure.html – Cloud computing, can we trust it and how can it be used whilst being secure, Ricky M. Magalhaes
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part1.html – Security Considerations for Cloud Computing (Part 1) – Virtualization Platform, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part2.html – Security Considerations for Cloud Computing (Part 2), Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part3.html – Security Considerations for Cloud Computing (Part 3) – Broad Network Access, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part4.html – Security Considerations for Cloud Computing (Part 4) – Resource Pooling, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part5.html – Security Considerations for Cloud Computing (Part 5) – Rapid Elasticity, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part6.html – Security Considerations for Cloud Computing (Part 6) – Metered Services, Deb Shinder
• https://www.windowsazure.com/en-us/support/legal/security-overview/ – Technical Overview of the Security Features in the Windows Azure Platform, April 2011
• http://www.baselinemag.com/c/a/Security/Securing-Data-in-the-Cloud/ – Securing Data in the Cloud, Eric Friedberg
• http://d36cz9buwru1tt.cloudfront.net/Whitepaper_Security_Best_Practices_2010.pdf – AWS Security Best Practices, January 2011
• http://d36cz9buwru1tt.cloudfront.net/pdf/AWS_Security_Whitepaper.pdf – Amazon Web Services: Overview of Security Processes, May 2011
• https://www.windowsazure.com/en-us/support/trust-center/compliance/ – Trust Center Home, Compliance
• http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

Yury Chemerkin
Yury Chemerkin graduated from RSUH in 2010 (http://rggu.com/) with a diploma thesis on BlackBerry. He is currently in the postgraduate program at RSUH with a thesis on Cloud Security. Experience in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and as a contributing Security Writer. Also researching Cloud Security and Social Privacy. For the last several years, I have worked on mobile social security, cloud security and compliance, mobile security and forensics; additionally, I develop solutions based on exploiting not only OS vulnerabilities but also third-party products and solutions.
Regular blog: http://security-through-obscurity.blogspot.com
Regular Email: yury.chemerkin@gmail.com
Skype: yury.chemerkin
