Journal Online
1ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved.
Cloud computing is a significa...
2 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved.
fundamental computing resources where the c...
3ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved.
As a common step toward managing information ...
4 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved.
Compliance and Audit Control in Cloud Compu...
recovery schemes for the cloud must be effectively in place
in order to prevent data loss, unwanted data overwrite and
IT systems to a services-oriented model. IT personnel want
the same types of control they have in the data center in the
• Tools and services—Cloud computing introduces a number
of new challenges around the tools and services required
to build...
8 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved.
where its data reside in the cloud applicat...
9ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved.
today. While an enterprise may be able to lev...
10 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved.
Figure 3—Identity Access and Federation Wi...
11ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved.
IAM practices than enterprise customers. To ...
12 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved.
the SAML service provider strictly reinfor...
ENISA, Cloud Computing Security Risk Assessment,
20 November 2009,
Upcoming SlideShare
Loading in...5

ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh


Published on

ISACA Journal Publication Volume 5 written by Shah Sheikh - published in Q4 2013. Based on the Cloud Security Alliance Framework whitepaper titled "Does your Cloud have a Secure Lining?"

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh

  1. 1. Journal Online 1ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. Cloud computing is a significant step in the Internet’s evolution, providing the means through which everything—from computing power to computing infrastructure, applications, business processes or personal collaboration—can be delivered as a service wherever and whenever needed. The cloud in cloud computing can be defined as the set of hardware, networks, storage, services and interfaces combined to deliver aspects of computing as a service. Cloud service models are based on three categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Consumer cloud computing services have been well-established since the Internet has been mainstream. Well-known examples are WebMail services and social networking platforms. However, the adoption of cloud computing in the enterprise sector has been slower. The numerous security risks, concerns and challenges posed have primarily influenced the slow uptake in cloud services, even though they have much to offer. Full assessment of the governance, risk and compliance factors of cloud services by organizations is needed to provide informed judgments. Data and information life cycle, source and origination, transfer, destination, validation, and deletion all need to be understood. Transborder data flow across countries with different cyberlaw jurisdictions needs to be carefully considered, and any sensitive information leakage that results in litigation requires the involvement of cyberlaw legal teams. Periodic rights for third-party audit clauses, frequent reporting mechanisms for security violations and a clearly defined service level agreement (SLA) between an organization and the cloud service provider (CSP) need to be developed. With CSPs utilizing shared pools of resources, virtualization and isolation capabilities need to be questioned along with identity access control and management frameworks. Some of the critical factors to consider are the encryption key life cycle of virtualized environments and the portability of information if the organization decides to move to another CSP. This article introduces a holistic security approach to cloud computing and equips chief information officers (CIOs) and information security executives with the knowledge to understand key security drivers, requirements, risk factors and challenges they are likely to face when migrating the enterprise infrastructure, platform and services to the cloud. Cloud Service Model The typical characteristics of any cloud computing environment are based on multiple concepts, such as rapid provisioning of services, agility of infrastructure, elasticity of computing resources based on demand, a high level of scalability, modularity and performance, multitenancy through virtualization, and compartmentalization and dynamic security. Cloud computing provides enterprise IT economies of scale through effective and efficient utilization of a shared pool of resources to perform IT functions. Offloading complementary IT functions to a cloud service provider allows IT personnel to focus on business-critical activities such as reducing operational expenditures that help manage, maintain and support the IT infrastructure. All IT functions such as applications, networking, security, storage and software work in tandem to provide users with a service based on the client-server model. This client-server model can be delivered through sharing infrastructure, platform and service that are user transparent. With such ground- breaking definitions, typically not found in traditional enterprise architectures, this service model should result in a shift in the way the organization thinks. Infrastructure as a Service The infrastructure provides provisional processing, storage, networks and other Shah H. Sheikh, CISA, CISM, CRISC, CISSP, CCSK, is the cofounder and senior security consultant at DTS Solution, a dynamic start-up organization that provides network and security solutions in the Middle East regional market. Sheikh has more than 10 years of industry experience. Having worked for a service provider, system integrator and multiple technology vendors, Sheikh has extensive knowledge on complete project life cycles that focus around security solutions. Does Your Cloud Have a Secure Lining? A Holistic Security Approach to Cloud Computing
  2. 2. 2 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. fundamental computing resources where the consumer can deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, and deployed applications, and, possibly, limited control of select networking components (e.g., host firewalls). Platform as a Service The platform allows the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and, possibly, the application hosting environment configurations. Software as a Service The software allows the consumer to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web- based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user- specific application configuration settings. Figure 1 provides an example of the different cloud computing services model structures based on the consumer and provider relationship. Deployment Models There are four deployment models for cloud services, with derivative variations that address specific requirements: • Public cloud—The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. • Private cloud—The cloud infrastructure is operated by a single organization. It may be managed by the organization or a third party, and it may exist onsite or offsite. • Community cloud—The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organization or by a third party and it may exist onsite or offsite. • Hybrid cloud—The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load- balancing between clouds). Cloud Computing Risk Management Framework Numerous information security regulations, standards and compliance frameworks have been established and matured over the last decade (e.g., ISO 27002, the Payment Card Industry Data Security Standard [PCI DSS], the US Health Insurance Portability and Accountability Act [HIPAA], the US Sarbanes-Oxley Act). Such industry standards have played a vital role in providing organizations and security professionals with the ability to measure security in the context of business risk; as the awareness, importance and requirements for securing information assets gain more traction, the industry is set to face key challenges when it comes to securing information assets for the cloud. A standardized information security framework specifically for cloud computing does not exist, given the uniqueness in how cloud computing operates. The European Network and Information Security Agency (ENISA),1 for example, has developed a cloud computing risk assessment strategy; however, global adoption and acceptance has been difficult due to the lack of clarity on securing the cloud infrastructure. Security professionals undoubtedly face complexities and challenges when it comes to addressing key security requirements for cloud computing. While any organization should follow its own respective enterprise IT risk management framework in the context of the cloud, other considerations need to be assessed, evaluated and deployed as well. Managing risk appetite when the information resides out of the organization’s control can be problematic and it is imperative that security SLAs are well defined with the cloud provider.
  3. 3. 3ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. As a common step toward managing information security risk in the cloud, the following items focus on areas of risk management that should be at the forefront when considering cloud deployment: • Identify the assets for cloud deployment (requirements needed to move to the cloud). • Evaluate assets and measure both the technical and business risk associated with the assets. • Correlate the assets to the type of cloud service and deployment model appropriate for the organization. • Identify the potential data flow. • Develop audit controls that can be delivered to the organization as a self-service or on-demand service by the CSP. • Validate information life cycles (e.g., data encryption and decryption, data residency, retention, deletion) for the asset. • Ensure consistency of authorized use of assets by users between existing in-house and proposed CSP services. • Ensure no lock-in clause for a CSP and the ability for assets to be portable between CSPs. • Ensure data protection from leakage, data residency and malicious CSP administrators. • Examine legal risk and transborder data flow among countries with differing legal jurisdictions. • Ensure that security SLAs with the CSP have clearly defined financial penalty clauses for any violations. Figure 1—Cloud Computing Service Models SaaS PaaS IaaS Host Application, Services and Software Platform and Infrastructure Software Virtualization and Multitenancy Operating System Physical Servers Network and Security Infrastructure Data Center Foundation • Software as a Service • Enterprise email • Hosted IP telephony—VoIP • Hosted teleconferencing • ERP/HR/payroll systems • Electronic health records database system • Federated identity access—cross-domain SSO • Portals • Transactional sites • Virtual desktop profiles • Data center site • Power • Physical access control • HVAC • Data center fabric • Switches, routers and access points • Service layer—application control delivery • Network security • Federated identity access • IPAM, DNS, DHCP, QoS • Physical servers • Storage area network (SAN) • Computer/storage resource • Windows Server 2008 • Redhat Linux Enterprise • Solaris • Partitions/containers • Virtualization—ESX, Hyper-V, XenServer virtual machines • Virtual networking—VRF/virtual routers • Virtual security—virtual firewall systems • Virtual ADC and load balancing • Commercial-off-the-shelf (COTS) platforms • Customized developed platforms • Infrastructure manage software
  4. 4. 4 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. Compliance and Audit Control in Cloud Computing Environments When infrastructure/platforms and services are under the control of the organization, ensuring compliance through governance is straightforward—roles and responsibilities are clearly defined, compliance controls are designed and implemented with management approval, and audit of compliance status can easily be tracked and measured. When services are migrated to the cloud, an organization loses control on how compliance is implemented and maintained and this control is relinquished to the CSP. As part of any compliance requirement, a gap analysis must be undertaken to identify how regulatory, legislative and industry compliance can be designed and implemented from day one. It is imperative that any compliance requirements the organization is required to observe are validated and certified before migrating to the cloud. Of the many regulations touching on information technology with which organizations must comply, few were written with cloud computing in mind. Auditors and assessors may not be familiar with cloud computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to understand: • Regulatory applicability for the use of a given cloud service • Division of compliance responsibilities between the CSP and the customer • The CSP’s ability to produce evidence needed for compliance on demand • The cloud customer’s role in bridging the gap between the CSP and the auditor/assessor The following recommendations should be carefully considered by the cloud customer when applying compliance and audit control processes within a cloud environment: • Reserve the right to request an on-demand audit of the services to which the customer is subscribed (a right-to- audit clause). • Comprehensively analyze legal and contractual agreements and terms that address compliance needs. • Analyze the compliance scope to ensure that the compliance regulations to which the organization is subject are not impacted by the use of cloud services. • Examine the impact of regulatory compliance for data security and determine if the data that will move to the cloud are subject to compliance requirements. • Review CSP partners; in certain cases, a CSP may subcontract partial functions (i.e., data processing) to another party. • Determine how to provide on-demand evidence of compliance and how each compliance requirement is being met. Information Life-Cycle Management in the Cloud One of the primary goals of information security is to protect the fundamental data that power an organization’s systems and applications. As an organization transitions to cloud computing, its traditional methods of securing data are challenged by cloud-based architectures. Elasticity, multitenancy, new physical and logical architectures, and abstracted controls require new data security strategies. With many cloud deployments, data are also transferred to external—or even public— environments in ways that would have been unthinkable only a few years ago.2 Key challenges regarding data life-cycle security in the cloud include: • Location of the data—There must be assurance that data, including all copies and backups, are stored only in geographic locations permitted by contract, SLA and/or regulations. For example, use of compliant storage as mandated by the European Union for storing electronic health records can be an added challenge to the data owner and CSP. • Data remanence or persistence—Data must be effectively and completely removed to be deemed “destroyed.” Therefore, techniques to effectively and completely locate data in the cloud, erase/destroy data, and ensure the data have been completely removed or rendered unrecoverable must be available and used when required. • Commingling data with other cloud customers—Data, especially classified/sensitive data, must not be commingled with other customer data without compensating controls while in use, storage or transit. Commingled data are a challenge when concerns are raised about data security and geolocation. • Data backup and recovery schemes for recovery and restoration—Data must be available, and data backup and ” “Traditional methods of securing data are challenged by cloud-based architectures.
  5. 5. recovery schemes for the cloud must be effectively in place in order to prevent data loss, unwanted data overwrite and destruction. It should not be assumed that cloud-based data are backed up and recoverable. • Data discovery—As the legal system continues to focus on electronic discovery, CSPs and data owners must focus on discovering data and assuring legal and regulatory authorities that all data requested have been retrieved. In a cloud environment, if the question of discoverability arises, it is extremely difficult to answer and will require administrative, technical and legal controls when required. • Data aggregation and inference—With data in the cloud, there are added concerns of data aggregation and inference that could result in breaching the confidentiality of sensitive and private information. Therefore, practices must be in place to assure data owners and data stakeholders that their data are protected from subtle breach when data are commingled and/or aggregated, thus revealing protected information (e.g., medical records that contain names and medical information mixed with anonymous data but that contain the same crossover field). Cloud Data Security Life Cycle The cloud data security life cycle is different from information life-cycle management as it reflects the different needs of the security audience. Careful consideration is needed when migrating corporate data to the cloud. The cloud data security life cycle consists of the following six phases: • Create—Classify and assign rights to data, data labeling techniques, digital rights management and watermarking, and user tagging to classify data. • Store—Base data access control on who needs to know, as well as on the database management system (DBMS), the document management system, data encryption and decryption to authorized users, and content discovery tools (such as data loss prevention). • Use—Use activity monitoring and enforcement via log files, rights management and logical controls using DBMS solutions, and data owner notification on change of status. • Share—Use encryption for transit information and signed documents, activity monitoring for shared information, and maintaining integrity for transit data. • Archive—Monitor data residency within storage environments, asset management, tracking and encryption on backup archived information and for data at rest. Archived data should be retrieved only by the data owner. • Destroy—Ensure removal and secure deletion of information by authorized personnel; validate deletion with content discovery. Cryptoshredding and content construction should not be possible. Data Portability and Interoperability Between Cloud Providers The cloud brings new opportunities for enterprises to develop and deploy efficient and compelling services, unlock the potential of the public and private domain data, and reduce costs for information and communications technology (ICT) services. Cloud’s interoperability and portability are key topics of discussion for policy makers, both as a tool to reduce integration costs and to reduce dependence on large ICT vendors. While systems interoperability becomes the primary domain of the CSP, issues around data interoperability still remain important, and perhaps even critical, as enterprise data become increasingly contained within the systems provided through the CSP. Many public cloud networks are configured as closed systems that do not interact with each other. This lack of integration makes it difficult for organizations to consolidate their IT systems in the cloud and realize the resultant productivity gains and cost savings. The issue of cloud portability is important to all enterprises, as they want to ensure that customers can switch CSPs without unreasonable switching costs. Inevitably, when a customer changes the CSP, it is reasonable to assume that there will be a certain amount of switching costs. However, from a cloud portability perspective, it also becomes critical that data are shareable between CSPs, since without the ability to port data, it would become impossible to switch CSPs at all. Policies need to be crafted around data-interoperability- related issues to ensure that data interchange between cloud services is unhindered, as most enterprise users are likely to use heterogeneous CSPs for their needs. Policy makers must focus on data ownership and control issues to ensure that the owners continue to control the destiny of their data. To achieve the economies of scale that will make cloud computing successful, common platforms are needed to ensure users can easily navigate between services and applications regardless of where they are coming from and to enable organizations to more cost-effectively transition their 5ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved.
  6. 6. IT systems to a services-oriented model. IT personnel want the same types of control they have in the data center in the cloud. When an organization pushes data out to the cloud, it outsources availability and security to the cloud vendor, which is considered a major weakness. Virtualization and Multitenancy Environments The ability to provide multitenant cloud services at the infrastructure, platform or software level is often underpinned by the ability to provide some form of virtualization to create economic scale—utilization of a shared pool of resources to host multiple tenants. However, use of these technologies brings additional security concerns. While there are several forms of virtualization, by far the most common is the virtualized operating system known as virtual machines (VMs). If VM technology is being used in the infrastructure of the cloud services, the organizations must be concerned about compartmentalization, isolation and hardening of those VM systems. The reality of current practices related to management of virtual operating systems is that many of the processes that provide security-by-default are missing and special attention must be paid to replacing them.3 The core virtualization technology itself introduces new attack surfaces in the hypervisor and other management components, but more important is the severe impact virtualization has on network security. VMs now communicate over a hardware backplane, rather than a network.4 As a result, standard network security controls are blind to this traffic and cannot perform monitoring or in-line blocking. These controls need to take a new form to function in the virtual environment. Interference and commingling of data in centralized services and repositories are additional concerns. In theory, a centralized database as provided by a cloud computing service should improve security over data distributed over a vast number and mixture of endpoints; however, this is also centralizing risk, increasing the consequences of a breach. Another concern is the commingling of VMs of different sensitivities and security. In cloud computing environments, the lowest common denominator of security is shared by all tenants in the multitenant virtual environment, unless new security architecture can be achieved that does not “wire in” any network dependency for protection. Virtualization technology has been around for many years and many enterprises already have some form of virtualization deployed within their internal data centers; however, with a CSP that requires providing virtualization in a multitenancy environment, the security risk inevitably increases. Application and Hypervisor Security Cloud environments by virtue of their flexibility, openness and, often, public availability challenge many fundamental assumptions about application security. Some of these assumptions are well understood; many are not. Cloud computing can influence security over the lifetime of an application in many ways—from design, to operations, to decommissioning. It is important that all stakeholders, including application designers, security professionals, operations personnel and technical management, understand how to best mitigate risk and manage assurance within cloud computing applications. Cloud computing is a particular challenge for applications across the layers of SaaS, PaaS and IaaS. Cloud-based software applications require a design rigor similar to applications residing in a classic DMZ. This includes a deep up-front analysis covering all the traditional aspects of managing information confidentiality, integrity and availability. Applications in cloud environments impact and are impacted by the following aspects: • Application security architecture—Consideration must be given to the reality that most applications have dependencies on various other systems. With cloud computing, application dependencies can be highly dynamic, even to the point that each dependency represents a discrete third-party service provider. Cloud characteristics make configuration management and ongoing provisioning significantly more complex than in traditional application deployment. The environment drives the need for architectural modifications to assure application security. • Compliance—Compliance clearly affects data, but it also influences applications (e.g., regulating how a program implements a particular cryptographic function), platforms (perhaps by prescribing operating system controls and settings) and processes (such as reporting requirements for security incidents). • Vulnerabilities—These include not only the well- documented—and continuously evolving—vulnerabilities associated with web apps, but also vulnerabilities associated with machine-to-machine service-oriented architecture (SOA) applications, which are increasingly being deployed in the cloud. 6 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved.
  7. 7. • Tools and services—Cloud computing introduces a number of new challenges around the tools and services required to build and maintain running applications. These include application management utilities, the coupling to external services, and dependencies on libraries and operating system services, which may originate from CSPs. Understanding the ramifications of who provides, owns, operates and assumes responsibility for each of these is fundamental. Hypervisor security is the process of ensuring the hypervisor (the software that enables virtualization) is secure throughout its life cycle, including during development, implementation, provisioning, management and deprovisioning. The hypervisor that enables virtualization and the use of VMs is a critical component for securing VM assets in the cloud. The hypervisor is the central software that enables VM-to-VM communication and VM-to-external-entity communication; therefore, it is the most critical component in providing security. VM-to-VM communication does not traverse the network infrastructure and remains inside the physical server; therefore, the traditional network security firewalls cannot be deployed for traffic inspection. It is important to give consideration to hypervisor security in the form of a security virtual appliance. A virtual firewall that operates at the hypervisor level provides security among VMs and increases visibility of the communications among authorized VMs. Without such mechanisms in place, the organization is likely to be susceptible to blind attacks. A common hypervisor security deployment is illustrated in figure 2 where products such as the virtual GW (vGW) product from Juniper Networks or Cisco ASA 1000V are providing security to the individual VMs. Security and compliance concerns are first-order priorities for virtualized data center and cloud deployments. Encryption and Key Management Cloud users and providers need to protect against data loss, leakage and theft. Encryption of personal and enterprise data is widely used and, in some cases, mandated by laws and regulations around the world. Cloud customers want the same level of data encryption services for data at rest and in motion and want their providers to encrypt their data to ensure protection—no matter where the data are physically located. Likewise, the CSP needs to protect its customers’ sensitive data to avoid embarrassment and protect its own integrity. Figure 2—Virtual Machine Hypervisor Security Deployment Strong encryption with key management is one of the core mechanisms that cloud computing systems should use to protect data. While encryption itself does not necessarily prevent data loss, safe-harbor provisions in laws and regulations treat lost encrypted data as not lost at all. The encryption provides resource protection while key management enables access to protected resources. One common question that often comes up during cloud computing discussions is where the enterprise data are stored. Data sovereignty raises issues for businesses adopting cloud computing for sensitive data. CSPs often store customer data in various geographical locations to ensure scalability, efficiency and resiliency—often on a common platform shared by multiple tenants. The organization’s data may not reside within the same country as the business, and privacy laws and jurisdictions may vary dramatically among countries and regions. When moving applications to the cloud, the organization must understand not only where its users reside, but also 7ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. Virtual Network Physical Security Is “Blind” to Traffic Between Virtual Machines VM1 HYPERVISOR VM2 VIRTUAL SWITCH VM3 ESXHost
  8. 8. 8 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. where its data reside in the cloud application—if not precisely, at least in which legal jurisdictions. This information can be difficult to determine, as data are constantly in motion in the cloud. Cloud environments are shared with many tenants, and service providers have privileged access to the data in those environments. Thus, confidential data hosted in a cloud must be protected using a combination of access control, contractual liability and encryption. Of these, encryption offers the benefits of minimum reliance on the CSP and lack of dependence on detection of operational failures. Encrypting Data in Transit Over Networks There is the utmost need to encrypt multiuse credentials, such as credit card numbers, passwords and private keys, in transit over the Internet. Although CSP networks may be more secure than the open Internet, they are, by their very architecture, made up of many disparate components, and disparate organizations share the cloud. Therefore, it is important to protect this sensitive and regulated information in transit even within the CSP’s network. Typically, this can be implemented with equal ease in SaaS, PaaS and IaaS environments. Encrypting Data at Rest Encrypting data on disk or in a live production database has value, as it can protect against a malicious CSP or a malicious cotenant as well as against some types of application abuse. For long-term archival storage, some customers encrypt their own data and then send them as ciphertext to a cloud data storage vendor. These customers then control and hold the cryptographic keys and decrypt the data, if necessary, back on their own premises. Encrypting data at rest is common within IaaS environments, using a variety of provider and third-party tools. Encrypting data at rest within PaaS environments is generally more complex, requiring instrumentation of provider offerings or special customization. Encrypting data at rest within SaaS environments is a feature cloud customers cannot implement directly and need to request from their CSP. Encrypting Data on Backup Media This can protect against misuse of lost or stolen media. Ideally, the CSP implements it transparently. However, as a customer and provider of data, it is the organization’s responsibility to verify that such encryption takes place. One consideration for the encryption infrastructure is dealing with the longevity of the data. Tokenization Emerging technologies that provide complete encryption using standardized encryption algorithms and key management life cycle have seen significant growth. One emerging technology known as tokenization provides the enterprise customer of the CSP the ability to store, retrieve and delete data based on keys that the enterprise holds. No other cotenant—or the CSP, for that matter—has access to the data. Any store, retrieve and delete process of the residence data can be encrypted and decrypted only by keys that are owned by the enterprise customer. Tokenization techniques are now being adopted for PCI DSS compliance.5 Tokenization and Data Residency Tokenization is the process of substituting original (sensitive) data with randomly generated alphanumeric values (tokens). While structurally similar to the original data, these tokens have no mathematic relationship with the original data. The mapping between the original data and tokens is stored in a secure token database, and access to this database is required to reverse the process and retrieve the original data. By retaining original data within the concerned jurisdiction and storing tokens in cloud applications, data residency challenges can be eliminated. Tokenization Eliminates Cloud Data Residency Challenges Tokenization technology allows customers to replace sensitive information with anonymous values (tokens) that respect field formatting and preserve all native features and functionality of compatible cloud solutions, such as searching, sorting and reporting. The token database that stores sensitive information can either be placed behind the enterprise firewall or with a trusted hosting provider in the customers’ jurisdiction. Additional key characteristics include: • Rapid configuration and deployment • High-performance architecture with ultra-low latency • Support for multiple load-balancing and high-availability deployment topologies to address global customer needs • Subscription-based pricing that eliminates up-front capital expenditure • Centralized logging and auditing of user activities in the cloud • Extensible architecture for cross-platform tokenization Federated Identity and Access Management in the Cloud Managing identities of users and access control for enterprise applications remains one of the greatest challenges facing IT
  9. 9. 9ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. today. While an enterprise may be able to leverage several cloud computing services without a good identity and access management (IAM) strategy, in the long run, extending an organization’s identity services into the cloud is a necessary precursor toward strategic use of on-demand computing services.6 Supporting today’s aggressive adoption of an admittedly immature cloud ecosystem requires an honest assessment of an organization’s readiness to conduct cloud- based IAM, as well as understanding the capabilities of the organization’s cloud computing providers. Identity Provisioning One of the major challenges for organizations adopting cloud computing services is the secure and timely management of on- boarding (provisioning) and off-boarding (deprovisioning) of users in the cloud. Furthermore, enterprises that have invested in user management processes within an enterprise will seek to extend those processes and practices to cloud services. Authentication When organizations start to utilize cloud services, authenticating users in a trustworthy and manageable manner is a vital requirement. Organizations must address authentication-related challenges such as credential management, strong authentication (typically defined as multifactor authentication), delegated authentication and managing trust across all types of cloud services. Federation In a cloud computing environment, federated identity management plays a vital role in enabling organizations to authenticate their users of cloud services using the organization’s chosen identity provider (IdP). In that context, exchanging identity attributes between the CSP and the IdP in a secure way is also an important requirement. Organizations considering federated identity management in the cloud should understand the various challenges and possible solutions to address those challenges with respect to identity life-cycle management, available authentication methods to protect confidentiality, and integrity while supporting nonrepudiation. Authorization and User Profile Management The requirements for user profiles and access control policy vary depending on whether the user is acting on his/her/ its own behalf (such as a consumer) or as a member of an organization (such as an employer, university, hospital or other enterprise). The access control requirements in SaaS, PaaS and IaaS (SPI) environments include establishing trusted user profile and policy information, using it to control access within the cloud service and doing this in an auditable way. Identity Federation Identity federation builds a trust relationship between applications that reflects business affiliations so that employees can remotely access applications with a single sign-on (SSO), regardless of whether or not the applications are locally or remotely located. Identity federation also protects an employee’s private information. As a first step toward the organization’s cloud initiative, it is recommended to use an identity federation solution with an open-standard solution, such as Security Assertion Markup Language (SAML), to ensure interoperability in a hybrid cloud environment while extending the organization’s internal IAM systems into the cloud. SAML addresses one of the key challenges in how to integrate all cloud computing resources with internal enterprise resources in order to deliver a unified service to employees and customers anywhere and anytime while still maintaining a secure environment. Figure 3 shows the user is accessing many applications on a hybrid cloud computing environment, which goes beyond the boundary of the enterprise data center. The cloud environment must enforce the user’s access control, i.e., outside the data center, and this creates new challenges for the enterprise when adopting cloud computing and transforming its business. Single Sign-on Challenge The enterprise typically uses access management to integrate applications in different domains to an application portal so that the end user can access applications without reauthentication. While access management might work well for the applications within the data center or within the same domain, the cloud computing service typically is external to the data center and is located within a different domain and shared with multiple tenants. Security Challenge Security is another challenge; one example is an access control policy change. Typically, the application is associated with a dedicated IAM solution. Many applications using this approach create duplicated IAM functionality. Therefore, the application’s access control policies reside in multiple
  10. 10. 10 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. Figure 3—Identity Access and Federation Within Cloud Computing Environment locations across the network, creating policy management overhead and complexity. Furthermore, an employee often requires multiple roles for different applications, and the duplication of IAM prevents identity provision and enforcement on demand. Finally, the traditional IAM approach cannot fit into a cloud computing platform because the enterprise does not control the CSP’s IAM practices and has even less influence over strict security practices. Identity federation is based on two important concepts: 1. The virtual reunion or assembled identity of a person’s user information (or principal), which is stored across multiple distinct identity management systems. Typically, the user’s name, being a common token, joins the data. 2. A user’s authentication process, which is integrated across multiple IT systems or even organizations For example, a traveler could be a flight passenger and a hotel guest. If the airline and the hotel use a federated identity management system, they have a contracted mutual trust in each other’s user authentication. Initially, the traveler can self-identify as a customer for booking the flight and then this distinct identity can be transferred for hotel reservations. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, without requiring redundant user administration. This requires that all participating systems use the same protocol to be interoperable. For example, public cloud computing service providers such as Google, Amazon and offer their own IAM interface, which, by default, is not capable of single sign-on (SSO). Private cloud computing service providers may recommend different Identity Provider (IdP) Cloud Service Provider The Organization IDaaS Agent LDAP Queries Active Directory AD Authentication User Entity A Local Identity Store VM Entity A WWW APP DB VM Entity B VM Entity C LDAPS (LDAP Over SSL) One-way Sync Identity Federation
  11. 11. 11ISACA JOURNAL Volume 5, 2013©2013 ISACA. All rights reserved. IAM practices than enterprise customers. To integrate cloud service into an enterprise’s access portal with SSO, the use of an identity federation open standard, such as SAML, is recommended. The SAML protocol decouples both the SAML identity provider and the SAML service provider. This enables the enterprise to have a centralized identity provider that can support many other service providers in a distributed fashion. The SAML identity provider focuses on identity management, access policy management and security token generation, while SAML service providers receive the remote security token, retrieve credential data and reinforce user access policies locally. With the SAML protocol, the enterprise can provide services to other enterprises. Identity federation supports cross-domain SSO and interchanges access control information with a wide range of partners, reflecting business trust relationships. The SAML protocol is interoperable. Because CSPs implement different identity federation protocols or different versions of the same protocol, the enterprise cloud can leverage Security Token Service (STS) to interoperate between these different SSO practices. For example, the SAML assertion token can be converted between SAML 1.1 and SAML 2.0. Identity Authentication Flow Patterns Identity authentication patterns reflect authentication flows between the user and IAM. All participants globally are required to log into a common application platform, creating a fan-in identity authentication flow to applications. Enterprise users can log into a portal and then access different applications using SSO, creating a fan-out identity authentication flow. During mergers and acquisitions, authentication flows between the two companies involved often spill over because each company holds partial identity. In three authentication flows, the IAM is required to handle on-demand requests and do so in high volume. As a result, the enterprise IAM often faces challenges concerning performance and on-demand capacity to meet SLAs. Identity federation does not change the flow of the identity authentication. However, it decouples the authentication process and access control process such that regulating identity authentication occurs at one site and reinforcing authorization occurs at another. This simplifies the IAM infrastructure. Enterprises use identity authentication patterns in the following ways: • To act as the identity provider, processing employee authentications locally. With identity federation, the employees’ service requests fan out to the cloud services. • To build a private cloud data center that hosts services, acting as a service provider. With identity federation, the service requests from different trusted partners fan into this private cloud data center with SSO. • For two companies involved in a merger and acquisition process, where employees’ service requests cross over different domains and data centers with SSO Identity Federation Pattern: Trust Domain The identity federation is about creating a trust domain. This is the trust relationship of identity authentication and authorization that reflects the business relationship. A trust relationship can transfer trust from one party to another, creating a trust domain chain. The user can have different credentials in each application or cloud service. When these applications and cloud services are in a chained trust domain, the SAML identity provider can reconcile different identities, allowing users to access different applications using their appropriate credentials. As in the previous example where a traveler is both a flight passenger and a hotel guest, if both the airline and the hotel use a federated identity management system, they have a contracted mutual trust in each other’s authentication of the passenger/guest. Initially, the traveler can self-identify as a customer when booking a flight and then be transferred for a hotel reservation as an identified customer. The enterprise can leverage this pattern to integrate different cloud services into the enterprise remote access portal to improve overall productivity. SAML Patterns: Identity and Service Providers With the trust partnership, the involved parties can act as an identity provider, which asserts information about the user, or a service provider, which consumes the assertion provided by the identity provider. In SAML integration, the SAML identity provider directly accesses an identity management system such as LDAP or Active Directory, while
  12. 12. 12 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved. the SAML service provider strictly reinforces application access. An SAML integration pattern decouples the access and the authentication so that access and authentication can collaborate within a trusted domain over the Internet. The enterprise can create a centralized identity service with an identity provider that supports SAML for cross- domain SSO; the enterprise can also implement SAML service provider functionality in the private cloud data center with ease using identity management. Cloud Ready Data Center Cloud computing can vastly improve the performance, scale, agility and security of applications in any data center. This reduces IT costs while improving the user experience. IT services are delivered by infrastructures that are centrally managed and shared through consolidation and virtualization. Any of the standard data center elements—such as servers, appliances, storage and other networking devices—can be contained within a cloud-like architecture. By abstracting the logical from the physical, these elements can be arranged in resource pools that are shared securely across multiple applications, users, departments, suppliers and customers. The resources in these pools can also be dynamically allocated to accommodate the changing capacity requirements of different applications and improve asset utilization levels. Consequently, cloud infrastructures have proven to simplify management, reduce operating and ownership costs, and allow services to be provisioned with unprecedented speed. The characteristics of the cloud-ready data center, or next-generation data center, are based on building simplified, scalable, agile and secure networks with these design objectives. Success in building a cloud-ready data center network requires three steps: 1. Simplify the architecture. Consolidate siloed systems and collapse inefficient tiers using a network fabric and a single network operating system. This gives the organization fewer devices, a smaller operational footprint, reduced complexity, easier management operations and improved application performance. 2. Share the resources. Virtualize network resources to segment the network into simple, logical and scalable partitions for the organization’s various applications and services while using fabric technology to ensure seamless connectivity to those resources regardless of where they are located. Keep privacy, flexibility, high performance and quality of service (QoS) as primary goals. This sharing enables agility for multiple users, applications and services. 3. Secure the data flows. Make sure that integrated and dynamic security services are resident in the network to provide security scale, threat visibility and enforcement. These comprehensive services secure data flows across both physical and virtual environments, while leveraging centralized orchestration to drastically simplify the enforcement of dynamic, application-aware and identity- aware policies, ultimately ensuring better application availability and network performance. It is also important to automate at each step. Whether the organization is running its internal IT infrastructure to be cloud- like or plans to connect with public cloud services, designing a cloud-ready data center network involves removing the restrictions on where the organization places its resources. This gives the organization significant operational advantages that can help it lower costs, increase efficiency, and keep its data center agile enough to accommodate any changes in business or technology infrastructure. Conclusion Numerous information-, network- and application-related security concerns that CIOs face when cloud computing comes up during board meetings have been identified. The strategic decision to migrate to the cloud can be well justified economically and commercially—allowing organizations to focus on their business objectives. However, the main inhibiting factor and slow rate of cloud adoption can be attributed to the lack of security knowledge within the cloud. Innovative cloud-based security technologies, along with international cloud security frameworks, are being developed to address the need, and it is important that information security is at the forefront of any cloud computing discussion. ” “Designing a cloud-ready data center network involves removing the restrictions on where the organization places its resources.
  13. 13. Endnotes 1 ENISA, Cloud Computing Security Risk Assessment, 20 November 2009, risk-management/files/deliverables/cloud-computing-risk- assessment 2 Cloud Security Alliance, education/ccsk/ 3 DTS Solution, 4 Raj, Pethuru; Cloud Enterprise Architecture, Auerbach Publications, 2012 5 Scoping SIG and Tokenization Taskforce, Information Supplement: PCI DSS Tokenization Guidelines, PCI Security Standards Council, August 2011, Tokenization_Guidelines_Info_Supplement.pdf 6 Cloud Security Alliance, SecaaS Implementation Guidance, Category 1: Identity and Access Management, September 2012, initiatives/secaas/SecaaS_Cat_1_IAM_Implementation_ Guidance.pdf The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal. Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content. © 2013 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. 13 ISACA JOURNAL Volume 5, 2013 ©2013 ISACA. All rights reserved.