• Share
  • Email
  • Embed
  • Like
  • Private Content
AWS Cloud Security From the Point of View of the Compliance
 

AWS Cloud Security From the Point of View of the Compliance

on

  • 1,551 views

Clouds are finding increased use in core enterprise systems, which mean auditing is the cornerstone expectation. Cloud vendors announce new cloud services, offer new security solutions and refer to ...

Clouds are finding increased use in core enterprise systems, which mean auditing is the cornerstone expectation. Cloud vendors announce new cloud services, offer new security solutions and refer to the global security standards among of them the requirements look like quite similar. This is series of articles about AWS Cloud Security from the point of view of the compliance to highlight technical requirements of the top Worldwide and Russian security standards for key AWS services, describe how technically prepare to audit and configure AWS services.
http://pentestmag.com/pentest-webapp-1212/

Statistics

Views

Total Views
1,551
Views on SlideShare
499
Embed Views
1,052

Actions

Likes
0
Downloads
1
Comments
0

6 Embeds 1,052

http://www.scoop.it 936
http://sto-strategy.com 97
http://s-t-o.squarespace.com 14
http://webcache.googleusercontent.com 3
http://sto-blog.tumblr.com 1
http://translate.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    AWS Cloud Security From the Point of View of the Compliance AWS Cloud Security From the Point of View of the Compliance Document Transcript

    • W e b A p asasa pWS Cloud SecurityFrom the Point of View of the Compliance Clouds are finding increased use in core enterprise systems, which mean auditing is the cornerstone expectation. Cloud vendors announce new cloud services, offer new security solutions and refer to the global security standards among of them the requirements look like quite similar. This is series of articles about AWS Cloud Security from the point of view of the compliance to highlight technical requirements of the top Worldwide and Russian security standards for key AWS services, describe how technically prepare to audit and configure AWS services.C loud Computing has been one of the top increased security to reduce the operation com- security topics for the last several years, for plexity of their cloud. This eventually ends with a enterprise IT departments, as well as oth- lower amount of cloud security that the end-userer businesses. Cloud Computing offers unlimited will accept. For example, as VM instances are of-storage and other resources with flexibility. The ten visible you should configure the server or fire-basic idea of the cloud is centralized IT services, wall “somehow” to protect this flow. Another ex-with on-demand services, network access, rapid ample talks that the term “physical security” doeselasticity, scalability and resource pooling. There not exist anymore since cloud has come. Nev-are known are three models: SaaS, PaaS and ertheless, it was this way as it had been whenIaaS. Each of them can be deployed as a Cloud, the hosting service arrived. Even the new tech-Community Cloud, Public Cloud, or Hybrid Cloud. nology is only another way to perform well-knownSome security questions about clouds are: how is actions; customer must make any improvementsit implemented, how are data or communication than by-default configuration to face cyber-at-channels secured, how are the cloud and appli- tacks and will eventually succeed. Phishing orcation environments secure, etc. The cloud sim- SQL injection is not a real concern, because theyply uses well-known protocols like SMTP, HTTP, have been in existence too long and patches haveSSL, TCP/IP etc. to communicate, send email, file been made available. If the virtual OS is a Win-handling and other activity. The methods that are dows Server or an Ubuntu server, then the OScompliant as a part of the RFC should indicate that has the same security and patch managementthey are OK. Standards like the ISO 27001 series state as Desktop/Server OS. The virtual serverstill provide a measure on information security, but can easily be updated and patched, or even re-as minimum set of security only. Third party orga- configured. This is acceptable, except in the situ-nizations like the Cloud Security Alliance (CSA) ation where the cloud vendor notifies you that apromote their best practices for cloud security and patch or update cannot be applied. In addition, ithave a registry of cloud vendors security controls is mere trust than you download or buy on disk.to help users to make right choice. Eventually, they offer solution, e.g. buy & sell suit- Cloud security vendors claim that the end-user able security solution (third party solution shouldcompanies sometimes prefer cost reduction over be more trustable, than cloud vendor, oh really?), 10/2012(10) Page 50 http://pentestmag.com
    • W e b A p pnote that logs should be analyzed from time totime, you should use IDS, find popular softwareto protect network ports but such software oftencannot be applied to this case. Someone believesthat if classic network object like server can bephysical near the company then it is more securethan virtual but it is not true. Significant exampleis thinking about cloud like the one about home/work PC connected to internet that directly or viarouter. When you need protect this PC you do nottalk about why is DNS gates are public, if they aretrusted and more. You can keep you hosts file asa DNS; several clouds provide end user with thesame feature not through the host, but their ownDNS routing service.General Cloud and Security PointsSecurity in the cloud is just like traditional security:network security, authentication, authorization, au-diting, and identity management. This is not any-thing new or revolutionary. There are several points about security that areoften discussed:• Perimeter network role and location: • Location (city/country) where is the data lo- cated/stored in the cloud? • What are the compliance with standards and country regulations? • What type of firewall (guest, mandatory, VPN, other) is used?• Identity and Access Management: • What is the authentication/authorization and role-based access control? • What is the existence of privileged users, or user access for the cloud services? • Are there different access types per each user, application and role?• Data Privacy: • How is data separated from other cloud users? • What type of encryption is used?• Logging and Auditing• Endpoint protection Client security• Misusing as it was shown at the BlackHat Con- ference like breaking into Wi-Fi network or password brute-forcingThe virtualization refers primarily to the hypervi-sor, while a virtual machine works with a config-ured and snapshot of an OS image and usual-ly includes virtual disk storage. As all virtual ma-chines require memory, storage, or network, a 10/2012(10)
    • W e b A p asasa phypervisor supports these virtual machines and es by attacking gateway. The common network IDSpresents the hardware pool that it can work with. does not necessarily work as well here; it might notHypervisors isolate the memory and computing work even as it is on classic network. But, it mayresources and allows performing actions with- work to monitor suspicious traffic between virtualout affecting other instances. There are securi- machines if the IDS allows network gate or traf-ty issues when you are using virtualization in the fic to be moved thought VPN to/from your corpo-cloud, no doubt. Each OS running in virtual en- rate network where the IDS exists. Another pointvironment should be patched and monitored like is performance that may lead to resource alloca-any non-virtual OS. You may use a gateway de- tion problems and open the service to DoS/DDoSvice that provides the applicable security config- attacks. Another filtering method for limiting trafficuration to the devices connected. You still have is firewalling by physical location that isolates dif-to use host-based firewalls and IDS to capture, ferent security zones. Network traffic between vir-stop and filter non-allowed activity from applica- tual machines should be encrypted to protect datations, network attacks, disable or enable commu- while in transit.nication between others virtual machines, or to Of course, as the hypervisor has access to allextend the logging system. guest OS, and if it is compromised itself, it will Like a classic datacentrewhere you have to have broad impact to the network isolation, butmaintain stability and security by constant monitor- the probability of that is low since all hypervisorsing, alerting and reporting about what the custom- very custom. The cloud infrastructure adminis-ers are doing with the resources, what geographic trator will need to depend on new tools that arelocations they are coming from, how many users cloud aware, and may not be defined by the cur-connect at certain times of the day, also, the cloud rent IT department.infrastructure should report misuse or other out-of- Another security issue deals with the (de-)allo-policy activity taking place. Auditing needs to log cating of resources. If data is written to the stor-and report on all activities taking place in the cloud age and was not wiped before, or crashed before(elastic computing, storage, VPN, etc.). It really reallocation, then there is a data leakage problemsimplifies increasing complex of the clouds. Some- on the HDD. It means the IT department needstimes, security design failure a single poorly se- to rely on reallocation feature and perform cleancured service that can easily be compromised to operations instead of relying on the cloud ser-lead to the risk of stealing valuable data, making vice. It may need special DOD-tools to run man-the services unavailable by DDoS or other inter- ually, or running processes until OS fires it offruptions. (terminates). This may increases operational ex- Accessing solution known as IAM is an impor- penses. In other words, no sensitive informationtant method to authenticate connections and au- should be stored in the plain text. Using wholethorizations of the cloud resources. Your IT policy volume encryption will protect the physical stor-should take into account the broad range of access age, prevent access to a virtual environment, andrights, because it often divides access into all, to finally reduce the risk of exposure. Also, applica-owner, and somewhere in between these. Not all tions may encrypt data in storage, data in RAM,clients should have the right to access all data, but and data during processing to make it more diffi-staff rights need to be set up so that everyone who cult for someone gain access to.is responsible should be approved similar to role-based access in traditional offices where the end Security Overview: Windows Azure vs.users can have access to the services, and some- Amazon Web Servicestimes the controls, while administrators have ac- These two platforms differ by the decision made bycess to the controls and managed the functionality each vendors vision on how the end-users shouldand performance of the workloads. access their cloud services. Windows Azure In the cloud, you will need to think about how makes a data spreading to the cornerstone, viayou handle inbound connections to the resources neither storage nor web-server. AWS makes manyrequired to any services, hosting, and client devic- services more accessibility that are important withes and how they will connect. DMZ and firewalls merging to the cloud. These different goals have aare a good solution, but belong to different security huge influence on not only the IT policy, but alsozones to prevent access to the whole cloud servic- the API. Both AWS and Azure services were built 10/2012(10) Page 52 http://pentestmag.com
    • W e b A p pin accordance with security best practices, and the continue to be an Amazon employee but promot-security features are well documented to make it ed to another position.clear how to use them to design strong protection. A standard employee, or a third-party contractor,Below I examine the security features offered each has a minimum set of privileges and can be dis-vendor: abled by the hiring manager. All types of access to any resources logged, as well as its changes,Compliance it must be explicitly approved in Amazons propri-Azure etary permission management system. All chang-Microsoft complies with the data protection and pri- es led to revocation of previous access becausevacy laws, but only customers are responsible for of explicitly approving type to the resource. Everydetermining if Windows Azure complies with the access grant will revoked since 90 days as it wascountry laws and regulations. For example, ISO for approved too. Access to services, resources andAzure covers cloud services (web and VM), stor- devices relies on user IDs, passwords and Kerbe-age, and networking. ros. In addition, Amazon mentioned about expira- tion intervals for passwords.AWS "Physical access is logged and audited andAWS offers compliance with FISMA to allow the is strictly controlled both at the perimeter and atgovernment and federal agencies implement AWS building ingress points by professional securitysolutions and security configurations at their se- staff utilizing video surveillance, intrusion detectioncurity system. In addition, VPN (Virtual Private systems, and other electronic means". Staff uses aCloud), GovCloud and SSL mechanism sustain a two-factor authentication while third party contrac-FIPS 140-2. AWS has validated with Level 1 PCI tors escorted by authorized staff have to presentDSS physical infrastructure and such services like signed IDs.EC2, S3, EBS, VPC, RDS, and IAM that allows Also, Amazon describes important things like fireto the end customers perform storing, processing, detection, power or climate control by mentioningtransmitting credit card information with properly UPS to keep services functional 24 hours per daysecurity. EC2, S3, and VPC as well as AWS data- while Microsoft just tells that is. Finally, you cancentres are covered by a global security standard know what services is affected through the AWSISO 27001 too. Service Health Dashboard (http://status.aws.ama- zon.com/).Physical SecurityAzure Data PrivacyAzure designed to be available 24 x 7; their data- Azurecentres are managed, monitored, administered by Azure runs in multiple datacentres around theMicrosoft and, of course, compliant with applicable world and offers to the customer deploy redundan-industry standards for physical security. Azure staff cy and backup features.is limited by the number of operations, and mustregularly change access passwords (if performed AWSby administrators). All administrative actions are AWS offers data encryption, backup and redun-audited to determine the history of changes. Final- dancy features. For example, services that storely, you can know what services are affected through data in S3, EBS use redundancy in different phys-the Health Dashboard (https://www.windowsazure. ical locations but inside one “Available Zone” ex-com/ru-ru/support/service-dashboard/). cept you set-up backup services to duplicate data. This way (not across multiple zones) works EBS,AWS while S3 provide durability across multiple Avail-AWS datacentres are located throughout the ability Zones. To extend and fix EBS redundancyworld (US, EU, and Asia) and available 24 x 7 x users enabled to backup AMI images stored on365. Actual location is known by those that have EBS to the S3. Object deletion executes un-map-a legitimate business need. Amazon datacen- ping process to prevent remote access. When atres are secured to prevent unauthorized access; storage device has reached the end of its use-the access tickets will immediately be destroyed ful life, AWS initiates destroying procedures with-when someone leaves the company or when they in DOD 5220.22-M ("National Industrial Securi- 10/2012(10) Page 53 http://pentestmag.com
    • W e b A p asasa pty Program Operating Manual ") or NIST 800-88 Network Security("Guidelines for Media Sanitization"). AWS allows Azureencryption of sensitive data and perform actions Microsoft uses a variety of technologies tobefore uploads it in S3; additionally, there is no keep customers away from unauthorized trafficpermission to use own and commercial encryp- through the firewalls, NAT boxes (load balanc-tion tools. ers), and filtering routers. Azure relies on 128-Table 1. Cloud security features Type Cloud Vendor AWS Azure Compliance ISO 27001 + + PCI DSS + N/A FISMA + N/A NIST + N/A CSA + N/A FIPS 140-2 + N/A HIPAA + + Physical Security Actions & events logging + + Logs audit + + Minimum access rights + + Auto revocation access after N days + N/A Auto revocation access after role changed + N/A Two-factor authentication + N/A Escort + N/A Data Privacy Backup + + Redundancy inside one GeoLocation + N/A Redundancy across several GeoLocation + + Encryption + N/A DoD/NIST Destruction + N/A Network Security MITM Protection + + DDoS Protection + N/A Host-Based Firewall (ip,port,mac) + + Mandatory Firewall + + Extended Firewall (Geo, date’n’time) + N/A Hypervisor protection from promiscuous + + Pentesting offer + + Credentials Login and Passwords + + SSL + + Cross account IAM + N/A MFA hardware + N/A MFA software + N/A Key-Rotation + N/A 10/2012(10) Page 54 http://pentestmag.com
    • W e b A p pbit TLS protection for communications inside da- AWStacentres and between end users and customer IAM enables to manage multiple users, their per-VMs. Filtering routers reject all non-allowed at- missions, password and password policy undertempts, i.e. addresses and ports that prevent at- one AWS account or among several AWS ac-tacks that use "drones" or "zombies" searching counts as unique security credentials. New IAMfor vulnerable servers as the most popular way users as well entire IAM and EC2 has no (“deny”to break into network. access type) access to all resources by default Filtering routers also support configuring back and deals with explicitly granted permissions on-end services to be accessible only from their cor- ly. AWS Multi-Factor Authentication is an addition-responding front ends. Firewalls restrict incom- al security to the basic credentials providing by aing and outgoing communication with known six-digit single-use code. This code usually gen-IP addresses, ports, protocols. Microsoft of- erates by an authentication device or similar ap-fers an authorized penetration testing for cus- plications like Google Authenticator. It works verytomers applications hosted in Windows Azure well for AWS account or user accounts within IAM.if requests for it submitted 7 days beforehand AWS offers key and certificate rotation on a regu-at least. lar basis to mitigate compromising risk from lost or compromised access keys or certificates. It isAWS available for AWS account or user accounts withinAWS forces MITM protection by SSL-protect- IAM too (Table 1).ed endpoints for example EC2 generates newSSH host certificates on first boot and log them How is AWS Services Secureto the instances console. EC2 instances de- Access and Credentialssigned to be non-spoofed by host-based firewall An access to applications and services within AWSthat restricts traffic with a source IP or MAC ad- cloud is protected in multiple ways and it requiresdress other than its own and block non-allowed special credentials:traffic (IP, port, geo location, date and time andmore). Despite of instance running in promiscu- • Access Credentials:ous mode the hypervisor will not deliver any traf- • Access Keys to manage with REST or Que-fic relies on explicit restrictions that protect from ry protocol requests to any AWS servicetraffic capturing on the same physical host on API, and S3. The possible states:neither EC2 nor VPC. Unauthorized port scans • Active – Can be used.are a violation of the AWS Acceptable Use Pol- • Inactive – Cannot be used, but can beicy, however customers permit to Pentest their moved back to the Active state.AWS services that should be proved by IP, port, • Deleted – Can never be used againdate and time and login and contact before pen- • X.509 Certificates to manage SOAP protocoltesting with AWS support. Violations may lead to requests to AWS service APIs, except S3revocation of AWS accounts after investigation • Key Pairs to manage with CloudFrontby Amazon. Moreover, if illegal activity will AWScustomers should inform AWS about that. In ad-dition, AWS has a proprietary DDoS mitigationtechnique but does not describe any key featuresof it.CredentialsAzure Figure 1. AWS Access Credentials IAzure provides virtual machines to customers, giv-ing them access to most of the same security op-tions available in Windows Server. Customers useSSL client certificates to control up-dates to theirsoftware and configuration. The basic credentialslike username and password are common withinAzure resources. Figure 2. AWS Access Credentials II 10/2012(10) Page 55 http://pentestmag.com
    • W e b A p asasa p• Sign-In Credentials: Key ID is checked to its own Secret Access Key • E-mail Address, and Password to sign in to validate the signature and confirm that the re- to AWS web sites, the AWS Management quest sender is legitimate. The key rotation is Console, the AWS Discussion Forums, and manually at current moment and looks like: the AWS Premium Support site, • AWS Multi-Factor Authentication Device as • Make second active credentials. an optional credential that increases the se- • Update applications and services with new cre- curity level to manage with the AWS web dential. site and the AWS Management Console. • Move first credential to Inactive.• Account Identifiers: • Check that working with the new credential is • AWS Account ID to manage with all AWS OK service resources except Amazon S3 and • Delete the first credential. looks like 8xxx-xxxx-xxx8 • Canonical User ID to manage with for Am- To add an extra layer of security, use AWS MFA azon S3 resources such as buckets or files feature that provide a six-digit, single-use code in only and looks like 64 bytes length string addition to the email and password. All details, ac- “7xbxxxxxxcdxcxbbxcxxxxxe08xxxxx44xxx- tivation hardware or software MFA and more is aaxdx0xxbxxxxxeaxed8xxxbxd4x” on link http://aws.amazon.com/mfa. (Figure 1 nad Figure 2, Table 2)The purpose of the access keys is a manage- Additionally, AWS offers so-called Identity andment of requests to the AWS product REST, Que- Access Management that easy integrates with al-ry APIs, or third-party product with Access Key most of all AWS services, e.g. EC2, S3 and more.ID; the Access Key ID is not a secret. EC2 is en- IAM provides the following:abled to use access keys, usually known as SSHkey pair and/or X.509 certificates, to interact with • Create users and groups under your organiza-the services. The secret/private part of access tions AWS accountkey is used to retrieve an administrator password, • Easily share your AWS account resources be-REST and Query APIs, while the X.509 certificate tween the users in the accountis used with command line operations and SOAP • Assign unique security credentials to each userAPIs, except S3, which is managed with access • Granular control users access to services andkeys. When AWS receives a request, the Access resourcesTable 2. Resource credentials Resource Access type REST or Query API request to an AWS, S3 Access Keys SOAP API request to an AWS X.509 Certificates (except for Amazon) Access to the secure pages or AWS Management Console Amazon E-mail Address and Password with optional AWS Multi-Factor Authentication Manage to EC2 command line tools Your X.509 Certificates Launch or connect to an EC2 Your Amazon EC2 Key Pairs Bundle an Amazon EC2 AMI For Linux/UNIX AMIs: your X.509 Certificates and AWS Ac- count ID to bundle the AMI, and your Access Keys to up- load it to Amazon S3. For Windows AMIs: your Access Keys for both bundling and uploading the AMI. Share an EC2 AMI or EBS snapshot The AWS Account ID of the account you want to share with (without the hyphens) Send email by using the Amazon SES SMTP endpoint Your Amazon SES SMTP user name and password Access to the AWS Discussion Forums or AWS Premium Your Amazon E-mail Address and Password Support site 10/2012(10) Page 56 http://pentestmag.com
    • W e b A p pVirtual Instances (Amazon Elastic Compute cess revocation (this case is talking aboutCloud) AWS that manages with host OS set)EC2 is a web service that provides resizable com- • Guest OS protection usually includes nativepute capacity in the cloud that allows paying for ca- firewall (Windows Firewall, IPTables, etc.), ba-pacity only and supports OSs like Windows Server, sic credentials, such login/email and password,RedHat, OpenSuSE Linux, and more. EC2 allows as well as extended by multi-factor authenti-setting up everything according to OS. Moreover, cation based on SSH Version 2 access, EC2you are enabled to export preconfigured OSs from keys that should unique per each virtual in-VMware, through the AWS console commands, stance.AWS API, or special VMware Connector. It helps • Firewall protection includes pre-configured in ato leverage the configuration management or com- default deny-all mode mandatory inbound fire-pliance requirements. VM Import/Export is avail- wall that allows the following restrictionable for use in all Amazon EC2 regions and with by protocolVPC even. by service port The final goal is protection from interception and by source IP addressunauthorized actions and EC2 security is designed • This firewall is not controlled through the Guestto protect several attack vectors. OS without X.509 certificate and key to autho- rize changes. Additionally, customers may use• Host OS protection usually includes event log- and guest OS firewall to filter inbound and out- ging, multi-factor authentication, regular ac- bound traffic.Table 3. Requirements of the Russian Federal Law about Personal Data Requirements AWS Solution Access management Users require using alphanumeric Native AWS solution implemented in IAM and MFA in ad- password long six characters at least dition and special code in addition. All devices (incl. external), instances, Canonical name developed for users and resources and network nodes require identification enabled mainly through IAM, EC2 identifies by tags by logical name Access event log- Login and logout events Not yet released for IAM and come to EC2 OS solution ging (Windows, *nix) Date and time of login and logout events Credentials used to login Access to the file events Not yet released for IAM Native solution implement- and come to EC2 OS solu- ed in S3 that provides ca- Date and time of access to the file tion (Windows, *nix) nonical user id and IP ad- events dress accessed to the file, User ID/equivalent used to access to date and time or more the file events Allocated drive wiping Native AWS solution on un-mapping, termination, etc. Integrity Physical security, control access AWS solution described above at physical security and management, restriction of employ- compliance on physical security ee or third contractor Backup and restore for protection Depend on designed; generally AMI image stored on EBS solution and backed up into S3 Additional Network packet filtering by date and Native solution implemented in EC2 mandatory firewall time that includes IP, port, protocol, additional solutions of EC2 OS (Windows and *nix), additional IAM solution to Network packet filtering by IP ad- the resources enabled geo filtering and date and time fil- dress tering. Network packet filtering by date and time Network packet filtering by protocol 10/2012(10) Page 57 http://pentestmag.com
    • W e b A p asasa p• API calls signed by X509 certificates is a kind side of which there several physically indepen- of protection that helps to the Xen keep the dif- dent zones. Each zone is isolated from failures ferent instances isolated from each other. in other; some AWS services is allowed to move data between zones to keep away from failure,Moreover, EC2 designed to prevent a mass some not, but moving across regions is manual-spam distribution by limitations of sending ly only.email. Any wishes about mass email are avail-able through the request by URL (https://por- Virtual Storage (Amazon Simple Storagetal.aws.amazon.com/gp/aws/html-forms-con- Service and Elastic Block Store volume)troller/contactus/ec2-email-limit-rdns-request). S3 is a simple storage for the Internet with sev-The main concept of cloud security is visibili- eral interfaces (for example, web service and APIty by guest OS firewall, mandatory firewall and calls) to store and retrieve data from anywhere.geo availability (Regions and Availability Zones) EBS provides so-called block-level storage; inbecause such zone managed with physically in- other words, it equals to the physical and logicaldependent infrastructure. Different areas of the hard disks. The multiple volumes can be attachedworld .i.e. USA or EU are known as region in- to an instance while the same volume cannotTable 4. Requirements of CSA CAI Questionnaire Requirements AWS Solution Data Governance Do you provide a capability to identi- AWS provides the ability to tag EC2 resources. A form fy virtual machines via policy tags/meta- of metadata, EC2 tags can be used to create user- data (ex. Tags can be used to limit guest friendly names operating systems from booting/instan- tiating/transporting data in the wrong country, etc.)? Do you provide a capability to identify hardware via policy tags/metadata/hard- ware tags (ex. TXT/TPM, VN-Tag, etc.)? Do you have a capability to use system Native solution implemented in EC2 mandatory fire- geographic location as an authentica- wall that includes IP, port, protocol, additional solu- tion factor? tions of EC2 OS (Windows and *nix), additional IAM solution to the resources enabled geo filtering and date and time filtering. Can you provide the physical location/ AWS currently offers six regions which customer da- geography of storage of a tenant’s data ta and servers will be located designated by cus- upon request? tomers: US East (Northern Virginia), US West (North- ern California and Oregon), GovCloud (US) (Ore- Do you allow tenants to define accept- gon), South America (Sao Paulo), EU (Ireland), Asia able geographical locations for data Pacific(Singapore) and Asia Pacific (Tokyo). routing or resource instantiation? Do you support secure deletion (ex. de- Native AWS solution on un-mapping, termination, etc. gaussing / cryptographic wiping) of ar- as well as DoD 5220.22-M / NIST 800-88 to destroy da- chived data as determined by the ten- ta discussed above. ant? Facility Security Are physical security perimeters (fences, Physical security controls include but are not limit- walls, barriers, guards, gates, electron- ed to perimeter controls such as fencing, walls, secu- ic surveillance, physical authentication rity staff, video surveillance, intrusion detection sys- mechanisms, reception desks and secu- tems and other electronic means; compliance with rity patrols) implemented? AWS SOC 1 Type 2 and ISO 27001 standard, Annex A, domain 9.1. Information Secu- Do you encrypt tenant data at rest (on Encryption mechanisms for almost of all the services, rity disk/storage) within your environment? including S3, EBS, SimpleDB and EC2 and VPC sessions as well as Amazon S3 Server Side Encryption. Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? 10/2012(10) Page 58 http://pentestmag.com
    • W e b A p pbe attached to different instance. EBS provides • the requestors IP,backup feature through the S3. S3 is “unlimited” • the time and date of the request.storage while customers size EBS. S3 APIs pro-vide both bucket- and object-level access con- EBS restriction access looks similar to the S3; re-trols, with defaults that only permit authenticated sources are accessible under current AWS Ac-access by the bucket and/or object creator. As count only, and to the users those granted withopposed to EC2 where all activity restricted by AWS IAM (this case may be affected cross AWSdefault, S3 starts with open for all access under Accounts as well if it is explicitly allowed. Snap-current AWS account only that means all buckets shots backed up to the S3 and shared enable in-and other folders and files should controlled by direct access (only read permission, not altera-IAM and canonical user ID that finally authenti- tion, deletion or another modification) to the EBS.cates with an HMAC-SHA1 signature of the re- There is an interesting point suitable for foren-quest using the users private key. S3 provides sics that snapshot stored on S3 will keep all delet-Read, List and Write permissions in an own ACL ed data from EBS volume, they were not altered,at the bucket level or IAM permissions list those or DOD wiped. Talking about secure wiping, AWSindependent and supplements each other. S3 provides “destroying” data feature via a specificprovides file versioning as a kind of protection to method, such as those detailed in DoD 5220.22-restore any version of every object on the bucket. M ("National Industrial Security Program Operat-Additionally, “S3 versionings MFA Delete” feature ing Manual") or NIST 800-88 ("Guidelines for Me-will request typing the six-digit code and serial dia Sanitization"); AWS perform these actions fornumber from MFA device. Also, a valuable feature S3 and EBS. In case, it is impossible to wipe datafor audit and forensics case is logging S3 events after storage disk lifetime such disk will be physi-that can be configured per bucket on initialization. cally destroyed.These logs will contain information about eachaccess request and include Gross Inspection on AWS Compliance from customer side• request type, As it is first part of series of articles, I briefly ex-• the requested resource, amine several standards and order documents re- On the Net • http://www.windowsecurity.com/articles/Cloud-computing-can-we-trust-how-can-be-used-whilst-being-secure.html – Cloud computing, can we trust it and how can it be used whilst being secure, Ricky M. Magalhaes • http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part1.html – Security Considera- tions for Cloud Computing (Part 1) – Virtualization Platform, Deb Shinder • http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part2.html – Security Considera- tions for Cloud Computing (Part 2), Deb Shinder • http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part3.html – Security Considera- tions for Cloud Computing (Part 3) – Broad Network Access, Deb Shinder • http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part4.html – Security Considera- tions for Cloud Computing (Part 4) – Resource Pooling, Deb Shinder • http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part5.html – Security Considera- tions for Cloud Computing (Part 5) – Rapid Elasticity, Deb Shinder • http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part6.html – Security Considera- tions for Cloud Computing (Part 6) – Metered Services, Deb Shinder • https://www.windowsazure.com/en-us/support/legal/security-overview/ – Technical Overview of the Security Featu- res in the Windows Azure Platform, April 2011 • http://www.baselinemag.com/c/a/Security/Securing-Data-in-the-Cloud/ – Securing Data in the Cloud, Eric Friedberg • http://d36cz9buwru1tt.cloudfront.net/Whitepaper_Security_Best_Practices_2010.pdf – AWS Security Best Practices, January 2011 • http://d36cz9buwru1tt.cloudfront.net/pdf/AWS_Security_Whitepaper.pdf – Amazon Web Services: Overview of Secu- rity Processes, May 2011 • https://www.windowsazure.com/en-us/support/trust-center/compliance/ – Trust Center Home, Compliance • http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm – Convention for the Protection of Individuals with re- gard to Automatic Processing of Personal Datat 10/2012(10) Page 59 http://pentestmag.com
    • W e b A p asasa pferred to security on compliance; some of them is Some non-profit organizations try to unify bestworldwide and some is Russian. In further articles, practices for clouds, help the vendors to improveI will provide a detail AWS services’ examination their security features and provide customers withwith the most known documents to explain and best choice of solution they need. One of them isshow if cloud services (mainly AWS and Azure) CSA that offers range of industry security practitio-are so insecure, if configuring with compliance is ners, corporations, and associations participate inso complex and if compliance makes a sense for this organization to achieve its mission. They cre-end customers on security. Some requirements ate so-called “CSA Consensus Assessments Ini-and entire documents are going to be discussed tiative Questionnaire” that provides a set of ques-will deliberately be used as outdated to highlight tions the CSA anticipates a cloud consumer and/orcomparison. One of them, the Russian Federal a cloud auditor would ask of a cloud provider. AWSLaw about Personal Data refers to the “Conven- announced that they has completed the CSA CAItion for the Protection of Individuals with regard to (Table 4).Automatic Processing of Personal Data” that wasconfirmed in 2006. This reference allows storing Conclusiondata out Russia and 1C Company has already of- Some companies have to manage with regula-fer a cloud solution in accordance with Chapter tions because of legal proceedings to how the da-III about “Transborder data flows” and Article 12 ta should be handled, where they should be storedabout “Transborder flows of personal data and do- and how the consumer data are protected. On an-mestic law”. other hand, security audit may uncover the vulner- abilities. Whether audit makes sense or not, there• The following provisions shall apply to the is case when you or someone else have to vali- transfer across national borders, by whatever date with standard. In these articles, I briefly ana- medium, of personal data undergoing automat- lyze security features of WS with several require- ic processing or collected with a view to their ments. In further articles, I will provide a detail AWS being automatically processed. services examination with the most known docu-• A Party shall not, for the sole purpose of the ments to explain and show if cloud services (main- protection of privacy, prohibit or subject to spe- ly AWS and Azure) are so insecure, if configuring cial authorization transborder flows of personal with compliance is so complex and if compliance data going to the another territory. makes a sense for end customers on security.• Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2: • insofar as its legislation includes specific regulations for certain categories of person- al data or of automated personal data files, because of the nature of those data or those Yury Chemerkin files, except where the regulations of the Yury Chemerkin graduated from RSUH in 2010 (http:// other Party provide an equivalent protection; rggu.com/) on the BlackBerry diploma thesis. Currently • when the transfer is made from its territo- in the postgraduate program at RSUH on the Cloud Se- ry to the territory of a non-ing State through curity thesis. Experience in Reverse Engineering, Soft- the intermediary of the territory of anoth- ware Programming, Cyber & Mobile Security Research, er Party, in order to avoid such transfers re- Documentation, and as a contributing Security Writer. sulting in circumvention of the legislation of Also, researching Cloud Security and Social Privacy. The the Party referred to at the beginning of this last several years, I have worked on mobile social secu- paragraph. rity, cloud security and compliance, mobile security and forensics; additionally develops solutions based on ex-The Russian law refers to another documents pro- ploiting, not only OS vulnerabilities, but also third-par-vided several requirements to protection some of ty products and solutions.them I will examine right now. These requirements Regular blog: http://security-through-obscurity.divide into three categories based on which da- blogspot.com.ta is processed (medical, religion, nationality, etc.) Regular Email: yury.chemerkin@gmail.com(Table 3). Skype: yury.chemerkin 10/2012(10) Page 60 http://pentestmag.com