Cloud Computing - understanding security risk and management
The aim of this paper is to make the cloud service consumer aware of cloud computing fundamentals, its essential characteristics, service models and deployment options. It also throws light on the Security and Risk Management piece of the CSA Trusted Cloud Reference Architecture, the Cloud Controls Matrix, the Notorious Nine threats and ENISA's top risks to cloud computing. At the end it talks about the certification and attestation part.
Author – Shamsundar Machale (CISSP)
Fig.1 NIST Visual Model of Cloud Computing Definition
What is the definition of Cloud Computing?
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The above NIST definition defines in what way you can deploy cloud, what service offerings you can make available and what the essential characteristics of cloud are. Fig. 1 represents the visual model of the above NIST cloud computing definition. Let's take a deeper look into the definition.
Any cloud should demonstrate certain essential characteristics to get the full benefit of cloud. Any missing essential characteristic would not give you 100% benefit from cloud computing.
Whatever is not your core, outsource it. Similarly, maintaining capex IT infrastructure and information is not your core, so outsource it to a specialized agency, i.e. a Cloud Service Provider (CSP).
Multi-tenancy is the fundamental used in resource pooling, but keep in mind that resource pooling is not limited to your servers and storage; it extends to network connectivity, physical security, administration of cloud services and, last but not least, your facility space. The CSP uses the same infrastructure to provide services to multiple clients from the same or different geographies. This provides a great benefit to the Cloud Consumer (CC) by avoiding direct capital investment and through the pay-per-use model of cloud. Only the required amount of compute, storage etc. is provisioned and no extra investment is made by the CC. At the same time, resource pooling might become a huge risk if an attacker uses the shared pooled resource to steal sensitive information processed by the CC. This is possible through attacks such as a guest hopping attack or a side channel attack to capture cryptographic keys.
The second essential characteristic is on-demand self-service. The CC should be able to do the provisioning / de-provisioning of computing resources by themselves with minimum administrative involvement from the CSP. The lead time required for provisioning and de-provisioning should be reduced significantly.
Rapid elasticity means the CC should be able to expand and contract services as per their requirements with immediate effect, and it will be charged on a pay-per-usage policy. There should not be any lock-in on the CSP side while reducing the required level of resources.
As there is a trend of BYOD and consumerization, people want to access applications independent of location and end device, which essentially means there should not be any restriction on your work location (office, home or cafe) or on how you access it (desktop, laptop, smartphone or tablet).
Lastly, the CC should be able to measure the services offered by the CSP through the SLA.
Let's take a look at service offering models; there are typically three kinds of service offering models, as below.
IaaS (Infrastructure as a Service) – Here you get only infrastructure like compute and storage. This is nothing but a plain vanilla virtual machine with an operating system, e.g. Amazon EC2 and S3, Rackspace etc.
PaaS (Platform as a Service) – Here you expect a little bit more from the CSP, which helps in the development of applications on the provided infrastructure. It includes development tools, configuration management and deployment platforms such as Microsoft Azure, Force and Google App Engine.
SaaS (Software as a Service) – This is the full package of an application; the CC just has to use it and need not worry about how and where it is running or who is managing the show. It is a pure service such as an online CRM system (Salesforce.com), online office tools (Office 365), online content filtering and messaging etc.
As you move from IaaS to SaaS the CC loses control over the services whereas the CSP gains more control, which is depicted in the figure below.
Fig.2
Now we will look at the third tier of the cloud computing definition, which is nothing but the deployment options. As you have seen in the above visual model, there are four ways in which cloud services can be deployed.
Public Cloud – Available publicly; multiple customers can avail of the same services with different SLA commitments.
Private Cloud – Built specifically for a single customer and available to only that customer.
Community Cloud – Services are offered to a set of customers which form a community, such as cloud services for power generation companies, cloud services for the manufacturing industry etc.
Hybrid Cloud – A combination of any of the above.
The table below provides more information about the deployment models.
Fig.3
As mentioned above, security of cloud services is the joint responsibility of the CC and the CSP, and the split purely depends on the service offering.
As per CSA's "Trusted Cloud Reference Architecture version 2.0", Security and Risk Management is one of the key building blocks to focus on if you want to build a trusted cloud.
Fig.4 CSA Trusted Cloud security reference architecture
This block basically talks about the domains below.
Governance, Risk and Compliance – How are you going to manage governance, risk, audit, vendor, policy and awareness around CSP support staff?
InfoSec Management – Capability management, risk portfolio, risk dashboard, and residual risk management.
Privilege Management Infrastructure – This purely focuses on how effectively you manage the identities in the cloud. How secure is your authentication service? How do you manage authorization and accountability of identities in the cloud? How are privileged identities handled?
Threat and Vulnerability Management – How do you keep the environment vulnerability free and up to date with the latest patches, and provide assurance on compliance testing to the CC?
Infrastructure Protection Services – How do you protect your applications, operating systems on servers, databases, network and end points? What kind of technical controls are put around these? Do you have a perimeter firewall at the network level, are servers locked down as per hardening guidelines, do you have anti-virus and HIPS / HIDS installed at the end points, logging and monitoring enabled, an application level firewall and web content filtering?
Data Protection – How well are you managing the data lifecycle, what controls are placed to prevent data loss, how are you protecting your intellectual property and how effective is your cryptographic service management?
Policies and Standards – Have you defined information security policies and guidelines based on different industry standards like ISO 27001? Are an operational security baseline and standard operating procedures defined and followed within the organization? Are asset / data classification guidelines defined and practiced within the team?
What is Security for Cloud Computing?
As per CSA, security controls in cloud computing are, for the most part, no different than security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. This means we have to focus on a defense in depth approach for security in cloud computing.
The focus of the defense in depth approach is always the data at the center, and different types of controls such as Administrative, Technical and Physical are wrapped around the data. For example, physical security has the same importance in both a traditional data center and a cloud based data center.
CSA has defined the Cloud Controls Matrix, which provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider. The latest version of the Cloud Controls Matrix is CCM v3.0.1.
As per this control matrix there are 133 controls divided into 16 domains of CSA cloud security.
Fig.5 CCMv3.0.2 Domains
Risk Management is one of the important aspects of cloud computing. There is no different strategy for management of risk in the cloud. You have to follow the conventional approach of performing a risk assessment based on a certain framework and managing these risks either through risk mitigation by use of certain controls, or by transferring, avoiding or accepting the risk. As per ENISA's "Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012" document, cloud risks are classified into three categories: "Policy and Organizational Risks", "Technical Risks", and "Legal Risks".
The figure below represents the top rated risks identified by ENISA based on the probability and impact of the risk.
Fig.6 ENISA top security risks to cloud computing
If you refer to the table below, which lists "The Notorious Nine – Cloud Computing Top Threats in 2013", you will find that certain risks / threats are common to both documents, such as Malicious Insider / Cloud Provider Malicious Insider, Shared Technology Issues / Isolation Failure, and Insecure APIs / Management Interface Compromise.
Fig.7 – Notorious Nine Threats to Cloud Computing
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
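As an added example that is not part of the paper, the following Python scores a constructed risk register in the probability-times-impact style described above for ENISA's ratings, tracks residual risk after controls (the "residual risk management" item of the InfoSec Management domain), and applies the four treatment options the paper lists: mitigate, transfer, avoid or accept. The 1..5 scales, score cut-offs, control effects, category assignments and treatment policy are all assumptions made for illustration, not ENISA's or CSA's figures.

```python
"""Probability x impact risk scoring with residual risk, in the style the paper
describes for ENISA's ratings. Added example: the 1..5 scales, score cut-offs,
control effects and the treatment policy are assumptions, not ENISA's or CSA's."""
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_LEVEL = 1   # probability and impact are each rated 1 (very low) .. 5 (very high)


@dataclass(frozen=True)
class Control:
    """A mitigating control and how many scale steps it removes (assumed effect)."""
    name: str
    cuts_probability: int = 0
    cuts_impact: int = 0


@dataclass
class Risk:
    name: str
    category: str        # ENISA category: Policy and Organizational / Technical / Legal
    probability: int     # 1..5
    impact: int          # 1..5
    applied: List[Control] = field(default_factory=list)    # controls already in place
    available: List[Control] = field(default_factory=list)  # further controls the CC could add
    transferable: bool = False                              # contract / insurance can carry it


def inherent_score(risk: Risk) -> int:
    """Risk before any control: probability x impact on the 1..25 grid."""
    return risk.probability * risk.impact


def residual_levels(risk: Risk, controls: List[Control]) -> Tuple[int, int]:
    """Probability and impact left after the given controls, floored at MIN_LEVEL."""
    p = max(MIN_LEVEL, risk.probability - sum(c.cuts_probability for c in controls))
    i = max(MIN_LEVEL, risk.impact - sum(c.cuts_impact for c in controls))
    return p, i


def residual_score(risk: Risk) -> int:
    """Residual risk with the controls that are already applied."""
    p, i = residual_levels(risk, risk.applied)
    return p * i


def rating(score: int) -> str:
    """Bucket a 1..25 score into the three heat-map bands (assumed cut-offs)."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def recommend_treatment(risk: Risk, appetite: int) -> Tuple[str, List[str]]:
    """Choose one of the four treatments the paper lists: accept, mitigate, transfer, avoid.

    Assumed policy: accept when the residual score is within appetite; otherwise
    mitigate by adding the strongest available controls one at a time until the score
    reaches appetite; if no combination suffices, transfer when the contract allows
    it, else avoid (do not place that workload with this CSP).
    """
    if residual_score(risk) <= appetite:
        return "accept", []
    chosen: List[Control] = []
    for control in sorted(risk.available,
                          key=lambda c: c.cuts_probability + c.cuts_impact, reverse=True):
        chosen.append(control)
        p, i = residual_levels(risk, risk.applied + chosen)
        if p * i <= appetite:
            return "mitigate", [c.name for c in chosen]
    if risk.transferable:
        return "transfer", []
    return "avoid", []


def register_report(risks: List[Risk], appetite: int) -> List[Tuple[str, int, int, str, str]]:
    """Rows of (name, inherent, residual, rating, treatment), worst residual first."""
    rows = [(r.name, inherent_score(r), residual_score(r), rating(residual_score(r)),
             recommend_treatment(r, appetite)[0]) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register using risks the paper names from ENISA and the Notorious Nine.
# Category assignments, levels and control effects are illustrative assumptions.
SAMPLE_REGISTER = [
    Risk("Isolation failure / shared technology issues", "Technical", 3, 5,
         applied=[Control("Dedicated hosts for key-handling VMs", cuts_probability=1)],
         available=[Control("HSM-backed key storage", cuts_impact=2)]),
    Risk("Management interface compromise / insecure APIs", "Technical", 4, 5,
         available=[Control("MFA and IP allow-list on console and API", cuts_probability=2),
                    Control("API activity logging and alerting", cuts_impact=1)]),
    Risk("Cloud provider malicious insider", "Technical", 3, 4,
         available=[Control("Customer-managed encryption keys", cuts_impact=1)],
         transferable=True),
    Risk("Vendor lock-in", "Policy and Organizational", 4, 3,
         applied=[Control("Portable data export clause in contract", cuts_impact=1)]),
    Risk("Data protection / change of jurisdiction", "Legal", 3, 4),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER, appetite=8):
        print("%-50s inherent=%2d residual=%2d %-6s -> %s" % row)
```

Running it with an appetite of 8 puts the management interface risk at the top of the report (residual 20, High) and shows one risk landing in each of the four treatments.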
Security Certifications and Attestations – The CSP can provide assurance to the CC on its current compliance level with respect to different standards, legal and regulatory requirements through certain security certifications and attestations.
The figure below provides the security certifications obtained by different CSPs. This is just a reference, and the CC is kindly requested to obtain the list of current certifications during evaluation of the CSP.
Fig.8 – Security Certifications and Attestations
Conclusion – Cloud computing is a double edged sword which provides a good amount of benefits, but only if implemented properly considering all security, governance, privacy and legal requirements. Risk assessment and due diligence would be the key for cloud consumers to make their case a success story.
References –
“CSA Trusted cloud Reference Architecture version 2.0”
“CSA Cloud Controls Matrix, CCM v3.0.1”
“The Notorious Nine – Cloud Computing Top Threats in 2013”
ENISA’s “Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012”
The Forrester Wave™: Public Cloud Platform Service Providers’ Security, Q4 2014
END OF DOCUMENT

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 

Cloud computing understanding security risk and management

• 1. Cloud Computing - understanding security risk and management

The aim of this paper is to make cloud service consumers aware of cloud computing fundamentals, its essential characteristics, service models and deployment options. It also throws light on the security and risk management piece of the CSA Trusted Cloud Reference Architecture, the Cloud Controls Matrix, the Notorious Nine threats and ENISA's top risks to cloud computing. At the end it talks about certifications and attestations.

Author – Shamsundar Machale (CISSP)

• 2. Fig.1 NIST Visual Model of Cloud Computing Definition

What is the definition of Cloud Computing? Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The above NIST definition defines in what way you can deploy cloud, what service offerings you can make available and what the essential characteristics of cloud are. Fig. 1 represents the visual model of the above NIST cloud computing definition. Let's take a deeper look into the definition.

Any cloud should demonstrate certain essential characteristics to deliver the full benefits of cloud. Any missing essential characteristic would not give you 100% of the benefit of cloud computing. Whatever is not your core, outsource it. Similarly, maintaining capex IT infrastructure and information is not your core, so outsource it to a specialized agency, i.e. a Cloud Service Provider (CSP).

Multi-tenancy is the fundamental used in resource pooling, but keep in mind that resource pooling is not limited to your servers and storage; it extends to network connectivity, physical security, administration of cloud services and, last but not least, your facility space. The CSP uses the same infrastructure to provide services to multiple clients from the same or different geographies. This provides great benefit to the Cloud Consumer (CC) by avoiding direct capital investment and through the pay-per-use model of cloud. Only the required amount of compute, storage etc. is provisioned and no extra investment is made by the CC. At the same time, resource pooling might become a huge risk if an attacker uses the shared pooled resource to steal sensitive information processed by the CC. This is possible through attacks such as guest hopping attacks or side channel attacks to capture cryptographic keys.

The second essential characteristic is on-demand self-service. The CC should be able to do the provisioning / de-provisioning of computing resources by themselves with minimum administrative involvement from the CSP. The lead time required to do the provisioning and de-provisioning should be reduced significantly.

• 3. Rapid elasticity means the CC should be able to expand and contract services as per their requirements with immediate effect, and it will be charged on a pay-per-usage policy. There should not be any lock-in on the CSP side while reducing the required level of resources. As there is a trend of BYOD and consumerization, people want to access applications independent of location and end device, which essentially means there should not be any restriction on your work location (it can be work from office, home or cafe) or on how you access it (through your desktop, laptop, smartphone or tablet). Lastly, the CC should be able to measure the services offered by the CSP through SLAs.

Let's take a look at service offering models; there are typically three kinds of service offering models, as below.

IaaS (Infrastructure as a Service) – Here you get only infrastructure like compute and storage. This is nothing but a plain vanilla virtual machine with an operating system, e.g. Amazon EC2 and S3, Rackspace etc.

PaaS (Platform as a Service) – Here you expect a little bit more from the CSP, which helps in the development of applications on the provided infrastructure. It includes development tools, configuration management and deployment platforms such as Microsoft Azure, Force.com and Google App Engine.

SaaS (Software as a Service) – This is the full package of an application; the CC just has to use it and need not worry about how and where it is running or who is managing the show. It is pure service, such as an online CRM system (Salesforce.com), online office tools (Office 365), online content filtering and messaging etc.

As you move from IaaS to SaaS the CC loses control over the services whereas the CSP gains more control, which is depicted in the figure below. Fig-2

• 4. Now we will look at the third tier of the cloud computing definition, which is nothing but the deployment options. As seen in the above visual model, there are four ways in which cloud services can be deployed.

Public Cloud – Available publicly; multiple customers can avail of the same services with different SLA commitments.

Private Cloud – Built specifically for a single customer and available to only that one customer.

Community Cloud – Services offered to a set of customers which form a community, such as cloud services for power generation companies, cloud services for the manufacturing industry etc.

Hybrid Cloud – A combination of any of the above.

The table below provides more information about the deployment models. Fig.3

• 5. What is Security for Cloud Computing? As per CSA, security controls in cloud computing are, for the most part, no different than security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. This means we have to focus on a defense in depth approach for security in cloud computing. The focus of the defense in depth approach is always data at the center, with different types of controls such as Administrative, Technical and Physical wrapped around the data. For example, physical security has the same importance in both a traditional data center and a cloud based data center.

As mentioned above, security of cloud services is a joint responsibility of the CC and the CSP, which purely depends on the service offering. As per CSA's "Trusted Cloud Reference Architecture version 2.0", Security and Risk Management is one of the key building blocks to focus on if you want to build a trusted cloud. Fig.4 CSA Trusted cloud security reference architecture

This block basically talks about the domains below.

Governance, Risk and Compliance – How are you going to manage governance, risk, audit, vendors, policy and awareness around CSP support staff?

InfoSec Management – Capability management, risk portfolio, risk dashboard, and residual risk management.

Privilege Management Infrastructure – This purely focuses on how effectively you manage the identities in the cloud. How secure is your authentication service? How do you manage authorization and accountability of identities in the cloud? How are privileged identities handled?

Threat and Vulnerability Management – How do you keep the environment vulnerability free, up to date with the latest patches, and give assurance on compliance testing to the CC?

• 6. Infrastructure Protection Services – How do you protect your applications, operating systems on servers, databases, network and end points? What kind of technical controls are put around these? Do you have a perimeter firewall at the network level, are servers locked down as per hardening guidelines, do you have Anti-virus and HIPS / HIDS installed at the end points, logging and monitoring enabled, an application level firewall and web content filtering?

Data Protection – How well are you managing the data lifecycle, what controls are placed to prevent data loss, how are you protecting your intellectual property and how effective is your cryptographic service management?

Policies and Standards – Have you defined information security policies and guidelines based on industry standards like ISO 27001? Are an operational security baseline and standard operating procedures defined and followed within the organization? Are asset / data classification guidelines defined and practiced within the team?

CSA has defined the Cloud Controls Matrix, which provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider. The latest version of the Cloud Controls Matrix is CCM v3.0.1. As per this control matrix there are 133 controls divided into 16 domains of CSA cloud security. Fig.5 CCMv3.0.2 Domains

Risk Management is one of the important aspects of cloud computing. There is no different strategy for management of risk in the cloud. You have to follow the conventional approach of performing the risk assessment based on a certain framework and managing these risks either through risk mitigation by use of certain controls, or by transferring, avoiding or accepting the risk. As per ENISA's "Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012" document, cloud risks are classified into three categories: "Policy and Organizational Risks", "Technical Risks", and "Legal Risks".

• 7. The figure below represents the top rated risks identified by ENISA based on the probability and impact of the risk. Fig.6 ENISA top security risks to cloud computing

If you refer to the table below, which lists "The Notorious Nine – Cloud Computing Top Threats in 2013", you will find certain risks / threats are common to both documents, such as Malicious Insider / Cloud Provider Malicious Insider, Shared Technology Issues / Isolation Failure, and Insecure APIs / Management Interface Compromise.

Fig.7 – Notorious Nine Threats to Cloud Computing
Data Breaches
Data Loss
Account Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of Cloud Services
Insufficient Due Diligence
Shared Technology Issues
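The risk-treatment cycle the paper describes (assess on probability and impact the way ENISA rates its risks, then mitigate, transfer, avoid or accept, and track residual risk on a dashboard), carried through as an added example in Python that is not part of the original paper or of ENISA/CSA material. The register uses the ENISA / Notorious Nine pairs the text points out; all ratings, control effectiveness figures and the risk appetite are constructed values, not ENISA's published ones.

```python
"""Risk register exercise: score, treat and track residual risk.
Added example, not from the original paper or ENISA/CSA. Risk names follow the
paper's ENISA / Notorious Nine cross-mapping; ratings, control effectiveness
and risk appetite are constructed values, not ENISA's published ratings."""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3, "very high": 4}  # ordinal scale, constructed
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")      # options named in the paper

@dataclass
class Risk:
    name: str           # ENISA risk name (Notorious Nine name where no ENISA pairing)
    threat: str         # Notorious Nine counterpart per the paper's cross-mapping
    probability: str
    impact: str
    treatment: str = "accept"
    effectiveness: float = 0.0   # share of inherent risk the treatment removes (0..1)

    def __post_init__(self):
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment: {self.treatment}")

    def inherent(self) -> int:
        """Risk score before treatment: probability x impact, as ENISA rates risks."""
        return LEVELS[self.probability] * LEVELS[self.impact]

    def residual(self) -> float:
        """Risk left after treatment; this is what a risk dashboard tracks."""
        if self.treatment == "avoid":    # activity dropped, exposure gone
            return 0.0
        if self.treatment == "accept":   # nothing done, inherent risk remains
            return float(self.inherent())
        # mitigate (controls) or transfer (contract / insurance) reduce exposure
        return self.inherent() * (1.0 - self.effectiveness)

def build_register() -> list:
    """Constructed register using the risk/threat pairs the paper points out."""
    return [
        Risk("Isolation failure", "Shared Technology Issues",
             "medium", "very high", "mitigate", 0.75),
        Risk("Management interface compromise", "Insecure APIs",
             "medium", "very high", "mitigate", 0.5),
        Risk("Cloud provider malicious insider", "Malicious Insiders",
             "medium", "very high", "transfer", 0.25),
        Risk("Denial of service", "Denial of Service", "high", "medium", "accept"),
    ]

def dashboard(register: list, appetite: float = 4.0) -> list:
    """Rows (name, threat, inherent, residual, within_appetite), worst residual first."""
    rows = [(r.name, r.threat, r.inherent(), r.residual(), r.residual() <= appetite)
            for r in register]
    return sorted(rows, key=lambda row: (-row[3], row[0]))

def exceeding_appetite(register: list, appetite: float = 4.0) -> list:
    """Risks whose residual score still exceeds the appetite: candidates for more controls."""
    return [row[0] for row in dashboard(register, appetite) if not row[4]]

if __name__ == "__main__":
    for row in dashboard(build_register()):
        print(row)
```

The dashboard output is what the InfoSec Management domain's "risk dashboard" and "residual risk management" items refer to: an accepted risk keeps its full inherent score, so it surfaces next to a poorly covered transferred one.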
• 8. Security Certifications and Attestations – The CSP can provide assurance to the CC on its current compliance level with respect to different standards, legal and regulatory requirements through certain security certifications and attestations. The figure below provides the security certifications obtained by different CSPs. This is just a reference, and the CC is kindly requested to obtain the list of current certifications during evaluation of a CSP. Fig.8 – Security Certifications and Attestations

Conclusion – Cloud computing is a double edged sword which provides a good amount of benefits, but only if implemented properly considering all security, governance, privacy and legal requirements. Risk assessment and due diligence would be the key for cloud consumers to make their case a success story.

• 9. References –
"CSA Trusted Cloud Reference Architecture version 2.0"
"CSA Cloud Controls Matrix, CCM v3.0.1"
"The Notorious Nine – Cloud Computing Top Threats in 2013"
ENISA's "Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012"
"The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014"

END OF DOCUMENT