Governance Models – Cloud

Your company has decided to adopt Cloud. Or maybe it was among the ones that relied on virtualised environments before it was even a thing? In either case, cloud security has to be managed. How do you go about that?

Before checking out vendor marketing materials in search of the perfect technology solution, let’s step back and think of it from a governance perspective. In an enterprise like yours, there are a number of business functions and departments with various level of autonomy. Do you trust them to manage business process-specific risk or choose to relieve them from this burden by setting security control objectives and standards centrally? Or maybe something in-between?

Centralised model

1

Managing security centrally allows you to uniformly project your security strategy and guiding policy across all departments. This is especially useful when aiming to achieve alignment across business functions. It helps when your customers, products or services are similar across the company, but even if not, centralised governance and clear accountability may reduce duplication of work through streamlining the processes and cost-effective use of people and technology (if organised in a central pool).

If one of the departments is struggling financially or is less profitable, the centralised approach ensures that overall risk is still managed appropriately and security is not neglected.  This point is especially important when considering a security incident (e.g. due to misconfigured access permissions) that may affect the whole company.

Responding to incidents in general may be simplified not only from the reporting perspective, but also by making sure due process is followed with appropriate oversight.

There are, of course, some drawbacks. In the effort to come up with a uniform policy, you may end up in a situation where it loses its appeal. It’s now perceived as too high-level and out of touch with real business unit needs. The buy-in from the business stakeholders, therefore, might be challenging to achieve.

Let’s explore the alternative; the decentralised model.

Decentralised model

2

This approach is best applied when your company’s departments have different customers, varied needs and business models. This situation naturally calls for more granular security requirements preferably set at the business unit level.

In this scenario, every department is empowered to develop their own set of policies and controls. These policies should be aligned with the specific business need relevant to that team. This allows for local adjustments and increased levels of autonomy. For example, upstream and downstream operations of an oil company have vastly different needs due to the nature of activities they are involved in. Drilling and extracting raw materials from the ground is not the same as operating a petrol station, which can feel more like a retail business rather than one dominated by industrial control systems.

Another example might be a company that grew through a series of mergers and acquisitions where acquired companies retained a level of individuality and operate as an enterprise under the umbrella of a parent corporation.

With this degree of decentralisation, resource allocation is no longer managed centrally and, combined with increased buy-in, allows for greater ownership of the security programme.

This model naturally has limitations. These have been highlighted when identifying the benefits of the centralised approach: potential duplication of effort, inconsistent policy framework, challenges while responding to the enterprise-wide incident, etc. But is there a way to combine the best of both worlds? Let’s explore what a hybrid model might look like.

Hybrid model

3

The middle ground can be achieved through establishing a governance body setting goals and objectives for the company overall, and allowing departments to choose the ways to achieve these targets. What are the examples of such centrally defined security outcomes? Maintaining compliance with relevant laws and regulations is an obvious one but this point is more subtle.

The aim here is to make sure security is supporting the business objectives and strategy. Every department in the hybrid model in turn decides how their security efforts contribute to the overall risk reduction and better security posture.

This means setting a baseline of security controls and communicating it to all business units and then gradually rolling out training, updating policies and setting risk, assurance and audit processes to match. While developing this baseline, however, input from various departments should be considered, as it is essential to ensure adoption.

When an overall control framework is developed, departments are asked to come up with a specific set of controls that meet their business requirements and take distinctive business unit characteristics into account. This should be followed up by gap assessment, understanding potential inconsistencies with the baseline framework.

In the context of the Cloud, decentralised and hybrid models might allow different business units to choose different cloud providers based on individual needs and cost-benefit analysis.  They can go further and focus on different solution types such as SaaS over IaaS.

As mentioned above, business units are free to decide on implementation methods of security controls providing they align with the overall policy. Compliance monitoring responsibilities, however, are best shared. Business units can manage the implemented controls but link in with the central function for reporting to agree consistent metrics and remove potential bias. This approach is similar to the Three Lines of Defence employed in many organisations to effectively manage risk. This model suggests that departments themselves own and manage risk in the first instance with security and audit and assurance functions forming second and third lines of defence respectively.

What next?

We’ve looked at three different governance models and discussed their pros and cons in relation to Cloud. Depending on the organisation the choice can be fairly obvious. It might be emerging naturally from the way the company is running its operations. All you need to do is fit in the organisational culture and adopt the approach to cloud governance accordingly.

The point of this article, however, is to encourage you to consider security in the business context. Don’t just select a governance model based on what “sounds good” or what you’ve done in the past. Instead, analyse the company, talk to people, see what works and be ready to adjust the course of action.

If the governance structure chosen is wrong or, worse still, undefined, this can stifle the business instead of enabling it. And believe me, that’s the last thing you want to do.

Be prepared to listen: the decision to choose one of the above models doesn’t have to be final. It can be adjusted as part of the continuous improvement and feedback cycle. It always, however, has to be aligned with business needs.

Summary

Centralised model Decentralised model Hybrid model
A single function responsible for all aspects of a Cloud security: people, process, technology, governance, operations, etc. Strategic direction is set centrally, while all other capabilities are left up to existing teams to define. Strategy, policy, governance and vendors are managed by the Cloud security team; other capabilities remain outside the Cloud security initiative.
Advantages Advantages Advantages
  • Central insight and visibility across entire cloud security initiative
  • High degree of consistency in process execution
  • More streamlined with a single body for accountability
  • Quick results due to reduced dependencies on other teams

 

  • High level of independence amongst departments for decision-making and implementation
  • Easier to obtain stakeholder buy-in
  • Less impact on existing organisation structures and teams
  • Increased adoption due to incremental change
  • High degree of alignment to existing functions
  • High-priority Cloud security capabilities addressed first
  • Maintains centralised management for core Cloud security requirements
  • Allows decentralised decision-making and flexibility for some capabilities

 

Disadvantages Disadvantages Disadvantages
  • Requires dedicated and additional financial support from leadership
  • Makes customisation more time consuming
  • Getting buy-in from all departments is problematic
  • Might be perceived as not relevant and slow in adoption

 

  • Less control to enforce Cloud security requirements
  • Potential duplicate solutions, higher cost, and less effective control operations
  • Delayed results due to conflicting priorities
  • Potential for slower, less coordinated development of required capabilities
  • Lack of insight across non-integrated cloud infrastructure and services
  • Gives up some control of Cloud security capability implementation and operations to existing functions
  • Some organisation change is still required (impacting existing functions)
Advertisements

Passed my AWS Certified Solutions Architect exam – here’s how you can too

AWS Certified Solutions Architect - Associate certificate

I’ve recently passed my AWS Certified Solutions Architect – Associate exam. In this blog I would like to share some preparation tips that would help you ace it.

  1. Practice

Not only practice makes perfect, some hands-on experience is also a prerequisite for the exam. So there is really no way around that! But what if you didn’t have a chance to use your skills on a real-world project yet? No problem! AWS gives you a opportunity to learn how their cloud components work through AWS Free Tier.  For one year, you can use Amazon EC2 Amazon S3Amazon RDSAWS IoT and many more free of charge,

You want more guidance? Qwiklabs developed a set of labs that specifically designed to help you prepare for this exam. For a small price, you can complete exercises without  even requiring an AWS account or signing up for Free Tier.

  1. Read

I recommend studying AWS Whitepapers to broaden your technical understanding. If you are short on time, focus on these:

  1. Watch

AWS developed a freecself-paced Cloud Practitioner Essential course, to help you develop an overall understanding of the AWS Cloud. You will learn basic cloud concepts and AWS services, security, architecture, pricing, and support.

There is also a YouTube channel with free introductory videos and other noteworthy material.

Exam sample questions can help you check your knowledge and highlight areas requiring more study.

Remember, the best preparation for the exam is practical experience: AWS recommend 1+  years of hands-on experience with their technologies.

When you’re ready, go ahead and schedule an exam here.

Good luck!


Third-party security assessments: applying SABSA

Organisations around the world are increasingly relying on third-party vendors to provide them with competitive advantage. Many companies in a race to optimise processes and reduce costs begin to outsource core functions. This leads to increased risk profile and new challenges of supplier oversight.

Dealing with third-parties has grown bigger than being just a procurement issue. Suppliers companies increasingly rely on, pose not only legal but also reputational risks that cannot be fully transferred. Security and privacy related incidents related to third-party providers are presenting new management challenges. Moreover, regulators are increasingly demanding the management of the third-party risk.

Suppliers, however, have their own challenges. Constant squeeze on costs from their clients reduces the profit margins making it increasingly difficult for vendors to prioritise security requirements implementation.

How do we make sure the suppliers we work with are trustworthy? How do we minimise the risk exposure from a potential incident? What level of assurance is required for a supplier?

These are the questions I’m going to answer in this blog.

Understanding business drivers and goals is essential for developing a third-party risk management approach. By analysing company’s corporate strategy I was able to derive multiple business attributes relevant to the shareholders. One of them stands out: Trusted. I’m going to disregard other attributes and focus on this one for the purposes of this case study. Not only it is important for the company to be trusted by its customers, but trustworthiness is also something I’m going to explore in this blog from the third-party relationship standpoint.

After a workshop with the CIO and IT managers in various business units, I’ve defined the following IT attributes supporting the main business attribute (Trusted): Transparent, Assured and Managed.

How does the security function support the wider IT objectives and corresponding attributes? After a number of workshops and analysing the security strategy document I’ve managed to create a number of security attributes. Below is a simplified example correlating to the business and IT attributes in scope:

1

Dealing with customers and managing relationships with them is one of the core activities of the company.  As discussed above, being trusted by the customers is one of the main values of the organisation. IT department through the implementation of their technology strategy supported the business stakeholders in Sales and Marketing to outsource customer relationship management platform to a third party provider. A cloud-based solution has been chosen to fulfill this requirement.

A combination of attribute profiling, trust modelling and risk analysis is used to assess the degree of assurance required and compare third-party providers. Below is a recommended approach based on the attributes defined.

2

Security attributes mapping

Based on the internal security policy the following questionnaire has been developed to assess the supplier. Responses from the supplier have been omitted to preserve confidentiality. Below is a short excerpt from one of the sections of the questionnaire related to cloud services.

Are terms of services and liabilities clearly defined in service agreements? Governed
Are escrow arrangements in supplier contract agreement and cloud service agreements registered with procurement and documented in cloud service register. Identified
Are physical security and environmental controls present in the data centre that contains company data? Integrated
Are procedures for user authentication, authorization and access termination documented? Access-Controlled
Has the Business Continuity Plan been reviewed and approved by the executive management? Governed
How often is the Business Continuity Plans and Disaster Recovery Plans tested? Available
Is there a specific Recovery Time Objective(s) (RTO) and Recovery Point Objective(s) (RPO)? If yes, specify the RTO and RPO for the company services. Available
Are default settings customized to implement strong encryption for authentication and transmission? Access-Controlled

Attribute compliance is assessed based on the questionnaire answers, as every question is mapped to a specific attribute. Where a specific combination of an attribute corresponds to multiple questions, all answers are rated separately then an average rating for that attribute weight is calculated. Exceptions apply where certain specific questions are identified to have priority (higher level of impact on attribute compliance) over the other questions mapped to the same attribute. Expert judgement is applied to analyse such situations.

Attributes are evaluated with three main levels:

  • High level of compliance with policy (Green),
  • Medium level of compliance with policy (Amber),
  • Low level of compliance with policy (Red)

3

 


Cloud Computing Security – A brief overview of Threats, Vulnerabilities, and Countermeasures

Threats

In 2013 the Cloud Security Alliance released a report, which identifies and describes 9 significant threats to Cloud computing [3]. This report was conducted through a survey of experts and intends to help companies in their Risk assessment. The Cloud Security Alliance (CSA) is one of the first nonprofit organizations that have tried to set up standards for best practices for secure cloud computing. They further try to offer guidance and security education.

The identified threats are listed in accordance to their severity:

1. Data Breaches: Data breaches occur when sensitive information of a company falls into the hands of its competitors and cloud computing introduces new ways of attack [1,3].

2. Data Loss: Data Loss can happen in several ways and is a terrifying thought for businesses. Accidental deletions by the CSP or physical catastrophes are examples of possible ways of loosing data in the cloud. Another example is if the consumer encrypts the data before uploading it to the cloud but then looses the encryption key [1, 3].

3. Account or Service Traffic Hijacking: There are different ways an account can be hijacked such as social engineering. If an attacker is able to get access to an account he can access, for example, sensitive data, manipulate it, and also redirect transactions [3, 9].

4. Insecure APIs: Services provided by CSPs can be accessed through APIs and therefore the security of the cloud depends also highly on the security of these APIs.  Weak credentials, insufficient authorization checks and insufficient input-data validation are some problems that can arise with APIs [3, 9].

5. Denial of Service (DoS): Cloud System Resources are being overused by an attacker, which prevent users from being able to access their data or applications [1, 3].

6. Malicious insiders: This threat refers to the fraud, damage or theft of information and misuse of IT resources caused from inside the CSP [3, 9].

7. Abuse of Nefarious Use:  CSP are known to have weak registration processes and therefore can give easy access to attackers. Possible impacts include decoding and cracking of passwords and executing malicious commands [1, 3].

8. Insufficient due diligence: Some companies do not have the right resources and understanding of the cloud environment to correctly evaluate the risk associated with responsibilities. Some implications can be contractual issues and operational and architectural issues [3].

9. Shared Technology Vulnerabilities: This threat can occur in all service models and refers to the fact that a single vulnerability could compromise the entire provides cloud [3].

Vulnerabilities in the Cloud

Vulnerability is the second factor companies have to consider when assessing the risk of migrating data to the cloud. Even though many types of vulnerabilities exist, when identifying them it is important to make sure they are cloud specific.

What makes a Vulnerability cloud specific?

According to the research conducted in [5] there are several criteria, which can be met by a vulnerability to make it cloud specific.

  • Virtualization, service- oriented architecture and cryptography are examples of core technologies of cloud computing. A Vulnerability is cloud specific if it is frequent and fundamental to these core technologies.
  • Elasticity, resource pooling and pay-as-you go mode are example on the other hand of cloud characteristics [4]. A Vulnerability is cloud specific if its root cause is in one of those characteristics.
  • Another criteria that makes a vulnerability cloud specific is if it hard to implement existing security controls to cloud innovations.
  • The last criteria they mention is that it has to be frequent in established state-of-the-art cloud services

Knowing what makes a vulnerability cloud specific one can then identify vulnerabilities in the cloud. The paper [1] has identified in total 7 major vulnerabilities of cloud computing:

1 Session Riding and Hijacking: This vulnerability is related to web applications weaknesses. Session Hijacking is unauthorized access is gained through a valid session key [8]. Session riding on the other hand is when the attacker sends commands to a web application by tricking the user open an email or to visit a malicious website [1].

2. Reliability and Availability of Service: This vulnerability takes into consideration that cloud computing is not perfect. More and more service are built on top of cloud computing infrastructures. In case of a failure a large amount of Internet based services and applications may stop working. The paper [1] give the example of an event in 2008 when Amazon’s Web Service cloud storage infrastructure went down for several hours. This caused data loss and access issues.

3. Insecure Cryptography: One of the fundamental problems in cryptography is the random generation of numbers. If numbers used in cryptographic algorithm are not truly random flaws can be found easily. The Virtual machines used on the cloud do not have enough sources of entropy and are therefore susceptible to attacks [1].

4. Data Protection and Portability: This vulnerability addresses the questions of what happens with the sensitive data in case of contract termination or in case the CSP goes out of business [1].

5. Virtual Machine Escape: This vulnerability refers to the possibility of breaking out of a virtual machine and interacting with the host operating system. Given that many virtual machine can exist in the same location increases the attack surface for the attacker [1].

6 Vendor Lock-in: The vulnerability lies in companies being dependent on the CSP they have initially chosen. Inconsistencies between CSPs and lack of standards make it hard for companies to switch providers [1].

7. Internet Dependency: Cloud Computing is very much dependent on the Internet. Users usually access services through web browsers. Some critical operation such as Healthcare systems needs to be up and running 24 hours. The question arises in situations where the Internet is not reliable [1].

Countermeasures

 Having identified the risks of cloud computing it is then possible to assess which data or applications should be migrated and how much security is needed. Further, it is possible to come up with countermeasures or safeguards to mitigate these risks. Countermeasures may come in various forms such as policies, procedures, software configurations, and hardware devices [4].

For the threats and vulnerabilities mentioned in this report there exist countermeasures that can help mitigate the risk. Papers such as [6], [3], and [9] give possible solutions to these risks. Some of them are for example Identity and access management guidance for the threat of account or service hijacking [6]. The CSA has issued a report to provide a list of best practices such as separation of duties and identity management [2]. For the threat of data leakage for example the main countermeasure is encryption [8, 6].

Even though there are many countermeasures that have been identified a good practice for companies is to have a good Service Level agreement (SLA) with the CSP. SLAs are the only legal agreement between client and service provider and should cover aspects such as security policies and their implantation and also should discuss legal issues in case of misuse of services [7]. The CSA further has come up with a framework that can assist in looking at the aspects of Governance, Risk and Compliance (GRC) in a company’s IT policy when adopting a new solution. Their framework assists in assessing Clouds provided by CSPs against established best practices and standards.

We have looked at Threats and Vulnerabilities and come to conclude that there are still several issues to cloud computing that need to be solved. Therefore, it is only understandable that companies still view cloud computing skeptical and do not adopt it as an option without consideration. Companies themselves should ensure through service level agreements that they get the security they need. Further we are able to see through organizations such as the Cloud Security Alliance that there are efforts in trying to create standards and help companies in choosing the right provider.

References

[1]       Bamiah, Mervat Adib, and Sarfraz Nawaz Brohi. “Seven Deadly Threats and Vulnerabilities in Cloud Computing.” International Journal of Advanced Engineering Sciences and Technologies (IJAEST) (2011).

[2]       Brunette, Glenn, and Rich Mogull. “Security guidance for critical areas of focus in cloud computing v2. 1.” Cloud Security Alliance (2009): 1-76.

[3]       Cloud Security Alliance, “The Notorious Nine Cloud Computing Top Threats in 2013”, Cloud Security Alliance, 2013, [Online]

[4]       Dahbur, Kamal, Bassil Mohammad, and Ahmad Bisher Tarakji. “A survey of risks, threats and vulnerabilities in cloud computing.” In Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications, p. 12. ACM, 2011.

[5]       Grobauer, Bernd, Tobias Walloschek, and Elmar Stocker. “Understanding cloud computing vulnerabilities.” Security & Privacy, IEEE 9, no. 2 (2011): 50-57.

[6]       Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. “An analysis of security issues for cloud computing.” Journal of Internet Services and Applications 4, no. 1 (2013): 5.

[7]       Kandukuri, Balachandra Reddy, V. Ramakrishna Paturi, and Atanu Rakshit. “Cloud security issues.” In Services Computing, 2009. SCC’09. IEEE International Conference on, pp. 517-520. IEEE, 2009.

[8]       Munir, Kashif, and Sellapan Palaniappan. “Secure Cloud Architecture.” Advanced Computing: An International Journal (ACIJ), 4 (1), 9-22. (2013).

[9]       Yu, Ting-ting, and Ying-Guo Zhu. “Research on Cloud Computing and Security.” In Distributed Computing and Applications to Business, Engineering & Science (DCABES), 2012 11th International Symposium on, pp. 314-316. IEEE, 2012.


Governance, Risk and Compliance in the Cloud research project

cloudaudit_logocai_logo_clipped

ccm-logoctp-logo

A major UK-based telecommunications company proposed to conduct a joint research  with MSc Information Security students at UCL.

The use of cloud computing as a way of providing and consuming on-demand, pay-as-you-consume ICT service has revolutionised the industry.  Services like Amazon EC2 have seen a huge increase in its revenue. However, currently it is the Small and Medium Enterprises (SMEs) that are leading the way in the use of these public Infrastructure as a Service (IaaS) offerings. 

The company envisages that as these services become more mature and secure, they will be adopted and used by more “traditional” enterprises like the finance, health and government sector.

Governance, Risk and Compliance (GRC) plays a very important role in the IT policies of these institutions and as such, for any solution to be adopted by them, these aspects of the IT policies will have to be considered.  Several initiatives have been started to address this issue. The Cloud Security Alliance’s  GRC Stack is one of the most mature and accepted initiative in this area. It consists of four main stacks – Cloud Controls Matrix, Consensus Assessments Initiative, Cloud Audit and Cloud Trust Protocol.

It was very interesting to participate in the series of workshops to investigate how  this framework would impact and be used by the company. This helped me to learn a lot about the telecoms industry and the way they are adopting cloud technologies in a secure way.


PCI DSS Compliance in a Cloud Computing Environment. Part 3

According to the statistical survey [1] security is one of the main concerns for enterprises when making the decision to outsource their applications and infrastructure to the cloud computing environment

The inability to clearly identify where the sensitive data is stored and how it is processed is a major concern of many companies.

The problem becomes more serious when the enterprise processes cards payments and has to comply with regulatory requirements, such as PCI DSS. A need for compliance of the infrastructure with regulatory requirements plays an important role when having to decide whether to move applications or infrastructure to the cloud.

This chapter will identify specific requirements for PCI DSS compliance in a cloud computing environment and will look at research done in the field of continuous auditing.

1. PCI DSS compliance and virtualization

Virtualization, which serves as a foundation for cloud computing, introduces new unique types of risks that must be taken into consideration when deciding on adopting cloud computing in cardholder data environment. [2]

To address these concerns and to achieve PCI DSS compliance in such environment, PCI Security Standards Council issued “PCI DSS Virtualization Guidelines,” providing an example of how scope and responsibility may differ by type of cloud service (Figure 1) [2]

cloud{responsibility

Figure 1 – Area of responsibility by type of cloud service [2]

In their supplement guidance PCI Security Standards Council also focuses on following risks [2]:

– Vulnerabilities in the Physical Environment Apply in a Virtual Environment

– Hypervisor Creates New Attack Surface

– Increased Complexity of Virtualized Systems and Networks

– More Than One Function per Physical System

– Mixing Virtual machines of Different Trust Levels

– Lack of Separation of Duties

– Dormant Virtual Machines

– Virtual machines Images and Snapshots

– Immaturity of Monitoring Solutions

– Information Leakage between Virtual Network Segments

– Information Leakage between Virtual Components

For each risk they provide a set of recommendations, specifically covering compliance aspects of the cloud computing environment.

2. Continuous compliance monitoring in cloud computing environment

Ensuring the compliance of outsourced business processes to regulatory requirements is one of the key problems in the deployment of cloud computing environment [3],  [4]

Some research has been done in the field of developing models to automate the process of continuous auditing in order to ensure adherence to regulatory requirements.

Building on Speeter’s research [5], Chieu, Viswanathan, and Gupta in their work [6], push the concept further and not only provide solutions on gathering information on network and server configuration, but also provide a tool to automate this process and use collected evidence for assurance purposes.

The researchers acknowledge all possible benefits of cloud computing, but mention that “the steps of validating the configuration and security of the target workload for compliance and assuring its quality may be complex and very time consuming.” Emphasizing the difficulties of the validation process when performed manually, the authors present the design of an automation system (Figure 2) to carry out the validation of configuration on target cloud services for compliance [6].

cloud_scheme_app

Figure 2 – Architecture of the automation system for service activation [6]

The authors describe in detail how to use the presented system to collect and verify all collected evidences and ensure adherence with the regulatory requirements in the cloud computing environment. This development makes a large practical contribution, and supports various operating systems and middleware stacks. It also was deployed in shared private enterprise cloud (IBM SmartCloud Enterprise Plus [7]. However, authors acknowledge that the developed system “lacks the flexibility to support the diverse private cloud environments in which different back-end tools may have to be integrated.” [6] Allowing such flexibility may result in wider adoption and use for practical purposes, such as automation of PCI DSS compliance checks.

Acknowledging the contribution of Breaux and Antón’s research [8] Accorsi and Sato claim that there is still no sufficient research results to support creation of a uniform way of expressing the compliance requirements [9]. Moreover, in their paper, the researchers emphasize the absence of tools for automating certification procedures, and that the “multitude of regulations and contractual rules increases the complexity of checking compliance” [9].

The authors analyze some regulatory requirements and develop nine common categories. They then focus on workflows and create Petri net [10], [11], [12], [13] representation of these categories. They use the developed model to check the compliance of a given business process in relation to a given requirements. In case of non-compliance, the developed model gathers necessary evidence and points out to the problem.

Unlike Sadiq, Governatori, Namiri [14], who focus only on a single legislation, Accorsi and Sato present their categorization using several different legislations, which may be beneficial for cloud service providers who need to comply simultaneously with many different regulations. However, in their research, the authors analyze mainly business process design issues and only several legislations, ignoring, for example, PCI DSS and, more importantly, many requirements which may be specific for this legislation.

Hizver and Chiueh in their paper [15] tackle another side of automated compliance monitoring – discovering credit card flow, which is a pre-requisite to the implementation of PCI DSS.

Their research has valuable practical application, because in order to comply with PCI DSS requirements, merchants must understand how credit card data flows in their information technology infrastructure and must document it. This may result in problems with out-of-date and difficult to maintain documentation of this flow when infrastructure changes.

To avoid manual effort, the authors develop a tool that can discover payment card data flow from distributed systems in an automated manner. The foundation of the tool is virtual machine introspection technology [16].

Researchers present and thoroughly analyze the developed tool and show evidence that it can fulfill its purpose, despite the fact that communications between distributed systems are encrypted.

Conclusion

Existing issues with compliance monitoring prevent companies from outsourcing their application and infrastructure to a third party cloud computing environment [17] and slow down the process of realization of the cloud computing potential [19].

Although some positive results are achieved in the field of identifying problems with cloud computing and compliance, more research should be done in the field of automation of continuous monitoring for PCI DSS requirements in a cloud computing environment. Models should be developed and tested to allow companies to ensure their adherence with requirements not only of application, but also of external environment, especially if outsourced to third parties.

References

[1]       IDC Survey (2009) http://blogs.idc.com/ie/?p=730

[2]       PCI DSS Virtualization Guidelines (2011) https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf

[3]       ENISA (2009)” Cloud computing—benefits, risks and recommendations for information security”. European Network Information and Security Agency

[4]       Cloud Security Alliance (2013)” Top threats to cloud computing”

http://www.cloudsecurityalliance.org/

[5]       Speeter, Framba, Duncan, Talla, Bullis, (2006) “Configuration management system and method of discovering configuration data”, US Patent Pub. No. 20060179116

[6]       Chieu, Viswanathan, Gupta (2012) “Automation System for Validation of Configuration and Security Compliance in Managed Cloud Services”

[7]       IBM SmartCloud, http://www.ibm.com/cloud-computing/us/en/

[8]       Breaux, Antón (2008) “Analyzing regulatory rules for privacy and security requirements”. IEEE Trans Software Eng 34(1) p.5–20

[9]       Accorsi, Sato (2011) “Automated Certification for Compliant Cloud-based Business Processes” DOI 10.1007/s12599-011-0155-7

[10]    Murata (1989) “Petri nets: properties, analysis and applications”. Proc IEEE 77(4 :p.541–580

[11]    van der Aalst (1998) “The application of Petri nets to workflow management”. Journal of Circuits, Systems, and Computers 8(1): p.21–66

[12]    Katt, Zhang Hafner (2009)” Towards a usage control policy specification with Petri nets”. Springer LNCS 5871: p.905–912

[13]    Huang, Kirchner (2009)” Component- based security policy design with colored Petri nets”. Springer LNCS 5700: p.21–42

[14]    Sadiq, Governatori, Namiri (2007) “Modeling control objectives for business process compliance. Business process management”. Springer LNCS 4714: p.149–164

[15]    Hizver, Chiueh (2011) “Automated Discovery of Credit Card Data Flow for PCI DSS Compliance”,  30th IEEE International Symposium on Reliable Distributed Systems

[16]    Garfinkel, Rosenblum (2003) “A virtual machine introspection based architecture for intrusion detection,” Proc. Network and Distributed Systems Security Symposium,, p. 191-206.

[17]    Chow, Golle , Jakobsson  Staddon, Masuoka, Molina (2009) “Controlling data in the cloud: outsourcing computation without outsourcing control”. In: Proc ACM workshop on cloud computing security. ACM, New York, pp 85–90

[18]    Etro (2009) “The economic impact of cloud computing on business creation, employment and output in Europe”. Review of Business and Economics 54(2):p.179–218


PCI DSS Compliance in a Cloud Computing Environment. Part 2

Cloud computing

Cloud computing recently became a popular topic and has been adopted by many enterprises. The National Institute of Standards and Technology (NIST) has defined cloud computing as follows:  “Cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” [1]

1. Overview and history

According to Hamdaqa [2] cloud computing is based on two basic paradigms: virtualization, which abstracts the physical architecture and allows use of it as a software and atomic computing, which enables self-management of distributed systems

The basis of cloud computing is a notion of time sharing, [3] developed in the 1950s and allowed shared use of mainframes CPU time through terminal connection.

Later, the availability of cheap computers and high-bandwidth networks, coupled with development hardware virtualization technologies, resulted in the rapid growth of cloud computing [4], [5], [6].

2. Service and deployment models

Cloud service providers (CSPs) offer services, which could be divided into three main categories: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). There are also four types of cloud deployment models: Private Cloud, Public Cloud, Hybrid Cloud and Community Cloud. [7], [1] (Figure 1)

NIST_cloud

Figure 1- NIST Visual Model of Cloud Computing Definition [8]

Companies before making a decision on each type of cloud should weigh all benefits and limitations of each type in terms of cost and security, among others.

3. Challenges

Dillon, Wu, and Chang [9] identify the following challenges related to the adoption of cloud computing:

– Security

– Costing Model

– Charging Model

– Service Level Agreement

– What to migrate

However, the authors only briefly discuss each of these areas and focus mainly on the results of survey [10], not paying attention to such sensitive aspects of cloud computing as legal, privacy, compliance, governance, etc.

Zhang, Qi, Lu Cheng, and Boutaba [7] also present only a brief overview of cloud computing technology and discuss core research challenges. The paper does not develop new models or concepts, but instead only analyses current developments and trends.

Although the researchers touch on security issues in general, they focus mainly on basic issues with confidentiality, integrity and availability, failing to address and explore important problems such as compliance in depth.

References

[1]       Mell, and Grance (2011) “The NIST definition of cloud computing”. NIST special publication 800-145

[2]       Hamdaqa (2012). “Cloud Computing Uncovered: A Research Landscape”. Elsevier Press. p. 312. ISBN 0-12-396535-7

[3]       Strachey (1959). “Time Sharing in Large Fast Computers”. Proceedings of the International Conference on Information processing, UNESCO p. 336–341

[4]       “Cloud Computing: Clash of the clouds”. The Economist. (2009). http://www.economist.com/node/14637206?story_id=14637206

[5]        “Gartner Says Cloud Computing Will Be As Influential As E-business”. Gartner. http://www.gartner.com/newsroom/id/707508

[6]       Gruman (2008). “What cloud computing really means”.InfoWorld. http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031

[7]       Zhang, Cheng, Boutaba. (2010) “Cloud computing: state-of-the-art and research challenges.” Journal of Internet Services and Applications 1, p. 7-18.

[8]       NIST Visual Model of Cloud Computing Definition

[9]       Dillon, Wu, Chang (2010) “Cloud Computing: Issues and Challenges” 24th IEEE International Conference on Advanced Information Networking and Applications

[10]    IDC Survey (2009) http://blogs.idc.com/ie/?p=730