Building a secure enterprise model for cloud computing environment.
Srinivasan, Meena
INTRODUCTION
Cloud computing, in which vendors provide services to enterprises over
the Internet, is one of the most attractive technologies and has
experienced rapid growth. The promising future of cloud can be impeded by
security concerns due to the complex nature of the cloud. This research
will focus on developing secure measures in the cloud computing
environment from an enterprise-level perspective. Maturity levels are an
effective way for managers in enterprises to measure the effectiveness
of security for the organization. A number of security maturity models
exist, but a good choice is one that is aligned with the business needs of
an organization (Urquhart, 2010). The ISO/IEC 27002 framework does not have
any mandatory requirements and the various categories in this framework
will be analyzed for the cloud computing environment. The rest of this
paper is organized as follows: Cloud computing is described in section 2
and the available security measures discussed in section 3. The ISO/IEC
27002 framework is explained in section 4. The application of the
ISO/IEC 27002 framework to the cloud environment is described in section
5, followed by a summary in the last section.
WHAT IS CLOUD COMPUTING?
In the cloud environment, computing resources are delivered as
services to enterprises by vendors. Enterprises can access resources
provided by the vendor using the Internet as opposed to hosting and
operating them locally. From this simple definition of cloud, one can
note that cloud computing offers many benefits. The cloud vendor does
the maintenance of hardware and software, and the vendor can provide
adequate resources and storage to enterprises if the demand increases.
This scalability property is an advantage in cloud computing.
Enterprises which use the services of the cloud vendor have an agreement
with the vendor. Cloud vendors can offer software, platform,
infrastructure, storage or combinations of these as services to
enterprises. The enterprises do not have control over many issues in the
cloud environment. Security is a major concern for these enterprises as
many cloud vendors are not transparent on security matters. It is
important that enterprises and cloud vendors address security issues
and negotiate agreements referred to as service level agreements (SLA)
(Creese, Hopkins, Pearson and Shen, 2009). Enterprises need to make sure
that SLA negotiations are maintained. In legal issues, the enterprise has
to take steps to find violations in the SLA (Chapin, Akridge, 2005).
In the cloud environment, the exact location of the data is hard to
detect. The data may span different countries and, in case of
legal issues, is subject to the laws of the nation where it resides.
Cloud vendors may have multiple tenants and offer multi-tiered services.
When enterprises use clouds, there is a high level of risk due to many
enterprises or tenants sharing the cloud. The cloud vendor must ensure the
highest level of security to each of its clients. The cloud service
provider may use different sub vendors for its services. A cloud vendor
can provide infrastructure services but may use another vendor's service
for software, and hence the service is multi-tiered. With this multi-tier
service, the risk associated with each tier is high and, with different
vendors, implementing secure measures is complex. These issues must be
addressed by the enterprises in the service level agreement with vendors.
An enterprise may be locked in with a cloud vendor, and transfer of
data or change of vendor may not be easy to accomplish. There are many
issues to be addressed by enterprises in using services of vendors, such as:
transfer of data if the vendor goes out of business, change of applications
or platforms in using vendors, integration of security policies of the
enterprise with vendor security policies, governance and legal issues, and
data distribution across multiple vendors. The main threat enterprises
face in cloud computing is attacks by hackers, which can lead to loss of
confidentiality, integrity or availability of data. The SLA should have
clear answers to how cloud vendors will deal with security and legal
issues, policies, asset control, data transfer and deletion, business
continuity, backups and security policies.
SECURE MEASURES FOR CLOUDS
Many organizations are increasingly shifting to the cloud due to
advantages such as low maintenance and savings in cost. Gartner, Inc. had
predicted that sales of global cloud services would grow 16 percent
between 2009 and 2010, from $58.6 billion in 2009 to $68.3 billion in
2010 and global cloud services revenue would be about $148.8 billion in
2014 (Korzeniowski, Jander, 2009). With this tremendous growth for cloud
computing, security is important for the continued success of cloud. In a
recent survey by Information Week (Korzeniowski, Jander, 2009), security
concerns ranked highest in the use of cloud. Poor secure measures could
impede growth of clouds. Each cloud vendor has different security
procedures. Maturity models are one way to measure progress of a
security program (Creese, Hopkins, Pearson and Shen, 2009). How can an
organization determine if the vendor it plans to use for cloud services
is secure? Enterprises need a way to measure the security offered by vendors.
Currently available maturity models include the COBIT maturity model, the
SSE-CMM model, and the CERT/CSO Security Capability Assessment model.
These models need to be customized specifically
for the organization and hence it is difficult to compare results from
one organization to another (Chapin, Akridge, 2005). These models focus
on program elements from an engineering or project management background.
The approach used in this research is toward a detailed security maturity
model called the Security Program Maturity Model and has a management
systems approach. It follows the ISO 17799 standards for developing a
complete security program and it involves the existence or number of
elements.
INFORMATION SECURITY MANAGEMENT FRAMEWORK ISO 27002
The International Organization for Standardization (ISO) is a
worldwide federation of national standards bodies from more than 140
countries. ISO 17799 is an international security standard that has been
published by the ISO (International Organization for Standardization)
and the IEC (International Electrotechnical Commission). ISO 17799
provides a comprehensive security framework and was updated to ISO/IEC
27002, which has many controls within 12 security control clauses and 39
main security categories (ISO/IEC 27002:2005, 2010). The controls, which
are not organized by any specific criteria, are listed in Table 1 (Chapin,
Akridge, 2005). ISO/IEC 27002 does not provide details on implementation
and does not guarantee complete security using the controls. ISO/IEC
17799, IS 20072 offers guidelines and general principles for improving
information security in organization. ISO 17799 does not have mandatory
requirements. Each control should be given equal importance.
ISO/IEC 27002 FRAMEWORK FOR CLOUD COMPUTING
This research analyzes the ISO/IEC 27002 framework when enterprises
use services of cloud vendors. The ISO framework includes the three
categories: organizational infrastructure, technical infrastructure and
information protection, listed in Figure 1. Figure 2 lists the categories
included in each of the broad categories.
[FIGURE 1 OMITTED]
[FIGURE 2 OMITTED]
The Organizational Infrastructure
Organizational Security
The cloud vendor must manage the security processes efficiently.
The vendor must have suitable information system governance procedures
specified in the service level agreements.
Asset Classification and Control
Assets of the enterprises must be specified in the SLA and can
include files, software and data. Enterprises need to be sure that
vendors protect their assets and provide them with an appropriate level of
security. The vendor or sub vendors must perform periodic evaluations to
ensure that asset control procedures are effective.
Information Security Policy
The cloud vendor must include security policies in the SLA. The
policy should include a description and review of the information security
document. The policy must be comprehensive and supported by a range of
documentation covering standards and guidelines.
The Technical Infrastructure
Access control
Vendors must have ways to detect unauthorized activities and
provide security for remote access of data. The vendor must protect
against threats by controlling access to networks, operating systems and
applications by enforcing access control policies that must be specified
in the SLA.
Systems Development and Maintenance
The SLA must ensure the security of the network, confidentiality
and integrity of information. The vendor must take efforts to maintain
security of software for enterprises that use the cloud.
Communications and Operations Management
Security procedures must be built into network operations to
prevent damage to assets and disruption of business activities. The
cloud provider must maintain documented operating procedures for
information systems, protect against malicious code and protect network
services in agreement with SLA.
Physical and Environmental Security
Enterprises need cloud vendors to manage physical threats and use
appropriate security controls to prevent theft of information. The
location of data is unknown in the cloud and facilities should be
located in secure physical and environmental facilities.
Information Security Incident Management
Information security incidents should be properly managed and there
should be enterprise and vendor agreements in managing incidents.
Information Protection
Human Resources Security
Enterprises need to make sure that cloud vendors follow policies
and procedures in hiring administrators and users. Training must be
provided to users so they can respond to security incidents in an
effective way. The vendor and enterprise must be aware of policies in
each region if the data are in different regions. The enterprise and the
vendor must take steps to protect assets and these must be followed by
all sub vendors.
Business Continuity Management
Business continuity plans ensure continuity of business operations
when major disasters affect the critical processes in an organization.
The dynamic cloud computing environment involves security risks, and
vendors must understand that business continuity needs differ among
enterprises. The enterprise must have independent plans for backups and
migration to other cloud providers in the event of disasters.
Compliance
Enterprises need to comply with legal requirements, security
standards and regulations. The use of cloud computing makes it hard to
achieve compliance as the security policies of the enterprise may differ
from that of cloud provider.
Risk Management
Vendors must identify, describe and rank risks in order, in
compliance with the enterprise. Risk management should include
risk analysis and risk evaluation. The elements of the ISO/IEC 27002
categories can be classified into different levels to make the model
effective. Table 2 shows the four distinct levels, which are defined with
increasing protection (Eloff & Eloff, 2003).
CONCLUSION
Cloud computing is a growing field and many enterprises are
shifting to clouds for ease of use and decreased costs. The impediments to
using clouds for businesses are loss of control and inadequate security
measures. Currently there are no effective metrics to measure security
for cloud computing environments. This research applies the ISO/IEC
27002 framework for cloud computing. For further secure measures, the
elements of this framework can be classified into different levels with
varying protections. This is one of the ways enterprises can benchmark
different cloud vendor services for doing businesses using cloud
computing environment.
REFERENCES
Creese, S., P. Hopkins, S. Pearson & Y. Shen (2009). Data
Protection-Aware Design for Cloud Computing, Proceedings of the 1st
International Conference on Cloud Computing, 119-130.
Chapin, D. & S. Akridge (2005). How Can Security Be Measured?
Information Systems Control Journal.
Eloff, J. & M. Eloff (2003). Information Security Management: A
New Paradigm, Proceedings of the 2003 annual research conference of the
South African institute of computer scientists and information
technologists on enablement through technology (SAICSIT), 130-136.
ISO/IEC 27002:2005 Information technology - Security
techniques - Code of Practice for Information Security Management.
Retrieved Dec 9, 2010 from
http://www.iso27001security.com/html/27002.html#Section11
Korzeniowski, P., & Jander, M. (2009). Cloud Security,
Information Week. Retrieved April 3, 2011, from
http://www.informationweek.com/news/security/storage/showArticle.jhtml?articleID=221601449
Urquhart, J. (2008). A maturity model for cloud computing, Cnet
News website. Retrieved March 15, 2010, from
http://news.cnet.com/8301-19413_3-10122295-240.html
Meena Srinivasan, University of District of Columbia
Table 1: ISO/IEC 27002 CATEGORIES
Overall security management            Communications and operations management
Asset classification and control       Organizational security
Human resources security               Business continuity management
Physical and environmental security    Compliance
Access control                         Information security incident management
System development and maintenance     Risk assessment and treatment
Table 2: Levels of Protection
Level 1: Low        no effort made by vendor to implement controls
Level 2: Minimal    minimal effort by vendor to implement controls
Level 3: Adequate   adequate effort by vendor to implement controls
Level 4: High       high effort by vendor to implement controls and effective cloud computing