Recently Updated Documents

Cloud Computing Security for Tenants

Last updated 1 month ago

Download From Source

APRIL 2015

Cloud Computing Security
for Tenants
Introduction
1.

This document is designed to assist an organisation’s cyber security team, cloud architects and
 business representatives
to jointly perform a risk assessment and use cloud services securely.

2.

Assessors1 validating the security posture of a cloud service offered by Cloud Service Providers
 (CSPs), and CSPs that
want to offer secure cloud services, should refer to the companion
 document Cloud Computing Security for Cloud
Service Providers 2.

3.

Cloud computing, as defined by the U.S. National Institute of Standards and Technology3, offers
 organisations potential
benefits such as improved business outcomes.

4.

Mitigating the risks associated with using cloud services is a responsibility shared between the
 organisation (referred to
as the ‘tenant’) and the Cloud Service Provider, including their
 subcontractors (referred to as the ‘CSP’). However,
organisations are ultimately responsible for
 protecting their data and ensuring its confidentiality, integrity and
availability.

5.

Organisations need to perform a risk assessment 4 and implement associated mitigations before
 using cloud services.
Risks vary depending on factors such as the sensitivity and criticality of
 data to be stored or processed, how the cloud
service is implemented and managed, how the
 organisation intends to use the cloud service, and challenges associated
with the organisation
 performing timely incident detection and response. Organisations need to compare these risks
against an objective risk assessment of using in-house computer systems which might be poorly
 secured, have
inadequate availability or be unable to meet modern business requirements.

6.

The scope of this document covers Infrastructure as a Service (IaaS), Platform as a Service
 (PaaS) and Software as a
Service (SaaS), provided by a CSP as part of a public cloud,
 community cloud and, to a lesser extent, a hybrid cloud or
outsourced private cloud.

7.

This document focuses on the use of cloud services for storing or processing sensitive and
 highly sensitive data. For
Commonwealth entities, and for the purposes of this document,
 sensitive data is defined as unclassified data with a dissemination limiting marker (DLM), such
as OFor Official Use Only (FOUO) orICIAL: Sensitive: Personal (which aligns with the definition of
sensitive information in the Privacy Act 19885). Highly
sensitive data is defined as data classified
 as PROTECTED. Additionally, this document can assist with mitigating risks to
the availability
 and integrity of non-sensitive data, defined for Commonwealth entities as unclassified publicly
releasable data. Mitigations are listed in no particular order of prioritisation.

Page 1 of 4

Cloud Computing Security for Tenants
Risk

Reference
Number

APRIL 2015
Mitigations

Most Effective Risk Mitigations Generally Relevant to All Types of Cloud Services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)

Overarching failure to maintain the confidentiality, integrity and availability of the tenant’s data

1 - General

Use a cloud service that has been assessed15, certified and accredited against the ISM6 at the appropriate classification level, addressing mitigations in the document Cloud Computing Security for Cloud Service Providers2 7.

2 - General

Implement security governance involving senior management directing and coordinating security-related activities including robust change management78, as well as having technically skilled staff in defined security roles.

3 - General

Implement and annually test an incident response plan covering data spills, electronic discovery, and how to obtain and analyse evidence e.g. time-synchronised logs, hard disk images, memory snapshots and metadata89 910.

4 - General

Use ASD-approved cryptographic controls to protect data in transit between the tenant and the CSP e.g. application layer TLS or IPsec VPN with approved algorithms, key length and key management.

5 - General

Use ASD-approved cryptographic controls to protect data at rest on storage media in transit via post/courier between the tenant and the CSP when transferring data as part of on-boarding or off-boarding.

6 - General

Use a corporately approved and secured computer, multi-factor authentication, a strong passphrase, least access privileges135 and encrypted network traffic to administer (and, if appropriate, access) the cloud service.

7 - General

Protect authentication credentials e.g. avoid exposing Application Programming Interface (API) authentication keys placed on insecure computers or in the source code of software that is accessible to unauthorised third parties.

8 - General

Obtain and promptly analyse detailed time-synchronised logs and real-time alerts for the tenant’s cloud service accounts used to access, and especially to administer, the cloud service.

9 - General

Obtain and promptly analyse detailed time-synchronised logs and real-time alerts generated by the cloud service used by the tenant e.g. operating system, web server and application logs.

Tenant’s data compromised in transit by malicious third party

Tenant’s cloud service account credentials compromised by malicious third party9 10 11 12

Tenant’s data compromised by malicious CSP staff or malicious third party
10 - General

Avoid providing the CSP with account credentials (or the ability to authorise access) to sensitive systems outside of the CSP’s cloud such as systems on the tenant’s corporate network.
Tenant’s data compromised by another malicious/compromised tenant14 15 16 17 18 19 20 21 22 23

11 - General

Use multi-tenancy mechanisms provided by the CSP e.g. to separate the tenant’s web application and network traffic from other tenants, use the CSP’s hypervisor virtualisation instead of web server software virtual hosting.

Tenant’s data unavailable due to corruption, deletion10, or CSP terminating the account/service 12 - General

Perform up-to-date encrypted backups in a format avoiding CSP lock-in, stored offline at the tenant’s premises or at a second CSP requiring multi-factor authentication to modify/delete data. Annually test the recovery process.

Tenant’s data unavailable or compromised due to CSP bankruptcy or other legal action

13 - General

Contractually retain legal ownership of tenant data. Perform a due diligence review of the CSP’s contract and financial viability as part of assessing privacy and legal risks 247.

Cloud service unavailable due to tenant’s inadequate network connectivity to the cloud service

14 - General

Implement adequately high bandwidth258, low latency, reliable network connectivity between the tenant (including the tenant’s remote users) and the cloud service to meet the tenant’s availability requirements.

Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature

15 - General

Use a cloud service that meets the tenant’s availability requirements. Assess the Service Level Agreement penalties, and the number, severity, recency and transparency of the CSP’s scheduled and unscheduled outages.

Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature
16 - General

Develop and annually test a disaster recovery and business continuity plan to meet the tenant’s availability requirements e.g. where feasible for simple architectures, temporarily use cloud services from an alternative CSP.
Financial consequences of a genuine spike in demand or bandwidth/CPU denial of service

17 - General

Manage the cost of a genuine spike in demand or denial of service via contractual spending limits, denial of service mitigation services and judicious use of the CSP’s infrastructure capacity e.g. limits on automated scaling.

Most Effective Risk Mitigations Particularly Relevant to IaaS
1 - IaaS

Securely configure, harden and maintain VMs with host based security controls2630 e.g. firewall, intrusion prevention system, logging, antivirus software, and prompt patching of software that the tenant is responsible for.

2 - IaaS

Use a corporately approved and secured computer to administer VMs requiring access from the tenant’s IP address, encrypted traffic, and a SSH/RDP PKI key pair protected with a strong passphrase.

3 - IaaS

Only use VM template images provided by trusted sources, to help avoid the accidental or deliberate presence of malware and backdoor user accounts. Protect the tenant’s VM template images from unauthorised changes.

4 - IaaS

Implement network segmentation and segregation2731 e.g. n-tier architecture, using host based firewalls and CSP’s network access controls to limit inbound and outbound VM network connectivity to only required ports/protocols.

5 - IaaS

Utilise secure programming practices for software developed by the tenant328 2933 304.

Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature

6 - IaaS

Architect to meet availability requirements e.g. minimal single points of failure, data replication, automated failover, multiple availability zones, geographically separate data centres and real-time availability monitoring.

Cloud service unavailable due to genuine spike in demand or bandwidth/CPU denial of service

7 - IaaS

If high availability is required, implement clustering and load balancing, a Content Delivery Network for public web content, automated scaling with an adequate maximum scale value, and real-time availability monitoring.

1 - PaaS

Securely configure and promptly patch all software that the tenant is responsible for.

2 - PaaS

Utilise secure programming practices for software developed by the tenant2835 2936 307.

Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature

3 - PaaS

Architect to meet availability requirements e.g. minimal single points of failure, data replication, automated failover, multiple availability zones, geographically separate data centres and real-time availability monitoring.

Cloud service unavailable due to genuine spike in demand or bandwidth/CPU denial of service

4 - PaaS

If high availability is required, implement clustering and load balancing, a Content Delivery Network for public web content, automated scaling with an adequate maximum scale value, and real-time availability monitoring.

Tenant’s data compromised by malicious CSP staff or malicious third party

1 - SaaS

Use security controls specific to the cloud service e.g. tokenisation to replace sensitive data with non-sensitive data, or ASD-approved encryption of data (not requiring processing) and avoid exposing the decryption key.

Cloud service unavailable due to genuine spike in demand or bandwidth/CPU denial of service

2 - SaaS

If high availability is required, where possible and appropriate, implement additional cloud services providing layered denial of service mitigation, where these cloud services might be provided by third party CSPs.

Most Effective Risk Mitigations Generally Relevant to All Types of Cloud Services
Overarching failure to maintain the confidentiality, integrity and availability of the tenant’s data

Tenant’s data compromised in transit by malicious third party

Tenant’s cloud service account credentials compromised by malicious third party

11 12 13 14

Tenant’s data compromised by malicious CSP staff or malicious third party

Tenant’s data compromised by another malicious/compromised
Tenant’s data unavailable due to corruption,

deletion26,

tenant16 17 18 19 20 21 22 23 24 25

or CSP terminating the account/service

Financial consequences of a genuine spike in demand or bandwidth/CPU denial of service
Most Effective Risk Mitigations Particularly Relevant to IaaS
Tenant’s Virtual Machine (VM) compromised by malicious third party29

Most Effective Risk Mitigations Particularly Relevant to PaaS
Tenant’s web application compromised by malicious third party

Most Effective Risk Mitigations Particularly Relevant to SaaS

Page 2 of 4

Further information
8.

The Australian Government Information Security Manual (ISM)638 provides guidance for
 mitigations such as ASD-approved cryptographic controls. The Strategies to Mitigate Cyber
 Security Incidents26 39 provide additional guidance
for mitigations such as prompt patching, prompt
 log analysis, securing computers, as well as network segmentation and
segregation.

9.

Commonwealth entities applying the ISM must only use outsourced cloud services listed on the
 Australian Cyber
Security Centre’s Certified Cloud Services List (CCSL)3140. Commonwealth
 entities need to perform accreditation
activities, including reviewing the certification report, to
 determine whether the residual risk of their proposed use of a
cloud service is acceptable.
 Commonwealth entities also need to perform an additional due diligence review of
financial,
 privacy, data ownership, data sovereignty and legal risks2 4.

10.

Additional cloud computing security advice is available at
 https://www.acsc.gov.au/infosec/cloudsecurity.htm.

Contact details
11.

Organisations or individuals with questions regarding this advice can contact the ACSC by
 emailing
asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

1

https://www.acsc.gov.au/infosec/irap.htm

2

https://www.acsc.gov.au/infosec/cloudsecurity.htm

3

 https://csrc.nist.gov/publications/detail/sp/800-145/final

4

 https://www.protectivesecurity.gov.au/infgovermnationce/security/Documents/Austra-plianGovernmentInformationSecug-rityMsk-manageme
ntGui/Pages/defaulinet.as.pdfx
5

https://www.oaicsc.gov.au/individualfosec/pirivacy-facp.ht-sm
6
heettps:/general/privwww.acy-fasct-sheet-17-australian-pri.gov.acy-pru/infosec/iplesm/

6
7
https://www.acsc.gov.au/infosec/icloudsecurity.htm/

7

8 https://isc.sans.org/diary/Who+inherits+your+IP+address%3F/18365

8

9 https://securosis.com/blog/cloud-forensics-101

10 https://www.browserstack.com/attack-and-downtime-on-9-November
11
https://www.browserstack.com/attack-and-downtime-on-9-November

10

2 https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack/d/d-id/1278743

11

3 https://securosis.com/blog/my-500-cloud-security-screwup

12

4 https://www.theregister.co.uk/2014/05/20/github_oversharing_snafu_nbc_private_keys/

13

5 https://www.acsc.gov.au/publications/protect/Restricting_Admin_Privileges.pdf

14

6 https://www.cvedetails.com/vulnerability-list.php?vendor_id=252&product_id=22134&page=1&order=3

15

7 https://docs.microsoft.com/en-au/security-updates/SecurityBulletins/2013/ms13-092

16

8 https://www.cvedetails.com/vulnerability-list.php?vendor_id=6276&page=1&order=3

17

9 https://access.redhat.com/errata/RHSA-2014:0420

18
20
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0311

Page21 3 of 4

19

https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/

20

2 https://opensource.com/business/14/7/docker-security-selinux

21

3 https://www.theregister.co.uk/2014/11/25/docker_vulnerabilities/

22

4 https://www.theregister.co.uk/2014/12/12/docker_vulnerability/

23

5 https://seclists.org/fulldisclosure/2014/Dec/26
26
https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack/d/did/1278743

27 https://www.finance.gov.au/archive/cloud/

25

8 https://www.zdnet.com/article/terra-firma-goes-with-private-cloud-for-virtual-desktops/
1
26

3

29

https://www.browserstack.com/attack-and-downtime-on-9-November
https://www.acsc.gov.au/infosec/top35mitigationstrategies.htm

27

31 https://www.acsc.gov.au/publications/protect/Network_Segmentation_Segregation.pdf
32 https://www.microsoft.com/en-us/sdl
33 https://www.sans.org/top285-software-errors
34 https://www.owasp.org/index.php/OWASP_Proactive_Controls
35
https://www.microsoft.com/en-us/sdl

29
36
https://www.sans.org/top25-software-errors

30
7
https://www.owasp.org/index.php/OWASP_Proactive_Controls
38
https://www.acsc.gov.au/infosec/ism/
319
https://www.acsc.gov.au/infosec/top35mitigationstrategies.htm
40 https://www.acsc.gov.au/infosec/irap/certified_clouds.htm

P41 https://www.finance.gov.au/archive 4 /clof ud/
30

4