Cloud Computing Security for Cloud Service Providers

APRIL 2015

Introduction
1. This document is designed to assist assessors[1] validating the security posture of a cloud service in order to provide organisations with independent assurance of security claims made by Cloud Service Providers (CSPs). This document can also assist CSPs to offer secure cloud services.

2. An organisation’s cyber security team, cloud architects and business representatives should refer to the companion document Cloud Computing Security for Tenants[2].

3. Cloud computing, as defined by the U.S. National Institute of Standards and Technology[3], offers organisations potential benefits such as improved business outcomes.

4. Mitigating the risks associated with using cloud services is a responsibility shared between the organisation (referred to as the ‘tenant’) and the Cloud Service Provider, including their subcontractors (referred to as the ‘CSP’). However, organisations are ultimately responsible for protecting their data and ensuring its confidentiality, integrity and availability.

5. Organisations need to perform a risk assessment[4] and implement associated mitigations before using cloud services. Risks vary depending on factors such as the sensitivity and criticality of data to be stored or processed, how the cloud service is implemented and managed, how the organisation intends to use the cloud service, and challenges associated with the organisation performing timely incident detection and response. Organisations need to compare these risks against an objective risk assessment of using in-house computer systems which might be poorly secured, have inadequate availability or be unable to meet modern business requirements.

6. The scope of this document covers Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), provided by a CSP as part of a public cloud, community cloud and, to a lesser extent, a hybrid cloud or outsourced private cloud.

7. This document focuses on the use of cloud services for storing or processing sensitive and highly sensitive data. For Commonwealth entities, and for the purposes of this document, sensitive data is defined as unclassified data with a dissemination limiting marker (DLM), such as For Official Use Only (FOUO) or Sensitive: Personal (which aligns with the definition of sensitive information in the Privacy Act 1988[5]). Highly sensitive data is defined as data classified as PROTECTED. Additionally, this document can assist with mitigating risks to the availability and integrity of non-sensitive data, defined for Commonwealth entities as unclassified publicly releasable data. Mitigations are listed in no particular order of prioritisation.

Risk / Reference Number / Mitigations

Most Effective Risk Mitigations Generally Relevant to All Types of Cloud Services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)

Overarching failure to maintain the confidentiality, integrity and availability of the tenant’s data

1 - General

Obtain certification 15 of the cloud service and underlying infrastructure (explicitly addressing mitigations in this document) against the ISM[6] at the appropriate classification level required to handle the tenant’s data.

2 - General

Implement security governance involving senior management directing and coordinating security-related activities including robust change management, as well as having technically skilled staff in defined security roles.

3 - General

Implement and annually test an incident response plan providing the tenant with emergency contact details, the ability to access forensic evidence otherwise inaccessible to the tenant, and contractual notification of incidents.

Tenant’s data compromised in transit by malicious third party

4 - General

Support and use ASD-approved cryptographic controls to protect data in transit between the tenant and the CSP e.g. application layer TLS or IPsec VPN with approved algorithms, key length and key management.

5 - General

Use ASD-approved cryptographic controls to protect data in transit between the CSP’s data centres over insecure communication channels such as public Internet infrastructure.

6 - General

Support and use ASD-approved cryptographic controls to protect data at rest on storage media in transit via post/courier between the tenant and the CSP when transferring data as part of on-boarding or off-boarding.

Tenant’s cloud service account credentials compromised by malicious third party[7][8][9][10]

7 - General

Provide Identity and Access Management e.g. multi-factor authentication and account roles with varying privileges[11] for the tenant to use and administer the cloud service via the CSP’s website control panel and API.

8 - General

Support and use ASD-approved cryptographic controls to protect credentials and administrative activity in transit when the tenant uses and administers the cloud service via the CSP’s website control panel and API.

9 - General

Enable the tenant to download detailed time-synchronised logs and obtain real-time alerts generated for the tenant’s cloud service accounts used to access, and especially to administer, the cloud service.

10 - General

Enable the tenant to download detailed time-synchronised logs and obtain real-time alerts generated by the cloud service used by the tenant e.g. operating system, web server and application logs.

Tenant’s data compromised by malicious CSP staff or malicious third party

11 - General

Disclose the countries and legal jurisdictions where tenant data is (or will be in the coming months) stored, backed up, processed[12] and accessed by CSP staff for troubleshooting, remote administration and customer support.

12 - General

Perform background checks of CSP staff commensurate with their level of access to systems and data. Maintain security clearances for staff with access to highly sensitive data[13].

13 - General

Use physically secure data centres and offices that store tenant data or that can access tenant data[14]. Verify and record the identity of all staff and visitors. Escort visitors to mitigate them accessing data without authorisation.

14 - General

Restrict CSP staff privileged access to systems and data based on their job tasks[15]. Require re-approval every three months for CSP staff requiring privileged access. Revoke access upon termination of CSP staff employment.

15 - General


Promptly analyse logs of CSP staff actions that are logged to a secured and isolated log server. Implement separation of duties by requiring log analysis to be performed by CSP staff who have no other privileges or job roles.

16 - General

Perform a due diligence review of suppliers before obtaining software, hardware or services, to assess the potential increase to the CSP’s security risk profile.

17 - General

Use ASD-approved cryptographic controls to protect highly sensitive data at rest. Sanitise storage media prior to repair, disposal, and tenant off-boarding with a non-disclosure agreement for data in residual backups.

Tenant’s data compromised by another malicious/compromised tenant[16][17][18][19][20][21][22][23][24][25]

18 - General

Implement multi-tenancy mechanisms to prevent the tenant’s data being accessed by other tenants. Isolate network traffic, storage, memory and computer processing. Sanitise storage media prior to its reuse.

Tenant’s data unavailable due to corruption, deletion[26], or CSP terminating the account/service

19 - General

Enable the tenant to perform up-to-date backups in a format that avoids CSP lock-in. If an account or cloud service is terminated, immediately notify the tenant and provide them with at least a month to download their data.

Tenant’s data unavailable or compromised due to CSP bankruptcy or other legal action

20 - General


Contractually ensure that the tenant retains legal ownership of their data.

Cloud service unavailable due to CSP’s inadequate network connectivity

21 - General


Support adequately high bandwidth, low latency, reliable network connectivity between the tenant and the cloud service to meet the claimed level of availability as required by the tenant.

Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature

22 - General

Architect to meet the claimed level of availability as required by the tenant e.g. minimal single points of failure, clustering and load balancing, data replication, automated failover and real-time availability monitoring.

23 - General

Develop and annually test a disaster recovery and business continuity plan to meet the claimed level of availability as required by the tenant, e.g. enacted for incidents that cause enduring loss of CSP staff or infrastructure.

Cloud service unavailable due to genuine spike in demand or bandwidth/CPU denial of service

24 - General

Implement denial of service mitigations to meet the claimed level of availability as required by the tenant e.g. redundant high bandwidth external and internal network connectivity with traffic throttling and filtering.

25 - General

Provide infrastructure capacity and responsive automated scaling to meet the claimed level of availability as required by the tenant.

Financial consequences of a genuine spike in demand or bandwidth/CPU denial of service

26 - General


Enable the tenant to manage the cost of a genuine spike in demand or denial of service via contractual spending limits, real-time alerts, and configurable maximum limits for their use of the CSP’s infrastructure capacity.

CSP’s infrastructure compromised by malicious tenant or malicious third party

27 - General

Use corporately approved and secured computers, jump servers, dedicated accounts, strong passphrases and multi-factor authentication, to provide customer support and administer cloud services and infrastructure.

28 - General

Use ASD-approved cryptographic controls to protect credentials and administrative activity in transit over insecure communication channels between the CSP’s data centre and CSP administrator / customer support staff.

29 - General

Implement network segmentation and segregation[27] between the Internet, CSP infrastructure used by tenants, the network that the CSP uses to administer cloud services and infrastructure, and the CSP’s corporate LAN.

30 - General

Utilise secure programming practices for software developed by the CSP[28][29][30].

31 - General


Perform secure configuration, ongoing vulnerability management, prompt patching, annual third party security reviews and penetration testing of cloud services and underlying infrastructure.

32 - General

Train all CSP staff, especially administrators, on commencement of employment and annually, to protect tenant data, maintain cloud service availability, and proactively identify security incidents e.g. via prompt log analysis.

Most Effective Risk Mitigations Particularly Relevant to IaaS

Tenant’s Virtual Machine (VM) compromised by malicious third party[31]

1 - IaaS

Provide network access controls enabling the tenant to implement network segmentation and segregation[32], including a network filtering capability to disallow remote administration of their VMs except from their IP address.

2 - IaaS

Provide the tenant with securely configured and patched VM template images. Avoid assigning a weak administrative passphrase to newly provisioned VMs.

Most Effective Risk Mitigations Particularly Relevant to PaaS

Tenant’s data compromised by malicious third party

1 - PaaS

Harden and securely configure operating system, web server and platform software. Limit inbound and outbound network connectivity to only required ports/protocols. Promptly perform patching and log analysis.

Most Effective Risk Mitigations Particularly Relevant to SaaS

Tenant’s data compromised by malicious third party

1 - SaaS

Implement security controls specific to the cloud service e.g. for email delivered as a service, provide features including whitelisted content filtering with automated dynamic analysis of emails and email attachments.

2 - SaaS

Implement general security controls[33] e.g. limited inbound and outbound network connectivity to only required ports/protocols, antivirus software updated daily, intrusion prevention systems and prompt log analysis.
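One way an assessor or tenant could verify mitigation 1 - IaaS against an exported set of network filtering rules. This is an added example, not part of the original document: the rule schema, the list of administration ports and the addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: TCP ports treated as remote administration (SSH, RDP, WinRM).
# The guidance itself names no ports; adjust to the services actually in use.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}


def audit_admin_exposure(rules, tenant_sources):
    """Return (rule name, service, port, source) for every inbound allow rule
    that opens an admin port to addresses outside the tenant's own networks."""
    allowed = [ipaddress.ip_network(s) for s in tenant_sources]
    findings = []
    for rule in rules:
        if rule["direction"] != "inbound" or rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["source"])
        # Acceptable only if the rule's whole source range lies inside an
        # approved tenant network (same IP version, subnet or equal).
        if any(src.version == net.version and src.subnet_of(net) for net in allowed):
            continue
        low, high = rule["ports"]
        for port, service in sorted(ADMIN_PORTS.items()):
            if low <= port <= high:  # port ranges can hide an admin port
                findings.append((rule["name"], service, port, rule["source"]))
    return findings


def _rule(name, direction, source, ports, action="allow"):
    # Hypothetical rule record; real provider exports will differ.
    return {"name": name, "direction": direction, "action": action,
            "source": source, "ports": ports}


# Constructed sample data using documentation address ranges.
TENANT_SOURCES = ["203.0.113.10/32"]
SAMPLE_RULES = [
    _rule("web", "inbound", "0.0.0.0/0", (443, 443)),
    _rule("ssh-office", "inbound", "203.0.113.10/32", (22, 22)),
    _rule("rdp-any", "inbound", "0.0.0.0/0", (3389, 3389)),
    _rule("wide-range", "inbound", "198.51.100.0/24", (1, 1024)),
    _rule("ssh-v6-any", "inbound", "::/0", (22, 22)),
    _rule("egress-ssh", "outbound", "0.0.0.0/0", (22, 22)),
]

if __name__ == "__main__":
    for name, service, port, source in audit_admin_exposure(SAMPLE_RULES, TENANT_SOURCES):
        print(f"{name}: {service} ({port}/tcp) is reachable from {source}")
```

The check treats every allow rule as effective; it does not model rule priority or deny rules that would override an allow.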


Further information

8. The Australian Government Information Security Manual (ISM)[34] provides guidance for mitigations such as ASD-approved cryptographic controls. The Strategies to Mitigate Cyber Security Incidents[35] provide additional guidance for mitigations such as prompt patching, prompt log analysis, securing computers, as well as network segmentation and segregation.

9. Commonwealth entities applying the ISM must only use outsourced cloud services listed on the Australian Cyber Security Centre’s Certified Cloud Services List (CCSL)[36]. Commonwealth entities need to perform accreditation activities, including reviewing the certification report, to determine whether the residual risk of their proposed use of a cloud service is acceptable. Commonwealth entities also need to perform an additional due diligence review of financial, privacy, data ownership, data sovereignty and legal risks[37].

10. Additional cloud computing security advice is available at https://www.acsc.gov.au/infosec/cloudsecurity.htm.

Contact details

11. Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

[1] https://www.acsc.gov.au/infosec/irap.htm

[2] https://www.acsc.gov.au/infosec/cloudsecurity.htm

[3] https://csrc.nist.gov/publications/detail/sp/800-145/final

[4] https://www.protectivesecurity.gov.au/infgovermnationce/security/Documents/Austra-plianGovernmentInformationSecug-rityMsk-managementGui/Pages/defaulinet.as.pdfx

[5] https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles

[6] https://www.acsc.gov.au/infosec/ism/

[7] https://www.browserstack.com/attack-and-downtime-on-9-November

[8] https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack/d/d-id/1278743

[9] https://securosis.com/blog/my-500-cloud-security-screwup

[10] https://www.theregister.co.uk/2014/05/20/github_oversharing_snafu_nbc_private_keys/

[11] https://www.acsc.gov.au/publications/protect/Restricting_Admin_Privileges.pdf

[12] https://news.defence.gov.au/media/media-releases/defence-optometry-contract-cancelled

[13] https://www.protectivesecurity.gov.au/personnelsecurity/Pages/default.aspx

[14] https://www.protectivesecurity.gov.au/physicalsecurity/Pages/default.aspx

[15] https://www.acsc.gov.au/publications/protect/Restricting_Admin_Privileges.pdf

[16] https://www.cvedetails.com/vulnerability-list.php?vendor_id=252&product_id=22134&page=1&order=3

[17] https://docs.microsoft.com/en-au/security-updates/SecurityBulletins/2013/ms13-092

[18] https://www.cvedetails.com/vulnerability-list.php?vendor_id=6276&page=1&order=3

[19] https://access.redhat.com/errata/RHSA-2014:0420

[20] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0311

[21] https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/

[22] https://opensource.com/business/14/7/docker-security-selinux

[23] https://www.theregister.co.uk/2014/11/25/docker_vulnerabilities/

[24] https://www.theregister.co.uk/2014/12/12/docker_vulnerability/

[25] https://seclists.org/fulldisclosure/2014/Dec/26

[26] https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack/d/d-id/1278743

[27] https://www.acsc.gov.au/publications/protect/Network_Segmentation_Segregation.pdf

[28] https://www.microsoft.com/en-us/sdl

[29] https://www.sans.org/top25-software-errors

[30] https://www.owasp.org/index.php/OWASP_Proactive_Controls

[31] https://www.browserstack.com/attack-and-downtime-on-9-November

[32] https://www.acsc.gov.au/publications/protect/Network_Segmentation_Segregation.pdf

[33] https://www.acsc.gov.au/infosec/top35mitigationstrategies.htm

[34] https://www.acsc.gov.au/infosec/ism/

[35] https://www.acsc.gov.au/infosec/top35mitigationstrategies.htm

[36] https://www.acsc.gov.au/infosec/irap/certified_clouds.htm

[37] https://www.finance.gov.au/archive/cloud/