e-Security | Vol: 36-12014
© CyberSecurity Malaysia 2014 - All Rights Reserved
65
2. Asset must be made resilient and protected
Asset here refers to the computers and processing systems that either store or process consumer data. Both the asset and the consumer data itself must be protected from being physically tampered with, stolen or damaged. Offsite backups, redundant servers and the physical security of the cloud data centres are some of the items that need to be noted here.
3. Cloud tenants must be separated
Public cloud computing, by definition, implies multi-tenancy to some extent. This means that more than one consumer utilises the same resources of the cloud service provider. It is therefore critical that separation between different consumers of the cloud service be established, to eliminate the possibility of either malicious acts or a compromised consumer adversely affecting the confidentiality, availability or integrity of another consumer of the service.
4. Availability of audit information to consumers
It is important that consumers have audit information available to them, so that they may monitor access to their service and access to the data contained within it. This allows them to take the necessary actions in case of unexplained data access by potentially unauthorised parties.
5. Secure administration of the cloud service
The consumer should make sure that the methods used by the service provider's administrators to manage the operational service are designed to mitigate any risk of exploitation that could jeopardise the security of the service. Good practices such as separation of duties between the service provisioners and the security administrators are one example.
6. Protection of External Interfaces
It is important to identify all external and less trusted interfaces connected to the service, so that proper protections are allocated to defend them against attacks. Since the networks that the cloud service runs on belong to the cloud provider, the consumer sometimes has no say when new connections are introduced into the network at a later stage. This is an important issue for the consumer to consider.
7. Authentication and authorisation
Any and all access by both the consumer and the service provider to all interfaces into the service must follow strict authentication and authorisation processes. Nobody should be exempted from this requirement, so that there is less chance for unauthorised individuals to do something harmful, and so that actions taken by authorised individuals can later be traced back to them for accountability purposes.
8. Operational Security
The cloud service provider should have processes and procedures in place to ensure that the operational security of the service is well-defined. These processes and procedures are important so that everybody is aware of, and can properly do, their work during normal operating conditions as well as during security disasters.
9. Personnel security
The consumer should make sure that the cloud service provider performs adequate security screening of its personnel and ensures that those personnel undergo the correct security training for their role in the cloud provider’s organisation.
10. Secure development of services
Consumers should evaluate and decide whether the cloud service provider implements secure development practices. One way this can be verified is to insist on the latest vulnerability and security assessment reports for the services that the consumer is interested in. These can help to show whether the cloud service provider consistently identifies and mitigates threats to the security of the service.
Conclusion
Security is the responsibility of both the consumer and the cloud service provider. This article has attempted to describe some of the security principles that both the consumer and the provider should be concerned with. There are additional security principles that will add extra layers of confidence if they are implemented by the provider, but the principles described above should be a good starting point in the right direction for the consumer.