
A Survey on Cloud Provider Security Measures

Alex Pucher, Stratos Dimopoulos

Abstract
Cloud computing offers a virtually unlimited amount of resources at flexible pay-as-you-go cost. Many enterprises already take advantage of this model, but security and privacy concerns limit the further adoption of the technology. Cloud providers acknowledge the additional needs of regulated enterprises and government agencies and have started offering security certifications and separate, tightly controlled government cloud infrastructure. This paper is a survey of the published security mechanisms implemented in the best-known cloud service products, such as Amazon AWS, Google App Engine and Microsoft Azure. Our goal is to identify the levels of security they provide. We analyze different aspects of their systems (certification/standards adherence, authentication/authorization mechanisms, protection from actual attacks, etc.), compare them and extract useful results regarding the security levels they offer.

Contents
Introduction
Amazon AWS
  Overview
  Certification / Standards Adherence [2]
  Physical Security
  Security Features / Services Security [1]
Rackspace
  Overview
  Certification / Standards Adherence [14]
  Physical Security
  Security Features / Services Security
  Privacy
Google Cloud
  Overview
  Certification / Standards Adherence
  Physical Security
Microsoft Azure
  Overview
  Certification / Standards Adherence
  Physical Security
  Security Features / Services Security
  Privacy
Microsoft Office 365
  Overview
  Certification / Standards Adherence
  Physical Security
  Security Features / Services Security
  Privacy
Summary
References
Appendix - Standards, Certifications, Terminology

Introduction
The flexibility, lower costs and scalability that cloud services can provide for small and big companies, in the private or public sector, are more than promising. Nevertheless, security and privacy concerns are still big enough to limit an even wider adoption of cloud services. According to recent Microsoft research [75], 58 percent of the public and 86 percent of business leaders are excited about the possibilities of cloud computing, and at the same time more than 90 percent of them are worried about the security, availability and privacy of their data as it rests in the cloud. This shows in the most emphatic way that users want to take advantage of the new technology without sacrificing the privacy of their data. This is why the big cloud players are trying to find a solution in this direction, having realized that this is the way to attract new customers.
Cloud computing providers offer different kinds of services to their customers: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The following figure makes clear what each of them implies in terms of the services provided to the customer.

Figure: The different aspects of Cloud computing. (Image from Max Chand's presentation, Windows Azure SSP.)

Exactly because of the scale and variety of the services provided, and accordingly of the different systems involved, it seems impossible to develop one single security solution that covers everything. Thus, providers often exaggerate the security services that they are able to provide. Not long ago, Microsoft and Google accused each other of lying about their respective Google Apps for Government and Microsoft BPOS (Business Productivity Online Standard Suite) services being certified for use by federal agencies under the Federal Information Security Management Act (FISMA) [69][70]. This is only the tip of the iceberg of an ongoing war taking place in the new era of cloud services over which service deals better with the number one concern of cloud users: security and privacy.
Strong privacy and security guarantees are what the market demands, and this is why cloud providers are investing in building secure systems and in obtaining as many security and privacy certifications as possible. In the next sections we describe the services provided by the big players of the cloud market, namely Amazon, Google, Microsoft and Rackspace, and compare them in terms of the certifications, physical security, security features and privacy they provide. We also provide an appendix explaining the different certifications, standards, audits and terminology mentioned throughout the document.

AMAZON AWS
Overview
Amazon AWS is a cloud computing platform offering an impressive number of cloud services at all levels and providing customers with great flexibility regarding pricing and resources. Some of the best-known Amazon cloud services are EC2 (Amazon Elastic Compute Cloud) [20], which offers pay-as-you-go computing resources in the cloud; S3 (Simple Storage Service) [21] and EBS (Elastic Block Store) [22], both storage services in the cloud for different purposes; and database services such as RDS (Relational Database Service) [23], DynamoDB [24], SimpleDB [25] and ElastiCache [26]. It also offers many monitoring services such as CloudSearch [27] and SWF (Simple Workflow Service) [28].

Certification / Standards Adherence [2]

Amazon has a very comprehensive and convincing description of the certifications and standards that it possesses. The impression one gets from reading their website is that they try to formalize and structure all the security procedures they follow. A list of the certifications and standards, with a brief description of what each ensures, is provided in the following section. A more detailed description of each standard can be found in a dedicated section that follows (the appendix).

SAS 70 Type II audits

Amazon states that it has completed multiple SAS 70 Type II audits in the past.

SOC 1 / SSAE 16 / ISAE 3402

The SOC 1 report audit attests that AWS control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. This audit replaced the SAS 70 Type II report.

SOC 2
Evaluation of controls relevant to security, availability, processing integrity, confidentiality and privacy, and evaluation of the design and operating effectiveness of controls that meet the criteria for the security principles set by the AICPA (American Institute of Certified Public Accountants) [3].

ISO 27001 certification [4][5]

ISO 27001/27002 is a widely adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information, based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity and availability of company and customer information. The ISO 27001 certification includes all AWS data centers in all regions worldwide.

PCI DSS Level 1 service provider (Payment Card Industry Data Security Standard) [3]
Merchants and other service providers can now run their applications on Amazon's PCI-compliant technology infrastructure for storing, processing and transmitting credit card information in the cloud.
PCI validated services include:
- Amazon Elastic Compute Cloud (EC2)
- Amazon Simple Storage Service (S3)
- Amazon Elastic Block Store (EBS)
- Amazon Virtual Private Cloud (VPC)
- Amazon Relational Database Service (RDS)
- Amazon Elastic Load Balancing (ELB)
- Amazon Identity and Access Management (IAM)
- Underlying physical infrastructure
- AWS Management Environment

ITAR (International Traffic in Arms Regulations)

This regulation is supported by AWS GovCloud [13]. More information about the regulation can be found in the appendix. The regulation basically restricts access to protected data to US persons and the location of the data to US soil.

FIPS 140-2
Another standard supported by AWS GovCloud [13]. It is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. Amazon's Virtual Private Cloud VPN endpoints and SSL terminations in AWS GovCloud (US) operate using FIPS 140-2 validated hardware.

Safe Harbor
Amazon.com, including Amazon Web Services LLC, participates in the Safe Harbor program developed by the U.S. Department of Commerce and the European Union.

Public sector certifications

Amazon holds a FISMA Moderate certification: an authorization from the U.S. General Services Administration (GSA) to operate at the FISMA Moderate level. More details can be found in the appendix. Amazon has received a three-year FISMA Moderate authorization for IaaS (Infrastructure as a Service) from the GSA.
FISMA requires AWS to implement and operate an extensive set of security configurations and controls. This includes documenting the management, operational and technical processes used to secure the physical and virtual infrastructure, as well as third-party audit of the established processes and controls.

Guidelines / Structure for secure practices

Apart from the certifications that Amazon holds for its services, it also provides its customers with a platform on which they can build in order to apply for other certifications specific to the application they are running. Healthcare applications compliant with the HIPAA Security and Privacy rules have been built on AWS [6].
Moreover, Amazon publishes a set of best practices to make its users aware of what Amazon provides for security and of what they themselves should do to enhance security when using AWS. In particular, AWS has completed the CSA Consensus Assessments Initiative Questionnaire, which gives its customers a reference to the security present in the AWS IaaS offerings. Also, AWS commissioned an independent assessment of its compliance with the MPAA best practices and achieved the highest maturity rating possible [6].

Physical Security
Only those within Amazon who have a legitimate business need to have such information know
the actual location of these data centers, and the data centers themselves are secured with a
variety of physical controls to prevent unauthorized access.

Security Features / Services Security [1]

Amazon provides a number of features that are commonly used in any server environment to ensure security. We did not find anything new or specialized here, but the features mentioned seem to be enough to provide a high level of security. Furthermore, Amazon seems to pay attention even to very simple matters such as the reporting of possible vulnerabilities by its customers; as shown in the next section, even this is done in a very well defined way. Nevertheless, many of these features are configuration options provided to the customer, and for this reason it is the customer's responsibility to use them properly. An extensive list of the features provided at the different levels of Amazon's platform follows.

Strong cryptographic methods

Amazon uses strong cryptographic methods (the specific algorithms are not named) to authenticate users, and offers HTTPS support and web service interfaces for configuring firewalls and other security features.

Configurable web service interfaces

Configurable web service interfaces are provided to allow the customer to configure firewall access and network access to their databases. For instance, Amazon RDS allows customers to run their database instances inside Amazon's Virtual Private Cloud.

Security Credentials
There are three types of credentials in use [8]:
- Access credentials (access keys, X.509 certificates and key pairs)
- Sign-in credentials (email address, password, AWS multi-factor authentication device; see below for details of the device)
- Account identifiers (account ID and canonical user ID)

AWS Identity and Access Management (IAM)

AWS IAM allows the creation of multiple users and the management of their permissions. It also eliminates the need to share passwords or access keys. More details can be found in the Privacy section that follows [9].

AWS Multi-Factor Authentication (AWS MFA)

The AWS multi-factor authentication device is supplied by a third party, Gemalto, and customers can purchase it to increase their security. Each time they authenticate they then need to provide both their AWS email ID and password (first factor) and the code from the authentication device (second factor).

Key Rotation
Enables rotation of access keys and certificates without impact on application availability (i.e. multiple concurrent access keys and certificates are supported).

Vulnerability Reporting / Penetration Testing Requests

Amazon provides processes for reporting security vulnerabilities [10] and for requesting penetration testing [11]. Although this sounds like a very simple task, Amazon adds some sophistication by using the Common Vulnerability Scoring System (CVSS) [35] to evaluate reported vulnerabilities and prioritize the most important ones.
Regarding penetration testing, Amazon gives its customers the ability to perform penetration tests against their own services; of course this has to be done with Amazon's prior approval so that it can be distinguished from a real attack.

Security Bulletins
This is a service provided by Amazon to notify customers about security and privacy events affecting AWS services [36].

Signed PGP Public Key

As simple as it sounds: this is a PGP key for customers who wish to use it for added security [12].

Network Security
The following is a list of how Amazon deals with potential network vulnerabilities and attacks.

Distributed Denial of Service (DDoS) attacks
- Proprietary DDoS mitigation techniques are used.
- AWS's networks are multi-homed across a number of providers to achieve Internet access diversity.
Man-in-the-Middle (MITM) attacks
- All of the AWS APIs are available via SSL-protected endpoints, which provide server authentication.
IP spoofing
- Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
Port scanning
- Port scanning is a violation of Amazon's policy and can be reported. When it is detected it is stopped and blocked.
- It is up to the customer to take appropriate security measures to protect listening services that may be essential to their application from being discovered by an unauthorized port scan.
Packet sniffing by other tenants
- Even two virtual instances that are owned by the same customer and located on the same physical host cannot listen to each other's traffic.
- Attacks such as ARP cache poisoning do not work within Amazon EC2 and Amazon VPC. While Amazon EC2 provides ample protection against one customer inadvertently or maliciously attempting to view another's data, as a standard practice customers should encrypt sensitive traffic.

Data Privacy [1]

Data access
Amazon supports several mechanisms for configuring who can access the data, when and from where. Amazon S3, for example, provides four different access mechanisms [30]:
Identity and Access Management (IAM) policies [34]
- IAM enables the creation and management of multiple users under a single account, together with their corresponding roles. Moreover, there is a capability for identity federation between the customer's corporate directory and AWS services, enabling users to use their corporate identities to gain access to AWS services. To allow the creation of federated users, Amazon allows the creation of temporary security credentials, comprised of short-lived access keys and session tokens associated with these keys. The permissions of these temporary credentials are at most equal to those of the IAM user who created them, but they can also be restricted further.
Access Control Lists (ACLs)
- Add or remove permissions on individual objects.
Bucket policies
- Same as above, but for permissions across some or all of the objects within a single bucket.
Query string authentication
- Capability to share Amazon S3 objects through URLs that are valid for a predefined time.
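As an added illustration of the query string authentication mechanism above (example code written for this survey, not code from the paper or from Amazon), the block below issues and verifies an expiring signed URL following the layout of the legacy AWS Signature Version 2 query-string scheme that was current when this survey was written; the access key, secret and object names are constructed placeholders. The verifier side shows the checks a storage front end must apply before serving such a request: credential lookup, expiry enforcement, and a constant-time signature comparison over the resource actually requested.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed placeholder credentials (not real AWS keys). The server keeps
# the secret keyed by access key id, which is how a verifier must find it
# from the AWSAccessKeyId parameter carried in the URL.
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0000"
SECRET_KEY = "constructed-secret-for-illustration-only"
CREDENTIAL_STORE: Dict[str, str] = {ACCESS_KEY_ID: SECRET_KEY}


def string_to_sign(method: str, bucket: str, key: str, expires: int) -> str:
    """SigV2 string-to-sign for a query-string request: HTTP verb,
    Content-MD5 (blank for GET), Content-Type (blank), the expiry epoch
    standing in for the Date header, then the canonical resource."""
    return f"{method}\n\n\n{expires}\n/{bucket}/{key}"


def sign(secret: str, payload: str) -> str:
    """Base64(HMAC-SHA1(secret, payload)), the SigV2 signature form."""
    mac = hmac.new(secret.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def presign_get_url(bucket: str, key: str, ttl_seconds: int,
                    now: Optional[int] = None) -> str:
    """Issue a URL granting GET on bucket/key until now + ttl_seconds.
    Whoever holds the URL needs no AWS credentials of their own."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    signature = sign(SECRET_KEY, string_to_sign("GET", bucket, key, expires))
    query = (f"AWSAccessKeyId={quote(ACCESS_KEY_ID, safe='')}"
             f"&Expires={expires}"
             f"&Signature={quote(signature, safe='')}")
    return f"https://{bucket}.s3.amazonaws.com/{quote(key)}?{query}"


def verify_get_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side check before serving the object: resolve the access key,
    enforce the expiry, then recompute the signature over the resource that
    was actually requested and compare it in constant time."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    bucket = (parts.hostname or "").split(".", 1)[0]   # virtual-hosted style
    key = unquote(parts.path.lstrip("/"))
    params = parse_qs(parts.query)
    access_key = params.get("AWSAccessKeyId", [""])[0]
    provided = params.get("Signature", [""])[0]
    secret = CREDENTIAL_STORE.get(access_key)
    if secret is None:
        return False, "unknown access key"
    try:
        expires = int(params.get("Expires", [""])[0])
    except ValueError:
        return False, "malformed expiry"
    if now > expires:
        return False, "expired"
    expected = sign(secret, string_to_sign("GET", bucket, key, expires))
    # Any change to bucket, key or Expires after signing invalidates the URL.
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000
    url = presign_get_url("reports", "q1/summary.pdf", 300, now=issued_at)
    print(url)
    print(verify_get_url(url, now=issued_at + 100))   # (True, 'ok')
    print(verify_get_url(url, now=issued_at + 301))   # (False, 'expired')
```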

VPC (Amazon Virtual Private Cloud)

Amazon VPC [32] lets users use a private, isolated portion of the cloud in which they can configure their IP address range, create subnets, configure routing tables and gateways, and launch various AWS services. In RDS, for example, users can isolate their database instances by specifying the IP range they wish to use and connecting to their infrastructure through an encrypted IPsec VPN; this is currently supported by all the RDS DB engines. Another example of the usage of VPC is that users can configure their S3 data to be accessible only through instances in their VPC. For even better isolation they can run Amazon EC2 Dedicated Instances [33] inside the VPC, which ensures isolation at the hardware level by running on hardware dedicated to a single customer. Customers have the flexibility to mix dedicated and non-dedicated instances inside one VPC or to use them in separate VPCs.

AWS GovCloud (US)
AWS GovCloud [13] is the top level of isolation that Amazon provides. It allows US government agencies and their customers to move more sensitive workloads to the cloud. It is a separate region (the GovCloud Region), physically and logically accessible by U.S. persons only. Appropriate workloads for GovCloud are:
- Controlled Unclassified Information (CUI), including ITAR data
- Government-oriented publicly available data
Amazon GovCloud adheres to ITAR and supports FIPS 140-2.

Data Encryption
Amazon allows encryption of personal and business data. On S3, for example, all data is uploaded or downloaded via SSL-encrypted endpoints using the HTTPS protocol. It also provides a client encryption library [29] for those who prefer to manage their own encryption keys (in this case encryption happens on the client side), and Amazon SSE (Server Side Encryption) for those who prefer to let Amazon S3 manage their keys [31].


History Logs
Amazon gives customers the option to enable logs in some of its services (for example for Amazon S3 buckets), a functionality that helps track the requests made and can be used for auditing purposes.

Rackspace
Overview
Rackspace provides a great variety of cloud services, including IaaS and SaaS. It provides its clients with servers on demand and a RESTful API (the OpenStack API [16]) to launch and control the cloud servers. It also provides cloud hosting services for websites and files (in partnership with Akamai [18]), block storage, container-based virtualization and redundant storage for high-performance MySQL databases in the cloud, backup services, load balancing, monitoring, free DNS management and a private cloud for increased privacy. Moreover, Rackspace has an open approach, as it is powered by OpenStack [16], the cloud's open-source operating system, and it also offers hybrid services combining both cloud and dedicated servers.

Certification / Standards Adherence [14]

The certifications that Rackspace possesses are not presented in a structured way, and it is also unclear whether they actually hold some of the standards or merely agree that these standards should be met by a cloud vendor for potential clients that need them [74]. Certifications that Rackspace holds are ISO 27001/2-based policies that are reviewed at least annually, and possibly PCI DSS and HIPAA-BAA. It is also not clear whether they perform SAS 70 Type II and SOC 1 Type 1 & 2 audit reports. Moreover, there are some general statements regarding secure document and media destruction, independent reviews performed by third parties, continuous monitoring and improvement of the security program, and the security organization of the company.

Physical Security
The following is a list of the practices that Rackspace follows to ensure the physical security of its services:
- Data center access is limited to authorized personnel only
- Badges and biometric scanning for controlled data center access
- Security camera monitoring at all data center locations
- Access and video surveillance log retention
- 24x7x365 onsite staff provides additional protection against unauthorized entry
- Unmarked facilities to help maintain a low profile
- Physical security audited by independent firms annually

Security Features / Services Security

Again, Rackspace fails to present its security features in a unified way. Instead, security measures and protocols are scattered across the descriptions of the various services that it provides.

Network Security
Rackspace incorporates software defined networking and claims that this way customers are
able to create completely isolated networks.

Encryption
AES (Advanced Encryption Standard) with a 256-bit key is used for the backup service [17].

Private Containers
Private Containers is a feature provided for the Rackspace Cloud Files service; it ensures that all traffic between the customer's application and Cloud Files uses SSL to establish a secure, encrypted channel.

Modified Medium Trust

The Rackspace Cloud Windows environment operates in modified medium trust (instead of full trust) to protect the security, scalability and performance of users by eliminating the potential for application interference. Applications under medium trust have no registry access and no access to the Windows event log; both network and file system access are also limited.

Privacy
Rackspace offers a private cloud [15] to increase privacy: a server environment based on OpenStack, delivered as a downloadable ISO package, that can be hosted in the client's data center, at Rackspace or in a third party's data center, and can be managed with or without Rackspace's support.


Google Cloud
Overview
Google's Cloud Platform includes App Engine, Compute Engine, Cloud Storage, BigQuery, Cloud SQL, and the Prediction and Translation APIs. Google employs a multi-layered security strategy. A distinct, more secure service is Google Apps for Government, to which we have dedicated a separate section [57]. Google provides information about 13 datacenter locations [41] and an uptime guarantee of 99.9% (without a specified time range).

Certification / Standards Adherence

Google does not list the different standards it follows to ensure the security of its cloud services. We assume this is because these standards are shared with the other Google services and are therefore omitted. Recently they mentioned on their blog [] that they completed an SSAE 16 / ISAE 3402 SOC 2 Type II report covering Apps, Apps Vault, Apps Script, App Engine and Cloud Storage. Also, there is a reference to the standards followed by Google Apps for Government, which support greater security and privacy than the rest of the cloud services provided by Google.

Google Apps for Government
- FISMA Moderate (from the Department of the Interior)
- HIPAA (Webmail). A standard for protecting health information.
- PCI DSS (Webmail)
- SSAE 16 and ISAE 3402 Type II audit [40]
- SAS 70
- Safe Harbor [73]
- Two-factor authentication: Google Apps for Government includes an extra layer of security with two-factor authentication, which reduces the danger of data being stolen.

Physical Security
Google claims that only select Google employees have access to the datacenter facilities and that this access is controlled and audited. Heat-sensitive cameras, biometric verification and authentication mechanisms that permit entry only to authorised personnel are some of the measures Google takes to ensure the security of its data centers.


Security Features / Services Security

Google provides a great number of security features and policies to prevent threats and formalize infrastructure management procedures. As you can see, there is no significant difference between the protection of cloud services and that of any other traditional system. Everything that would make sense for the protection of a server or data center is also applied in the Google cloud.

Malware Protection
Google uses manual and automated scans to find websites that can be the source of malware or phishing [58]. The blacklists produced by these scans have been incorporated into many Google products on servers and workstations. Apart from this general statement, Google does not specify how this is adapted to its cloud products.

Monitoring
Network analysis is supplemented by automated analysis of system logs to help determine
whether an unknown threat exists for Google systems.

Vulnerability Management
For vulnerability management, many commercial and proprietary products are used to detect and manage vulnerabilities in a timely manner. Automated and manual penetration tests, quality assurance processes, software security reviews and external audits are some of the security measures used.

Incident Management
This is a 24/7 service provided by the Google security group to ensure that any security related
event is treated with priority according to its severity and as fast as possible.

Network Security
For network security Google does the following:
- Use and management of firewalls and ACL technology
- Restricting access to network devices to authorized personnel only
- Routing external traffic through custom front-end servers, which helps detect and stop malicious requests
- Improved monitoring using internal aggregation points
- Examination of logs to identify exploitation of programming errors

Transport Layer Security
Google uses HTTPS to secure browser connections.


Operating System Security
Google uses a modified version of Linux that supports only the services necessary for the Google products to run.

Privacy
Nothing specific is stated about privacy protection, apart from the fact that in the government cloud user data is not scanned or used for displaying advertisements. Users are in control of who they share their data with and how.

Microsoft Azure
Overview
Microsoft Azure is a cloud offering in the IaaS, PaaS and SaaS space. It includes traditional IaaS virtual machine hosting, BLOB storage and software-defined networking, and extends into the PaaS area with hosted web services, database instances and batch-processing frameworks. Additionally, cross-cutting concerns such as user authentication, reliable messaging and content delivery are addressed with specific services. The Azure service is typically accessed via a REST API and web interfaces and is delivered from 4 datacenters in the US, 2 in Europe and 2 in Asia.

Certification / Standards Adherence

Microsoft makes a summary of its security measures and policies publicly available. However, specifics of its Information Security Policy may only be obtained under an NDA. Additionally, Microsoft provides the Windows Azure Trust Center web portal, which breaks down certifications per service. For the IaaS offerings, Microsoft Azure claims adherence to the ISO 27001 and HIPAA standards and performs annual SAS 70 audits. A SOC 1 Type 2 audit for networking, storage and hosted web services is available under NDA.


Physical Security
Microsoft emphasizes compliance with ISO 27001 in connection with the physical security measures taken. Explicitly, the following procedures are mentioned:
- Access control at all facilities
- Personal identification with badges or biometrics required at all times
- Regular audits of access lists
- Video surveillance
- Two-factor authentication for physical access
- Non-advertised datacenter locations
- Additional locked perimeters inside data centers
- Off-site equipment and personnel must be authorized by dedicated staff

Security Features / Services Security

General
Microsoft Azure integrates Microsoft's Security Development Lifecycle (SDL) guidelines [60]. Microsoft SDL is a software development security assurance process grouped into seven phases: training, requirements, design, implementation, verification, release and response.

Operations Personnel
Other security precautions are background checks and security training for personnel, non-disclosure agreements, and least privilege, i.e. granting personnel only the privileges needed to carry out their duties. Moreover, there are multiple levels of monitoring, logging and reporting, and a combination of controls to detect malicious activity.

Network administration
Azure's internal network is isolated from external traffic by strong filtering. Administration of the network devices is carried out only by authorized personnel. An RPC-accessible API is provided that accepts commands from SMAPI (Storage Management API). Detailed information regarding the encryption that can be used while building a product with .NET on Windows Azure can be found in [61].

Privacy
Microsoft's privacy approach is based on a number of principles, as described in the Privacy in the Cloud white paper [63]. These principles include:
- Accountability in handling personal information
- Notice to individuals about the data collection procedures
- Collection of individuals' data only for the reasons provided in the privacy notice
- Choice and consent of individuals regarding the collection and use of personal information
- Use and retention of personal information in accordance with the privacy notice
- Disclosure or onward transfer to vendors and partners in a security-enhanced manner and only for the purposes provided in the privacy notice
- Quality assurance to ensure that personal information is accurate and relevant to the purpose for which it was collected
- Access for individuals to inquire about, view or update their personal data
- Enhanced security to help protect against unauthorized access
- Monitoring and enforcement of compliance with the privacy policies
In general, the biggest difference between traditional IT services and the cloud is that in the latter case the customer organization is the one that controls and sets the policies on how its customers' or employees' data is handled in the cloud. Microsoft has developed data handling processes in its agreements with business and government customers.
The information provided in the Windows Azure Security Overview regarding privacy is limited to the statement that "Windows Azure Storage is designed to ensure customer deleted data is faithfully and consistently erased". As described in the Windows Azure Privacy Statement [62], Microsoft retains the right to replicate data between different sub-regions if customers have not disabled this feature, but in any case data will not be transferred outside the major geographic region.
Finally, Microsoft supports efforts to enable the development of globally consistent policy frameworks that both support privacy protection and enable data flow between data centers located in countries with divergent rules and laws.


Microsoft Office 365

Overview
Under the label Office 365, Microsoft offers a range of subscription-based SaaS services for collaboration and productivity. These include hosted instances of its collaboration products Exchange and SharePoint, online tools for text processing, spreadsheets and presentations, and tight integration with the desktop-based Office suite.
The service is offered at different levels of security to fulfill the additional requirements of FISMA, ITAR or the EU Model Clauses. The name of the FISMA-compliant service is BPOS-Federal.

Certification / Standards Adherence

Microsoft Office 365 is not differentiated much from the other Microsoft cloud products, as the following list of certifications shows:
- ISO 27001
- Safe Harbor
- EU Model Clauses
- HIPAA-BAA
- FISMA (by the Broadcasting Board of Governors)
- ITAR (by the U.S. Department of Agriculture)

Physical Security
The physical security model offered for Microsoft Office 365 is equivalent to Microsoft Azure and
the other cloud products of Microsoft.

Security Features / Services Security

Microsoft Office 365 does not differ significantly from the other Microsoft cloud products regarding the security features offered. These include malware protection for servers and customer data, an anti-spam service, intrusion detection, and Microsoft Online IDs and federated IDs as options for user authentication. Moreover, Microsoft performs regular audits and proactive monitoring to ensure the security of its systems and to anticipate vulnerabilities. All connections established to Office 365 are encrypted using 128-bit SSL/TLS. Encryption is provided at several layers: the transport layer, encryption between clients and Exchange Online (SSL), instant messaging and IM federation. There is also support for S/MIME, Active Directory Rights Management Services and PGP. Office 365 currently does not encrypt data at rest; however, the customer may do so through IRM or RMS.


Privacy
Office 365 provides an extensive collection of documentation on data privacy. Some information
is accessible through the Microsoft Trust Center [37] web portal and the Office 365 privacy
whitepaper [38]. The details of the Information Security Policy are only available under NDA
[39]. Specific privacy features are presented in the following list.
Office 365 abides by privacy-relevant standards such as the EU Model Clauses and HIPAA.
Microsoft guarantees not to use customer data for advertising or to run data analytics
without the customer's consent. This may, however, be an integral part of the license agreement.
An auditable and formal process for access to customer data by Microsoft staff is
provided.
Customers can define geographic boundaries for data storage and processing.
Notifications are provided in case changes are required or violations are observed.
The service allows separation of data between the customer and Microsoft consumer
services. There is no mention of specific mechanisms, however.
Finally, there is a private cloud offering of Office 365 in cooperation with VMWare.


Summary
The following table summarizes the different certifications or audits with which each
provider is compliant (fields with a question mark indicate that it is not clear whether the
provider has the certification):

Certification / audit        Amazon AWS   Google Cloud   Microsoft Cloud   RackSpace
SAS 70 Type II Audits
SOC 1 Type 1 & 2 reports
SOC 2
SSAE 16 standard
ISAE 3402 standard
ISO 27001 certification
PCI/ DSS
HIPAA-BAA
CVSS
Safe Harbor
FISMA
ITAR
FIPS
(The per-provider entries of this table are not available in this text version.)

Note that as long as a provider has even one service that complies with a certification, we
treat the whole cloud of that provider as compliant with it. Of course this is not strictly true,
and it has actually been a reason for legal fights between the different providers, but we do so
only for high-level comparison. For example, the Microsoft cloud as presented in the
table includes both Azure and Office 365, and the existence of a certification does not
mean that it applies to both services. Similarly, there are Google Cloud services, such as Gmail,
that are not ITAR compliant, since Gmail servers reside all over the world and not just
in the US, but we still consider Google Cloud to possess these certifications.
Regarding physical security, more or less all providers offer the same level of security.
Furthermore, the physical security provided does not differ from the security needed for other
traditional data centers.
The security features provided by the major cloud providers differ more in the way they are
presented and advertised and less in their actual value. Maybe the details could make the
difference, but details are something that the providers reveal only under an NDA.
Overall, we think that the security features provided are sufficient to protect the systems
involved in a cloud platform. After all, there is no significant difference between the protection of
cloud services and that of any other traditional system.
When it comes to privacy, Amazon, Microsoft and Google offer solutions with a very high level
of privacy, enough to be used by government agencies and the army. Google misses some of
the certifications needed for this purpose, or at least does not publish them online. Rackspace
does not provide solutions for the government and accordingly does not possess the required
certifications.

Conclusion
In this survey we tried to dig into the details of the security and privacy offerings of four big cloud
providers. The security measures provided in the cloud do not differ significantly from those of
any other large-scale, complex system, and this is why all the providers we examined in this
survey are certified to provide most of the required security features. One area where they differ
is the government sector, for which special and stricter guarantees for privacy
and security are required. Another point that we would like to mention is the difficulty we
encountered in gathering and verifying this information. In the best case, some of the providers do not
advertise this information in a compact way. Even worse, sometimes they give the impression
that they possess a particular certification for all their services, while in fact the certification
concerns only a part of them. Overall, though, we think that important steps have already been
taken in the right direction, and that competition and the maturity of the services will, as time
passes, help to settle most of the concerns that users have regarding the privacy of their
data.


References
*All online documents were last checked on 12/12/7
[1] http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
[2] http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
[3] http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/
[4] http://www.27000.org/iso-27001.htm
[5] http://aws.amazon.com/security/iso-27001-certification-faqs/
[6] http://www.hhs.gov/ocr/privacy/
[7] http://www.fightfilmtheft.org/facility-security-program.html
[8] https://portal.aws.amazon.com/gp/aws/securityCredentials
[9] http://aws.amazon.com/iam/
[10] http://aws.amazon.com/security/vulnerability-reporting/
[11] http://aws.amazon.com/security/penetration-testing/
[12] https://aws.amazon.com/security/aws-pgp-public-key/
[13] http://aws.amazon.com/govcloud-us/
[14] http://bd905956a42f6ed96c17-a6046798c661ed27e3d4fdfd1b3c5e5a.r62.cf1.rackcdn.com/whitepapers/security/Rackspace_Security.pdf
[15] http://www.rackspace.com/cloud/private/
[16] http://www.openstack.org/
[17] http://www.rackspace.com/cloud/public/backup/
[18] http://www.akamai.com/
[19] http://www.rackspace.com/knowledge_center/article/modified-medium-trust-on-cloud-sites
[20] http://aws.amazon.com/ec2/
[21] http://aws.amazon.com/s3/
[22] http://aws.amazon.com/ebs/
[23] http://aws.amazon.com/rds/
[24] http://aws.amazon.com/dynamodb/
[25] http://aws.amazon.com/simpledb/
[26] http://aws.amazon.com/elasticache/
[27] http://aws.amazon.com/cloudsearch/
[28] http://aws.amazon.com/swf/
[29] http://docs.amazonwebservices.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3EncryptionClient.html
[30] http://docs.amazonwebservices.com/AmazonS3/latest/dev/UsingAuthAccess.html
[31] http://docs.amazonwebservices.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
[32] http://aws.amazon.com/vpc/
[33] http://aws.amazon.com/dedicated-instances/
[34] http://aws.amazon.com/iam/
[35] http://www.first.org/cvss
[36] https://aws.amazon.com/security/security-bulletins/
[37] https://www.microsoft.com/en-us/office365/trust-center.aspx
[38] Privacy in the public cloud: The Office 365 approach (2011), Microsoft
[39] Standard Response to Request for Information - O365 (2011, v2), Microsoft
[40] https://support.google.com/a/bin/answer.py?hl=en&answer=60762
[41] https://www.google.com/about/datacenters/inside/locations/index.html
[42] http://www.sas70.us.com/services/sas70-typeii-audit.php
[43] http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc1report.aspx
[44] http://www.ssae-16.com/
[45] http://isae3402.com/
[46] http://www.27000.org/ismsprocess.htm
[47] https://www.pcisecuritystandards.org/index.php
[48] http://searchsecurity.techtarget.com/definition/Federal-Information-Security-ManagementAct
[49] http://www.fisma.org/
[50] http://www.diacap.net/
[51] http://govitwiki.com/wiki/Defense_Information_Assurance_Certifications_and_Accreditation_Process_(DIACAP)
[52] http://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations
[53] http://www.itl.nist.gov/fipspubs/geninfo.htm
[54] http://en.wikipedia.org/wiki/FIPS_140
[55] http://www.first.org/cvss
[56] http://en.wikipedia.org/wiki/CVSS
[57] https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf
[58] http://googlewebmastercentral.blogspot.com/2008/10/malware-we-dont-need-nostinking.html
[59] http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/37672.pdf
[60] http://msdn.microsoft.com/en-us/library/windows/desktop/84aed186-1d75-4366-8e618d258746bopq.aspx
[61] http://msdn.microsoft.com/en-us/magazine/ee291586.aspx
[62] http://www.windowsazure.com/en-us/support/legal/privacy-statement/
[63] http://go.microsoft.com/?linkid=9694913&clcid=0x409
[64] http://www.wilmerhale.com/publications/whPubsDetail.aspx?publication=9532
[65] Security in Office 365 Whitepaper: http://tinyurl.com/cj4x4pt
[66] http://searchdatamanagement.techtarget.com/definition/HIPAA
[67] http://searchhealthit.techtarget.com/definition/HIPAA-business-associate-agreementBAA
[68] http://www.privacytrust.org/guidance/safe_harbor.html
[69] http://gigaom.com/cloud/why-microsoft-and-google-are-fighting-dirty-over-unclesam/
[70] http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/04/11/google-smisleading-security-claims-to-the-government-raise-serious-questions.aspx
[71] http://broadcast.rackspace.com/downloads/pdfs/RackspaceSAS70.pdf
[72] http://c1776742.cdn.cloudfiles.rackspacecloud.com/downloads/pdfs/Rackspace_SOC1TypellReport.pdf
[73] https://developers.google.com/appengine/terms
[74] http://www.rackspace.com/knowledge_center/whitepaper/moving-your-infrastructureto-the-cloud-how-to-maximize-benefits-and-avoid-pitfalls
[75] http://research.microsoft.com/pubs/80240/dwork-tcc09.pdf

Appendix - Standards, Certifications, Terminology


SAS 70 Type II Audits
The goal of SAS 70 Type II audits is to examine operational controls and test their operating
effectiveness. These audits usually last from four to ten months, though the duration can vary
depending on the project. Going into a Type II audit does not necessarily mean that a company
must first undergo a Type I audit. [42]

SOC 1 Type 1 & 2 reports


SOC 1 reports [43] evaluate the effect of the controls at the service organization on the user
entities' financial statement assertions. They are important for financial reporting purposes, for
complying with laws and regulations. There are two types of such reports:
Type 1: report on the fairness of the presentation of management's description of the
service organization's system and the suitability of the design of the controls to achieve
the related control objectives included in the description as of a specified date.
Type 2: report on the fairness of the presentation of management's description of
the service organization's system and the suitability of the design and operating
effectiveness of the controls to achieve the related control objectives included in the
description throughout a specified period.
As can be seen from the above definitions, the only difference between these reports is
that a Type 2 report adds operating effectiveness to whatever a Type 1 report already requires.

SOC 2

SOC 2 examines the details of data center testing and operational effectiveness.

SSAE 16 standard
SSAE 16 is the standard under which SOC 1 reports are issued. It came as an
enhancement to the SAS 70 standard and is aligned with the new international service
organization reporting standard, ISAE 3402. [44]

ISAE 3402 standard


International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on
Controls at a Service Organization, allows public accountants to issue a report, for use by user
organizations and their auditors, on the controls at a service organization that are likely to impact
or be a part of the user organizations' system of internal control over financial reporting. [45]

ISO 27001 certification


ISO 27001 defines specific requirements to bring information security under explicit
management control. This means that the security controls of the company are systematically
examined in a unified way. The different security aspects include information security risks and
vulnerabilities, but also physical security practices. [46]
The certification usually involves a three-stage external audit process.
The first stage is a preliminary stage used mostly to familiarize the organization with the
auditors.
The second stage is a thorough examination of the design and implementation of the
information security management system (ISMS). After this stage the ISMS is certified as ISO
27001 compliant.
The third stage includes follow-ups and reviews to ensure that the ISMS remains in
compliance with the standard.
The following diagram describes the process a company needs to follow to comply with the
certification:


Payment Card Industry (PCI), Data Security Standard (DSS)


The intention of this standard is to help organizations that handle cardholder information for
debit and credit cards etc. to proactively protect their customers' account data from fraud [47].
Nevertheless, the effectiveness of this standard has been criticized as providing just a minimal
baseline for security.

FISMA
The Federal Information Security Management Act (FISMA) is United States legislation that
defines a comprehensive framework to protect government information, operations and assets
against natural or man-made threats. [48] Depending on the risk level of the sensitive information,
there are 3 different security categories for FISMA, namely Low, Moderate and High. Each level
has some minimum requirements and builds on the previous one.
FISMA requires federal agencies to have an information security system for their data and
infrastructure. The FISMA levels require cloud companies to implement an extensive set
of security controls, including the documentation of the management, operational and technical
processes used to secure the physical and virtual infrastructure, and also to conduct third-party
audits. [49]

Defense Information Assurance Certification and Accreditation Program (DIACAP)

DIACAP [50] is the US Department of Defense process that ensures risk management is
applied to information systems. It includes the following 5 phases [51]:
Initiate and Plan
Implement and Validate
Make C&A Decisions
Maintain ATO/Reviews
Decommission

ITAR (International Traffic in Arms Regulations)


Anyone dealing with defense articles, services or data must comply with ITAR, according to
US government requirements. To become ITAR compliant a company must register with the DDTC
(Directorate of Defense Trade Controls), which determines what is needed for ITAR compliance. In
short, the ITAR regulations prohibit any material related to defense from being shared or resold to
non-U.S. persons without prior authorization from the U.S. Department of State. [52]

FIPS (Federal Information Processing Standards) publication 140-2


FIPS publications have been developed by the U.S. government to standardize codes such as
DES (Data Encryption Standard) and AES (Advanced Encryption Standard) [53].
The FIPS 140-2 publication is used to accredit cryptographic modules that include both software
and hardware components for use by the departments and agencies of the United States
federal government. Compliance with FIPS 140-2 does not necessarily mean that a system is
secure. There are 4 different levels defined under FIPS 140-2 [54]:

Level 1: Imposes very limited requirements.
Level 2: Adds requirements for physical tamper-evidence and role-based authentication.
Level 3: Builds on level 2 to add physical tamper-resistance and identity-based
authentication.
Level 4: Stronger physical requirements and robustness against environmental attacks.

CVSS (Common Vulnerability Scoring System)


CVSS provides a universal, open and standardized method for rating IT vulnerabilities [55]. The
CVSS measures three areas [56]:
1. Base Metrics for qualities intrinsic to a vulnerability.
2. Temporal Metrics for characteristics that evolve over the lifetime of a vulnerability.
3. Environmental Metrics for characteristics of a vulnerability that depend on a particular
implementation or environment.

HIPAA (Health Insurance Portability and Accountability Act)


HIPAA is the United States Health Insurance Portability and Accountability Act of 1996. HIPAA
seeks to establish standardized mechanisms for electronic data interchange (EDI), security,
and confidentiality of all healthcare-related data. [66]

HIPAA-BAA
This is a contract between a HIPAA covered entity and a HIPAA business associate to protect personal
health information in accordance with HIPAA guidelines. [67]

EU Model Clauses
The EU Model Clauses restrict the transfer of personal data to countries outside the European
Economic Area (EEA), unless the recipient is located in a country with an adequate level of
data protection. Notably, this does not include the US. [64]

Safe Harbor
US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive
95/46/EC on the protection of personal data. [68]
