Provider Security Measures
Alex Pucher, Stratos Dimopoulos
Abstract
Cloud computing offers a virtually unlimited amount of resources at a flexible pay-as-you-go cost.
Many enterprises already take advantage of this model, but security and privacy concerns limit
further adoption of the technology. Cloud providers acknowledge the additional needs of regulated
enterprises and government agencies and have started offering security certifications and
separate, tightly controlled government cloud infrastructure. This paper is a survey of the
published security mechanisms implemented in the most well-known cloud service products,
such as Amazon AWS, Google App Engine and Microsoft Azure. Our goal is to identify the levels of
security they provide. We analyze different aspects of their systems (certification and standards
adherence, authentication and authorization mechanisms, protection from actual attacks, etc.),
compare them and extract results regarding the security levels they offer.
Contents
Introduction
AMAZON AWS
Overview
Certification/ Standards Adherence[2]
Physical Security
Security Features / Services Security [1]
Rackspace
Overview
Certification/ Standards Adherence [14]
Physical Security
Security Features / Services Security
Privacy
Google Cloud
Overview
Certification/ Standards Adherence
Physical Security
Microsoft Azure
Overview
Certification/ Standards Adherence
Physical Security
Security Features / Services Security
Privacy
Microsoft Office 365
Overview
Certification/ Standards Adherence
Physical Security
Security Features / Services Security
Privacy
Summary
References
Appendix - Standards, Certifications, Terminology
Introduction
The flexibility, lower costs and scalability that cloud services can provide to small and big
companies, in the private or the public sector, are more than promising. Nevertheless, security
and privacy concerns are still big enough to limit an even wider adoption of cloud services.
According to recent Microsoft research [75], 58 percent of the public and 86 percent of
business leaders are excited about the possibilities of cloud computing, and at the same
time more than 90 percent of them are worried about the security, availability and privacy of their
data as it rests in the cloud. This shows in the most emphatic way that users want to take
advantage of the new technology without sacrificing the privacy of their data. This is why the big
cloud players are trying to find a solution in this direction, having realized that this is the
way to attract new customers.
Cloud computing providers offer different kinds of services to their customers: Software as a
Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The following
picture shows what each of them implies in terms of the services provided to the customer.
Precisely because of the scale and variety of the services provided, and accordingly of the
different systems involved, it seems impossible to develop one single security solution that
covers everything. Thus, providers often exaggerate the security services that they are
able to provide. Not long ago, Microsoft and Google were accusing each other of lying about
whether Google Apps for Government and Microsoft BPOS (Business Productivity Online Standard
Suite), respectively, were certified for use by federal agencies under the Federal Information
Security Management Act (FISMA) [69] [70]. This is only the tip of the iceberg of an ongoing war
in the new era of cloud services over which service deals better with the number one concern of
cloud users: security and privacy.
Strong privacy and security guarantees are what the market demands, and this is why cloud
providers are investing in building secure systems and in getting certified with as many security
and privacy certifications as possible. In the next sections we describe the services provided by
the big players of the cloud market, namely Amazon, Google, Microsoft and Rackspace, and
compare them in terms of the certifications, physical security, security features and privacy
they provide. We also provide an appendix explaining the different certifications, standards,
audits and terminology mentioned throughout the document.
AMAZON AWS
Overview
Amazon AWS is a cloud computing platform offering an impressive number of cloud services at
all levels and providing customers with great flexibility regarding pricing and resources. Some
of the most well-known Amazon cloud services are EC2 (Amazon Elastic Compute Cloud) [20],
which offers pay-as-you-go computing resources in the cloud; S3 (Simple Storage Service) [21]
and EBS (Elastic Block Store) [22], both cloud storage services for different purposes; and
database services such as RDS (Relational Database Service) [23], DynamoDB [24], SimpleDB
[25] and ElastiCache [26]. It also offers application services such as CloudSearch [27] (search)
and SWF (Simple Workflow Service) [28] (workflow coordination).
Certification/ Standards Adherence [2]
SOC 2
Evaluation of controls relevant to security, availability, processing integrity, confidentiality and
privacy, and of the design and operating effectiveness of controls that meet the criteria for the
security principle set by the AICPA (American Institute of Certified Public Accountants) [3].
PCI DSS Level 1 service provider (Payment Card Industry Data Security Standard) [3]
Merchants and other service providers can now run their applications on Amazon's PCI-compliant
technology infrastructure for storing, processing and transmitting credit card information in the
cloud.
PCI Validated Services include:
FIPS 140-2
Another standard supported by AWS GovCloud [13]. It is a US government security standard that
specifies the security requirements for cryptographic modules protecting sensitive information.
Amazon's Virtual Private Cloud VPN endpoints and SSL terminations in AWS GovCloud (US)
operate using FIPS 140-2 validated hardware.
Safe Harbor
Amazon.com, including Amazon Web Services LLC, participates in the Safe Harbor program
developed by the U.S. Department of Commerce and the European Union.
Physical Security
Only those within Amazon who have a legitimate business need to have such information know
the actual location of these data centers, and the data centers themselves are secured with a
variety of physical controls to prevent unauthorized access.
Security Credentials
There are three types of credentials used [8]:
Access credentials (Access keys, X.509 certificates and key pairs)
Sign-in credentials (email address, password, AWS multi-factor authenticated device)
See below for AWS multi-factor authenticated device details.
Account identifiers (account ID and canonical user ID)
Key Rotation
Enables rotation of access keys and certificates without impact on the application's availability
(i.e. AWS supports multiple concurrent access keys and certificates per account, so a new key can
be activated before the old one is retired).
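The overlap that makes rotation non-disruptive is easiest to see in code. The following Go program is an added example and not Amazon's code or API: it simulates an account that may hold several active access keys (a Service with HMAC-SHA256 request signing standing in for the real request-signing scheme) and walks a client through the four steps of a rotation, probing after each step so that a misordered step, such as deactivating the old key before the client has switched, is reported. The key IDs (AKIA-OLD, AKIA-NEW) and the Credential, Service and Client types are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential models one access key: a public key ID plus the secret that signs
// requests. The type and its fields are this example's own, not the AWS API.
type Credential struct {
	ID     string
	Secret []byte
	Active bool
}

// Service stands in for the provider. An account may hold several keys at once;
// that overlap is what makes rotation possible without a window of failed requests.
type Service struct {
	keys map[string]*Credential
}

func NewService() *Service { return &Service{keys: map[string]*Credential{}} }

// IssueKey mints a key with a random 256-bit secret and activates it immediately.
func (s *Service) IssueKey(id string) *Credential {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err) // no usable entropy; nothing sensible to continue with
	}
	c := &Credential{ID: id, Secret: secret, Active: true}
	s.keys[id] = c
	return c
}

// Deactivate keeps the key on record but rejects requests signed with it. It is
// reversible, which is why it comes before deletion in the procedure below.
func (s *Service) Deactivate(id string) {
	if c, ok := s.keys[id]; ok {
		c.Active = false
	}
}

// Delete removes the key permanently.
func (s *Service) Delete(id string) { delete(s.keys, id) }

// sign computes HMAC-SHA256 over the request payload; a stand-in for the real
// request-signing scheme.
func sign(secret, payload []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write(payload)
	return hex.EncodeToString(m.Sum(nil))
}

// Verify accepts a request only if the key exists, is active and the signature
// matches (compared in constant time).
func (s *Service) Verify(keyID string, payload []byte, sig string) error {
	c, ok := s.keys[keyID]
	if !ok {
		return errors.New("unknown access key")
	}
	if !c.Active {
		return errors.New("access key is inactive")
	}
	if !hmac.Equal([]byte(sig), []byte(sign(c.Secret, payload))) {
		return errors.New("signature mismatch")
	}
	return nil
}

// Client is the application; it holds exactly one key at a time.
type Client struct{ cred *Credential }

// Request signs a payload with the client's current key and submits it.
func (c *Client) Request(s *Service, payload []byte) error {
	return s.Verify(c.cred.ID, payload, sign(c.cred.Secret, payload))
}

// Rotate replaces the client's key without interruption: issue a second key (both
// valid), switch the client, deactivate the old key (still reversible), delete it.
// A probe request after each step reports the first step that locks the client out.
func Rotate(s *Service, c *Client, newID string) error {
	probe := []byte("GET /probe")
	check := func(step string) error {
		if err := c.Request(s, probe); err != nil {
			return fmt.Errorf("%s: client locked out: %w", step, err)
		}
		return nil
	}
	old := c.cred
	fresh := s.IssueKey(newID)
	if err := check("after issuing the new key"); err != nil {
		return err
	}
	c.cred = fresh
	if err := check("after switching the client"); err != nil {
		return err
	}
	s.Deactivate(old.ID)
	if err := check("after deactivating the old key"); err != nil {
		return err
	}
	s.Delete(old.ID)
	return check("after deleting the old key")
}

func main() {
	s := NewService()
	old := s.IssueKey("AKIA-OLD") // constructed key IDs, not real AWS keys
	c := &Client{cred: old}
	fmt.Println("rotation:", Rotate(s, c, "AKIA-NEW"))
	p := []byte("GET /after")
	fmt.Println("old key after rotation:", s.Verify(old.ID, p, sign(old.Secret, p)))
	fmt.Println("client after rotation:", c.Request(s, p))
}
```

Deactivation before deletion is the step practitioners skip most often; keeping the old key on record but inactive means a forgotten consumer of it shows up as "access key is inactive" and can be fixed by reactivating, whereas after deletion the only remedy is issuing yet another key.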
Security Bulletins
This is a service provided by Amazon to notify customers about security and privacy events
affecting AWS services [36].
Network Security
The following list describes how Amazon deals with potential network vulnerabilities and attacks.
AWS GovCloud(US)
AWS GovCloud [13] is the top level of isolation that Amazon provides. It allows US government
agencies and their customers to move more sensitive workloads to the cloud. It is a separate
region (the GovCloud Region), physically and logically accessible by U.S. persons only. Appropriate
workloads for GovCloud are:
Controlled Unclassified Information (CUI), including ITAR data
Government-oriented publicly available data
Amazon GovCloud adheres to ITAR and supports FIPS 140-2.
Data Encryption
Amazon allows for the encryption of personal and business data. On S3, for example, all data is
uploaded and downloaded via SSL-encrypted endpoints using the HTTPS protocol. It also
provides a client-side encryption library [29] for those who prefer to manage their own encryption
keys (in this case the data and the keys protecting it are encrypted on the client side), and
Amazon SSE (Server Side Encryption) for those who prefer to let Amazon S3 manage their keys [31].
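What "managing your own keys" buys you is clearest with the mechanism the client-side library uses, envelope encryption, written out. The Go program below is an added example, not Amazon's library or its on-the-wire metadata format: each object is encrypted under a fresh random data key, only that data key is encrypted under the customer's master key, and the wrapped data key travels with the ciphertext as metadata. The provider stores both and can return them, but without the master key it can unwrap neither. The cipher choice (AES-256-GCM for both layers), the use of the object name as authenticated data so a ciphertext cannot be quietly moved to another key, and the EncryptedObject field names are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is what reaches the bucket: the ciphertext plus, as metadata,
// the data key wrapped under the customer's master key. The provider stores both
// but never sees the master key or the unwrapped data key. The field names are
// this example's own, not the SDK's metadata format.
type EncryptedObject struct {
	Nonce      []byte // nonce for the object ciphertext
	Ciphertext []byte
	KeyNonce   []byte // nonce for the wrapped data key
	WrappedKey []byte // data key encrypted under the master key
}

// gcmSeal encrypts plaintext with AES-256-GCM under key, binding aad to the result.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key, a modified ciphertext or a changed aad.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptObject performs client-side envelope encryption: a fresh 256-bit data key
// encrypts the object, the master key encrypts only the data key, and the plaintext
// data key is dropped. The object name is authenticated as AAD for both layers.
func EncryptObject(masterKey, plaintext []byte, objectName string) (*EncryptedObject, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes")
	}
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := gcmSeal(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := gcmSeal(masterKey, dataKey, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Nonce: nonce, Ciphertext: ct, KeyNonce: keyNonce, WrappedKey: wrapped}, nil
}

// DecryptObject unwraps the data key with the master key, then decrypts the object.
func DecryptObject(masterKey []byte, obj *EncryptedObject, objectName string) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, obj.KeyNonce, obj.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key: %w", err)
	}
	return gcmOpen(dataKey, obj.Nonce, obj.Ciphertext, []byte(objectName))
}

func main() {
	master := make([]byte, 32) // the customer master key; it never leaves the client
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	plain := []byte("constructed sample object: quarterly payroll export")
	obj, err := EncryptObject(master, plain, "reports/payroll.csv")
	if err != nil {
		panic(err)
	}
	got, err := DecryptObject(master, obj, "reports/payroll.csv")
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, plain))
	_, err = DecryptObject(master, obj, "reports/other.csv")
	fmt.Println("object copied under another name rejected:", err != nil)
}
```

Server-side encryption differs only in who holds the master key: with SSE the wrapping step runs inside the provider with a provider-held key, so the provider (and anyone who can compel it) can unwrap; with client-side envelope encryption the provider only ever stores ciphertext and wrapped keys.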
History Logs
Amazon gives customers the option to enable logs on some of its services (for example, Amazon
S3 buckets); this functionality is helpful for tracking the requests made and can be used for
auditing purposes.
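Enabling the logs is only useful if something reads them. The Go program below is an added example, not Amazon's tooling: it parses records in the shape of S3 server access logs (a space-separated format in which the timestamp is bracketed and the request URI, referrer and user agent are quoted, with the requester shown as "-" for anonymous requests), then pulls out the two things an auditor checks first, anonymous requests that succeeded and AccessDenied responses. The sample records, their IDs, addresses and object keys are constructed for this example, and the field positions follow the documented format as this example's author understands it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AccessLogEntry holds the fields of one S3 server access log record that matter
// for an audit: who made the request, from where, what they did and whether it
// succeeded. Field positions are this example's reading of the documented format.
type AccessLogEntry struct {
	Bucket    string
	Time      string
	RemoteIP  string
	Requester string // canonical user ID, or "-" for anonymous requests
	RequestID string
	Operation string
	Key       string
	Status    int
	ErrorCode string
}

// tokenize splits a record on spaces while keeping the bracketed timestamp and the
// quoted request URI, referrer and user agent as single tokens.
func tokenize(line string) []string {
	var toks []string
	for i := 0; i < len(line); {
		switch line[i] {
		case ' ':
			i++
		case '"', '[':
			closer := byte('"')
			if line[i] == '[' {
				closer = ']'
			}
			end := strings.IndexByte(line[i+1:], closer)
			if end < 0 { // unterminated field: take the rest of the line
				toks = append(toks, line[i+1:])
				return toks
			}
			toks = append(toks, line[i+1:i+1+end])
			i += end + 2
		default:
			end := strings.IndexByte(line[i:], ' ')
			if end < 0 {
				toks = append(toks, line[i:])
				return toks
			}
			toks = append(toks, line[i:i+end])
			i += end
		}
	}
	return toks
}

// ParseAccessLog parses one record and rejects lines too short to carry the audit fields.
func ParseAccessLog(line string) (*AccessLogEntry, error) {
	t := tokenize(line)
	if len(t) < 11 {
		return nil, fmt.Errorf("expected at least 11 fields, got %d", len(t))
	}
	status, err := strconv.Atoi(t[9])
	if err != nil {
		return nil, fmt.Errorf("bad HTTP status %q: %w", t[9], err)
	}
	return &AccessLogEntry{
		Bucket: t[1], Time: t[2], RemoteIP: t[3], Requester: t[4], RequestID: t[5],
		Operation: t[6], Key: t[7], Status: status, ErrorCode: t[10],
	}, nil
}

// Findings returns the request IDs an auditor would look at first: anonymous
// requests that succeeded (a public object that should not be), and access-denied
// responses (often someone probing the bucket for readable keys).
func Findings(lines []string) (anonymousOK, denied []string, parseErrors int) {
	for _, l := range lines {
		e, err := ParseAccessLog(l)
		if err != nil {
			parseErrors++
			continue
		}
		switch {
		case e.Requester == "-" && e.Status < 400:
			anonymousOK = append(anonymousOK, e.RequestID)
		case e.Status == 403:
			denied = append(denied, e.RequestID)
		}
	}
	return
}

// sampleLog holds constructed records in the shape of S3 server access logs; the
// IDs, addresses and keys are made up for this example.
var sampleLog = []string{
	`79a59df900b949e5 examplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e5 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /examplebucket/reports/q1.pdf HTTP/1.1" 200 - 5240 5240 24 23 "-" "aws-cli/1.16.0" -`,
	`79a59df900b949e5 examplebucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - 891CE47D2EXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /examplebucket/reports/q1.pdf HTTP/1.1" 200 - 5240 5240 19 18 "-" "Mozilla/5.0" -`,
	`79a59df900b949e5 examplebucket [06/Feb/2019:00:01:15 +0000] 198.51.100.7 - A1206F460EXAMPLE REST.GET.OBJECT secrets/db.env "GET /examplebucket/secrets/db.env HTTP/1.1" 403 AccessDenied 243 - 7 - "-" "Mozilla/5.0" -`,
	`garbage line`,
}

func main() {
	anon, denied, errs := Findings(sampleLog)
	fmt.Println("anonymous requests that succeeded:", anon)
	fmt.Println("access denied:", denied)
	fmt.Println("unparseable records:", errs)
}
```

The same requester address appearing in both lists is the pattern to watch for: a public read followed by a denied read of a key it had no business knowing about is reconnaissance, and the log is the only place it shows up.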
Rackspace
Overview
Rackspace provides a great variety of cloud services, including IaaS and SaaS. It provides its
clients with servers on demand and a RESTful API (the OpenStack API [16]) to launch and control
the cloud servers. It also provides cloud hosting services for websites and files (in a partnership
with Akamai [18]), block storage, container-based virtualization and redundant storage for
high-performance MySQL databases in the cloud, backup services, load balancing, monitoring, free
DNS management and a private cloud for increased privacy. Moreover, Rackspace has an open
approach, as it is powered by OpenStack [16], the open-source cloud operating system, and it
also offers hybrid services, combining both cloud and dedicated servers.
Physical Security
The following is a list of the practices that Rackspace follows to ensure the physical security of
its services:
Network Security
Rackspace incorporates software-defined networking and claims that in this way customers are
able to create completely isolated networks.
Encryption
AES (Advanced Encryption Standard) with a 256-bit key is used for the backup service [17].
Private Containers
Private Containers is a feature of the Rackspace Cloud Files service that ensures that all
traffic between the customer's application and Cloud Files uses SSL to establish a secure,
encrypted channel.
Privacy
Rackspace offers the private cloud [15] to increase privacy: a server environment based on
OpenStack, distributed as a downloadable ISO package, that can be hosted in the client's data
center, at Rackspace or in a third party's data center, and can be managed with or without the
support of Rackspace.
Google Cloud
Overview
Google's cloud platform includes App Engine, Compute Engine, Cloud Storage, BigQuery,
Cloud SQL, and the Prediction and Translation APIs. Google employs a multi-layered security
strategy. A distinct, more secure service is Google Apps for Government, to which we dedicate
a separate section [57]. Google provides information about 13 data center locations [41] and an
uptime guarantee of 99.9% (without a specific time range).
Physical Security
Google claims that only select Google employees have access to the data center facilities and
that this access is controlled and audited. Heat-sensitive cameras, biometric verification,
authentication mechanisms and entry permits for authorised personnel are some of the measures
Google takes to ensure the security of its data centers.
Malware Protection
Google uses manual and automated scans to find websites that can be a source of malware
or phishing [58]. The blacklists produced by these scans have been incorporated into many Google
products on servers and workstations. Apart from this general statement, Google does not specify
how this is applied to its cloud products.
Monitoring
Network analysis is supplemented by automated analysis of system logs to help determine
whether an unknown threat exists for Google systems.
Vulnerability Management
For vulnerability management, many commercial and proprietary products are used to detect
and manage vulnerabilities in a timely manner. Automated and manual penetration tests, quality
assurance processes, software security reviews and external audits are some of the security
measures used.
Incident Management
This is a 24/7 service provided by the Google security group to ensure that any security related
event is treated with priority according to its severity and as fast as possible.
Network Security
For network security Google does the following:
Use and management of firewalls and ACL technology
Restricting access of network devices only to authorized personnel
External traffic is routed through custom front-end servers. This helps detect and stop
malicious requests.
Improved monitoring using internal aggregation points
Examination of logs to identify exploitation of programming errors
Privacy
Nothing specific is said about privacy protection, apart from the fact that in the government
cloud user data is not scanned or used for displaying advertisements. Users are in control of
whom they share their data with and how.
Microsoft Azure
Overview
Microsoft Azure is a cloud offering in the IaaS, PaaS and SaaS space. It includes traditional
IaaS virtual machine hosting, BLOB storage and software-defined networking, and extends into
the PaaS area with hosted web services, database instances and batch-processing frameworks.
Additionally, cross-cutting concerns such as user authentication, reliable messaging and
content delivery are addressed by specific services. The Azure service is typically accessed
via a REST API and web interfaces and is delivered from 4 data centers in the US, 2 in Europe
and 2 in Asia.
Physical Security
Microsoft emphasizes compliance with ISO 27001 in connection with the physical security
measures taken. Explicitly, the following procedures are mentioned:
Access control at all facilities
Personal identification with badges or biometrics required at all times
Regular audits of access lists
Video surveillance
Two factor authentication for physical access
Non-advertised data center locations
Additionally locked perimeters inside data centers
Off-site equipment and personnel must be authorized by dedicated staff.
Operations Personnel
Other security precautions are background checks and security training for personnel,
non-disclosure agreements and granting personnel the least privilege needed to carry out their
duties. Moreover, there are multiple levels of monitoring, logging and reporting, and a
combination of controls to detect malicious activity.
Network administration
Azure's internal network is isolated from external traffic by strong filtering. Administration
of the network devices is performed only by authorized personnel. An RPC-accessible API is
provided that accepts commands from SMAPI (the Service Management API). Detailed information
regarding the encryption that can be used when building a product with .NET on Windows Azure
can be found in [61].
Privacy
Microsoft's privacy stance is based on a number of principles, as described in the Privacy in the
Cloud white paper [63]. These principles include:
Accountability in handling personal information
Notice to individuals about the data collection procedures
Collection of individuals data only for the reasons provided in the privacy notice
Choice and consent of individuals regarding the collection and use of personal
information
Use and retention of personal information in accordance with the privacy notice
Disclosure or onward transfer to vendors and partners in a security enhanced manner
and only for the purposes provided in the privacy notice
Quality assurance to ensure that personal information is accurate and relevant to the
purpose for which it was collected
Access to individuals to inquire about, view or update their personal data
Enhanced security to help protect against unauthorized access
Monitoring and enforcement of compliance with the privacy policies.
In general, the biggest difference between traditional IT services and the cloud is that in the
latter case it is the customer organization that controls and sets the policies for how its
customers' or employees' data is handled in the cloud. Microsoft has developed data handling
processes in its agreements with business and government customers.
The information provided in the Windows Azure Security Overview regarding privacy is limited to
the statement that "Windows Azure Storage is designed to ensure customer deleted data is
faithfully and consistently erased". As described in the Windows Azure Privacy Statement [62],
Microsoft retains the right to replicate data between different sub-regions unless customers have
disabled this feature, but in any case data will not be transferred outside the major geographic
region.
Last, Microsoft supports efforts to enable the development of globally consistent policy
frameworks that both support privacy protection and enable data flow from data centers located
in countries with divergent rules and laws.
Microsoft Office 365
Certification/ Standards Adherence
ISO 27001
Safe Harbor
EU Model Clauses
HIPAA-BAA
FISMA (by the Broadcasting Board of Governors)
ITAR (by the United States Department of Agriculture)
Physical Security
The physical security model offered for Microsoft Office 365 is equivalent to Microsoft Azure and
the other cloud products of Microsoft.
Privacy
Office 365 provides an extensive collection of documentation on data privacy. Some information
is accessible through the Microsoft Trust Center [37] web portal and the Office 365 privacy
whitepaper [38]. The details of the Information Security Policy are only available under NDA
[39]. Specific privacy features are presented in the following list.
Office 365 abides by privacy-relevant standards such as the EU Model Clauses and HIPAA.
Microsoft guarantees not to use customer data for advertising or to run data analytics on it
without the customer's consent. This may, however, be an integral part of the license
agreement.
An auditable and formal process for access to customer data by Microsoft staff is
provided.
Customers can define geographic boundaries for data storage and processing.
Notifications are provided in case changes are required or violations are observed.
The service allows separation of data between the customer and Microsoft consumer
services. There is, however, no mention of specific mechanisms.
Finally, there is a private cloud offering of Office 365 in cooperation with VMware.
Summary
The following table summarizes the certifications and audits each provider complies with (a
question mark indicates that it is not clear whether the provider has the certification):
Certification / audit        Amazon AWS    Google Cloud    Microsoft Cloud    RackSpace
SAS 70 Type II audits
SOC 1 Type 1 & 2 reports
SOC 2
SSAE 16 standard
ISAE 3402 standard
ISO 27001 certification
PCI DSS
HIPAA-BAA
CVSS
Safe Harbor
FISMA
ITAR
FIPS
Note that as long as a provider has even one service that complies with a certification, we
consider the whole cloud of that provider as compliant with it. Of course this is not true, and it
was actually a reason for legal fights between the different providers, but we do this for
comparison purposes at a high level. For example, Microsoft Cloud as presented in the table
above includes both Azure and Office 365, and when a certification exists this does not mean
that it applies to both services. Similarly, there are Google Cloud services such as Gmail that
are not ITAR compliant, since Gmail servers are located all over the world and not just in the US,
but we still consider Google Cloud to possess these certifications.
Regarding physical security, more or less all providers offer the same level of security.
Furthermore, the physical security provided does not differ from what other traditional data
centers need.
The security features provided by the major cloud providers differ more in the way they are
presented and advertised than in their actual value. Maybe the details could make the
difference, but details are something the providers reveal only under an NDA.
Overall, we think that the security features provided are sufficient to protect the systems
involved in a cloud platform. After all, there is no significant difference between the protection of
cloud services and that of any other traditional system.
When it comes to privacy, Amazon, Microsoft and Google offer solutions with a very high level
of privacy, enough to be used by government agencies and the military. Google misses some of
the certifications needed for this purpose, or at least it does not publish them online. Rackspace
does not provide solutions for the government and accordingly does not possess the required
certifications.
Conclusion
In this survey we tried to dig into the details of the security and privacy offerings of four big cloud
providers. The security measures provided in the cloud do not differ significantly from those of
any other large-scale, complex system, and this is why all the providers we examined in this
survey are certified as providing most of the required security features. One area in which they
differ is the government sector, for which special and stricter guarantees for privacy and
security are required. Another point we would like to mention is the difficulty we encountered in
gathering and verifying this information. In the best case, some of the providers do not present
this information in a compact way. Even worse, sometimes they give the impression that they
possess a particular certification for all their services, while in fact the certification concerns
only a part of them. Overall, though, we think that important steps have already been taken in
the right direction, and that competition and the maturing of the services over time will help
settle most of the concerns users have regarding the privacy of their data.
References
*All online documents were last checked on 12/12/7
[1] http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
[2] http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
[3] http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/
[4] http://www.27000.org/iso-27001.htm
[5] http://aws.amazon.com/security/iso-27001-certification-faqs/
[6] http://www.hhs.gov/ocr/privacy/
[7] http://www.fightfilmtheft.org/facility-security-program.html
[8] https://portal.aws.amazon.com/gp/aws/securityCredentials
[9] http://aws.amazon.com/iam/
[10] http://aws.amazon.com/security/vulnerability-reporting/
[11] http://aws.amazon.com/security/penetration-testing/
[12] https://aws.amazon.com/security/aws-pgp-public-key/
[13] http://aws.amazon.com/govcloud-us/
[14] http://bd905956a42f6ed96c17-a6046798c661ed27e3d4fdfd1b3c5e5a.r62.cf1.rackcdn.com/whitepapers/security/Rackspace_Security.pdf
[15] http://www.rackspace.com/cloud/private/
[16] http://www.openstack.org/
[17] http://www.rackspace.com/cloud/public/backup/
[18] http://www.akamai.com/
[19] http://www.rackspace.com/knowledge_center/article/modified-medium-trust-on-cloud-sites
[20] http://aws.amazon.com/ec2/
[21] http://aws.amazon.com/s3/
[22] http://aws.amazon.com/ebs/
[23] http://aws.amazon.com/rds/
[24] http://aws.amazon.com/dynamodb/
[25] http://aws.amazon.com/simpledb/
[26] http://aws.amazon.com/elasticache/
[27] http://aws.amazon.com/cloudsearch/
[28] http://aws.amazon.com/swf/
[29] http://docs.amazonwebservices.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3EncryptionClient.html
[30] http://docs.amazonwebservices.com/AmazonS3/latest/dev/UsingAuthAccess.html
[31] http://docs.amazonwebservices.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
[32] http://aws.amazon.com/vpc/
[33] http://aws.amazon.com/dedicated-instances/
[34] http://aws.amazon.com/iam/
[35] http://www.first.org/cvss
[36] https://aws.amazon.com/security/security-bulletins/
[37] https://www.microsoft.com/en-us/office365/trust-center.aspx
[38] Privacy in the public cloud: The Office 365 approach (2011), Microsoft
[39] Standard Response to Request for Information - O365 (2011, v2), Microsoft
[40] https://support.google.com/a/bin/answer.py?hl=en&answer=60762
[41] https://www.google.com/about/datacenters/inside/locations/index.html
[42] http://www.sas70.us.com/services/sas70-typeii-audit.php
[43] http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc1report.aspx
[44] http://www.ssae-16.com/
[45] http://isae3402.com/
[46] http://www.27000.org/ismsprocess.htm
[47] https://www.pcisecuritystandards.org/index.php
[48] http://searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act
[49] http://www.fisma.org/
[50] http://www.diacap.net/
[51] http://govitwiki.com/wiki/Defense_Information_Assurance_Certifications_and_Accreditation_Process_(DIACAP)
[52] http://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations
[53] http://www.itl.nist.gov/fipspubs/geninfo.htm
[54] http://en.wikipedia.org/wiki/FIPS_140
[55] http://www.first.org/cvss
[56] http://en.wikipedia.org/wiki/CVSS
[57] https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf
[58] http://googlewebmastercentral.blogspot.com/2008/10/malware-we-dont-need-no-stinking.html
[59] http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/37672.pdf
[60] http://msdn.microsoft.com/en-us/library/windows/desktop/84aed186-1d75-4366-8e61-8d258746bopq.aspx
[61] http://msdn.microsoft.com/en-us/magazine/ee291586.aspx
[62] http://www.windowsazure.com/en-us/support/legal/privacy-statement/
[63] http://go.microsoft.com/?linkid=9694913&clcid=0x409
[64] http://www.wilmerhale.com/publications/whPubsDetail.aspx?publication=9532
[65] Security in Office 365 Whitepaper: http://tinyurl.com/cj4x4pt
[66] http://searchdatamanagement.techtarget.com/definition/HIPAA
[67] http://searchhealthit.techtarget.com/definition/HIPAA-business-associate-agreement-BAA
[68] http://www.privacytrust.org/guidance/safe_harbor.html
[69] http://gigaom.com/cloud/why-microsoft-and-google-are-fighting-dirty-over-uncle-sam/
[70] http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/04/11/google-s-misleading-security-claims-to-the-government-raise-serious-questions.aspx
[71] http://broadcast.rackspace.com/downloads/pdfs/RackspaceSAS70.pdf
[72] http://c1776742.cdn.cloudfiles.rackspacecloud.com/downloads/pdfs/Rackspace_SOC1TypellReport.pdf
[73] https://developers.google.com/appengine/terms
[74] http://www.rackspace.com/knowledge_center/whitepaper/moving-your-infrastructure-to-the-cloud-how-to-maximize-benefits-and-avoid-pitfalls
[75] http://research.microsoft.com/pubs/80240/dwork-tcc09.pdf
Appendix - Standards, Certifications, Terminology
SOC 2
SOC 2 examines the details of data center testing and operational effectiveness.
SSAE 16 standard
This is the standard under which SOC 1 reports are issued. It came as an enhancement of the
SAS 70 standard and is aligned with the new international service organization reporting
standard, ISAE 3402. [44]
FISMA
The Federal Information Security Management Act (FISMA) is United States legislation that
defines a comprehensive framework to protect government information, operations and assets
against natural or man-made threats. [48] Depending on the risk level of the sensitive information
there are three security categories under FISMA, namely Low, Moderate and High. Each level
has minimum requirements and builds on the previous one.
FISMA requires federal agencies to have an information security program for their data and
infrastructure. The FISMA levels require cloud companies to implement an extensive set
of security controls, including documenting the management, operational and technical
processes used to secure the physical and virtual infrastructure, and conducting third-party
audits. [49]
Defense Information Assurance Certification and Accreditation Process (DIACAP)
DIACAP [50] is the U.S. Department of Defense process that ensures risk management is
applied to information systems. It includes the following five phases [51]:
Initiate and Plan
Implement and Validate
Make C&A Decisions
Maintain ATO/Reviews
Decommission
HIPAA-BAA
This is a contract between HIPAA covered entity and a HIPAA associate to protect personal
health information in accordance with HIPAA guidelines. [67]
EU Model Clauses
The EU model clauses restrict the transfer of personal data to countries outside the European
Economic Area (EEA), unless the recipient is located in a country with an adequate level of
data protection. Notable this doesnt include the US. [64]
Safe Harbor
US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive
95/46/EC on the protection of personal data. [68]