CHAPTER 5 DISCUSSION AND ANALYSIS

Transcription

1 CHAPTER 5 DISCUSSION AND ANALYSIS 5. Discussion and Analysis In this chapter, the author, first, would like to discuss about the possible difference in security between IaaS, PaaS, and SaaS. Other than that, the author would like to also discuss about Indonesia s regulation for information and electronic transaction. Finally, the result of data gathering process will be analysed according to Gartner s security assessment framework. 5.1 Discussion This section will discuss about different how cloud vendor provide different kind of security measure for different kind of service model. Moreover, in this section, the author would also discuss about Indonesian constitution and how it helps with securing vendor s and client s rights in terms of electronic transaction in cloud Differences of IaaS, PaaS, and SaaS in terms of security If we try to draw a picture of what layers involved in cloud computing, the result for VDC will typically look like this: 35

2 36 APPLICATION LAYER OPERATING SYSTEM LAYER VIRTUALISATION LAYER PHYSICAL LAYER NETWORK LAYER Picture 0.1 VDC Layers For the one that uses VPS the picture will typically look like the one used by Abc: APPLICATION LAYER OPERATING SYSTEM LAYER 2 VIRTUALISATION LAYER OPERATING SYSTEM LAYER 1 PHYSICAL LAYER NETWORK LAYER Picture 0.1 VPS Layers Each layer presents, not only different responsibility for the vendor, but also different vulnerabilities that needed to be considered.

3 IaaS IaaS model only handle security risks in the physical layer virtualization layer. Above that, the responsibility already moved to the client. In physical server layer, vendor are responsible to make sure that the server is up and running. While on the network layer, vendor is responsible to monitor the network traffic and make sure that the resources are available to the client. Last but not least, in Virtualization layer, vendor is responsible to make sure of a secured multi-tenancy environment. Client s data must be strongly isolated. In IaaS model. client are responsible to handle the security issue from the n. In VDC architecture, virtualization software run directly on top of the physical server, the only probable risks that needed to be taken care of the problem that might be caused by multi-tenancy. This includes data from different client got mixed up, unauthorized user can access client s data, etc. However, in VPS, the virtualisation software runs on top of an operating system. Thus, as an addition to multi-tenancy risks, VPS client must be aware of the vulnerability of the operating system that might cause some issue.

4 38 Picture 0.1 IaaS Security Handling; Yellow = Vendor, White = Client PaaS In PaaS model, for VDC architecture, vendor should handle security problem from the physical layer up to the operating system layer. As an addition to vendor s responsibilities mentioned in the previous section, in Operating System layer, vendor must make sure that the OS is patched and functional. Meanwhile, the client should only be responsible for their own application. On the other hand, for VPS architecture, vendor should handle the security problem up to operating system layer 2. This means there are two possibly different operating system that present different vulnerability that the vendor need to be considered. First thing first, vendor is responsible to patch/update the operating system. If an y

5 39 problem occurred in this layer, vendor will need to be hold responsible. Picture 0.2 PaaS Security Handling; Yellow=Vendor, White=Client

6 SaaSS In SaaS model vendor is responsible for managing the security from the physical layer and all the way to the application layer. As an addition to the responsibility mentioned in the previous section, application layer also add some other responsibility to the vendor. Firstly, the vendor should make sure that the application is always available to the client when needed. In other words, vendor is responsible for the availability of the application. Secondly, the vendor should make sure that the application is functioning properly and the output is correct. However, if this application is a product that comes from a partnerr company, then these responsibilities can be thrown to the company that make the software. Picture 0.1 SaaS Security Handling; Yellow=Vendor, White=Client

7 Indonesia s Constitution about Information and Electronic Transaction Many people said that Indonesia is not yet ready to adopt cloud computing technology because the regulation still is not enough to protect client s right. But what is really the content of UU ITE that might relate to electronic transaction in cloud? The following is the list of some of the verses in UU ITE about electronic transaction: Verse 9 states that every business actor that offers a product through an electronic system has to provide complete and correct information about the product. Based on this verse, client can sue vendor in case the vendor provides a false information about their service just to lure the client to subscribe. Verse 15 of the constitution explains that the owner of the electronic system is responsible to run the system in a reliable and secure manner and it should function properly as it should be. The vendor will be held responsible for all process running in their electronic system. However, this will not be the case if it can be

8 42 proved that the mistake or error was made by the client. This verse protect both client s and vendor s rights. If the mistake is on vendor, then they can be punished. However, if the error is on client, then the vendor will not be held responsible. Verse 18 of the constitution explains that for an international transaction, every actor has the right to choose which country s law will be applied for the transaction. However, this should be written in a form of contract or else the International Civil Law will be applied. Thus, vendor and client should come up with a agreement as to the law that applied for international transactions. This will become important in case vendor s data centre is located outside the country. That is why it is very critical for the client to inquire about the data centre s location before subscribing to any vendor s services.

9 43 Verse 26 of the constitution states that, for every usage of someone s personal data on an electronic media, the person s permission is required. If this right is violated, then the person could file a lawsuit for his/her loss, based on this constitution. Verse 30 of this constitution states that no unauthorized person is allowed to access someone else s computer or electronic system with any way possible, for the purpose of accessing electronic information/document. Verse 31 forbids any individual from doing interception or tapping any private electronic information/document, unless it is done by law enforcement agencies which is done based on the constitution. Verse 33 protects the right of the vendor of electronic system. Every individual, either intentionally or unintentionally did something that resulted in disturbance on the electronic system will get a punishment.

10 44 Verse 35 protects data integrity and availability by forbidding any party to manipulate, create, fabricate, delete, or damage someone else's electronic information/document in order to make it look as authentic. Verse 37 protects electronic system whose location is inside Indonesia s jurisdiction from attack by an individual or party from outside the country. 5.2 Analysis In this section, the author will analyse the result of data gathering that appear in chapter 4. Table 5.1 below will show the summary of the data gathered in chapter 4.

11 45 Tabel SUMMARY OF THE INFORMATION GATHERED FROM CLOUD VENDOR CATEGORY BIZNET IPTEKNET XYZ ABC Priviledge User Access 1. Biznet does not 1. Only client has access 1. Only client has access 1. Only client has access 1. Who can access client s data 2. Who has access to get into the server room 3. How to access have access to client s data 2. Only an Authorized person can access. 3. A person will need to go through authorization their data 2. Only an Authorized person can access. 3. A person will need to go through authorization process. their data 2. Only admin have access to the server room. Plus, xyz s data centre already followed ISO A person will need to their data 2. Data centre already followed ISO A person will need to go through authorization process. the server room process. go through authorization process.

12 46 Compliance 1. Data centre of 1. Data centre of Ipteknet 1. Xyz already acquired 1. Abc already acquired Biznet already already comply with ISO certificate ISO certificate 1. Audit/Certificat comply with ISO ISO ion Data Location All Data Centre that is used All Data Centre that is used to All Data Centre that is used to All Data Centre that is used to 1. Is the data to store clients data is store clients data is located in store clients data is located in store clients data is located in centre located located in Indonesia. Thus, Indonesia. Thus, only Indonesia. Thus, only Indonesia. Thus, only in Indonesia? only Indonesian law Indonesian law applied. Indonesian law applied. Indonesian law applied 2. What law applied. applies in case of security problem? Data Segregation 1. The data is 1. The data is separated 1. The data is separated 1. Vendor ensure data 1. How provider separated using the using the technology using VLAN separation (secure separate data technology of of virtualization. technology multi-tenant system) for each client? virtualization.

13 47 Availability 1. Does the SLA 1. It is written in the SLA 1. It is written in the SLA 1. It is written in the SLA 1. It is written in the SLA contain promise the on server uptime? Recovery 1. BizNet has its own 1. Ipteknet has its own 1. Xyz has its own 1. Abc has its own Disaster Recovery Disaster Recovery site. Disaster Recovery site. Disaster Recovery site. 1. What will site. Client s data Client s data will be Client s data will be Client s data will be happen to your will be backed up backed up backed up backed up data in case of a periodically periodically. periodically. periodically. disaster? Investigative Support 1. server log, 1. server log 1. server log 1. server log 1. What kind of information can be gained from the vendor that

14 48 will be useful for investigation? Long-term Viability 1. Client will be given 1. The data will be given 1. The data will be given 1. The data will be given some time back to the client back to the client free back to the client 1. What will (Approximately a of charge happen to your data in case the vendor s company went bankrupt or not month) to choose what they want to do with their data (either move it or delete it) operating anymore?

15 49 Support in Reducing 1. If requested, Biznet 1. If requested, Ipteknet 1. If requested, xyz can 1. If requested, abc can Risks can provide a can provide a provide a consultaion provide a consultaion consultation and consultaion and and recommendation. and recommendation. 1. Does the recommendation. recommendation. vendor provide any kind of training for increasing security?

16 Privileged User Access Access to Client s Data Client s data can only be accessed by client. Nobody from the vendor could have access to client s data. This provides a level of trust between vendor and the client. Every vendor claims that only client can have access to client s data. For this, all vendors can get a SECURE How to Access the Server Room According to Gartner, privileged user access is all about finding out who on the vendor s side could possibly have access to client s data. This means assessing who have access to client s data in the server, and also the server itself. It is important to ask the vendor about whether or not vendor can access client s data; that can access the server room. Furthermore, method of authentication used to access the server room should also be considered. The ways in which someone may be authenticated fall into three categories. The first one is using something that you know, i.e. password or collections of personal information. The second factor is related to what you have. Examples include a SmartCard and a key. Meanwhile, the third one involves something that you are such as fingerprint and eye retina.

17 51 The use of these factors for authentication then further involved in the categorization of method for authentication [21]. There are three category of methods based on the number of factor used. The first one is called as Single-Factor Authentication as it only uses one of the three factors mentioned above. This authentication method is used in application like where we need only a password and address to login. The second one is Two-Factor Authentication which uses two of the three factors. This kind of authentication is used in our banking transaction using ATM machine. In the transaction using ATM machine, user needs to insert the card (what you have) and then input their password (what you know). Last but not least, the third method of authentication is Three-Factor Authentication. This method of authentication uses all the factors for authenticating a person. For example, to access a room a person might need to have an access card (what you have), enter a four-digit code (what you know), and then put his/her finger for fingerprint authentication (what you are). Out of these three methods, the Biznet and Ipteknet used twofactor authentication. To access the server room a person will need to have an access card and know the password. The other provider did not give an answer to this question when asked by phone or by . However, xyz and abc both already got ISO

18 This means the security of their data centre is already up to the standard. In conclusion the author believes that all vendors deserve a SECURE Who has Access to the server room Only administrator from vendor s company can access the server room. This is the case with Biznet and Ipteknet. For Xyz and Abc, since they already got the ISO certificate, we can assume that access control is already considered to be secure. Thus, every vendor deserves a SECURE. CATEGORY BIZNET IPTEKNET XYZ ABC PRIVILEGED USER ACCESS Access to client s data from vendor SECURE SECURE SECURE SECURE Who has access to get into the server room? SECURE SECURE SECURE SECURE How to access the server room SECURE SECURE SECURE SECURE Table 5.2 Privileged User Access Assessment

19 Compliance Audit/Certification The certification that vendor should ve had related to Information security is ISO ISO which full name is ISO/IEC 27001:2005 standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls [23]. The existence of this certificate may impact on customer s trust on the vendor s security. Only Xyz and Abc already got the ISO certification. However, Biznet and Ipteknet has also build their data centre in compliance with the ISO Thus, all vendors get a SECURE. CATEGORY BIZNET IPTEKNET XYZ ABC COMPLIANCE Audit/Certification YES YES YES YES Table 5.3 Compliance Assessment

20 Data Location Based on the data gained from the vendors, the servers used to keep client s data are located in Indonesia. So does the Disaster Recovery Site. This is probably to cope with the RPP PITE, which is a draft of constitution about the establishment of information and electronic transaction. In this draft of regulation there are rules for people who own a. electronic system, which requires them to have their data centre located in Indonesia. This is said to be for the sake of guarding national data. For this, all vendors get a YES Since all data centre are located in Indonesia, only Indonesia s regulation applied. This is makes it easier in solving dispute in case of a trouble. Thus, every vendor gets a YES. CATEGORY BIZNET IPTEKNET XYZ ABC DATA LOCATION Is the data centre located in Indonesia? What law applies in case of security problem? YES YES YES YES YES YES YES YES Table 5.4 Data Location Assessment

21 Data Segregation How provider separate data for each client? The virtualization technology is used to separate data from different client. The virtualization make it looks like each client s data is located in different server just like a dedicated server. This creates a secure multi-tenant environment. Biznet, Ipteknet and Abc enforce strong isolation for each VM to separate it. Xyz uses VLAN technology to limit access from one network to another. Thus, every vendor gets a SECURE. CATEGORY BIZNET IPTEKNET XYZ ABC DATA SEGREGATION How provider separate data for each client? SECURE SECURE SECURE SECURE Table 5.5 Data Segregation Assessment

22 Availability Each vendor has their own number of uptime. However, every vendor must put it in the SLA so that it will have a binding power. Turns out that Biznet, Ipteknet, Xyz, and Abc all have put it in the SLA to show their commitment. Thus, all vendors got a YES. AVAILABILITY CATEGORY BIZNET IPTEKNET XYZ ABC Does the SLA contain the promise on server uptime? YES YES YES YES Table 5.6 Availability Assessment Recovery The architecture used by all vendors already provides redundancy. This means that all client s data have already been backed up in to a Disaster Recovery Site. In case of a disaster, and let say the data centre is ruined, vendor will redirect all request to the disaster recovery site while they fix the damage. Each vendor has their own Disaster Recovery Site and back up client s data periodically. This, way in case of a disaster client will not lose their data. For this reason all vendor can be counted as SECURE.

23 57 RECOVERY CATEGORY BIZNET IPTEKNET XYZ ABC What will happen to your data in case of a disaster? SECURE SECURE SECURE SECURE Table 5.7 Recovery Assessment Investigative Support All vendors can provide a server log which contains the list of people who have accessed the server. Thus, all vendors get a YES. CATEGORY BIZNET IPTEKNET XYZ ABC INVESTIGATIVE SUPPORT What kind of information can be gained from the vendor that will be YES YES YES YES useful for investigation? Table 5.8 Investigative Support Assessment

24 Long-Term Viability Long-Term Viability is all about what will happen with client s data if the vendor stops operating. When asked about this, all vendors basically said that the data will be given back to the client. However, it is actually not that simple. There is also a problem of integrating back to in-house. However, the vendor did not explain about this. For that reason all vendor get a NO. CATEGORY BIZNET IPTEKNET XYZ ABC LONG-TERM VIABILITY What will happen to your data in case the vendor s company went bankrupt or not NO NO NO NO operating anymore? Table 5.9 Investigative Support Assessment Support for Reducing Risks When requested, all vendors are willing to help client with consultation to help client in need. Client can ask about how to maintain their infrastructure, what anti-virus should be used, etc. Then vendor staff can provide answers based on their expertise. For this, all vendors will get a YES.

25 59 CATEGORY BIZNET IPTEKNET XYZ ABC SUPPORT IN REDUCING RISKS Does the vendor provide any kind of training for increasing security? YES YES YES YES Table 5.10 Support in Reducing Risks Assessment

26 60 Tabel 5.11 OVERALL ASSESSMENT OF SECURITY MEASURE GIVEN BY VENDOR BASED ON GARTNER S FRAMEWORK CATEGORY BIZNET IPTEKNET XYZ ABC PRIVILEDGE USER ACCESS Access to client s data from vendor SECURE SECURE SECURE SECURE Who has access to get into the server room? SECURE SECURE SECURE SECURE How to access the server room SECURE SECURE SECURE SECURE COMPLIANCE Audit/Certification YES YES YES YES DATA LOCATION Is the data centre located in Indonesia? YES YES YES YES What law applies in case of security problem? YES YES YES YES

27 61 DATA SEGREGATION How provider separate data for each client? SECURE SECURE SECURE SECURE AVAILABILITY Does the SLA contain the promise on server uptime? YES YES YES YES RECOVERY What will happen to your data in case of a disaster? SECURE SECURE SECURE SECURE INVESTIGATIVE SUPPORT What kind of information can be gained from the vendor that will be useful for YES YES YES YES investigation?

28 62 LONG-TERM VIABILITY What will happen to your data in case the vendor s company went bankrupt or not NO NO NO NO operating anymore? SUPPORT IN REDUCING RISKS Does the vendor provide any kind of training for increasing security? YES YES YES YES GRAND TOTAL SECURE/YES : NOT SECURE/NO 8:1 8:1 8:1 8:1 32:4

29 63