Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government
April 13, 2016
Presenter: Carlo Di Giulio
Advisor: Dr. Masooda Bashir
Focus of the Research
- Security and privacy risks and pitfalls in commercial cloud services
- Help the US Air Force identify, among the selected providers, the Cloud Service Providers (CSPs) that are the most secure and convenient for the US Government
- Spot possible market trends
- How service providers are addressing government needs
Focus of the Research
- The research currently focuses on 5 major CSPs
Structure
The research is organized in three pillars:
- Norms, regulations, and guidelines
- Products and services
- General privacy and security policies
Pillar I: Norms and Guidelines
- Different levels of security, different controls and authorizations
Pillar I: Norms and Guidelines
- The authorization process to provide a service to the DoD is rather complex
Image: The FedRAMP and CC SRG Roadmap (1)
Pillar II: Offering
- Each CSP offers a number of services that may be classified and compared to others
- We classified the products and services of each service provider into 3 main categories (NIST 500-292):
  - IaaS
  - PaaS
  - SaaS
Pillar II: Offering
A few examples

| CSP / Service        | AWS               | Microsoft (Azure) | Google CS        | IBM Softlayer          | VMware                      |
|----------------------|-------------------|-------------------|------------------|------------------------|-----------------------------|
| Data Analytics       |                   | Event Hubs        | BigQuery         |                        | vRealize Operations Manager |
| Cloud Monitoring     | Amazon CloudWatch |                   | Cloud Monitoring | Monitoring & Reporting |                             |
| Compute              | Amazon EC2        | Cloud Services    | App Engine       | Virtual Servers        | Compute                     |
| Relational Database  | Redshift          | SQL Database      | Cloud SQL        | Continuent             |                             |
| Identity Management  | AWS IAM           | Active Directory  | Cloud IAM        |                        | Identity Manager            |
Pillar III: Policies
In order to classify the policies, standardization and classification are required:
- NIST 800-53
- FedRAMP Baseline (medium - high)
- Frameworks issued by credible NGOs:
  - AICPA (SOC 2 criteria)
  - CSA (CCM 3.0.1)
Pillar III: Policies - Examples
Do you allow tenants/customers to define password and account lockout policies for their accounts? (IAM 12.9 Indicator, CCM 3.0.1)
- AWS: "AWS Identity and Access Management (IAM) lets [the tenant] manage several types of long-term security credentials for IAM users" (2)
- Microsoft: "(...) must at a minimum meet Microsoft internal IT requirements, but an internal organization can increase the strength past this standard" (3)
- VMware: "Not at this time" (4)
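The IAM 12.9 indicator above asks whether a tenant can define its own password policy; an added example (not from the presentation or any of the CSPs' own material) of what a tenant-side check for AWS IAM would look like. The dict shape follows the `PasswordPolicy` object that boto3's `get_account_password_policy()` returns, and the baseline values are assumptions modelled loosely on NIST 800-53 IA-5(1) parameters, not an official FedRAMP baseline.

```python
"""Check an AWS IAM account password policy against a tenant-defined baseline."""

# Assumed baseline (not an official FedRAMP parameter set):
# key -> (comparison, required value). "min"/"max" are numeric bounds.
BASELINE = {
    "MinimumPasswordLength": ("min", 12),
    "RequireSymbols": ("eq", True),
    "RequireNumbers": ("eq", True),
    "RequireUppercaseCharacters": ("eq", True),
    "RequireLowercaseCharacters": ("eq", True),
    "ExpirePasswords": ("eq", True),
    "MaxPasswordAge": ("max", 60),           # days; only present when expiry is on
    "PasswordReusePrevention": ("min", 24),  # previous passwords remembered
}

OPERATOR = {"eq": "==", "min": ">=", "max": "<="}


def check_password_policy(policy: dict) -> list:
    """Return one finding per baseline item the policy fails; [] means compliant."""
    findings = []
    for key, (mode, want) in BASELINE.items():
        have = policy.get(key)  # AWS omits keys that were never configured
        failed = (
            have is None
            or (mode == "eq" and have != want)
            or (mode == "min" and have < want)
            or (mode == "max" and have > want)
        )
        if failed:
            findings.append(f"{key}: have {have}, want {OPERATOR[mode]} {want}")
    return findings


# Constructed sample policies in the boto3 PasswordPolicy shape.
WEAK_POLICY = {
    "MinimumPasswordLength": 6, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}
HARDENED_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 60, "PasswordReusePrevention": 24, "HardExpiry": False,
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_password_policy(pol) or "meets baseline")
```

On a live account the same function can be fed `boto3.client("iam").get_account_password_policy()["PasswordPolicy"]`, which raises `NoSuchEntityException` when no policy has ever been set.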
Pillar III: Policies - Examples
Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? (EKM 03.02 Indicator, CCM 3.0.1)
- Microsoft: "(...) option of encrypting customer data transmitted to and from Microsoft datacenters over public networks. (...) private networks with encryption for replication of non-public customer data between Microsoft datacenters" (3)
- VMware: "Yes. (...) uses AES-256 encryption to encapsulate in-transit workloads. For in-cloud vMotion activities, a dedicated, secure and encrypted network is used exclusively for this purpose (...)" (4)
- Softlayer: "Tenant Control Consideration" (5)
Next Steps
- Conclude the policy analysis
- Select relevant policy indicators
- Cross-reference policies and services
- Explore features and differences among services in more detail
- Collaborate with a technical SME (CS grad student) to specify security criteria for the analysis
Thanks for your Attention!
For more information:
Carlo Di Giulio: cdigiul2@illinois.edu
Dr. Masooda Bashir: mnb@illinois.edu
References
(1) Bockelman, P. and McDermott, A. (2015). DoD-Compliant Implementations in the AWS Cloud. Reference Architectures. Amazon Web Services, April 2015. Retrieved from https://aws.amazon.com/compliance/dod/
(2) Amazon Web Services (2016). Amazon Web Services: Risk and Compliance. White Paper. Retrieved from http://aws.amazon.com/compliance/aws-whitepapers/
(3) Microsoft (2015). Standard Response to Request for Information: Microsoft Azure Security, Privacy, and Compliance. White Paper. Retrieved from https://cloudsecurityalliance.org/
(4) VMware (2015). VMware vCloud Air IaaS CAIQ v1.0 - Consensus Assessments Initiative Questionnaire v3.0.1. Retrieved from https://cloudsecurityalliance.org/
(5) Softlayer (2016). CAIQ v1.0 - Consensus Assessments Initiative Questionnaire v3.0.1. Retrieved from https://cloudsecurityalliance.org/