Public Cloud Providers

Date posted: 03-Jun-2018

  • 8/11/2019 Public Cloud Providers



    Analysis of Amazon S3 Cloud Services

    Joseph Beckman

    Matthew Riedle

    Hans Vargas

    Purdue University

    Authors Note




    Joseph Beckman, Ph.D. Student, Center for Education and Research in Information

    Assurance and Security (CERIAS), Purdue University

    Matthew Riedle, M.S. Student, Cyber Forensics in Computer Information Technology,

    Purdue University

    Hans Vargas, M.S. Student, Center for Education and Research in Information Assurance

    and Security (CERIAS), Purdue University.

    This research was supported by Dr. Brandeis Marshall and Dr. Melissa Dark as part of

    the INSuRE (The Information Security Research and Education) Research Grant, as well as the

    National Security Agency (NSA) sponsoring and providing unclassified problems to be


    Correspondence concerning this paper should be addressed to Joseph Beckman, Matthew

    Riedle, and Hans Vargas, Purdue University, West Lafayette, IN 47906

    Contact: [email protected], [email protected], [email protected]





    Distributed computing is a familiar concept within computer science. Public distributed

    computing, better known as cloud computing services, is a relatively new concept in the

    marketplace. In recent years, individuals, corporations, and government agencies have begun to

    leverage the resources of the Internet to perform tasks that had previously been limited to in-

    house computer networks. Providers of these resources, collectively referred to as Cloud

    Service Providers (CSPs), tout numerous benefits of their use, including the reduction of IT

    costs. Prospective customers, however, should take a serious look at the risks, vulnerabilities,

    and threats that may take place when relocating their resources to the cloud. The impacts of

    cloud usage upon information security as it relates to confidentiality are not well understood, and

    for that reason our research focuses on the Amazon S3 cloud storage service as a case study in

    confidentiality, from which to provide recommendations for improvement to existing

    cloud security frameworks.

    Keywords: Amazon S3, AWS, Confidentiality, Cloud Computing, CSP, FedRAMP, 3PAO




    Analysis of Amazon S3 Cloud Services


    Previous work2 categorizing risks within cloud computing identified threat and

    vulnerability profiles of three major CSPs, comparing them against security controls required by

    FedRAMP in order to approve federal agencies' migration of services to the cloud. This

    project will focus primarily on federal agencies as the customer base of cloud services, but will

    also take under consideration that private sector customers would benefit from security

    guidelines established by FedRAMP adopters.

    Amazon Web Services (AWS) was one of the first CSPs to be deemed compliant with

    FedRAMP cloud storage service security guidelines, which certified Amazon's S3 cloud storage

    service for use by United States federal government agencies. This project will attempt to

    describe and explain the existence, usability and effectiveness of these security features related to

    Amazon S3 with respect to the protection of confidentiality within the Infrastructure-as-a-

    Service (IaaS) domain. It will also lay the groundwork for updating and adapting the existing

    guidelines to more efficiently audit CSPs, as well as provide analysis based on open source

    intelligence regarding the realization of vulnerabilities, adoption of remedial actions from

    providers and customers.

    2Vargas, Toriola (2012) Public Cloud Providers: A Risk Matrix.





    The aim of this project, through the evaluation of Amazon S3 cloud services and the re-

    evaluation of the FedRAMP cloud services security guidelines, is to bring a greater level of

    security to information stored in the cloud. Increasing the level of security in the cloud is

    important to the field of information security, to the United States government, and to anyone

    who uses cloud services. While this project will focus on the cloud security policies and

    processes of the United States federal government, it has the potential to impact much of the

    world's population because of the widespread use of services like free e-mail, which operates

    mainly as a cloud service.

    Efforts to bring greater security to the cloud face many challenges that will impact this

    project. The nature of cloud services, and one of the greatest benefits of this architecture, is the

    lack of exposure of the system's back-end processes to the user. When evaluating the security of

    such a system, however, the inability to examine these processes directly reduces the

    effectiveness and meaningfulness of a security audit. Additionally, the cloud environment is very

    dynamic; services are added, changed, and removed often as user needs and behaviors change.

    As a result, our ability to produce changes to any security auditing framework that will be

    durable and enduring will be limited to studying the effects that are possible to analyze

    from the standpoint of a normal commercial service deployment.

    While we cannot yet see the full impact of this project, we know that it is a relevant

    issue to everyone. The motivation that is driving us to address this problem is the potential for its

    solution to have wide-ranging impacts on any customer using web storage services.




    Previous Work

    Initial work on this project, related to Public Cloud Providers, was conducted during the

    Fall 2012 semester. That research presented an overview of the three major cloud service

    providers: Amazon, Microsoft, and Google; and the determination of common threats and

    vulnerabilities. Another important aspect was the evaluation of security controls available to

    mitigate risk, specifically when Federal Agencies were considering transferring services to the

    cloud. Institutions like FedRAMP (based on NIST standards) and CSA were consulted as

    providers of guidelines and benchmarks for security in the cloud, as well as other, more specific

    risk frameworks. As a result, a risk matrix was developed that displayed a match between risk

    and security controls.

    Because the trend towards moving services to cloud computing is relatively new, existing

    literature on the topic of security in cloud computing tends to focus on one or more of three

    areas: analyzing the security of cloud service providers (CSPs) environments, providing an

    overview of the security landscape of cloud deployment models3, or creating an overall

    framework for a more secure use of the cloud. Each of these three themes is addressed from

    various perspectives, although comparisons tend to be rather straightforward and technical

    (Batten, 2012; Shraer, 2010; Agrawal, 2010). Some of the work providing an overview of cloud

    security discusses security in the cloud from the perspective of a particular discipline, such as

    business (Gurkok, 2013). Others focus on aspects of the cloud security landscape like

    institutional impact (Ksherti, 2013), or technical vulnerabilities (Marinescu, 2013). Given the

    variety of missions being addressed by the myriad government agencies that may derive benefit

    from and consider using Infrastructure-as-a-Service in the cloud, literature using all of these

    3IaaS, PaaS, SaaS.




    levels offered by CSPs. In order to accomplish this, BSI6 guidelines, which established

    minimum security requirements for cloud providers, were used as they describe security levels

    for the K.O. (knock-out) criteria matrix. These criteria attempt to assess the security level of

    cloud providers, with emphasis on Amazon as a cloud provider. The BSI represents one type of

    benchmark similar to other efforts (FedRAMP in the US) that attempt to determine a security


    Similarly, potential users of cloud services could benefit from the existence of a cloud

    certification authority that ensures the transparency of CSPs with respect to their security levels.

    Such a level of security could be determined by using the K.O. criteria, providing customers with

    better tools to choose cloud providers based on their security capabilities. Increasingly,

    CSPs are partnering with specialized security providers, in a Security-as-a-

    Service model, to enhance the level of security for their customers. These services are directly

    aimed at increasing confidentiality rather than availability7.

    According to Xiaoqi Ma (2012), the analysis of potential security risks related to cloud

    services, as they relate to confidentiality, integrity and availability (CIA), attempts to provide

    answers focused on privacy. From data privacy protection to data integrity in cloud services, his

    research represents a broad overview of security problems and proposed solutions. In the

    meantime, Behl and Behl (2012) review the key challenges of implementing cloud security

    solutions for a dynamic and changing cloud environment; they conduct analysis in order to

    consider detailed specifications of the problem and descriptions of must-have features for a

    security solution. Some of the reasons that represent major concerns

    6Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

    7Ensuring timely and reliable access to and use of information.




    regarding security are: loss of control while moving services to the cloud, multi-tenancy (the

    co-residence of tenants on the same logical/physical media), and service level agreements (SLAs) as the

    assurance that the right expectations are met. It further details the need for information

    integrity and privacy as well as identity federation. It concludes by recommending that cloud

    security management should be enhanced in order to better control and manage user data; in

    addition to that, it suggests that security should become a wrapper to all cloud deployment

    models in a multilayer security solution.

    Behl et al. (2012), however, review the key challenges of implementing cloud security

    solutions for a dynamic and changing cloud environment. They conduct analysis in order to

    consider detailed specifications of the problem of security in cloud computing and descriptions

    of required features for a security solution. Some areas of major concern regarding security are:

    loss of control while moving services to the cloud, multi-tenancy (the co-residence of tenants on the same

    logical/physical media), and SLAs as the assurance that the right expectations are met. The paper

    further details the need for information integrity and privacy as well as identity federation. Behl

    et al. conclude by recommending that cloud security management should be enhanced in order to

    better control and manage user data, and suggest that security should become a wrapper to all

    cloud deployment models in a multilayer security solution.

    Contrary to some assumptions, moving to a cloud environment does not eliminate the risk

    associated with security. In fact, outsourcing computing resources to the cloud generates major

    new security and privacy concerns. Moreover, service level agreements (SLAs) might not

    provide adequate legal protection for cloud computer users, who are often left to deal with events

    beyond their control.




    Amazon Computing

    Some of the literature we sought related to specific Amazon cloud computing

    services; this effort turned up work that sheds light on the computing

    services offered by Amazon.

    Marinescu (2013) suggests that an in-depth study of cache placement decisions over

    various cloud storage options would be beneficial to a large class of users through data

    persistence, monetary costs, and high performance needs of AWS in order to generate cost-effective

    data placement strategies. Marinescu describes what adequate caching strategies8 could

    represent for cloud services. The costs considered are for Amazon's S3, EC29 and EBS10, and are

    then used to obtain relevant data through a series of experiments for cost evaluation. The

    relevance of this paper is its analysis of how these different services can be distinguished

    from each other based on the cost effectiveness of each one.

    Garfinkel's (2007) article was considered as a way to show the progress in authentication

    mechanisms, from a simple authentication strategy based on the SHA1-HMAC algorithm to

    today's four mechanisms for controlling access to Amazon S3 resources: Identity and Access

    Management (IAM) policies, bucket policies, Access Control Lists (ACLs) and query string


    Abundant information about these four access control mechanisms is available from

    Amazon S3 Access Control11, where each feature and capability are described. With IAM

    policies, customers can grant IAM users fine-grained control to their Amazon S3 bucket or

    8Caches can be deployed to maintain some set of precomputed/intermediate data for reuse. Especially in scientific

    applications, precomputed data could not only replace the need to tirelessly compute redundant information, but it

    can also significantly reduce the amount of data transfer required.

    9Amazon Elastic Compute Cloud (Amazon EC2)

    10Amazon Elastic Block Store (Amazon EBS)

    11Access Control. Retrieved from: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html
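    The HMAC-based query string mechanism mentioned above can be shown end to end. The following Python is an added example written for this page, not code from the paper or from Amazon. It builds the Signature Version 2 StringToSign for a pre-signed GET (the layout the S3 REST authentication documentation gives for query-string requests, where the Expires value takes the place of the Date header), signs it with HMAC-SHA1 as the text describes, and verifies it the way the receiving service does: recompute, compare in constant time, then reject anything past its expiry. The credentials, bucket name and object key are constructed for the demonstration, and the virtual-hosted URL form is an assumption about the deployment. One caveat a practitioner will want: AWS has since moved to Signature Version 4 (HMAC-SHA256), which newer regions accept exclusively; the SHA1 scheme is kept here only because it is the one the text discusses.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, urlencode

# Constructed credentials for the demonstration only; they are not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLE0000000000"
SECRET_ACCESS_KEY = "example-secret-not-a-real-aws-credential"


def string_to_sign(method, bucket, key, expires, content_md5="", content_type="",
                   amz_headers=None):
    """Build the Signature Version 2 StringToSign for a query-string request:
    HTTP-Verb, Content-MD5, Content-Type and Expires on separate lines, then the
    canonicalized x-amz-* headers (lower-cased, sorted) and the resource path."""
    canonical_headers = ""
    for name in sorted((amz_headers or {}), key=str.lower):
        canonical_headers += f"{name.lower()}:{amz_headers[name].strip()}\n"
    canonical_resource = f"/{bucket}/{key}"
    return (f"{method}\n{content_md5}\n{content_type}\n{expires}\n"
            f"{canonical_headers}{canonical_resource}")


def sign(secret_key, sts):
    """Signature = Base64(HMAC-SHA1(SecretAccessKey, StringToSign))."""
    digest = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def presigned_get_url(bucket, key, expires, access_key=ACCESS_KEY_ID,
                      secret_key=SECRET_ACCESS_KEY):
    """Pre-signed GET URL. Only the signature travels in the URL; the secret key
    never leaves the signer, and the URL is useless after `expires` (epoch seconds)."""
    signature = sign(secret_key, string_to_sign("GET", bucket, key, expires))
    query = urlencode({"AWSAccessKeyId": access_key, "Expires": expires,
                       "Signature": signature})
    # Virtual-hosted-style host name is an assumption about the deployment.
    return f"https://{bucket}.s3.amazonaws.com/{quote(key)}?{query}"


def verify_request(method, bucket, key, expires, signature, secret_key, now=None):
    """What the service does on receipt: recompute the signature from the request,
    compare in constant time, then reject the request if the expiry has passed."""
    now = int(time.time()) if now is None else now
    expected = sign(secret_key, string_to_sign(method, bucket, key, expires))
    if not hmac.compare_digest(expected, signature):
        return False          # tampered key, bucket, method or expiry
    return now < int(expires)  # expired links are rejected even with a good signature


if __name__ == "__main__":
    ttl = int(time.time()) + 300  # link valid for five minutes
    print(presigned_get_url("example-bucket", "reports/q1.pdf", ttl))
```

    Because Expires is part of the signed string, a recipient cannot extend the lifetime of a shared link without the secret key; the same property is what the later discussion of share links that stop working after use is asking for.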




    For instance, the cloud security of Dropbox, Google Drive, and Microsoft SkyDrive are

    all compared and found to have similar weaknesses, mostly pertaining to a lack of user authentication when

    sharing data. This could be fixed by looking at how invitations to view the data can be

    rendered useless after they have been activated. Preventing these links from continuing to work

    after the recipient has used them, along with setting up a method to require a password in order

    to use that link, would help tighten the security of sharing data in the cloud. From this

    analysis we found ideas for investigating new security policies for cloud security.

    The first chapter of Yang's and Jia's (2014) Security for Cloud Storage Systems

    explores aspects of cloud technology, defining how they operate with data storage. Several items,

    including on-demand self-service and network access, are already expected by the users of cloud

    services when storing personal data. The chapter then describes two main threats that plague

    cloud providers. The first issue pertains to data integrity; users should be confident that the cloud

    provider is correctly managing their personal data, especially after they want to delete it. The

    second issue that arises pertains to access control; this issue is also due to the user being forced

    to trust the cloud server for their access control policies. While the data integrity issue is outside

    of our scope for this project, the access control information presented in this book will be very

    useful not only in assessing the weakness of access control in cloud architectures, but also in

    providing several concepts for how to fix these holes.




    A Comparison of Approaches to Cloud Security

    Tajadod et al. (2012) compare two CSPs and go into detail

    exploring their differences. We found relevant information about Amazon S3, as the paper details its

    services in order to elaborate the corresponding comparison. This description of security

    features is presented following CIA. For Confidentiality it describes Amazon IAM12, MFA13, and

    Key Rotation. With respect to Integrity, it describes encryption via SSL and HTTPS from client

    and server sides as well as HMAC (hash-based message authentication code). Finally for

    Availability, it specifies the SLA of Amazon as well as data replication capabilities.
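    The IAM and MFA controls listed above are only as good as the policy documents that invoke them, so here is an added Python example (written for this page, not the paper's or Amazon's code) that audits an S3 bucket policy for the two confidentiality mistakes a reviewer looks for first: an Allow statement whose Principal is the anonymous "*", and an Allow of a destructive action that is not conditioned on aws:MultiFactorAuthPresent, the condition key behind the MFA-protected API access entry in the compliance timeline later on this page. The sample policy is constructed for the demonstration, and the list of destructive actions is this example's own choice, not an AWS definition.

```python
import json

# Actions that destroy data or rewrite access control. The set is this example's own
# choice; the check expects them to be guarded by an MFA condition.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl", "s3:*", "*",
}

# Constructed sample policy: statement 1 makes every object world-readable,
# statement 2 allows deletes only with MFA, statement 3 allows deletes without it.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "MfaDelete", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
         "Action": ["s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "PlainDelete", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/bob"},
         "Action": ["s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value):
    """The policy grammar allows a string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def has_mfa_condition(statement):
    """True when the statement is gated on aws:MultiFactorAuthPresent being true."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = condition.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if value is not None and str(value).lower() == "true":
            return True
    return False


def audit_policy(policy_json):
    """Return (Sid, finding) pairs for every Allow statement that is anonymous or
    grants a destructive action without MFA. Deny statements only narrow access
    and are skipped."""
    findings = []
    for statement in _as_list(json.loads(policy_json).get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        actions = set(_as_list(statement.get("Action", [])))
        if principal_is_anonymous(statement.get("Principal")):
            # A Condition (e.g. aws:SourceIp) may narrow "*"; flag it for manual
            # review rather than calling it public outright.
            kind = ("anonymous-principal" if "Condition" not in statement
                    else "anonymous-principal-with-condition")
            findings.append((sid, kind))
        if actions & DESTRUCTIVE_ACTIONS and not has_mfa_condition(statement):
            findings.append((sid, "destructive-action-without-mfa"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

    Run against the sample, the audit reports PublicRead and PlainDelete and stays silent on MfaDelete; the corrected form of PublicRead is to name the principal, as MfaDelete does, or to add a condition that narrows who "*" can be.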

    Securing Cloud Services against Attacks

    The securing of cloud services can follow reactive and proactive measures, and in that

    regard Boot, Soknacki, and Somayaji provide an overview of security in the cloud computing

    environment, but approach their overview from the perspective of potential attackers. This

    overview, using descriptive methods, considers the various attacks that can be perpetrated upon a

    client-server model, and then reduces the scope of these attacks to those that would impact the

    current cloud environment, specifically one employing a hypervisor. The authors found that

    attacks relating to denial-of-service, breach of confidentiality, and compromise of data integrity

    are all applicable within the cloud. In relation to data confidentiality, the cloud adds a new threat

    of data colocation to those of typical client-server security issues. Through colocation, an

    12Identity and Access Management.

    13MFA: Multi-Factor Authentication




    attacker may be able to gain access to sensitive data residing on a cloud server by gaining access

    to the server through the account of a user using weaker authentication techniques. This paper

    also discusses the possibility of users with administrative-level access compromising sensitive data

    either maliciously or accidentally. Though the authors feel that data encryption and monitoring

    are important steps in ensuring the confidentiality of data in the cloud, these solutions remain

    vulnerable to traffic analysis and cryptographic weaknesses and would require additional burden

    upon cloud providers.

    A document, written by Cem Gurkok (2013) as a chapter in the book, Computer and

    Information Security Handbook, presents a view of cloud computing from a very strategic level.

    Gurkok begins his work with an overview of the types of cloud computing platforms (SaaS,

    IaaS, and PaaS), moves on to discuss security issues common to cloud services, and then

    describes security issues specific to the types of cloud platforms. Gurkok's descriptive methods

    are comprehensive and are able to analyze cloud security through the lens of the CIA triad, while

    subdividing these issues by discipline (legal, technical, etc.), and by system layer

    (infrastructure, operating system, application, etc.). The strategic level of this document provides

    a starting point for the narrowing of our analysis of the problem space.

    Auditing is addressed by Yu, Niu, Yang, Mu, and Susilo (2014), who focus not on cloud

    security itself but rather on the function of auditing cloud services for security. This paper is the

    result of conducting active attacks on cloud services, which showed that current auditing tools,

    such as Oruta and Knox, failed to provide evidence that the authenticity and integrity of stored

    files had been breached. In response, these authors propose a new framework that accounts for

    the actions of an attacker who is active on the system and working against the goals of the

    auditors. Though this work does not speak directly to the framework for security in the cloud




    environment, it does present both the security audit process, and its current vulnerabilities. An

    important aspect of our proposed framework, and of any security framework, should be the

    ability to audit and verify the security of the system. Understanding these processes will be

    important to the creation of a robust framework and successful evaluation of the Amazon S3


    Trustworthiness is researched by Shraer et al. (2010), especially after some identified

    high-profile incidents14 related to data integrity and consistency and their relationship to

    confidentiality (through encryption) and availability (through resilience and protection against

    loss). Venus is a service for securing user interactions with untrusted cloud storage by

    guaranteeing integrity and consistency. Even though this research represents an external

    mechanism that could be added transparently to the cloud storage service (Amazon S3), it

    provides evidence that this CSP's infrastructure is able to support verification

    mechanisms in its commodity cloud storage service. A simulated split-brain attack from a

    system with two clients was performed in order to evaluate how Venus detects service violations,

    successfully identifying inconsistencies. This work represents an external attempt, independent of the cloud

    provider, to enhance current storage solutions with negligible overhead added.

    Customers Role in Cloud Security

    The way customers acquire, configure, use and allocate cloud services is the customers'

    own responsibility, and mistakes made there are where vulnerabilities get exploited.

    Ksherti's (2013) paper, from the journal Telecommunications Policy, states that a discrepancy

    exists between the security claims of cloud computing vendors and users of cloud computing

    14Amazon S3s silent data corruption, a privacy breach in Google Docs, and ma.gnolias data loss.




    services. His largely descriptive study cites statistics from popular press surveys about the

    security fears of cloud computing users to support his assertion. Ksherti also uses these surveys

    as a jumping off point to discuss the institutions surrounding cloud computing, and how they

    should be modified to build greater levels of security into the fabric of these institutions.

    Specifically, he suggests the formation, through legal, technical, and social means, of a

    normative culture of security in cloud computing. Given the size and diversity of missions within

    the United States federal government, the importance of the culture of use surrounding cloud

    computing in this environment cannot be overstated. This work will inform aspects of the

    modified framework and evaluation of the Amazon S3 service that we provide in our work.

    Security Framework for Cloud Services

    A cloud security framework is presented by Nayak et al. (2012) detailing three phases of

    cloud security, server initialization, registration, and authentication, that benefit from

    incorporating user authentication into the overall cloud models. User authentication is used, in

    the form of usernames and passwords in almost every system that people use on a daily basis,

    such as online shopping, email, and social media. These methods are already applied by AWS in

    their approach to cloud security, and the paper goes into detail about how the messages could be

    laid out between Amazon's authentication servers and the user in order to maximize

    authentication security. In the server initialization phase, each user is assigned a unique SK15

    which is used in further steps to authenticate the users. The second phase, registration, is

    dependent on whether the user is new or not. When a new user opens an Amazon S3 account,

    that user must register with an email address which will need to then be verified by the user.

    15Secret Key




    is able to successfully authenticate the user, it is always advisable to include an additional

    method of authentication on the chance that it does not work. In their testing, the access control

    policies they designed, based off of personal habit characteristics, proved successful in

    authenticating the user and preventing unauthorized access with a low failure rate.

    While this system is not perfect at achieving authentication, it can prove beneficial to

    Amazon's S3 cloud services. A large portion of S3 involves data storage, which users want

    quick access to from anywhere, hence using the cloud for their storage. By implementing the

    TrustCube approach, cloud providers, including Amazon S3, will be able to provide

    quicker access for their users, allowing for better consumer satisfaction. The inclusion of user

    habits is also a great method of adding an additional security layer for users who are extremely


    Mouratidis et al. (2013) provide a systematic and structured framework for cloud

    computing security. Unlike other existing frameworks for cloud computing security, these

    authors approach the topic of cloud provider selection from a decidedly technical perspective.

    Although the approach is technical, descriptions within the work about high-level goal setting

    work well to inform a comprehensive approach to security in this environment. This work is also

    unique because it walks through a case study in building the proposed model. Despite the

    existence of FedRAMP as a tool for evaluation of the security of cloud providers for the United

    States federal government use, the section about secure cloud provider selection will highlight

    areas within FedRAMP that may need augmentation.





    Research was conducted on the confidentiality of data stored on the Amazon S3

    Infrastructure-as-a-Service (IaaS) cloud storage environment for the purposes of developing

    guidelines supplemental to FedRAMP that better address issues of confidentiality within this

    environment. Time and financial constraints inherent in the course setting impacted both the

    scope and nature of this research. First and foremost, the overall research methodology was

    descriptive and qualitative as a result. Further, the scope of this project was narrowed to focus

    only on the Amazon S3 storage service, rather than a broader assortment of Amazons cloud

    service offerings, and only on the confidentiality aspect of the service, rather than all aspects of

    the C-I-A triad.

    The key aspect of research during this study was an extensive literature review, which

    began with general research of the cloud computing environment. Ultimately, this review was

    also narrowed necessarily to match the scope of the research question. Beyond narrowing the

    focus of the research to confidentiality metrics and issues relating to the Amazon S3 cloud

    storage service, issues and resolutions to issues that could not be verified either through testing

    or through an independent third-party were also removed from the scope of this research;

    however, Amazon has summarized how it complies with federal privacy laws (Amazon, 2014).

    The research methods supported the following research motive: The cloud computing

    environment is an extremely dynamic space, and several sets of guidelines are being developed

    to promote secure use of cloud storage resources. In this context, the research question to be

    answered in this study is, Are current FedRAMP guidelines sufficient to meet the challenges of

    data confidentiality faced by United States federal government agencies in the Amazon S3 cloud,




    or should guidelines be added, changed, or segmented by level of security required for a



    On February 8, 2011, the Chief Information Officer of the United States released the

    Federal Cloud Computing Strategy (FCCS) document (Kundra, 2011). The goal of this

    document was to set forth a strategy that would increase the efficiency of information technology

    use in the federal government both in terms of cost and time (Kundra, 2011, p. 1). The FCCS

    policy is designed to work in conjunction with, and in support of, the CIO's February 2010

    Federal Data Center Consolidation Initiative (FDCCI), which seeks to raise data center

    efficiency through the elimination of 800 federal data centers by 2015 (Kundra, 2011, p. 8).

    Based on estimates by the federal Office of Management and Budget (OMB), 25% of federal IT

    spending was now being targeted for migration to cloud computing environments (Kundra, 2011,

    p. 1).

    Within the Decision Framework for Cloud Migration, the FCCS document does discuss

    security requirements to be considered when agencies make decisions about the type of cloud to

    be used, and the speed at which migration should occur (Kundra, 2011, pp. 11-14). FCCS

    frames the evaluation criteria for security considerations in the cloud in terms of the Federal

    Information Security Management Act (FISMA) requirements including, but not limited to, Federal

    Information Processing Standards (FIPS), and lays the responsibility for maintaining the

    appropriate level of information security upon the individual agencies (Kundra, 2011, p. 13).

    FCCS does, however, recognize that security (and other) concerns are likely to produce different

    iterations of cloud computing within and among federal agencies by virtue of its recognition of

    NIST's definition of cloud service models (Kundra, 2011, p. 6), and deployment models




    (Kundra, 2011, p. 5), including private clouds. It also recognizes the need for a transparent

    security environment between cloud providers and cloud consumers (Kundra, 2011, p. 26), and

    cites the 2010 Federal Risk and Authorization Management Program (FedRAMP) as responsible for

    defining requirements for cloud computing security controls, including vulnerability scanning,

    and incident monitoring, logging and reporting, in support of the secure and transparent cloud

    security environment (Kundra, 2011, p. 26). Also according to the FCCS, the Department of

    Homeland Security will assist in the operational security of federal agencies using cloud services

    by publishing a list of top security threats related to the cloud as needed, whereas NIST will

    assist with continued monitoring of cloud solutions as outlined by the Six Step Risk

    Management Framework (Kundra, 2011, p. 26) cited as Special Publication 800-37, Revision

    1 (Kundra, 2011, p. 26).

    Several solution frameworks exist in the problem space of cloud computing controls.

    FedRAMP, of course, applies to federal cloud computing and, consequently, plays a significant

    role in defining the solution space. Because of its role as a controls structure for the United States

    federal government, FedRAMP plays a significant role in that function for agencies that work

    with the United States federal government, such as: state agencies, universities, private firms,

    and foreign governments, as well as other entities that may not see the benefit in developing a

    further structure. Despite FedRAMP's stature in the space, various other previously mentioned

    controls structures exist. Organizations such as the Cloud Security Alliance (Cloud Security

    Alliance, 2013), and trade-based professional associations (Mouratidis, 2013) have also proposed

    control sets based on their own needs in cloud security. Our analysis has attempted to combine

    those controls that, in our view, represent the best confidentiality controls for cloud computing

    currently in existence across the community, compare the Amazon S3 service against these

  • 8/11/2019 Public Cloud Providers



    augmented metrics, and return suggestions that are useful not only to Amazon S3, but to the

    cloud computing community broadly. The timeline shownbelow presents Amazons security and

    compliance releases that have impacted the security of the Amazon S3 cloud storage service that

    serve as the basis for the discussion of problems and issues that follows.




Cloud Provider Perspective: Amazon Web Services (AWS)

AWS Compliance timeline

This compliance timeline shows security policies implemented and compliance events starting in 2009 with HIPAA and running to the first quarter of 2013 with improvements to IAM policy.

Date | Security or Compliance Event | Description
4/3/13 | IAM Policy Variables | Create policies containing variables that will be dynamically evaluated using context from the authenticated user's session.
3/26/13 | AWS CloudHSM | Use dedicated Hardware Security Module (HSM) appliances within the AWS Cloud.
3/11/13 | VPC by default | EC2 instances will be launched in a VPC for new customers. Amazon Virtual Private Cloud (Amazon VPC).
11/19/12 | Cross-account API access using IAM roles | Delegate temporary API access to AWS services and resources within your AWS account without having to share long-term security credentials.
7/10/12 | MFA-protected API access | Enforce MFA authentication for AWS service APIs via AWS Identity and Access Management (IAM) policies.
6/11/12 | IAM Roles | Simplifies the process for applications to securely access AWS service APIs from EC2.
1/30/12 | AWS Trusted Advisor | Self-service access to proactive alerts that identify opportunities to save money, improve system performance, or close security gaps.
11/11/11 | Compliance Milestone: SOC 1, Type 2 Report |
11/2/11 | Support for virtual MFA devices | Use a smartphone, tablet, or computer running any application that supports the open TOTP standard.
10/4/11 | S3 server-side encryption | Request encrypted storage when you store a new object in Amazon S3 or when an existing object is copied.
9/15/11 | Compliance Milestone: FISMA |
8/16/11 | AWS GovCloud | AWS Region designed to allow US government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.
8/3/11 | AWS Direct Connect | Enables you to bypass the public Internet when connecting to AWS.
12/7/10 | Compliance Milestone: PCI DSS Level 1 |
11/18/10 | Compliance Milestone: ISO 27001 |
9/2/10 | AWS Identity and Access Management (IAM) | Enables you to securely control access to AWS services and resources for your users.
11/11/09 | Compliance Milestone: SAS70 Type II Audit |
8/31/09 | AWS Multi-Factor Authentication | Provides an extra level of security that can be applied to your AWS environment.
8/26/09 | Amazon VPC | Provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define.
4/6/09 | Compliance milestone: white paper for HIPAA-compliant data |

For an extended and detailed account of security-related improvements to Amazon S3 during 2014, see Appendix 1: Amazon Web Services (AWS) security updates. For a complete list of compliance reports, certifications and third-party attestations, see Amazon Web Services (2014), AWS Risk and Compliance Whitepaper.




Incidents related to Amazon S3 Configurations

This account of events attempts to present security from the perspective of all involved parties. When transferring services to the cloud there is a significant transfer of risk, but this transfer is not absolute and complete. Customers must remain vigilant about the portion of security responsibility that they still control. In many cases this means reviewing SLAs and ensuring that services are correctly configured to perform as expected, from user and group permissions to data privacy assurances. Two reports that show configuration issues related to cloud services are listed below, one from the customer side and another from the provider side.

August 08, 2011 - Amazon S3 security: Exploiting misconfigurations (TechTarget)

Amazon S3 misconfigurations and what companies should do to ensure Amazon S3 security and avoid inadvertent data exposure. A security researcher, Diji Ninja, had an epiphany when considering how Amazon S3 storage functioned: if each URL was customized with a unique account name, it would be possible to use existing brute-force techniques to enumerate Amazon S3 buckets and possibly access the files. The researcher developed a tool to test this theory using standard wordlists and running them against the Amazon S3 API. The tool can also test whether the Amazon S3 storage bucket has been properly configured for public or private

Running this tool with a simple word list produces enlightening results that demonstrate both an Amazon S3 oversight and the importance of proper customer configuration. The tool runs through the wordlist by testing access to bucket URLs in succession in this format:




After reviewing the permissions of 12,328 Amazon S3 buckets, the Rapid7 team revealed that the 1,951 'public' ones exposed some 126 billion files in all, around 60 percent of which were images. However, there were also 28,000 PHP source files (including database usernames, passwords and API keys) and 218,000 CSV files (including personal data such as email addresses and telephone numbers), as well as 5 million text files, large numbers of which were marked as private or confidential and contained sensitive personal credentials and details about the organisations concerned and their customers. Getting even more specific on the information that was exposed in these buckets, Rapid7 cites examples such as sales records and accounts from a large car dealership, source code and development tools from a mobile gaming outfit, sales 'battlecards' for a large software vendor, and assorted cases of employee personal information across various spreadsheets.

The most common exposure was through log backups that were left globally accessible. Rapid7 has since worked with Amazon to disclose this misconfiguration, and customers were recommended to check their bucket settings unless they really want to share their files openly.
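Both reports above come down to bucket settings, so the practical counterpart for a bucket owner is a check that reads those settings back and flags anonymous access before someone else finds it. The following is an added example, not code from the page, Rapid7 or AWS: it audits bucket ACL grants and bucket policy statements for access by anyone or by any AWS account. The input structures follow the shape that boto3's get_bucket_acl and get_bucket_policy return, but the bucket names, canonical user id and grants are constructed so the check runs offline.

```python
"""Offline audit of S3 bucket ACLs and bucket policies for anonymous access.

Added example, not AWS code. The inputs have the shape that boto3's
get_bucket_acl() and get_bucket_policy() return, but are constructed here so
the check runs without credentials or network access.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OWNER_ID = "canonical-user-id-placeholder"   # constructed


def acl_findings(acl):
    """One finding per grant to the AllUsers or AuthenticatedUsers groups.

    READ on a bucket ACL lets the grantee list every key in it, which is how a
    guessable bucket name turns into a directory listing; WRITE lets them add
    or overwrite objects.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            who = "anyone" if grantee["URI"] == ALL_USERS else "any AWS account"
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    return findings


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_findings(policy_document):
    """One finding per Allow statement whose Principal is a wildcard.

    Statements with a Condition are flagged for manual review rather than
    counted as public: the condition may narrow access (for example to one
    source IP range), or it may not.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    findings = []
    for stmt in (statements if isinstance(statements, list) else [statements]):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = ", ".join(actions if isinstance(actions, list) else [actions])
        note = " (conditional, review manually)" if stmt.get("Condition") else ""
        findings.append(f"policy allows {actions} to any principal{note}")
    return findings


def audit_bucket(name, acl, policy_document=None):
    findings = acl_findings(acl)
    if policy_document:
        findings += policy_findings(policy_document)
    public = any("review manually" not in f for f in findings)
    return {"bucket": name, "public": public, "findings": findings}


def _acl(*extra_grants):
    owner = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}
    return {"Owner": {"ID": OWNER_ID}, "Grants": [owner, *extra_grants]}


# Constructed buckets: a log-backup bucket with a world-readable ACL (the
# pattern Rapid7 found most often), a static-asset bucket opened through its
# bucket policy, and a bucket that is private as intended.
SAMPLE_BUCKETS = {
    "log-backups-example": {
        "acl": _acl({"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}),
        "policy": None},
    "static-assets-example": {
        "acl": _acl(),
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-assets-example/*"}]})},
    "private-example": {"acl": _acl(), "policy": None},
}


def audit_all(buckets=SAMPLE_BUCKETS):
    return [audit_bucket(name, b["acl"], b["policy"]) for name, b in buckets.items()]


if __name__ == "__main__":
    for result in audit_all():
        flag = "PUBLIC " if result["public"] else "private"
        print(f"{flag} {result['bucket']}: {'; '.join(result['findings']) or 'no findings'}")
```

Against real buckets the same two functions would be fed the responses of get_bucket_acl and get_bucket_policy for every bucket in the account; a static-asset bucket that is meant to be public will still show up, which is the point: the output is a list for a human to confirm, and the log-backup case is the one that should never appear on it.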




framework itself, we remain curious about the potential impact of FedRAMP's recent change in jurisdiction from the General Services Administration to the Office of the Chief Information Officer. The directives from the CIO's office relating to federal cloud computing strategy suggest that this move is simply administrative, and that the overall direction of FedRAMP will remain consistent (Kundra, 2011). Though FedRAMP must constantly evolve to meet the rapidly changing security needs in cloud computing, large changes in the framework at this stage would disrupt the CIO's vision for government computing in the cloud, and likely make the transition of services to the cloud far more difficult.




Problems and Issues

This study faced two main issues in generating its results. The first and largest of these issues was time. Once our group was formed and our topic assigned, we began to identify the problem set. We felt that a broad study of security frameworks across the service groups within cloud computing was useful, but narrowed the topic down dramatically in order to be able to provide a substantive deliverable by the end of the course term. The short time frame also impacted our work by forcing us to remove from our scope the verification and validation of information provided by Amazon about the confidentiality of the S3 service, as well as a testing phase related to Amazon's two-factor authentication offering for its cloud services, including S3.

Testing of two-factor authentication was also impacted by the second issue of this study, which is funding. Devices or services that may have impacted the confidentiality of S3 could not be purchased due to lack of funds. Though the devices that Amazon uses for two-factor authentication within the S3 service are relatively inexpensive, many of Amazon's cloud service offerings that are targeted toward larger organizations, such as government agencies, are not. Without access to these services, or models that would serve as adequate substitutes, we were prevented from performing tasks that may have produced significant insight into the security structure and function of Amazon's web services, because of the possibility of breaking live Amazon services. Doing so would have violated the bounds of this project.




All organizations using, or considering the use of, cloud services would likely benefit from the adoption by standards organizations of a data classification system similar to the security clearance system currently used by national security-related agencies in the United States government. These levels would be more extensive than the current FedRAMP low and FedRAMP medium designations, and would also incorporate higher levels of security controls similar to those found in the DoD cloud security model (DISA, 2014). Classifying data by sensitivity for security and privacy purposes could balance the cost of security against its benefit at each of these levels, especially if the classification were developed by consensus both inside and outside of the national security apparatus. If cloud security frameworks were augmented with these classifications, selection and use of cloud services would likely be much more straightforward and, consequently, more likely to be implemented effectively.

Moving forward in cloud computing security, it is becoming increasingly important to understand the interaction within the cloud among the various services offered. For example, because we were not able to test Amazon's cryptographic offerings that claim to encrypt data on the service, we recommend that sensitive data be encrypted prior to being uploaded to the cloud; however, this recommendation takes on added challenge when data is stored in the cloud by a SaaS application that also lives in the cloud. In light of recent challenges with government web portals that process highly privacy-sensitive information, such as www.healthcare.gov working in support of the Affordable Care Act, it would seem to be unthinkable to implement such a system in a private cloud environment. We suggest that, with the proper implementation of strong controls and monitoring, even a healthcare.gov cloud may be able to share cloud space with other agencies in a relatively secure manner.




Because our time working on this project was so short, and because the cloud computing environment is so dynamic, opportunities for future work on this topic abound. Certainly, SaaS and PaaS are fertile ground for study, as are the availability and integrity aspects of the C-I-A triad, since all of these topics were scoped out of this work. Creation or adoption of the information classification system recommended above would also be extremely worthy of

As more users migrate to these services, and as they begin to store more sensitive information within the cloud, it is imperative that the confidentiality of their data is assured. If we consider applications where critical health or genetic information is stored using the cloud, or where troops in the field use a similar type of service to communicate critical information to commanders, the impact of data confidentiality becomes clear. Though we will not be able to solve the majority of challenges relating to the confidentiality of data in the cloud environment over the course of a single semester, we feel that this project will make a real and lasting contribution to the state of the art in this area, and will be able to be built upon by future class research. Ultimately, we hope to make cloud storage more secure for millions of users





Amazon Web Services. (2014). Amazon Web Services: Risk and Compliance April 2014. Retrieved April 10, 2014 from http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf

Astrova, I., Grivas, S. G., Schaaf, M., Koschel, A., Bernhardt, J., Kellermeier, M. D., & Herr, M. (2012). Security of a Public Cloud. 2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 564-569.

Behl, A., & Behl, K. (2012). An Analysis of Cloud Computing Security Issues, 109-114.

Chiu, D., & Agrawal, G. (2010). Evaluating caching and storage options on the Amazon Web Services Cloud. 2010 11th IEEE/ACM International Conference on Grid Computing, 17-24. doi:10.1109/GRID.2010.5697949

Chow, R., Jakobsson, M., Masuoka, R., Molina, J., Niu, Y., Shi, E., & Song, Z. (2010). Authentication in the Clouds: A Framework and its, 1-6.

Cloud Security Alliance. (2013). Security Guidance for Critical Areas of Focus in Cloud, 0-176.

Garfinkel, S. (2007). Commodity Grid Computing with Amazon's S3 and EC2.

Gurkok, C. (2013). Securing Cloud Computing Systems. Computer and Information Security Handbook 2e (pp. 97-124). Elsevier Inc. doi:10.1016/B978-0-12-394397-2.00006-4

IronBee Open Source Web Application Firewall. (2013).

Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and institutional evolution. Telecommunications Policy, 37(4-5), 372-386.

Kundra, V. (2011). Federal Cloud Computing Strategy.

Ma, X. (2012). Security Concerns in Cloud Computing. 2012 Fourth International Conference on Computational and Information Sciences, 1069-1072. doi:10.1109/ICCIS.2012.274

Marinescu, D. (2013). Cloud Computing Theory and Practice: Cloud Security (Chapter 9), 273-300. doi:10.1016/B978-0-12-404627-6.00009-9

Mouratidis, H., Islam, S., Kalloniatis, C., & Gritzalis, S. (2013). A framework to support selection of cloud providers based on security and privacy requirements. Journal of Systems and Software, 86(9), 2276-2293. doi:10.1016/j.jss.2013.03.011

Nayak, S. K., Mohapatra, S., & Majhi, B. (2012). An Improved Mutual Authentication Framework for Cloud Computing. User message, 52(5), 36-41.

Shraer, A., Cachin, C., & Cidon, A. (2010). Venus: Verification for untrusted cloud storage. Workshop on Cloud, 19-29. Retrieved from

Tajadod, G., Batten, L., & Govinda, K. (2012). Microsoft and Amazon: A comparison of approaches to cloud security, 539-544.

Yang, K., & Jia, X. (2014). Security for Cloud Storage Systems. Springer.

Yu, Y., Niu, L., Yang, G., Mu, Y., & Susilo, W. (2014). On the security of auditing mechanisms for secure cloud storage. Future Generation Computer Systems, 30, 127-132.

United States Defense Information Systems Agency. (2014). DoD Enterprise Cloud Service





APPENDIX 1: Amazon Web Services (AWS) security updates

Some of the latest security improvements to Amazon Web Services (AWS) for 2014 are listed below in order to provide a documented overview of advancements with respect to providing more secure cloud services.

April 21, 2014 - AWS accounts access keys

AWS will remove the ability to retrieve existing secret access keys for your AWS (root) account. Secret access keys are, as the name implies, secrets, like your password. Just as AWS doesn't allow you to retrieve your password if you forget it, you will no longer be able to retrieve the secret access keys for your root account. This is (and always has been) the case with secret access keys for IAM users.

April 2, 2014 - Update to AWS Sign-In

AWS updated the sign-in experience for IAM users accessing AWS websites such as the AWS Management Console, Support, or Forums. The new sign-in experience continues to provide the same functionality as the previous one, but provides a more consistent experience for IAM users when signing in to an AWS account, whether on a PC, tablet, or mobile phone.

April 1, 2014 - Redshift receives FedRAMP Authority to Operate (ATO)

AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP assessment and authorization process and has been added to our list of services covered under our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S. Department of Health and Human Services (HHS). This is the first new service we've added to our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May

With the addition of Redshift we now have six FedRAMP covered services in our US East/West FedRAMP package, including EC2, VPC, S3, EBS, IAM and now Redshift. The US East/West FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region. Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools. It is optimized for datasets ranging from a few hundred gigabytes to a petabyte or more.

March 26, 2014 - AWS Secures DoD Provisional Authorization

AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model's impact levels 1-2 for all four of AWS's infrastructure regions in the U.S., including AWS GovCloud (US). With this distinction, AWS has shown it can meet the DoD's stringent security and compliance requirements, and as a result even more DoD agencies can now use AWS's secure, compliant infrastructure. Built on the foundation of the FedRAMP program, the DoD CSM includes additional security controls specific to the DoD. The Defense Information Systems Agency (DISA) assessed Amazon's compliance with these additional security controls and granted the authorization, which will reduce the time necessary for DoD agencies to evaluate and authorize the use of the AWS Cloud.




March 18, 2014 - Use AWS CloudFormation to configure Web Identity Federation

Web identity federation in AWS STS enables you to create apps where users can sign in using a web-based identity provider like Login with Amazon, Facebook, or Google. Your app can then trade identity information from the provider for temporary security credentials that the app can use to access AWS. The AWS mobile development team created an S3PersonalFileStore sample app for iOS and Android that shows you how to use web identity federation to let users store information in individual S3 folders.

March 5, 2014 - High Availability IAM Design Patterns

The AWS Identity and Access Management (IAM) team provides a tutorial on how to enable resiliency against authentication and authorization failures in an application deployed on Amazon EC2, using a high availability design pattern based on IAM roles.

February 27, 2014 - How do I protect cross-account access using MFA?

AWS announced support for adding multi-factor authentication (MFA) to cross-account access. This practice demonstrates how to create policies that enforce MFA when IAM users from one AWS account make programmatic requests for resources in a different account. Because many customers maintain multiple AWS accounts, Amazon is frequently asked how to simplify access management across those accounts. IAM roles provide a secure and controllable mechanism to enable cross-account access: roles allow you to accomplish cross-account access without any credential sharing and without the need to create duplicate IAM users. With this announcement, you can add another layer of protection for cross-account access by requiring users to authenticate using an MFA device before assuming a role.
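The IAM features that recur in this paper (policy variables, MFA-protected API access and cross-account access through IAM roles, all listed in the AWS compliance timeline above, plus the MFA-protected role assumption described in this entry) are easiest to understand by watching a policy decide. The following is an added example, not AWS code and not the paper's: a minimal evaluator for the subset of IAM policy syntax those features use, run against three constructed policies. The bucket name, user names and the account ids 111111111111 and 222222222222 are placeholders; real IAM combines many policies and many more condition operators than the two handled here.

```python
"""Minimal evaluator for a subset of IAM policy JSON.

Added example, not AWS code. It supports Effect/Action/Resource with '*'
wildcards, policy variables such as ${aws:username}, a Principal element for
trust policies, and the Bool and StringEquals condition operators. Real IAM
evaluation combines many policies and more operators; this checks one document.
"""
import fnmatch
import re

# Constructed sample policies in standard IAM syntax; the bucket name and the
# account ids 111111111111 / 222222222222 are placeholders.

# (1) IAM Policy Variables: one policy gives every IAM user access to their
#     own prefix only; ${aws:username} is filled in from the caller's session.
PER_USER_PREFIX_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*"}]}

# (2) MFA-protected API access: deletes are allowed only from a session that
#     was authenticated with MFA (aws:MultiFactorAuthPresent is set for
#     temporary credentials and absent for long-term access keys).
MFA_DELETE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:DeleteObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

# (3) Cross-account access with MFA: a role trust policy that lets IAM
#     principals of account 111111111111 assume the role, but only with MFA.
CROSS_ACCOUNT_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def substitute_variables(text, context):
    """Replace ${key} with the context value; unknown keys are left verbatim,
    so a resource that needs a missing variable simply never matches."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: str(context.get(m.group(1), m.group(0))), text)


def _matches_any(value, patterns):
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    for arn in _as_list(principal.get("AWS", [])):
        if arn == "*" or arn == caller_arn:
            return True
        # An account's root ARN in a trust policy delegates to that account's
        # IAM principals (they still need their own sts:AssumeRole permission).
        if arn.endswith(":root") and caller_arn.count(":") >= 5 \
                and arn.split(":")[4] == caller_arn.split(":")[4]:
            return True
    return False


def _condition_holds(condition, context):
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = context.get(key)          # an absent key fails the test
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not supported by this example")
    return True


def evaluate(policy, request):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request.

    request = {"action": ..., "resource": ..., "context": {condition keys},
               "principal": caller ARN (only consulted by trust policies)}
    """
    context = request.get("context", {})
    caller = request.get("principal") or ""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches_any(request["action"], _as_list(stmt["Action"])):
            continue
        if "Resource" in stmt:
            resources = [substitute_variables(r, context) for r in _as_list(stmt["Resource"])]
            if not _matches_any(request["resource"], resources):
                continue
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], caller):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                      # an explicit deny always wins
        decision = "Allow"
    return decision


def demo():
    """Run the three policies against representative requests."""
    alice, mfa = {"aws:username": "alice"}, {"aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    key = "arn:aws:s3:::example-bucket/home/{}/report.csv"
    carol = "arn:aws:iam::111111111111:user/carol"
    mallory = "arn:aws:iam::222222222222:user/mallory"
    cases = {
        "alice_own_prefix": (PER_USER_PREFIX_POLICY, "s3:GetObject", key.format("alice"), alice, None),
        "alice_bobs_prefix": (PER_USER_PREFIX_POLICY, "s3:GetObject", key.format("bob"), alice, None),
        "delete_with_access_key": (MFA_DELETE_POLICY, "s3:DeleteObject", key.format("alice"), {}, None),
        "delete_with_mfa_session": (MFA_DELETE_POLICY, "s3:DeleteObject", key.format("alice"), mfa, None),
        "assume_role_without_mfa": (CROSS_ACCOUNT_TRUST_POLICY, "sts:AssumeRole", "", no_mfa, carol),
        "assume_role_with_mfa": (CROSS_ACCOUNT_TRUST_POLICY, "sts:AssumeRole", "", mfa, carol),
        "assume_role_other_account": (CROSS_ACCOUNT_TRUST_POLICY, "sts:AssumeRole", "", mfa, mallory),
    }
    return {name: evaluate(policy, {"action": a, "resource": r, "context": c, "principal": p})
            for name, (policy, a, r, c, p) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

Two outcomes are worth noting. A request with long-term access keys never carries aws:MultiFactorAuthPresent at all, so the MFA condition fails by absence rather than by a "false" value, and the delete is implicitly denied; and the trust policy with the MFA condition denies account 111111111111's own user until the session is MFA-authenticated, which is exactly the layer this entry describes adding on top of the role-based delegation.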




February 17, 2014 - Whitepaper: Security at Scale: Logging in AWS

The Security at Scale: Logging in AWS whitepaper is designed to illustrate how AWS CloudTrail can help Amazon customers meet compliance and security requirements through the logging of API calls. The API call history can be used to track changes to resources, perform security analysis and operational troubleshooting, and as an aid in meeting compliance requirements. This whitepaper is primarily focused on the functionality of AWS CloudTrail and describes how to:

Control access to log files
Obtain alerts on log file creation and misconfiguration
Manage changes to AWS resources and log files
Manage storage of log files
Generate customized reporting of log data

The paper also relates these features to major compliance program requirements related to logging (e.g. ISO 27001:2005, PCI DSS v2.0, FedRAMP, etc.) and provides a robust compliance program index in the appendix for your reference.
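To make the checklist concrete, here is an added example (not from the whitepaper or AWS) that runs three detection rules over CloudTrail records: use of the root account, console logins without MFA, and changes to the logging pipeline or to the ACL of a log-storage bucket. CloudTrail delivers JSON files whose "Records" array holds one object per API call; the records, account id, user names and IP addresses below are constructed, while the field names are the ones CloudTrail uses.

```python
"""Three detection rules run over CloudTrail records.

Added example, not from AWS or the whitepaper. CloudTrail delivers JSON files
whose "Records" array holds one object per API call; the records below are
constructed with the field names CloudTrail uses (eventTime, eventSource,
eventName, userIdentity, sourceIPAddress, requestParameters,
additionalEventData). Account id, names and IPs are placeholders.
"""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-04-10T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-04-10T14:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"name": "audit-trail"}},
    {"eventTime": "2014-04-10T14:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"bucketName": "log-backups-example", "x-amz-acl": ["public-read"]}},
    {"eventTime": "2014-04-10T14:09:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "requestParameters": {}},
]})

# API calls that change where logs go or who can read them. Alerting on these
# is the "control access to log files" and "alerts on misconfiguration" part
# of the whitepaper's checklist.
LOG_PIPELINE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                       "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl", "DeleteBucket"}


def check_record(record):
    """Return a list of alerts (possibly empty) for one CloudTrail record."""
    identity = record.get("userIdentity", {})
    actor = identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    alerts = []
    if identity.get("type") == "Root":
        alerts.append(("HIGH", f"root account used for {name}"))
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append(("HIGH", f"console login by {actor} without MFA"))
    if name in LOG_PIPELINE_EVENTS:
        alerts.append(("MEDIUM", f"{actor} changed logging or log-storage configuration: {name}"))
    # Canned ACLs and explicit AllUsers grants can appear in different shapes,
    # so search the serialised parameters rather than one fixed key.
    serialised = json.dumps(params)
    if name in ("PutBucketAcl", "PutBucketPolicy") and ("public-read" in serialised or "AllUsers" in serialised):
        alerts.append(("HIGH", f"{actor} made bucket {params.get('bucketName')} publicly readable"))
    return [{"time": record.get("eventTime"), "severity": sev,
             "source_ip": record.get("sourceIPAddress"), "message": msg}
            for sev, msg in alerts]


def scan_trail(trail_json):
    """Parse one CloudTrail log file (JSON text) and run every rule over it."""
    alerts = []
    for record in json.loads(trail_json).get("Records", []):
        alerts.extend(check_record(record))
    return alerts


if __name__ == "__main__":
    for alert in scan_trail(SAMPLE_TRAIL):
        print(f"{alert['time']} {alert['severity']:6} {alert['source_ip']:15} {alert['message']}")
```

The constructed sequence (root login without MFA, then StopLogging, then a public ACL on the log bucket, all from one address) is the shape of event that a rule set like this exists to surface; in practice scan_trail would be run over every delivered log file, and the StopLogging rule only helps if the alert reaches someone before the gap in the trail does.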

January 15, 2014 - Tracking Federated User Access to Amazon S3 and Best Practices for Protecting Log Data

Auditing by using logs is an important capability of any cloud platform. There are several third-party solution providers that provide auditing and analysis using AWS logs. Last November AWS announced its own logging and analysis service, called AWS CloudTrail. While logging is important, understanding how to interpret logs and alerts is crucial. In this blog post, Aaron Wilson, an AWS Professional Services Consultant, explains in detail how to interpret S3 logs within a federated access control context.
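The post summarized above is about reading S3 server access logs; as an added example, not from the post or AWS, here is a parser for those log lines together with a per-requester summary that separates federated sessions from account-level and anonymous requests. The layout follows the server access log format of the time (space-separated fields, the time in square brackets, and the request URI, referrer and user-agent in double quotes); the log lines, canonical user id, account id, request ids and ARNs are constructed, and the sample scenario is the per-user-folder pattern of the S3PersonalFileStore app mentioned earlier in this appendix.

```python
"""Parse Amazon S3 server access log lines and summarise each requester.

Added example, not from AWS or the blog post. The layout follows the S3 server
access log format of the time: space-separated fields, the time in square
brackets, and the request URI, referrer and user-agent in double quotes.
The lines, canonical user id, account id, request ids and ARNs are constructed.
"""
import re
from collections import defaultdict

FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referrer", "user_agent", "version_id"]

# A token is a [bracketed] value, a "quoted" value, or a run of non-spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"  # constructed

# Scenario: each federated user owns one prefix. Alice reads her own file and
# is then denied on Bob's; an anonymous client is denied a listing; the bucket
# owner uploads with long-term credentials.
SAMPLE_LOG = [
    f'{OWNER} personal-files-example [10/Jan/2014:18:03:41 +0000] 198.51.100.7 '
    'arn:aws:sts::123456789012:federated-user/alice 3E57427F3EXAMPLE REST.GET.OBJECT alice/notes.txt '
    '"GET /personal-files-example/alice/notes.txt HTTP/1.1" 200 - 2048 2048 13 12 "-" "S3PersonalFileStore/1.0" -',
    f'{OWNER} personal-files-example [10/Jan/2014:18:04:02 +0000] 198.51.100.7 '
    'arn:aws:sts::123456789012:federated-user/alice 5B2C9D11EXAMPLE REST.GET.OBJECT bob/salary.xlsx '
    '"GET /personal-files-example/bob/salary.xlsx HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "S3PersonalFileStore/1.0" -',
    f'{OWNER} personal-files-example [10/Jan/2014:18:10:55 +0000] 203.0.113.9 - 7F4A8E2BEXAMPLE '
    'REST.GET.BUCKET - "GET /personal-files-example?prefix=bob/ HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "Mozilla/5.0" -',
    f'{OWNER} personal-files-example [10/Jan/2014:18:12:30 +0000] 192.0.2.44 {OWNER} 9C1D02A5EXAMPLE '
    'REST.PUT.OBJECT bob/salary.xlsx "PUT /personal-files-example/bob/salary.xlsx HTTP/1.1" 200 - - 51200 40 22 '
    '"-" "aws-cli/1.2.0" -',
]


def _unwrap(token):
    if len(token) >= 2 and token[0] + token[-1] in ('[]', '""'):
        return token[1:-1]
    return token


def parse_line(line):
    """Map one log line onto FIELDS; any trailing fields that a newer log
    version appends are kept under 'extra'."""
    tokens = [_unwrap(t) for t in TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line[:60]}")
    record = dict(zip(FIELDS, tokens))
    record["extra"] = tokens[len(FIELDS):]
    return record


def requester_kind(requester):
    """'-' is an anonymous request; STS ARNs identify federated-user or
    assumed-role sessions; anything else is a canonical user id."""
    if requester == "-":
        return "anonymous"
    if requester.startswith("arn:aws:sts::"):
        return "federated"
    return "canonical-user"


def summarize(lines):
    """Per requester: kind, operations, keys touched and non-2xx responses."""
    summary = defaultdict(lambda: {"kind": None, "operations": set(), "keys": set(), "failures": []})
    for line in lines:
        rec = parse_line(line)
        entry = summary[rec["requester"]]
        entry["kind"] = requester_kind(rec["requester"])
        entry["operations"].add(rec["operation"])
        if rec["key"] != "-":
            entry["keys"].add(rec["key"])
        if not rec["http_status"].startswith("2"):
            entry["failures"].append((rec["http_status"], rec["error_code"], rec["key"]))
    return dict(summary)


if __name__ == "__main__":
    for requester, entry in summarize(SAMPLE_LOG).items():
        print(f"{entry['kind']:15} {requester}")
        print(f"    operations={sorted(entry['operations'])} keys={sorted(entry['keys'])}")
        for status, error, key in entry["failures"]:
            print(f"    {status} {error} on {key}")
```

The requester field is what makes the federated case readable: a temporary session shows up under its STS ARN, with the federated user name in it, rather than under the account's canonical id, so a denied read of another user's prefix can be attributed to the session that made it. The failures list is the first thing to look at when checking that per-user prefix policies behave as intended.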




January 1, 2014 - Amazon Retrospective view of 2013

IAM: We posted a mixture of prescriptive guidance and detailed explanations about released Identity and Access Management features and best practices geared towards practitioners.
Where's my secret access key?
A safer way to distribute AWS credentials to EC2
IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3
Guidelines for when to use Accounts, Users, and Groups
How to rotate access keys for IAM users
Improve the security of your AWS account in less than 5 minutes
Securing access to AWS using MFA - Part I
Securing access to AWS using MFA - Part 2
Securing access to AWS using MFA - Part 3

Policies and Permissions: IAM policies and permissions are powerful tools for authorization. Therefore, we focused a number of articles on helping you fully realize the potential of IAM.
Generating IAM Policies in Code
Writing IAM Policies: How to grant access to an Amazon S3 bucket
IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3
Resource-level Permissions for EC2 Controlling Management Access on Specific
Announcement: Resource Permissions for additional EC2 API actions
Amazon EC2 Resource-Level Permissions for RunInstances
Announcing New IAM Policy Simulator
A primer on RDS resource-level permissions
Announcing resource-level permissions for AWS OpsWorks

Identity Federation: AWS launched three identity federation features and also made several smaller announcements.
Delegating API Access to AWS Services Using IAM Roles
Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML
New AWS web identity federation supports Amazon.com, Facebook, and Google
Understanding the API options for securely delegating access to your AWS account
AWS CloudFormation now supports federated users and temporary security
New playground app to explore web identity federation with Amazon, Facebook, and

Encrypting data in Amazon S3
AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series)
Auditing Security Checklist for AWS Now Available
2013 PCI Compliance Package available now
New Whitepaper: AWS Cloud Security Best Practices
AWS Achieves First FedRAMP(SM) Agency ATOs

Other: Several important topics related to AWS Security were partner related, and the other two were references to other security-related material published and distributed in different venues.
Controlling network access to EC2 instances using a bastion server
Recap of re:Invent Sessions
Credentials Best Practices on the AWS Java Developers Blog
CloudBerry Active Directory Bridge for Authenticating non-AWS AD Users to S3
Analyzing OS-Related Security Events on EC2 with SplunkStorm




Consolidated Confidentiality Security Controls - DETAILED

Control Domain | CCM V3.0 Control ID | Control Specification

Application & Interface Security
Data Security /
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure protection of confidentiality, integrity, and availability of data exchanged between one or more system interfaces, jurisdictions, or external business relationships to prevent improper disclosure, alteration, or destruction. These policies, procedures, processes, and measures shall be in accordance with known legal, statutory and regulatory compliance obligations.

Audit Assurance &
Information System Regulatory Mapping
An inventory of the organization's external legal, statutory, and regulatory compliance obligations associated with (and mapped to) any scope and geographically-relevant presence of data or organizationally-owned or managed (physical or virtual) infrastructure network and systems components shall be maintained and regularly updated as per the business need (e.g., change in impacted-scope and/or a change in any compliance obligation).

Business Continuity Management &
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.

Change Control &
The use of an outsourced workforce or external business relationship for designing, developing, testing, and/or deploying the organization's own source code shall require higher levels of assurance of trustworthy applications (e.g., management supervision, established and independently certified adherence to information security baselines, mandated information security training for the outsourced workforce, and ongoing security code reviews).

Change Control &
Quality Testing
A program for the systematic monitoring and evaluation to ensure that standards of quality and security baselines are being met shall be established for all software developed by the organization. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions shall be established and documented, and tests of the system(s) shall be carried out both during development and prior to acceptance to maintain security. Management shall have a clear oversight capacity in the quality testing process, with the final product being certified as "fit for purpose" (the product should be suitable for the intended purpose) and "right first time" (mistakes should be eliminated) prior to release. It is also necessary to incorporate technical security reviews (i.e., vulnerability assessments and/or penetration testing) to remediate vulnerabilities that pose an unreasonable business risk or risk to customers (tenants) prior to release.

Data Security & Information Lifecycle Management
Data and objects containing data shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization, third-party obligation for retention, and prevention of unauthorized disclosure or misuse.

Data Security & Information Lifecycle
Information Leakage
