
Security Compliance Challenges On Clouds

2013, Security Compliance Challenges On Clouds

Article by Yury Chemerkin published in Cyber Times International Journal of Technology & Management in 2013. Discusses security and compliance issues for cloud computing, focusing on Amazon Web Services.

Published in Cyber Times International Journal of Technology & Management, Vol. 6, Issue 1, October 2012 – March 2013 (ISSN 2278-7518), CTICon-2013 Proceedings of the International Conference on "Diversifying Trends in Technology & Management", organized by Cyber Times and edited by Dr. Anup Girdhar (Editor-in-Chief). Part I (Technology), Section I (Research Papers), paper 26, p. 172.
SECURITY COMPLIANCE CHALLENGES ON CLOUDS
Yury Chemerkin
Independent Security Researcher / PhD in progress, Russian State University for the Humanities (RSUH), Moscow, Russia
Email: [email protected]

ABSTRACT
Cloud vendors today provide a large number of integration and optimization features in fields such as business and education, and there are many ways to adopt them for medical purposes such as maintaining medical records or monitoring patients. Not all cloud solutions have completely changed the original security paradigm: customers still need to manage accessibility, monitoring and auditing. Security and privacy have become very important issues that lead customers to choose an appropriate security level. The compliance part of security is a cornerstone idea, especially when cloud vendors talk about and refer to worldwide security standards and best practices.

Keywords: cloud security, compliance, amazon web services, aws, csa cloud controls matrix, csa, ccm, caiq, csa consensus assessments initiative questionnaire
I. INTRODUCTION
Cloud computing has been one of the top security topics for the last several years. The growing popularity of clouds [1] rests on the flexibility of virtualization as a technology for replacing and improving complex parts of systems, reducing unnecessary computation and making better use of existing resources. Besides the well-known threats, clouds introduce a new security and management layer: they turn a small application into a large infrastructure that the customer manages (IaaS), with quick and easy access to any data. Cloud security vendors (and in fact vendors of almost every kind) claim that end-user companies prefer cost reduction over security in order to reduce the operational complexity of their clouds (or systems), which eventually ends with the lower amount of security that the end user will accept. Typical security questions about clouds are: how is it implemented, how are the data and the communication channels secured, how secure are the cloud and application environments, and so on. For example, the well-known phrase "physical security does not exist in clouds" makes no serious sense, because things were already this way when hosting services arrived. With each new technology the customer must improve on the default configuration. If the virtual OS is a Windows Server, then the OS is in much the same security and patch-management state as a desktop or server OS. Moreover, it is no more a matter of trust than downloading or buying third-party solutions, and those might be no more trustworthy than the cloud vendor (they are all third-party solutions). The cloud simply uses well-known protocols like SMTP, HTTP, SSL and TCP/IP to communicate, send email, handle files and perform other activities; methods that are compliant with the relevant RFCs should be considered acceptable. Standards like the ISO 27001 series still provide a measure of information security, but only as a minimum set.
However, a key problem is the lack of a systematic analysis of the security and privacy of such cloud services. Third-party organizations like the Cloud Security Alliance (CSA) promote their best practices and questionnaires to improve cloud security and keep a registry of cloud vendors' security controls to help users make the right choice on security. This research examines and highlights the security aspects that form the background of cloud security, best practices and security standards, i.e. those aspects the customers rely on as a trustworthy level and at least a minimal security set. Enterprises need to comply with different regulations and standards (PCI, CSA, HIPAA, ISO, etc.) and also need to prove compliance with security standards. The aim of this research is to examine the issues in security standards, regulations and best practices (where they exist) that let cloud vendors or their customers pass cloud audit checks and claim compliance even though the security features differ between clouds, not to mention the different configurations that meet different business needs and processes. The general guidelines in such documents operate at a high level, which makes them unclear: they miss useful security countermeasures and add superfluous detail to the customer's vision of the system (cloud) they are applied to.

II. RELATED WORK
Nowadays, AWS is one of the most popular cloud platforms. It offers virtual computing, storage, VPN, archiving, monitoring, health-watching, email and other services as an environment in which a user can run applications, store data, operate on events and deliver event data through the different services in different ways. AWS offers many services with more accessibility, which is important when migrating to the cloud.
GAE [5] is one more cloud for running web applications written in interpreted and scripting languages like Java/Python, but it has limited features (security and the rest). Windows Azure makes data distribution its cornerstone, rather than storage or a web server [6]. These different goals have a huge influence on security, while all of them were built in accordance with best practices and have well-documented security controls. As we have enough security problems and an even greater quantity of security solutions to solve them on one hand, and standards with best practices that (according to the cloud vendors) are successfully applied to clouds on the other, it should be analyzed whether it is really so difficult to pass a cloud compliance audit in accordance with these documents. In this paper the AWS services are examined, as the ones most similar to known existing technologies. The modern recommendations for clouds are at least quite similar to those given in Table I, but "improved" with low-level details like "you should choose the cloud vendor that offers encryption, but you cannot choose those vendors that offer strong encryption, e.g. AES", which make little sense. The reason is that customers want to see an action to take, such as whether they should rely on this AES encryption or encrypt their data before uploading. It works well when customers need to cover all clouds (even then, more details ought to be provided) in order to choose those that provide more security, but it is bad for clouds that provide many services and security features, because these are basic rules only.
TABLE 1: THE COMMON SECURITY RECOMMENDATIONS
Object: What to do
Data Ownership: full rights and access to data
Data Segmentation: isolation of data from other customers' data
Data Encryption: data encryption in transit, in memory, in storage and at rest
Backup/Recovery: availability for recovery
Data Destruction: an ability to securely destroy data when no longer needed
Access Control: who has access to data?
Log Management: data access that is logged and monitored regularly
Incident Response: are there processes and notifications in place for incidents (including breaches) that affect data?
Security Controls: appropriate security and configuration controls for data protection
Patch Management: patching for the latest vulnerabilities and exploits

One more example is how such documents may substitute for the customer's own understanding. NIST [25] speaks of cloud limits on security: "the ability to decide who and what is allowed to access subscriber data and programs ... the ability to monitor the status of a subscriber's data and programs ...", and a reader without knowledge of the cloud infrastructure may mistakenly take this to mean "no cloud provides such abilities". Another misconception concerns the cloud firewall: the opinion that cloud features are useless is drawn from the statement that a cloud firewall should provide centralized management, include predefined templates for common enterprise server types and enable the following:
- source and destination address and port filtering
- coverage of protocols, DoS prevention
- an ability to design policies per network interface
- location checks to monitor who accessed the data and from where
Besides such detailed "how-to" sets there are enough statements that clouds cannot provide this, so it is still treated as a security hole, while some clouds (e.g. AWS) do provide these features.
Table II [7] shows a brief difference between AWS and Azure in compliance vs. the documented technologies used to secure and protect data. As part of the "non-transparency", it is quite interesting that differently offered security features and controls have both passed e.g. ISO 27xxx, while the difference between the clouds (compared with each other) looks like a medium reduction. The cloud attributes examined in [2] are backup, encryption, authentication, access controls, data isolation and monitoring, security standards, disaster recovery, client-side protection, etc. In addition, that paper provides a medium-detailed comparison of what exactly each cloud vendor (AWS, Azure, GAE) offers its clients. The authors presented cloud security/privacy attributes mapped to NIST guidelines, which helps in examining security standards. [3] and [4] give a brief examination of AWS S3, and GAE is covered in more detail in [26], but a summary comparison over [2-6], [10], [12], [15] and [21] makes clear that AWS offers the most powerful and flexible features and services; however, AWS was not examined as deeply (FAQ examination only) in [2-6] as in [7] and [45].
TABLE 2: COMPLIANCE DIFFERENCE BETWEEN AWS AND AZURE (marks given as AWS / Azure)
Compliance
  ISO 27001, CSA, HIPAA: + / +
  PCI DSS, FISMA, FIPS 140-2, NIST: + / N/A
Physical Security
  Logging of actions and events, log audit: + / +
  Minimum access rights: + / +
  Automatic revocation of access after N days or on role change, MFA, escort: + / N/A
Data Privacy
  Backup, redundancy across locations: + / +
  Redundancy inside one geo location, encryption, DoD/NIST destruction: + / N/A
Network
  MITM protection, host-based firewall (IP, port, MAC): + / +
  Mandatory firewall, hypervisor protection from promiscuous mode
  Pentesting offered for services
  Pentesting offered for applications
  DDoS protection, featured firewall
Security Credentials
  Login and passwords, SSL
  Cross-account IAM, hardware/software MFA, key rotation
(AWS / Azure marks for the last six rows, in the order printed in the source: + + + + + N/A + + N/A)

Such recommendations may also advise different sanitization techniques to use on the client or the cloud side. Effective and efficient sanitization is a forensic requirement. There are many methods and techniques, but some of them rely on brute-force wiping, which is extremely wasteful in clouds for financial reasons. ERASERS, proposed in [43], computes the entropy of each data block in the target area and then wipes that block with a specified number of passes and a specified pattern. Patterns and entropy are valuable because file types (docx, mp3, odf, pgp, acid*) have quite different characteristics. This means ERASERS has many subpopulations, each applied to certain cases, which gives faster wiping than regular brute-force overwriting. As disk sizes increase to petabyte scale (AWS recently began offering such storage), brute-force methods become nearly impossible in terms of time. Many drives contain areas that hold no data needing overwriting; an SSD, for example, shuffles data between blocks on every write but leaves an encrypted area untouched.
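To make the entropy-first idea concrete, the following Python is an added example, not code from the paper or from the ERASERS implementation in [43]. It treats a byte buffer as a stand-in for a storage area, computes the Shannon entropy of each block, skips blocks that carry no information (entropy at the threshold, e.g. never-written zeros), and overwrites the rest with a three-pass uniform / complement / random pattern, the pass sequence the paper attributes to the original DoD 5220.22-M. A verification step then confirms that no original data block survives in place. The block size, the zero threshold and the sample contents are assumptions made for the example.

```python
import math
import os
from collections import Counter
from typing import Iterator, Tuple


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte: 0.0 for a single repeated
    byte value, 8.0 for a uniform distribution over all 256 byte values."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def needs_wipe(block: bytes, threshold: float = 0.0) -> bool:
    """Entropy gate: a block whose entropy is at or below the threshold is
    treated as carrying no recoverable data and is skipped. The threshold is
    a policy choice, not a safety guarantee (a low-entropy block can still be
    real data), so keep it at 0.0 unless there is a reason not to."""
    return shannon_entropy(block) > threshold


def three_pass_patterns(length: int, char: int = 0x00) -> Iterator[bytes]:
    """Pass sequence described for the original DoD 5220.22-M: a uniform
    character, its complement, then random bytes."""
    yield bytes([char]) * length
    yield bytes([char ^ 0xFF]) * length
    yield os.urandom(length)


def entropy_guided_wipe(buf: bytearray, block_size: int = 512,
                        threshold: float = 0.0) -> Tuple[int, int]:
    """Overwrite in place only those blocks that still carry data.
    Returns (blocks_wiped, blocks_skipped)."""
    wiped = skipped = 0
    for off in range(0, len(buf), block_size):
        block = bytes(buf[off:off + block_size])
        if not needs_wipe(block, threshold):
            skipped += 1
            continue
        for pattern in three_pass_patterns(len(block)):
            buf[off:off + len(block)] = pattern
        wiped += 1
    return wiped, skipped


def verify_wiped(before: bytes, after: bytes, block_size: int = 512) -> bool:
    """Post-wipe check: every block that carried data must now differ from
    its original content; a surviving original block fails verification."""
    for off in range(0, len(before), block_size):
        old = before[off:off + block_size]
        if needs_wipe(old) and after[off:off + block_size] == old:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample "disk" (an assumption): an unused zero block, one
    # block of document text, and one block the drive preset to 0xFF.
    image = bytearray(b"\x00" * 512
                      + b"Patient record 0042: ".ljust(512, b".")
                      + b"\xff" * 512)
    before = bytes(image)
    print("entropy per block:",
          [round(shannon_entropy(before[o:o + 512]), 2) for o in range(0, 1536, 512)])
    print("wiped/skipped:", entropy_guided_wipe(image))
    print("verified:", verify_wiped(before, bytes(image)))
```

The saving over brute force comes entirely from the skipped blocks; on a real device the same gate would be applied to each physical block read back from the medium, and, as the text notes for SSDs, blocks the controller has remapped cannot be reached this way at all, which is why the paper pairs overwriting with degaussing or destruction at end of life.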
According to NIST SP 800-88 [44], "studies have shown that most of data can be effectively cleared by one overwrite with random data rather than zeroing". The original version of DoD 5220.22-M (the one AWS implements) recommends a 3-pass wipe: one pass of a uniform character, one pass of its complement and one pass of random characters, while the current DoD 5220.22-M does not specify the number of passes or the pattern. As ERASERS shows good results, it should be implemented in AWS EC2 or other cloud VM services as an additional and lower-cost protection (the price surely differs, but it comes down each time).

One of the most serious works on AWS security [27] presents the results of a "black box" analysis methodology against the control interfaces (AWS EC2 and S3), which were compromised via novel signature wrapping and advanced XSS techniques, HTML injection and SOAP validation issues, as well as man-in-the-middle attacks. The authors also examined possible ways of protection and found that the AWS EC2 and S3 services do not provide suitable opportunities to implement their solutions. Despite that, solutions based on the available (native) security features of AWS were found that protect against these attacks [28]:
- using SSL/HTTPS only, with certificate validation, and API access mechanisms like REST/Query instead of SOAP
- activating access via MFA and creating IAM accounts limited in access, with rotation of the AWS credentials enhanced by key pairs and X.509 certificates
- limiting IP access, enhanced with the API/SDK and IAM

Virtualization refers to a hypervisor, while a virtual machine works from a configured snapshot of an OS image and requires well-known shared resources like memory, storage or network.
It is generally agreed that, although hypervisors isolate these shared resources without affecting other instances, VMs can be trusted in few cases only and are vulnerable to the best-known Xen attacks; however, according to [29], no Xen vulnerability has been applied to the AWS services, for example. This brings us to an understanding of the term "customize" in regards to clouds. Other means of control, via Intel AMT commands [30] or otherwise, are applied to VMware, but there is no known successful implementation for AWS, Azure, GAE or other clouds. They may also cause serious performance problems by overloading the virtual OS with the analysis of CPU instructions and system calls, regardless of where the trusted/untrusted control agents are, multiplied by the known issues best demonstrated in the case of GPUs [31]. There are virtualization security issues even in clouds, no doubt, and it should be taken into consideration that although clouds have a built-in security configuration to protect against most known and newly appearing attacks, they still need to be patched and monitored, and host-based firewalls, IDS and so on still need to be installed and managed. One telling example [32] concerns incorrect behavior in the SSL certificate validation of the AWS SDKs for EC2, ELB and FPS. Nevertheless, AWS has since updated all SDKs (for all services) to fix it [33].

III. EXAMINATION OF THE CSA DOCUMENTS ON CLOUDS
The CSA documents provide vendors and their customers with a medium-detailed overview of the statements that cloud security and compliance features apply to, as defined by the Cloud Security Alliance (CSA) in the Cloud Controls Matrix (CCM).
Cloud vendors or third-party cloud providers may announce that their services operate in accordance with these recommendations; however, the customers have the responsibility to control their environment and determine whether it is really configured in compliance with the CSA best practices. In other words: how transparent are the cloud controls and configurations with respect to the appropriate policies and procedures under the customers' regulatory requirements? Here the regulations meet the technical equipment, so the publicly available technical evidence is examined first from that point of view. Each control ID (CID) is kept so that it can be found in the CAIQ [35] and CCM [34], while its explanation is rewritten to reduce the amount of text and grouped by domain/control group and by similar questions/metrics. A CID covers the CAIQ and CCM together.

TABLE 3: AWS SOLUTIONS AGAINST THE CAIQ

CO-01.1
Question: Any certifications, reports and other relevant documentation in regards to the standards.
AWS response: AWS has these and provides them under NDA.

CO-02.1-7
Question: An ability to provide tenants with third-party audit reports, and to conduct network/application cloud penetration tests as well as regular internal/external audits (in regards to the guidance), with results.
AWS response: AWS engages independent auditors to review its services and provides customers with the relevant third-party compliance/attestation/certification reports under NDA. Such audits cover regular scans of their (non-customer) services for vulnerabilities [41-42]; customers are also able to pentest [40] their own instances subject to a prior agreement.

CO-03.1-2
Question: An ability for customers to perform vulnerability tests (meaning their own tests) on their instances, applications and networks.
AWS response: Customers are able to perform them with permission (an email request stating the instance IDs and the period), submitted via the
AWS Vulnerability/Penetration Testing Request Form [40].

CO-04.1
Question: A person is responsible for contacting local authorities in accordance with contracts and the appropriate regulations.
AWS response: AWS maintains contact with local authorities, industry organizations and regulatory bodies in accordance with ISO 27001.

CO-05.1-2
Question: An ability to logically split the tenants' data into segments (additionally, by encryption), as well as to recover the data of a specific customer in case of failure or data loss.
AWS response: Despite the flat namespace implemented in the AWS services, all data stored by customers has canonical isolation by path plus additional security capabilities like permissions, personal entry points for accessing the data and MFA. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (through EBS plus SSL) and VPC (encrypted connections and sessions). Additionally, the customer can use any cloud service that offers backup from and to AWS services, such as SME Storage for various cloud vendors (AWS S3, Azure, Dropbox, etc.) or Veeam Backup Cloud Edition for VMs (AWS, Azure, etc.).

CO-06.1
Question: Documented policies on the protection of a tenant's intellectual property.
AWS response: It is in alignment with COBIT, ISO 27002 and the PCI Data Security Standard.

CO-07.1 / CO-08.1 / DG-01.1 / DG-02.1-5
Question: An implementation of a structured data-labeling standard.
AWS response: Depends on the customers' needs and their requirements.
Question: An ability to identify VMs via policy tags/metadata in order to perform quality control or restrict actions, and likewise to identify hardware via policy and tags/metadata.
AWS response: Tenants can apply any metadata and tags to EC2 VMs to set user-friendly names and enhance searchability.
Question: Using the geo location as an authentication factor, and allowing the tenant to choose suitable locations for resources and data.
AWS response: AWS offers several regions (partially listed in [38]), one of which is chosen at the beginning of data placement.
Each of them providing a physical geo location, is covered by geo location policy and allowing to choose suitable geo access as well as is able to be restricted locations for resources and data by SSL, IP address and a time of day. They offer move data between each other routing directly by the customers or via API and SDK Any policies and mechanisms for As the customers retain ownership, they labeling, handling and security of are responsible to implement it. data The technical capabilities to The customers have capability manage enforce tenant data retention retention, control, and delete their data policies and documented policy except case when AWS must comply with law. on government requests A secure deletion (ex. degaussing At the end of a storage useful life, AWS ›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 177 DG-06.1 DG-07.1-2 DG-08.1 FS-01.1 FS-02.1 FS-03.1 FS-05.1 FS-04.1 FS-06.1 FS-07.1 / cryptographic wiping) and performs a decommissioning process to providing the procedures how a prevent data exposing via DoD 5220.22cloud vendor handles this deletion M/NIST 800-88 techniques. In additional the device will be degaussed or physically destroyed. A replication of production in AWS provides the ability to (nonnon-production environments )production delegates the responsibility to the customers to manage it. A presence of the controls to There were not known the serious prevent data leakage / security bugs of AWS environment compromising between AWS’ successfully applied or that cannot ‘patched’ by using the implemented PCI tenants controls [27-29], and other security controls that make the customer resources segmented from each other. 
As well, a hypervisor is designed to restrict non-allowed connections between tenant resources that has validated by independent PCI QSA with PCI DSS 2.0 according to AWS An availability of control health AWS provides the independent auditor data to implementation a reports under NDA and customers on continuous monitoring to validate their own systems can build a continuous monitoring of logical controls the services status additionally implementing [38]. Any ‘evidence’ if the policies are AWS is certified by independent auditors established for having safe and to confirm alignment with AWS SOC 1 secure working environment in Type II and ISO 27001 certification offices and other areas? standard (domain 9.1) A background verification (ex. According to AWS they perform such criminal) of AWS employees, checks in comply with law contractors and 3rd parties An implementation of the AWS has been implemented the various physical security perimeters, physical security controls like fencing, providing the secure areas walls, security staff, video surveillance, controlling from unauthorized intrusion detection systems and other electronic means in alignment ISO personnel actions 27001. It extends by utilizing video surveillance and requirement to pass twofactor authentication a minimum two times to access datacenter floors for staff. A ability to provide the customers AWS imposes not to move a customers' a knowledge which geo locations content from them without notifying in are under traversing into/out of it compliance the law. The rest is similar to the DG-02.5. in regards the law Availability of docs that explain AWS imposes control the customers to if and where data may be moved manage the data locations. Data will not between different locations, (e.g. be moved between different regions, only backups) and repurpose inside that were chosen to prevent equipment as well as sanitizing of failure. 
The rest is similar the DG-05.1-2 ›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 178 FS-08.1-2 HR-01.1 HR-02.1-2 HR-03.1 IS-01.1 IS-02.1 IS-03.1-3 IS-04.1-3 IS-05.1 IS-06.1-2 IS-07.1-2 IS-08.1-2 resources (talks about the AWS side only) An inventory of critical assets, The hardware assets monitored by the critical supplier relationships AWS personnel and maintain the relationships with all AWS suppliers are possible in comply ISO 27001 (domain 7.1) for additional details. A background verification (ex. Similar to the FS-02.1. Also, AWS does criminal) of AWS employees publish the Company’s Code of Business The security courses and training Conduct and Ethics internally and employees regularly train employees that documented and validated periodically. Other responsibility is shared across HR A description of ISMP in the AWS does publish (under NDA) the documents with clear direction, documentation about it in alignment ISO assignment, verification for and certified by independent auditors as supporting information security well as the policies based upon the that comply with ISO- COBIT/ISO 27001/PCI DSS 27001/22307, CoBIT, etc. Any documents shown the evidence of mapping it in comply to the regulations An ability to provide the Customers are able [11] to use their own documents with security VMs due the image importing via AWS recommendations per each VM Import, as well as AWS component, importing the trusted Import/Export accelerates moving large VMs as well as capability to amounts of data into/out in case of continuously monitor and report backup or disaster recover. 
The rest is similar to the DG-08.1 in order to ISO the compliance (domain 12.1, 15.2) An ability to notify the customers Despite of AWS provides a lot of howon information security/privacy to-docs, binary & sources [8-24], [28-29] polices changes are regularly updated, it’s better to subscribe to the news via RSS and email, because there is no other directly way to be notified Any sanctions for employees who According to AWS If violation happens, have violated security policies the appropriate disciplinary action is followed Established controls to remove According to AWS docs, any ‘redundant’ the employees access which is no access is automatically revoked when an longer required and how quickly employee’s record is terminated or it removes. changed with his job functions in Amazon’s HR system. If employee was not fired he will be reassigned with new access rights that reviewed every 90 days A docs described how the cloud The customers as data owners are vendor grant and approve access responsible for the development, content, to tenant data and if provider & operation, maintenance, and use of their tenant data classification content. methodologies is aligned with ›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 179 IS-09.1-2 IS-10.1-3 IS-11.1-2 IS-12.1-2 IS-13.1 IS-14.1 IS-15.1 IS-16.1-3 IS-17.1-3 IS-18.1-2 IS-19.1-4 each other A revocation/modification of user access to data upon any change in status of employees, contractors, customers, etc. A certification of entitlements for system administrators (exclusive tenants), with remediation case of inappropriateness of it and a security awareness training program for cloud-related issues for administrators, engineers A participation in the security groups with benchmarking the controls against standards A documentation clarifying the difference between administrative responsibilities vs. 
those of the tenant A responsibilities for maintaining awareness of and complying with security policies, procedures and standards that are relevant to an area of responsibility with providing docs how maintains the segregation of duties Informing the users of their responsibilities in regards to the security policies, standards, regulations and rules how to keep the equipment Any policies to address the conflicts of interests on SLA, tamper audit, software integrity, and detect changes of VM configurations Ability to create and manage unique encryption keys per a tenant, to encrypt data to an identity without access to a public key certificate (identity based encryption) as well, to protect a tenant data due the network transmission, VMs, DB and other data via encryption, and maintain key management Amazon provides enough security control to maintain an appropriate security policy and permissions not to let spreading the data if it is explicitly not allowed that also built by AWS. The rest is similar to the IS-07.1-2 in regards AWS staff AWS reviews the access grants every 90 days and reapproves or assign explicitly the new access grants if it is the same even. (SOC 1 Type II report, ISO 27001, domain 11.2). A training course are quite similar to the IS-06.1-2 AWS policies is based on COBIT, ISO 27001/27002 and PCI DSS AWS provides these roles among the general security documents (it means not among the specific services documents) Each employee have a Company's Code of Business Conduct and Ethics and have to complete a periodic training. Customers should manage the segregations of duties by themselves. 
The rest are certified by certified by independent auditors AWS provides the various ways to train (newly hired employee; others by the emails in AWS intranet) the employees understand their roles and responsibilities that certified by independent auditors AWS provides the details AWS SOC 1 Type II report in compliance with ISO 27001 (domain 8.2, 11.3) that validated by independents auditors If keys created on server side, AWS creates the unique keys and utilizes it, if it did on client side due the own or 3rd party solutions, the customers can manage it only. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encryption storage for EC2 AMIs), SimpleDB, EC2 (due the EBS plus SSL), VPC (encrypted connections and sessions), etc. ›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 180 IS-20.1-6 An ability to perform vulnerability scans in regards to the recommendations on application-layer, network-layer, local OS layer and patching then. Providing the info about issues to AWS who makes it public IS-21.1-2 Availability of AV solutions and updated signatures, list or behavioral patterns. A document specifying the roles and responsibilities of AWS and tenets due handling security incidents? An ability of SIEM to merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting. Additional providing an isolation of the certain customers due incident. A capability to freeze of data from a specific point in time, use the forensic data collection and analysis techniques. 
IS-22.1 IS-23.1-2 IS-24.1-4 IS-25.1-2 IS-26.1-3 IS-27.1-2 IS-28.1-2 IS-29.1 An ability to monitor affecting of security incidents and share the results with the customers An ability to collect or create metadata about the customers data and provide a documentation making clear what and how may utilize An ability to provide the monitoring system to check the privacy breaches, notify the customers, and provide a confirmation that privacy policy aligned with industry standards An ability to use an open encryption (3DES, AES, etc.) to let tenants to protect their data on storage and transferring over public networks. As well, an availability of logging, monitoring and restriction any Similar to the CO-03.1-2 but more detail that means the customers are should performing vuln scan and patching despite of the VMs’ OS are coming with the latest updates; they are obliged to come to the agreement with AWS and not violate the Policy. Also similar to the CO-02.6-7 on providing the results [40],[41-42] AWS does manage AV solutions & updates in compliance to ISO 27001 that confirmed by independent auditors AWS have this one in compliance with ISO and provides the AWS SOC 1 Type Report AWS have this one in compliance with ISO and provides the results with AWS SOC 1 Type II Report. AWS has the incident response program in compliance too. Even the customers’ data stored with strong isolation from AWS side and restrictions made by them, additional materials (SOC 1 Type II report) must be requested to clarify all questions on forensics. All data should be encrypted on client side, because it leads to the customers participation with law directly as AWS do not have the keys in this case. 
AWS does it in alignment with ISO 27001 that validated by independent auditors According to AWS, the customers manage and control their data only The customers are responsible handling the security and privacy for AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encryption storage for EC2 AMIs), SimpleDB, EC2 (due the EBS plus SSL), VPC (encrypted connections and sessions). Customers may use third-party encryption ›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 181 IS-30.1 IS-31.1-2 IS-32.1 IS-33.1-2 IS-34.1-3 LG-01.1 LG-02.1-3 OP-01.1 OP-02.1 OP-03.1-2 access to the management technologies too as well as rely on the systems controlled hypervisors, AWS APIs are available via SSLfirewalls, APIs, etc.) protected endpoints. AWS has a logging feature, delineates the minimum standards for logical access to AWS resources and provides details with AWS SOC 1 Type II report Securing and providing the AWS systems are design to protect console but the dedicated secure networks to management establish a management access to administrators must use MFA devices to gain access to the clouds. In additional, clouds for administrators? every 90 days their access rights are reviewed, as well as all such actions are reviewed and audited. An ability to collect and utilize AWS does utilize data in compliance ISO the data and provide the tenants 27001 that validated by an independent auditors with reports Any restrictions in regards to AWS has this one, delineates the using the portable/mobile minimum rights for logical access to devices/PDA and to prevent AWS resources and provides details with unauthorized access to your AWS SOC 1 Type II report application, program or object source code An ability to monitor and AWS has this one and provides details segment/restrict the key utilities with AWS SOC 1 Type II report. AWS managed virtualized partitions examines such attacks and provides (ex. shutdown, clone, etc.) 
as well information if they apply in section as ability to detect attacks (blue “Security Bulletins” [36]. An example of pill, etc.) to the virtual key blackbox attack [27],[28] was given in components and prevent from the Section II of this paper with a native them security features as a solution Periodically reviewing the NDA Amazon Legal Counsel reviews 3rd party and others requirements and agreements and NDA according to the agreements by legal counsel. An business needs. AWS does not leverage ability to monitor outsourced any 3rd party cloud providers to deliver providers in compliance with AWS services to the customers. laws per country. Any policies, system According to AWS, the policies are documentation are available for alignment with AWS Information all personnel to support services Security framework based upon the operations roles with an COBIT framework, ISO 27001 standard information system and the PCI DSS requirements. Such documentation to the authorized docs are available through the Amazon's Intranet site. personnel An ability to provide the AWS does not disclose the capacity documentation regarding what management practices but publishes SLA levels of system (network, to communicate instead storage, memory, I/O, etc.) 
oversubscription may maintain and restrict ›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 182 OP-04.1-5 A capability to perform independent hardware/software restore, and replicate recovery actions, move and port to another cloud vendor RI-01.1-2 RI-02.1-2 RI-03.1-2 RI-04.1 A cloud insurance by a 3rd party for the losses in regards to the cloud vendors, tenants (due the SLA) in alignment with the documents procedures reviewed annually at least considering all risk categories (e.g., audit results, threat and vulnerability analysis, & regulatory compliance) An ability to provide a multifailure disaster recovery, monitor a service continuity with upstream providers in the event of provider failure and to share the redundancy plans with your tenants Any policies for new development acquisitions An ability to obtain a documentation that describes the customers responsibilities within it, quality assurance process An ability to examine the standards of quality against software development and detect the source code security defects An ability to restrict the installation of unauthorized software onto clouds A minimization risk due disaster recovery policies, SLA, security metrics, business continuity plans to test the environment regularly; technical solutions providing a performance and health visibility with failover capability to other provides as well as physical protection against damage from natural causes, power failures, and network disruptions. Additionally, an ability to find out RI-05.1-7 RM-01.1 RM-02.1 RM-03.1 RM-04.1-2 RM-05.1 RS-01.1 RS-04.1 RS-02.1-3 RS-03.1-2 RS-05.1 RS-06.1 RS-07.1 RS-08.1-2 The customers should use an EBS Snapshot functionality to manage the VM images. 
Also, they allowed [11] to export their AMIs to use on premise or at another provider as well as import their VMs, as well as AWS Import/Export accelerates moving large amounts of data in/out in case of backup or disaster recover AWS provides the detailed customer remuneration for losses in SLA. The rest internal procedures of managing and mitigation the risks in alignment ISO 27001 (domain 4.2, 5.1) validated by independent auditors and a few details among the AWS risks documents. Any updates to such procedures occur each year AWS has several geo regions each of them has several independent Availability Zones designed to move customer data traffic away from the affected area [37]. All new developed resources certified by independent auditors in regards to ISO. All details provided with AWS SOC 1 Type II report. The standards of quality are part of SDLC in compliance ISO 27001 (domain 10.1) The standards of quality are part of SDLC in compliance ISO 27001 (domain 10.1), however AWS does not generally outsource development of software AWS does monitor the malicious software in compliance with ISO 27001 (domain 10.4). Such policies are in alignment with ISO 27001 ( domain 14.1); AWS provides a Cloudwatch services to monitor the state of AWS EC2, EBS, ELB, SQS, SNS, DynamoDB, Storage Gateways as well as a status history [38]. AWS provides several Availability Zones in each of six regions to prevent failures, but the customers are responsible to manage it across regions or other clouds vendors via API and SDK. 
A physical protection is in compliance ISO 27001 ›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 183 SA-01.1 SA-02.1-7 SA-03.1 SA-04.1-3 SA-05.1 SA-06.1-2 SA-08.1 SA-07.1 SA-09.1-4 SA-10.1-3 SA-11.1 the transport route of the customers data Any security/regulatory requirements addressed to the industry certifications on granting access A capability to use the SSO, an identity management system, MFA Policy Enforcement Point capability (ex. XACML), to delegate authentication capabilities, to support identity federation standards (SAML, SPML, WS-Federation, etc.), use 3rd party identity assurance services Any industry standards as a background for a Data Security Architecture (FedRAMP, etc.), standards (BSIMM, NIST, etc.) to build-in security for (SDLC), tools detecting the security defects and verify the software. An availability of I/O integrity routines for the application interfaces and DB to prevent errors and data corruption An environment separation for SaaS, PaaS, IaaS and providing the how-to-docs A MFA features and strong requirement for all remote user access A segmentation of system and network environments with a compliance, law, protection, and regulatory as well as a protection of a network environment parameter and 27002. Information about the transport routes is similar to the FS-06.1 The requirements are in compliance with ISO 27001(domain 6.2) and reviewed by an independent auditors AWS IAM [21-24] provides the securely access and roles to the resources with features to control access, create unique entry points of users, cross AWSaccounts access due API/SDK or IAM console, create the powerful permissions with duration and geo auth. AWS offers identity federation and VPC tunnels led to utilizing existing corporate identities to access, temporary security credentials. Additionally, the customers may avoid the mistakes and risks by using an AWS Policy Generator and MFA devices [39]. 
Covered the services are AWS Auto Scaling, CloudFormation, CloudFront, CloudSearch, CloudWatch, DynamoDB, EBS, EC2, Elastic Beanstalk, ElastiCache, ELB, Elastic MapReduce, RDS, Route 53, S3, SES, SQS, SNS, SimpleDB, Storage Gateway, VPC AWS Security based upon the best practices and standards (ISO 27001/27002, CoBIT, PCI DSS) that certified by independent auditors to build threat modeling and completion of a risk assessment as a part of SDLC. AWS implements this one through all phases including transmission, storage and processing data in compliance to ISO 27001 (domain 12.2) that certified by independent auditors. AWS provides a lot of how-to-docs, binary & sources (as an example [824],[28-29]) MFA is not strong and depends on the customer configuration [39] An internal segmentation is in alignment with ISO and similar to the CO-05.1-2 while external is a part of the customer responsibility. Internally, a traffic restriction is too and has ‘deny/allow’ option in EC2/S3 by default (but the explicitly cfg is recommended), etc. 
›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 184 SA-12.1 SA-13.1 SA-14.1-3 SA-15.1-2 Externally, the customers are able to use SSL, encryption key, encryption solutions, security policies to explicitly approve the security settings (AWS, 3rd party or their own) according to the security docs, whitepapers A NTP or other similar services AWS services rely on the internal system clocks synchronized via NTP An equipment identification is as AWS provides such ability, for example a method to validate connection due the AWS metadata, geo tags and authentication integrity based on other tags created by the customers known location Any host and network IDS to Similar to the IS-22.1 and IS-23.1-2 detect, investigate in case of incidents with audit of an user access (authorized personnel) A mobile code authorization The customers are responsible to manage before its installation, prevention it to meet their requirements. from executing and using to a clearly defined security policy TABLE 4: AWS SOLUTIONS AGAINST A CCM CID CO-01 CO-02 CO-03 CO-04 CO-05 Control Specification Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations with aim to minimize the risk of business process disruption. Independent reviews shall be performed annually/planned intervals to aim a high effective compliance policies, standards and regulations (i.e., internal/external audits, certifications, vulnerability and penetration testing) 3rd party service providers shall demonstrate compliance with security due; their reports and services should undergo audit and review. Responsible persons to contact with local authorities in accordance with business and customer requirements and compliance requirements. 
The organization's approach to meet known requirements, and adapt to new mandate shall be AWS Response AWS has appropriate technical solutions, internal controls to protect customer data against alteration/destruction/loss/etc. Any kind of additional audit information is provided to the customers under NDA AWS shares 3rd audit reports under NDA with their customers. Such audit covers regularly scans of their (noncustomer) services for vulnerabilities [41-42] while the customers are allowed to request for a pentest [40] of their own instances AWS requires to meet important privacy and security requirements conducting 3rd parties in alignment ISO 27001 (domain 6.2) AWS maintains contacts with external parties in alignment with ISO standards Updates to AWS security policies, procedures, standards and controls occur on an annual basis in alignment with the ›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 185 CO-06 DG-01 DG-02 DG-03 DG-04 DG-05 DG-06 DG-07 DG-08 explicitly defined, documented, ISO 27001 standard. and kept up to date for each information system element in the organization. Information system elements may include data, objects, applications, infrastructure and hardware A policy to safeguard intellectual AWS will not disclose customer data to a property 3rd party unless it is required by law and will not use data except to detect/repair problems affecting the services All data shall be designated with Customers are responsible for stewardship with assigned maintaining it regarding their assets responsibilities defined, documented and communicated. Data, and objects containing data, AWS allows customers to classify their shall be assigned a classification resources by themselves (ex. applying based on data type, jurisdiction of any metadata and tagging to the origin, jurisdiction domiciled, etc. 
EC2VMs to set the user-friendly names & enhance searchability) Policies/mechanisms for labeling, Similar to DG-02 handling and security of data and objects which contain data Policies for data retention and AWS infrastructure is validated regularly storage as well as implementation any purposes in alignment with security of backup or redundancy standards and featured by AWS EBS and mechanisms to ensure compliance Glacier (for data archiving and backup), with regulatory and other but the customers have capability requirements that validated manage it due the API/SDK regularly Policies and mechanisms for the AWS rely on best practices to wipe data secure disposal and complete via DoD 5220.22-M/NIST 800-88 removal of data from all storage techniques; if it is not possible the media, ensuring data is not physical destruction happens recoverable by any computer forensic means. Production data shall not be AWS has implemented the segmentation replicated or used in non- of customers data to prevent its movement by default, however the endproduction environments. users are responsible to manage the right sharing permissions Security mechanisms to prevent AWS has implemented logical data leakage. (permissions) and physical (segmentation) controls to prevent data leakage. (ex. a hypervisor is designed to restrict non-allowed connections between tenant resources that has validated by independent PCI QSA in alignment with PCI DSS 2.0 requirements) Risk assessments associated with AWS provides the independent auditor ›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– ‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵ 186 FS-01 data governance requirements reports under NDA and customers on shall be conducted at planned their own systems can build a continuous intervals monitoring of logical controls additionally implementing [38]. 
Procedures for maintaining a safe AWS controls any access to buildings, and secure working environment room and other areas, has a strong in offices, rooms, facilities and requirement to pass two-factor authentication. All procedures are secure areas. validated by independent auditors FS-02 Physical access to information assets and functions by users and support personnel shall be restricted. FS-03 FS-05 An implementation of the physical security perimeters, providing the secure areas controlling from unauthorized personnel actions FS-04 Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access. Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premise. A complete inventory of critical assets shall be maintained with ownership defined and documented. FS-06 FS-07 FS-08 HR-01 HR-02 AWS regularly train employees in regards their roles vs. those customers that documented and validated periodically. Also, any ‘redundant’ access is automatically revoked when an employee’s record is terminated or changed with his job functions in Amazon’s HR system. If employee was not fired he will be reassigned with new access rights that reviewed every 90 days AWS has been implemented the various physical security controls like fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means in alignment ISO 27001. It extends by utilizing video surveillance and requirement to pass twofactor authentication a minimum two times to access datacenter floors for staff. Similar to the FS-03/FS-05 AWS imposes control the customers to manage the data locations. Data will not be moved between different regions, only inside that were chosen to prevent failure. 
(Table continued from the previous page: control ID, requirement, AWS implementation.)

(row continued from the previous page)
AWS: AWS maintains a formal policy on assets: the hardware assets are monitored by AWS personnel, and relationships with all AWS suppliers are maintained in compliance with ISO 27001 (domain 7.1), which provides additional details.

(background verification row)
Requirement: An employment candidate's background verification in regards to local laws, regulations, etc.
AWS: According to AWS, they perform such checks in compliance with law.

HR-02
Requirement: Any agreements prior to granting individuals (employees, contractors, 3rd party users, etc.) physical or logical access to facilities, systems or data.
AWS: Every employee is provided with the Company's Code of Business Conduct and Ethics internally and is regularly trained.

HR-03
Requirement: Define the roles and responsibilities for performing employment termination or change-in-employment procedures.
AWS: An employee or a third-party contractor has a minimum set of privileges and can be disabled by the hiring manager. All types of access to any resource are logged, as well as changes to it; access must be explicitly approved in Amazon's proprietary permission management system. All changes lead to revocation of previous access, because each access type to the resource is explicitly approved.

IS-01 to IS-03
Requirement: An implementation of an ISMP including administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
AWS: AWS implements an ISMS to address security/privacy best practices and provides the appropriate documentation under NDA.

IS-04
Requirement: An implementation of baseline security requirements for applications/DB/systems/network in compliance with policies/regulations/standards.
AWS: Baseline security requirements are technically implemented with a 'deny' configuration by default and are documented among the AWS security documents for all services (e.g. [8-24]).

IS-05
Requirement: An information security policy review at planned intervals.
AWS: Although AWS provides a lot of how-to docs, binaries & sources [8-24], [28-29] that are regularly updated, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified by AWS.

IS-06
Requirement: A sanction policy for violation of security policies.
AWS: According to AWS, if a violation happens, the appropriate disciplinary action follows.

IS-07
Requirement: An implementation of user access policies to apps, DB, and the rest in accordance with security, compliance and SLA.
AWS: All AWS services feature IAM, which provides powerful permission items with predefined templates; the rest is similar to FS-02, HR-03, IS-04.

IS-08
Requirement: Documented policies for granting/revoking access to apps, DB, and the rest in accordance with security, compliance and SLA.
AWS: Similar to IS-07.

IS-09
Requirement: A revocation/modification of user access to data upon any change in status of employees, contractors, customers, etc.
AWS: Any access is automatically revoked when an employee's/3rd-party contributor's record is terminated or his job functions change in Amazon's HR system. If the employee/3rd-party contributor was not fired, he is reassigned new access rights, which are reviewed every 90 days.

IS-10, IS-11
Requirement: All levels of user access shall be reviewed by management at planned intervals and documented, while a security awareness training program shall be established for all contractors, 3rd parties and employees and mandated when appropriate.
AWS: Similar to HR-02, HR-03.

IS-12
Requirement: Industry security knowledge and benchmarking through networking, specialist security forums, and professional associations.
AWS: AWS is a member of industry organizations and organizes events.

IS-13
Requirement: Roles and responsibilities of contractors, employees and 3rd party users shall be documented as they relate to information assets and security.
AWS: Similar to HR-03.

IS-14, IS-15
Requirement: Responsibilities for maintaining awareness of and complying with security policies, procedures and standards that are relevant to the manager's area of responsibility, with documentation of how segregation of duties is maintained.
AWS: Each employee has the Company's Code of Business Conduct and Ethics and has to complete periodic training. Customers should manage the segregation of duties themselves; the rest is certified by independent auditors.

IS-16
Requirement: Informing the users of their responsibilities in regards to the security policies, standards, regulations and rules on how to keep the equipment.
AWS: AWS provides various ways to train the employees (newly hired employees; others by mail on the AWS intranet) so that they understand their roles and responsibilities; this is certified by independent auditors.

IS-17
Requirement: Documented procedures for clearing visible documents containing sensitive data when a workspace is unattended, and enforcement of workstation session logout after a period of inactivity.
AWS: Similar to IS-16.

IS-18, IS-19
Requirement: Implemented policies/mechanisms allowing data encryption in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging), as well as key management.
AWS: If keys are created on the server side, AWS creates the unique keys and utilizes them; if they are created on the client side with the customer's own or a 3rd-party solution, only the customers can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.
IS-20
Requirement: Implemented policies and mechanisms for vulnerability and patch management on the side of apps, system, and network devices.
AWS: AWS provides its services with the latest updates and analyzes software updates by their criticality; customers also have a partial ability to perform vulnerability scans and patching, provided they do not violate the policy [40], [41-42].

IS-21
Requirement: A capability of AV solutions to detect, remove, and protect against all known types of malicious or unauthorized software, with antivirus signature updates at least every 12 hours.
AWS: AWS does manage AV solutions & updates in compliance with ISO 27001, confirmed by independent auditors. Additionally, customers should maintain their own solutions to meet their requirements.

IS-22
Requirement: Policies and procedures to triage security related events and ensure timely and thorough incident management.
AWS: AWS has defined role responsibilities and incident handling in internal documents in compliance with ISO and provides the AWS SOC 1 Type II report.

IS-23, IS-24
Requirement: Information security events shall be reported through predefined communication channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
AWS: AWS contributes to it via [40-42].

IS-25
Requirement: Availability of mechanisms to monitor and quantify the types and volumes of information security incidents.
AWS: AWS provides it in alignment with ISO 27001, validated by independent auditors.

IS-26
Requirement: Policies and procedures shall be established for the acceptable use of information assets.
AWS: According to AWS, only the customers manage and control their data, unless it is needed due to law requirements or troubleshooting aimed at fixing service issues.

IS-27
Requirement: Employees, contractors and 3rd party users must return all assets owned by the organization within a defined and documented time frame once the employment, contract or agreement has been terminated.
AWS: N/A

IS-28
Requirement: A protection of e-commerce related data traversing over public networks.
AWS: There is no information that AWS is involved in e-commerce solutions.

IS-29
Requirement: Strong segmentation and restriction of access to, and use of, audit tools that interact with the organization's information systems to prevent compromise and misuse of log data.
AWS: Internal audit tools are restricted to AWS personnel, who have only the access they need to perform specific tasks; each access is reviewed every 90 days.

IS-30
Requirement: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
AWS: Administrators are required to use MFA to access such hosts, which are designed to protect them, and continue to have this access unless they no longer have a business need. All such access is logged, audited and reviewed every 90 days.

IS-31
Requirement: Network and infrastructure SLAs (in-house or outsourced) shall clearly document security controls, capacity and other requirements.
AWS: SLAs are validated and certified by independent auditors; utilization of customer services housed in the cloud is not mined.

IS-32, IS-33
Requirement: Policies and mechanisms to limit access to sensitive data (especially application, program or object source code) from portable and mobile devices.
AWS: AWS has this one, delineates the minimum rights for logical access to AWS resources and provides details in the AWS SOC 1 Type II report.

IS-34
Requirement: Utility programs capable of potentially overriding system, object, network, virtual machine and application controls shall be restricted.
AWS: AWS provides internal system tools to perform specific tasks; each access is reviewed every 90 days.

LG-01
Requirement: Periodically reviewing the NDA and other requirements and agreements by legal counsel.
AWS: Amazon Legal Counsel reviews 3rd party agreements and NDAs according to the business needs.

LG-02
Requirement: An ability to monitor outsourced providers in compliance with laws per country.
AWS: AWS does not leverage any 3rd party cloud providers to deliver AWS services to the customers.

OP-01, OP-02
Requirement: Any policies and system documentation are available for all personnel to support service operations roles, with information system documentation available to the authorized personnel to ensure the following: configuring, installing, and operating the information system; effectively using the system's security features.
AWS: According to AWS, the policies are in alignment with the AWS Information Security framework, based upon the COBIT framework, the ISO 27001 standard and the PCI DSS requirements. Such docs are available through Amazon's intranet site.

OP-03
Requirement: The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance.
AWS: AWS manages capacity and utilization data in compliance with ISO 27001, certified by an independent auditor.

OP-04
Requirement: Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.
AWS: AWS has continuity policies developed according to ISO 27001 (domain 14.1) and provides details in the AWS SOC 1 report.

RI-01 to RI-04
Requirement: A cloud insurance by a 3rd party for the losses in regards to the cloud vendors and tenants (due to the SLA), in alignment with the documented procedures, reviewed at least annually, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
AWS: AWS provides the detailed customer remuneration for losses in the SLA. The rest: internal procedures of managing and mitigating the risks are in alignment with ISO 27001 (domain 4.2, 5.1), validated by independent auditors, with a few details among the AWS risk documents. Any updates to such procedures occur each year.

RI-05
Requirement: The identification, assessment, and prioritization of risks posed by business processes requiring 3rd party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure the likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
AWS: An employee or a third-party contractor has a minimum set of privileges and can be disabled by the hiring manager. All types of access to any resource are logged, as well as changes to it; access must be explicitly approved in Amazon's proprietary permission management system. All changes lead to revocation of previous access, because each access type to the resource is explicitly approved (or: similar to HR-02).

RM-01
Requirement: Any policies for new development acquisitions.
AWS: All newly developed resources are certified by independent auditors in regards to ISO. All details are provided in the AWS SOC 1 Type II report.

RM-02, RM-03
Requirement: Changes to the production environment shall be documented, tested and approved prior to implementation. A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization.
AWS: The standards of quality are part of the SDLC in compliance with ISO 27001 (domain 10.1).

RM-04
Requirement: A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all outsourced software development. The development of all outsourced software shall be supervised and monitored by the organization and must include security requirements, independent security review of the outsourced environment by a certified individual, certified security training for outsourced software developers, and code reviews.
AWS: The standards of quality are part of the SDLC in compliance with ISO 27001 (domain 10.1), certified and validated by independent auditors; however, AWS does not generally outsource development of software.

RM-05
Requirement: An implementation of policies and mechanisms to restrict the installation of unauthorized software.
AWS: AWS does monitor for malicious software in compliance with ISO 27001 (domain 10.4).

RS-01 to RS-04
Requirement: Documented policy and procedures defining continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets through a combination of preventive and recovery controls, in accordance with regulations and standards.
AWS: Such policies are in alignment with ISO 27001 (domain 14.1); AWS provides CloudWatch services to monitor the state of AWS EC2, EBS, ELB, SQS, SNS, DynamoDB and Storage Gateways, as well as a status history [38]. AWS provides several Availability Zones in each of six regions to prevent failures, but the customers are responsible for managing it across regions or other cloud vendors via API and SDK.

RS-05 to RS-08
Requirement: Physical protection against damage from natural causes and disasters, as well as deliberate attacks including fire, flood, etc., shall be implemented.
AWS: Physical protection is in compliance with ISO 27001 and 27002. Information about the transport routes is similar to FS-06.1.

SA-01
Requirement: Prior to granting customers access to data, assets and information systems, all identified security, contractual and regulatory requirements for customer access shall be addressed and remediated.
AWS: Prior to using AWS services, customers are required to review and agree to an SLA.

SA-02
Requirement: An implementation of user credential and password controls for apps, DB, server and network infrastructure, requiring the following minimum standards
AWS: AWS IAM [21-24] provides secure access and roles to the resources, with features to control access, create unique entry points for users, cross-AWS-account access via API/SDK or the IAM console, and create powerful permissions with duration and geo auth. AWS offers identity federation and VPC tunnels, allowing existing corporate identities to be used for access, and temporary security credentials. Additionally, the customers may avoid mistakes and risks by using the AWS Policy Generator and MFA devices [39]. The covered services are AWS Auto Scaling, CloudFormation, CloudFront, CloudSearch, CloudWatch, DynamoDB, EBS, EC2, Elastic Beanstalk, ElastiCache, ELB, Elastic MapReduce, RDS, Route 53, S3, SES, SQS, SNS, SimpleDB, Storage Gateway, VPC. IAM allows creating and handling the sets defined in accordance with the sub-rules of SA-02 (in the original version of the CCM).
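Added example (not from the paper or from AWS): a small Python model of the IAM evaluation rules the table relies on, namely deny by default (IS-04), an explicit Deny overriding any Allow, and MFA, duration and network restrictions as conditions the customer has to configure (SA-02, SA-07). The policy documents, the bucket name and the 203.0.113.0/24 "corporate" range are constructed placeholders, and the geo restriction mentioned above is approximated by a source-IP condition.

```python
"""Simplified model of IAM policy evaluation (constructed example, not AWS code).
Deny by default, explicit Deny wins, and conditions must be configured."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase
import ipaddress

# Constructed sample policies: bucket name and 203.0.113.0/24 (a documentation
# range standing in for a corporate network) are placeholders.
POLICIES = [
    {"Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "DateLessThan": {"aws:CurrentTime": "2013-03-31T23:59:59+00:00"},
        },
    }]},
    {"Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold; a missing context key fails the check."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            elif operator == "DateLessThan":
                ok = actual < datetime.fromisoformat(expected)
            elif operator == "DateGreaterThan":
                ok = actual > datetime.fromisoformat(expected)
            elif operator in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(actual)
                inside = any(addr in ipaddress.ip_network(n) for n in _as_list(expected))
                ok = inside if operator == "IpAddress" else not inside
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    Non-matching statements are skipped; a matching Deny ends evaluation at
    once; no matching statement at all falls through to the implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def request_context(mfa, when, source_ip):
    """Context keys the sample policies inspect (hypothetical request)."""
    return {"aws:MultiFactorAuthPresent": mfa,
            "aws:CurrentTime": when,
            "aws:SourceIp": source_ip}


def demo():
    """One GetObject request evaluated under several constructed situations."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    in_window = datetime(2013, 2, 1, tzinfo=timezone.utc)
    expired = datetime(2013, 4, 1, tzinfo=timezone.utc)
    corp, outside = "203.0.113.10", "198.51.100.7"
    cases = {
        "mfa_in_window_corp": ("s3:GetObject", request_context(True, in_window, corp)),
        "no_mfa": ("s3:GetObject", request_context(False, in_window, corp)),
        "expired": ("s3:GetObject", request_context(True, expired, corp)),
        "outside_network": ("s3:GetObject", request_context(True, in_window, outside)),
        "unlisted_action": ("s3:PutObject", request_context(True, in_window, corp)),
    }
    return {name: evaluate(POLICIES, act, obj, ctx) for name, (act, ctx) in cases.items()}


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:20s} -> {decision}")
```

Only the first case is allowed; the missing MFA, the expired window and the unlisted action fall through to the implicit deny, while the request from outside the network hits the explicit Deny even though the Allow statement matched.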
SA-02 (AWS, continued): On the AWS side it is similar to FS-02 except 'training'.

SA-03, SA-04
Requirement: Implemented policies and mechanisms designed in accordance with industry accepted security standards to ensure security and integrity of data exchanged between system interfaces, to prevent disclosure, alteration or destruction, complying with legislative, regulatory, and contractual requirements.
AWS: AWS security is based upon best practices and standards (ISO 27001/27002, COBIT, PCI DSS), certified by independent auditors, to build threat modeling and complete a risk assessment as a part of the SDLC.

SA-05
Requirement: An availability of I/O integrity routines for the application interfaces and DB to prevent errors and data corruption.
AWS: AWS implements this one through all phases, including transmission, storage and processing of data, in compliance with ISO 27001 (domain 12.2), certified by independent auditors.

SA-06, SA-08
Requirement: A segmentation of production and non-production environments to prevent unauthorized access, and restriction of connections between trusted and untrusted networks for the use of all services, protocols, and ports allowed.
AWS: AWS provides a lot of how-to docs, binaries & sources (as an example [8-24], [28-29]).

SA-07
Requirement: A requirement of MFA for all remote user access.
AWS: MFA is not on by default and depends on the customer configuration [39].

SA-09 to SA-11
Requirement: A separation of system and network environments via firewalls in regards to isolation of sensitive data, restricting unauthorized traffic, enhanced with strong encryption for authentication and transmission, and replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.).
AWS: Internal segmentation is in alignment with ISO and similar to CO-05.1-2, while external segmentation is a part of the customer responsibility. Internally, traffic restriction is in place too and has a 'deny/allow' option in EC2/S3 by default (but explicit configuration is recommended), etc. Externally, the customers are able to use SSL, encryption keys, encryption solutions and security policies to explicitly approve the security settings (AWS, 3rd party or their own) according to the security docs and whitepapers.

SA-12
Requirement: An external, accurate, externally agreed upon time source shall be used to synchronize the system clocks of all relevant information-processing systems (US GPS & EU Galileo Satellite Network).
AWS: AWS services rely on the internal system clocks synchronized via NTP.

SA-13
Requirement: A capability of automated equipment identification as a part of authentication.
AWS: AWS provides such ability, for example via the metadata, geo tags and other tags created by the customers.

SA-14
Requirement: Audit logs recording privileged user access activities shall be retained, complying with applicable policies and regulations, and reviewed at least daily, with file integrity (host) and network intrusion detection (IDS) tools implemented to help investigation in case of incidents.
AWS: AWS has this one in compliance with ISO and provides the results in the AWS SOC 1 Type II report. AWS has an incident response program in compliance too. Even though the customers' data is stored with strong isolation from the AWS side and restrictions made by them, additional materials (the SOC 1 Type II report) must be requested to clarify all questions on forensics. All data should be encrypted on the client side, because then the customers participate with the law directly, as AWS does not have the keys in this case.

SA-15
Requirement: Mobile code authorization before its installation, prevention from executing, and use according to a clearly defined security policy.
AWS: The customers are responsible for managing it to meet their requirements.

IV. CONCLUSION

Any complex solutions and systems like AWS, Azure, or GAE tend to be prone to security compromise, because they have to operate large-scale computations and dynamic configuration.
Cloud vendors usually do not disclose technical security details to the customers, which raises the question of how to verify them against the appropriate requirements. Cloud security depends on whether the cloud vendors have implemented security controls that are documented and backed by policy. However, there is a lack of visibility into how clouds operate; each of them differs from the others in the levels of control, monitoring and securing mechanisms that are widely known for non-cloud systems. The potential vulnerability requires a high degree of security combined with transparency and compliance. AWS relies on security frameworks based on various standards, certified by third-party auditors, which help the customers evaluate if/how AWS meets the requirements. CAIQ/CCM provides an equivalent of recommendations across several standards. The bad side is that it allows vendors to provide fewer public details, moving them into NDA reports and writing general explanations multiplied by general standards recommendations (even in modern documents like the CSA's). CAIQ provides more details on security and privacy than a matrix aligned to the Cloud Security Guidance in 13 domains. Besides the details from 3rd party audit reports, customers may require assurance in order to meet local laws and regulations. It is quite complicated to reduce the implementation and configuration information as a part of proprietary information (that is neither bad nor good, just complicated). In other words, it may call for specific levels of audit logging, activity reporting, security controlling and data retention that are often not a part of the SLA offered by providers. The result of an examination of AWS security controls against Russian security standards/regulations, shown in [45] and partially in [7], is that the standards are successfully passed by use of the native security features implemented in the AWS Console, CLI and API/SDK only.
It additionally includes cases where the current AWS security features should be enhanced via third-party security solutions, like national encryption on the client side before uploading data, and the ability to comply with requirements indirectly. Talking about security enhancement, not only the security controls belonging to the cloud layer (outside the VMs) should be used to protect data, communications, memory, etc., but also internal OS controls and third-party solutions together. However, it excludes obsolescent clauses and cases where we need to 'just wait' for a solution from AWS because of the inability to build and implement an appropriate one ourselves and their promise to 'release it soon' in the FAQ or other documents. OS and third-party solutions known for non-cloud systems allow protecting critical and confidential information present in different system, configuration and other files to avoid alteration, exposure or access to them. Examination of cloud solutions like Azure, BES with AWS & Azure, and Office 365 with Cloud BES against other standards (incl. Russian docs) is a part of further research; however, the significant direction is improving the existing CSA and NIST recommendations in order to enhance transparency via utilization of primarily technical requirements: on the cloud layer, on the inter-VM/DB & inter-cloud-services layer, and on the VM/DB layer.

REFERENCES

[1] P. Mell and T. Grance, "The NIST Definition of Cloud Computing", Recommendation of the National Institute of Standards and Technology, NIST, 2011.
[2] Abdullah Abuhussein, Harkeerat Bedi, Sajjan Shiva, "Evaluating Security and Privacy in Cloud Computing Services: A Stakeholder's Perspective", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 388-395, December 2012.
[3] Jun Feng, Yu Chen, Pu Liu, "Bridging the Missing Link of Cloud Data Storage Security in AWS", 7th Consumer Communications and Networking Conference (CCNC), pp. 1-2, January 2010.
[4] Yan Hu, Fangjie Lu, Israr Khan, Guohua Bai, "A Cloud Computing Solution for Sharing Healthcare Information", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 465-470, December 2012.
[5] "Google cloud services – App Engine". [Online resource: http://www.google.com/enterprise/cloud/appengine/, Accessed: 23-November-2012]
[6] "Technical Overview of the Security Features in the Windows Azure Platform". [Online resource: http://www.google.com/enterprise/cloud/appengine/, Accessed: 23-November-2012]
[7] Y. Chemerkin, "AWS Cloud Security from the point of view of the Compliance", PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa, Warszawa, vol. 2, Issue 10/2012 (12), ISSN 2084-1116, pp. 50-59, December 2012.
[8] "Amazon EC2 User Guide". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/, Accessed: 05-December-2012]
[9] "Amazon EC2 Microsoft Windows Guide". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/, Accessed: 05-December-2012]
[10] "Amazon EC2 Microsoft API Reference". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/, Accessed: 05-December-2012]
[11] "AWS Import/Export Developer Guide". [Online resource: http://aws.amazon.com/documentation/importexport/, Accessed: 16-December-2012]
[12] "Amazon Virtual Private Cloud Network Administrator Guide". [Online resource: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide, Accessed: 05-December-2012]
[13] "Amazon Virtual Private Cloud User Guide". [Online resource: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide, Accessed: 05-December-2012]
[14] "Amazon Direct Connect User Guide". [Online resource: http://docs.aws.amazon.com/DirectConnect/latest/UserGuide/, Accessed: 05-December-2012]
[15] "Amazon Direct Connect API Reference". [Online resource: http://docs.aws.amazon.com/DirectConnect/latest/APIReference/Welcome.html, Accessed: 05-December-2012]
[16] "Amazon S3 Developer Guide". [Online resource: http://docs.aws.amazon.com/AmazonS3/latest/dev/, Accessed: 20-December-2012]
[17] "Amazon S3 API Reference". [Online resource: http://docs.aws.amazon.com/AmazonS3/latest/API/, Accessed: 20-December-2012]
[18] "Amazon S3 Console User Guide". [Online resource: http://docs.aws.amazon.com/AmazonS3/latest/UG/, Accessed: 20-December-2012]
[19] "Amazon Glacier Developer Guide". [Online resource: http://docs.aws.amazon.com/amazonglacier/latest/dev/, Accessed: 20-December-2012]
[20] "Amazon Storage Gateway". [Online resource: http://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html, Accessed: 20-December-2012]
[21] "Amazon IAM API Reference". [Online resource: http://docs.aws.amazon.com/IAM/latest/APIReference/, Accessed: 29-December-2012]
[22] "Amazon Using Temporary Security Credentials". [Online resource: http://docs.aws.amazon.com/IAM/latest/UsingSTS/, Accessed: 29-December-2012]
[23] "Amazon AWS Security Token Service API Reference". [Online resource: http://docs.aws.amazon.com/STS/latest/APIReference/, Accessed: 29-December-2012]
[24] "Amazon Command Line Reference". [Online resource: http://docs.aws.amazon.com/IAM/latest/CLIReference/, Accessed: 29-December-2012]
[25] "DRAFT Cloud Computing Synopsis and Recommendations", NIST Special Publication 800-146. [Online resource: http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf, Accessed: 06-January-2013]
[26] "Security Whitepaper: Google Apps Messaging and Collaboration Products". [Online resource: http://cryptome.org/2012/12/google-cloudsec.pdf, Accessed: 23-November-2013]
[27] Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, Luigi Lo Iacono, "All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM Cloud Computing Security Workshop (CCSW), pp. 3-14, October 2011.
[28] "Reported SOAP Request Parsing Vulnerabilities". [Online resource: https://aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/, Accessed: 15-January-2013]
[29] "Xen Security Advisories". [Online resource: https://aws.amazon.com/security/security-bulletins/xen-security-advisories/, Accessed: 15-January-2013]
[30] "The Essential Intelligent Client". [Online resource: http://www.vmworld.com/servlet/JiveServlet/downloadBody/5700-102-18823/Intel%20The%20Essential%20Intelligent%20Client.pdf, Accessed: 15-January-2013]
[31] "Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR". [Online resource: http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html/, Accessed: 22-November-2013]
[32] "The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security, pp. 38-49, October 2012.
[33] "Reported SSL Certificate Validation Errors in API Tools and SDKs". [Online resource: https://aws.amazon.com/security/security-bulletins/reported-ssl-certificate-validation-errors-in-api-tools-and-sdks/, Accessed: 15-January-2013]
[34] "CSA Cloud Controls Matrix v1.3". [Online resource: https://cloudsecurityalliance.org/research/cai/, Accessed: 22-January-2013]
[35] "CSA Consensus Assessments Initiative Questionnaire v1.1". [Online resource: https://cloudsecurityalliance.org/research/cai/, Accessed: 22-December-2012]
[36] "AWS Security Bulletins". [Online resource: https://aws.amazon.com/security/security-bulletins/, Accessed: 16-February-2013]
[37] "Products and Services by Region with AWS Edge Locations". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html, Accessed: 10-February-2013]
[38] "AWS Services Health Status with the history status". [Online resource: http://status.aws.amazon.com/, Accessed: 16-February-2013]
[39] "AWS MFA". [Online resource: http://aws.amazon.com/mfa, Accessed: 16-February-2013]
[40] "AWS Vulnerability/Pentesting Request Form". [Online resource: https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSSecurityPenTestRequest, Accessed: 16-February-2013]
[41] "AWS Abuse reports (EC2, other AWS services)". [Online resource: https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse, Accessed: 16-February-2013]
[42] "AWS Vulnerability Reporting". [Online resource: https://aws.amazon.com/security/vulnerability-reporting/, Accessed: 16-February-2013]
[43] Jeffrey Medsger, Avinash Srinivasan, "ERASE: EntRopy-based SAnitization of SEnsitive Data for Privacy Preservation", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 427-432, December 2012.
[44] R. Kissel, M. Scholl, S. Skolochenko, and X. Li, "Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology", NIST SP 800-88, 2006.
[45] Y. Chemerkin, "Analysis of Cloud Security against the modern security standards", draft (to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa, Warszawa, in April-May