Security Compliance Challenges On Clouds


CTICon-2013

Proceedings of the

International Conference on
“Diversifying Trends in
Technology & Management”

Organized by:

CYBER TIMES
Sponsored by:
SEDULITY SOLUTIONS & TECHNOLOGIES
Technically Co-Sponsored by:
CSI Region-I & Division-I
Cyber Times International Journal of
Technology & Management
Vol. 6, Issue 1, October 2012 – March 2013
ISSN: 2278-7518

EDITOR-IN-CHIEF

Dr. Anup Girdhar

EDITORIAL ADVISORY BOARD

Dr. Sushila Madan


Dr. A.K. Saini
Mr. Mukul Girdhar

EXECUTIVE EDITORS

Ms. Kanika Trehan


Mr. Rakesh Laxman Patil

CSI ADVISORY BOARD

Prof. S. V. Raghavan, President, CSI


Mr. H. R. Mohan, Vice President, CSI
Mr. S. Ramanathan, Hony. Secretary, CSI
Mr. Ranga Rajagopal, Hony. Treasurer, CSI
Mr. Satish Babu, Immediate Past President, CSI
Mr. R. K. Vyas, Regional Vice President, Region-I, CSI
Prof. M.N. Hoda, Chairman, Division-I, CSI
“Cyber Times International Journal of Technology & Management”. All rights reserved. No
part of this journal may be reproduced, republished, stored, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior
permission of the publisher in writing. Any person who does any unauthorized act in relation
to this journal publication may be liable to criminal prosecution and civil claims for damages.

Editorial Office & Administrative Address:

The Editor,
310 Suneja Tower-II,
District Centre, Janak Puri,
New Delhi-110058.

ISSN: 2278-7518

Phone: 011-25595729, +91-9312903095

Website: http://journal.cybertimes.in

Email: [email protected]

Disclaimer: Views and information expressed in the Research Papers or Articles are those of
the respective authors. “Cyber Times International Journal of Technology & Management”,
its Editorial Board, Editor and Publisher (Cyber Times) disclaim the Responsibility and
Liability for any statement of fact or option made by the contributors. The content of the
papers are written by their respective authors. The originality and authenticity of the papers
and the explanation of information and views expressed therein are the sole responsibility of
the authors. However, effort is made to acknowledge source material relied upon or referred
to, however; “Cyber Times International Journal of Technology & Management” does not
accept any responsibility for any unintentional mistakes & errors.

Cyber Times International Journal of Technology & Management, Bi-Annually, Vol.6, Issue 1, has been
Published, Printed and Edited by Dr. Anup Girdhar, on behalf of Cyber Times, at 310 Suneja Tower-II, District
Centre, Janak Puri, New Delhi-110058.
From the Editor’s Desk

At the outset, I take this opportunity to thank all the contributors and readers for making
“Cyber Times – International Journal of Technology & Management” an outstanding
success.

The response that we have received from the Researchers, Authors, Academicians, Law-
Enforcement Agencies and Industry Professionals for sending their Research Papers/ Articles
for publication is duly acknowledged across the globe.

We are pleased to present Volume 6, Issue 1, of “Cyber Times International Journal of
Technology & Management”, which includes two parts: Part-1 covers the area of
‘Technology’ and Part-2 covers the area of ‘Management’.

Part-1: Technology

Cloud Computing, Artificial Intelligence, Wireless Networks, Cyber Security and Network
Attacks, Penetration Testing, Cyber Laws, Cyber Crime Investigation, Data Mining,
Databases, Mobile Commerce, Software Testing, etc.

Part-2: Management

Management Strategies, Human Resources, Business Intelligence, Global Retail Industry,


Business Process Outsourcing, Indian Economy, Performance Management, Risk
Management, International Business, etc.

I am sure that this issue will generate immense interest amongst the Readers in different
aspects of Technology & Management.

We look forward to receiving your valuable future contributions to make this journal a joint
endeavor.

With Warm Regards,

Editor-in-Chief

Dr. ANUP GIRDHAR


General Information
“Cyber Times International Journal of Technology & Management” is published bi-
annually. All editorial and administrative correspondence for publication should be
addressed to The Editor, Cyber Times.

The Abstracts received for the final publication are screened by the Evaluation
Committee for approval and only the selected Papers/ Abstracts will be published in
each edition. Further information is available in the “Guidelines for paper
Submission” section.

Annual Subscription details for obtaining the journal are provided separately and the
interested persons may avail the same accordingly after filling the Annual
subscription form.

This journal is meant for education, reference and learning purposes. The author(s) of
this book has/have taken all reasonable care to ensure that the contents of the
book do not violate any existing copyright or other intellectual property rights of any
person/ company/ institution in any manner whatsoever. In the event the author(s)
has/have been unable to track any source and if any copyright has been inadvertently
infringed, please notify the publisher in writing for the corrective action.

Copyright © “Cyber Times International Journal of Technology & Management”. All


rights reserved. No part of this journal may be reproduced, republished, stored, or
transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior permission of the publisher in writing. Any
person who does any unauthorized act in relation to this journal publication may be
liable to criminal prosecution and civil claims for damages.

Other Publications:
• Cyber Times Newspaper (English) – RNI No: DELENG/2008/25470
• Cyber Times Newspaper (Hindi) – RNI No. DELHIN/1999/00462

Printed & Published by: Cyber Times


310 Suneja Tower-II, District Centre,
Janak Puri, New Delhi-110058
Editorial Advisory Board Members

Name Designation, Organization/ University Country


Dr. Sushila Madan Associate Professor, Delhi University India
Dr. A. K. Saini Professor, GGS IP University India
Mr. J. R. Ahuja Former Consultant, AICTE India
Mr. Mukul Girdhar Vice President, Sedulity Solutions India
Mr. Geetesh Madan Q.A. Consultant with Tesco Bank, Newcastle UK
Dr. Deepak Shikarpur Chairman Board of Studies, Pune University India
Dr. B. B. Ahuja Deputy Director,COE Pune India
Prof. M. N. Hoda Director, Bharati Vidyapeeth's (BVICAM) India
Dr. S. C. Gupta Director, NIEC, GGS IP University India
Dr. S. K. Gupta Professor, IIT Delhi India
Dr. K. V. Arya Associate Professor, IIITM, Gwalior India
BRIG. Dr. S.S. Narula Director, Gitarattan International Bussiness School India
Dr. Sarika Sharma Director, JSPM'S ENIAC Institute of CA, Pune India
Dr. S.K.M. Bhagat Prof. & Head, MIT Academy of Engg., Pune India
Dr. Jack Ajowi Jaramogi Oginga Odinga University of Sci. & Tech. Kenya
Dr. Srinivas Sampalli Professor, Dalhousie University, Halifax Canada
Dr. Ijaz A. Qureshi V.P. Academic Affairs, JFK Inst. of Tech. and Mgmt. Pakistan
Aryya Bhattacharyya Director, CIP, Columbus State University US
Dr. M. M. Schiraldi Assistant Professor, 'Tor Vergata' University of Rome Italy

Executive Editorial Advisory Board Members

Name Designation, Organization/ University Country


Ms. Kanika Trehan Editor - Cyber Times, New Delhi India
Mr. Rakesh Laxman Patil Editor - Cyber Times, Pune India
Adv. Tushar Kale Cyber Lawyer, Pune India
Adv. Neeraj Aarora Cyber Lawyer, New Delhi India
Mr. Sanjeev Sehgal HOD, SJP Polytech, Damla, Haryana India
Mr. Rajinder Kumar Bajaj GM, Satake India Engg. Pvt. Ltd., (Japan) India
Dr. B. M. Patil Associate Professor MIT, Pune India
Dr. R. K. Sharma Professor, Bharati Vidyapeeth,(BVIMR), N. Delhi India
Dr. Rajesh S. Prasad Professor, DCOER, Pune University India
Dr. Binod Kumar Associate Professor, MIT Academy of Engg, Pune India
Dr. Vimal Mishra Head, UPTE, UP India
Dr. V.N. Wadekar Prof. & Head, MIT college of Engg. CMSR, Pune India
Dr. M.D. Goudar Associate Prof. & Head, Pune University India
Dr. Mohd. Rizwan Alam Sr. Lecturer, Amity University Dubai
Dr. Y.P. Singh Director, KLSIET, UP India
PART-I
TECHNOLOGY

CONTENTS

SECTION-I
Research Papers

1. Symbiotic Association Between Cyber Security and Website Testing 01
Rajiv Chopra & Dr. Sushila Madan

2. Hybrid Approach of Face Recognition 06
B. Mohd. Jabarullah, Sandeep Saxena, Dr. C N Kennedy Babu & Dr. Mansaf Alam

3. An Improved and Scalable Digital Image Encryption Method Based on One-Dimensional Random Scrambling 13
Madhu Rohini V, Balaji Venkatesh, A. Bhavana, N. Ravi Shankar & M. Seshu Kumar

4. Key Compromise Resilient Privacy Provisioning in Vertically Partitioned Data 18
S KumaraSwamy, Manjula S H, K R Venugopal, Iyengar S S & L M Patnaik

5. Security Against Keyloggers Using Pattern Based Locking Systems 30
Purnesh Tripathi

6. Two Factor Based Authentication Using Keystroke Biometrics 35
Shaveta Tatwani, Neeru Dubey, Nitya Vij, Tanvi Jain & Priyanka

7. Social Networking and Media: Current Applications and Considerations 42
Ishita Khar & Dr. Sharmishtha Bhattacharjee

8. Cloud Computing- A Breakthrough In The Obsolete Methods of Computing 48
Mr. Shahnawaz Sarwar & Miss Aiman Zubair

9. A Comprehensive Approach of Wireless Data Glove Using Gesture Recognition Technique towards Development of a Supporting System for Aged And Disabled People 53
Prof. Shantanu A. Lohi, Prof. Harish Gorewar, Prof. R. N. Jogekar & Prof. Sandeep S. Ganorkar

10. Experimental Analysis of Stabilizing B.C. Soil with Murrum and Rice Husk Ash 63
B D Ramteke & Neetu B Ramteke

11. Analytical Study of Attacks on Manets Based On Layered Architecture 66
Tushar Saxena & Nandini Deb

12. Impact of E-Learning And Knowledge Management In Indian Rural Education 73
Shallu Joshi

13. Performance Analysis of SCTP Based Remote Monitoring Systems against Service Failures 79
Piyush Yadav, Amit Sehgal & Rajeev Agrawal

14. Cloud Computing: ‘Analyses of Risk Involved in Cloud Environment’ 87
Sonali Bajaj & Dr. Sharad Saxena

15. Ann Based Fault Detection & Classification of A 400 Kv Electrical Transmission Line 95
Gaurav Gangil & Prof. Rakesh Narvey

16. Design & Analysis of Documentation Taxonomy Approach with Algorithmic Fusion towards Ambiguity Free Results for English Idiolect 102
Snehal A. Lohi & Prof. Rishi Kant Malviya

17. Computing Network Reliability where Nodes are Imperfectly Reliable and Links are Perfectly Reliable 108
Moirangthem Marjit Singh

18. Predicting the Consumption Behavior of Smart Phones Using Social Media 114
Disha Verma & Kanika Minocha

19. An Experimental Approach to Study the Terminal Fall Velocity of Particles in Different Types of Fluids 121
M. N. Umare, Prof. (Dr.) A. G. Bhole & Dr. D. P. Singh

20. Qualitative Analysis of Different Routing Protocols in Mobile Ad Hoc Network 126
Tushar Saxena, Rahul Raj & Prabhat Kumar

21. An Online Fuzzy Expert System using Rule Advancement Strategy for Specific Domain 135
Abhishek Goel, Arun Solanki & Ela Kumar

22. Green Database 141
Pranav Kharbanda, Varun Chauhan & Sumit Jain

23. Re-Ranking Web Search Result for Semantic Searching 148
Rutuja Ajmire, Prof. A. V. Deorankar & Dr. P. N. Chatur

24. Implementation of Automatic Wrapper Adaptation System Using Dom Tree for Web Mining 154
A. A. Tekale, Dr. Rajesh Prasad & S. S. Nandgaonkar

25. DDA Based Approach For Object Tracking & Detection In Large Motion Videos 164
Dimple Chawla

26. Security Compliance Challenges On Clouds 172
Yury Chemerkin

27. Modern Media: A Tool For Elt In Intercultural Communication 198
Kumari Pragya

28. Microstrip Antenna Design Analysis Using Neural-Network 206
Shyam Babu

29. Efficient Auto Code Generation from UML Diagrams Using Semantic Platform and DSL Semantic Annotations 214
Prof. Sonali R. Idate & Prof. Kavita B. Supugade

30. Data Mining: Tools and Techniques 222
Swati Aggarwal & Preeti Raheja

31. Unraveling The Challenges Faced By Indian E-Governance 231
Priyanka Tayal & Dr. Alpana Kakkar

32. Intelligent and Synchronized Signal System for Urban Areas 239
Prashant Pathak

33. Various Methods Of Wireless Power Transmission Technologies for Solar Power Satellites 242
Guru Raj C, Amita Murthy & Kendaganna Swamy

34. Efficient Method for Detection & Mitigation of Inconsistencies from all UML Diagrams Based on Description Logic Rules During the Owl Generation 249
Prof. Sonali R. Idate & Prof. Nilam I. Dalvi

35. Availability Analysis of Various Systems of Brewery Plant-A Review 255
Sunil Kadiyan, Deepanjali Nimker & Uma Gautam

36. Power Quality Analysis Using Various Techniques: A Review 263
Rajeev Kumar Chauhan & J. P. Pandey

37. A Review on Different III-V Multijunction Solar Cells 271
Kiran Balaji P.S, Shashiraj Yadav & Kendaganna Swamy

38. Neural Steganography: An AES-256 Bit PRP & Pseudo Random Hash Based Neural Cryptographic Technique for Image Steganography 278
Gaurav Indra, Chesta Agarwal, Pawandeep Kaur & Aastha Diwan

39. Demand Forecasting Of Spare Parts Store By Moving Average Method and Verification By Exponential Method 287
Sharda Pratap Shrivas, S. Gangopadhayay & Aruna Thakur

40. Data Mining: A Mode To Reform Today’s Higher Learning Institutions Through Performance Indicators 292
Meenu Chopra & Dr. Mamta Madan

SECTION-II
RESEARCH ARTICLES

41. Cyber Crime: A Challenge Ahead With Special Reference to Chandigarh Police 298
Narinder Singh

42. “Killed Two Birds With One Stone: Secure Data With Cloud” 307
Smita Bajpai

43. Analysis Of Tests Laid Down By Courts To Determine Copyright Violation In Computer Software 319
Mr. Atmaram Fakirba Shelke

44. CYBER LAW: Various aspects of Cyber Legal System 326
S. Sai Sushanth

SECTION-III
CASE STUDY

45. A Comparative Study of Various CPU Scheduling Simulator 335
Ms. Prerna Ajmani & Ms. Amanpreet Kaur

46. Penetration Testing/ Cyber Security Assessment - XYZ Company 340
Parveen Sadotra & Dr. Anup Girdhar
SECURITY COMPLIANCE CHALLENGES ON CLOUDS
Yury Chemerkin
Independent Security Researcher / PhD in progress
Russian State University for the Humanities (RSUH), Moscow, Russia
Email: [email protected]

ABSTRACT
Today cloud vendors provide a number of integration and optimization features in many fields
like business or education; there are many ways to adopt them for medical purposes, for
maintaining medical records, or for monitoring patients. Not all cloud solutions have totally
changed the original security paradigm, and customers still need to manage accessibility,
monitoring and auditing. Security and privacy become a very important issue that leads the
customers to choose an appropriate security level. The compliance part of security is a
cornerstone idea, especially when the cloud vendors talk about and refer to worldwide security
standards and best practices.

Keywords: cloud security, compliance, amazon web services, aws, csa cloud controls
matrix, csa, cmm, caiq, csa consensus assessments initiative questionnaire

I. INTRODUCTION

Cloud computing has been one of the top security topics for the last several years. The
growing popularity of clouds [1] rests on the flexibility of virtualization as a technology for
replacing and improving complex parts of systems, reducing unnecessary computation and
making better use of existing resources. Besides the well-known threats, clouds introduce a
new security and management level. Clouds transform a small application into a large
infrastructure that manages itself (IaaS), with quick and easy access to any data. Cloud
security vendors (not only cloud vendors, but vendors of almost every kind) claim that the
end-user companies prefer cost reduction over security in order to reduce the operational
complexity of their clouds (or systems), which eventually ends with a lower amount of
security than the end user would accept. Some security questions about clouds are: how is it
implemented, how are the data and communication channels secured, how secure are the
cloud and application environments, etc. For example, the well-known phrase “physical
security does not exist in clouds” makes no serious sense, because the situation is the same
as it was when hosting services arrived. With each new technology, the customer must make
improvements over the default configuration. If the virtual OS is a Windows Server, then
that OS has much the same security and patch management state as a desktop/server OS. In
addition, it is a matter of trust, no different from downloading and buying third-party
solutions, which might be no more trustworthy than a cloud vendor (they are all third-party
solutions). The cloud simply uses well-known protocols like SMTP, HTTP, SSL, TCP/IP, etc.
to communicate, send email, handle files and perform other activities. Methods that are
compliant with the relevant RFCs should be taken as acceptable. Standards like the ISO
27001 series still provide a measure of information security, but only as a minimum security
set. However, a key problem is the lack of a systematic analysis of security and privacy for
such cloud services. Third-party organizations like the Cloud Security Alliance (CSA)
promote their best practices and questionnaires to improve cloud security and maintain a
registry of cloud vendors' security controls to help users make the right choice in the
security field.

This research examines and highlights the security matters that form the background for
cloud security, best practices and security standards: the aspects the customers rely on as a
trustworthy level and, at the very least, as a minimum security set. Enterprises need to
comply with the different regulations and standards (PCI, CSA, HIPAA, ISO, etc.), and they
also need to prove compliance with security standards. The aim of the research is to examine
whether the security standards, regulations and best practices (where they exist) let the
cloud vendors or their customers successfully pass the cloud audit checks and claim
compliance, given the different security features between clouds, not to mention the
different configurations that meet different business needs and processes. The general
guidelines in such documents operate at a high level, which makes them unclear: they miss
useful security countermeasures and add superfluity to the customer's view of the system
(cloud) they are applied to.

II. RELATED WORK

Nowadays, AWS is one of the most popular cloud platforms. It offers virtual computing,
storage, VPN, archiving, monitoring, health watching, email and other services as an
environment for a user to run applications, store data, operate with events and deliver event
data through different services and in different ways. AWS offers many services with
greater accessibility, which is important when merging into the cloud. GAE [5] is one more
cloud, for running only web applications written in interpreted and scripting languages like
Java/Python, but it has limited features (security and the rest). Windows Azure makes data
spreading its cornerstone, via neither storage nor web server [6]. These different goals have
a huge influence on security, while all of them were built in accordance with best practices
and have well-documented security controls.

As we have enough security problems and an even greater quantity of security solutions to
solve these problems on the one hand, and standards with best practices that are
successfully applied to the clouds (according to the cloud vendors) on the other hand, it
should be analyzed whether it is really so difficult to pass the cloud compliance audit in
accordance with these documents. In this paper, the AWS services are examined as the ones
most similar to known existing technologies. The modern recommendations for clouds are at
least quite similar to those given in Table I, but refined to low-level details like “you should
choose the cloud vendor that offers encryption, but you cannot choose those vendors that
offer strong encryption, e.g. AES”, which makes little sense. The answer to “why” relies on
the customers' willingness to see an action to take, like ‘whether they should rely on this
AES encryption or they need to encrypt their data before uploading’. It works successfully
when the customers need to cover all clouds (however, then it is obliged to provide more
details) in order to choose those providing more security, but it is bad for clouds that
provide many services and security features, because it consists of basic rules only.

TABLE 1: THE COMMON SECURITY RECOMMENDATIONS

Object | What to do
Data Ownership | Full rights and access to data
Data Segmentation | Isolation of data from other customers’ data
Data Encryption | Data encryption in transit/memory/storage, at rest
Backup/Recovery | Availability for recovery
Data Destruction | Ability to securely destroy data when no longer needed
Access Control | Who has access to data?
Log Management | Data access that is logged and monitored regularly
Incident Response | Are there processes and notifications in place for incidents (including breaches) that affect data?
Security Controls | Appropriate security and configuration control for data protection
Patch Management | Patching for the latest vulnerabilities and exploits?

One more example is how such documents may substitute for the customer's understanding.
NIST [25] talks about cloud limits on security: “the ability to decide who and what is
allowed to access subscriber data and programs … the ability to monitor the status of a
subscriber’s data and programs …”, which may, by mistake and without knowledge of the
cloud infrastructure, be read as “no cloud provides such abilities”. Another misconception
concerns the cloud firewall: the opinion that cloud features are useless because of the
following statement that a cloud firewall should provide centralized management, include
pre-defined templates for common enterprise server types and enable the following:
• Source and destination addresses & ports filtering
• Coverage of protocols, DoS prevention
• An ability to design policies per network interface
• Location checks to monitor who accessed the data and from where

Besides such detailed ‘how-to’ sets, there are enough statements that the clouds cannot
provide this, so it is still seen as a security hole, while some of them (e.g. AWS) provide
these features. Table II [7] shows a brief difference between AWS and Azure on compliance
versus documented technologies to secure and protect data. As a part of ‘non-transparency’,
it is quite interesting that the different security features and controls offered have passed
e.g. ISO 27xxxx, while the difference between the clouds (compared with each other) looks
like a medium reduction. The cloud attributes examined in [2] are backup, encryption,
authentication, access controls, data isolation and monitoring, security standards, disaster
recovery, client-side protection, etc. In addition, that paper provided a medium-detailed
comparison of what exactly each cloud vendor offers to its clients (AWS, Azure, GAE). The
authors presented the cloud security/privacy attributes mapped to NIST guidelines, which
helps in examining security standards. [3] and [4] give a brief examination of AWS S3, and
GAE [26] provides us with more details, but a summary comparison over [2-6], [10], [12],
[15], [21] makes clear that AWS offers the most powerful and flexible features and services;
however, AWS was examined less deeply (FAQ examination only) in [2-6] than in [7], [45].

TABLE 2: COMPLIANCE DIFFERENCE BETWEEN AWS AND AZURE

Type | Feature | AWS | Azure
Compliance | ISO 27001, CSA, HIPAA | + | +
Compliance | PCI DSS, FISMA, FIPS 140-2, NIST | + | N/A
Physical Security | Actions, events logging, logs audit | + | +
Physical Security | Minimum access rights | + | +
Physical Security | Auto revocation of access after N days, role changed, MFA, escort | + | N/A
Data Privacy | Backup, redundancy across the location | + | +
Data Privacy | Redundancy inside one geo location, encryption, DoD/NIST Destruction | + | N/A
Network Security | MITM Protection, Host-Based Firewall (ip, port, mac), Mandatory Firewall, Hypervisor protection from promiscuous mode | + | +
Network Security | Pentesting offer of services | + | -
Network Security | Pentesting offer of apps | + | +
Network Security | DDoS Protection, featured firewall | + | N/A
Credentials | Login and Passwords, SSL | + | +
Credentials | Cross account IAM, MFA hardware/software, Key Rotation | + | N/A

Such recommendations may also advise different sanitizing techniques to use on the client
or cloud side. Effective and efficient sanitization is a forensics matter. There are a lot of
methods and techniques, but some of them rely on brute-force wiping, which is extremely
wasteful for the clouds for financial reasons. ERASERS, proposed in [43], computes the
entropy of each data block in the target area and then wipes that block with a specified
number of passes and pattern. Patterns and entropy are valuable because the file types
(docx, mp3, odf, pgp, acid*) have quite different characteristics. This means that ERASERS
has many subpopulations, each of which is applied to certain cases. It gives faster wiping
than regular brute-force overwriting methods. As disk sizes increase up to petabyte scale
(recently AWS started to offer such storage), the brute-force methods are becoming nearly
impossible in terms of time. Many drives contain areas that do not have data needing
overwriting, as is known for SSDs, which shuffle data between data blocks every time but
keep the encrypted area untouched. According to NIST SP800-88 [44], “studies have shown
that most of data can be effectively cleared by one overwrite with random data rather than
zeroing”. The original version of DoD 5220.22-M (the one AWS implements) recommends a
3-pass wipe with one pass of a uniform character, one pass of its complement, and one pass
of random characters, while the current DoD 5220.22-M does not specify the number of
passes or the pattern. As ERASERS shows good results, it should be implemented for AWS
EC2 or other cloud VM services as an additional and lower-cost protection (surely, the price
differs, but it comes down each time).

One of the most serious works on AWS security [27] gives its results as a "black box"
analysis methodology in regard to the control interfaces (AWS EC2 and S3) compromised
via novel signature wrapping and advanced XSS techniques, HTML injections, as well as
SOAP validation issues and man-in-the-middle attacks. The authors also examined possible
ways of protection and found that the AWS EC2 & S3 services do not provide suitable
opportunities to implement their solutions. Despite that, solutions were found based on the
available (native) security features of AWS to protect against these attacks [28]:
• Utilizing SSL/HTTPS only, with certificate validation, and utilizing API access
mechanisms like REST/Query instead of SOAP
• Activating access via MFA and creating IAM accounts limited in access, with AWS
credential rotation enhanced with key pairs and X.509 certificates
• Limiting IP access, enhanced with API/SDK & IAM

Virtualization refers to a hypervisor, while a virtual machine works with a configured
snapshot of an OS image and requires well-known shared resources like memory, storage or
network. It is generally agreed that, although the hypervisors isolate these shared resources
without affecting other instances, the VMs can be trusted in few cases only, as they are
vulnerable to the best-known Xen attacks; however, no Xen vulnerability has been applied
to the AWS services, according to [29] as an example.
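As an added illustration of the entropy-driven sanitization idea described above (this is not ERASERS' own code; the mapping from block entropy to pass count is an assumption made here, as are the block size, the entropy threshold and the fill byte): all-zero blocks are skipped, high-entropy blocks get the single random overwrite that the NIST SP800-88 quote describes, and everything else gets the original DoD 5220.22-M three passes.

```python
import math
import os

BLOCK_SIZE = 4096      # bytes per block (assumed for this demonstration)
HIGH_ENTROPY = 7.5     # bits per byte; above this a block looks encrypted/compressed (assumed threshold)
FILL = 0x55            # uniform character for the first DoD 5220.22-M pass (assumed value)


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated byte, 8.0 when all 256 values are equally frequent."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plan_block(block: bytes) -> list:
    """Choose the overwrite passes for one block from its content.

    The mapping is an assumption for the demonstration, not the ERASERS rule set:
      - all-zero block: nothing to overwrite, skip it
      - high-entropy block: one random pass (the NIST SP800-88 single random overwrite)
      - anything else: the original DoD 5220.22-M passes (uniform character, its complement, random)
    """
    if not any(block):
        return []
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return ["random"]
    return ["uniform", "complement", "random"]


def overwrite(block: bytes, passes: list) -> bytes:
    """Apply the passes in order; each pass rewrites the whole block."""
    buf = bytearray(block)
    for p in passes:
        if p == "uniform":
            buf[:] = bytes([FILL]) * len(buf)
        elif p == "complement":
            buf[:] = bytes([FILL ^ 0xFF]) * len(buf)
        elif p == "random":
            buf[:] = os.urandom(len(buf))
        else:
            raise ValueError(f"unknown pass {p}")
    return bytes(buf)


def wipe_image(image: bytes):
    """Wipe a raw image block by block; returns the wiped bytes and counters per block category."""
    out = bytearray()
    stats = {"skipped": 0, "one_pass": 0, "three_pass": 0, "passes": 0}
    for off in range(0, len(image), BLOCK_SIZE):
        block = image[off:off + BLOCK_SIZE]
        passes = plan_block(block)
        stats["passes"] += len(passes)
        if not passes:
            stats["skipped"] += 1
        elif len(passes) == 1:
            stats["one_pass"] += 1
        else:
            stats["three_pass"] += 1
        out += overwrite(block, passes)
    return bytes(out), stats


def brute_force_passes(image: bytes) -> int:
    """Pass count of a fixed three-pass wipe over every block, for comparison."""
    return 3 * math.ceil(len(image) / BLOCK_SIZE)


def sample_image() -> bytes:
    """Constructed three-block image: an unused (all-zero) block, a document-like block, and
    a block in which every byte value occurs equally often, standing in for encrypted data."""
    zero = bytes(BLOCK_SIZE)
    text = (b"quarterly report body text " * (BLOCK_SIZE // 27 + 1))[:BLOCK_SIZE]
    cipher_like = bytes(range(256)) * (BLOCK_SIZE // 256)
    return zero + text + cipher_like


if __name__ == "__main__":
    img = sample_image()
    wiped, stats = wipe_image(img)
    print(stats, "brute-force passes:", brute_force_passes(img))
```

On the constructed image the content-aware plan needs 4 passes where the fixed three-pass wipe needs 9, which is the saving the paper attributes to ERASERS.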
›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– 175
‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵
applied to the AWS services according to the III. EXAMINATION THE CSA
[29] as an example. This brings us to DOCUMENTS ON CLOUDS
understanding the term “customize” in The CSA documents provide vendors and
regards to the clouds. Other ability to control their customers with a medium-detailed
due the Intel AMT commands [30] or else is overview what the statements do the cloud
applied for VMware but there is not known security & compliance features applied to as
successful implementations for AWS, it defined in the Cloud Security Alliance
Azure, GAE or other clouds. Also may have (CSA) and Cloud Control Matrix (CCM).
a serious performance problems due The cloud vendors or 3rd party cloud
overloading the virtual OS with analysing providers may announce that their services
CPU commands and system calls, regardless operate in according to these
of where the trusted/untrusted control agents recommendations: However, the customers
are, multiplied by known issues the best of have a responsibility to control their
all demonstrated in case of GPU [31]. environment and define whether it is really
configured in compliance to CSA best
There are security virtualization issues even practices. In other words, how much are
in clouds, no doubt and it should be taken in cloud controls and configurations
consideration that clouds have a builtsecurity transparent to the appropriate policies and
configuration to protect against most known procedures in accordance with their
attacks or new-coming, it still need to be regulatory requirements. Here the
patched or monitored installed and managed regulations meet the technical equipment as
the host-based firewalls and IDS, etc. One a public technical proof is going to be
exciting example [32] talks about an examined at first from that point. Each
incorrect behavior in the SSL certificate control ID will be kept to find it CAIQ [35]
validation mechanisms of AWS SDK for & CCM [34], while his explanation is
EC2, ELB, and FPS. Despite of that, AWS rewritten to reduced amount of text and
has updated all SDK (for all services) to grouped by domain/control group, similar
redress it [33]. questions/metrics. Also, the CID covers a
CAIQ and CCM together.

TABLE 3: AWS SOLUTIONS AGAINST A CAIQ

CID: CO-01.1
Question: Any certifications, reports and other relevant documentation in regards to the standards.
AWS Response: AWS has this one and provides it under NDA.

CID: CO-02.1-7
Question: An ability to provide the tenants with the 3rd party audit reports, and to conduct the network/application cloud penetration tests as well as internal/external audits regularly (in regards to the guidance), with results.
AWS Response: AWS engages with independent auditors reviewing their services and provides the customers with the relevant 3rd party compliance/attestation/certification reports under NDA. Such audit covers regular scans of their (non-customer) services for vulnerabilities [41-42]; the customers are also able to make a pentest [40] of their own instances under the tentative agreement.

CID: CO-03.1-2
Question: An ability to perform the vulnerability tests for customers (meaning their own tests) on applications and networks.
AWS Response: Customers are able to perform it after a permission request (an email with the instance IDs and the period) via the AWS Vulnerability/Penetration Testing Request Form [40].

CID: CO-04.1
Question: A person is responsible to contact local authorities in accordance with contracts and appropriate regulations.
AWS Response: AWS does contact local authorities, industry organizations, and regulatory bodies according to ISO 27001.

CID: CO-05.1-2
Question: An ability to logically split the tenants' data into segments (additionally, by encryption), as well as data recovery for specific customers in case of failure or data loss.
AWS Response: Despite the flat space implemented in AWS services, all data stored by the customers has canonical isolation by path and additional security capabilities like permissions, personal entry points to access the data, as well as MFA. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions). Additionally, the customer can use any cloud services offering a backup from and to AWS services, like SME Storage for various cloud vendors (AWS S3, Azure, Dropbox, etc.) or Veeam Backup Cloud Edition for VMs (AWS, Azure, etc.).

CID: CO-06.1, CO-07.1, CO-08.1
Question: Documented policies on a tenant's intellectual property protection.
AWS Response: It is in alignment with COBIT, ISO 27002 and the PCI Data Security Standards.

CID: DG-01.1
Question: An implementation of a structured data-labeling standard.
AWS Response: Depends on the customers' needs and their requirements.

CID: DG-02.1-5
Question: An ability to identify the VM via policy tags/metadata to perform any quality control/restrict actions, like identifying hardware via policy and tags/metadata, using the geo location as an authentication factor, providing a physical geo location, allowing to choose suitable geo locations for resources and data routing.
AWS Response: The tenants are able to apply any metadata and tagging to the EC2 VMs to set user-friendly names and enhance searchability. AWS offers several regions (partially described in [38]), and which one is used can be chosen at the beginning of data pulling. Each of them is covered by a geo location policy and access, and is able to be restricted by SSL, IP address and time of day. They offer moving data between each other, directly by the customers or via API and SDK.

CID: DG-03.1
Question: Any policies and mechanisms for labeling, handling and security of data.
AWS Response: As the customers retain ownership, they are responsible to implement it.

CID: DG-04.1-2
Question: The technical capabilities to enforce tenant data retention policies and a documented policy on government requests.
AWS Response: The customers have the capability to manage retention, control, and delete their data, except the case when AWS must comply with law.

CID: DG-05.1-2
Question: A secure deletion (e.g. degaussing / cryptographic wiping) and providing the procedures for how a cloud vendor handles this deletion.
AWS Response: At the end of a storage device's useful life, AWS performs a decommissioning process to prevent data exposure via DoD 5220.22-M/NIST 800-88 techniques. In addition, the device will be degaussed or physically destroyed.

CID: DG-06.1
Question: A replication of production in non-production environments.
AWS Response: AWS provides the ability for (non-)production environments and delegates the responsibility to the customers to manage it.

CID: DG-07.1-2
Question: A presence of controls to prevent data leakage / compromise between AWS' tenants.
AWS Response: There were no known serious security bugs of the AWS environment successfully applied, or that cannot be 'patched' by using the implemented PCI controls [27-29] and other security controls that keep the customer resources segmented from each other. As well, a hypervisor is designed to restrict non-allowed connections between tenant resources, which has been validated by an independent PCI QSA against PCI DSS 2.0, according to AWS.

CID: DG-08.1
Question: An availability of control health data to implement continuous monitoring to validate the services' status.
AWS Response: AWS provides the independent auditor reports under NDA, and customers can build continuous monitoring of logical controls on their own systems, additionally implementing [38].

CID: FS-01.1
Question: Any 'evidence' if the policies are established for having a safe and secure working environment in offices and other areas?
AWS Response: AWS is certified by independent auditors to confirm alignment with AWS SOC 1 Type II and the ISO 27001 certification standard (domain 9.1).

CID: FS-02.1
Question: A background verification (e.g. criminal) of AWS employees, contractors and 3rd parties.
AWS Response: According to AWS, they perform such checks in compliance with law.

CID: FS-03.1, FS-05.1
Question: An implementation of the physical security perimeters, providing the secure areas protected from unauthorized personnel actions.
AWS Response: AWS has implemented various physical security controls like fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means in alignment with ISO 27001. It extends by utilizing video surveillance and a requirement for staff to pass two-factor authentication a minimum of two times to access datacenter floors.

CID: FS-04.1
Question: An ability to provide the customers the knowledge of which geo locations their data traverses into/out of, in regards to the law.
AWS Response: AWS commits not to move a customer's content without notifying them, in compliance with the law. The rest is similar to DG-02.5.

CID: FS-06.1, FS-07.1
Question: Availability of docs that explain if and where data may be moved between different locations (e.g. backups), repurposing of equipment, as well as sanitizing of resources.
AWS Response: AWS leaves it to the customers to manage the data locations. Data will not be moved between different regions, only inside those that were chosen, to prevent failure. The rest is similar to DG-05.1-2 (talks about the AWS side only).

CID: FS-08.1-2
Question: An inventory of critical assets, critical supplier relationships.
AWS Response: The hardware assets are monitored by AWS personnel, and maintaining the relationships with all AWS suppliers is in compliance with ISO 27001 (domain 7.1) for additional details.

CID: HR-01.1, HR-02.1-2, HR-03.1
Question: A background verification (e.g. criminal) of AWS employees. The security courses and training of employees.
AWS Response: Similar to FS-02.1. Also, AWS does publish the Company's Code of Business Conduct and Ethics internally and regularly trains employees, which is documented and validated periodically. Other responsibility is shared across HR.

CID: IS-01.1, IS-02.1, IS-03.1-3
Question: A description of the ISMP in the documents, with clear direction, assignment and verification for supporting information security that complies with ISO-27001/22307, CoBIT, etc. Any documents showing the evidence of mapping it in compliance to the regulations.
AWS Response: AWS does publish (under NDA) the documentation about it, in alignment with ISO and certified by independent auditors, as well as the policies based upon COBIT/ISO 27001/PCI DSS.

CID: IS-04.1-3
Question: An ability to provide the documents with security recommendations per each component, importing the trusted VMs, as well as a capability to continuously monitor and report the compliance.
AWS Response: Customers are able [11] to use their own VMs via image importing with AWS VM Import, and AWS Import/Export accelerates moving large amounts of data in/out in case of backup or disaster recovery. The rest is similar to DG-08.1 in regards to ISO (domain 12.1, 15.2).

CID: IS-05.1
Question: An ability to notify the customers on information security/privacy policy changes.
AWS Response: Although AWS provides a lot of how-to docs, binaries & sources [8-24], [28-29] that are regularly updated, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified.

CID: IS-06.1-2
Question: Any sanctions for employees who have violated security policies.
AWS Response: According to AWS, if a violation happens, the appropriate disciplinary action follows.

CID: IS-07.1-2
Question: Established controls to remove the employees' access which is no longer required, and how quickly it is removed.
AWS Response: According to AWS docs, any 'redundant' access is automatically revoked when an employee's record is terminated or changed along with his job functions in Amazon's HR system. If the employee was not fired, he will be reassigned new access rights, which are reviewed every 90 days.

CID: IS-08.1-2
Question: Docs describing how the cloud vendor grants and approves access to tenant data, and whether the provider's and tenant's data classification methodologies are aligned with each other.
AWS Response: The customers as data owners are responsible for the development, content, operation, maintenance, and use of their content.

CID: IS-09.1-2
Question: A revocation/modification of user access to data upon any change in status of employees, contractors, customers, etc.
AWS Response: Amazon provides enough security control to maintain an appropriate security policy and permissions not to let the data spread if it is explicitly not allowed, which is also built by AWS. The rest is similar to IS-07.1-2 in regards to AWS staff.

CID: IS-10.1-3, IS-11.1-2
Question: A certification of entitlements for system administrators (exclusive of tenants), with remediation in case of inappropriateness, and a security awareness training program for cloud-related issues for administrators and engineers.
AWS Response: AWS reviews the access grants every 90 days and reapproves or explicitly assigns the new access grants, even if they are the same (SOC 1 Type II report, ISO 27001, domain 11.2). The training course is quite similar to IS-06.1-2.

CID: IS-12.1-2
Question: A participation in the security groups, with benchmarking of the controls against standards.
AWS Response: AWS policies are based on COBIT, ISO 27001/27002 and PCI DSS.

CID: IS-13.1
Question: Documentation clarifying the difference between administrative responsibilities vs. those of the tenant.
AWS Response: AWS provides these roles among the general security documents (i.e. not among the specific services' documents).

CID: IS-14.1, IS-15.1
Question: Responsibilities for maintaining awareness of and complying with security policies, procedures and standards that are relevant to an area of responsibility, with docs on how segregation of duties is maintained.
AWS Response: Each employee has a Company's Code of Business Conduct and Ethics and has to complete periodic training. Customers should manage the segregation of duties by themselves. The rest is certified by independent auditors.

CID: IS-16.1-3
Question: Informing the users of their responsibilities in regards to the security policies, standards, regulations and rules on how to keep the equipment.
AWS Response: AWS provides various ways to train the employees (newly hired employees; others by emails in the AWS intranet) so that they understand their roles and responsibilities, which is certified by independent auditors.

CID: IS-17.1-3
Question: Any policies to address the conflicts of interest on SLA, tamper audit, software integrity, and to detect changes of VM configurations.
AWS Response: AWS provides the details in the AWS SOC 1 Type II report in compliance with ISO 27001 (domain 8.2, 11.3), validated by independent auditors.

CID: IS-18.1-2, IS-19.1-4
Question: Ability to create and manage unique encryption keys per tenant, to encrypt data to an identity without access to a public key certificate (identity based encryption), as well as to protect tenant data during network transmission, in VMs, DBs and other data via encryption, and to maintain key management.
AWS Response: If keys are created on the server side, AWS creates the unique keys and utilizes them; if it is done on the client side with their own or 3rd party solutions, only the customers can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.

CID: IS-20.1-6
Question: An ability to perform vulnerability scans in regards to the recommendations on the application layer, network layer and local OS layer, and patching them. Providing the info about issues to AWS, who makes it public.
AWS Response: Similar to CO-03.1-2 but in more detail: the customers should perform vulnerability scans and patching, despite the VMs' OS coming with the latest updates; they are obliged to come to the agreement with AWS and not violate the Policy. Also similar to CO-02.6-7 on providing the results [40],[41-42].

CID: IS-21.1-2
Question: Availability of AV solutions and updated signatures, lists or behavioral patterns.
AWS Response: AWS does manage AV solutions & updates in compliance with ISO 27001, confirmed by independent auditors.

CID: IS-22.1
Question: A document specifying the roles and responsibilities of AWS and tenants in handling security incidents?
AWS Response: AWS has this one in compliance with ISO and provides the AWS SOC 1 Type II Report.

CID: IS-23.1-2, IS-24.1-4
Question: An ability of a SIEM to merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting. Additionally, providing isolation of certain customers during an incident. A capability to freeze data from a specific point in time, and to use forensic data collection and analysis techniques.
AWS Response: AWS has this one in compliance with ISO and provides the results in the AWS SOC 1 Type II Report. AWS has the incident response program in compliance too. Even though the customers' data is stored with strong isolation on the AWS side and with restrictions made by the customers, additional materials (SOC 1 Type II report) must be requested to clarify all questions on forensics. All data should be encrypted on the client side, because that leads to the customers' direct participation with the law, as AWS does not have the keys in this case.

CID: IS-25.1-2
Question: An ability to monitor the effects of security incidents and share the results with the customers.
AWS Response: AWS does it in alignment with ISO 27001, validated by independent auditors.

CID: IS-26.1-3
Question: An ability to collect or create metadata about the customers' data and provide documentation making clear what may be utilized and how.
AWS Response: According to AWS, only the customers manage and control their data.

CID: IS-27.1-2
Question: An ability to provide a monitoring system to check for privacy breaches, notify the customers, and provide a confirmation that the privacy policy is aligned with industry standards.
AWS Response: The customers are responsible for handling the security and privacy.

CID: IS-28.1-2, IS-29.1
Question: An ability to use open encryption (3DES, AES, etc.) to let tenants protect their data in storage and in transfer over public networks. As well, an availability of logging, monitoring and restriction of any access to the management systems (controlled hypervisors, firewalls, APIs, etc.).
AWS Response: AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions). Customers may use third-party encryption technologies too, as well as rely on the AWS APIs, which are available via SSL-protected endpoints. AWS has a logging feature, delineates the minimum standards for logical access to AWS resources and provides details in the AWS SOC 1 Type II report.

CID: IS-30.1
Question: Securing and providing dedicated secure networks to establish management access to the clouds for administrators?
AWS Response: AWS systems are designed to protect the management console, but the administrators must use MFA devices to gain access to the clouds. In addition, every 90 days their access rights are reviewed, and all such actions are reviewed and audited.

CID: IS-31.1-2
Question: An ability to collect and utilize the data and provide the tenants with reports.
AWS Response: AWS does utilize data in compliance with ISO 27001, validated by independent auditors.

CID: IS-32.1, IS-33.1-2
Question: Any restrictions in regards to using portable/mobile devices/PDAs, and to prevent unauthorized access to your application, program or object source code.
AWS Response: AWS has this one, delineates the minimum rights for logical access to AWS resources and provides details in the AWS SOC 1 Type II report.

CID: IS-34.1-3
Question: An ability to monitor and segment/restrict the key utilities managing virtualized partitions (e.g. shutdown, clone, etc.), as well as an ability to detect attacks (blue pill, etc.) on the virtual key components and prevent them.
AWS Response: AWS has this one and provides details in the AWS SOC 1 Type II report. AWS examines such attacks and provides information, if they apply, in the section "Security Bulletins" [36]. An example of a blackbox attack [27],[28] was given in Section II of this paper, with native security features as a solution.

CID: LG-01.1, LG-02.1-3
Question: Periodically reviewing the NDA and other requirements and agreements by legal counsel. An ability to monitor outsourced providers in compliance with laws per country.
AWS Response: Amazon Legal Counsel reviews 3rd party agreements and NDAs according to the business needs. AWS does not leverage any 3rd party cloud providers to deliver AWS services to the customers.

CID: OP-01.1, OP-02.1
Question: Any policies and system documentation available for all personnel to support services operations roles, with information system documentation for authorized personnel.
AWS Response: According to AWS, the policies are in alignment with the AWS Information Security framework, based upon the COBIT framework, the ISO 27001 standard and the PCI DSS requirements. Such docs are available through Amazon's Intranet site.

CID: OP-03.1-2
Question: An ability to provide documentation regarding what levels of system (network, storage, memory, I/O, etc.) oversubscription may be maintained and restricted.
AWS Response: AWS does not disclose the capacity management practices but publishes an SLA to communicate instead.

CID: OP-04.1-5
Question: A capability to perform independent hardware/software restore, replicate recovery actions, and move and port to another cloud vendor.
AWS Response: The customers should use the EBS Snapshot functionality to manage the VM images. Also, they are allowed [11] to export their AMIs to use on premise or at another provider, as well as import their VMs; AWS Import/Export accelerates moving large amounts of data in/out in case of backup or disaster recovery.

CID: RI-01.1-2, RI-02.1-2, RI-03.1-2, RI-04.1
Question: Cloud insurance by a 3rd party for the losses in regards to the cloud vendors and tenants (under the SLA), in alignment with the documented procedures reviewed at least annually, considering all risk categories (e.g., audit results, threat and vulnerability analysis, & regulatory compliance).
AWS Response: AWS provides the detailed customer remuneration for losses in the SLA. The rest, the internal procedures of managing and mitigating the risks, is in alignment with ISO 27001 (domain 4.2, 5.1), validated by independent auditors, with a few details among the AWS risk documents. Any updates to such procedures occur each year.

CID: RI-05.1-7
Question: An ability to provide multi-failure disaster recovery, monitor service continuity with upstream providers in the event of provider failure, and share the redundancy plans with your tenants.
AWS Response: AWS has several geo regions, each of which has several independent Availability Zones designed to move customer data traffic away from the affected area [37].

CID: RM-01.1
Question: Any policies for new development acquisitions.
AWS Response: All newly developed resources are certified by independent auditors in regards to ISO.

CID: RM-02.1, RM-03.1
Question: An ability to obtain documentation that describes the customers' responsibilities within it, and the quality assurance process.
AWS Response: All details are provided in the AWS SOC 1 Type II report. The standards of quality are part of the SDLC in compliance with ISO 27001 (domain 10.1).

CID: RM-04.1-2
Question: An ability to examine the standards of quality against software development and detect source code security defects.
AWS Response: The standards of quality are part of the SDLC in compliance with ISO 27001 (domain 10.1); however, AWS does not generally outsource development of software.

CID: RM-05.1
Question: An ability to restrict the installation of unauthorized software onto the clouds.
AWS Response: AWS does monitor for malicious software in compliance with ISO 27001 (domain 10.4).

CID: RS-01.1, RS-04.1, RS-02.1-3, RS-03.1-2, RS-05.1, RS-06.1, RS-07.1, RS-08.1-2
Question: Risk minimization via disaster recovery policies, SLA, security metrics, and business continuity plans to test the environment regularly; technical solutions providing performance and health visibility with failover capability to other providers, as well as physical protection against damage from natural causes, power failures, and network disruptions. Additionally, an ability to find out the transport route of the customers' data.
AWS Response: Such policies are in alignment with ISO 27001 (domain 14.1). AWS provides the CloudWatch service to monitor the state of AWS EC2, EBS, ELB, SQS, SNS, DynamoDB, Storage Gateway, as well as a status history [38]. AWS provides several Availability Zones in each of six regions to prevent failures, but the customers are responsible to manage it across regions or other cloud vendors via API and SDK. Physical protection is in compliance with ISO 27001 and 27002. Information about the transport routes is similar to FS-06.1.

CID: SA-01.1
Question: Any security/regulatory requirements addressed to the industry certifications on granting access.
AWS Response: The requirements are in compliance with ISO 27001 (domain 6.2) and reviewed by independent auditors.

CID: SA-02.1-7
Question: A capability to use SSO, an identity management system, MFA, a Policy Enforcement Point capability (e.g. XACML), to delegate authentication capabilities, to support identity federation standards (SAML, SPML, WS-Federation, etc.), and to use 3rd party identity assurance services.
AWS Response: AWS IAM [21-24] provides secure access and roles to the resources, with features to control access, create unique entry points for users, cross-AWS-account access via API/SDK or the IAM console, and create powerful permissions with duration and geo auth. AWS offers identity federation and VPC tunnels that allow utilizing existing corporate identities for access, and temporary security credentials. Additionally, the customers may avoid mistakes and risks by using the AWS Policy Generator and MFA devices [39]. The covered services are AWS Auto Scaling, CloudFormation, CloudFront, CloudSearch, CloudWatch, DynamoDB, EBS, EC2, Elastic Beanstalk, ElastiCache, ELB, Elastic MapReduce, RDS, Route 53, S3, SES, SQS, SNS, SimpleDB, Storage Gateway, VPC.

CID: SA-03.1, SA-04.1-3, SA-05.1
Question: Any industry standards as a background for a Data Security Architecture (FedRAMP, etc.), standards (BSIMM, NIST, etc.) to build security into the SDLC, tools detecting security defects and verifying the software. An availability of I/O integrity routines for the application interfaces and DB to prevent errors and data corruption.
AWS Response: AWS Security is based upon the best practices and standards (ISO 27001/27002, CoBIT, PCI DSS), certified by independent auditors, to build threat modeling and completion of a risk assessment as a part of the SDLC. AWS implements this one through all phases, including transmission, storage and processing of data, in compliance with ISO 27001 (domain 12.2), certified by independent auditors.

CID: SA-06.1-2, SA-08.1
Question: An environment separation for SaaS, PaaS, IaaS, and providing the how-to docs.
AWS Response: AWS provides a lot of how-to docs, binaries & sources (as an example [8-24],[28-29]).

CID: SA-07.1
Question: MFA features and a strong requirement for all remote user access.
AWS Response: MFA is not strong and depends on the customer configuration [39].

CID: SA-09.1-4, SA-10.1-3, SA-11.1
Question: A segmentation of system and network environments in line with compliance, law, protection, and regulatory requirements, as well as protection of the network environment parameters.
AWS Response: Internal segmentation is in alignment with ISO and similar to CO-05.1-2, while external segmentation is a part of the customer responsibility. Internally, traffic restriction exists too and has a 'deny/allow' option in EC2/S3 by default (but explicit configuration is recommended), etc. Externally, the customers are able to use SSL, encryption keys, encryption solutions, and security policies to explicitly approve the security settings (AWS, 3rd party or their own) according to the security docs and whitepapers.

CID: SA-12.1
Question: NTP or other similar services.
AWS Response: AWS services rely on the internal system clocks synchronized via NTP.

CID: SA-13.1
Question: Equipment identification as a method to validate connection authentication integrity based on known location.
AWS Response: AWS provides such ability, for example via the AWS metadata, geo tags and other tags created by the customers.

CID: SA-14.1-3
Question: Any host and network IDS to detect and investigate in case of incidents, with audit of user access (authorized personnel).
AWS Response: Similar to IS-22.1 and IS-23.1-2.

CID: SA-15.1-2
Question: Mobile code authorization before its installation, and prevention from executing and using it, according to a clearly defined security policy.
AWS Response: The customers are responsible to manage it to meet their requirements.
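The SA-02.1-7 and IS-30.1 rows above describe IAM permissions bounded by MFA, duration and location, and the IS-28/29 rows mention SSL-protected endpoints. As an added illustration (not the paper's or AWS's own code), the following Python carries a policy document in the real IAM JSON format using the real condition keys aws:MultiFactorAuthPresent, aws:SourceIp, aws:CurrentTime and aws:SecureTransport, together with a deliberately small offline evaluator that models only those operators plus IAM's default-deny and explicit-deny precedence; it is a toy model for reading such policies, not the real IAM engine. The bucket name, the CIDR 203.0.113.0/24 and the expiry date are constructed sample values.

```python
"""IAM-style conditional policy with a simplified offline evaluator (added example)."""
import ipaddress
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed example policy. Keys and operators are real IAM ones; the bucket,
# the corporate CIDR and the expiry are sample values for this illustration.
CONSTRUCTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WritesRequireMfaCorpNetworkAndExpire",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::example-tenant-bucket/*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                "DateLessThan": {"aws:CurrentTime": "2013-12-31T23:59:59Z"},
            },
        },
        {
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-tenant-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _condition_holds(operator: str, key: str, wanted: str, ctx: dict) -> bool:
    """Evaluate one condition element against the request context.
    A key absent from the context never satisfies a condition."""
    actual = ctx.get(key)
    if actual is None:
        return False
    if operator == "Bool":
        return str(actual).lower() == str(wanted).lower()
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted)
    if operator in ("DateLessThan", "DateGreaterThan"):
        a = datetime.fromisoformat(str(actual).replace("Z", "+00:00"))
        w = datetime.fromisoformat(str(wanted).replace("Z", "+00:00"))
        return a < w if operator == "DateLessThan" else a > w
    raise ValueError(f"operator not modelled by this toy evaluator: {operator}")


def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Default deny; an explicit Deny whose conditions hold overrides any Allow."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action, pat) for pat in actions):
            continue
        if not fnmatchcase(resource, stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {})
        if not all(_condition_holds(op, k, v, ctx)
                   for op, kv in conds.items() for k, v in kv.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


# Constructed request context: MFA present, from the corporate range, in time,
# over TLS. Varying one field at a time shows which control denies the call.
CONSTRUCTED_CONTEXT = {
    "aws:MultiFactorAuthPresent": "true",
    "aws:SourceIp": "203.0.113.7",
    "aws:CurrentTime": "2013-06-01T12:00:00Z",
    "aws:SecureTransport": "true",
}
RESOURCE = "arn:aws:s3:::example-tenant-bucket/report.csv"
```

The value of writing the evaluator out is that each row of the CAIQ maps to one condition element: the MFA requirement to Bool, the "geo auth" to IpAddress, the "duration" to DateLessThan, and the SSL-only endpoint to the Deny on aws:SecureTransport. The real service evaluates many more operators and policy types; this model is only enough to reason about the four controls named in the table.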
TABLE 4: AWS SOLUTIONS AGAINST A CCM
CID Control Specification AWS Response
CO-01 Audit plans, activities and AWS has appropriate technical solutions,
operational action items focusing internal controls to protect customer data
on data duplication, access, and against alteration/destruction/loss/etc.
data boundary limitations with Any kind of additional audit information
aim to minimize the risk of is provided to the customers under NDA
business process disruption.
CO-02 Independent reviews shall be AWS shares 3rd audit reports under
performed annually/planned NDA with their customers. Such audit
intervals to aim a high effective covers regularly scans of their (non-
compliance policies, standards customer) services for vulnerabilities
and regulations (i.e., [41-42] while the customers are allowed
internal/external audits, to request for a pentest [40] of their own
certifications, vulnerability and instances
penetration testing)
CO-03 3rd party service providers shall AWS requires to meet important privacy
demonstrate compliance with and security requirements conducting 3rd
security due; their reports and parties in alignment ISO 27001 (domain
services should undergo audit and 6.2)
review.
CO-04 Responsible persons to contact AWS maintains contacts with external
with local authorities in parties in alignment with ISO standards
accordance with business and
customer requirements and
compliance requirements.
CO-05 The organization's approach to Updates to AWS security policies,
meet known requirements, and procedures, standards and controls occur
adapt to new mandate shall be on an annual basis in alignment with the
›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– 185
‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵
explicitly defined, documented, ISO 27001 standard.
and kept up to date for each
information system element in the
organization. Information system
elements may include data,
objects, applications,
infrastructure and hardware
CO-06 A policy to safeguard intellectual AWS will not disclose customer data to a
property 3rd party unless it is required by law and
will not use data except to detect/repair
problems affecting the services
DG-01 All data shall be designated with Customers are responsible for
stewardship with assigned maintaining it regarding their assets
responsibilities defined,
documented and communicated.
DG-02 Data, and objects containing data, AWS allows customers to classify their
shall be assigned a classification resources by themselves (ex. applying
based on data type, jurisdiction of any metadata and tagging to the
origin, jurisdiction domiciled, etc. EC2VMs to set the user-friendly names
& enhance searchability)
DG-03 Policies/mechanisms for labeling, Similar to DG-02
handling and security of data and
objects which contain data
DG-04 Policies for data retention and AWS infrastructure is validated regularly
storage as well as implementation any purposes in alignment with security
of backup or redundancy standards and featured by AWS EBS and
mechanisms to ensure compliance Glacier (for data archiving and backup),
with regulatory and other but the customers have capability
requirements that validated manage it due the API/SDK
regularly
DG-05 Policies and mechanisms for the AWS rely on best practices to wipe data
secure disposal and complete via DoD 5220.22-M/NIST 800-88
removal of data from all storage techniques; if it is not possible the
media, ensuring data is not physical destruction happens
recoverable by any computer
forensic means.
DG-06 Production data shall not be AWS has implemented the segmentation
replicated or used in non- of customers data to prevent its
production environments. movement by default, however the end-
users are responsible to manage the right
sharing permissions
DG-07 Security mechanisms to prevent AWS has implemented logical
data leakage. (permissions) and physical
(segmentation) controls to prevent data
leakage. (ex. a hypervisor is designed to
restrict non-allowed connections between
tenant resources that has validated by
independent PCI QSA in alignment with
PCI DSS 2.0 requirements)
DG-08 Risk assessments associated with AWS provides the independent auditor
›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡– 186
‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵
data governance requirements reports under NDA and customers on
shall be conducted at planned their own systems can build a continuous
intervals monitoring of logical controls
additionally implementing [38].
FS-01 Procedures for maintaining a safe AWS controls any access to buildings,
and secure working environment room and other areas, has a strong
in offices, rooms, facilities and requirement to pass two-factor
secure areas. authentication. All procedures are
validated by independent auditors

FS-02 Physical access to information AWS regularly train employees in


assets and functions by users and regards their roles vs. those customers
support personnel shall be that documented and validated
restricted. periodically. Also, any ‘redundant’
access is automatically revoked when an
employee’s record is terminated or
changed with his job functions in
Amazon’s HR system. If employee was
not fired he will be reassigned with new
access rights that reviewed every 90 days
FS-03 An implementation of the AWS has been implemented the various
FS-05 physical security perimeters, physical security controls like fencing,
providing the secure areas walls, security staff, video surveillance,
controlling from unauthorized intrusion detection systems and other
personnel actions electronic means in alignment ISO
27001. It extends by utilizing video
surveillance and requirement to pass two-
factor authentication a minimum two
times to access datacenter floors for staff.
FS-04 Ingress and egress to secure areas Similar to the FS-03/FS-05
shall be constrained and
monitored by physical access
control mechanisms to ensure that
only authorized personnel are
allowed access.
FS-06 Policies and procedures shall be AWS imposes control the customers to
FS-07 established for securing and asset manage the data locations. Data will not
management for the use and be moved between different regions, only
secure disposal of equipment inside that were chosen to prevent
maintained and used outside the failure.
organization's premise.
FS-08 A complete inventory of critical AWS maintains a formal policy that
assets shall be maintained with requires assets, the hardware assets
ownership defined and monitored by the AWS personnel and
documented. maintain the relationships with all AWS
suppliers are possible in comply ISO
27001 (domain 7.1) for additional details.

HR-01, HR-02, HR-03
Control: An employment candidate background verification in regard to local laws, regulations, etc. Any agreements prior to granting individuals (employees, contractors, 3rd party users, etc.) physical or logical access to facilities, systems or data. Define the roles and responsibilities for performing employment termination or change-in-employment procedures.
AWS: According to AWS, they perform such checks in compliance with law. Every employee is provided with the Company's Code of Business Conduct and Ethics internally and is regularly trained. An employee or a third-party contractor has a minimum set of privileges and can be disabled by the hiring manager. All types of access to any resources are logged, as well as changes to them; access must be explicitly approved in Amazon's proprietary permission management system. All changes lead to revocation of the previous access, because the type of access to the resource must be explicitly approved.
IS-01, IS-02, IS-03
Control: An implementation of an ISMP that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
AWS: AWS implements an ISMS to address security/privacy best practices and provides the appropriate documentation under NDA.

IS-04
Control: An implementation of baseline security requirements for applications/DB/systems/network in compliance with policies/regulations/standards.
AWS: Baseline security requirements are technically implemented with a 'deny' configuration by default and are documented among the AWS security documents for all services (e.g. [8-24]).

IS-05
Control: An information security policy review at planned intervals.
AWS: Although AWS provides a lot of how-to docs, binaries & sources [8-24], [28-29] that are regularly updated, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified by AWS.

IS-06
Control: A sanction policy for violation of security policies.
AWS: According to AWS, if a violation happens, the appropriate disciplinary action is followed.

IS-07
Control: An implementation of user access policies to apps, DB, and the rest in accordance with security, compliance and SLA.
AWS: All AWS services are featured by IAM, which provides powerful permission items with predefined templates; the rest is similar to FS-02, HR-03, IS-04.

IS-08
Control: Documented policies for granting/revoking access to apps, DB, and the rest in accordance with security, compliance and SLA.
AWS: Similar to IS-07.

IS-09
Control: A revocation/modification of user access to data upon any change in status of employees, contractors, customers, etc.
AWS: Any access is automatically revoked when an employee's/3rd-party contributor's record is terminated or their job functions are changed in Amazon's HR system. If the employee/3rd-party contributor was not fired, they are reassigned new access rights, which are reviewed every 90 days.

IS-10, IS-11
Control: All levels of user access shall be reviewed by management at planned intervals and documented, while a security awareness training program shall be established for all contractors, 3rd parties and employees and mandated when appropriate.
AWS: Similar to HR-02, HR-03.

IS-12
Control: Industry security knowledge and benchmarking through networking, specialist security forums, and professional associations.
AWS: AWS is a member of industry organizations and organizes events.

IS-13
Control: Roles and responsibilities of contractors, employees and 3rd party users shall be documented as they relate to information assets and security.
AWS: Similar to HR-03.

IS-14, IS-15
Control: Responsibilities for maintaining awareness of and complying with security policies, procedures and standards that are relevant to the manager's area of responsibility, with documentation of how the segregation of duties is maintained.
AWS: Each employee has the Company's Code of Business Conduct and Ethics and has to complete periodic training. Customers should manage the segregation of duties by themselves. The rest is certified by independent auditors.

IS-16
Control: Informing the users of their responsibilities in regard to the security policies, standards, regulations and rules on how to keep the equipment.
AWS: AWS provides various ways of training (newly hired employees; others by mails in the AWS intranet) so that the employees understand their roles and responsibilities; this is certified by independent auditors.

IS-17
Control: Documented procedures for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout after a period of inactivity.
AWS: Similar to IS-16.

IS-18, IS-19
Control: Implemented policies/mechanisms allowing data encryption in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging), as well as key management.
AWS: If keys are created on the server side, AWS creates the unique keys and utilizes them; if it is done on the client side with the customer's own or 3rd-party solutions, only the customers can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.
IS-20
Control: Implemented policies and mechanisms for vulnerability and patch management on the side of apps, systems, and network devices.
AWS: AWS provides their services with the latest updates and analyzes software updates according to their criticality; customers have a partial ability to perform vulnerability scans and patching themselves, as long as they do not violate the Policy [40], [41-42].

IS-21
Control: A capability of AV solutions to detect, remove, and protect against all known types of malicious or unauthorized software, with antivirus signature updates at least every 12 hours.
AWS: AWS does manage AV solutions & updates in compliance with ISO 27001, as confirmed by independent auditors. Additionally, customers should maintain their own solutions to meet their requirements.

IS-22
Control: Policies and procedures to triage security related events and ensure timely and thorough incident management.
AWS: AWS has defined role responsibilities and incident handling in internal documents in compliance with ISO and provides the AWS SOC 1 Type Report.

IS-23, IS-24
Control: Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
AWS: AWS covers this via [40-42].

IS-25
Control: Availability of mechanisms to monitor and quantify the types and volumes of information security incidents.
AWS: AWS provides this in alignment with ISO 27001, as validated by independent auditors.

IS-26
Control: Policies and procedures shall be established for the acceptable use of information assets.
AWS: According to AWS, only the customers manage and control their data, unless access is needed due to legal requirements or troubleshooting aimed at fixing service issues.

IS-27
Control: Employees, contractors and 3rd party users must return all assets owned by the organization within a defined and documented time frame once the employment, contract or agreement has been terminated.
AWS: N/A

IS-28, IS-29
Control: Protection of e-commerce related data traversing public networks. Strong segmentation and restriction of access to, and use of, audit tools that interact with the organization's information systems, to prevent compromise and misuse of log data.
AWS: There is no information that AWS is involved in e-commerce solutions. Internal audit tools are restricted so that AWS personnel have only the access they need to perform specific tasks; each access is reviewed every 90 days.

IS-30
Control: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
AWS: Administrators are required to use MFA to access such hosts, which are designed to be protected, and continue to have this access unless they no longer have a business need. All such access is logged, audited and reviewed every 90 days.

IS-31
Control: Network and infrastructure SLAs (in-house or outsourced) shall clearly document security controls, capacity and other requirements.
AWS: SLAs are validated and certified by independent auditors; utilization of customer services housed in the cloud is not mined.

IS-32, IS-33
Control: Policies and mechanisms to limit access to sensitive data (especially application, program or object source code) from portable and mobile devices.
AWS: AWS has this one; it delineates the minimum rights for logical access to AWS resources and provides details in the AWS SOC 1 Type II report.

IS-34
Control: Utility programs capable of potentially overriding system, object, network, virtual machine and application controls shall be restricted.
AWS: AWS provides internal system tools to perform specific tasks; each access is reviewed every 90 days.

LG-01, LG-02
Control: Periodic review of the NDA and other requirements and agreements by legal counsel. An ability to monitor outsourced providers in compliance with the laws of each country.
AWS: Amazon Legal Counsel reviews 3rd party agreements and NDAs according to business needs. AWS does not leverage any 3rd party cloud providers to deliver AWS services to the customers.

OP-01, OP-02
Control: Policies and system documentation are available to all personnel supporting service operations roles, with information system documentation available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system's security features
AWS: According to AWS, the policies are in alignment with the AWS Information Security framework, based upon the COBIT framework, the ISO 27001 standard and the PCI DSS requirements. Such docs are available through Amazon's Intranet site.

OP-03
Control: The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance.
AWS: AWS manages capacity and utilization data in compliance with ISO 27001, as certified by independent auditors.

OP-04
Control: Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.
AWS: AWS has continuity policies developed according to ISO 27001 (domain 14.1) and provides details in the AWS SOC 1 report.

RI-01, RI-02, RI-03, RI-04
Control: Cloud insurance by a 3rd party for the losses in regard to the cloud vendors and tenants (per the SLA), in alignment with documented procedures reviewed at least annually and considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
AWS: AWS provides the detailed customer remuneration for losses in the SLA. The rest (the internal procedures for managing and mitigating the risks) is in alignment with ISO 27001 (domains 4.2, 5.1), validated by independent auditors, with a few details among the AWS risk documents. Any updates to such procedures occur each year.

RI-05
Control: The identification, assessment, and prioritization of risks posed by business processes requiring 3rd party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure the likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
AWS: An employee or a third-party contractor has a minimum set of privileges and can be disabled by the hiring manager. All types of access to any resources are logged, as well as changes to them; access must be explicitly approved in Amazon's proprietary permission management system. All changes lead to revocation of the previous access, because the type of access to the resource must be explicitly approved. Or: similar to HR-02.
RM-01
Control: Policies for new development acquisitions.
AWS: All newly developed resources are certified by independent auditors in regard to ISO.

RM-02, RM-03
Control: Changes to the production environment shall be documented, tested and approved prior to implementation. A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization.
AWS: All details are provided in the AWS SOC 1 Type II report. The standards of quality are part of the SDLC in compliance with ISO 27001 (domain 10.1).

RM-04
Control: A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all outsourced software development. The development of all outsourced software shall be supervised and monitored by the organization and must include security requirements, independent security review of the outsourced environment by a certified individual, certified security training for outsourced software developers, and code reviews.
AWS: The standards of quality are part of the SDLC in compliance with ISO 27001 (domain 10.1), certified and validated by independent auditors; however, AWS does not generally outsource development of software.

RM-05
Control: An implementation of policies and mechanisms to restrict the installation of unauthorized software.
AWS: AWS does monitor malicious software in compliance with ISO 27001 (domain 10.4).

RS-01 through RS-08
Control: Documented policy and procedures defining continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets through a combination of preventive and recovery controls, in accordance with regulations and standards. Physical protection against damage from natural causes and disasters as well as deliberate attacks, including fire, flood, etc., shall be implemented.
AWS: Such policies are in alignment with ISO 27001 (domain 14.1). AWS provides the CloudWatch service to monitor the state of AWS EC2, EBS, ELB, SQS, SNS, DynamoDB and Storage Gateway, as well as a status history [38]. AWS provides several Availability Zones in each of six regions to prevent failures, but the customers are responsible for managing it across regions or other cloud vendors via API and SDK. Physical protection is in compliance with ISO 27001 and 27002. Information about the transport routes is similar to FS-06.1.

SA-01
Control: Prior to granting customers access to data, assets and information systems, all identified security, contractual and regulatory requirements for customer access shall be addressed and remediated.
AWS: Prior to using AWS services, customers are required to review and agree to an SLA.

SA-02
Control: An implementation of user credential and password controls for apps, DB, server and network infrastructure, requiring the following minimum standards.
AWS: AWS IAM [21-24] provides secure access and roles to the resources, with features to control access, create unique entry points for users, cross-AWS-account access via API/SDK or the IAM console, and create powerful permissions with duration and geo auth. AWS offers identity federation and VPC tunnels, which lead to utilizing existing corporate identities for access, and temporary security credentials. Additionally, the customers may avoid mistakes and risks by using the AWS Policy Generator and MFA devices [39]. The covered services are AWS Auto Scaling, CloudFormation, CloudFront, CloudSearch, CloudWatch, DynamoDB, EBS, EC2, Elastic Beanstalk, ElastiCache, ELB, Elastic MapReduce, RDS, Route 53, S3, SES, SQS, SNS, SimpleDB, Storage Gateway, VPC. IAM allows creating and handling the sets defined in accordance with the sub-rules of SA-02 (in the original version of the CCM). On the AWS side it is similar to FS-02 except 'training'.
SA-03, SA-04, SA-05
Control: Implemented policies and mechanisms designed in accordance with industry accepted security standards to ensure security and integrity of data exchanged between system interfaces to prevent disclosure, alteration or destruction, complying with legislative, regulatory, and contractual requirements. Availability of I/O integrity routines for the application interfaces and DB to prevent errors and data corruption.
AWS: AWS security is based upon best practices and standards (ISO 27001/27002, CoBIT, PCI DSS), certified by independent auditors, to build threat modeling and completion of a risk assessment as a part of the SDLC. AWS implements this one through all phases, including transmission, storage and processing of data, in compliance with ISO 27001 (domain 12.2), as certified by independent auditors.

SA-06, SA-08
Control: Segmentation of production and non-production environments to prevent unauthorized access, and restriction of connections between trusted and untrusted networks for use of all allowed services, protocols, and ports.
AWS: AWS provides a lot of how-to docs, binaries & sources (as an example [8-24], [28-29]).

SA-07
Control: A requirement of MFA for all remote user access.
AWS: MFA is not on by default and depends on the customer configuration [39].

SA-09, SA-10, SA-11
Control: Separation of system and network environments via firewalls in regard to isolation of sensitive data and restriction of unauthorized traffic, enhanced with strong encryption for authentication and transmission, and replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.).
AWS: Internal segmentation is in alignment with ISO and similar to CO-05.1-2, while external segmentation is a part of the customer responsibility. Internally, traffic restriction is in place too and has a 'deny/allow' option in EC2/S3 by default (but an explicit configuration is recommended), etc. Externally, the customers are able to use SSL, encryption keys, encryption solutions and security policies to explicitly approve the security settings (AWS, 3rd party or their own) according to the security docs and whitepapers.

SA-12
Control: An accurate, externally agreed upon time source shall be used to synchronize the system clocks of all relevant information-processing systems (US GPS & EU Galileo Satellite Network).
AWS: AWS services rely on the internal system clocks synchronized via NTP.

SA-13
Control: A capability of automated equipment identification as a part of authentication.
AWS: AWS provides such an ability, for example via the metadata, geo tags and other tags created by the customers.

SA-14
Control: Audit logs recording privileged user access activities shall be retained, complying with applicable policies and regulations, and reviewed at least daily, and file integrity (host) and network intrusion detection (IDS) tools implemented to help investigation in case of incidents.
AWS: AWS has this one in compliance with ISO and provides the results in the AWS SOC 1 Type II Report. AWS has an incident response program in compliance too. Even though the customers' data is stored with strong isolation on the AWS side and restrictions made by them, additional materials (SOC 1 Type II report) must be requested to clarify all questions on forensics. All data should be encrypted on the client side, because this leads to the customers' direct participation with the law, as AWS does not have the keys in this case.

SA-15
Control: Mobile code authorization before its installation, preventing it from executing and using it according to a clearly defined security policy.
AWS: The customers are responsible for managing it to meet their requirements.
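As an added example (not from the paper and not AWS code), the following simplified evaluator shows the IAM policy rules the SA-02, SA-07 and IS-04 rows rely on: default deny, an explicit Deny overriding any Allow, and conditions such as the MFA-present and source-IP checks a customer would set through the Policy Generator. The policy, bucket name and address ranges are constructed for the demonstration, and only two condition operators are modelled.

```python
"""Simplified IAM-style policy evaluation (added example, not AWS code).

Rules modelled: default deny (no matching statement), explicit Deny beats
Allow, and an Allow counts only when its Condition block holds. Only the
Bool and IpAddress operators are implemented; NotAction/NotResource and the
other operators of the real AWS engine are omitted.
"""
import fnmatch
import ipaddress

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(cond, ctx):
    """All operator/key pairs in a Condition block must hold (logical AND)."""
    for op, pairs in (cond or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # missing context key never satisfies a condition
            expected = _as_list(expected)
            if op == "Bool":
                if str(actual).lower() not in [str(e).lower() for e in expected]:
                    return False
            elif op == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(e, strict=False)
                           for e in expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True

def _statement_applies(stmt, action, resource, ctx):
    return (any(_match(a, action) for a in _as_list(stmt.get("Action", [])))
            and any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*")))
            and _condition_holds(stmt.get("Condition"), ctx))

def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request checked against all policies."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit deny overrides every allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: default deny

# Constructed sample policy in the shape the AWS Policy Generator emits: read
# access to one bucket, only from the corporate address range and only when the
# caller authenticated with MFA (SA-07); deletes are denied outright. The bucket
# name and the address ranges are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            },
        },
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}

def demo():
    """Evaluate a few constructed requests; returns case name -> verdict."""
    base = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
    obj = "arn:aws:s3:::example-bucket/report.pdf"
    pol = [SAMPLE_POLICY]
    return {
        "mfa_from_office": evaluate(pol, "s3:GetObject", obj, base),
        "no_mfa": evaluate(pol, "s3:GetObject", obj,
                           {**base, "aws:MultiFactorAuthPresent": "false"}),
        "outside_range": evaluate(pol, "s3:GetObject", obj,
                                  {**base, "aws:SourceIp": "198.51.100.7"}),
        "delete": evaluate(pol, "s3:DeleteObject", obj, base),
        "other_service": evaluate(pol, "ec2:RunInstances", "*", base),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

Only the first request is allowed; the others fall to the Deny statement or to the default deny, which is the behaviour IS-04 describes as AWS's default configuration.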

IV. CONCLUSION

Any complex solutions and systems like AWS, Azure, or GAE tend to be prone to security compromise, because they have to operate large-scale computations and dynamic configuration. Cloud vendors usually do not disclose the technical details on security to the customers, thus raising the question of how to verify them against appropriate requirements. Cloud security depends on whether the cloud vendors have implemented security controls that are documented and enhanced with policy. However, there is a lack of visibility into how clouds operate; each of them differs from the others in the levels of control, monitoring and securing mechanisms that are widely known for non-cloud systems. The potential vulnerability requires a high degree of security combined with transparency and compliance. AWS relies on security frameworks based on various standards that are certified by third-party auditors and help the customers to evaluate if and how AWS meets the requirements. CAIQ/CCM provides an equivalent of recommendations over several standards. The bad side is that it allows vendors to provide fewer public details, taking them into NDA reports and writing general explanations multiplied by general standards recommendations (even in modern documents like CSA). CAIQ provides more details on security and privacy than the matrix aligned to the Cloud Security Guidance in 13 domains.

Besides the details from 3rd party audit reports, customers may require assurance in regard to local laws and regulations. It is quite complicated to reduce the implementation and configuration information as a part of proprietary information (that is neither bad nor good, just complicated). In other words, it may call for specific levels of audit logging, activity reporting, security controlling and data retention that are often not a part of the SLA offered by providers. The result of an examination of AWS security controls against Russian security standards/regulations shown in [45] and partially in [7] is successfully passing the standards by use of native security features implemented in the AWS Console, CLI and API/SDK only. It additionally includes cases where the current AWS security features should be enhanced via third party security solutions, like national encryption on the client side before uploading data, and the ability to indirectly comply with requirements. Talking about security enhancement, not only security controls belonging to the cloud layer (outside the VMs) should be used to protect data, communications, memory etc., but also internal OS controls and third party solutions together. However, this excludes obsolescent clauses and cases where we need to 'just wait' for a solution from AWS because of the inability to build and implement an appropriate one and their promise to 'release it soon' in FAQ or other documents. OS and third party solutions that are known for non-cloud systems allow protecting critical and confidential information that is present in different system, configuration and other files, to avoid alteration, exposing and accessing of them. Examination of cloud solutions like Azure, BES with AWS & Azure, and Office365 with Cloud BES against other standards (incl. Russian docs) is a part of further research; however, the significant direction is improving existing CSA and NIST recommendations in order to enhance transparency via utilization of primarily technical requirements: on the cloud layer, on the inter-VM/DB & inter-cloud-services layer, and on the VM/DB layer.

REFERENCES

[1] P. Mell and T. Grance, "The NIST Definition of Cloud Computing", Recommendation of the National Institute of Standards and Technology, NIST, 2011
[2] Abdullah Abuhussein, Harkeerat Bedi, Sajjan Shiva, "Evaluating Security and Privacy in Cloud Computing Services: A Stakeholder's Perspective", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 388-395, December 2012
[3] Jun Feng, Yu Chen, Pu Liu, "Bridging the Missing Link of Cloud Data Storage Security in AWS", 7th Consumer Communications and Networking Conference (CCNC), pp. 1-2, January 2010
[4] Yan Hu, Fangjie Lu, Israr Khan, Guohua Bai, "A Cloud Computing Solution for Sharing Healthcare Information", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 465-470, December 2012
[5] "Google cloud services – App Engine". [Online resource: http://www.google.com/enterprise/cloud/appengine/, Accessed: 23-November-2012]
[6] "Technical Overview of the Security Features in the Windows Azure Platform". [Online resource: http://www.google.com/enterprise/cloud/appengine/, Accessed: 23-November-2012]
[7] Y. Chemerkin, "AWS Cloud Security from the point of view of the Compliance", PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa, vol. 2 10 Issue 10/2012 (12), ISSN 2084-1116, pp. 50-59, December 2012
[8] "Amazon EC2 User Guide". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/, Accessed: 05-December-2012]
[9] "Amazon EC2 Microsoft Windows Guide". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/, Accessed: 05-December-2012]
[10] "Amazon EC2 Microsoft API Reference". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/, Accessed: 05-December-2012]
[11] "AWS Import/Export Developer Guide". [Online resource: http://aws.amazon.com/documentation/importexport/, Accessed: 16-December-2012]
[12] "Amazon Virtual Private Cloud Network Administrator Guide". [Online resource: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide, Accessed: 05-December-2012]
[13] "Amazon Virtual Private Cloud User Guide". [Online resource: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide, Accessed: 05-December-2012]
[14] "Amazon Direct Connect User Guide". [Online resource: http://docs.aws.amazon.com/DirectConnect/latest/UserGuide/, Accessed: 05-December-2012]
[15] "Amazon Direct Connect API Reference". [Online resource: http://docs.aws.amazon.com/DirectConnect/latest/APIReference/Welcome.html, Accessed: 05-December-2012]
[16] "Amazon S3 Developer Guide". [Online resource: http://docs.aws.amazon.com/AmazonS3/latest/dev/, Accessed: 20-December-2012]
[17] "Amazon S3 API Reference". [Online resource: http://docs.aws.amazon.com/AmazonS3/latest/API/, Accessed: 20-December-2012]
[18] "Amazon S3 Console User Guide". [Online resource: http://docs.aws.amazon.com/AmazonS3/latest/UG/, Accessed: 20-December-2012]
[19] "Amazon Glacier Developer Guide". [Online resource: http://docs.aws.amazon.com/amazonglacier/latest/dev/, Accessed: 20-December-2012]
[20] "Amazon Storage Gateway". [Online resource: http://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html, Accessed: 20-December-2012]
[21] "Amazon IAM API Reference". [Online resource: http://docs.aws.amazon.com/IAM/latest/APIReference/, Accessed: 29-December-2012]
[22] "Amazon Using Temporary Security Credentials". [Online resource: http://docs.aws.amazon.com/IAM/latest/UsingSTS/, Accessed: 29-December-2012]
[23] "Amazon AWS Security Token Service API Reference". [Online resource: http://docs.aws.amazon.com/STS/latest/APIReference/, Accessed: 29-December-2012]
[24] "Amazon Command Line Reference". [Online resource: http://docs.aws.amazon.com/IAM/latest/CLIReference/, Accessed: 29-December-2012]
[25] "DRAFT Cloud Computing Synopsis and Recommendations", NIST Special Publication 800-146. [Online resource: http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf, Accessed: 06-January-2013]
[26] "Security Whitepaper. Google Apps Messaging and Collaboration Products". [Online resource: http://cryptome.org/2012/12/google-cloud-sec.pdf, Accessed: 23-November-2013]
[27] Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Iacono, "All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM Cloud Computing Security Workshop (CCSW), pp. 3-14, October 2011
[28] "Reported SOAP Request Parsing Vulnerabilities". [Online resource: https://aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/, Accessed: 15-January-2013]
[29] "Xen Security Advisories". [Online resource: https://aws.amazon.com/security/security-bulletins/xen-security-advisories/, Accessed: 15-January-2013]
[30] "The Essential Intelligent Client". [Online resource: http://www.vmworld.com/servlet/JiveServlet/downloadBody/5700-102-1-8823/Intel%20The%20Essential%20Intelligent%20Client.pdf, Accessed: 15-January-2013]
[31] "Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR". [Online resource: http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html/, Accessed: 22-November-2013]
[32] "The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security, pp. 38-49, October 2012
[33] "Reported SSL Certificate Validation Errors in API Tools and SDKs". [Online resource: https://aws.amazon.com/security/security-bulletins/reported-ssl-certificate-validation-errors-in-api-tools-and-sdks/, Accessed: 15-January-2013]
[34] "CSA Cloud Controls Matrix v1.3". [Online resource: https://cloudsecurityalliance.org/research/cai/, Accessed: 22-January-2013]
[35] "CSA Consensus Assessments Initiative Questionnaire v1.1". [Online resource: https://cloudsecurityalliance.org/research/cai/, Accessed: 22-December-2012]
[36] "AWS Security Bulletins". [Online resource: https://aws.amazon.com/security/security-bulletins/, Accessed: 16-February-2013]
[37] "Products and Services by Region with AWS Edge Locations". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html, Accessed: 10-February-2013]
[38] "AWS Services Health Status with the history status". [Online resource: http://status.aws.amazon.com/, Accessed: 16-February-2013]
[39] "AWS MFA". [Online resource: http://aws.amazon.com/mfa, Accessed: 16-February-2013]
[40] "AWS Vulnerability/Pentesting Request Form". [Online resource: https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSSecurityPenTestRequest, Accessed: 16-February-2013]
[41] "AWS Abuse reports (EC2, other AWS services)". [Online resource: https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse, Accessed: 16-February-2013]
[42] "AWS Vulnerability Reporting". [Online resource: https://aws.amazon.com/security/vulnerability-reporting/, Accessed: 16-February-2013]
[43] Jeffrey Medsger, Avinash Srinivasan, "ERASE - EntRopy-based SAnitization of SEnsitive Data for Privacy Preservation", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 427-432, December 2012
[44] R. Kissel, M. Scholl, S. Skolochenko, and X. Li, "Guidelines for media sanitization: Recommendations of the National Institute of Standards and Technology", in NIST SP 800-88 Report, 2006
[45] Y. Chemerkin, "Analysis of Cloud Security against the modern security standards", draft (is going to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa in April-May
CALL FOR PAPERS

At the outset, I take this opportunity to introduce “Cyber Times – International Journal of
Technology & Management” which is a platform to provide an innovative view of Technology,
Management thinking, Realistic Research Studies and various Management Practices in the
Indian and Global perspective.

“Cyber Times – International Journal of Technology & Management” is a Bi-Annual Journal
and invites original research papers from different Research Scholars, Faculty Members, and
Industry Professionals in various domains of Technology, Management, Science and all other
categories. The detailed guidelines are attached along with this copy of journal for the
submission of research Paper for Publication.

Last date of Abstract Submission: 30th July’ 2013
Last date of Full Paper Submission: 30th August’ 2013 (Without Late Fee)
Last Date of Full Paper Submission: 15th September’2013 (With Late Fee)

Note:

• The papers received for the final publication will be screened by the Evaluation
Committee for approval and only the selected Papers will be published in the coming
edition. Further information is available on the website (http://journal.cybertimes.in)
under the “Guidelines for paper Submission” section.

You are cordially invited to contribute your Research Paper for the publication in our next
edition. Authors are encouraged to submit their Research work document via Email. Abstract,
and Full Length Paper should be sent in .doc or .docx as an attachment separately to
[email protected]

Moreover, in case of any further queries; please feel free to contact us and we’ll be happy to
assist you in a better way.

Looking for a Long-Term Association

Thanks & Regards,

Dr. ANUP GIRDHAR

Editor-in-Chief (CYBER TIMES)

Cyber Times International Journal of Technology & Management


Cyber Times International Journal of Technology & Management
Guidelines to write Research Papers

1. RESEARCH PAPER TITLE: The title of the paper should be in Times New Roman
with Font Size 24. It should be Bold Typed, Centered Aligned and Fully Capitalized.

2. AUTHOR NAME(S) & INFORMATION: The author(s)’ full name (with initials),
designation, address, mobile/landline numbers, and email/alternate email
address should be in italic, 12-point Times New Roman font.

3. ABSTRACT: The abstract should be 200 to 250 words and should be entirely in
italics. The abstract must be illuminating and explain the purpose, scope and conclusion of
the research paper.

4. KEYWORDS: The abstract must be followed by a list of keywords in 12-point
Times New Roman font. Keywords should be arranged in alphabetical order,
separated by commas.

5. RESEARCH PAPER: The research paper should be prepared in US English on
standard A4 size paper in portrait orientation. The paper should be typed in
double-column layout with single line spacing, 12-point Times New Roman font, and a 1” margin on all
four sides of the page, in an MS Word compatible format. It should be free of all
grammatical, spelling and punctuation errors and must be edited carefully with the
support of your guide. It should not be more than 10-12 pages.

6. HEADINGS: All headings should be in 14-point Times New Roman font. The
heading text should be bold, left-aligned and fully capitalized.

7. SUB-HEADINGS: All sub-headings should be in 12-point Times New Roman font.
The sub-heading text should be bold, left-aligned and fully capitalized.

8. FIGURES & TABLES: Figure and table headings should be in 10-point Times New
Roman font, bold, centre-aligned and in title case. Figures and tables
should be self-made, simple, crystal clear, centre-aligned, separately numbered and
self-explanatory. Sources of data should be mentioned below the table/figure, and it
should be ensured that every table/figure is referred to from the main text.

9. EQUATIONS: These should be consecutively numbered in parentheses, horizontally
centred, with the equation number placed at the right.

10. REFERENCES: The list of references should be arranged alphabetically. The author(s)
should list only the references actually used in preparing the research paper,
and should cite them by number ([1], [2]) wherever they are used throughout the
paper. The titles of books and journals should be in italics. Double quotation marks should
be used for the titles of journal articles, book chapters, dissertations, reports, working
papers, unpublished material, etc.

“SEDULITY SOLUTIONS & TECHNOLOGIES” is an ISO 9001:2008 certified organization.
It is a channel for providing technical solutions to corporates, law-enforcement
agencies, private and government institutions, etc. We offer technical solutions with
in-depth security and legal countermeasures, which have helped professionals in various
government and private sector organizations gain advanced knowledge of securing their networks. Our
expert team has been recognized many times for its performance in
everything it undertakes, be it penetration testing, IT audits, e-learning solutions, website
development, cyber security AMCs via the Sedulity Operating System, consultancy, hi-tech
training, placement activities, etc.

Services/ Solutions/ Products Offered are as follows:


• Penetration Testing
• IT Auditing
• Cyber Crime Investigation
• Network Security
• Security AMCs
• Server Configurations (File Server, SMS Server, Web Server, Database Server,
E-Mail Server, Proxy Server, and many more)
• Hi-Tech Industrial Trainings for Engineering Faculties, Students, Corporate &
Govt. Professionals.
• Secure Web development
• E-Learning Solutions via Web Portals and Products.
• SEO
• Sedulity Operating System (editions available for Corporate, Developers, Ethical
Hackers, and Cyber Forensics), available in 32/64-bit, Client/Server and more

For More details;

Contact:
Ph: 011-45651674, +91-9811572430
Email: [email protected]
Website: http://sedulitygroups.com



Vol.6 Issue 1, October 2012 – March 2013
