Cloud Security Policies

It is becoming increasingly common for organizations to move their data to the cloud. Cloud storage provides a great deal of convenience, and from a disaster recovery perspective, is extremely resilient. However, cloud storage is not without some security risks. Before we discuss cloud security policies, some basics on how clouds function will be necessary.

The term cloud computing was popularized when Amazon.com released Elastic Compute Cloud in 2006. Cloud computing uses servers distributed geographically. In some cases, the servers are in other countries. In February 2010, Microsoft released the Microsoft Azure cloud service. Amazon and Apple also provide cloud services for the general public. There are four general types of clouds:

• Public clouds are defined by the NIST as simply clouds that offer their infrastructure or services to either the general public or at least a large industry group.
• Private clouds are those clouds used specifically by a single organization without offering the services to an outside party. There are, of course, clouds that combine the elements of a private and public cloud. These are essentially private clouds that have some limited public access.
• Community clouds are systems wherein several organizations share a cloud for specific community needs. For example, several computer companies might join to create a cloud devoted to common security issues.
• Hybrid clouds, as the name suggests, are some mixture of two or more of these cloud approaches.

Clouds are essentially virtualization taken to a new level. You have probably used a virtual machine on a computer—perhaps VMWare Workstation or Oracle Virtual Box. All virtual systems are one of two types:

• Type I: bare metal—These systems are installed directly onto hardware. There is no need for an underlying operating system. The virtual system directly hosts virtual machines.
• Type II: hosted—These are virtual systems installed on top of an existing operating system. The aforementioned VMWare Workstation and Oracle Virtual Box are examples of this.

There are several categorizations of virtual systems, and these are often the ways in which people interact with cloud services:

• Software as a Service (SaaS)—NIST defines SaaS as “The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.”
• Platform as a Service (PaaS)—NIST defines PaaS as “The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.”
• Infrastructure as a Service (IaaS)—NIST defines IaaS as “where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”

Today there are many permutations of these, such as:

• Content as a Service (CaaS)
• Data as a Service (DaaS)
• Desktop as a Service (DaaS)
• Security as a Service (SaaS)

New acronyms are being generated quite regularly; however, they are all focused on the same concept: An underlying IT service is not being installed locally. It is instead virtualized, often via a cloud, and accessed in that manner.

There are some guidelines for cloud security. You don’t have to start from nothing. ISO 27017 is guidance for cloud security. It does apply the guidance of ISO 27002 to the cloud, but then adds seven new controls.

• CLD.6.3.1—This control addresses agreement on shared or divided security responsibilities between the customer and cloud provider.
• CLD.8.1.5—This control addresses how assets are returned or removed from the cloud when the contract is terminated.
• CLD.9.5.1—This control states that the cloud provider must separate the customer’s virtual environment from other customers or outside parties.
• CLD.9.5.2—This control states that the customer and the cloud provider both must ensure the virtual machines are hardened.
• CLD.12.1.5—This control states it is solely the customer’s responsibility to define and manage administrative operations.
• CLD.12.4.5—This control states the cloud provider’s capabilities must enable the customer to monitor their own cloud environment.
• CLD.13.1.4—This control states the virtual network environment must be configured so that it at least meets basic standards

ISO 27018 is closely related to ISO 27017. ISO 27018 defines privacy requirements in a cloud environment, particularly how the customer and cloud provider must protect personally identifiable information (PII). Regardless of which cloud service an organization uses (IaaS, PaaS, etc.), it is important that security policies are in place for handling cloud security.