YURY_CHEMERKIN__ITA_2013_Proceedings.pdf

i

PROCEEDINGS OF THE FIFTH
INTERNATIONAL CONFERENCE
ON INTERNET TECHNOLOGIES
AND APPLICATIONS (ITA 13)



Tuesday 10
th
– Friday 13
th
September 2013
Glyndŵr University, Wrexham, Wales, UK

http://www.ita13.org



Editors
Rich Picking, Stuart Cunningham,
Nigel Houlden, Denise Oram, Vic Grout,
Julie Mayers

Co-editors
Nathan Clarke, Carlos Guerrero,
Raed A Abd-Alhameed, Susan Liggett



Hosted by
Creative and Applied Research for the Digital
Society (C.A.R.D.S.)
Glyndŵr University, Plas Coch Campus, Mold Road, Wrexham,
LL11 2AW, UK

iii
ISBN: 978-0-946881-81-9




www.cards-uk.org














© Glyndŵr University, 2013
All rights reserved
Printed in the United Kingdom
No part of this book may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means – electronic, mechanical, photocopy, recording or otherwise,
- without the prior written permission of the publisher or distributor.

v




FOREWORD


Croeso i Ogledd Cymru. Croeso i Wrecsam!
Welcome to North Wales. Welcome to Wrexham!

These are the proceedings of the Fifth International Conference on Internet
Technologies and Applications (ITA 13), hosted by the University Centre for Creative
and Applied Research for the Digital Society (C.A.R.D.S.) at Glyndŵr University,
Wrexham, North Wales, UK from Tuesday 10
th
to Friday 13
th
September 2013. The
conference has been sponsored by the British Computer Society (BCS) Chester and
North Wales Branch, the British Computer Society (BCS) Health in Wales Group, the
European Union 7
th
Framework Programme (Project Geryon), the UK National Health
Service (NHS) Wales Informatics Service (NWIS), ENIAC (Project Artemos), The
Applied Computational Electromagnetics Society (ACES) and Modibbo Adama
University of Technology, Yola (MAUTECH). We thank them all for their support.

131
SECURITY COMPLIANCE CHALLENGES ON CLOUDS
Yury Chemerkin
Independent Security Researcher / PhD in progress
Russian State University for the Humanities (RSUH)
Moscow, Russia
[email protected]
ABSTRACT
Today cloud vendors provide amount features of integration and optimization in many fields like business
or education; there many way to adopt it for medical purposes, maintaining medical records, or
monitoring patients. Not all cloud solutions totally changed an original security paradigm and customers
still need to manage the accessibility, monitoring and auditing. An appropriate security level has become
very important issue for the customers. The compliance is part of security and a cornerstone when cloud
vendors refer to worldwide standards.
KEYWORDS:
Cloud security, compliance, amazon web services, aws, csa cloud controls matrix, csa, cmm, caiq, csa
consensus assessments initiative questionnaire
1. INTRODUCTION
Cloud Computing has been one of the top security topics for the last several years. The clouds
increasing popularity [1] is based on flexibility of virtualization as a technology for replacing
and improving of complex parts of systems reducing unnecessary computation and usage of
existing resources. Besides the well-known threats, the clouds introduce new security and
management level. Cloud security vendors (not only cloud vendors, almost of all kind of
vendors) claim that the end-user companies prefer a cost reduction instead the security to reduce
the operation complexity of their clouds (or systems) that eventually ends with a lower amount
of security that the end-user will accept. Some security questions about clouds are: how is it
implemented, how are the data or communication channels secured, how are the cloud and
application environments secure, etc. For example, the well-known phrase “physical security
does not exist in clouds” make no serious sense because it was this way as it had been when the
hosting service arrived. Customer must make any improvements than by-default configuration
with each new technology. If the virtual OS is a Windows Server, then the OS has the quite
similar security and patch management state as Desktop/Server OS. In addition, it is mere trust
than downloading and buying third-party solutions and it might be more trustable, than cloud
vendor (they are all third-party solutions).The cloud simply uses well-known protocols like
SMTP, HTTP, SSL, TCP/IP etc. to communicate, send email, file handling and other activity.
The methods that are compliant as a part of the RFC should indicate that they are OK. However,
a key problem is a lack of a systematic analysis on the security and privacy for such cloud
services. Third party organizations like the Cloud Security Alliance (CSA) promote their
recommendations to improve a cloud security and have a registry of cloud vendors' security
controls to help the users to make a right choice on security field.
This research analyzes security aspects, which the customers rely, are basic for cloud and
security standards and represent a minimal set of security state at least. Enterprises need to
comply with of the different regulations and standards (PCI, CSA, HIPAA, ISO etc.). The aim
of research is gaps in the recommendations of security standards (if they are) let cloud vendors

132
or their customers successfully pass the cloud audit checks and claim about compliance having
difference security features between clouds capabilities. The guidelines in such documents
operate at the high level that makes unclear them, miss the useful security countermeasures and
adding a superfluity in the customer’s vision about the system (cloud).
2. RELATED WORK
Nowadays, AWS is one of the most popular cloud platforms. It offers a virtual computing,
storage, VPN, archiving, monitoring, health-watching, email and others services environment
for a user to run applications, store data, operates with events and deliver event-data due the
different services and by different ways. AWS offers many services more accessibility that is
important with merging to the cloud. GAE is one more cloud to run web applications written
using interpretation and scripts languages like Java/Python but it has limited features (security
and the rest). Windows Azure makes a data spreading to the cornerstone, via neither storage nor
web-server. These different goals have a huge influence on the security while all of them were
built in accordance with best practices, and have security controls are well documented.
As we have enough security problems and the greater quantity of security solutions to solve
these problems on one hand and standards with best practices that successfully applied to the
clouds (according to the cloud vendors) on another hand, it should be analyzed whether it is so
difficult to pass the cloud compliance audit in accordance with these documents. In this paper,
the AWS services are going to be examined as the most similar to known existing technologies.
The modern recommendations for clouds are quite similar to given in the Table I at least but
improved to the low details like “you should choose the cloud vendor that offers an encryption
and definitely those who offer the strong encryption e.g. AES” the make a little sense. The
answer “why” is relied on the customers willingness to see an action-to-do like ‘whether they
should rely on this AES encryption or they need encrypt their data before uploading’. It
successfully works when the customers need to check clouds to choose those provide the more
security but it is bad for clouds are provided many services and security features because it is
basic rules only.
Table 1 The common security recommendations
Object What to do
Data Ownership Full rights and access to data
Data Segmentation An isolation data from other customers’ data
Data Encryption A data encryption in transit/memory/storage, at rest
Backup/Recovery An availability for recovery
Data Destruction An Ability to securely destroy when no longer needed
Access Control Who has access to data?
Log Management A data access that logged and monitored regularly
Incident Response Are there processes and notifications in place for incidents (including breaches)
that affect data?
Security Controls An appropriate security and configuration control to data protection
Patch Management Patching for the latest vulnerabilities and exploits?

One more example is how such documents may substitute the customer understanding. NIST
[25] talks about cloud limits on security: “the ability to decide who and what is allowed to
access subscriber data and programs … the ability to monitor the status of a subscriber’s data
and programs …” may follow the idea “no one cloud provides such abilities” by mistake
without a knowledge about cloud infrastructure. Another misthought is about cloud firewall
takes place with opinion that cloud features are useless due the following statement: a cloud

133
firewall should provide a centralized management, include pre-defined templates for common
enterprise server types and enable the following:
Source and Destination Addresses & Ports filtering
Coverage of protocols, DoS prevention
An ability to design policies per network interface
Location checks who/where accessed to data
Besides such detailed ‘how-to’ sets, there are enough statements that the clouds can’t provide
with it, so it is still a security hole, while some of them (ex. AWS) provides these features. The
Table II [7] shows a brief difference between AWS and Azure on compliance vs. documented
technologies to secure and protect data. As a part of ‘non-transparency’, it is quite interesting
that the different offered security features and controls have passed e.g. ISO 27xxxx, while the
cloud difference (comparing each other) looks like a medium feature reduction. The cloud
attributes examined [2] are backup, encryption, authentication, access controls, data isolation
and monitoring, security standards, disaster recovery, client-side protection, etc. This paper
provides a medium-detailed comparison and presents the cloud security/privacy attributes
mapped to NIST guidelines. The [2-6], [26] give a brief examination of AWS S3 and GAE but a
summary comparison over [10], [12], [14], [15] makes clear that AWS offers the most powerful
and flexible features and [7][8].
Table 2 Compliance difference between AWS and Azure
Type
Cloud Vendor
AWS Azure
Compliance
ISO 27001, CSA, HIPAA + +
PCI DSS, FISMA, FIPS 140-2, NIST + N/A
Physical Security
Actions, events logging, logs audit + +
Minimum access rights + +
Auto revocation access after N days, role changed,
MFA, escort
+ N/A
Data Privacy
Backup, redundancy across the location + +
Redundancy inside one geo location, encryption,
DoD/NIST Destruction
+ N/A
Network Security
MITM Protection, Host-Based Firewall (ip,port,mac),
Mandatory Firewall, Hypervisor protection from
promiscuous
+ +
Pentesting offer of services + -
Pentesting offer of apps + +
DDoS Protection, featured firewall + N/A
Credentials
Login and Passwords, SSL + +
Cross account IAM, MFA hardware/software, Key
Rotation
+ N/A

Such recommendations may also advise the different sanitizing technique to use on client of
cloud side. Effective and efficient sanitization is a forensics statement. There are a lot of
methods and techniques but some of them rely on brute-force wiping that extremely useless for
the clouds due financial matters. The ERASERS proposed in [24] computes the entropy of each
data block in the target area and wipes that block specified number of passes and pattern then.
Patterns and entropy are valuable because the file types (docx, mp3, odf, pgp, acid*) have a
quite different characteristics. It means that ERASERS has many subpopulations which of them
applied to certain cases. It gives a faster wiping vs. regular brute force methods of overwriting.
As the disk sizes increase up to petabyte scale (recently AWS offer such storage), the brute

134
force methods is becoming near impossible in time. Many drives contain areas do not have data
needing overwriting, as known as for SSD that shuffles data between data block every time, but
keeps the encrypted area untouched. According to NIST SP800-88 [9], “studies have shown that
most of data can be effectively cleared by one overwrite with random data rather than zeroing”.
The original version of DoD 5220.22-M (AWS implements this one) recommends a 3-pass wipe
with one pass of a uniform character, one pass of its complement, and one pass of random
characters, while the current DoD 5220.22-M does not specify the number of passes or the
pattern. As ERASERS shows the good results, it should be implemented to AWS EC2 or other
cloud VM.
The one of the most serious work on AWS security [27] gives results as a "black box" analysis
methodology in regards to the control interfaces (AWS EC2 and S3) compromised via the novel
signature wrapping and advanced XSS techniques, HTML injections, as well as SOAP issues
with validation and man-in-the-middle attacks. Authors examined the possible way of
protection and found that AWS EC2 & S3 services do not provide the suitable opportunities to
implement their solutions. Despite of that, there was found solutions based on native AWS
security features to protect against these attacks [28]:
Utilizing the SSL/HTTPS only with certificate validation and utilizing API access mechanisms
like REST/Query instead of SOAP
Activating access via MFA and creating IAM accounts limited in access, AWS credentials
rotation enhanced with Key pairs and X.509 certificates
Limiting IP access enhanced with API/SDK & IAM
The virtualization refers to a hypervisor, while a virtual machine works with a configured
snapshot of an OS image and requires well-known shared resources like memory, storage, or
network. It is generally agreed that even isolation these shared resources without affecting other
instances, VMs can be trusted in few cases only, while it is vulnerable under the most known
XEN attacks. However, no one XEN vulnerability has not applied to AWS services [29]that
brings to understanding the term “customize” in regards to clouds. Other ability to control due
the AMT commands [30] is applied to VMware but there is not known successful
implementations for AWS, Azure, GAE or other clouds. Also may have serious performance
problems such as overloading the virtual OS with analysing CPU commands and system calls,
regardless of where the trusted/untrusted control agents are, multiplied by known issues the best
of all demonstrated in case of GPU [31].
There are security virtualization issues even in clouds, no doubt, and it should be taken in
consideration. One exciting example [32] talks about an incorrect behavior in the SSL certificate
validation mechanisms of AWS SDK for EC2, ELB, and FPS. Despite of that, AWS has
updated all SDK (for all services) to redress it [13].
3. EXAMINATION THE CSA DOCUMENTS ON CLOUDS
The CSA documents provide vendors and their customers with a medium-detailed overview
what the statements do the cloud security features applied to as it defined in the Consensus
Assessments Initiative Questionnaire (CAIQ) and Cloud Control Matrix (CCM). The cloud
vendors announce that their services operate in according to them: However, the customers have
a responsibility to control their environment and define whether it is really in compliance. In
other words, how much are cloud controls and configurations transparent. Here the regulations
meet the technical equipment as a public technical proof is going to be examined from that point
at first. Each control ID (CID) will be kept to find it CAIQ [33] & CCM [34], while his
explanation is rewritten to reduced amount of text and grouped by domain/control group,
similar questions/metrics. Some considerations are used in tables III, IV: each abbreviation is
reduced name of Control Group ID: CO-Compliance, DG - Data Governance, FS-Facility

135
Security, HR - Human Resource Security, IS - Information Security, RS – Resiliency, SA -
Security Architecture. Requirements from section [LG–Legal, OP–Operation Management, RI–
Risk Management, RM–Release Management] and other non-technical are removed as are
compliant in order to ISO 27xxx, SOC, COBIT by independent auditors and reviewers.
Table 3 AWS solutions against a CAIQ
CID Questions AWS Response
CO-01.1 Any certifications, reports and other
relevant documentation in regards to the
standards
AWS has this one and provides it under NDA.
CO-02.1-7 An ability to provide the tenants the 3rd
party audit reports, and conduct the
network/application cloud penetration tests
as well as internal/external audits regularly
(in regards to the guidance) with results
AWS engages with independent auditors
reviewing their services and provides the
customers with the relevant 3rd party
compliance/attestations/certifications reports
under NDA. Such audit covers regularly scans
of their (non-customer) services for
vulnerabilities [22-23] the customers are also
available to make pentest [21] of their own
instances due the tentative agreement.
CO-03.1-2 An ability to perform the vulnerability
tests for customers (means their own tests)
on applications and networks.
Customers are able to perform it due the
permission (writing email with the instances
IDs and period) request via AWS
Vulnerability/Penetration Testing Request
Form [21]
CO-05.1-2 An ability to logically split the tenants data
into the segments (additionally, due the
encryption) as well as data recovering for
specific customers in case of failure or
data loss
All data stored by the customers has canonical
isolation by path and additional security
capabilities like the permissions, personal
entry points to access the data as well as
MFA. AWS encryption mechanisms are
available for S3 (Server Side Encryption),
EBS (encryption storage for EC2 AMIs),
SimpleDB, EC2 (due the EBS plus SSL), VPC
(encrypted connections and sessions).
Additionally, the customer can use any cloud
services offered a backup from and to AWS
services like SME Storage for cloud vendors
or Veeam Backup Cloud Edition for VMs
DG-01.1 An implementation of structured data-
labeling standard
Depends on the customers’ needs and their
requirements.
DG-02.1-5 An identifying ability of the VM via policy
tags/metadata to perform any quality
control/restrict actions like identifying
hardware via policy & tags/metadata,
using the geolocation as an authentication,
providing a physical geolocation, allowing
to choose suitable geolocations for
resources and data routing
The tenants are featured to apply any metadata
and tagging to the EC2 VMs to set the user-
friendly names and enhance searchability.
AWS offer several regions [19]. Each of them
is covered by geo location policy and access
as well as is able to be restricted by SSL, IP
address and a time of day. They offer move
data between each other directly by the
customers via API/SDK
DG-03.1 Any policies and mechanisms for labeling,
handling and security of data
As the customers retain ownership, they are
responsible to implement it.

136
DG-04.1-2 The technical capabilities to enforce tenant
data retention policies and documented
policy on government requests
The customers have capability manage
retention, control, and delete their data except
case when AWS must comply with law.
DG-05.1-2 A secure deletion (ex. degaussing /
cryptographic wiping) and providing the
procedures how a cloud vendor handles
this deletion
At the end of a storage useful life, AWS
performs a decommissioning process to
prevent data exposing via DoD 5220.22-
M/NIST 800-88 techniques. In additional the
device will be degaussed or physically
destroyed.
DG-07.1-2 A presence of the controls to prevent data
leakage / compromising between AWS’
tenants
There were not known the serious security
bugs of AWS environment successfully
applied or that cannot ‘patched’ by using the
implemented PCI controls [27-29] to make the
resources segmented from each other. A
hypervisor is designed to restrict non-allowed
connections between tenant resources
DG-08.1 An availability of control health data to
implementation a continuous monitoring to
validate the services status
AWS provides the independent auditor reports
under NDA and customers on their own
systems can build a continuous monitoring of
logical controls additionally implementing
[19].
FS-04.1 A ability to provide the customers a
knowledge which geo locations are under
traversing into/out of it in regards law
AWS imposes not to move a customers'
content from them without notifying in
compliance the law. The rest is similar to the
DG-02.5.
FS-06.1
FS-07.1
Availability of docs that explain if and
where data may be moved between
different locations, (e.g. backups) and
repurpose equipment as well as sanitizing
of resources
AWS imposes control the customers to
manage the data locations. Data will not be
moved between different regions, only inside
that were chosen to prevent failure. The rest is
similar the DG-05.1-2 (talks about the AWS
side only)
IS-04.1-3 An ability to provide the documents with
security recommendations per each
component, importing the trusted VMs as
well as capability to continuously monitor
and report the compliance
Customers are able [11] to use their own VMs
due the image importing via AWS VM
Import, as well as AWS Import/Export
accelerates moving large amounts of data
into/out in case of backup or disaster recover.
The rest is similar to the DG-08.1 in order to
ISO (domain 12.1, 15.2)
IS-05.1 An ability to notify the customers on
information security/privacy polices
changes
Despite of AWS provides a lot of how-to-
docs, binary & sources [10-18], [28-29] are
regularly updated, it’s better to subscribe to
the news via RSS and email, because there is
no other directly way to be notified
IS-08.1-2 A docs described how the cloud vendor
grant and approve access to tenant data
and if provider & tenant data classification
methodologies is aligned with each other
The customers as data owners are responsible
for the development, content, operation,
maintenance, and use of their content.
IS-09.1-2 A revocation/modification of user access
to data upon any change in status of
employees, contractors, customers, etc.
Amazon provides enough security control to
maintain an appropriate security policy and
permissions not to let spreading the data if it is

137
explicitly not allowed that also built by AWS.
The rest is similar to the IS-07.1-2 in regards
AWS staff
IS-12.1-2 A participation in the security groups with
benchmarking the controls against
standards
AWS policies is based on COBIT, ISO
27001/27002 and PCI DSS
IS-13.1 A documentation clarifying the difference
between administrative responsibilities vs.
those of the tenant
AWS provides these roles among the general
security documents (it means not among the
specific services documents)
IS-17.1-3 Any policies to address the conflicts of
interests on SLA, tamper audit, software
integrity, and detect changes of VM
configurations
AWS provides the details SOC 1 Type II
report in compliance with ISO 27001 (domain
8.2, 11.3) that validated by independents
auditors
IS-18.1-2
IS-19.1-4
Ability to create and manage unique
encryption keys per a tenant, to encrypt
data to an identity without access to a
public key certificate (identity based
encryption) as well, to protect a tenant data
due the transmission, VMs, DB and other
data via encryption, and maintain key
management
If keys created on server side, AWS creates
the unique keys and utilizes it, if it did on
client side due the own or 3rd party solutions,
the customers can manage it only. AWS
encryption mechanisms are available for S3
(Server Side Encryption), EBS (encryption
storage for EC2 AMIs), SimpleDB, EC2 (due
the EBS plus SSL), VPC ( encrypted
connections and sessions), etc.
IS-20.1-6 An ability to perform vulnerability scans in
regards to the recommendations on
application-layer, network-layer, local OS
layer and patching then. Providing the info
about issues to AWS who makes it public
Similar to the CO-03.1-2 but more detail that
means the customers are should performing
vuln scan and patching despite of the VMs’
OS are coming with the latest updates; they
are obliged to come to the agreement with
AWS and not violate the Policy. Also similar
to the CO-02.6-7 on providing the results [21-
23]
IS-23.1-2
IS-24.1-4
An ability of SIEM to merge data sources
(app logs, firewall logs, IDS logs, physical
access logs, etc.) for granular analysis and
alerting. Additional providing an isolation
of the certain customers due incident.
AWS have this one in compliance with ISO
and Even the customers’ data stored with
strong isolation from AWS side and
restrictions made by them all data should be
encrypted on client side, because it leads to
participation with law directly as AWS does
not get the keys in this case.
IS-28.1-2
IS-29.1
An ability to use an open encryption
(3DES, AES, etc.) to let tenants to protect
their data on storage and transferring over
public networks. As well, an availability of
logging, monitoring and restriction any
access to the management systems
controlled hypervisors, firewalls, APIs,
etc.)
AWS encryption mechanisms are available for
S3 (Server Side Encryption), EBS (encryption
storage for EC2 AMIs), SimpleDB, EC2 (due
the EBS plus SSL), VPC (encrypted
connections and sessions). Customers may use
third-party encryption technologies too as well
as rely on the AWS APIs are available via
SSL-protected endpoints. AWS has a logging
feature, delineates the minimum standards for
logical access to AWS resources and provides
details with SOC 1 Type II report
IS-34.1-3 An ability to monitor and segment/restrict
the key utilities managed virtualized
AWS has this one and provides details with
SOC 1 Type II report. AWS examines such

138
partitions (ex. shutdown, clone, etc.) as
well as ability to detect attacks (blue pill,
etc.) to the virtual key components and
prevent from them
attacks and provides information if they apply
in section “Security Bulletins” [35]. An
example of blackbox attack [27],[28] was
given in the Section II of this paper with a
native security features as a solution
SA-02.1-7 A capability to use the SSO, an identity
management system, MFA Policy
Enforcement Point capability (ex.
XACML), to delegate authentication
capabilities, to support identity federation
standards (SAML, SPML, WS-Federation,
etc.), use 3rd party identity assurance
services
AWS IAM [15-18] provides the securely
access and roles to the resources with features
to control access, create unique entry points of
users, cross AWS-accounts access due
API/SDK or IAM console, create the
permissions with duration and geo auth. AWS
offers identity federation and VPC tunnels to
utilize existing corporate identities to access.
Additionally, customers may avoid the
mistakes and risks by using AWS Policy
Generator and MFA devices [20].
SA-03.1
SA-04.1-3
SA-05.1
Any industry standards as a background
for a Data Security Architecture standards
(NIST) to build-in security for SDLC,
tools detecting the security defects and
verify the software. An availability of I/O
integrity routines for application
interfaces, DB to prevent errors and data
corruption
AWS Security based upon the best practices
and standards (ISO 27001/27002, CoBIT, PCI
DSS) that certified by independent auditors to
build threat modeling and completion of a risk
assessment as a part of SDLC. AWS
implements this one through all phases
including transmission, storage and processing
data in compliance to ISO 27001 (domain
12.2) that certified by independent auditors.
SA-06.1-2
SA-08.1
Environment separation for
SaaS/PaaS/IaaS, providing how-to-docs
AWS provides a lot of how-to-docs, binary &
sources [10-18],[28-29]
SA-07.1 A MFA features are strong requirement for
all remote access
MFA is not strong and depends on the
customer configuration [20]
SA-09.1-4
SA-10.1-3
SA-11.1
A segmentation of system and network
environments with a compliance, law,
protection, and regulatory as well as a
protection of a network environment
parameter
An internal segmentation is in alignment with
ISO and similar to the CO-05.1-2 while
external is a part of the customer
responsibility. Internally, a traffic restriction is
under ‘deny/allow’ control by default.
Externally, customers may use SSL,
encryption key, encryption solutions, security
policies to explicitly approve the security
settings
SA-12.1 A NTP or other similar services AWS services rely on the internal system
clocks synchronized via NTP
SA-13.1 An equipment identification is as a method
to validate connection authentication
integrity based on known location
AWS provides such ability, for example due
the AWS metadata, geo tags and other tags
created by the customers
SA-15.1-2 A mobile code authorization before its
installation, prevention from executing and
using to a clearly defined security policy
The customers are responsible to manage it to
meet their requirements.

139
Table 4 AWS solutions against a CCM
CID Control Specification AWS Response
CO-01 Audit plans, activities and operational
action items focusing on data duplication,
access, and data boundary limitations with
aim to minimize the risk of business
process disruption.
AWS has appropriate technical solutions,
internal controls to protect customer data
against alteration/destruction/loss/etc. Any
kind of additional audit information is
provided to the customers under NDA
CO-02 Independent reviews shall be performed
annually/planned intervals to aim a high
effective compliance policies, standards
and regulations (i.e., internal/external
audits, certifications, vulnerability and
penetration testing)
AWS shares 3rd audit reports under NDA
with their customers. Such audit covers
regularly scans of their (non-customer)
services for vulnerabilities [22-23] while the
customers are allowed to request for a pentest
[21] of their own instances
CO-03 3rd party service providers shall
demonstrate compliance with security due;
their reports and services should undergo
audit and review.
AWS requires to meet important privacy and
security requirements conducting 3rd parties
in alignment ISO 27001 (domain 6.2)
CO-06 A policy to safeguard intellectual property AWS will not disclose customer data to a 3rd
party unless it is required by law and will not
use data except to detect/repair problems
affecting the services
DG-01 All data shall be designated with
stewardship with assigned responsibilities
defined, documented and communicated.
Customers are responsible for maintaining it
regarding their assets
DG-02 Data, and objects containing data, shall be
assigned a classification based on data
type, jurisdiction of origin, jurisdiction
domiciled, etc.
AWS allows customers to classify their
resources by themselves (ex. applying any
metadata and tagging to the EC2 VMs to set
the user-friendly names & enhance
searchability)
DG-03 Policies/mechanisms for labeling, handling
and security of data and objects which
contain data
Similar to DG-02
DG-04 Policies for data retention and storage as
well as implementation of backup or
redundancy mechanisms to ensure
compliance with regulatory and other
requirements that validated regularly
AWS infrastructure is validated regularly any
purposes in alignment with security standards
and featured by AWS EBS and Glacier (for
data archiving and backup), but the customers
have capability manage it due the API/SDK
DG-05 Policies and mechanisms for the secure
disposal and complete removal of data
from all storage media, ensuring data is not
recoverable by any computer forensic
means.
AWS rely on best practices to wipe data via
DoD 5220.22-M/NIST 800-88 techniques; if it
is not possible the physical destruction
happens
DG-06-07 Security mechanisms to prevent data
leakage.
AWS has implemented logical (permissions)
and physical (segmentation) controls to
prevent data leakage. (ex. a hypervisor is
designed to restrict non-allowed connections
between tenant resources, however the end-
users are responsible to manage the right
sharing permissions

140
FS-06
FS-07
Policies and procedures shall be
established for securing and asset
management for the use and secure
disposal of equipment maintained and used
outside the organization's premise.
AWS imposes control the customers to
manage the data locations. Data will not be
moved between different regions, only inside
that were chosen to prevent failure.
FS-08 A complete inventory of critical assets
shall be maintained with ownership
defined and documented.
AWS maintains a formal policy that requires
assets, the hardware assets monitored by the
AWS personnel and maintain the relationships
with all AWS suppliers are possible in comply
ISO 27001 (domain 7.1) for additional details.
IS-01
IS-02
IS-03
An implementation of ISMP included
administrative, technical, and physical
safeguards to protect assets and data from
loss, misuse, unauthorized access,
disclosure, alteration, and destruction
AWS implements ISMS to address
security/privacy best practices and provides
details under NDA the appropriate
documentation
IS-04 An implementation of baseline security
requirements for applications / DB /
systems / network in compliance with
policies / regulations/standards.
Baseline security requirements are technically
implemented with ‘deny’ configuration by
default and documents among the AWS
security documents for all services (ex. [10-
18])
IS-05 An information security policy review at
planned intervals
Despite of AWS provides a lot of how-to-
docs, binary & sources [10-18], [28-29] are
regularly updated, it’s better to subscribe to
the news via RSS and email, because there is
no other directly way to be notified by AWS
IS-07-08 An implementation of user access policies
and for granting/revoking access to apps to
apps, DB, and the rest in accordance with
security, compliance and SLA.
All AWS services featured by IAM that
provides powerful permissions items with
predefined templates;
IS-18
IS-19
Implemented policies / mechanisms
allowing data encryption in storage (e.g.,
file servers, databases, and end-user
workstations) and data in transmission
(e.g., system interfaces, over public
networks, and electronic messaging) as
well, key management too
If keys created on server side, AWS creates
the unique keys and utilizes it, if it did on
client side due the own or 3rd party solutions,
the customers can manage it only. AWS
encryption mechanisms are available for S3
(Server Side Encryption), EBS (encryption
storage for EC2 AMIs), SimpleDB, EC2 (due
the EBS plus SSL), VPC (encrypted
connections and sessions), etc.
IS-20 Implemented policies and mechanisms for
vulnerability and patch management on
side of apps, system, and network devices
AWS provides their services with the latest
updates, performs analyzing software updates
on their criticality as well as customer
partially ability to perform vuln scans and
patching despite of that and not violate the
Policy [21-23]
IS-21 A capability of AV solutions to detect,
remove, and protect against all known
types of malicious or unauthorized
software with antivirus signature updates
at least every 12 hours.
AWS does manage AV solutions & updates in
compliance to ISO 27001 that confirmed by
independent auditors. Additionally, customers
should maintain their own solutions to meet
their requirements
IS-22 Policies and procedures to triage security AWS has defined role responsibilities and

141
related events and ensure timely and
thorough incident management.
incident handling in internal documents in
compliance with ISO and provides the SOC 1
Type Report
IS-23
IS-24
Information security events shall be
reported through predefined
communications channels in a prompt and
expedient manner in compliance with
statutory, regulatory and contractual
requirements
AWS contributes with it over [21-23]
IS-26 Policies and procedures shall be
established for the acceptable use of
information assets.
According to AWS, the customers manage
and control their data only unless it needs due
the law requirements or troubleshooting aimed
at fix services issues
IS-32
IS-33
Policies and mechanism to limit access to
sensitive data (especially an application,
program or object source code) from
portable and mobile devices
AWS has this one, delineates the minimum
rights for logical access to AWS resources and
provides details with SOC 1 Type II report
RS-01-08 Documented policy and procedures
defining continuity and disaster recovery
shall be put in place to minimize the
impact of a realized risk event on the
organization to an acceptable level and
facilitate recovery of information assets
through a combination of preventive and
recovery controls, in accordance with
regulations and standards. Physical
protection against damage from natural
causes and disasters as well as deliberate
attacks including fire, flood, etc. shall be
implemented.
Such policies are in alignment with ISO 27001
( domain 14.1);
AWS provides a Cloudwatch services to
monitor the state of AWS EC2, EBS, ELB,
SQS, SNS, DynamoDB, Storage Gateways as
well as a status history [19]. AWS provides
several Availability Zones in each of six
regions to prevent failures, but the customers
are responsible to manage it across regions or
other clouds vendors via API and SDK. A
physical protection is in compliance ISO
27001 and 27002. Information about the
transport routes is similar to the FS-06.1
SA-02 An implementation of user credential and
password controls for apps, DB, server and
network infrastructure, requiring the
following minimum standards
AWS IAM [15-18] provides the securely
access and roles to the resources with features
to control access, create unique entry points of
users, cross AWS-accounts access due
API/SDK or IAM console, create the powerful
permissions with duration and geo auth. AWS
offers identity federation and VPC tunnels led
to utilizing existing corporate identities to
access, temporary security credentials.
Additionally, the customers may avoid the
mistakes and risks by using an AWS Policy
Generator and MFA devices [20]. IAM allows
creating and handling the sets defined in
accordance with the subrules of SA-02 (in
original of CMM).
SA-06
SA-08
A segmentation of production and non-
production environments to prevent
unauthorized access, restrict connections
between trusted & untrusted networks for
use of all services, protocols, ports allowed
AWS provides a lot of how-to-docs, binary &
sources (as an example [10-18],[28-29])

142
SA-07 A requirement of MFA for all remote user
access.
MFA is not by default and depends on the
customer configuration [20]
SA-09
SA-10
SA-11
A system and network environments
separation via firewalls in regards to
isolation of sensitive data, restrict
unauthorized traffic, enhanced with strong
encryption for authentication and
transmission, replacing vendor default
settings (e.g., encryption keys, passwords,
SNMP community strings, etc.)
An internal segmentation is in alignment with
ISO and similar to the CO-05.1-2 while
external is a part of the customer
responsibility. Internally, a traffic restriction is
too and has ‘deny/allow’ option in EC2/S3 by
default (but the explicitly cfg is
recommended), etc. Externally, the customers
are able to use SSL, encryption key,
encryption solutions, security policies to
explicitly approve the security settings (AWS,
3rd party or their own)
SA-12 An external accurate time to synchronize
the system clocks of all information-
processing systems (US GPS & EU
Galileo Satellite)
AWS services rely on the internal system
clocks synchronized via NTP
SA-13 A capability of an automated equipment
identification as a part of authentication.
AWS provides such ability, for example due
the metadata, geo tags and other tags created
by the customers
SA-14 Audit logs recording privileged user access
activities, shall be retained, complying
with applicable policies and regulations,
reviewed at least daily and file integrity
(host) and network intrusion detection
(IDS) tools implemented to help
investigation in case of incidents.
AWS have this one in compliance with ISO
and provides the results with SOC 1 Type II
Report. AWS has the incident response
program in compliance too. Even the
customers’ data stored with strong isolation
from AWS side and restrictions made by
them, additional materials (SOC 1 Type II
report) must be requested to clarify all
questions on forensics. All data should be
encrypted on client side, because it leads to
the customers participation with law directly
as AWS do not have the keys in this case.
SA-15 A mobile code authorization before its
installation, prevention from executing and
using to a clearly defined security policy
The customers are responsible to manage it to
meet their requirements.

4. CONCLUSION
Any complex solutions and systems like AWS, Azure, or GAE tend to prone to security
compromise, because they have to operate large-scale computations, dynamic configuration.
Clouds vendors do usually not disclose the technical details on security to the customers, thus
raising question how to verify with appropriate requirements. The cloud security depends on
whether the cloud vendors have implemented security controls that documented and enhanced
with policy. However, there is a lack visibility into how clouds operate; each of them differs
from other in levels of control, monitoring and securing mechanisms that widely known for
non-cloud systems. The potential vulnerability requires a high degree of security combined with
transparency and compliance. AWS relies on security frameworks based on various standards
that certified by auditors and help customers to evaluate if/how AWS meets the requirements.
CAIQ/CCM provide equivalent of them over several standards. Partially bad idea is public
documents filled by vendors with general explanations referred to NDA reports multiplied by
common recommendations.

143
Besides the details from 3
rd
party audit reports customers may require assurance in order to local
laws and regulations. It is quite complicated of reducing the implementation and configuration
information as a part of proprietary information (that is not bad or good, just complicated). In
other words it may call for specific levels of audit logging, activity reporting, security
controlling and data retention that are often not a part of SLA offered by providers. A result of
an examination of AWS security controls against security standards/regulations shown in [8]
and partially in [7] is successfully passing standards by use of native security features
implemented in AWS Console, CLI and API/SDK only. It additionally includes cases that the
current AWS security features should to be enhanced via third party security solutions like
national encryption on client side before uploading data and ability to indirectly comply with
requirements. Talking about security enhance, not only security controls belong to cloud layer
(outside the VMs) should be used to protect data, communications, memory etc. but also
internal OS controls and 3
rd
party solutions together. It excludes obsolescent clauses and cases
‘just wait’ a solution from AWS of inability to build and implement appropriate. OS and third
party solutions are known for non-clouds system allow protecting critical and confidential
information is present in different system, configuration and other files to avoid alteration,
exposing, accessing of them.
Examination cloud solutions such as Azure, BES with AWS & Azure, and Office365 with
Cloud BES against other standards is a part of further research, however the signification
direction is improving existing CSA and NIST recommendations in order to enhance
transparency via utilization primarily technical requirements: on cloud layer, on inter-VM/DB
& inter-cloud-services layer, on VM/DB layer.
5. REFERENCES
[1] Mell P. & Grance T. (2011) The NIST definition of cloud computing. recommendation of the
national institute of standards and technology, NIST
[2] Abuhussein, H. Bedi, S. Shiva, (2012) “Evaluating Security and Privacy in Cloud Computing
Services:A Stakeholder’s Perspective”, The 7th International Conference for Internet Technology
and Secured Transactions, pp. 388 – 395, Dec 2012
[3] Feng, J., Chen, Y.& Liu, P. (2010) “Bridging the Missing Link of Cloud Data Storage Security in
AWS,” 7
th
Consumer Communications and networking Conference (CCNC), pp.1-2, Jan 2010
[4] Hu, Y., Lu F., Khan, I. & Bai, G. (2012) "A Cloud Computing Solution for Sharing Healthcare
Information”, The 7th International Conference for Internet Technology and Secured
Transactions, pp. 465 – 470, Dec 2012
[5] “Google cloud services – App Engine”. [Online resource:
www.google.com/enterprise/cloud/appengine/, Accessed:23-Nov-12]
[6] “Technical Overview of the Security Features in the Windows Azure Platform”. [Online resource:
www.google.com/enterprise/cloud/appengine/, Accessed:23-Nov-12]
[7] Chemerkin, Y. (2012) “AWS Cloud Security from the point of view of the Compliance”, PenTest
Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa, vol. 2 №10 Issue 10/2012 (12)
ISSN 2084-1116, pp. 50-59, Dec 2012
[8] Chemerkin, Y. “Analysis of Cloud Security against the modern security standards”, draft (is going
to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa in
May
[9] Kissel, R., Scholl, M., Skolochenko, S. & Li, X. (2006) “Guidelines for media sanitization:
Recommendations of the national institute of standards and technology,” in NIST SP 800-88
Report
[10] “Amazon EC2 Microsoft API Reference. [Online resource:
docs.aws.amazon.com/AWSEC2/latest/APIReference/, Accessed:05-Dec-12]

144
[11] “AWS Import/Export Developer Guide. [Online resource:
aws.amazon.com/documentation/importexport/, Accessed:16-Dec-12]
[12] “Amazon Virtual Private Cloud Network Administrator Guide. [Online
resource:docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide, Accessed:05-Dec-12]
[13] “Reported SSL Certificate Validation Errors in API Tools and SDKs”, [Online resource:
aws.amazon.com/security/security-bulletins/reported-ssl-certificate-validation-errors-in-api-tools-
and-sdks/, Accessed:15-Jan-13]
[14] “Amazon S3 API Reference. [Online resource: docs.aws.amazon.com/AmazonS3/latest/API/,
Accessed:20-Dec-12]
[15] “Amazon IAM API Reference. [Online resource:
docs.aws.amazon.com/IAM/latest/APIReference/, Accessed:29-Dec-12]
[16] “Amazon Using Temporary Security Credentials. [Online resource:
docs.aws.amazon.com/IAM/latest/UsingSTS/, Accessed:29-Dec-12]
[17] “Amazon AWS Security Token Service API Reference. [Online resource:
docs.aws.amazon.com/STS/latest/APIReference/, Accessed:29-Dec-12]
[18] “Amazon Command Line Reference. [Online resource:
docs.aws.amazon.com/IAM/latest/CLIReference/, Accessed:29-Dec-12]
[19] “AWS Services Health Status” [Online resource: status.aws.amazon.com/, Accessed:16-Feb-13]
[20] “AWS MFA” [Online resource: aws.amazon.com/mfa, Accessed:16-Feb-13]
[21] “AWS Vulnerability/Pentesting Request Form” [Online resource:
portal.aws.amazon.com/gp/aws/html-forms-
controller/contactus/AWSSecurityPenTestRequest,Accessed:16-Feb-13]
[22] “AWS Abuses reports (EC2, other AWS services)” [Online resource:
portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse, Accessed:16-Feb-
13]
[23] “AWS Vulnerability Reporting” [Online resource: aws.amazon.com/security/vulnerability-
reporting/, Accessed:16-Feb-13]
[24] Medsger, J. & Srinivasan, A. (2012) "ERASE- EntRopy-based SAnitization of SEnsitive Data for
Privacy Preservation", The 7th International Conference for Internet Technology and Secured
Transactions, pp. 427 – 432, Dec 2012
[25] “DRAFT Cloud Computing Synopsis and Recommendations,” NIST Special Publication 800-146.
[Online resource: csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf,
Accessed:06-Jan-13]
[26] “Security Whitepaper. Google Apps Messaging and Collaboration Products”, [Online resource:
cryptome.org/2012/12/google-cloud-sec.pdf, Accessed:23-Nov-13]
[27] Somorovsky, J., Heiderich, M., Jensen, M., Schwenk, J., Gruschka, N. & Iacono, L.L. (2011) "All
Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM
workshop on Cloud computing security workshop (CCSW), pp.3-14, Oct 2011
[28] “Reported SOAP Request Parsing Vulnerabilities”, [Online resource:
aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/,
Accessed:15-Jan-13]
[29] “Xen Security Advisories”, [Online resource: aws.amazon.com/security/security-bulletins/xen-
security-advisories/, Accessed:15-Jan-13]
[30] “The Essential Intelligent Client”, [Online resource:
www.vmworld.com/servlet/JiveServlet/downloadBody/5700-102-1-
8823/Intel%20The%20Essential%20Intelligent%20Client.pdf, Accessed:15-Jan-13]

145
[31] Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR [Online resource:
news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html/, Accessed:22-Nov-13]
[32] “The most dangerous code in the world: validating SSL certificates in non-browser software”, 19
th

ACM Conference on Computer and Communications Security, pp. 38-49, Oct 2012
[33] “CSA Consensus Assessments Initiative Questionnaire v1.1” [Online resource:
cloudsecurityalliance.org/research/cai/, Accessed:22-Dec-12]
[34] “CSA Cloud Controls Matrix v1.3” [Online resource: cloudsecurityalliance.org/research/cai/,
Accessed:22-Jan-13]
[35] “AWS Securtiy Bulletins” [Online resource: aws.amazon.com/security/security-bulletins/,
Accessed 16-Feb-13]