YURY CHEMERKIN I-Society-2013 Proceedings
Abstract – Since web technology arose and clouds arrived, every application wants to be online and operates with sensitive data, which cannot but attract anyone seeking access to this data. This means an urgent need for security. Examining the clouds leads us to different visions of security controls and metrics per cloud vendor, while industrial organizations try to help the vendors and their customers reach an appropriate security level. They offer transparency of security controls that belong to different vendors against the best security practices.

Keywords: cloud security, amazon web services, aws, azure, compliance, csa recommendations, nist sp 800-53 rev.3, nist, csa

I. INTRODUCTION

The goal of a cloud is delivering various computing resources like computing, storage and databases as paid services over the web. It is generally known that cloud vendors provide this without infrastructure and location details, which is partially wrong or depends on the particular vendor; a cloud may also bring quite unique concerns in the security field. As opposed to a private cloud, a public cloud hypervisor unfortunately does not provide APIs to manage any processes and flows, which is nothing new compared with managing a black box several decades ago. It is the same kind of trust as downloading and buying third-party solutions, since cloud solutions are third-party too.

To build security and privacy, cloud vendors provide their customers with security controls in areas like data protection, identity management, application and system/network security, and availability. However, the customers must meet a transparency of security controls in alignment with industrial standards, while vendors must enable them to comply with it. Standards like the documents of NIST, ISO, PCI DSS, etc. provide a measure of information security from the perspective of security at least, because there are various ways to get the same security level. However, such standards look more detailed and go deeper into security and privacy than the guidance, best practices and metrics promoted by CSA. They try to bring transparency to clouds, but the results are far from it, which makes the customers' actions uncertain.

This research examines MS Azure and AWS clouds in alignment with modern security standards and goes on to explain possible issues in obtaining “trustable security controls” according to compliance, and presents a working out of the details of recommendations among several standards. In addition, it addresses a deep analysis between different cloud vendors on security. The paper extends the results of previous work [2-4] on security, compliance and transparency of AWS controls.

II. RELATED WORK

MS Azure has become one more popular cloud platform along with Amazon Web Services (AWS) as an open cloud platform to operate with web sites, applications, mobile services, VMs, BigData, MediaStream and more. These clouds are both so popular that both are a background for iCloud [5]. An examination of AWS security controls with their transparency in alignment with security guidance and the ability to pass it easily was given in papers [4], [3]. A quick analysis of AWS and Azure was given in paper [2]. As Azure is purposed for data spreading, it shifts a significant part of security from the typical layers (network, OS, etc.) to an application layer on standards examination, as opposed to AWS [12]. That is the key reason why cloud security might have unique concerns under the mask of a non-typical interaction, but ones certainly known within the scope of a pentest and audit of applications. In general, it replaces user/password plus MFA access with x509 access, keeping basic security rules.

The standards together with best practices are known to provide us with a least security that is sometimes dumped with descriptive generalizations and properties, because simplification and reduction are not the same thing. For example, the paper on the top nine cloud threats [1], as opposed to the previous seven, covers quite mixed facts related more to private clouds than public ones. These examples in the link section are:

“1.0. Top Threat: Data Breaches // Cross-VM Side Channels and Their Use to Extract private Keys”,
“7.0. Top Threat: Abuse of Cloud Services // Cross-VM Side Channels and Their Use to Extract private Keys”
“4.0. Top Threat: Insecurity Interfaces and APIs” // both examples

The first case highlights how public clouds, e.g. AWS EC2, are vulnerable, but is totally focused on a private cloud case (VMware and XEN), while there is no known way to apply it to AWS [9]. Instead, the work [7] explains how to compromise EC2 & S3 control interfaces with different modern techniques, but Amazon advises a native configuration against it [8].

The second case presents issues raised by SSO access without relation to the public clouds (except Dropbox, SkyDrive) and is addressed to the insecurity of APIs. A paper about issues of SSL validation [10] is a similar example, successfully solved by AWS. Dumping all generalized facts and recommendations into one basket is not a good idea and may lead to statements like “cloud vendors do not provide with full detailed to let us trust and ensure us in privacy”. First of all, the cloud vendors have their infrastructure built and