YURY CHEMERKIN I-Society-2013 Proceedings


International Conference on Information Society (i-Society 2013)
Technical Co-Sponsored by IEEE Toronto Section
June 24-26, 2013, Toronto, Canada
www.i-society.eu

i-Society 2013 Proceedings
Edited by Charles A. Shoniregun and Galyna A. Akmayeva
Copyright © i-Society 2013. Published by Infonomics Society. ISBN: 978-1-908320-13-1
IEEE Catalog Number: CFP1329N-CDR
Limitations of Security Standards against Public Clouds
Yury Chemerkin
Russian State University for the Humanities (RSUH)
Moscow, Russia
yury.chemerkin@gmail.com

Abstract – Since web technology arose and clouds arrived, every application wants to be online and to operate on sensitive data, which cannot fail to attract anyone who wants access to that data. This means an urgent need for security. Examining the clouds leads to a different vision of security controls and metrics for each cloud vendor, while industrial organizations try to help the vendors and their customers reach an appropriate security level. They offer transparency of the security controls of different vendors measured against the best security practices.

Keywords: cloud security, amazon web services, aws, azure, compliance, csa recommendations, nist sp 800-53 rev.3, nist, csa

I. INTRODUCTION

A cloud's goal is delivering various computing resources, such as computing, storage and databases, as paid services over the web. It is generally held that cloud vendors provide them without infrastructure and location details; this is partially wrong or depends on the particular vendor, and a cloud may bring quite unique concerns to the security field. As opposed to a private cloud, a public cloud hypervisor unfortunately does not provide APIs to manage every process and flow, which is nothing new compared with managing a black box several decades ago. It is a matter of trust, just like downloading and buying third-party solutions, and cloud solutions are third party too.

To build security and privacy, cloud vendors provide their customers with security controls in areas like data protection, identity management, application and system/network security, and availability. However, the customers must have transparency of security controls in alignment with industrial standards, while vendors must enable them to comply with those standards. Standards like the documents of NIST, ISO, PCI DSS, etc. provide a measure of information security, at least from the security perspective, because there are various ways to reach the same security level. However, such standards look more detailed and go deeper into security and privacy than the guidance, best practices and metrics promoted by CSA. They try to bring transparency to clouds, but the results are far from it, which makes the customers' actions uncertain.

This research examines the MS Azure and AWS clouds in alignment with modern security standards, explains possible issues in obtaining "trustable security controls" according to compliance, and presents a working out of the details of recommendations among several standards. In addition, it addresses a deep analysis of security between different cloud vendors. The paper extends the results of previous work [2-4] on security, compliance and transparency of AWS controls.

II. RELATED WORK

MS Azure has become one more popular cloud platform, along with Amazon Web Services (AWS), as an open cloud platform to operate web sites, applications, mobile services, VMs, BigData, MediaStream and more. These clouds are both so popular that both are a background for iCloud [5]. An examination of AWS security controls, their transparency in alignment with security guidance, and the ability to pass it easily was given in papers [4], [3]. A quick analysis of AWS and Azure was given in paper [2]. As Azure is purposed for data spreading, it shifts a significant part of security from the typical layers (network, OS, etc.) to the application layer in a standards examination, as opposed to AWS [12]. That is the key reason why cloud security might have unique concerns under the mask of a non-typical interaction, which is nevertheless well known within the scope of a pentest and audit of applications. In general, it replaces user/password plus MFA access with X.509 access while keeping the basic security rules.

The standards together with best practices are known to provide us with a least-security baseline that is sometimes dumped into descriptive generalizations and properties, because simplification and reduction are not the same thing. For example, the paper about the top nine cloud threats [1], as opposed to the previous seven, covers facts that relate to private clouds more than to public ones. The examples in its link section are:
• "1.0. Top Threat: Data Breaches // Cross-VM Side Channels and Their Use to Extract Private Keys", "7.0. Top Threat: Abuse of Cloud Services // Cross-VM Side Channels and Their Use to Extract Private Keys"
• "4.0. Top Threat: Insecure Interfaces and APIs" // both examples

The first case highlights how public clouds, e.g. AWS EC2, are vulnerable, but it is totally focused on the private cloud case (VMware and Xen), while there is no known way to apply it to AWS [9]. Instead, the work [7] explains how to compromise the EC2 & S3 control interfaces with different modern techniques, but Amazon advises a native configuration against it [8].

The second case presents issues raised by SSO access without relation to the public clouds (except Dropbox, SkyDrive) and is addressed to the insecurity of APIs. A paper about SSL validation issues [10] is a similar example, successfully solved by AWS. Dumping all generalized facts and recommendations into one basket is not a good idea and may lead to statements like "cloud vendors do not provide full details to let us trust them and ensure our privacy". First of all, the cloud vendors have their infrastructure built and configured according to standards like ISO, PCI DSS and CoBIT, validated by independent auditors and experts every time. Second, providing such results under an NDA only (shifting details to private reports) should be considered mainly reasonable, especially in technical cases. By way of example, an examination of AWS services against the CSA requirements gives a vague answer about the real transparency brought by the CSA recommendations, because almost a third of all responses refer to such private reports [3-4]. However, not all solutions may provide cloud customers with proper protection. A forensic sanitization like ERASE proposed in [6] is a good concern for cloud VM storage such as AWS EC2 only, not for data storage provided by services like AWS S3, Dropbox and similar. In that case it is impossible to wipe per file; instead, data volumes may be uploaded as a single unit, or one relies on the cloud implementation according to DoD techniques. Such documents claim to be up to date with an expert-level understanding of significant threats and vulnerabilities, to let one build an appropriate strategy to redress them. Everything taken together calls for additional analysis in the area of cloud compliance and transparency, to reduce misunderstanding of the requirements of several standards applied to clouds.

Copyright © i-Society 2013 Technical Co-Sponsored by IEEE Toronto Section 58

III. EXAMINATION OF CSA REQ. ON AZURE AND AWS

CSA documents are known to try to raise the state of knowledge on cloud security; they aim to improve the visibility of cloud controls and features to help customers easily meet certain requirements, including local law regulations. Table I addresses the differences between AWS and Azure in meeting the CSA requirements, as well as the differences between the requirements of the CAIQ [14] and the CMM [13] against Azure in the docket; Microsoft has already filled in the CAI Questionnaire [15], but it is the CMM in fact. The examination is performed from a technical (features) point of view in the first place. Each control ID is kept with its control group description but without the control's explanation; in addition, rows are grouped by similar metrics. If there is any difference between a CAIQ ID and a CMM ID, there will often be a difference between AWS and Azure, except in cases such as swapped or repeated IDs.
TABLE I. DIFFERENCES BETWEEN AWS AND AZURE VS. CSA REQUIREMENTS

| Description | CAIQ CID | CMM CID | Diff (CAIQ vs. CMM) | Diff (AWS vs. Azure) |
|---|---|---|---|---|
| Audit Planning | CO-01.1 | CO-01 | No | No |
| Independent Audits | CO-02.1-7 | CO-02 | No | No |
| Third Party Audits | CO-03.1-2 | CO-03 | No | As opposed to AWS, Azure does not have a clearly defined statement on whether its customers are able to perform their own vulnerability test |
| Contact/Authority Maintenance | CO-04.1 | CO-04 | No | No |
| Information System Regulatory Mapping | CO-05.1-2 | CO-05 | CAIQ gets across segmentation, while CMM makes it unclear at first glance | AWS goes into details to comply with it, which results from the differences between CAIQ and CMM |
| Intellectual Property | CO-06.1, CO-07.1, CO-08.1 | CO-06 | No | Standards are different; AWS is in alignment with COBIT, ISO 27002 and the PCI Data Security Standards; Azure is in alignment with ISO 27001 and the Digital Millennium Copyright Act |
| Ownership / Stewardship | DG-01.1 | DG-01 | No | AWS mentions the ISO 15489 standards while Azure does not |
| Classification | DG-02.1-5 | DG-02 | No | No |
| Handling / Labeling / Security Policy | DG-03.1 | DG-03 | No | AWS goes into details on what customers are allowed to do and how exactly, while Azure does not |
| Retention Policy | DG-04.1-2 | DG-04 | No | AWS points to the customers' responsibility to manage data, excluding moves between Availability Zones inside one region; Azure ensures validation and processing with it, and indicates historical auto-backup of data |
| Secure Disposal | DG-05.1-2 | DG-05 | No | Nothing serious; AWS relies on DoD 5220.22 additionally, while Azure relies on NIST 800-88 only |
| Nonproduction Data | DG-06.1 | DG-06 | No | No |
| Information Leakage | DG-07.1-2 | DG-07 | No | AWS relies on the AMI and EBS services, while Azure relies on data integrity |
| Risk Assessments | DG-08.1 | DG-08 | CMM DG-08 aggregates CAIQ DG-02 and DG-03, while CAIQ points to a control of health data and continuous monitoring | |
| Policy | FS-01.1 | FS-01 | No | No |
| User Access | FS-02.1 | FS-02 | CMM FS-02 refers to the equivalent CAIQ FS-03, while CAIQ FS-02 refers to CMM HR-01 and the same CAIQ HR-01 | No |
| Controlled Access Points; Unauthorized Persons Entry | FS-03.1; FS-05.1 | FS-03; FS-05 | No | No |
| Secure Area Authorization | FS-04.1 | FS-04 | CMM FS-04 was partially covered at FS-03 and FS-05 | No |
| Offsite Authorization; Offsite Equipment | FS-06.1; FS-07.1 | FS-06; FS-07 | No | No |
| Asset Management | FS-08.1-2 | FS-08 | No | No |
| Background Screening; Employment Agreements; Employment Termination | HR-01.1; HR-02.1-2; HR-03.1 | HR-01; HR-02; HR-03 | No | No |
| Management Program; Management Support / Involvement; Policy | IS-01.1; IS-02.1; IS-03.1-3 | IS-01; IS-02; IS-03 | No | Differences are in industrial standards: AWS relies on CoBIT and PCI DSS additionally, while Azure relies on ISO 27001 only |
| Baseline Requirements | IS-04.1-3 | IS-04 | As opposed to CMM, CAIQ additionally points to trusted VMs that are allowed to be imported | AWS provides more highly detailed how-to docs than Azure, and allows importing trusted VMs from VMware, Azure |
| Policy Reviews | IS-05.1 | IS-05 | CAIQ additionally points to notifications of customers, while CMM mentions review only | |
| Policy Enforcement | IS-06.1-2 | IS-06 | No | No |
| User Access Policy | IS-07.1-2 | IS-07 | No | No |
| User Access Restriction / Authorization | IS-08.1-2 | IS-08 | No | No |
| User Access Revocation | IS-09.1-2 | IS-09 | No | No |
| User Access Reviews; Training / Awareness | IS-10.1-3; IS-11.1-2 | IS-10; IS-11 | No, except that CMM IS-10 addresses an access review and CAIQ IS-09 and HR-02 | No |
| Industry Knowledge / Benchmarking | IS-12.1-2 | IS-12 | No | No |
| Roles / Responsibilities | IS-13.1 | IS-13 | No | No |
| Management Oversight; Segregation of Duties | IS-14.1; IS-15.1 | IS-14; IS-15 | No | No |
| User Responsibility | IS-16.1-3 | IS-16 | No | No |
| Workspace | IS-17.1-3 | IS-17 | No | No |
| Encryption; Encryption Key Management | IS-18.1-2; IS-19.1-4 | IS-18; IS-19 | No | AWS offers encryption features for VMs, storage, DB and networks, while Azure does so for XStore (Azure Storage) |
| Vulnerability / Patch Management | IS-20.1-6 | IS-20 | Additionally, CAIQ points to self-pentesting besides the vendors' responsibilities | AWS allows its customers to ask for their own pentest, while Azure does not |
| Antivirus / Malicious Software | IS-21.1-2 | IS-21 | No | No |
| Incident Management | IS-22.1 | IS-22 | No | No |
| Incident Reporting; Incident Response Legal Preparation | IS-23.1-2; IS-24.1-4 | IS-23; IS-24 | No | No |
| Incident Response Metrics | IS-25.1-2 | IS-25 | No | No |
| Acceptable Use | IS-26.1-3 | IS-26 | No | No |
| Asset Returns | IS-27.1-2 | IS-27 | No | No |
| eCommerce Transactions; Audit Tools Access | IS-28.1-2; IS-29.1 | IS-28; IS-29 | No | AWS provides more services and solutions that cover it |
| Diagnostic / Configuration Ports Access; Network / Infrastructure Services | IS-30.1; IS-31.1-2 | IS-30; IS-31 | No | No |
| Portable / Mobile Devices; Source Code Access Restriction | IS-32.1; IS-33.1-2 | IS-32; IS-33 | No | No |
| Nondisclosure Agreements; Third Party Agreements | LG-01.1; LG-02.1-3 | LG-01; LG-02 | No | AWS highlights that it does not leverage any 3rd-party cloud providers to deliver AWS services to its customers; Azure points to the procedures and NDA undergone with ISO |
| Policy; Documentation | OP-01.1; OP-02.1 | OP-01; OP-02 | No | AWS relies on CoBIT and PCI DSS additionally, while Azure relies on ISO 27001 only |
| Capacity / Resource Planning | OP-03.1-2 | OP-03 | No | No |
| Equipment Maintenance | OP-04.1-5 | OP-04 | No | Additionally, AWS provides similar features on the customers' side to meet the requirements |
| Program; Assessments; Mitigation/Acceptance; Business/Policy Change Impacts | RI-01.1-2; RI-02.1-2; RI-03.1-2; RI-04.1 | RI-01; RI-02; RI-03; RI-04 | No | No |
| Third Party Access | RI-05.1-7 | RI-05 | No | No |
| New Development / Acquisition | RM-01.1 | RM-01 | No | No |
| Production Changes; Quality Testing | RM-02.1; RM-03.1 | RM-02; RM-03 | No | No |
| Outsourced Development | RM-04 | RM-04 | No | As opposed to AWS, Azure details the SDLC controls |
| Unauthorized Software Installations | RM-05.1 | RM-05 | No | No |
| Management Program; Impact Analysis; Business Continuity Planning; Business Continuity Testing; Environmental Risks; Equipment Location; Equipment Power Failures; Power/Telecommunications | RS-01.1; RS-04.1; RS-02.1-3; RS-03.1-2; RS-05.1; RS-06.1; RS-07.1; RS-08.1-2 | RS-01; RS-02; RS-03; RS-04; RS-05; RS-06; RS-07; RS-08 | No | No |
| Customer Access Requirement | SA-01.1 | SA-01 | No | No |
| User ID Credentials | SA-02.1-7 | SA-02 | CMM goes into details about passwords | Besides AD (Active Directory), the AWS IAM solution's credentials are in alignment with both the CAIQ and CMM requirements, while Azure addresses AD to perform these actions |
| Data Security / Integrity; Application Security; Data Integrity | SA-03.1; SA-04.1-3; SA-05.1 | SA-03; SA-04; SA-05 | CMM refers more to web host applications than to services | AWS refers to ISO 27001/27002, CoBIT and PCI DSS, while Azure refers to ISO 27001 |
| (Non)Production Environments; Network Security | SA-06.1-2; SA-08.1 | SA-06; SA-08 | No | AWS provides more detailed how-to documents for achieving compliance |
| Remote User MFA | SA-07.1 | SA-07 | No | No |
| Segmentation; Wireless Security; Shared Networks | SA-09.1-4; SA-10.1-3; SA-11.1 | SA-09; SA-10; SA-11 | CMM highlights useful details | Besides vendor features, AWS provides quite similar mechanisms in alignment with CAIQ & CMM, while Azure points to features built into the infrastructure on the vendor side |
| Clock Synchronization | SA-12.1 | SA-12 | CMM mentions clock synchronization services | No |
| Equipment Identification | SA-13.1 | SA-13 | No | Additionally, AWS provides metadata together with tags to help customers meet it |
| Audit Logging / IDS | SA-14.1-3 | SA-14 | No | No |
| Mobile Code | SA-15.1-2 | SA-15 | No | AWS points its clients to being responsible for meeting such requirements, while Azure points to building solutions tracked for mobile code |
IV. EXAMINATION OF NIST REQ. ON AZURE AND AWS

Paper [11] provides a brief examination of several clouds (AWS EC2, Azure, GAE) against NIST by mapping security and privacy attributes to NIST guidelines, but it does not go deep. The NIST documents SP800-144 [16] and SP800-146 [17] provide general considerations on how to improve cloud security; they do not bring transparency of cloud controls and are still in progress towards something similar to NIST SP800-53 by reducing non-cloud statements, which only partially helps the customers because of their limited scope and focus on the cloud alone. In other words, even if a requirement seems non-applicable, excluding it may remove some objects, like mobile end-points, from the infrastructure and cripple the perceived unity. That is why Table II examines cloud controls in alignment with NIST SP800-53 Rev.3 (Rev.4 had not been released yet) [18] and covers the technical class only; withdrawn controls are omitted.

Several conventions are used in Table II:
• "w/o" means the basic requirements; "w" means with control enhancements.
• "CE" means control enhancements, where "None" means there are no enhancements.
• "N" means there is no ability to meet the requirement.
• "Y" means the basic requirements, like procedures or other well-known solutions such as VPN. It means the ability to configure and use; however, the customers need to use APIs, link a cloud-layer solution with others like Active Directory or independent solutions (3rd-party software, another cloud to back up data, etc.), or a definitely non-cloud layer, e.g. the OS layer, to meet the requirement.
• "exc." means "Yes", "No", "prebuilt", "poss." or something else, except for several statements/clauses with another meaning: for example, "Y" exc. "smth" means "smth" is difficult to meet (it asks for additional actions with APIs or similar), or "N/A". "N" exc. "smth" means "smth" is equal to "Y". If "exc." is followed by "N/A" or similar, it means an explicit definition that everything is fine, but there is no information (N/A) about "smth".
• "prebuilt" means the same solution is usable as it is (apart from configuration); "part prebuilt" means it does not cover all services of the cloud in question.
• "poss." means it is possible to build, because of an outstanding cloud (or non-cloud) object from a logical point of view.
• "internal" means the possibility ("p.internal") to build, or to use prebuilt, similar solutions that may be extended with calls for internal data, while "t.internal" points to the cloud vendors' internal solutions or reports.
• "N/A" means there is no public information on how to execute a requirement, as well as a need to request third-party reports from the cloud vendors.
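The legend above is a small notation with its own grammar (status keywords, enhancement lists scoped with ":", "rest", and "exc." clauses), so a Table II cell can be decoded mechanically rather than read by eye. The following Python decoder is an added example, not code from the paper: it implements the legend as stated above, turns one cell into a per-enhancement status map, reports where AWS and Azure differ, and lists the enhancements the customer has to build or work around. The function names (expand, diff, customer_todo), the label "difficult" used for the "Y exc. X" case, and the choice of which statuses count as customer work are this example's own; the sample cells are copied from the AC2 (Account Management) row of Table II, with the enhancement ids taken from the sub-items that row itself names.

```python
import re

# Status keywords from the Table II legend, longest alternatives first so that
# "part prebuilt", "none" and "n/a" are not cut short by "prebuilt" or "n".
_STATUS_RE = (r"(part prebuilt|p\.internal|t\.internal|prebuilt\.?|poss\.?"
              r"|none|n/a|y|n)(?![a-z])")
_CLAUSE_RE = re.compile(r"^\s*" + _STATUS_RE + r"\s*:?\s*(.*?)\s*$", re.IGNORECASE)
_CANON = {"part prebuilt": "part prebuilt", "p.internal": "p.internal",
          "t.internal": "t.internal", "prebuilt": "prebuilt", "poss": "poss.",
          "none": "None", "n/a": "N/A", "y": "Y", "n": "N"}
# Statuses that leave work on the customer's side (this example's reading of
# the legend: build it, do extra API work, partial coverage, or no ability).
CUSTOMER_WORK = {"poss.", "difficult", "partially", "N"}


def _expand_targets(text):
    """'1-3, 5a-b, 10' -> ['1', '2', '3', '5a', '5b', '10']; 'rest' stays 'rest'."""
    out = []
    for tok in re.split(r"[,\s]+", text.strip()):
        if not tok:
            continue
        m = re.fullmatch(r"(\d*)([a-z]?)-(\d*)([a-z]?)", tok)
        if m and m[1] and m[3] and not m[2] and not m[4]:      # 1-8
            out += [str(i) for i in range(int(m[1]), int(m[3]) + 1)]
        elif m and m[1] and m[2] and m[4] and not m[3]:        # 5a-b
            out += [m[1] + chr(c) for c in range(ord(m[2]), ord(m[4]) + 1)]
        else:
            out.append(tok)
    return out


def _parse_clause(text, base_status=None):
    """Return (status, targets) for 'prebuilt: 1-6, 11' or, after 'exc.', 'N/A: 5'."""
    partial = "(partially)" in text
    text = text.replace("(partially)", "").strip()
    m = _CLAUSE_RE.match(text)
    if m:
        status, rest = _CANON[m[1].lower().rstrip(".")], m[2]
    elif base_status is None:
        raise ValueError(f"unknown status in cell clause {text!r}")
    else:
        # Bare list after "exc.": the legend says "Y exc. X" makes X difficult
        # (extra API work) and "N exc. X" makes X met.
        status, rest = ("Y" if base_status == "N" else "difficult"), text
    return ("partially" if partial else status), _expand_targets(rest)


def expand(cell, enhancements=()):
    """Decode one Table II cell into {enhancement: status}.

    enhancements lists the control's enhancement ids; when empty, the whole
    control is keyed "*". "None" decodes to {} because no enhancements exist.
    """
    if cell.strip().lower() == "none":
        return {}
    result, rest_clauses = {}, []
    for clause in cell.split(";"):
        base, _, exc = clause.partition("exc.")
        status, targets = _parse_clause(base)
        if targets == ["rest"]:
            rest_clauses.append(status)          # applied after explicit ids
        elif not targets:
            for e in (enhancements or ["*"]):
                result[e] = status
        else:
            for t in targets:
                result[t] = status
        if exc.strip():
            exc_status, exc_targets = _parse_clause(exc, base_status=status)
            for t in exc_targets:
                # A bare letter refines the single enhancement named in the base
                # clause: "prebuilt: 1 exc. poss: c" -> enhancement 1c.
                scoped = len(targets) == 1 and targets[0] != "rest" and t.isalpha()
                result[targets[0] + t if scoped else t] = exc_status
    for status in rest_clauses:
        for e in enhancements:
            result.setdefault(e, status)
    return result


def _order(key):
    m = re.match(r"(\d+)(.*)", key)
    return (int(m[1]), m[2]) if m else (10**6, key)


def diff(aws_cell, azure_cell, enhancements=()):
    """Enhancements whose status differs between the two clouds."""
    a, z = expand(aws_cell, enhancements), expand(azure_cell, enhancements)
    return [(k, a.get(k), z.get(k)) for k in sorted(set(a) | set(z), key=_order)
            if a.get(k) != z.get(k)]


def customer_todo(cell, enhancements=()):
    """Enhancements the customer has to build or work around themselves."""
    todo = [k for k, s in expand(cell, enhancements).items() if s in CUSTOMER_WORK]
    return sorted(todo, key=_order)


# Cells copied from the AC2 (Account Management) row of Table II; the
# enhancement ids are the ones that row itself names (5a-5d are sub-items).
AC2_ENH = ["1", "2", "3", "4", "5a", "5b", "5c", "5d", "6", "7"]
AC2_AWS_WCE = "Y: 1, 4, 6, 7; prebuilt: 2, 5a-b; poss.3,5c,5d"
AC2_AZURE_WCE = "Y: 1-4, 5a, 6, 7; N/A: 5b-d"

if __name__ == "__main__":
    for enh, aws, azure in diff(AC2_AWS_WCE, AC2_AZURE_WCE, AC2_ENH):
        print(f"AC2({enh}): AWS={aws} Azure={azure}")
    print("AWS customer work:", customer_todo(AC2_AWS_WCE, AC2_ENH))
    print("Azure w/o CE:", expand("Y exc. g"))
```

Running the block prints the six AC2 enhancements where the clouds differ and shows that only AWS leaves enhancements 3, 5c and 5d as customer work ("poss."), while Azure has no public information ("N/A") for 5b-5d and, in the basic column, marks sub-item g as difficult. Segments that carry two "exc." clauses at once (as in the AWS cell of the SC7 row) are beyond what this decoder handles.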

TABLE II. AWS AND AZURE AGAINST NIST REQUIREMENTS

| ID | Name | AWS (w/o CE) | Azure (w/o CE) | AWS (w CE) | Azure (w CE) |
|---|---|---|---|---|---|
| AC1 | Access Control Policy and Procedures | Y | Y | None | None |
| AC2 | Account Management | Y | Y exc. g | Y: 1, 4, 6, 7; prebuilt: 2, 5a-b; poss. 3, 5c, 5d | Y: 1-4, 5a, 6, 7; N/A: 5b-d |
| AC3 | Access Enforcement | Y | Y | Y: 1, 2; prebuilt: 3-6 | Y exc. 3 (partially) |
| AC4 | Information Flow Enforcement | Y | Y | prebuilt: 1-8, 10-17; N/A: 9 | Y exc. N/A: 12-15 |
| AC5 | Separation of Duties | Y | Y | None | None |
| AC6 | Least Privilege | Y | Y | Y | Y |
| AC7 | Unsuccessful Login Attempts | poss. | poss. | poss. | poss. |
| AC8 | System Use Notification | Y | Y | None | None |
| AC9 | Previous Logon (Access) Notification | Y | Y | None | None |
| AC10 | Concurrent Session Control | Y | Y | None | None |
| AC11 | Session Lock | Y | Y | None | None |
| AC14 | Permitted Actions w/o Identification, Authentication | prebuilt | prebuilt | None | None |
| AC16 | Security Attributes | prebuilt exc. N/A: 5 | prebuilt | None | None |
| AC17 | Remote Access | Y | Y | poss. | poss. |
| AC18 | Wireless Access | Y | Y | Y | Y |
| AC19 | Access Control for Mobile Devices | Y | Y | poss. | poss. |
| AC20 | Use of External Information Systems | Y | Y | Y | Y |
| AC21 | User-Based Collaboration & Data Sharing | Y | Y | Y | Y |
| AC22 | Publicly Accessible Content | Y | Y | None | None |
| AU1 | Audit, Accountability Policy and Procedures | Y | Y | None | None |
| AU2 | Auditable Events | Y | Y | None | None |
| AU3 | Content of Audit Records | part prebuilt | Y | part prebuilt | N/A |
| AU4 | Audit Storage Capacity | part prebuilt | N/A | None | None |
| AU5 | Response to Audit Processing Failures | poss. | poss. | prebuilt | poss. |
| AU6 | Audit Review, Analysis, and Reporting | Y | Y | p.internal | t.internal |
| AU7 | Audit Reduction and Report Generation | p.internal | t.internal | p.internal | t.internal |
| AU8 | Time Stamps | Y | Y | Y | Y |
| AU9 | Protection of Audit Information | Y | Y | poss. | poss. |
| AU10 | Non-repudiation | Y | Y | p.internal | t.internal |
| AU11 | Audit Record Retention | Y | Y | None | None |
| AU12 | Audit Generation | Y | Y | Y | Y |
| AU13 | Monitoring for Information Disclosure | Y | Y | None | None |
| AU14 | Session Audit | poss. | poss. | None | None |
| IA1 | Identification & Auth. Policy & Procedures | Y | Y | None | None |
| IA2 | Identification & Authentication Org. Users | Y | Y | Y | Y |
| IA3 | Device Identification & Authentication | Y | Y | Y | Y |
| IA4 | Identifier Management | Y | Y | poss. | poss. |
| IA5 | Authenticator Management | Y | Y | prebuilt: 1 exc. poss: c; prebuilt: 2 exc. poss: c; prebuilt: rest exc. N/A: 6 | prebuilt: 1 exc. poss: c; prebuilt: 2 exc. poss: c; prebuilt: rest |
| IA6 | Authenticator Feedback | Y | Y | None | None |
| IA7 | CryptoModule Authentication | Y | Y | None | None |
| IA8 | Identification, Authentication Non-Org. Users | Y | Y | None | None |
| SC1 | System, Communications Protection Policy & Procedures | Y | Y | None | None |
| SC2 | Application Partitioning | Y | Y | prebuilt | prebuilt |
| SC3 | Security Function Isolation | t.internal | t.internal | t.internal | t.internal |
| SC4 | Data In Shared Resources | p.internal | p.internal | None | None |
| SC5 | Denial of Service Protection | p.internal | p.internal | p.internal | p.internal |
| SC6 | Resource Priority | prebuilt | prebuilt | None | None |
| SC7 | Boundary Protection | prebuilt | prebuilt | prebuilt: 1-6, 11 exc. poss. 4c; prebuilt: 7, 8, 9, 12, 15, 16; prebuilt: 10 exc. N/A: iii, t.internal: v; p.internal: 13, 14, 17 | prebuilt: 1-6, 11; N/A: 3-4, 8, 10, 17; poss. 7, 9, 12, 15; p.internal: 13, 14, 17 |
| SC8 | Transmission Integrity | poss. | poss. | t.internal: 1; poss. 2 | t.internal: 1; poss. 2 |
| SC9 | Transmission Confidentiality | poss. | poss. | prebuilt: 1; poss. 2 | prebuilt: 1; poss. 2 |
| SC10 | Network Disconnect | poss. | poss. | poss. | poss. |
| SC11 | Trusted Path | Y | Y | None | None |
| SC12 | CryptoKey Establishment & Management | Y | Y | Y | Y |
| SC13 | Use of Cryptography | poss. | poss. | poss. | poss. |
| SC14 | Public Access Protections | poss. | poss. | None | None |
| SC15 | Collaborative Computing Devices | poss. 1; p.internal: 2 | poss. 1; p.internal: 2 | None | None |
| SC16 | Transmission of Security Attributes | poss. | poss. | None | None |
| SC17 | Public Key Infrastructure Certificates | Y | Y | None | None |
| SC18 | Mobile Code | p.internal | p.internal | p.internal | p.internal |
| SC19 | Voice Over Internet Protocol | poss. | poss. | None | None |
| SC20-21 | Secure Name/Address Resolution Service (Authoritative Source, Recursive, Caching Resolver) | prebuilt | t.internal | prebuilt | t.internal |
| SC22 | Architecture & Provisioning for Name/Address Resolution Service | prebuilt | t.internal | prebuilt | t.internal |
| SC23 | Session Authenticity | p.internal | p.internal | p.internal | p.internal |
| SC24 | Fail in Known State | prebuilt | prebuilt | None | None |
| SC25 | Thin Nodes | prebuilt | prebuilt | None | None |
| SC26 | Honeypots | poss. | poss. | None | None |
| SC27 | OS Independent Applications | poss. | poss. | None | None |
| SC28 | Protection of Data at Rest | poss. | poss. | None | None |
| SC29 | Heterogeneity | Y | Y | None | None |
| SC30 | Virtualization Techniques | t.internal | t.internal | t.internal | t.internal |
| SC31 | Covert Channel Analysis | poss. | poss. | p.internal | p.internal |
| SC32 | Information System Partitioning | Y | Y | None | None |
| SC33 | Transmission Preparation Integrity | Y | Y | None | None |
| SC34 | Non-Modifiable Executable Programs | poss. | poss. | poss. | poss. |
V. CONCLUSION

Vendors are known not to tend to make some details on cloud security public to their customers. Cloud vendors explain it as a matter of "security through obscurity" and provide independent auditors' reports at the same time. It often leads to questions about the trust level, the ability to verify the controls and the way it should be done. Industrial organizations with their security vision have relieved this, but raised more questions on transparency instead of reducing them. These documents refer to known vulnerabilities beside the point and bring misunderstanding; e.g. there are several attacks successfully applied to Xen, VMware or other private clouds. That means an application domain that often excludes the public clouds in the case of AWS and Azure. Some cases are not clear with respect to the roles and responsibilities of cloud vendors and their customers. As it is not defined clearly, it makes it uncertain whether the vendors should provide the customers with any control opportunities; it leads to swapping responsibilities and shifting the vendor's job onto the customer's shoulders. The vendors refer to their reports too much instead of providing public details. It should be strongly defined which controls are allowed to be available to the customers, which are built in and detailed in public documents, and the rest covered by independent reports; e.g. [Assignment: organization-defined frequency]. Any discrepancy must shift the security level from the highest to one level lower, as it is in NIST.

Other cases cover an announcement of compliance in alignment with certain standards on the vendor side, which is partially good and should be enhanced by independent analysis reports. It yields the technical details from Amazon and well-known statements multiplied by internal reports from Microsoft. CSA puts cross references to other standards in its documents, which impacts complexity and the lack of clarity in the case of NIST. It makes it very unobvious how the same controls relate to each other and how general requirements correspond to clearly detailed requirements. Anyway, it makes a good showing to rely on the differences between these requirements to improve the latter and recreate a new set to keep a comprehensive unity of cloud security, which is a significant part of remediating issues and enhancing the transparency of cloud controls on technical requirements beyond what the industrial documents give. Examination of further cloud solutions, such as Office365 with Cloud BES, AWS and Azure, against other standards (CoBIT, NIST SP 800-53 rev.4 and ISO 27001 '13) is also a part of further research.

REFERENCES

[1] "CSA The Notorious Nine Cloud Computing Top Threats in 2013", [Online resource: downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf, Accessed 06-March-2013]
[2] Y. Chemerkin, "AWS Cloud Security from the point of view of the Compliance", PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa, vol. 2 №10, Issue 10/2012 (12), ISSN 2084-1116, pp. 50-59, December 2012
[3] Y. Chemerkin, "Cloud Security Analysis against the modern and old security standards, regulation recommendations", draft (to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa, April-May)
[4] Y. Chemerkin, "Security compliance challenges on clouds", Cyber Times International Journal of Technology & Management 2013, Vol. 6, Issue 1, ISSN No.: 2278-7518, March 2013
[5] A. Belenko, D. Sklyarov, "Dark and Bright Sides of iCloud (In)security", [Online resource: viaforensics.com/android-forensics/icloud-insecurity-examining-ios-data-backup-cloud.html, Accessed 01-March-2013]
[6] J. Medsger, A. Srinivasan, "ERASE: EntRopy-based SAnitization of SEnsitive Data for Privacy Preservation", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 427-432, December 2012
[7] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, L. L. Iacono, "All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM Cloud Computing Security Workshop (CCSW), pp. 3-14, October 2011
[8] "Reported SOAP Request Parsing Vulnerabilities", [Online resource: aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/, Accessed 15-January-2013]
[9] "Xen Security Advisories", [Online resource: aws.amazon.com/security/security-bulletins/xen-security-advisories/, Accessed 15-January-2013]
[10] "The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security, pp. 38-49, October 2012
[11] A. Abuhussein, H. Bedi, S. Shiva, "Evaluating Security and Privacy in Cloud Computing Services: A Stakeholder's Perspective", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 388-395, December 2012
[12] Windows Azure Security Overview whitepaper, [Online resource: go.microsoft.com/?linkid=9740388, Accessed 01-February-2013]
[13] "CSA Cloud Controls Matrix v1.3", [Online resource: cloudsecurityalliance.org/research/cai/, Accessed 15-January-2013]
[14] "CSA Consensus Assessments Initiative Questionnaire v1.1", [Online resource: cloudsecurityalliance.org/research/cai/, Accessed 15-January-2013]
[15] "CSA Consensus Assessments Initiative Questionnaire v1.1" / "CSA Cloud Controls Matrix v1.3", [Online resource: https://cloudsecurityalliance.org/wp-content/uploads/2012/03/Microsoft-Azure-CAIQ-v1.1-2012-03-25.zip, Accessed 15-January-2013]
[16] "Guidelines on Security and Privacy in Public Cloud Computing", [Online resource: csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf, Accessed 04-February-2013]
[17] "Cloud Computing Synopsis and Recommendations", [Online resource: www.nist.gov/customcf/get_pdf.cfm?pub_id=911075, Accessed 04-February-2013]
[18] "Recommended Security Controls for Federal Information Systems and Organizations. Revision 3", [Online resource: csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf, Accessed 04-February-2013]