Proceedings of the Fifth International Conference on Internet Technologies and Applications (ITA 13)

Tuesday 10th – Friday 13th September 2013
Glyndŵr University, Wrexham, North Wales, UK
http://www.ita13.org

Editors: Rich Picking, Stuart Cunningham, Nigel Houlden, Denise Oram, Vic Grout, Julie Mayers
Co-editors: Nathan Clarke, Carlos Guerrero, Raed A Abd-Alhameed, Susan Liggett
ISBN 978-0-946881-81-9

Hosted by
Creative and Applied Research for the Digital
Society (C.A.R.D.S.)
Glyndŵr University, Plas Coch Campus, Mold Road, Wrexham,
LL11 2AW, UK

ISBN: 978-0-946881-81-9

www.cards-uk.org

© Glyndŵr University, 2013


All rights reserved. Printed in the United Kingdom.
No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means – electronic, mechanical, photocopy, recording or otherwise – without the prior written permission of the publisher or distributor.

FOREWORD

Croeso i Ogledd Cymru. Croeso i Wrecsam!

Welcome to North Wales. Welcome to Wrexham!

These are the proceedings of the Fifth International Conference on Internet Technologies and Applications (ITA 13), hosted by the University Centre for Creative and Applied Research for the Digital Society (C.A.R.D.S.) at Glyndŵr University, Wrexham, North Wales, UK from Tuesday 10th to Friday 13th September 2013. The conference has been sponsored by the British Computer Society (BCS) Chester and North Wales Branch, the British Computer Society (BCS) Health in Wales Group, the European Union 7th Framework Programme (Project Geryon), the UK National Health Service (NHS) Wales Informatics Service (NWIS), ENIAC (Project Artemos), The Applied Computational Electromagnetics Society (ACES) and Modibbo Adama University of Technology, Yola (MAUTECH). We thank them all for their support.

SECURITY COMPLIANCE CHALLENGES ON CLOUDS

Yury Chemerkin

Independent Security Researcher / PhD in progress


Russian State University for the Humanities (RSUH)
Moscow, Russia
yury.chemerkin@gmail.com

ABSTRACT
Today cloud vendors provide many integration and optimization features in fields such as business and education, and there are many ways to adopt them for medical purposes such as maintaining medical records or monitoring patients. Not all cloud solutions have totally changed the original security paradigm, and customers still need to manage accessibility, monitoring and auditing. An appropriate security level has become a very important issue for customers. Compliance is part of security and a cornerstone when cloud vendors refer to worldwide standards.

KEYWORDS:
Cloud security, compliance, amazon web services, aws, csa cloud controls matrix, csa, cmm, caiq, csa
consensus assessments initiative questionnaire

1. INTRODUCTION
Cloud computing has been one of the top security topics for the last several years. The increasing popularity of clouds [1] is based on the flexibility of virtualization as a technology for replacing and improving complex parts of systems, reducing unnecessary computation and making use of existing resources. Besides the well-known threats, clouds introduce a new security and management level. Cloud security vendors (and not only cloud vendors: almost all kinds of vendors) claim that end-user companies prefer cost reduction over security in order to reduce the operational complexity of their clouds (or systems), which eventually ends with a lower level of security that the end-user will accept. Some security questions about clouds are: how is it implemented, how are the data and communication channels secured, how secure are the cloud and application environments, etc. For example, the well-known phrase “physical security does not exist in clouds” makes no serious sense, because it was the same when hosting services arrived. The customer must make improvements over the default configuration with each new technology. If the virtual OS is a Windows Server, then the OS has much the same security and patch management state as a desktop/server OS. In addition, it is a matter of trust: downloading and buying third-party solutions might be more trustworthy than the cloud vendor (they are all third-party solutions). The cloud simply uses well-known protocols like SMTP, HTTP, SSL, TCP/IP etc. to communicate, send email, handle files and perform other activity. Methods that are compliant as part of an RFC should indicate that they are OK. However, a key problem is the lack of a systematic analysis of the security and privacy of such cloud services. Third-party organizations like the Cloud Security Alliance (CSA) promote their recommendations to improve cloud security and maintain a registry of cloud vendors' security controls to help users make the right choice in the security field.

This research analyzes the security aspects on which customers rely, which are basic for cloud and security standards and represent at least a minimal set of security state. Enterprises need to comply with different regulations and standards (PCI, CSA, HIPAA, ISO etc.). The aim of the research is to show that gaps in the recommendations of security standards (if there are any) let cloud vendors or their customers successfully pass cloud audit checks and claim compliance despite differing security features between cloud capabilities. The guidelines in such documents operate at a high level that makes them unclear, miss useful security countermeasures and add superfluity to the customer’s vision of the system (cloud).

2. RELATED WORK
Nowadays, AWS is one of the most popular cloud platforms. It offers virtual computing, storage, VPN, archiving, monitoring, health-watching, email and other services as an environment for a user to run applications, store data, operate with events and deliver event data through different services and in different ways. AWS offers many services with more accessibility, which is important when merging into the cloud. GAE is one more cloud for running web applications written in interpreted and scripting languages like Java/Python, but it has limited features (security and the rest). Windows Azure makes data spreading its cornerstone, via neither storage nor web server. These different goals have a huge influence on security, while all of them were built in accordance with best practices and have well-documented security controls.

As we have enough security problems and a greater quantity of security solutions to solve these problems on the one hand, and standards with best practices that are successfully applied to clouds (according to the cloud vendors) on the other hand, it should be analyzed whether it is so difficult to pass a cloud compliance audit in accordance with these documents. In this paper, the AWS services are examined as the most similar to known existing technologies. The modern recommendations for clouds are at least quite similar to those given in Table 1, but refined to low-level details like “you should choose the cloud vendor that offers encryption, and definitely those who offer strong encryption e.g. AES”, which make little sense. The answer to “why” relies on the customers' willingness to see an action to do, like ‘whether they should rely on this AES encryption or they need to encrypt their data before uploading’. It works successfully when customers need to check clouds in order to choose those that provide more security, but it is bad for clouds that provide many services and security features, because these are basic rules only.
Table 1 The common security recommendations

Object | What to do
Data Ownership | Full rights and access to data
Data Segmentation | Isolation of data from other customers’ data
Data Encryption | Data encryption in transit/memory/storage, at rest
Backup/Recovery | Availability for recovery
Data Destruction | Ability to securely destroy data when no longer needed
Access Control | Who has access to data?
Log Management | Data access that is logged and monitored regularly
Incident Response | Are there processes and notifications in place for incidents (including breaches) that affect data?
Security Controls | Appropriate security and configuration controls for data protection
Patch Management | Patching for the latest vulnerabilities and exploits?

One more example is how such documents may substitute for the customer's understanding. NIST [25] talks about cloud limits on security: “the ability to decide who and what is allowed to access subscriber data and programs … the ability to monitor the status of a subscriber’s data and programs …”, which may by mistake lead to the idea “no cloud provides such abilities” without knowledge of the cloud infrastructure. Another misconception concerns the cloud firewall, with the opinion that cloud features are useless due to the following statement: a cloud firewall should provide centralized management, include pre-defined templates for common enterprise server types and enable the following:

Source and destination address and port filtering
Coverage of protocols, DoS prevention
An ability to design policies per network interface
Location checks of who/where accessed the data

Besides such detailed ‘how-to’ sets, there are enough statements that clouds cannot provide this, so it is still a security hole, while some of them (e.g. AWS) provide these features. Table 2 [7] shows a brief difference between AWS and Azure on compliance vs. documented technologies to secure and protect data. As a part of ‘non-transparency’, it is quite interesting that the differently offered security features and controls have passed e.g. ISO 27xxxx, while the difference between the clouds (compared with each other) looks like a medium feature reduction. The cloud attributes examined in [2] are backup, encryption, authentication, access controls, data isolation and monitoring, security standards, disaster recovery, client-side protection, etc. This paper provides a medium-detailed comparison and presents the cloud security/privacy attributes mapped to NIST guidelines. [2-6] and [26] give a brief examination of AWS S3 and GAE, but a summary comparison over [10], [12], [14], [15] makes clear that AWS offers the most powerful and flexible features [7][8].
Table 2 Compliance difference between AWS and Azure

Type | Cloud Vendor feature | AWS | Azure
Compliance | ISO 27001, CSA, HIPAA | + | +
Compliance | PCI DSS, FISMA, FIPS 140-2, NIST | + | N/A
Physical Security | Actions, events logging, logs audit | + | +
Physical Security | Minimum access rights | + | +
Physical Security | Auto revocation of access after N days, role changed, MFA, escort | + | N/A
Data Privacy | Backup, redundancy across the location | + | +
Data Privacy | Redundancy inside one geo location, encryption, DoD/NIST destruction | + | N/A
Network Security | MITM protection, host-based firewall (ip, port, mac), mandatory firewall, hypervisor protection from promiscuous mode | + | +
Network Security | Pentesting offer of services | + | -
Network Security | Pentesting offer of apps | + | +
Network Security | DDoS protection, featured firewall | + | N/A
Credentials | Login and passwords, SSL | + | +
Credentials | Cross-account IAM, MFA hardware/software, key rotation | + | N/A

Such recommendations may also advise different sanitizing techniques to use on the client or cloud side. Effective and efficient sanitization is a forensics statement. There are a lot of methods and techniques, but some of them rely on brute-force wiping, which is extremely useless for clouds for financial reasons. ERASERS, proposed in [24], computes the entropy of each data block in the target area and then wipes that block with a specified number of passes and pattern. Patterns and entropy are valuable because file types (docx, mp3, odf, pgp, acid*) have quite different characteristics. It means that ERASERS has many subpopulations, each of which is applied to certain cases. This gives faster wiping vs. regular brute-force overwriting methods. As disk sizes increase up to petabyte scale (recently AWS has offered such storage), brute-force methods are becoming near impossible in time. Many drives contain areas that do not have data needing overwriting, as is known for SSDs, which shuffle data between data blocks every time but keep the encrypted area untouched. According to NIST SP800-88 [9], “studies have shown that most of data can be effectively cleared by one overwrite with random data rather than zeroing”. The original version of DoD 5220.22-M (AWS implements this one) recommends a 3-pass wipe with one pass of a uniform character, one pass of its complement, and one pass of random characters, while the current DoD 5220.22-M does not specify the number of passes or the pattern. As ERASERS shows good results, it should be implemented on AWS EC2 or other cloud VMs.
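As an added illustration of the entropy-driven selection described above (not ERASERS's own code, nor the paper's), each block's Shannon entropy decides between skipping it, a single random pass (the NIST SP800-88 observation) and the original DoD 5220.22-M three-pass schedule; the thresholds, the 64-byte block size and the sample area are assumptions constructed for this example.

```python
import math
import secrets

BLOCK_SIZE = 64  # small so the constructed sample stays readable; real tools use disk blocks


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 for uniform bytes)."""
    if not block:
        return 0.0
    counts = {}
    for b in block:
        counts[b] = counts.get(b, 0) + 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def wipe_schedule(entropy: float, block_len: int) -> list:
    """Pick overwrite passes from the block's entropy.

    Thresholds are assumptions for this illustration, not ERASERS's actual
    values. Entropy is normalised against the maximum a block of this length
    can reach, so short blocks are not misread as 'low entropy'.
      - near-zero: blank/uniform block, nothing to overwrite
      - low/medium (plain text, docx/odf-like structure): one random pass,
        following the NIST SP800-88 observation quoted in the paper
      - high (compressed/encrypted payloads such as mp3 or pgp): the original
        DoD 5220.22-M schedule of a uniform char, its complement, random data
    """
    max_entropy = math.log2(min(block_len, 256)) if block_len > 1 else 1.0
    ratio = entropy / max_entropy
    if ratio < 0.1:
        return []
    if ratio < 0.8:
        return ["random"]
    return ["0x55", "complement", "random"]


def apply_passes(block: bytearray, schedule: list) -> bytearray:
    """Overwrite the block in place, one pass per schedule entry."""
    for step in schedule:
        if step == "random":
            block[:] = secrets.token_bytes(len(block))
        elif step == "complement":
            block[:] = bytes(b ^ 0xFF for b in block)
        else:  # a fixed byte given as hex, e.g. "0x55"
            block[:] = bytes([int(step, 16)]) * len(block)
    return block


def entropy_wipe(buf: bytearray, block_size: int = BLOCK_SIZE) -> list:
    """Wipe buf in place block by block; return [(block_no, entropy, passes)].

    Models a flat storage area only: SSD remapping and spare areas, which the
    paper notes as a separate problem, are not represented here.
    """
    report = []
    for off in range(0, len(buf), block_size):
        blk = bytearray(buf[off:off + block_size])
        e = shannon_entropy(bytes(blk))
        schedule = wipe_schedule(e, len(blk))
        if schedule:
            buf[off:off + block_size] = apply_passes(blk, schedule)
        report.append((off // block_size, round(e, 3), len(schedule)))
    return report


def sample_area() -> bytearray:
    """Constructed 3-block target area: blank, plain text, high-entropy bytes."""
    blank = bytes(BLOCK_SIZE)
    text = b"Patient record: " * 4        # 64 bytes, entropy 3.5 bits
    dense = bytes(range(BLOCK_SIZE))       # 64 distinct values, 6.0 bits
    return bytearray(blank + text + dense)


if __name__ == "__main__":
    area = sample_area()
    for block_no, e, passes in entropy_wipe(area):
        print(f"block {block_no}: entropy={e:.2f} bits, passes={passes}")
    print("plaintext still present:", b"Patient" in area)
```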
One of the most serious works on AWS security [27] gives the results of a "black box" analysis methodology in regard to the control interfaces (AWS EC2 and S3) being compromised via novel signature wrapping and advanced XSS techniques, HTML injection, as well as SOAP issues with validation and man-in-the-middle attacks. The authors examined possible ways of protection and found that the AWS EC2 & S3 services do not provide suitable opportunities to implement their solutions. Despite that, solutions based on native AWS security features were found to protect against these attacks [28]:

Utilizing SSL/HTTPS only, with certificate validation, and utilizing API access mechanisms like REST/Query instead of SOAP
Activating access via MFA and creating IAM accounts limited in access, with AWS credential rotation enhanced with key pairs and X.509 certificates
Limiting IP access, enhanced with API/SDK & IAM
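One way the MFA and IP-limiting mitigations above are expressed as an IAM identity policy, as an added example that is not the paper's or AWS's code: the policy document below is constructed (the CIDR is a placeholder from a documentation range), aws:SourceIp and aws:MultiFactorAuthPresent are real IAM condition keys, and the evaluator is an assumed, simplified local model of IAM's allow/deny logic (Bool, BoolIfExists and IpAddress operators only, explicit deny overriding allow) for checking request contexts offline.

```python
import fnmatch
import ipaddress
import json

OFFICE_CIDR = "203.0.113.0/24"  # placeholder corporate egress range

# Constructed policy: read-only EC2/S3 calls are allowed from the office range,
# and anything done without an MFA-authenticated session is explicitly denied.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadOnlyFromOffice",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "s3:GetObject"],
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_CIDR}},
        },
        {
            # Explicit deny wins over any allow, so a call made with a
            # long-term access key but no MFA token is refused everywhere.
            "Sid": "DenyAnythingWithoutMfa",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def policy_document() -> str:
    """JSON form of the policy, as it would be attached to an IAM user/group."""
    return json.dumps(POLICY, indent=2)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def action_matches(pattern, action: str) -> bool:
    """IAM action patterns are case-insensitive globs, e.g. 'ec2:Describe*'."""
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in _as_list(pattern))


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Simplified evaluator: Bool, BoolIfExists and IpAddress operators only."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator in ("Bool", "BoolIfExists"):
                if actual is None:
                    if operator == "Bool":
                        return False   # a missing key never satisfies Bool
                    continue           # ...but does satisfy BoolIfExists
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                if actual is None:
                    return False
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c) for c in _as_list(expected)):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one API request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not action_matches(st["Action"], action):
            continue
        if not condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"      # deny overrides, stop immediately
        decision = "Allow"
    return decision


# Constructed request contexts, i.e. what the AWS API would see per call.
OFFICE_MFA = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "true"}
OFFICE_NO_MFA = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "false"}
HOTEL_MFA = {"aws:SourceIp": "198.51.100.9", "aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    print(policy_document())
    for name, ctx in [("office + MFA", OFFICE_MFA), ("office, no MFA", OFFICE_NO_MFA),
                      ("hotel + MFA", HOTEL_MFA)]:
        print(f"{name:15} ec2:DescribeInstances -> {evaluate(POLICY, 'ec2:DescribeInstances', ctx)}")
```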
Virtualization refers to a hypervisor, while a virtual machine works with a configured snapshot of an OS image and requires well-known shared resources like memory, storage or network. It is generally agreed that even with isolation of these shared resources without affecting other instances, VMs can be trusted in a few cases only, while they are vulnerable to the best-known XEN attacks. However, no XEN vulnerability has been applied to AWS services [29], which brings understanding of the term “customize” in regard to clouds. Another ability to control via AMT commands [30] applies to VMware, but there are no known successful implementations for AWS, Azure, GAE or other clouds. It may also have serious performance problems, such as overloading the virtual OS with analysing CPU commands and system calls regardless of where the trusted/untrusted control agents are, multiplied by known issues best demonstrated in the case of the GPU [31].

There are security virtualization issues even in clouds, no doubt, and they should be taken into consideration. One exciting example [32] talks about incorrect behavior in the SSL certificate validation mechanisms of the AWS SDK for EC2, ELB, and FPS. Despite that, AWS has updated all SDKs (for all services) to redress it [13].

3. EXAMINATION OF THE CSA DOCUMENTS ON CLOUDS

The CSA documents provide vendors and their customers with a medium-detailed overview of which statements the cloud security features apply to, as defined in the Consensus Assessments Initiative Questionnaire (CAIQ) and Cloud Control Matrix (CCM). The cloud vendors announce that their services operate in accordance with them. However, the customers have a responsibility to control their environment and define whether it is really in compliance; in other words, how transparent the cloud controls and configurations are. Here the regulations meet the technical equipment, and a public technical proof is examined from that point first. Each control ID (CID) is kept so that it can be found in the CAIQ [33] and CCM [34], while its explanation is rewritten to reduce the amount of text and grouped by domain/control group and similar questions/metrics. Some conventions are used in Tables 3 and 4: each abbreviation is the reduced name of a Control Group ID: CO - Compliance, DG - Data Governance, FS - Facility Security, HR - Human Resource Security, IS - Information Security, RS - Resiliency, SA - Security Architecture. Requirements from the sections LG - Legal, OP - Operation Management, RI - Risk Management, RM - Release Management and other non-technical ones are removed, as they are compliant with ISO 27xxx, SOC and COBIT according to independent auditors and reviewers.
Table 3 AWS solutions against the CAIQ

CID | Question | AWS Response
CO-01.1 | Any certifications, reports and other relevant documentation in regard to the standards | AWS has them and provides them under NDA.
CO-02.1-7 | An ability to provide tenants with the 3rd-party audit reports, and to conduct network/application cloud penetration tests as well as internal/external audits regularly (in regard to the guidance), with results | AWS engages independent auditors to review its services and provides customers with the relevant 3rd-party compliance/attestation/certification reports under NDA. Such audit covers regular scans of its (non-customer) services for vulnerabilities [22-23]; customers are also able to pentest [21] their own instances under a tentative agreement.
CO-03.1-2 | An ability for customers to perform vulnerability tests (their own tests) on applications and networks | Customers are able to perform it with permission, requested (by email with the instance IDs and period) via the AWS Vulnerability/Penetration Testing Request Form [21].
CO-05.1-2 | An ability to logically split tenants' data into segments (additionally, by encryption), as well as data recovery for specific customers in case of failure or data loss | All data stored by customers has canonical isolation by path and additional security capabilities like permissions, personal entry points to access the data, and MFA. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL) and VPC (encrypted connections and sessions). Additionally, the customer can use any cloud service offering backup from and to AWS services, like SME Storage for cloud vendors or Veeam Backup Cloud Edition for VMs.
DG-01.1 | An implementation of a structured data-labeling standard | Depends on the customers’ needs and their requirements.
DG-02.1-5 | An ability to identify the VM via policy tags/metadata to perform quality control/restrict actions, like identifying hardware via policy & tags/metadata, using geolocation as an authentication factor, providing a physical geolocation, and allowing suitable geolocations to be chosen for resources and data routing | Tenants can apply any metadata and tagging to the EC2 VMs to set user-friendly names and enhance searchability. AWS offers several regions [19]. Each of them is covered by a geolocation policy, and access can be restricted by SSL, IP address and time of day. Customers can move data between regions directly via the API/SDK.
DG-03.1 | Any policies and mechanisms for labeling, handling and securing data | As the customers retain ownership, they are responsible for implementing it.
DG-04.1-2 | The technical capabilities to enforce tenant data retention policies and a documented policy on government requests | Customers have the capability to manage retention, control and delete their data, except where AWS must comply with the law.
DG-05.1-2 | Secure deletion (e.g. degaussing / cryptographic wiping) and procedures describing how the cloud vendor handles this deletion | At the end of a storage device's useful life, AWS performs a decommissioning process to prevent data exposure via DoD 5220.22-M/NIST 800-88 techniques. In addition the device will be degaussed or physically destroyed.
DG-07.1-2 | The presence of controls to prevent data leakage / compromise between AWS’ tenants | No serious security bugs of the AWS environment are known to have been successfully applied, or that cannot be ‘patched’ by using the implemented PCI controls [27-29] to segment resources from each other. The hypervisor is designed to restrict non-allowed connections between tenant resources.
DG-08.1 | Availability of control health data to implement continuous monitoring that validates the services' status | AWS provides the independent auditor reports under NDA, and customers can build continuous monitoring of logical controls on their own systems, additionally implementing [19].
FS-04.1 | An ability to tell customers which geolocations data traverses into/out of, in regard to the law | AWS undertakes not to move customers' content without notifying them, in compliance with the law. The rest is similar to DG-02.5.
FS-06.1, FS-07.1 | Availability of documents explaining if and where data may be moved between different locations (e.g. backups), repurposing of equipment, and sanitizing of resources | AWS lets customers control their data locations. Data will not be moved between different regions, only inside those that were chosen, to prevent failure. The rest is similar to DG-05.1-2 (which covers the AWS side only).
IS-04.1-3 | An ability to provide documents with security recommendations per component, to import trusted VMs, and to continuously monitor and report compliance | Customers are able [11] to use their own VMs by importing images via AWS VM Import, and AWS Import/Export accelerates moving large amounts of data in/out in case of backup or disaster recovery. The rest is similar to DG-08.1 in regard to ISO (domains 12.1, 15.2).
IS-05.1 | An ability to notify customers of information security/privacy policy changes | Although AWS provides a lot of how-to docs, binaries & sources [10-18], [28-29] that are regularly updated, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified.
IS-08.1-2 | Documents describing how the cloud vendor grants and approves access to tenant data, and whether provider & tenant data classification methodologies are aligned with each other | The customers, as data owners, are responsible for the development, content, operation, maintenance and use of their content.
IS-09.1-2 | Revocation/modification of user access to data upon any change in status of employees, contractors, customers, etc. | Amazon provides enough security controls to maintain an appropriate security policy and permissions that do not let data spread unless explicitly allowed, which is also built by AWS. The rest is similar to IS-07.1-2 in regard to AWS staff.
IS-12.1-2 | Participation in security groups that benchmark the controls against standards | AWS policies are based on COBIT, ISO 27001/27002 and PCI DSS.
IS-13.1 | Documentation clarifying the difference between administrative responsibilities and those of the tenant | AWS provides these roles among the general security documents (i.e. not among the specific service documents).
IS-17.1-3 | Any policies addressing conflicts of interest on the SLA, tamper audit, software integrity and detection of changes to VM configurations | AWS provides the details in a SOC 1 Type II report in compliance with ISO 27001 (domains 8.2, 11.3), validated by independent auditors.
IS-18.1-2, IS-19.1-4 | Ability to create and manage unique encryption keys per tenant, to encrypt data to an identity without access to a public key certificate (identity-based encryption), to protect tenant data during transmission, in VMs, DBs and other data via encryption, and to maintain key management | If keys are created on the server side, AWS creates the unique keys and utilizes them; if created on the client side with the customer's own or 3rd-party solutions, only the customers can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.
IS-20.1-6 | An ability to perform vulnerability scans in regard to the recommendations at the application layer, network layer and local OS layer, and patching thereafter. Providing information about issues to AWS, who makes it public | Similar to CO-03.1-2 but in more detail: customers should perform vulnerability scans and patching even though the VMs' OS comes with the latest updates; they are obliged to come to an agreement with AWS and not violate the Policy. Also similar to CO-02.6-7 on providing the results [21-23].
IS-23.1-2, IS-24.1-4 | An ability of a SIEM to merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting. Additionally, providing isolation of certain customers during an incident | AWS has this in compliance with ISO. Even though customers' data is stored with strong isolation on the AWS side and restrictions made by them, all data should be encrypted on the client side, because that leads to direct participation with the law, as AWS does not get the keys in this case.
IS-28.1-2, IS-29.1 | An ability to use open encryption (3DES, AES, etc.) to let tenants protect their data in storage and in transfer over public networks. Also, availability of logging, monitoring and restriction of any access to the management systems (controlled hypervisors, firewalls, APIs, etc.) | AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL) and VPC (encrypted connections and sessions). Customers may use third-party encryption technologies too, as well as rely on the AWS APIs, which are available via SSL-protected endpoints. AWS has a logging feature, delineates the minimum standards for logical access to AWS resources and provides details in the SOC 1 Type II report.
IS-34.1-3 | An ability to monitor and segment/restrict the key utilities that manage virtualized partitions (e.g. shutdown, clone, etc.), and to detect attacks (blue pill, etc.) on the virtual key components and prevent them | AWS has this and provides details in the SOC 1 Type II report. AWS examines such attacks and provides information if they apply in the “Security Bulletins” section [35]. An example of a black-box attack [27], [28] was given in Section 2 of this paper, with native security features as a solution.
SA-02.1-7 | A capability to use SSO, an identity management system, an MFA Policy Enforcement Point (e.g. XACML), to delegate authentication, to support identity federation standards (SAML, SPML, WS-Federation, etc.) and to use 3rd-party identity assurance services | AWS IAM [15-18] provides secure access and roles to the resources, with features to control access, create unique entry points for users, grant cross-account access via API/SDK or the IAM console, and create permissions with a duration and geo-authentication. AWS offers identity federation and VPC tunnels to utilize existing corporate identities for access. Additionally, customers may avoid mistakes and risks by using the AWS Policy Generator and MFA devices [20].
SA-03.1, SA-04.1-3, SA-05.1 | Any industry standards as a background for a Data Security Architecture (NIST) to build security into the SDLC, tools detecting security defects and verifying the software. Availability of I/O integrity routines for application interfaces and DBs to prevent errors and data corruption | AWS security is based on best practices and standards (ISO 27001/27002, CoBIT, PCI DSS) certified by independent auditors, to build threat modeling and complete a risk assessment as part of the SDLC. AWS implements this through all phases, including transmission, storage and processing of data, in compliance with ISO 27001 (domain 12.2), certified by independent auditors.
SA-06.1-2, SA-08.1 | Environment separation for SaaS/PaaS/IaaS, providing how-to docs | AWS provides a lot of how-to docs, binaries & sources [10-18], [28-29].
SA-07.1 | MFA features are a strong requirement for all remote access | MFA is not strong and depends on the customer configuration [20].
SA-09.1-4, SA-10.1-3, SA-11.1 | Segmentation of system and network environments according to compliance, legal, protection and regulatory requirements, as well as protection of the network environment perimeter | Internal segmentation is in alignment with ISO and similar to CO-05.1-2, while external segmentation is part of the customer's responsibility. Internally, traffic restriction is under ‘deny/allow’ control by default. Externally, customers may use SSL, encryption keys, encryption solutions and security policies to explicitly approve the security settings.
SA-12.1 | NTP or other similar services | AWS services rely on the internal system clocks, synchronized via NTP.
SA-13.1 | Equipment identification as a method to validate connection authentication integrity based on known location | AWS provides such an ability, for example via the AWS metadata, geo tags and other tags created by the customers.
SA-15.1-2 | Mobile code authorization before its installation, prevention from executing, and use according to a clearly defined security policy | The customers are responsible for managing it to meet their requirements.

Table 4 AWS solutions against a CCM

CID Control Specification AWS Response


CO-01 Audit plans, activities and operational AWS has appropriate technical solutions,
action items focusing on data duplication, internal controls to protect customer data
access, and data boundary limitations with against alteration/destruction/loss/etc. Any
aim to minimize the risk of business kind of additional audit information is
process disruption. provided to the customers under NDA
ID | Control requirement | AWS implementation
CO-02 | Independent reviews shall be performed annually or at planned intervals to achieve highly effective compliance with policies, standards and regulations (i.e., internal/external audits, certifications, vulnerability and penetration testing). | AWS shares 3rd party audit reports with its customers under NDA. Such audits cover regular scans of AWS's own (non-customer) services for vulnerabilities [22-23], while customers are allowed to request a pentest [21] of their own instances.
CO-03 | 3rd party service providers shall demonstrate compliance with security requirements; their reports and services should undergo audit and review. | AWS requires the 3rd parties it engages to meet important privacy and security requirements, in alignment with ISO 27001 (domain 6.2).
CO-06 | A policy to safeguard intellectual property. | AWS will not disclose customer data to a 3rd party unless required by law, and will not use the data except to detect or repair problems affecting the services.
DG-01 | All data shall be designated with stewardship, with assigned responsibilities defined, documented and communicated. | Customers are responsible for maintaining this for their own assets.
DG-02 | Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, etc. | AWS allows customers to classify their resources themselves (e.g. by applying metadata and tags to EC2 VMs to set user-friendly names and enhance searchability).
DG-03 | Policies/mechanisms for labeling, handling and security of data and objects which contain data. | Similar to DG-02.
DG-04 | Policies for data retention and storage, as well as implementation of backup or redundancy mechanisms to ensure compliance with regulatory and other requirements, validated regularly. | The AWS infrastructure is validated regularly for any purpose in alignment with security standards, and backup is offered through AWS EBS and Glacier (for data archiving and backup), but customers are able to manage it themselves via the API/SDK.
DG-05 | Policies and mechanisms for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means. | AWS relies on best practices to wipe data using DoD 5220.22-M/NIST 800-88 techniques; if this is not possible, the media is physically destroyed.
DG-06-07 | Security mechanisms to prevent data leakage. | AWS has implemented logical (permissions) and physical (segmentation) controls to prevent data leakage (e.g. the hypervisor is designed to restrict non-allowed connections between tenant resources); however, the end users are responsible for managing the right sharing permissions.
FS-06, FS-07 | Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premises. | AWS gives customers control over managing their data locations. Data will not be moved between different regions, only inside the region that was chosen, to prevent failure.
FS-08 | A complete inventory of critical assets shall be maintained with ownership defined and documented. | AWS maintains a formal policy that requires hardware assets to be monitored by AWS personnel and relationships with all AWS suppliers to be maintained, in compliance with ISO 27001 (see domain 7.1 for additional details).
IS-01, IS-02, IS-03 | An implementation of an ISMP including administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. | AWS implements an ISMS to address security/privacy best practices and provides the appropriate documentation under NDA.
IS-04 | An implementation of baseline security requirements for applications / DB / systems / network in compliance with policies / regulations / standards. | Baseline security requirements are technically implemented with a 'deny' configuration by default and are documented in the AWS security documents for all services (e.g. [10-18]).
IS-05 | An information security policy review at planned intervals. | Although AWS provides a lot of how-to docs, binaries and sources [10-18], [28-29] that are regularly updated, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified by AWS.
IS-07-08 | An implementation of user access policies for granting/revoking access to apps, DB, and the rest in accordance with security, compliance and SLA. | All AWS services feature IAM, which provides powerful permission items with predefined templates.
IS-18, IS-19 | Implemented policies / mechanisms allowing data encryption in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging), as well as key management. | If keys are created on the server side, AWS creates unique keys and uses them; if they are created on the client side with the customer's own or 3rd party solutions, only the customers can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.
IS-20 | Implemented policies and mechanisms for vulnerability and patch management on the side of apps, systems, and network devices. | AWS provides its services with the latest updates and analyzes software updates for their criticality; customers are partially able to perform vulnerability scans and patching themselves, provided that they do not violate the policy [21-23].
IS-21 | A capability of AV solutions to detect, remove, and protect against all known types of malicious or unauthorized software, with antivirus signature updates at least every 12 hours. | AWS does manage AV solutions and updates in compliance with ISO 27001, as confirmed by independent auditors. Additionally, customers should maintain their own solutions to meet their requirements.
IS-22 | Policies and procedures to triage security related events and ensure timely and thorough incident management. | AWS has defined role responsibilities and incident handling in internal documents in compliance with ISO, and provides the SOC 1 Type report.
IS-23, IS-24 | Information security events shall be reported through predefined communication channels in a prompt and expedient manner, in compliance with statutory, regulatory and contractual requirements. | AWS supports this via [21-23].
IS-26 | Policies and procedures shall be established for the acceptable use of information assets. | According to AWS, only the customers manage and control their data, unless access is needed due to legal requirements or troubleshooting aimed at fixing service issues.
IS-32, IS-33 | Policies and mechanisms to limit access to sensitive data (especially application, program or object source code) from portable and mobile devices. | AWS has this one; it delineates the minimum rights for logical access to AWS resources and provides details in the SOC 1 Type II report.
RS-01-08 | Documented policy and procedures defining continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets through a combination of preventive and recovery controls, in accordance with regulations and standards. Physical protection against damage from natural causes and disasters as well as deliberate attacks, including fire, flood, etc., shall be implemented. | Such policies are in alignment with ISO 27001 (domain 14.1). AWS provides the CloudWatch service to monitor the state of AWS EC2, EBS, ELB, SQS, SNS, DynamoDB and Storage Gateways, as well as a status history [19]. AWS provides several Availability Zones in each of six regions to prevent failures, but customers are responsible for managing it across regions or other cloud vendors via the API and SDK. Physical protection is in compliance with ISO 27001 and 27002. Information about transport routes is similar to FS-06.1.
SA-02 | An implementation of user credential and password controls for apps, DB, server and network infrastructure, requiring the following minimum standards. | AWS IAM [15-18] provides secure access and roles to resources, with features to control access, create unique entry points for users, grant cross-AWS-account access via the API/SDK or IAM console, and create powerful permissions with duration and geo-based authentication conditions. AWS offers identity federation and VPC tunnels that allow existing corporate identities to be used for access, and temporary security credentials. Additionally, customers may avoid mistakes and risks by using the AWS Policy Generator and MFA devices [20]. IAM allows creating and handling the sets defined in accordance with the sub-rules of SA-02 (in the original CCM).
SA-06, SA-08 | A segmentation of production and non-production environments to prevent unauthorized access, and restriction of connections between trusted and untrusted networks for the use of all allowed services, protocols and ports. | AWS provides a lot of how-to docs, binaries and sources (for example [10-18], [28-29]).
SA-07 | A requirement of MFA for all remote user access. | MFA is not on by default and depends on the customer configuration [20].
SA-09, SA-10, SA-11 | Separation of system and network environments via firewalls with regard to isolation of sensitive data and restriction of unauthorized traffic, enhanced with strong encryption for authentication and transmission, and replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.). | Internal segmentation is in alignment with ISO and similar to CO-05.1-2, while external segmentation is part of the customer's responsibility. Internally, traffic restriction is also in place and has a 'deny/allow' option in EC2/S3 by default (but explicit configuration is recommended), etc. Externally, customers are able to use SSL, encryption keys, encryption solutions and security policies to explicitly approve the security settings (AWS, 3rd party or their own).
SA-12 | An external accurate time source to synchronize the system clocks of all information-processing systems (US GPS & EU Galileo satellites). | AWS services rely on the internal system clocks, synchronized via NTP.
SA-13 | A capability of automated equipment identification as a part of authentication. | AWS provides such an ability, for example via the metadata, geo tags and other tags created by the customers.
SA-14 | Audit logs recording privileged user access activities shall be retained in compliance with applicable policies and regulations and reviewed at least daily, and file integrity (host) and network intrusion detection (IDS) tools shall be implemented to help investigation in case of incidents. | AWS has this one in compliance with ISO and provides the results in the SOC 1 Type II report. AWS has an incident response program in compliance too. Even though customers' data is stored with strong isolation on the AWS side and with restrictions made by the customers, additional materials (the SOC 1 Type II report) must be requested to clarify all questions on forensics. All data should be encrypted on the client side, because this leads to the customers dealing with the law directly, as AWS does not have the keys in this case.
SA-15 | Mobile code authorization before its installation, and prevention of its execution and use, according to a clearly defined security policy. | The customers are responsible for managing this to meet their requirements.

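Rows SA-07 (MFA is off until the customer configures it), IS-18/19 and SA-14 (server-side encryption exists, but the customer must switch it on and explicit configuration is recommended) all describe controls that only take effect once the customer writes them into policy. The following Python block is an added example, not code from the paper or from AWS: it places a weak IAM user policy beside one that denies any request made without MFA (aws:MultiFactorAuthPresent is a real IAM condition key), pairs it with the AWS-documented S3 bucket policy that refuses uploads lacking the s3:x-amz-server-side-encryption header, and runs constructed requests through a minimal offline evaluator. The bucket name example-bucket, the object ARN and the request contexts are constructed for the example, and the evaluator models only the IAM rules it needs (explicit Deny wins, then Allow, then implicit Deny); it is a simplification, not the real IAM engine.

```python
"""Added example (not AWS's or the paper's code): weak vs. hardened IAM policy (MFA) and the
AWS-documented S3 bucket policy refusing unencrypted uploads, checked with an offline evaluator."""
import fnmatch

# Weak: holders of this policy reach S3 with a static access key alone.
WEAK_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
# Hardened: same grant plus an explicit Deny whenever the request carries no MFA. The
# ...IfExists form also catches long-term access keys, for which the key is absent.
MFA_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
# AWS-documented pattern for rejecting PutObject without server-side encryption: one
# statement rejects a wrong algorithm, the other a missing header. "example-bucket" is constructed.
SSE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

def _matches(pattern, value):
    """IAM-style wildcard match; the pattern may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_met(condition, ctx):
    """Bool, StringEquals, StringNotEquals and Null (plus ...IfExists). Simplification: a key
    missing from the request context fails every operator except Null and ...IfExists."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[:-len("IfExists")] if if_exists else op
        for key, want in pairs.items():
            want = str(want).lower()
            if key not in ctx:
                if base == "Null":
                    if want != "true":   # Null:"true" means "key is absent"
                        return False
                elif not if_exists:
                    return False
                continue
            have = str(ctx[key]).lower()
            if base == "Null":
                ok = want == "false"     # Null:"false" means "key is present"
            elif base in ("Bool", "StringEquals"):
                ok = have == want
            elif base == "StringNotEquals":
                ok = have != want
            else:
                raise ValueError(f"unsupported operator {op}")
            if not ok:
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Matching explicit Deny wins, otherwise a matching Allow permits, otherwise implicit
    Deny. Identity and resource policies are evaluated together; Principal is not modelled."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_met(stmt["Condition"], ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def demo():
    """The same constructed requests against the weak and the hardened policies."""
    obj = "arn:aws:s3:::example-bucket/report.csv"   # constructed sample ARN
    mfa = {"aws:MultiFactorAuthPresent": "true"}     # {} below = static key, no MFA
    both = [MFA_USER_POLICY, SSE_BUCKET_POLICY]
    return {
        "weak_get_without_mfa": evaluate([WEAK_USER_POLICY], "s3:GetObject", obj, {}),
        "hardened_get_without_mfa": evaluate([MFA_USER_POLICY], "s3:GetObject", obj, {}),
        "hardened_get_with_mfa": evaluate([MFA_USER_POLICY], "s3:GetObject", obj, mfa),
        "put_without_sse_header": evaluate(both, "s3:PutObject", obj, mfa),
        "put_with_aes256": evaluate(both, "s3:PutObject", obj,
                                    {**mfa, "s3:x-amz-server-side-encryption": "AES256"}),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Running the block prints one verdict per request. The weak policy grants the read on a static key alone; the hardened pair refuses the same read until MFA is present, and refuses any PutObject whose encryption header is missing or names a different algorithm, which is the difference between a control that exists in the service and a control that is actually enforced for the customer's own data.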
4. CONCLUSION
Complex solutions and systems such as AWS, Azure or GAE are prone to security compromise
because they have to operate large-scale computations under dynamic configuration. Cloud
vendors usually do not disclose the technical details of their security to customers, which
raises the question of how customers can verify them against the appropriate requirements.
Cloud security depends on whether the cloud vendor has implemented security controls that are
documented and backed by policy. However, there is a lack of visibility into how clouds
operate; each of them differs from the others in its levels of control, monitoring and
securing mechanisms, which are widely known for non-cloud systems. This potential
vulnerability requires a high degree of security combined with transparency and compliance.
AWS relies on security frameworks based on various standards that are certified by auditors
and help customers evaluate whether and how AWS meets the requirements; CAIQ/CCM provide an
equivalent of them across several standards. A partially bad idea is public documents filled
in by vendors with general explanations that refer to NDA reports, multiplied by common
recommendations.
Besides the details from 3rd party audit reports, customers may require assurance with respect
to local laws and regulations. Withholding implementation and configuration information as part
of proprietary information makes this quite complicated (which is neither bad nor good, just
complicated). In other words, it may call for specific levels of audit logging, activity
reporting, security controlling and data retention that are often not part of the SLA offered
by providers. The result of examining AWS security controls against security
standards/regulations, shown in [8] and partially in [7], is that the standards are passed
successfully by using only the native security features implemented in the AWS Console, CLI
and API/SDK. It additionally includes cases in which the current AWS security features should
be enhanced by third-party security solutions, such as national encryption on the client side
before uploading data, and the ability to comply with requirements indirectly. Regarding
security enhancement, not only the security controls that belong to the cloud layer (outside
the VMs) should be used to protect data, communications, memory, etc., but also internal OS
controls and 3rd party solutions, together. This excludes obsolete clauses and the cases of
'just waiting' for a solution from AWS when it is unable to build and implement an appropriate
one. OS and third-party solutions known from non-cloud systems allow protecting the critical
and confidential information present in system, configuration and other files from alteration,
exposure and unauthorized access.
Examining cloud solutions such as Azure, BES with AWS & Azure, and Office365 with Cloud BES
against other standards is part of further research; however, the significant direction is
improving the existing CSA and NIST recommendations to enhance transparency by relying
primarily on technical requirements: on the cloud layer, on the inter-VM/DB &
inter-cloud-services layer, and on the VM/DB layer.

5. REFERENCES
[1] Mell, P. & Grance, T. (2011) "The NIST Definition of Cloud Computing", Recommendations of the National Institute of Standards and Technology, NIST.
[2] Abuhussein, Bedi, H. & Shiva, S. (2012) "Evaluating Security and Privacy in Cloud Computing Services: A Stakeholder's Perspective", The 7th International Conference for Internet Technology and Secured Transactions, pp. 388-395, Dec 2012.
[3] Feng, J., Chen, Y. & Liu, P. (2010) "Bridging the Missing Link of Cloud Data Storage Security in AWS", 7th Consumer Communications and Networking Conference (CCNC), pp. 1-2, Jan 2010.
[4] Hu, Y., Lu, F., Khan, I. & Bai, G. (2012) "A Cloud Computing Solution for Sharing Healthcare Information", The 7th International Conference for Internet Technology and Secured Transactions, pp. 465-470, Dec 2012.
[5] "Google cloud services – App Engine". [Online resource: www.google.com/enterprise/cloud/appengine/, Accessed: 23-Nov-12]
[6] "Technical Overview of the Security Features in the Windows Azure Platform". [Online resource: www.google.com/enterprise/cloud/appengine/, Accessed: 23-Nov-12]
[7] Chemerkin, Y. (2012) "AWS Cloud Security from the point of view of the Compliance", PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa, Warszawa, vol. 2, No. 10, Issue 10/2012 (12), ISSN 2084-1116, pp. 50-59, Dec 2012.
[8] Chemerkin, Y. "Analysis of Cloud Security against the modern security standards", draft (to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa, Warszawa, in May
[9] Kissel, R., Scholl, M., Skolochenko, S. & Li, X. (2006) "Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology", NIST SP 800-88 Report.
[10] "Amazon EC2 Microsoft API Reference". [Online resource: docs.aws.amazon.com/AWSEC2/latest/APIReference/, Accessed: 05-Dec-12]
[11] "AWS Import/Export Developer Guide". [Online resource: aws.amazon.com/documentation/importexport/, Accessed: 16-Dec-12]
[12] "Amazon Virtual Private Cloud Network Administrator Guide". [Online resource: docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide, Accessed: 05-Dec-12]
[13] "Reported SSL Certificate Validation Errors in API Tools and SDKs". [Online resource: aws.amazon.com/security/security-bulletins/reported-ssl-certificate-validation-errors-in-api-tools-and-sdks/, Accessed: 15-Jan-13]
[14] "Amazon S3 API Reference". [Online resource: docs.aws.amazon.com/AmazonS3/latest/API/, Accessed: 20-Dec-12]
[15] "Amazon IAM API Reference". [Online resource: docs.aws.amazon.com/IAM/latest/APIReference/, Accessed: 29-Dec-12]
[16] "Amazon Using Temporary Security Credentials". [Online resource: docs.aws.amazon.com/IAM/latest/UsingSTS/, Accessed: 29-Dec-12]
[17] "Amazon AWS Security Token Service API Reference". [Online resource: docs.aws.amazon.com/STS/latest/APIReference/, Accessed: 29-Dec-12]
[18] "Amazon Command Line Reference". [Online resource: docs.aws.amazon.com/IAM/latest/CLIReference/, Accessed: 29-Dec-12]
[19] "AWS Services Health Status". [Online resource: status.aws.amazon.com/, Accessed: 16-Feb-13]
[20] "AWS MFA". [Online resource: aws.amazon.com/mfa, Accessed: 16-Feb-13]
[21] "AWS Vulnerability/Pentesting Request Form". [Online resource: portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSSecurityPenTestRequest, Accessed: 16-Feb-13]
[22] "AWS Abuse reports (EC2, other AWS services)". [Online resource: portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse, Accessed: 16-Feb-13]
[23] "AWS Vulnerability Reporting". [Online resource: aws.amazon.com/security/vulnerability-reporting/, Accessed: 16-Feb-13]
[24] Medsger, J. & Srinivasan, A. (2012) "ERASE: EntRopy-based SAnitization of SEnsitive Data for Privacy Preservation", The 7th International Conference for Internet Technology and Secured Transactions, pp. 427-432, Dec 2012.
[25] "DRAFT Cloud Computing Synopsis and Recommendations", NIST Special Publication 800-146. [Online resource: csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf, Accessed: 06-Jan-13]
[26] "Security Whitepaper. Google Apps Messaging and Collaboration Products". [Online resource: cryptome.org/2012/12/google-cloud-sec.pdf, Accessed: 23-Nov-13]
[27] Somorovsky, J., Heiderich, M., Jensen, M., Schwenk, J., Gruschka, N. & Iacono, L.L. (2011) "All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM Cloud Computing Security Workshop (CCSW), pp. 3-14, Oct 2011.
[28] "Reported SOAP Request Parsing Vulnerabilities". [Online resource: aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/, Accessed: 15-Jan-13]
[29] "Xen Security Advisories". [Online resource: aws.amazon.com/security/security-bulletins/xen-security-advisories/, Accessed: 15-Jan-13]
[30] "The Essential Intelligent Client". [Online resource: www.vmworld.com/servlet/JiveServlet/downloadBody/5700-102-1-8823/Intel%20The%20Essential%20Intelligent%20Client.pdf, Accessed: 15-Jan-13]
[31] "Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR". [Online resource: news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html/, Accessed: 22-Nov-13]
[32] "The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security, pp. 38-49, Oct 2012.
[33] "CSA Consensus Assessments Initiative Questionnaire v1.1". [Online resource: cloudsecurityalliance.org/research/cai/, Accessed: 22-Dec-12]
[34] "CSA Cloud Controls Matrix v1.3". [Online resource: cloudsecurityalliance.org/research/cai/, Accessed: 22-Jan-13]
[35] "AWS Security Bulletins". [Online resource: aws.amazon.com/security/security-bulletins/, Accessed: 16-Feb-13]