Prof. Yale Li, Chief Cyber Security Evaluation Expert of Huawei Internal Cyber Security Lab and Chairman of Cloud Security Alliance (CSA) Greater China Region, gives his take on increased collaboration for cloud security.
In the early days of public cloud computing, a cloud service provider's (CSP's) priority was to sign up businesses by providing low-cost shared resources, faster service, and on-demand elasticity. Security was only considered when customers asked for it or attackers forced CSPs to act. In August 2006, Amazon introduced its Elastic Compute Cloud. When, as a customer at that time, I asked an Amazon security representative to inspect my resource access log in their cloud data center, he scratched his head. Soon, most cloud customers and service providers had realised that security was the biggest challenge for public cloud computing.
Two years later, Microsoft's Windows Azure was announced, and Huawei Desktop Cloud was released for employee trial. Security was rated the No. 1 concern by CIOs of enterprises interested in adopting the cloud. Indeed, even David Cutler, the father of Windows NT, was unable to satisfy many of my basic security requirements relating to Red Dog (the code name of Azure).
To overcome these security challenges, the Cloud Security Alliance was formed in 2008 and officially announced at the 2009 RSA Conference, with the release of its inaugural whitepaper "Security Guidance for Critical Areas of Focus in Cloud Computing V1.0". The guidance shed light on cloud security for both customers and service providers. Microsoft, Huawei, and other vendors and enterprises joined CSA to band together and address the security challenges. Later on, the IaaS leader, Amazon AWS, joined CSA after initially resisting but finally recognising the value of industry-wide partnership.
The first time I met Jim Reavis, the founder of the Cloud Security Alliance, I asked him how many years he thought we would need to resolve the cloud security problems. He said, "It will take a long time, probably 20 years." Today, just 10 years later, cloud computing security has improved significantly. Yet the old problems have not all been resolved, and new ones will continue to appear over the next 10 years.
Cloud security today
The industry has matured significantly over the years, and cloud security is now on a par with enterprise on-premise security. Here are some of the developments the industry has witnessed in recent years.
Cloud architecture and key technologies
Several organisations have developed reference architectures for cloud computing. For example, the Enterprise Architecture (initially known as the Trusted Cloud Initiative Reference Architecture) was first created by CSA and then evolved into the NIST Cloud Computing Reference Architecture through the CSA-NIST partnership. ISO published "ISO/IEC 17789:2014 Information technology – Cloud computing – Reference architecture". Oracle and a few other companies released their own cloud reference architectures. Through these reference architectures, security has earned a place in cloud architectural design.
Meanwhile, technologies continued to advance. More security capabilities and operational security tools have been added to cloud products, solutions, and services. Vulnerabilities in the virtualisation layer have been reported, fixed, and reduced. Hotfix (live patching) technologies in Xen, KVM, Hyper-V and VMware allow security fixes to be applied without rebooting the host. The latest versions of cloud management tools, such as OpenStack, now include security hardening. A cloud security ecosystem, or marketplace, gives customers the choice of optional security features and solutions based on their needs.
CSA has published three versions of "Top Threats to Cloud Computing". The number of identified cloud threats grew from seven in the first version to nine in the second, and to 12 in the third. The latest version, released at RSA Conference 2016 in February, has become widely adopted by vendors when they develop cloud services. Beyond the 12 top threats that are common internationally, Huawei has identified a threat specific to the China cloud market and added countermeasures to Huawei Enterprise Cloud as deployed in China.
Under the shared responsibility model, in which security duties are divided between cloud service providers and customers, Huawei, Amazon, Microsoft and other major vendors have each published their own responsibility boundary diagrams for IaaS, PaaS, and SaaS, covering every layer of the cloud stack from infrastructure to data. Although many cloud service providers collect and analyse data in the cloud to gain business advantage, Huawei Enterprise Cloud announced a new principle: "Never touch applications at top and never touch data at bottom".
Security requirements and standards
The first de facto cloud security standard, the CSA Cloud Controls Matrix (CCM), is currently at version 3.0.1. It has been referenced by many governments, standards organisations and vendors when creating cloud security standards specific to their country, region, or industry. In the US, FedRAMP (the Federal Risk and Authorization Management Program) was established, with its control baselines drawn from NIST SP 800-53. ISO published "ISO/IEC 27017:2015 Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services". The Chinese government also published its national cloud security standard, "Information security technology – Security capability requirements of cloud computing services".
Evaluation and certification
CSA STAR (Security, Trust & Assurance Registry) is the most widely recognised cloud security certification scheme for service providers worldwide. The STAR Programme has three levels: Level 1 – Self-Assessment, Level 2 – Third-Party Assessment-based Certification, Level 3 – Continuous Monitoring. A version of STAR specific to the China market, called C-STAR, was co-developed by CSA and CEPREI. The British Standards Institution (BSI) and several third-party labs are accredited to evaluate cloud service providers against CSA standards (e.g. the Cloud Controls Matrix) and grant CSA STAR certifications. In Europe, the EuroCloud Star Audit certification and the TÜV Rheinland Cloud Security certification are also available to European cloud service providers. Huawei cloud services have achieved CSA STAR, CSA C-STAR and several government-issued certifications.
Cloud penetration test
A cloud security certification demonstrates that a cloud service provider or technology vendor meets a baseline of compliance by implementing the controls that the underlying security requirements mandate. Customers who buy certified services therefore carry lower risk. However, certification alone cannot guarantee that vulnerabilities are few enough to defend the cloud against skilled attackers. As a best practice, most cloud service providers hire white-hat security experts or companies to perform penetration tests on a regular basis. At Huawei, security testing and penetration testing are conducted twice to double-check the security quality of Huawei cloud products and solutions. One test is done by the blue army, penetration testers hired by the product team. A second test is then performed by the red army, an independent and professional Huawei cybersecurity lab, covering everything from the lower virtualisation and network layers to the upper application and business-logic layers.
Tomorrow’s cloud security
Clearly, many cloud security issues have not been completely resolved today. Governments and enterprise customers are still cautious when migrating from on-premise systems to the public cloud. However, the market has shown that cloud adoption will accelerate over the next 10 years. Of course, the industry will also accelerate security investment in cloud computing and emerging technologies over the same period. Here are some examples of the work ahead:
Security-as-a-Service
Security is a concern for the cloud on one side, but the cloud enables security on the other. By utilising the power of cloud computing, delivering security can be easier in the cloud than on premise. SEaaS (Security-as-a-Service) will be a new way to provide security as a service to a vast number of businesses, from small and medium to large. CSA has released implementation guides for 10 different categories of SEaaS, such as encryption, SIEM, IAM and so on.
Standards and certification
Compliance-type audits and testing provide baseline assurance for a cloud service. Currently, organisations focus on higher-level security requirements, similar to the ISO 27001 series, from the customer's perspective. However, lower-level security requirements at the detailed product and solution level need to be defined and tested so that a cloud service can defend itself against a given level of attack. CSA STAR Tech, a product- and solution-level security certification, is under development based on the CSTR "Cloud Security Technology Requirements" standard, which was originally created by a Research Work Group in the CSA Greater China Region. With the mobile app as the client in the cloud-client ecosystem, CSA STAR Mobile, a mobile security certification, will be available for apps that meet the MAST (Mobile Application Security Testing) standard developed by another Work Group with members mainly from the Greater China region. With DevOps and the fast deployment of software builds in the cloud, STAR Level 3 is under development to enable continuous checking of a cloud service's security status. The CSA Cloud Vulnerability Reporting standard will enable vulnerability information sharing between different cloud customers and service providers.
Secure next generation technologies
Emerging technologies such as cloud computing, Big Data, SDN, and IoT introduce new threats to business. The industry must keep pace with countermeasures through innovation in security solution research and development. CSA, Huawei, and the big cloud service providers and vendors, in addition to security tech startups, have already invested in these areas. CSA SDP (Software Defined Perimeter) is a solution that creates a dynamic trust boundary in cloud and IoT environments to shield resources from attackers. The Top 10 Big Data Security Challenges, the IoT Security Framework and the Quantum-Safe Security framework have been published or are under development by CSA Work Groups. Container security, including Docker security guidance, architecture, and requirements, is being initiated by NCC Group, Huawei, CSA and other companies.
CASBs to independent third-party supervision
CASBs (Cloud Access Security Brokers) are a category of security tools that help enterprises safely enable cloud apps and mobile devices. Although CASBs provide some visibility and data security for cloud customers, their view is limited, and a new approach may deserve discussion in the industry. This concept, I3PS (Independent Third-Party Supervision), is an independent and neutral authority that is licensed and fully trusted by both cloud customers and cloud service providers. It provides complete security checks and visibility for cloud services through automated trust protocols, APIs, tools, and processes. A cloud service's security compliance status, administrators' operations on tenants' resources, and other anomalies would all be collected, analysed, and reported by I3PS on behalf of cloud customers, service providers, governments and industry regulators. This would provide efficient, end-to-end assurance for the entire cloud ecosystem.
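As an added illustration, not from the original article nor from CSA or Huawei, the Python sketch below shows one of the checks an I3PS-style supervisor could run over a provider's audit feed: flagging provider operators who act on tenant resources, and in particular any access to the tenant's application or data layer, which is exactly what the "never touch applications at top and never touch data at bottom" principle described earlier promises not to do. The event schema, the action names, the allow-list and the sample records are all constructed for this example; real cloud audit formats and operation names differ.

```python
from dataclasses import dataclass

# Constructed sample audit records. The schema and action names are hypothetical;
# they stand in for whatever the provider's audit feed would expose to a supervisor.
SAMPLE_EVENTS = [
    {"ts": "2016-05-02T09:12:03Z", "actor": "tenant-a/alice", "actor_type": "tenant",
     "action": "object.get", "tenant": "tenant-a", "resource": "bucket/payroll.csv"},
    {"ts": "2016-05-02T09:40:17Z", "actor": "csp/ops-17", "actor_type": "provider",
     "action": "host.livepatch", "tenant": None, "resource": "host/az1-node-044"},
    {"ts": "2016-05-02T09:55:42Z", "actor": "csp/ops-17", "actor_type": "provider",
     "action": "vm.live_migrate", "tenant": "tenant-a", "resource": "vm/i-0099"},
    {"ts": "2016-05-02T10:02:55Z", "actor": "csp/ops-17", "actor_type": "provider",
     "action": "object.get", "tenant": "tenant-a", "resource": "bucket/payroll.csv"},
    {"ts": "2016-05-02T10:05:10Z", "actor": "csp/ops-09", "actor_type": "provider",
     "action": "volume.snapshot.create", "tenant": "tenant-b", "resource": "volume/vol-77"},
    {"ts": "2016-05-02T10:06:31Z", "actor": "csp/ops-09", "actor_type": "provider",
     "action": "volume.snapshot.download", "tenant": "tenant-b", "resource": "volume/vol-77"},
    {"ts": "2016-05-02T11:00:00Z", "actor": "csp/ops-21", "actor_type": "provider",
     "action": "vm.console.attach", "tenant": "tenant-a", "resource": "vm/i-0099"},
]

# Provider actions that legitimately touch a tenant's resource without exposing
# its contents (infrastructure maintenance). Hypothetical names.
ALLOWED_MAINTENANCE = {"vm.live_migrate", "volume.rebalance", "vm.host_evacuate"}

# Provider actions that read or modify the tenant's application or data layer,
# i.e. the layers the provider has promised never to touch. Hypothetical names.
TENANT_LAYER_ACTIONS = {"object.get", "object.put", "object.delete",
                        "volume.snapshot.download", "volume.attach",
                        "vm.console.attach", "db.query"}


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    tenant: str
    action: str
    resource: str
    reason: str


def supervise(events):
    """Return the provider-side operations on tenant resources that a supervisor
    should report to the affected tenant, in log order."""
    findings = []
    for e in events:
        if e["actor_type"] != "provider":
            continue          # tenant staff acting on their own resources: out of scope here
        if e["tenant"] is None:
            continue          # pure infrastructure work, no tenant resource involved
        if e["action"] in ALLOWED_MAINTENANCE:
            continue          # expected maintenance that does not expose tenant content
        if e["action"] in TENANT_LAYER_ACTIONS:
            reason = "provider actor accessed tenant application/data layer"
        else:
            reason = "provider operation on tenant resource outside the maintenance allow-list"
        findings.append(Finding(e["ts"], e["actor"], e["tenant"], e["action"],
                                e["resource"], reason))
    return findings


def report_by_tenant(findings):
    """Group findings per tenant so each tenant only sees its own report."""
    per_tenant = {}
    for f in findings:
        per_tenant.setdefault(f.tenant, []).append(f)
    return per_tenant


if __name__ == "__main__":
    for tenant, items in report_by_tenant(supervise(SAMPLE_EVENTS)).items():
        print(f"== {tenant}: {len(items)} finding(s)")
        for f in items:
            print(f"  {f.ts} {f.actor} {f.action} {f.resource}: {f.reason}")
```

Run on the constructed feed, the live patch of a host and the live migration of a tenant VM pass silently, while the operator reading a tenant's object, downloading a snapshot of a tenant's volume, attaching to a tenant VM console, and even creating the snapshot in the first place are each reported to the tenant concerned. The design point is the allow-list: a supervisor reviewing on behalf of tenants should have to be told which provider operations are routine, rather than having to guess which are suspicious.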
Cloud security requires collaboration between industry players, governments, and academia. The Huawei and CSA collaboration has set an example of how we can achieve security and enable business together in the cloud. I believe customers will have the confidence to put their crown jewels in the cloud in the next ten years.