Loud Computing Has Provided an Alternative Means of Utilizing Computing Resources. In

The NIST Definition of Information Security Updates Cloud Computing1 Migrating to Cloud The cloud model is composed of 5 essential characteristics (On-demand self-services; Broad network access; loud computing has This newsletter will describe what Resource pooling; Rapid provided an alternative Universities should consider in order to elasticity and Measured means of utilizing address various IT security issues when service), 3 service models computing resources. In thinking of migrating their internal IT (Software as a Service; the past, Universities, services to the public cloud. This article Platform as a Service and whether large or small, assumes that the audience has basic Infrastructure as a Service) C have to perform the understanding of cloud computing, and and 4 deployment models following in order to will only focus on describing the IT (Private cloud; Community acquire computing power for processing: security considerations. cloud; Public cloud and procure its own hardware and software, Hybrid cloud). setup the infrastructure and Cloud Models Consideration applications, manage and maintain the hardware and software assets, and Universities thinking of using public eventually dispose or upgrade when the cloud service can choose one of the three IT systems become end of life. With cloud service delivery models: Software cloud computing, the same university as a Service (SaaS), Platform as a Service now has the option of utilizing computer (PaaS) or Infrastructure as a Service resources offered by the cloud service (IaaS). The terms of services and provider instead of procuring and contractual agreements of these delivery managing its own resources. models can be very different. Universities need to study the relevant There are many benefits of adopting terms of services to understand the cloud computing including attractive agreements such as licensing rights, financial model of paid, broader network usage restrictions, service level access coverage covering heterogeneous agreements, data protection and platform of end point devices, ownership arrangements, liabilities, availability of services independent of termination arrangements, etc. location and time of access, and easing 2 Software-as-a-Service (SaaS) Stack the management of IT resources. Despite Not only should Universities understand these benefits, IT security is one of the type of risks associated with the choice key concerns which should not be of a cloud service provider, Universities overlooked. should also ask cloud service providers to explain what security features they have built in and made available, past records of encountering and handling of IT security and service outage incidents, service level management and performance monitoring.

Universities should be cautious to check Data Migration Planning what kind of data or information will be migrated together with its IT services to Platform-as-a-Service (PaaS) Stack2

Infrastructure-as-a-Service (IaaS) Stack2 the cloud. If the data contains personal confidential data in the cloud because information such as student records or terms of services would typically state staff information, migrating such data that for content upload, customer would over to the cloud could potentially pose agree to grant license permissions for issues against Hong Kong’s Personal cloud service providers to use, host, Data (Privacy) Ordinance4. For instance, store, reproduce, modify, create utilizing a public cloud service provider derivative works of the content, and could result in dataCommon flow trans-bordering, Causes of even worst that the license could meaning the providerGoogle may Drive have Data spread Loss7 continue if the customer stops using the Cloud Migrations: Don't and/or duplicated the data in multiple cloud service5. There is no guarantee 3 Forget About The Data chunks across severalMany physicalindividuals locations. and that the confidential data in the cloud As a result, thesecompanies physical that locationshave their will receive maximum security Focus on your data employed underdata the in Google cloud Drive service protection. Universities are migration separately from provider may bebelieve governed their by data different is safe recommended to educate users to avoid your application migration jurisdictions whichand could secure. have This different is not storing personal and confidential data in to get better results. and weaker requirementscompletely in true-terms data of can the cloud. protecting personalbecome data. misplaced, What if personal and confidential data Data migration consists of accidentally or maliciously have to be stored in the cloud? three parts: the migration deleted or overwritten Encryption would be the logical solution lifecycle on yourEncryption data Keys Controleven if Similarit is stored to in the to protect sensitive data from subsystem, the transfer of Google concernsDrive. Note that of unauthorized disclosure. legacy data, and, finally, personal data, itthe is reasonsa red flag for data to store loss the integration with the However implementingare not due encryption to Google’s in rest of the migrated the cloud is not asservice straight being forward ineffective as in- at application. Let's examine house environmentsecurity due to or cloud’s storing multi- your Securely Accessing Cloud each in more detail: tenancy characteristics.data. The most common Once internal IT services are migrated to causes are due to user the cloud, sufficient security controls 1. Data Migration If Universities haveerror, weak accidental control deletion over must be built in to guard against all sorts Lifecycle the encryption or key, misplacement, the strength Google of of Internet security threats. 2. Transfer Of Legacy Data encryption protectionaccount will deactivation be severely 3. Integration With The diminished. Therefore,(maybe valid Universities or maybe For instance, strong access controls such Migrated Application should investigateincorrect), whether etc. any data of as two-factor authentication should be deployed to authenticate the real identity of staff. All data transmitted "Encryption is a vital component of a over the public cloud should be strong security posture for any size university, and encrypted to avoid exposing any it should be a standard offering within the cloud," transactions or information to the public Chris Cicotte, EMC CISSP VCP cloud architect/SP Internet. Audit logs with sufficient specialist, said. He added, "The threat landscape details should be enabled to allow has already begun to evolve, and from an overall Universities to track, alert and analyze security perspective, we need to take a proactive when something goes wrong. Since approach by layering in technologies like distributed denial of service (DDoS) encryption at every layer." 6s attacks are becoming common, Universities may have to work with its IT existing services to be migrated to cloud service providers to employ the cloud needs to be encrypted. If so, necessary DDoS mitigation solutions in Universities should analyze how to order to address such threats. maintain the same level of encryption Awareness training should be organized protection and key management after to educate students and staff how to take migrating to the cloud. extra cautions to protect login credentials, avoid accessing the cloud Instagram and Flipboard. A few days service via public terminals, be vigilant later, Office 365 went offline for a couple of phishing attacks and strengthen end of hours. On September 24, Gmail users point protections. experienced email delay because Google encountered a dual network failure. To sum up, Universities are advised to conduct security risk assessment for the People may argue that the overall possible threats,iCloud adds IT additional services service uptime of public cloud service vulnerabilities, likelihoodchallenges of with occurrence respect provider is still higher than in-house IT and aggregated impact.to security The9: outcome of services. However, the main difference security risk assessment should help here is internal IT support staff can be Universities determineThe virtual what environment security designated to urgently fix the issues and controls must beoften implemented changes rapidly in order in provide immediate updates to the to manage risk to an acceptable level. management. But for the outage of cloud the face of varying loads IT services, Universities can only wait for Threat Differentiationon the physical resources, the cloud service providers to resume so end users—and even Within an in-house environment, the IT their services. Whether the outage is a administrators—are not systems are typically located behind couple of seconds, minutes or even firewalls and always intrusion aware prevention of the exact hours, IT services running on top of the systems. Under physical certain hardware circumstances, and cloud service will become offline during newly releasedsoftware security configuration patches or that outage period. configuration hardeningthat runs may the notvirtual need to be immediately appliedinfrastructure. as the IT systems There could also be a worst situation may have been shielded from the public that a cloud service provider went out of Internet access.  Much data is moved business like the case of Megaupload by 10 between on-premise law enforcement agencies in 2012 . As a The treat landscapeequipment changes anddrastically cloud result, files and content uploaded to after migrating to thedata cloud. centers, Since making the IT it Megaupload were not retrievable. The consequential impact can be devastating systems are now Internetvulnerable facing, to outside the IT that these business records are no longer systems can be constantlyhacking. subject to probing and attack attempts even sitting retrievable. behind firewall protection at cloud  The virtualization environment. Universities should therefore well software—the prepare for contingency arrangement in hypervisor—is itself a case of service disruption, a backup copy Exit Strategypotential Planning target for a of their critical records should be kept. cyber attack. Universities should review the readiness Recently there are companies deciding of their IT security Useroperations access to to address security to move their outsourced IT operations areas of vulnerability management and log files within multi- patch management, after migrating IT tenant public clouds Service Outage Handling services to the cloud. back to in-house environment11. Theremay have be beeninconvenient reported or impossible. occurrences of service Likewise, Universities may get frustrated outages by public cloud with the quality and service levels of a service providers. On 8 particular cloud service provider. Hence, August 26, a hardware Universities should define an exit failure at Amazon’s US East strategy how to terminate the cloud data center led to spiraling problems service. If this exit plan is indeed affecting online services including executed, Universities should know how to move to another cloud service planned to be migrated to the cloud. provider or take back the IT services in Whenever possible, Universities should house. Some cloud service providers request regular service level reports may implement technological “lock-in” from the cloud service provider and mechanism making migration out of regularly review to ensure the their platform difficult. Therefore, satisfaction of SLA meet. Universities should ensure the IT services will not Cloudbe “locked-in” Honeypots making12 Cloud Administration Plan the exit strategy more difficult or even impossible for execution. Honeypots allow Depending on the cloud service delivery researchers to: model for the migrated IT services, the If Universities need Compliance and SLAs extent of administrating IT services over to meet certain the cloud can be very different. For regulatory compliance Collect which new requiresand instance, SaaS does not allow on-site audit for attestation,emerging migrating malware IT Universities manage nor control the services to the cloud Identify can be thechallenging. source of underlying cloud infrastructure First of all, global cloudthe serviceattacks providers including network, services, operating typically will not allow any University or  Determine attack system and storage. The administrative assigned third party auditing firm to vectors tasks will be more or less related to user conduct on-site compliance audit. Even if  Build a profile of the account management, credential the providers can present relevant target industry if using management and application certifications such as SSAE 16 SOC-1, specific industry configuration settings. ISO/IEC 27001, PCI-DSS or CSA STAR, domains On the other hand, PaaS and IaaS require this may put Universities at risk without more management and control. the ability to attest that required Cloud Forensics controls have been13 effectively implemented in theOverview cloud. :

Secondly, ServiceThe riseWhat of cloudto Look For in a Cloud Service? Level AgreementcomputingAccording is to pushing Cloud Computing for Dummies (SLA) monitoringdigital of Cloud forensics Elasticity into a cloud servicenew horizon.The cloud Manyservice provider of choice should be able to provider is anotherexistingallocate challenges any amount are of resources depending on the aspect thatexacerbateddemand atin thethe time.Cloud, In other words, the user’s cloud Universities should should grow and shrink depending on what the company includingneeds jurisdictionalat the moment. take intoissue and the lack of consideration. internationalStandardized Interfaces While most cloud collaboration,All applications while shouldthe be written in the same service providers programming language so they can communicate with Clou will only providenew environmenteach other and provide also a seamless experience. d Forensic Three-Dimensional Model15 standard set of SLAbrings unique opportunitiesFast Implementation for without any Once decided on which cloud to use, the cloud service customization foundationalprovider shouldstandards be able to provide all the storage, option, Universitiesand policies.power, software Cloud and any other resource asked for in a For PaaS, should be prudentcomputingfast manner. is a new Universities to select a cloudbattlefieldBilling of as cyber you go crime, have complete service provideras wellUsers as shoulda new be ground able to pay only what is consumed. control over the with a SLAfor novel investigative deployed commensurable approaches. Cloud applications. For with the importanceforensics of its is a IT new services area of IaaS, Universities need to manage the research, much has to be done and this paper merely signposts the way forward. operating systems, storage, network be able to investigate network components and applications, and components controlled by the cloud therefore need to determine the suitable service provider. For PaaS and SaaS, mode of cloud administration for its IT Universities will have to heavily reply on services running on PaaS or IaaS. cloud service provider to provide forensics support and analysis14. Regardless of using SaaS, PaaS or IaaS, Universities will have to arrange for Despite the fact that there may not be a relevant training to ensure the assigned straight forward way to handle incident staff are capable and proficient in response and forensics support for IT performing cloud administrative tasks. services migrated to the cloud, Universities should look into these matters before migration and discuss If Universities these issues with the cloud service Cloud Incident Support already have provider to plan together ahead of time. incident response Otherwise, it will be too late if an IT process developed to cater for IT security incident occurs and the affected security incidents, the same set of Universities only realizes that References process should be applied to cover IT insufficient logging information can be services migrated to the cloud platform. retrieved in the cloud. 1. “The NIST Definition of Cloud Computing – NIST 800-145” 1 September 2011. PDF. 30 Sept 2014 2. “What are service models inHaving Cloud Computing?” said that, Web. incident 30 Sept response 2014 3. “Cloud Migrations: Don't Forgetheavily About relies The on Data” detection Web. 30and Sept analysis 2014 4. “The Ordinance at a Glance”of 2012 logging Web. information. 30 Sept 2014 The challenge for 5. “Google Terms of Service” 14cloud April 2014. platform Web. 30 is Sept that 2014 logging 6. “Cloud Computing Demandsinformation Cloud Data may Encryption” not be fully 13 Mayavailable 2014. by Web. 30 Sept 2014 7. “Common Causes of Googlethe Drive public Data Loss” cloud Web. service 30 Sept 2014 provider. 8. “Google Drive suffering fromDepending service outage” on the 18 cloud March service 2013. delivery Web. 30 Sept 2014 9. “Achieving Cyber Security Readinessmodel, the Within responsibility an Evolving ofThreat keeping Landscape” February 2013. PDF. 30 Sept 2014 10. “Megaupload file-sharing sitelogging shut down”information 20 January may be 2012. by the Web. cloud 30 Sept 2014 11. “Will IT Outsourcing Reverse?”service 29 providerJanuary 2013. (for SaaS), Web; jointly“Georgia’s by the CIO Gets IT Outsourcing Deal Back on Track” 19 July 2013. Web. 30 Sept 2014 University and public cloud service 12. “Alert Logic Cloud Securityprovider Report – Spring (for PaaS), 2014” or2014. solely PDF. by30 Sept the 2014 13. “CSA Security Guidance for Critical Areas of Focus in Cloud Computing v3.0, page 99” 2011. PDF. 16 Oct 2014 14. “ResearchGate – Cloud Forensics: An Overview by Keyun Ruan” 28 February 2011. PDF. 30 Sept 2014

Copyright Statement

All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. W A single copy of the materials available throughhere this is cloud document forensic? may 13be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether orUniversity not for a charge (for IaaS). or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below: Forensics support will certainly pose challenges after migrating IT services to [email protected] the cloud. Universities can execute Joint Universities Computer Centre Limited (JUCC) forensics investigations of their own c/o Information Technology Services The University of Hong Kong virtual instances under IaaS, but will not Pokfulam Road, Hong Kong