Upload: sto-strategy

Post on 18-Dec-2014


Page 1: AWS Security Challenges

Page 50, http://pentestmag.com, 10/2012(10)


Cloud computing has been one of the top security topics for the last several years, for enterprise IT departments as well as other businesses. Cloud computing offers unlimited storage and other resources with flexibility. The basic idea of the cloud is centralized IT services: on-demand services, network access, rapid elasticity, scalability and resource pooling. There are three known service models: SaaS, PaaS and IaaS. Each of them can be deployed as a Private, Community, Public or Hybrid Cloud. Some security questions about clouds are: how is it implemented, how are data and communication channels secured, how secure are the cloud and application environments, and so on. The cloud simply uses well-known protocols like SMTP, HTTP, SSL, TCP/IP, etc. to communicate, send email, handle files and perform other activity. Methods that are compliant with the relevant RFCs should be taken as OK. Standards like the ISO 27001 series still provide a measure of information security, but only as a minimum set of controls. Third-party organizations like the Cloud Security Alliance (CSA) promote their best practices for cloud security and maintain a registry of cloud vendors' security controls to help users make the right choice.

Cloud security vendors claim that end-user companies sometimes prefer cost reduction over increased security in order to reduce the operational complexity of their cloud. This eventually ends with a lower amount of cloud security than the end user would accept. For example, as VM instances are often visible, you should configure the server or firewall "somehow" to protect this flow. Another example says that the term "physical security" no longer exists since the cloud arrived. Nevertheless, it was the same when hosting services arrived. Even new technology is only another way to perform well-known actions; the customer must improve on the default configuration to face cyber-attacks, and will eventually succeed. Phishing or SQL injection is not a real concern, because they have existed for a long time and patches have been made available. If the virtual OS is a Windows Server or an Ubuntu server, then the OS has the same security and patch management state as a desktop/server OS. The virtual server can easily be updated and patched, or even reconfigured. This is acceptable, except in the situation where the cloud vendor notifies you that a patch or update cannot be applied. In addition, it is more a matter of trust than when you download or buy on disk. Eventually, they offer a solution, e.g. buying and selling a suitable security solution (a third-party solution should be more trustworthy than the cloud vendor, oh really?).

AWS Cloud Security from the Point of View of Compliance

Clouds are finding increased use in core enterprise systems, which means auditing is the cornerstone expectation. Cloud vendors announce new cloud services, offer new security solutions and refer to global security standards, among which the requirements look quite similar. This is a series of articles about AWS cloud security from the point of view of compliance, to highlight the technical requirements of the top worldwide and Russian security standards for key AWS services, and to describe how to technically prepare for an audit and configure AWS services.


Note that logs should be analyzed from time to time, you should use an IDS, and you can find popular software to protect network ports, but such software often cannot be applied to this case. Some believe that if a classic network object like a server is physically near the company, then it is more secure than a virtual one, but that is not true. A significant example is thinking about the cloud like a home/work PC connected to the Internet, directly or via a router. When you need to protect this PC you do not ask why the DNS gateways are public, whether they are trusted, and so on. You can keep your hosts file as a DNS; several clouds provide the end user with the same feature, not through the hosts file but through their own DNS routing service.

General Cloud and Security Points

Security in the cloud is just like traditional security: network security, authentication, authorization, auditing, and identity management. This is not anything new or revolutionary.

There are several points about security that are often discussed:

• Perimeter network role and location:
  • Location (city/country): where is the data located/stored in the cloud?
  • What is the compliance with standards and country regulations?
  • What type of firewall (guest, mandatory, VPN, other) is used?
• Identity and Access Management:
  • What is the authentication/authorization and role-based access control?
  • What privileged users exist, or what user access is there for the cloud services?
  • Are there different access types per user, application and role?
• Data Privacy:
  • How is data separated from other cloud users?
  • What type of encryption is used?
• Logging and Auditing
• Endpoint protection and client security
• Misuse, as was shown at the BlackHat Conference, like breaking into a Wi-Fi network or password brute-forcing

Virtualization refers primarily to the hypervisor, while a virtual machine works with a configured snapshot of an OS image and usually includes virtual disk storage. As all virtual machines require memory, storage or network, a hypervisor supports these virtual machines and presents the hardware pool they can work with. Hypervisors isolate the memory and computing resources and allow performing actions without affecting other instances. There are security issues when you are using virtualization in the cloud, no doubt. Each OS running in a virtual environment should be patched and monitored like any non-virtual OS. You may use a gateway device that provides the applicable security configuration to the devices connected to it. You still have to use host-based firewalls and IDS to capture, stop and filter non-allowed activity from applications and network attacks, to disable or enable communication between other virtual machines, or to extend the logging system.

Like a classic datacentre, where you have to maintain stability and security by constant monitoring, alerting and reporting on what the customers are doing with the resources, which geographic locations they are coming from and how many users connect at certain times of the day, the cloud infrastructure should also report misuse or other out-of-policy activity taking place. Auditing needs to log and report on all activities taking place in the cloud (elastic computing, storage, VPN, etc.). It really simplifies the increasing complexity of the clouds. Sometimes a security design failure, a single poorly secured service that can easily be compromised, leads to the risk of valuable data being stolen or of the services being made unavailable by DDoS or other interruptions.

The access solution known as IAM is an important method to authenticate connections and authorize use of the cloud resources. Your IT policy should take into account the broad range of access rights, because access is often divided into access for all, access for the owner, and somewhere in between. Not all clients should have the right to access all data, but staff rights need to be set up so that everyone who is responsible is approved, similar to role-based access in traditional offices, where the end users can have access to the services, and sometimes the controls, while administrators have access to the controls and manage the functionality and performance of the workloads.

In the cloud, you will need to think about how you handle inbound connections to the resources required by any services, hosting and client devices, and how they will connect. DMZs and firewalls are a good solution, but they belong to different security zones, to prevent access to the whole cloud services by attacking the gateway. The common network IDS does not necessarily work as well here; it might not work even as it does on a classic network. But it may work to monitor suspicious traffic between virtual machines if the IDS allows a network gate, or traffic to be moved through a VPN to/from your corporate network where the IDS exists. Another point is performance, which may lead to resource allocation problems and open the service to DoS/DDoS attacks. Another filtering method for limiting traffic is firewalling by physical location, which isolates different security zones. Network traffic between virtual machines should be encrypted to protect data while in transit.

Of course, the hypervisor has access to all guest OSes, and if it is compromised itself, it will have a broad impact on network isolation, but the probability of that is low since all hypervisors are very custom. The cloud infrastructure administrator will need to depend on new tools that are cloud-aware, and may not be defined by the current IT department.

Another security issue deals with the (de-)allocation of resources. If data was written to the storage and not wiped before reallocation, or the instance crashed before reallocation, then there is a data leakage problem on the HDD. It means the IT department needs to rely on the reallocation feature and perform clean-up operations instead of relying on the cloud service. It may need special DoD wiping tools to be run manually, or processes that run until the OS terminates them. This may increase operational expenses. In other words, no sensitive information should be stored in plain text. Using whole-volume encryption will protect the physical storage, prevent access to a virtual environment, and finally reduce the risk of exposure. Also, applications may encrypt data in storage, data in RAM, and data during processing to make it more difficult for someone to gain access to it.

Security Overview: Windows Azure vs. Amazon Web Services

These two platforms differ by the decision made in each vendor's vision of how end users should access their cloud services. Windows Azure makes data spreading the cornerstone, via neither storage nor web server. AWS makes many services more accessible that are important when merging into the cloud. These different goals have a huge influence not only on the IT policy but also on the API. Both AWS and Azure services were built in accordance with security best practices, and the security features are well documented to make it clear how to use them to design strong protection. Below I examine the security features offered by each vendor:

Compliance

Azure
Microsoft complies with data protection and privacy laws, but only customers are responsible for determining whether Windows Azure complies with the laws and regulations of their country. For example, the ISO scope for Azure covers cloud services (web and VM), storage, and networking.

AWS
AWS offers compliance with FISMA to allow the government and federal agencies to implement AWS solutions and security configurations in their security systems. In addition, VPC (Virtual Private Cloud), GovCloud and the SSL mechanism sustain FIPS 140-2. AWS has validated its physical infrastructure and services like EC2, S3, EBS, VPC, RDS and IAM at PCI DSS Level 1, which allows end customers to store, process and transmit credit card information with proper security. EC2, S3 and VPC, as well as AWS datacentres, are covered by the global security standard ISO 27001 too.

Physical Security

Azure
Azure is designed to be available 24x7; its datacentres are managed, monitored and administered by Microsoft and, of course, compliant with applicable industry standards for physical security. Azure staff are limited in the number of operations they can perform, and must regularly change access passwords (if performed by administrators). All administrative actions are audited to determine the history of changes. Finally, you can find out which services are affected through the Health Dashboard (https://www.windowsazure.com/ru-ru/support/service-dashboard/).

AWS
AWS datacentres are located throughout the world (US, EU and Asia) and are available 24x7x365. The actual location is known only to those who have a legitimate business need. Amazon datacentres are secured to prevent unauthorized access; access tickets are immediately destroyed when someone leaves the company or when they continue to be an Amazon employee but are promoted to another position.

A standard employee, or a third-party contractor, has a minimum set of privileges and can be disabled by the hiring manager. All types of access to any resource are logged, as well as changes to them, and must be explicitly approved in Amazon's proprietary permission management system. All changes lead to revocation of previous access, because approval is explicit per resource type. Every access grant is revoked 90 days after it was approved, too. Access to services, resources and devices relies on user IDs, passwords and Kerberos. In addition, Amazon mentions expiration intervals for passwords.

"Physical access is logged and audited and is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means." Staff use two-factor authentication, while third-party contractors escorted by authorized staff have to present signed IDs.

Also, Amazon describes important things like fire detection, power and climate control, mentioning UPS to keep services functional 24 hours per day, while Microsoft just says that it does. Finally, you can find out which services are affected through the AWS Service Health Dashboard (http://status.aws.amazon.com/).

Data Privacy

Azure
Azure runs in multiple datacentres around the world and offers the customer deployable redundancy and backup features.

AWS
AWS offers data encryption, backup and redundancy features. For example, services that store data in S3 and EBS use redundancy in different physical locations but inside one Availability Zone, unless you set up backup services to duplicate data. This is how EBS works (not across multiple zones), while S3 provides durability across multiple Availability Zones. To extend and fix EBS redundancy, users are enabled to back up AMI images stored on EBS to S3. Object deletion executes an un-mapping process to prevent remote access. When a storage device has reached the end of its useful life, AWS initiates destruction procedures within DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"). AWS allows encryption of sensitive data and performing actions on it before uploading it to S3; additionally, no special permission is needed to use your own or commercial encryption tools.

Table 1. Cloud security features (+ = provided, N/A = not provided or not stated)

Type               Feature                                         AWS   Azure
Compliance         ISO 27001                                        +     +
                   PCI DSS                                          +     N/A
                   FISMA                                            +     N/A
                   NIST                                             +     N/A
                   CSA                                              +     N/A
                   FIPS 140-2                                       +     N/A
                   HIPAA                                            +     +
Physical Security  Actions and events logging                       +     +
                   Logs audit                                       +     +
                   Minimum access rights                            +     +
                   Auto revocation of access after N days           +     N/A
                   Auto revocation of access after role change      +     N/A
                   Two-factor authentication                        +     N/A
                   Escort                                           +     N/A
Data Privacy       Backup                                           +     +
                   Redundancy inside one GeoLocation                +     N/A
                   Redundancy across several GeoLocations           +     +
                   Encryption                                       +     N/A
                   DoD/NIST destruction                             +     N/A
Network Security   MITM protection                                  +     +
                   DDoS protection                                  +     N/A
                   Host-based firewall (IP, port, MAC)              +     +
                   Mandatory firewall                               +     +
                   Extended firewall (geo, date and time)           +     N/A
                   Hypervisor protection from promiscuous mode      +     +
                   Pentesting offer                                 +     +
Credentials        Login and passwords                              +     +
                   SSL                                              +     +
                   Cross-account IAM                                +     N/A
                   MFA hardware                                     +     N/A
                   MFA software                                     +     N/A
                   Key rotation                                     +     N/A

Network Security

Azure
Microsoft uses a variety of technologies to keep unauthorized traffic away from customers, through firewalls, NAT boxes (load balancers) and filtering routers. Azure relies on 128-bit TLS protection for communications inside datacentres and between end users and customer VMs. Filtering routers reject all non-allowed attempts, i.e. addresses and ports, which prevents attacks that use "drones" or "zombies" searching for vulnerable servers, the most popular way to break into a network.

Filtering routers also support configuring back-end services to be accessible only from their corresponding front ends. Firewalls restrict incoming and outgoing communication to known IP addresses, ports and protocols. Microsoft offers authorized penetration testing of customer applications hosted in Windows Azure if a request for it is submitted at least 7 days beforehand.

AWS
AWS enforces MITM protection by SSL-protected endpoints; for example, EC2 generates new SSH host certificates on first boot and logs them to the instance's console. EC2 instances are designed to be non-spoofable by a host-based firewall that restricts traffic with a source IP or MAC address other than the instance's own and blocks non-allowed traffic (by IP, port, geo location, date and time and more). Even if an instance is running in promiscuous mode, the hypervisor will not deliver any traffic to it that is not addressed to it, relying on explicit restrictions that protect from traffic capturing on the same physical host, in both EC2 and VPC. Unauthorized port scans are a violation of the AWS Acceptable Use Policy; however, customers are permitted to pentest their own AWS services, which should be agreed with AWS support beforehand (IP, port, date and time, login and contact). Violations may lead to revocation of AWS accounts after investigation by Amazon. Moreover, if there is illegal activity, AWS customers should inform AWS about it. In addition, AWS has a proprietary DDoS mitigation technique but does not describe any key features of it.

Credentials

Azure
Azure provides virtual machines to customers, giving them access to most of the same security options available in Windows Server. Customers use SSL client certificates to control updates to their software and configuration. Basic credentials like username and password are common within Azure resources.

AWS
IAM enables managing multiple users, their permissions, passwords and password policy under one AWS account or among several AWS accounts, as unique security credentials. New IAM users, as well as the entire IAM and EC2, have no access ("deny" access type) to any resources by default and deal with explicitly granted permissions only. AWS Multi-Factor Authentication adds security to the basic credentials by providing a six-digit single-use code. This code is usually generated by an authentication device or a similar application like Google Authenticator. It works very well for the AWS account or for user accounts within IAM. AWS offers key and certificate rotation on a regular basis to mitigate the risk from lost or compromised access keys or certificates. It is available for the AWS account or for user accounts within IAM too (Table 1).

How AWS Services Are Secured

Access and Credentials
Access to applications and services within the AWS cloud is protected in multiple ways and requires special credentials:

• Access Credentials:
  • Access Keys to manage REST or Query protocol requests to any AWS service API, and S3. The possible states are:
    • Active: can be used.
    • Inactive: cannot be used, but can be moved back to the Active state.
    • Deleted: can never be used again.
  • X.509 Certificates to manage SOAP protocol requests to AWS service APIs, except S3.
  • Key Pairs to manage CloudFront.

Figure 1. AWS Access Credentials I

Figure 2. AWS Access Credentials II


• Sign-In Credentials:
  • E-mail Address and Password to sign in to AWS web sites, the AWS Management Console, the AWS Discussion Forums, and the AWS Premium Support site.
  • AWS Multi-Factor Authentication Device as an optional credential that increases the security level for the AWS web site and the AWS Management Console.
• Account Identifiers:
  • AWS Account ID to manage all AWS service resources except Amazon S3; it looks like 8xxx-xxxx-xxx8.
  • Canonical User ID to manage Amazon S3 resources such as buckets or files only; it looks like a 64-byte string "7xbxxxxxxcdxcxbbxcxxxxxe08xxxxx44xxxaaxdx0xxbxxxxxeaxed8xxxbxd4x".

The purpose of the access keys is management of requests to the AWS product REST and Query APIs, or third-party products, with an Access Key ID; the Access Key ID is not a secret. EC2 is enabled to use access keys, usually known as an SSH key pair and/or X.509 certificates, to interact with the services. The secret/private part of the access key is used to retrieve an administrator password and for REST and Query APIs, while the X.509 certificate is used with command line operations and SOAP APIs, except S3, which is managed with access keys. When AWS receives a request, the Access Key ID is checked against its own Secret Access Key to validate the signature and confirm that the request sender is legitimate. Key rotation is manual at the current moment and looks like:

• Make a second active credential.
• Update applications and services with the new credential.
• Move the first credential to Inactive.
• Check that working with the new credential is OK.
• Delete the first credential.
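The signature check and the rotation steps above, as an added example that is not code from the article or from AWS: an in-memory model in which the service keeps Access Key IDs with their secrets and Active/Inactive/Deleted states and verifies an HMAC-SHA1 request signature by key ID lookup, plus a rotate() function that walks the five steps and falls back to the still-recoverable Inactive key if the check in step 4 fails. The KeyStore, rotate, install and string_to_sign names and the generated key values are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example, not code from the article or from AWS. It models the
# service-side key store (Access Key ID -> secret + Active/Inactive/Deleted
# state), the HMAC-SHA1 request signature checked by key ID lookup, and the
# manual rotation steps. Key values are generated locally; nothing here is
# a real AWS identifier.

ACTIVE, INACTIVE, DELETED = "Active", "Inactive", "Deleted"


def string_to_sign(method, content_md5, content_type, date, resource):
    """StringToSign layout of the legacy S3 REST (Signature V2) scheme."""
    return "\n".join([method, content_md5, content_type, date, resource])


def sign(secret_key, sts):
    """Base64(HMAC-SHA1(secret, StringToSign)); only this value and the
    Access Key ID travel in the Authorization header, never the secret."""
    mac = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


@dataclass
class KeyStore:
    """Service side: what the service consults when a signed request arrives."""
    keys: dict = field(default_factory=dict)   # key_id -> [secret, state]

    def create_key(self):
        key_id = "AKIA" + secrets.token_hex(8).upper()        # constructed ID
        secret = base64.b64encode(secrets.token_bytes(30)).decode()
        self.keys[key_id] = [secret, ACTIVE]
        return key_id, secret

    def set_state(self, key_id, state):
        # Deleted is terminal; Inactive can go back to Active.
        if self.keys[key_id][1] == DELETED:
            raise ValueError("a deleted key can never be used again")
        self.keys[key_id][1] = state

    def verify(self, key_id, sts, signature):
        """Look up the key ID, recompute the signature with the stored
        secret and compare in constant time. Inactive, deleted and unknown
        keys are rejected before any comparison."""
        entry = self.keys.get(key_id)
        if entry is None or entry[1] != ACTIVE:
            return False
        return hmac.compare_digest(sign(entry[0], sts), signature)


def install(app, key_id, secret):
    """A deploy step that correctly updates the consumer's configuration."""
    app["key_id"], app["secret"] = key_id, secret


def rotate(store, app, probe_sts, deploy=install):
    """The five manual rotation steps from the article. `deploy` installs the
    new credential in the consumer; step 4 has the consumer sign a probe
    request and checks it service-side, and rolls back if that fails (the
    old key is only Inactive at that point, so it can still be reactivated)."""
    old_id, old_secret = app["key_id"], app["secret"]
    new_id, new_secret = store.create_key()          # 1. second active credential
    deploy(app, new_id, new_secret)                  # 2. update the consumer
    store.set_state(old_id, INACTIVE)                # 3. first credential -> Inactive
    probe_sig = sign(app["secret"], probe_sts)       # 4. does the consumer still work?
    if not store.verify(app["key_id"], probe_sts, probe_sig):
        store.set_state(old_id, ACTIVE)              #    roll back: Inactive -> Active
        app["key_id"], app["secret"] = old_id, old_secret
        store.set_state(new_id, DELETED)
        return False
    store.set_state(old_id, DELETED)                 # 5. delete the first credential
    return True
```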

To add an extra layer of security, use the AWS MFA feature, which provides a six-digit, single-use code in addition to the email and password. All details, activation of hardware or software MFA and more are at http://aws.amazon.com/mfa (Figure 1 and Figure 2, Table 2).

Additionally, AWS offers the so-called Identity and Access Management, which easily integrates with almost all AWS services, e.g. EC2, S3 and more. IAM provides the following:

• Create users and groups under your organization's AWS account
• Easily share your AWS account resources between the users in the account
• Assign unique security credentials to each user
• Granular control of each user's access to services and resources

Table 2. Resource credentials

Resource | Access type
REST or Query API request to an AWS service API, or S3 | Access Keys
SOAP API request to an AWS service API | X.509 Certificates (except for Amazon S3)
Access to the secure pages or AWS Management Console | Amazon E-mail Address and Password, with optional AWS Multi-Factor Authentication
Manage EC2 with the command line tools | Your X.509 Certificates
Launch or connect to an EC2 instance | Your Amazon EC2 Key Pairs
Bundle an Amazon EC2 AMI | For Linux/UNIX AMIs: your X.509 Certificates and AWS Account ID to bundle the AMI, and your Access Keys to upload it to Amazon S3. For Windows AMIs: your Access Keys for both bundling and uploading the AMI.
Share an EC2 AMI or EBS snapshot | The AWS Account ID of the account you want to share with (without the hyphens)
Send email by using the Amazon SES SMTP endpoint | Your Amazon SES SMTP user name and password
Access to the AWS Discussion Forums or AWS Premium Support site | Your Amazon E-mail Address and Password


Virtual Instances (Amazon Elastic Compute Cloud)

EC2 is a web service that provides resizable compute capacity in the cloud, allows paying for capacity only and supports OSes like Windows Server, Red Hat, OpenSUSE Linux and more. EC2 allows setting up everything according to the OS. Moreover, you are enabled to export preconfigured OSes from VMware, through the AWS console commands, the AWS API or the special VMware Connector. It helps to leverage configuration management or compliance requirements. VM import/export is available for use in all Amazon EC2 regions, and even with VPC.

The final goal is protection from interception and unauthorized actions, and EC2 security is designed to protect against several attack vectors.

• Host OS protection usually includes event logging, multi-factor authentication and regular access revocation (this case is talking about AWS, which manages the host OS set).
• Guest OS protection usually includes a native firewall (Windows Firewall, iptables, etc.), basic credentials such as login/email and password, as well as extended multi-factor authentication based on SSH version 2 access, with EC2 keys that should be unique per virtual instance.
• Firewall protection includes a pre-configured mandatory inbound firewall in a default deny-all mode that allows the following restrictions:
  • by protocol
  • by service port
  • by source IP address
• This firewall is not controlled through the guest OS; an X.509 certificate and key are required to authorize changes. Additionally, customers may use a guest OS firewall to filter inbound and outbound traffic.

Table 3. Requirements of the Russian Federal Law about Personal Data

Requirement | AWS solution

Access management:
• Users require using an alphanumeric password at least six characters long and a special code in addition. | Native AWS solution implemented in IAM, with MFA in addition.
• All devices (incl. external), instances and network nodes require identification by logical name. | Canonical name developed for users and resources and enabled mainly through IAM; EC2 identifies by tags.

Access event logging:
• Login and logout events; date and time of login and logout events; credentials used to log in. | Not yet released for IAM; comes from the EC2 OS solution (Windows, *nix).
• Access to file events; date and time of access to file events; user ID/equivalent used to access the file. | Not yet released for IAM; comes from the EC2 OS solution (Windows, *nix). Native solution implemented in S3 that provides the canonical user ID and IP address that accessed the file, date and time, and more.
• Allocated drive wiping. | Native AWS solution on un-mapping, termination, etc.

Integrity:
• Physical security, access control management, restriction of employees or third-party contractors. | AWS solution described above under physical security, and compliance on physical security.
• Backup and restore for the protection solution. | Depends on the design; generally an AMI image stored on EBS and backed up into S3.

Additional:
• Network packet filtering by date and time; by IP address; by date and time; by protocol. | Native solution implemented in the EC2 mandatory firewall, which includes IP, port and protocol; additional solutions of the EC2 OS (Windows and *nix); additional IAM solution for the resources enabling geo filtering and date and time filtering.


• API calls signed by X.509 certificates are a kind of protection that helps Xen keep the different instances isolated from each other.
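The instance-level controls in the list above (a mandatory inbound firewall in default deny-all mode with allow rules by protocol, service port and source IP, egress anti-spoofing of the source IP/MAC, and the hypervisor not handing a neighbour's traffic to a guest in promiscuous mode) as an added model in Python; it is not code from the article or from AWS, and the Packet, AllowRule, Instance and Hypervisor classes and the sample addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not the article's or AWS's code: a model of the EC2
# instance-level controls described in the text. Names, rules and
# addresses are constructed for this example.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    proto: str      # "tcp", "udp" or "icmp"
    dst_port: int   # ignored for icmp


@dataclass(frozen=True)
class AllowRule:
    """One allow rule of the mandatory inbound firewall: protocol, service
    port range and source CIDR. There is no deny rule type; the default is deny."""
    proto: str
    port_from: int
    port_to: int
    source_cidr: str

    def matches(self, pkt):
        if pkt.proto != self.proto:
            return False
        if self.proto != "icmp" and not (self.port_from <= pkt.dst_port <= self.port_to):
            return False
        return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.source_cidr)


class Instance:
    """A guest with its own IP/MAC, its inbound allow rules, and a flag for
    whether the guest has put its interface into promiscuous mode."""

    def __init__(self, ip, mac, rules=(), promiscuous=False):
        self.ip, self.mac = ip, mac
        self.rules = list(rules)
        self.promiscuous = promiscuous

    def inbound_allowed(self, pkt):
        # Default deny-all: only an explicit allow rule lets traffic in.
        return any(rule.matches(pkt) for rule in self.rules)

    def outbound_allowed(self, pkt):
        # Anti-spoofing: a guest may only send with its own source IP and MAC.
        return pkt.src_ip == self.ip and pkt.src_mac == self.mac


class Hypervisor:
    """Delivers a frame only to the guest whose MAC it is addressed to. The
    promiscuous flag of other guests is deliberately never consulted, so a
    sniffing neighbour on the same host receives nothing."""

    def __init__(self, instances):
        self.by_mac = {inst.mac: inst for inst in instances}

    def deliver(self, pkt):
        """Returns the IPs of the guests that receive the packet (0 or 1)."""
        target = self.by_mac.get(pkt.dst_mac)
        if target is None or not target.inbound_allowed(pkt):
            return []
        return [target.ip]


def forward(hv, sender, pkt):
    """Full path: egress anti-spoofing check on the sender, then delivery
    subject to the receiver's default-deny inbound firewall."""
    if not sender.outbound_allowed(pkt):
        return []
    return hv.deliver(pkt)
```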

Moreover, EC2 is designed to prevent mass spam distribution by limiting email sending. Any request for mass email is made through the form at https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request. The main concept of cloud security is visibility through the guest OS firewall, the mandatory firewall and geo availability (regions and Availability Zones), because each such zone is managed with physically independent infrastructure. Different areas of the world, i.e. USA or EU, are known as regions, inside of which there are several physically independent zones. Each zone is isolated from failures in the others; some AWS services are allowed to move data between zones to keep away from failure, some are not, but moving across regions is manual only.

Table 4. Requirements of the CSA CAI Questionnaire

Requirement | AWS solution

Data Governance:
• Do you provide a capability to identify virtual machines via policy tags/metadata (ex. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)? | AWS provides the ability to tag EC2 resources. A form of metadata, EC2 tags can be used to create user-friendly names.
• Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (ex. TXT/TPM, VN-Tag, etc.)? | (not answered separately)
• Do you have a capability to use system geographic location as an authentication factor? | Native solution implemented in the EC2 mandatory firewall, which includes IP, port and protocol; additional solutions of the EC2 OS (Windows and *nix); additional IAM solution for the resources enabling geo filtering and date and time filtering.
• Can you provide the physical location/geography of storage of a tenant's data upon request? | AWS currently offers six regions in which customer data and servers will be located, as designated by customers: US East (Northern Virginia), US West (Northern California and Oregon), GovCloud (US) (Oregon), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore) and Asia Pacific (Tokyo).
• Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation? | (not answered separately)
• Do you support secure deletion (ex. degaussing / cryptographic wiping) of archived data as determined by the tenant? | Native AWS solution on un-mapping, termination, etc., as well as DoD 5220.22-M / NIST 800-88 to destroy data, discussed above.

Facility Security:
• Are physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) implemented? | Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means; compliance with AWS SOC 1 Type 2 and the ISO 27001 standard, Annex A, domain 9.1.

Information Security:
• Do you encrypt tenant data at rest (on disk/storage) within your environment? | Encryption mechanisms for almost all of the services, including S3, EBS, SimpleDB and EC2 and VPC sessions, as well as Amazon S3 Server Side Encryption.
• Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? | (not answered separately)

Virtual Storage (Amazon Simple Storage Service and Elastic Block Store volume)

S3 is simple storage for the Internet with several interfaces (for example, web service and API calls) to store and retrieve data from anywhere. EBS provides so-called block-level storage; in other words, it is equivalent to physical and logical hard disks. Multiple volumes can be attached to an instance, while the same volume cannot be attached to different instances. EBS provides a backup feature through S3. S3 is "unlimited" storage, while customers size EBS themselves. S3 APIs provide both bucket- and object-level access controls, with defaults that only permit authenticated access by the bucket and/or object creator. As opposed to EC2, where all activity is restricted by default, S3 starts open for all access under the current AWS account only, which means all buckets and other folders and files should be controlled by IAM and the canonical user ID, which finally authenticates with an HMAC-SHA1 signature of the request using the user's private key. S3 provides Read, List and Write permissions in its own ACL at the bucket level or in the IAM permissions list; these are independent and supplement each other. S3 provides file versioning as a kind of protection to restore any version of every object in the bucket. Additionally, the "S3 versioning's MFA Delete" feature will request typing the six-digit code and the serial number from the MFA device. Also, a valuable feature for audit and forensics cases is logging of S3 events, which can be configured per bucket on initialization. These logs will contain information about each access request and include

• request type,
• the requested resource,
• the requestor's IP,
• the time and date of the request.
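The two mechanisms just described, request signing with an HMAC-SHA1 over the request using the secret key, and per-bucket access logging, as an added worked example. This is not code from the article or from AWS: the access key ID, secret key and log lines are constructed placeholders, and the log lines follow the documented S3 server access log layout so that the four audit fields listed above can be pulled out and reviewed. It goes slightly beyond the text by also folding an x-amz server-side-encryption header into the signed string, which is how the S3 Server Side Encryption mentioned in the table excerpt above is requested.

```python
import base64
import hashlib
import hmac
import re
from datetime import datetime

# Part 1: AWS signature version 2 for S3, i.e. HMAC-SHA1 over a canonical string
# of the request, keyed with the user's secret access key. Both key values passed
# to this function in the test/usage below are constructed placeholders.
def sign_s3_request_v2(access_key_id, secret_key, method, canonical_resource,
                       date_header, content_md5="", content_type="", amz_headers=None):
    """Return the Authorization header value ("AWS <id>:<base64 hmac-sha1>")."""
    # x-amz-* headers are lower-cased, sorted and folded into the string to sign,
    # so they cannot be stripped or altered in transit without breaking the signature.
    amz = ""
    for name in sorted((amz_headers or {}), key=str.lower):
        amz += f"{name.lower()}:{amz_headers[name].strip()}\n"
    string_to_sign = (f"{method}\n{content_md5}\n{content_type}\n{date_header}\n"
                      f"{amz}{canonical_resource}")
    digest = hmac.new(secret_key.encode("utf-8"), string_to_sign.encode("utf-8"),
                      hashlib.sha1).digest()
    return f"AWS {access_key_id}:{base64.b64encode(digest).decode('ascii')}"


# Part 2: constructed sample lines in the S3 server access log layout:
# owner bucket [time] remote-ip requester request-id operation key "request-uri"
# status error bytes-sent object-size total-time turnaround "referrer" "agent" version-id
SAMPLE_LOG = """\
OWNERCANONICALID-EXAMPLE examplebucket [18/Oct/2012:09:15:01 +0000] 192.0.2.10 USERCANONICALID-EXAMPLE 3E57427F3EXAMPLE REST.PUT.OBJECT reports/q3.pdf "PUT /examplebucket/reports/q3.pdf HTTP/1.1" 200 - - 48213 25 10 "-" "aws-cli/1.0" -
OWNERCANONICALID-EXAMPLE examplebucket [18/Oct/2012:09:16:44 +0000] 198.51.100.7 - 7A3F1C0BEXAMPLE REST.GET.OBJECT reports/q3.pdf "GET /examplebucket/reports/q3.pdf HTTP/1.1" 403 AccessDenied 243 48213 3 - "-" "Mozilla/5.0" -
OWNERCANONICALID-EXAMPLE examplebucket [18/Oct/2012:09:20:05 +0000] 192.0.2.10 USERCANONICALID-EXAMPLE 91D2E4A6EXAMPLE REST.DELETE.OBJECT reports/q3.pdf "DELETE /examplebucket/reports/q3.pdf?versionId=3HL4kqtJlcpXroDTDmJ HTTP/1.1" 204 - - - 12 - "-" "aws-cli/1.0" 3HL4kqtJlcpXroDTDmJ
"""

# One token per field: a bracketed timestamp, a quoted string, or a run of non-space.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_s3_access_log_line(line):
    """Extract the audit fields the article lists (request type, resource,
    requestor IP, time) plus the requester and HTTP status for triage."""
    fields = _TOKEN.findall(line)
    if len(fields) < 17:
        raise ValueError("not an S3 server access log line")
    timestamp = datetime.strptime(fields[2].strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
    key = fields[7]
    return {
        "request_type": fields[6],
        "resource": f"{fields[1]}/{key}" if key != "-" else fields[1],
        "requester_ip": fields[3],
        "time": timestamp,
        "requester": fields[4],   # "-" means an anonymous (unsigned) request
        "status": int(fields[9]),
        "error": fields[10],
    }


def parse_s3_access_log(text):
    return [parse_s3_access_log_line(l) for l in text.splitlines() if l.strip()]


def audit_findings(entries):
    """Flag what an auditor or forensic reviewer would look at first:
    anonymous access attempts, denied requests and deletions."""
    findings = []
    for e in entries:
        if e["requester"] == "-":
            findings.append(("anonymous-request", e))
        if e["status"] == 403:
            findings.append(("access-denied", e))
        if e["request_type"].startswith("REST.DELETE."):
            findings.append(("delete", e))
    return findings


if __name__ == "__main__":
    for kind, entry in audit_findings(parse_s3_access_log(SAMPLE_LOG)):
        print(kind, entry["time"].isoformat(), entry["requester_ip"],
              entry["request_type"], entry["resource"])
```

Because the timestamp, source IP, operation and key are all in the log, the anonymous denied GET and the versioned DELETE in the sample stand out immediately; combined with versioning and MFA Delete, the deleted object in the third line is recoverable and the deletion itself is attributable.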

EBS access restriction looks similar to S3: resources are accessible under the current AWS account only, and to those users granted access with AWS IAM (this may span AWS accounts as well, if explicitly allowed). Snapshots backed up to S3 and shared enable indirect access (read permission only, not alteration, deletion or other modification) to the EBS data. There is an interesting point suitable for forensics: a snapshot stored on S3 keeps all data deleted from the EBS volume, as long as the blocks were not altered or DoD-wiped. Talking about secure wiping, AWS provides a "destroying" data feature via a specific method, such as those detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization"); AWS performs these actions for S3 and EBS. In case it is impossible to wipe data at the end of a storage disk's lifetime, the disk is physically destroyed.
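Since a shared snapshot grants read access to everything the volume ever held, including deleted blocks, the check a defender wants is "which of my snapshots can be read from outside my account?". The following is an added example, not the article's or AWS's code: it classifies the createVolumePermission attribute of a snapshot in the shape returned by the EC2 DescribeSnapshotAttribute call, using constructed responses instead of a live API call.

```python
# Added example (not from the article). Classifies EBS snapshot sharing from the
# createVolumePermission attribute. The snapshot IDs, account IDs and responses
# below are constructed samples; no AWS API is called.

# The group name EC2 uses to mean "any AWS account may create a volume from it".
PUBLIC_GROUP = "all"


def classify_snapshot_sharing(attr, own_account_id):
    """Return (level, account_ids): level is 'public', 'cross-account' or 'private'."""
    perms = attr.get("CreateVolumePermissions", [])
    user_ids = sorted({p["UserId"] for p in perms if "UserId" in p})
    if any(p.get("Group") == PUBLIC_GROUP for p in perms):
        # Public sharing dominates any account-level entries.
        return "public", user_ids
    others = [uid for uid in user_ids if uid != own_account_id]
    if others:
        return "cross-account", others
    return "private", []


def review_snapshots(responses, own_account_id):
    """Audit findings for every snapshot readable outside the owning account."""
    findings = []
    for resp in responses:
        level, accounts = classify_snapshot_sharing(resp, own_account_id)
        if level != "private":
            findings.append({"snapshot_id": resp["SnapshotId"],
                             "level": level, "accounts": accounts})
    return findings


# Constructed responses in the DescribeSnapshotAttribute layout.
OWN_ACCOUNT = "111111111111"
SAMPLE_RESPONSES = [
    {"SnapshotId": "snap-0000000000example1", "CreateVolumePermissions": []},
    {"SnapshotId": "snap-0000000000example2",
     "CreateVolumePermissions": [{"UserId": "222222222222"}]},
    {"SnapshotId": "snap-0000000000example3",
     "CreateVolumePermissions": [{"Group": "all"}]},
]

if __name__ == "__main__":
    for f in review_snapshots(SAMPLE_RESPONSES, OWN_ACCOUNT):
        print(f["snapshot_id"], f["level"], ",".join(f["accounts"]) or "-")
```

In a real review the responses come from `describe_snapshot_attribute(SnapshotId=..., Attribute="createVolumePermission")` for each snapshot the account owns; a "public" finding means the deleted-but-unwiped data the article mentions is readable by anyone, and "cross-account" findings should match an explicit, documented sharing decision.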

On the Net
• http://www.windowsecurity.com/articles/Cloud-computing-can-we-trust-how-can-be-used-whilst-being-secure.html – Cloud computing, can we trust it and how can it be used whilst being secure, Ricky M. Magalhaes
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part1.html – Security Considerations for Cloud Computing (Part 1) – Virtualization Platform, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part2.html – Security Considerations for Cloud Computing (Part 2), Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part3.html – Security Considerations for Cloud Computing (Part 3) – Broad Network Access, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part4.html – Security Considerations for Cloud Computing (Part 4) – Resource Pooling, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part5.html – Security Considerations for Cloud Computing (Part 5) – Rapid Elasticity, Deb Shinder
• http://www.windowsecurity.com/articles/Security-Considerations-Cloud-Computing-Part6.html – Security Considerations for Cloud Computing (Part 6) – Metered Services, Deb Shinder
• https://www.windowsazure.com/en-us/support/legal/security-overview/ – Technical Overview of the Security Features in the Windows Azure Platform, April 2011
• http://www.baselinemag.com/c/a/Security/Securing-Data-in-the-Cloud/ – Securing Data in the Cloud, Eric Friedberg
• http://d36cz9buwru1tt.cloudfront.net/Whitepaper_Security_Best_Practices_2010.pdf – AWS Security Best Practices, January 2011
• http://d36cz9buwru1tt.cloudfront.net/pdf/AWS_Security_Whitepaper.pdf – Amazon Web Services: Overview of Security Processes, May 2011
• https://www.windowsazure.com/en-us/support/trust-center/compliance/ – Trust Center Home, Compliance
• http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

Gross Inspection on AWS Compliance from the customer side

As this is the first part of a series of articles, I briefly examine several standards and regulatory documents that refer to security and compliance; some of them are international and some are Russian. In further articles, I will provide a detailed examination of AWS services against the best-known documents, to explain and show whether cloud services (mainly AWS and Azure) are really so insecure, whether configuring them for compliance is really so complex, and whether compliance makes sense for end customers in terms of security. Some of the requirements, and some entire documents, to be discussed are deliberately used in their outdated form to highlight the comparison. One of them, the Russian Federal Law on Personal Data, refers to the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", which was confirmed in 2006. This reference allows storing data outside Russia, and the 1C Company has already offered a cloud solution in accordance with Chapter III, "Transborder data flows", and Article 12, "Transborder flows of personal data and domestic law":

• The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.
• A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorization transborder flows of personal data going to the territory of another Party.
• Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:
  • insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;
  • when the transfer is made from its territory to the territory of a non-Contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.

The Russian law refers to other documents that provide several protection requirements, some of which I will examine right now. These requirements are divided into three categories based on which data are processed (medical, religious, nationality, etc.) (Table 3).

Some non-profit organizations try to unify best practices for clouds, help vendors to improve their security features and provide customers with the best choice of the solution they need. One of them is the CSA; a range of industry security practitioners, corporations and associations participate in this organization to achieve its mission. They created the so-called "CSA Consensus Assessments Initiative Questionnaire", which provides a set of questions the CSA anticipates a cloud consumer and/or a cloud auditor would ask of a cloud provider. AWS has announced that it has completed the CSA CAIQ (Table 4).

Conclusion

Some companies have to deal with regulations because of legal proceedings that dictate how data should be handled, where they should be stored and how consumer data are protected. On the other hand, a security audit may uncover vulnerabilities. Whether an audit makes sense or not, there are cases when you or someone else has to validate against a standard. In these articles, I briefly analyze the security features of AWS against several requirements. In further articles, I will provide a detailed examination of AWS services against the best-known documents, to explain and show whether cloud services (mainly AWS and Azure) are really so insecure, whether configuring them for compliance is really so complex, and whether compliance makes sense for end customers in terms of security.

Yury Chemerkin

Yury Chemerkin graduated from RSUH in 2010 (http://rggu.com/) with a BlackBerry diploma thesis. Currently in the postgraduate program at RSUH on a Cloud Security thesis. Experience in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and as a contributing Security Writer. Also researching Cloud Security and Social Privacy. For the last several years, I have worked on mobile social security, cloud security and compliance, mobile security and forensics; additionally, I develop solutions based on exploiting not only OS vulnerabilities but also third-party products and solutions.
Regular blog: http://security-through-obscurity.blogspot.com
Regular Email: [email protected]: yury.chemerkin