ISSN 2320 - 2602 Volume 5 No.11, November 2016 Martin ShikukuInternational Gwara et al., International Journal Advances in Computer Science and Technology, 5(11), November 2016, 151- 159 Journal ofofAdvances in Computer Science and Technology
Available Online at http://www.warse.org/IJACST/static/pdf/file/ijacst015112016.pdf
A Framework for Assessing Cloud Computing Security for Cloud Adoption in Microfinance Banks Martin Shikuku Gwara1, George Okeyo2, Michael Kimwele3 School of Computing and Information Technology, Jomo Kenyatta University of Agriculture and Technology, Kenya martingwara@gmail.com 2 School of Computing and Information Technology, Jomo Kenyatta University of Agriculture and Technology, Kenya gokeyo@icsit.jkuat.ac.ke 3 School of Computing and Information Technology, Jomo Kenyatta University of Agriculture and Technology, Kenya mkimwele@jkuat.ac.ke 1
ABSTRACT
vendor lock in [15], loss of governance [3], malicious insider and data location [15], data recovery [9], account, service and traffic hijacking , virtualization, legal issues [3], cloud service termination or failure [2], [6], data loss [12], [15], physical interruption, data segregation and auditing issues [6], data breach [12], resource exhaustion [11], software vulnerabilities, personnel security issues, responsibility ambiguity, data privacy issues, intellectual property issues, unsafe network architecture, network attacks and application security issues [4], [6].
Cloud computing is an important element of success to microfinance banks. While significant progress has taken place in the adoption of cloud services, there still remains security challenges which have to be addressed immediately. Many microfinance banks adopt cloud computing without considering what security measures has been offered by the cloud service providers, their level of security readiness for cloud adoption which always leads to weak implementation and or total failure. Therefore, this paper aims to develop a framework for assessing cloud computing security for cloud adoption in microfinance banks that covers all the aspects relating to the security of cloud computing which are to be necessarily examined by microfinance banks intending to use cloud solutions prior to entering into a contract with a cloud service provider. In particular, this framework ensures the development of a clear, consistent and simplified criteria to be used in assessing cloud security and in the onset define the risks/ challenges to be considered, the security controls, measurement metrics and provide an iterative process for assessing cloud security and or improvement by addition of new security controls/ measures. In addition, this paper discusses the security challenges, requirements and barriers in the cloudification of microfinance bank business. This paper will assist microfinance banks in resolving the problems confronting the cloud security for cloud adoption.
Microfinance banks do not always understand all the cloud security challenges and how the cloud service provider (CSP) have dealt with this challenges which leads to half hazard contracting that leaves the microfinance banks at a great disadvantage. In dealing with these issues, this paper is organized into five sections. The rest of this paper is organized as follows. Section 2 presents related work. Section 3 describes the framework development. Section 4 presents the framework validation. Finally, Section 5 is the conclusion and future work directions. 2. RELATED WORK According to [5], as data moves to the cloud, companies will need to enforce the same security, compliance, and governance policies that they do for data stored on premises. It is for this reason that organizations are going flat out to find a safe simple way to secure the cloud through cloud security frameworks.
Keywords: Cloud security challenges, security requirements, cloud security framework, microfinance banks. 1. INTRODUCTION Security involves confidentiality, privacy, integrity and availability which aid the development of secure systems. There is so much concern about security within cloud computing environment. Literature has revealed that security is the biggest management issue with cloud computing [6]. Some of the security challenges include 1
Reference [13] stated that the Cloud security alliance group provided actionable best practices for businesses to transition to cloud services while mitigating the risk involved in doing so which has critical areas of focus in cloud computing being divided into fourteen domains.
Martin Shikuku Gwara 151
Martin Shikuku Gwara et al., International Journal of Advances in Computer Science and Technology, 5(11), November 2016, 151- 159 Reference [10] provided a cloud security framework framework was developed based on the countermeasures. In in which they presented various lines of defense and identify this paper, the security challenges have been categorized into the dependency levels among them. They identified 28 cloud security standards which describes the standards required to security threats in which they classified into five categories. take measures in order to prevent attacks, network includes They also presented nine general cloud attacks along with network attacks such as distributed denial of service, access various attack incidents, and provided effectiveness analysis control deals with issues of authentication and access of the proposed countermeasures. Also, according to [1], the control, cloud infrastructure deals with attacks on the cloud IBM Security Framework provides a top level view on infrastructure, data deals with data related issues like data security. breach and people deals with issues affecting personnel like personnel security, governance, roles and responsibilities and The framework for secure cloud computing by [8] is awareness and training. based on the security model that describes the details of each component and apply the needed security technologies for Each challenge had its own security control and implementation between components in the cloud security metrics. A score of one is given if a security control computing. exist for a particular security challenge and zero is given if otherwise. According to [7], gone are the days of long drawn Reference [14] proposed that in order for implementations, and blueprinting exercises and that today organizations to look at cloud risk issues thoroughly, then, we are quickly towards the concept of “iterative the items under legal requirements, operational security, blueprinting� which allows not only you to not only visualize business continuity management, identity and access the process, but also make amends to inefficiencies, monitor management, physical security, data and services portability, the changed process. It is for this same reasoning that the environmental controls, personnel security, supply-chain proposed framework consists of an iterative process as assurance and asset management have to be addressed. shown in Figure 1 that also incorporates the element of continuous improvement, and a framework implementation Having security controls in place help mitigate all matrix as shown in Table 1. The framework ensures the security risk before they result in security breaches. To do development of a clear, consistent and simplified criteria to this, it is important to classify cloud service against the cloud be used in assessing cloud security and in the onset define architecture model in order to map security architecture as the risks/ challenges to be considered, the security controls, well as business, regulatory and other compliance measurement metrics and provide an iterative process for requirement against it. Information asset can then be assessing cloud security and or improvement by addition of protected thoroughly from the results. new security controls/ measures. This work follows the [10] approach but differs from [10] in several aspects. First, this work uses security challenges that classified into six categories. Secondly, this work uses a framework that ensures development of a clear, consistent and simplified criteria to be used in assessing cloud security and in the onset define the risks/ challenges to be considered, the security controls, measurement metrics and provide an iterative process for assessing cloud security and or improvement by addition of new security controls/ measures. Also this work uses [14] work but differs from it in many aspects that includes expanded security challenges and the use of six categories in classifying these challenges which is not included in work of [14]. 3. FRAMEWORK DEVELOPMENT A review was carried out on some cloud security frameworks discussed in the section on related work. The
152
Martin Shikuku Gwara et al., International Journal of Advances in Computer Science and Technology, 5(11), November 2016, 151- 159
Figure 1: Iterative process for assessing cloud security
153
Martin Shikuku Gwara et al., International Journal of Advances in Computer Science and Technology, 5(11), November 2016, 151- 159 Table 1: Framework implementation matrix
Score: Yes=1 No=0 CATEGORY
CHALLENGE
SECURITY CONTROL/ COUNTERMESURE
METRICS
S1
Legal issues
Legal: CSP's contract or service level agreements (SLA) should specify that it is bound by the law of the bank’s home country and allow the courts of that country exclusive jurisdiction over any disputes arising out of the contract or leave that particular section open for later argument and resolution if and when needed; Responsibility management: Clearly defined split of responsibilities between the microfinance bank and the CSP to manage security and associated risks. Governance: CSP provide evidence of their own compliance with the relevant requirements Auditing: CSPs should offer regular and timely access to audited events. Supply chain assurance: Third party SLA should be in place to cater for conditions of the agreement.
Evidence of CSP's contract or SLA; Evidence of compliance of CSP to the national and international obligations and certifications.
Security, legal, regulatory, administrative and Management
S2
Responsibility ambiguity
S3
Loss of governance Auditing issues
S4 S5
Supply chain failure
S6
Regulatory compliance issues Software vulnerabilities
S7
S8
Software assurance:
Patch management:
S9
Intellectual property issues Risk from changes of jurisdiction
S10
A1
Regulatory compliance: Certification and compliance to regulations.
Access control management
Unsafe access
Intellectual property management: CSPs having security and compliance policies and procedures. Jurisdiction management: Before migrating applications or data to a cloud computing environment, understand precisely the specific laws or regulations that apply and the relevant duties or obligations imposed on both the customer and the provider (e.g. data retention, data protection, interoperability, medical file management, disclosure to authorities); Clearly defined SLA. Authorization and authentication;
154
Split of responsibilities between the microfinance bank and the CSP to manage security and associated risks. CSP provide evidence of their compliance with requirements Availability of audit reports and certification Third party SLA; Evidence of a list of core information technology services outsourced. Evidence of certification and compliance to regulations. Evidence of controls used to protect the integrity of the operating system and applications software used; Evidence of patch management procedure covering all layers of the cloud delivery technologies. CSPs having security and compliance policies and procedures. Specific laws or regulations that apply and the relevant duties or obligations imposed on both the customer and the provider; Clearly defined SLA.
- System-wide privileges for the entire cloud system; - Authentication and management of accounts with the highest level of
SCORE 0 1
Martin Shikuku Gwara et al., International Journal of Advances in Computer Science and Technology, 5(11), November 2016, 151- 159 privilege; - High-privilege roles allocation do not break the segregation of duties’ rule; - Principle of least privilege followed; - Processes in place for de-provisioning credentials. A2 Account, service Access control: Checks on the identity of user accounts and traffic Two-factor authentication; Identity and access management at registration (standards followed) hijacking control; Authentication and authorization for interapplication connections and cloud services; Prohibit the sharing of account credentials between employees by setting up a protocol which act as a firewall; Employ proactive monitoring to detect unauthorized activity; Identity provisioning C1 Cloud Cloud service Clearly defined SLA having exit/ change management; Evidence of exit/ change management infrastructure termination or Mirroring strategy, which involves pairs of similar data and mirroring strategy. management failure centers and permanent replication of data; C2 Virtualization Security information and event management (SIEM) - Security information and event solution considered to correlate server and network logs management (SIEM) solution considered across virtual infrastructures; Using Mirage Image to correlate server and network logs Management System; Host architecture; across virtual infrastructures; - Monitoring through IDS (Instruction Detection System)/IPS (Intrusion Prevention System) and by implementing firewall to mitigate Virtual Machine Level vulnerabilities; C3 Physical Physical infrastructure and facilities should be held in secure Audit and assessment reports, interruption areas; Protection against external and environmental threats; demonstrating compliance to security Control of personnel working in secure areas; Equipment standards; Physical security perimeter; security controls; Supporting utilities such as electricity Physical entry controls; CSP should have supply, gas supply, telecommunications, and water supply appropriate backup of data, redundancy should have controls in place; Control security of cabling; of equipment and continuity plans for Proper equipment maintenance; Control of removal of handling equipment failure situations; assets; Secure disposal or re-use of equipment; Human Security and compliance policies and resources security; Backup, Redundancy and Continuity procedures that are used to protect their Plans; Regular risk assessments; Ensure that the hosting intellectual property and corporate service has adequate natural disaster protection. assets, especially in the IT space; Natural disaster preparedness; Offer multiple redundant sites and network paths by default. C4 Application PaaS (platform-as-a-service) – application security; - Multi-tenanted applications isolated security issues from each other; - Confirmation that access to own data is 155
Martin Shikuku Gwara et al., International Journal of Advances in Computer Science and Technology, 5(11), November 2016, 151- 159 restricted to own enterprise users and their applications; - Offer a set of security features including user authentication, single sign on, authorization; C5 SaaS (software-as-a-service) – application security Administration controls are provided and used to assign read and write privileges to other users; C6 Distributed Intrusion detection systems loaded for each cloud; Access - Technical description of interfaces and denial of service control list that blocks offending traffic; Geographic spread, protection methods (DDOS) elasticity, authentication methods at graphical user interface (GUI) and application programming interface (API), protection measures for administrator interfaces, authentication for administration interface, administrator roles and privileges; Intrusion detection systems (IDS) loaded for each cloud; Use of access control list that blocks offending traffic. D1 Data security Data breach, Encryption of the files and devices using the best standards Formal process in place for detecting, management Data loss, Data and adherence to encryption policy; Strong passwords; identifying, analyzing and responding to location Avoid employees bringing their own devices which may be incidents; Rehearsal process to check infected with malware, virus and or spyware that may infect that incident handling processes are microfinance banks’ intranet and PCs by providing those effective; Real time security monitoring employees with bank’s devices; Create a data asset catalog; (RTSM) service in place; Periodical report on security incidents upon request; D2 Vendor lock in Standardize APIs; Compatible software to enable surge or - Provision of interoperable export hybrid cloud computing; Data and services portability; formats for all data stored within the cloud by the vendor; - Standardized API interfaces used in SaaS; D3 Data segregation, Security of API; Secure storage for used keys; Data backup; Secure API; Secure storage for used Data recovery Retention policies; and server-side storage. Backups; keys; Data backup; Retention policies; and server-side storage. D4 Data privacy Privacy requirements be adequately addressed in the cloud Privacy requirements be adequately issues service agreement; Microfinance banks are responsible for addressed in the cloud service defining policies to address privacy concerns and raise agreement; Audit program covering all awareness of data protection within their organization. aspects of the privacy policies. D5 Intercepting data Use of encryption, and strong authentication mechanisms - Authentication methods at GUIs and in transit APIs; - Protection measures for administrator interfaces; - Authentication for administration interface; 156
Martin Shikuku Gwara et al., International Journal of Advances in Computer Science and Technology, 5(11), November 2016, 151- 159 - IP restrictions, administrator roles and privileges; - Authentication for administration interface; - Encryption; D6 Loss of backups CSP should have appropriate backup of data, redundancy of Evidence of data backup, redundant equipment and continuity plans for handling equipment equipment and continuity plans for failure situations; Policies and procedures for backup handling equipment failure situations; (includes procedures for the management of removable Policies and procedures for backup. media and methods for securely destroying media no longer required). D7 Data migration - Standard data formats and interfaces, business continuity Standard data formats and interfaces, strategy which includes migration/exit plans for moving data business continuity strategy which and/or processes to another provider; includes migration/exit plans for moving - CSP should have appropriate backup of data, redundancy data and/or processes to another of equipment and continuity plans for handling equipment provider; failure situations; Encryption of data; P1 People security Personnel CSP should support microfinance banks’ own existing CSPs offer single-sign-on and single management security issues Identity and Access Management (IdAM) system; Identity sign-off; auditing logs, reports, alerts and Provisioning and Delegation where the CSP should support notifications to monitor user access both delegated administration; Single Sign-On (SSO), Single for customer’s needs; strong multiSign-Off; Identity and Access Audit; Robust Authentication; factor, mutual and/or biometric Role, Entitlement and Policy Management; Human authentication; Policies and procedures resources security including appropriate controls for CSP on recruitment of personnel with system staff working at the facilities; Recruitment of personnel; access that includes vetting; Security Training; Process of continuous evaluation; education program; P2 Isolation of roles Authentication, authorization and encryption; Authentication, authorization and encryption; P3 Malicious insider Implementation of a tracking system which can generate Tracking system reports of employee’s activities and client-side encryption gateway; Vetting before, during and hiring of personnel and personnel awareness and training; N1 Network security Unsafe network Security policy and assurance via audit and certification; Controls used to mitigate DDoS attacks; management architecture Network architecture controls Levels of isolation are used for virtual machines, physical machines, network, storage; N2 Network attacks Network security configurations; Traffic screening - Backup and network failover systems performed by firewall devices or software; Denial-of-service to maintain availability of network protection; Intrusion detection and prevention; Logging and services. notification; - Network Access Control (NAC) TOTAL SCORE
157
Martin Shikuku Gwara et al., International Journal of Advances in Computer Science and Technology, 5(11), November 2016, 151- 159 assess cloud computing security for cloud adoption. Some of 4. FRAMEWORK VALIDATION Framework validation was done through interviews the notable responses were: with the microfinance banks and also with computer “The cost and complexity of mitigating risks has been consultants who are persons with wealth of knowledge and reduced by this framework. To go the cloud computing way, experience in the information technology (IT) field. The it is significant to understand the security needs and priorities interview responses to the validation questions came from of the microfinance bank and identify with the security six microfinance banks and two computer experts who were solutions offered by the CSP”. approached for their input to this proposed framework. The majority of the participants’ experience while Majority of the participants indicated that the using this framework felt that the proposed framework will framework offers a clear and simplified criteria by the use of go a long way in helping microfinance banks in entering into its simple to follow iterative process. The participants felt a contract with a CSP when they have known upfront what that the microfinance banks need to define their tolerance security features has been provided by that CSP but there levels in advance and also need to have at the beginning a list should be a system of engagement where the microfinance of prospective cloud service providers (CSP). These banks can interact with the CSPs to secure the much needed concerns have been incorporated in the framework. Some of security information. This engagement facility has been the most notable responses are: incorporated in the iterative process of the framework. “This framework will act in a simplified way like an independent procedure in analyzing the security on offer by a Other participants also felt that the microfinance particular CSP. It has made the work scrutiny for banks should have a way of benchmarking within themselves microfinance banks to be much easy. The microfinance the security maturity of each other as this would go a long banks need only to have initially the list of prospective way in improving the information on security and be able CSPs”. confront the challenges better as a common group. This researcher feels that this idea is outside the current scope of The participants also noted that the risks/ challenges this research and may should be taken into consideration in considered, the security controls and the measurement future research. The participants also advised the metrics included in the framework implementation matrix microfinance banks on the need to invest on proper skills and offers an effective way to assess the security offered by the expertise in their security department. From the responses CSPs. Some of the notable responses were: received, the majority of those participants were in favor of “This helps in keeping track of the security measures so as to the framework saying that it is a positive step towards have an effective way to assess the security offered by the achieving a proper assessment of cloud security prior to CSPs. The risks considered though not exhaustive is good for contracting a CSP and or subsequent cloud adoption. the start”. 5. CONCLUSION AND FUTURE WORK The participants also noted that the element of This paper presented a framework for assessing continual process improvement or updating has been cloud computing security for cloud adoption in microfinance incorporated in the framework. The participants felt that this banks. The framework consisted of an iterative process that would make the microfinance banks to have a visibility into also incorporates the element of continuous improvement, the everyday security events across the entire cloud security and a framework implementation matrix. This framework world so as to have an effective implementation matrix for ensures development of a clear, consistent and simplified the framework. Some of the notable responses were: criteria to be used in assessing cloud security and in the onset “This proposed framework has gone a long way to create a define the risks/ challenges to be considered, the security way of updating the security measures which is fine. The controls, measurement metrics and provide an iterative new security risks can be easily be included when this process for assessing cloud security and or improvement by framework is put into use”. addition of new security controls/ measures. The majority of the participants also noted that the framework actually offers a wealth of security information and informs the microfinance banks on matters of cloud security. Some of the notable responses were: “This framework helps to look at the issue of cloud security as perceived by the microfinance banks and aligns that experience with that of the CSPs. The microfinance banks’ team should always be led by its team of IT experts and or IT Experts from without”.
The first research question considered the state of deployment to cloud computing in various microfinance banks in Kenya. The results of the research showed that the majority of the microfinance banks have adopted some form of cloud computing in their operations (66.7%), and 50% were aware of the implications and that majority of the microfinance banks had adopted non-core applications such as email hosting, customer resource management (CRM). This research has shown link that the majority of the microfinance banks who had 5 years and above banking experience (83.3%), are the ones who have embraced cloud computing in their core banking services and their level of knowledge about information security and cloud computing
The majority of the participants also noted that the framework is capable of assisting microfinance banks to 158
Martin Shikuku Gwara et al., International Journal of Advances in Computer Science and Technology, 5(11), November 2016, 151- 159 are either somewhat knowledgeable and or very Cloud Standards Customer Council, 2015, pp 1-35. knowledgeable. [5] CSA. Cloud Adoption Practices & Priorities Survey Report, CSA, pp 1-13, 2015. The second research question considered the [6] ENISA. Secure Use of Cloud Computing in the Finance security challenges, requirements and barriers in the Sector. Good Practices and Recommendations, pp 1-38, “cloudification” of banking services. The results of the study 2015. shows that 66.7% strongly agree that security concern is a [7] IBM. Going Mobile? Then start along the business blocking issue in cloud computing. And that data loss, process way, (N. S., Ed.), pp 1-8, 2014. account, service and traffic hijacking at 100.0% offer the [8] Munir K. and Palaniappan S. Framework for Secure main security challenge/ barrier to cloud computing. Others Cloud Computing. International Journal on Cloud are vendor lock in, loss of governance, insecure or Computing: Services and Architecture, 3(2), 2013, pp 21incomplete data deletion (83.3%). Also the results of the 35. study showed that 66.7% are aware of regulatory [9] Kaur M. and Singh H. A Review of Cloud Computing requirements related to cloud computing adoption. Security Issues. International Journal of Advances in Furthermore, the results of the study showed that avoiding Engineering & Technology, 2015, pp. 397-403. vendor lock-in, right to audit, SLAs are chosen to be key [10] Khalil I., Khreishah A. and Azeem M. Cloud security requirements (100.0%). The research also showed Computing Security: A Survey. Computers, Volume 3, that SLAs and specific clauses in the contract are considered 2014, pp. 1-35. to be the best way microfinance institutions can ensure [11] Liu Y., Sun Y., Ryoo J., Rizvi S. and Vasilakos A. A compliance to regulations and internal procedures by the Survey of Security and Privacy Challenges in Cloud service providers (100.0%). The research also showed that Computing: Solutions and Future Directions. avoiding vendor lock in and right to audit (100.0%) were the Journal most widely requested clauses for mitigation followed by of Computing Science and Engineering, 9(3), 2015, pp. developing exit strategies (83.3%). 119-133. [12] Parashar A. and Borde A. Cloud computing: Security The third research question considered the existence issues and its detection. International Journal of of any state-of-the-art techniques to analyze cloud security in Engineering Sciences, 5(2), 2015, pp. 136-140. microfinance banks and the research showed that the all [13] Shijisujai. Cloud security – CSA domains, microfinance banks have no knowledge of the existence of Retrieved2016, from any state-of-the-art techniques to analyze cloud security http://thetechnologychronicle.blogspot.co.ke/2015/05/cloud(100.0%). security-csa-domains.html, 2015. [14] Were T. O. A framework for assessing cloud Future work should include additional analysis into computing risk for Kenyan organizations, MSc the effectiveness of this framework with the idea of Thesis, 2013. improving it further and also should be expanded to involve [15] Wickramasinghe S., Sudesh R., Dissanayaka D., a way of measuring how effective a security control is. There Udarini is need to interrogate further the security controls offered by W., Hettiarachchi P. and Dhammearatchi D. Cloud the CSPs to see how close they can match with the security computing-Enhancement of Security with respect to requirements of the microfinance banks. Encryption and secure APIs. Imperial Journal of Interdisciplinary Research (IJIR), 2(5), 2016, pp. 690695. REFERENCES [1] Alan S. Reading List: Managing Security and Compliance in Cloud or Virtualized Data Centers, Retrieved 2016, from http://alanstreet.net/reading-listmanaging-security-and-compliance-in-cloud-or-virtualizeddata-centers/, 2014, pp 1-4. [2] Armbrust M., Fox A., Griffith R., Joseph A. D., Katz R., Konwinski A., Lee G., Patterson D., Rabkin A., Stoica I. and Zaharia M. A view of cloud computing. Communications of the ACM, 2010, pp. 50-58. [3] Bobade A. and Patil D. Survey on Different Security Issues & Challenges in Cloud Computing for Multifarious Technology. International Journal of Emerging Research in Management & Technology, 4(10), 2015, pp. 117-123. [4] Cloud Standards Customer Council. Security for Cloud Computing Ten Steps to Ensure Success Version 2.0, 159