Technical compliance checking practice guide for cloud services (infrastructure as a service)
This document is proposed to ISO/IEC JTC1 SC27 by a Japanese expert, as a draft of an Annex of ISO/IEC TR 27008, which JASA members wrote.

C.1 Positioning and purpose of this Annex

This Annex is a technical guideline for reviewing, based on the guidelines for reviewers on information security controls given in Annex A of this standard, the implementation and operation of the controls and implementation guidance given in the Code of practice for information security controls based on ISO/IEC 27002 for cloud services defined in ISO/IEC 27017. This Annex covers the technical viewpoints required for review and the review methods, assuming infrastructure as a service, which provides cloud service customers with the computer resources of the cloud services.

Systems which provide cloud services are diverse even within infrastructure as a service and keep changing due to significant technology innovation. This Annex does not assume a specific system but is intended to be used as a practice for review methods, notes, and review targets. This Annex covers only the information security controls, or their implementation, specific to cloud services given in ISO/IEC 27017. This Annex focuses on reviewing whether the security controls are implemented properly in the cloud system (see Figure 1).

This Annex uses models and examples to explain technical review methods for computer systems which provide cloud services. It provides a reviewer with an understanding of the review points specific to cloud services. In addition, it also gives an engineer to be reviewed insight into how the service should be verified and how the audit trail should be shown. A cloud service provider would incorporate adopted security controls which can be implemented in an IT system into its own cloud system. Following this guideline allows not only reviewers to work on a proper review but also the cloud service provider to design specific controls that make its own service comply with ISO/IEC 27017.
[Figure 1 Scope of this Annex (diagram: security controls are shown in the stages Design, Implementation and Operation; the scope of this Annex is marked over Implementation and Operation)]
C.2 Relationship with other international standards

The following standards are related to this Annex in addition to ISO/IEC 27017.

(1) ISO/IEC 27018 Information technology – Security techniques – Code of practice for PII protection in public clouds acting as PII processor
ISO/IEC 27018 defines Personally Identifiable Information (PII) in cloud services. This Annex covers infrastructure as a service. In infrastructure as a service, cloud service customers are responsible for their own information security for the information stored in the virtual machines they use. This means that the cloud service provider is not able to administer PII in the virtual machine, which places it outside the scope of this standard. The PII which should be maintained by the cloud service provider includes information on the cloud service customers. This is managed by and stored in the Service management of the Implementation Model explained later. PII handled in Service management should be handled according to ISO/IEC 27018.

(2) ISO/IEC 17788 Information technology – Cloud computing – Overview and vocabulary
This Annex applies the overview and vocabulary of cloud computing defined in ISO/IEC 17788.

(3) ISO/IEC DIS 17789 Information technology – Cloud computing – Reference architecture
ISO/IEC 17789 is applied for the basic ideas on the components which make up cloud services. While ISO/IEC 17789 defines the architecture of cloud computing in terms of roles and activities, implementation-conscious viewpoints on the cloud system are required in the review, including confirmation of the configuration of the virtualization mechanism. Therefore, this Annex presents the Implementation Model, which models a cloud system and maps the functional components defined in ISO/IEC 17789 to review items.
C.3 Configuration of this Annex

This Annex first suggests a model of the cloud service environment, with infrastructure as a service assumed. This model describes the relationship between resource types and virtualization, and the concepts of cloud service customer and tenant. Server, network and storage are identified as resource types. The audit requirements are described in the same format as in Annex A, in the order of the topics common to the whole model, each individual resource type, and Service management. See Annex A for the meaning of the items in the table.

(1) Explanation of the typical technologies: explanation of the technological elements and guidelines related to the virtualization implementation. When multiple implementation methods exist, typical methods are explained.
(2) The controls defined in ISO/IEC 27017: reference to the controls in ISO/IEC 27017 which relate to virtualization.
(3) Audit method for the controls of ISO/IEC 27017: guideline for the review method for the controls of ISO/IEC 27017. When multiple implementation methods exist, one of them is explained.

C.4 Cloud services (infrastructure as a service) environment model

C.4.1 Meaning of the model introduced

As cloud service technologies are diverse, it would be too individual and specific to pick them up in detail one by one. In addition, the computing technologies used in cloud services are new and still under technical development. Considering this, standardizing audit methods on these individual, specific technologies is not appropriate. The auditor (or reviewer) can keep this methodological model in mind and consider, prior to the actual evaluation, whether the actual technologies implemented for a control have been designed based on the idea of the control, and how audit evidence should be collected.

C.4.2 Model and components

In the infrastructure as a service assumed in this Annex, the environment which provides cloud services consists of virtual resources directly used by the cloud service customers, virtualization mechanisms that implement those resources, and Service management, which controls and serves the virtualization mechanisms. Figure 2 shows the Implementation Model for systems which provide cloud services.
[Figure 2 Implementation Model (diagram: Service management, consisting of the user portal/APIs, operational support systems and business support systems, directs the virtualization mechanisms (resource abstraction & control), which map the physical resources to virtual resources such as virtual machines, virtual disks and service resources, grouped into tenants)]

An important concept of this model is the virtualization and separation of resources. In the virtualization mechanisms, physical resources are provided as virtual resources, with their access rights separated by tenant by the resource abstraction & control components. This processing is directed by Service management to the virtualization mechanisms. A tenant is an area in which the virtual resources allocated to one access-controlled unit are aggregated. Multiple tenants can be provided to a cloud service customer on request. Generally, multiple users access a tenant and execute information processing there.

This model has four components. Three of them, physical resources, virtualization mechanisms and virtual resources, are categorized into server, network and storage as resource types.

(1) Physical resources
Physical resources are the physical equipment required for providing cloud services. They consist of server equipment, network equipment and storage equipment. The physical network equipment includes the physical Network Interface Card (NIC) which connects the server to the network. The physical storage equipment includes the Host Bus Adapter (HBA) and FC switches which connect the server to the storage.

(2) Virtualization mechanisms
Virtualization mechanisms are used to produce the virtual resources provided by the cloud services. A hypervisor is the mechanism for server virtualization. Virtual Local Area Network (VLAN) and Software Defined Network (SDN) apply to network virtualization. For storage, the storage devices themselves mostly include this mechanism.

(3) Virtual resources
Virtual resources, such as a Virtual Machine (VM), are created by the function for virtualization and provided to cloud service customers in the cloud service. While the function for virtualization provides virtual resources, the term virtual resources indicates the concept of the collection of virtual resources produced.
Note: Network and storage can be virtualized by servers. For instance, the virtual switches configuring the virtual network may be created by the hypervisor which virtualizes the server.

(4) Service management
Service management is a system which enables the cloud service provider to provide cloud services, and which provides the interface to the cloud system for the cloud service customer. Using the above function for virtualization, it provisions the virtual resources required for the cloud service. It also monitors and manages the physical resources and controls the entire cloud environment so that it functions appropriately. Service management also includes the portal functions, utilities, and Application Program Interfaces (APIs) which allow cloud service customers to carry out the operations permitted to them, including provisioning and activation/deactivation of a VM.

C.4.3 Correspondence with ISO/IEC 17789

Functional components defined in ISO/IEC 17789 are implemented in this framework by the implementation elements used for each component, depending on the target resource type or layer. Take access control as an example:
- Access management of physical disks: disk unit
- Access management per tenant: virtualization mechanisms
- Access management of virtual disks: virtualization mechanisms
- Access management in each VM: OS of the VM
The multi-layer functions and components defined in ISO/IEC 17789 which serve cloud services are included in Service management in the Implementation Model of this Annex. The business support systems (BSS) and operational support systems (OSS) defined in ISO/IEC 17789 are also included in the Implementation Model of this Annex. Multi-layer functions relating to integration and security are implemented in their target mechanisms, as with the access rights above.
C.5 Common practice in the Implementation Model

This section describes the checking practice common to server virtualization, network virtualization and storage virtualization, which are explained later.

C.5.1 Application of virtualization technologies in the cloud service and its points of focus

As explained above, virtualization consists of functions for virtualization and virtual resources. In infrastructure as a service, these virtual resources are accessed by cloud service users. The following assessments are required for the virtualization mechanisms in a technical review of the cloud system:

(1) Operations security
As operation of the virtualization mechanisms has a direct impact on the virtual resources, make sure that the operation is performed properly.

(2) Definition of the environment
Check whether the logs and events which must be provided to cloud service customers (error notifications, warnings, values beyond a threshold, etc.) are defined as parameters of the virtualization mechanisms, so that the information is collected and accumulated. Redundancy of the virtualization mechanisms and virtual resources is also defined as parameters of the virtualization mechanisms and is to be reviewed with regard to availability.

(3) Capacity management
In each virtualization, the relationship between the virtual resources provided to cloud service customers and the physical resources is managed. In general, cloud computing provides the logical resources available concurrently using a statistical approach. Therefore, the total virtual resources provided will be larger than the total physical resources (oversubscription, overcommit).

C.5.2 Common review method in the Implementation Model

C.5.2.1 Operations security <12>
Control: ISO/IEC 27017 12.1.2 Change management
Implementation guidance for cloud service provider: The cloud service provider should provide the cloud service customer with information regarding changes to the cloud service and the systems on which it runs that could adversely impact the cloud service customer's information security. The following will help the cloud service customer determine the effect the changes can have on information security: categories of changes; planned date and time of the changes; technical description of the changes to the cloud services and underlying systems; notification of the start and the completion of the changes. When a cloud service provider offers a cloud service that depends on a peer cloud service provider, then the cloud service provider might need to inform the cloud service customer of changes caused by the peer cloud service provider.
Additional technical information: Potentially significant changes for a cloud service customer are as shown below:
Server:
- Update or upgrade of the hypervisor
- Changes in hypervisor parameters and environmental definitions
Network:
- Changes in virtual LAN definitions
- Changes in configuration, environmental definitions and parameters, including those of switches, routers, firewalls and load balancers
Storage:
- Changes in device definitions
- Changes in SAN zoning, etc.
Hardware:
- Firmware upgrade
Software:
- Software upgrade
- Application of program fixes (patches)
- Application of security fixes
These changes are diverse and have different impacts on a cloud service customer. Therefore, in general, the cloud service customer and the cloud service provider should have agreed on the level at or above which changes are notified.
1 Security implementation standard: As IT resources are shared by the cloud service customers in the cloud, the cloud service customers who are using those resources must be notified of any changes in the hardware or software of the IT resources. In addition, as the IT resources are mutually dependent, service customers using other resources which depend on the relevant resources will also be affected. Therefore, in change management, the cloud service users who are directly or indirectly affected must be identified and notified appropriately.
Technical note on security implementation standard: In general, the hardware and software configuring the cloud are managed in a CMDB (Configuration Management Database). Hardware and software support for cloud service customers is also managed by the CMDB, OSS (Operation Support System) or BSS (Business Support System). The relationship between the hardware and software to be changed and the cloud service customers is managed by these systems.
1.1 Practice Guide: Check whether the cloud service customers who are using the IT resources to be changed are identified.
Evidence assumed: Search result of the CMDB, etc. (search result of the cloud service customers who are utilizing a specified IT resource)
Method: Examine/Observe
1.2 Practice Guide: Check whether the relevant relationships are understood when dependencies or impacts between IT resources exist.
Evidence assumed: Search result of the CMDB, etc. (search result of the other IT resources affected by a specified IT resource when dependencies exist between the IT resources)
Method: Examine/Observe
1.3 Practice Guide: Check whether the change management information which should be provided to cloud service customers is provided properly. Check the following on the information provided:
- the changes are related to the cloud service customers (indirect impacts should also be provided), and
- the impacts are provided at the level agreed with the customers or at a reasonably appropriate level.
Evidence assumed: Mail to cloud service customers; portal intended for cloud service customers
Method: Examine/Observe
Control: ISO/IEC 27017 12.1.3 Capacity management
Implementation guidance for cloud service provider: The cloud service provider should monitor the total capacity of computing resources to prevent information security incidents caused by resource shortages.
Additional technical information: The computing resources provided by the cloud service provider should include:
- CPU processing capacity, core memory
- Network bandwidth
- Storage capacity
In the cloud, capacity management is mandatory to prevent computing resources from running short at peak hours, because temporary use of computing resources concentrates at the peak hours. Capacity management must be implemented not only across the whole cloud but in each block, because computing resources may not be provided beyond the block of the cloud system. Define a level beyond which computing resources must be added, and take the necessary actions when the level is reached.
1 Security implementation standard: Specify a threshold on the computing resources and conduct monitoring so that an alarm is issued when the usage may exceed the threshold.
Technical note on security implementation standard: Monitor the usage of the computing resources by using the cloud system, IT equipment, software, etc.
1.1 Practice Guide: Check whether the computing resources which need capacity management are monitored as required.
Evidence assumed: Definition of monitoring in the cloud monitoring system; report output of the capacity usage
Method: Examine/Observe
1.2 Practice Guide: Check whether an alarm is issued when the capacity used exceeds the threshold.
Evidence assumed: Alarm setting of the cloud monitoring system (check whether an alarm is defined to be triggered by the threshold); event log of the cloud monitoring system (check whether an alarm was issued in the past)
Method: Examine/Observe
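A capacity check in the shape the 12.1.3 practice guides look for, as an added example that is not part of the Annex: per-block physical capacity, committed virtual capacity and measured usage (constructed figures), an overcommit limit per resource type for the oversubscription discussed in C.5.1 (3), and a usage threshold that raises an alarm, evaluated block by block as the additional technical information requires. The threshold values, the resource keys and the block figures are assumptions made for the demonstration.

```python
from dataclasses import dataclass

# Constructed policy values for the example: alarm when measured usage reaches 80 % of the
# physical capacity of a block, and cap the overcommit (committed/physical) ratio per resource.
USAGE_ALARM_RATIO = 0.80
MAX_OVERCOMMIT = {"cpu_cores": 4.0, "memory_gb": 1.5, "storage_tb": 1.0}


@dataclass
class BlockCapacity:
    """Capacity figures for one block of the cloud system (the three dicts share the same keys)."""
    name: str
    physical: dict   # physical capacity installed in the block
    committed: dict  # virtual capacity allocated to tenants (may exceed physical: overcommit)
    used: dict       # measured usage reported by the cloud monitoring system


def check_block(block, usage_threshold=USAGE_ALARM_RATIO, max_overcommit=MAX_OVERCOMMIT):
    """Return the list of alarm strings raised for one block (an empty list means no alarm)."""
    alarms = []
    for resource, physical in block.physical.items():
        committed = block.committed.get(resource, 0)
        used = block.used.get(resource, 0)
        overcommit = committed / physical
        limit = max_overcommit.get(resource, 1.0)
        if overcommit > limit:
            alarms.append(
                f"{block.name}/{resource}: overcommit ratio {overcommit:.2f} exceeds policy {limit:.2f}"
            )
        usage = used / physical
        if usage >= usage_threshold:
            alarms.append(
                f"{block.name}/{resource}: usage {usage:.0%} at or above threshold {usage_threshold:.0%}"
            )
    return alarms


def check_cloud(blocks, usage_threshold=USAGE_ALARM_RATIO, max_overcommit=MAX_OVERCOMMIT):
    """Per-block alarms plus the cloud-wide usage ratio per resource type.

    The per-block result is the one that matters: a block cannot borrow capacity from
    another block, so a healthy cloud-wide average can hide a block about to run out.
    """
    report = {"blocks": {}, "total_usage": {}}
    totals = {}
    for block in blocks:
        alarms = check_block(block, usage_threshold, max_overcommit)
        if alarms:
            report["blocks"][block.name] = alarms
        for resource, physical in block.physical.items():
            phys_sum, used_sum = totals.get(resource, (0, 0))
            totals[resource] = (phys_sum + physical, used_sum + block.used.get(resource, 0))
    for resource, (phys_sum, used_sum) in totals.items():
        report["total_usage"][resource] = used_sum / phys_sum
    return report


# Constructed sample data: block B is oversold on CPU and storage and close to CPU exhaustion,
# although the cloud-wide CPU usage (86 of 128 cores) is still below the threshold.
SAMPLE_BLOCKS = [
    BlockCapacity("block-A",
                  physical={"cpu_cores": 64, "memory_gb": 512, "storage_tb": 100},
                  committed={"cpu_cores": 128, "memory_gb": 600, "storage_tb": 80},
                  used={"cpu_cores": 30, "memory_gb": 300, "storage_tb": 50}),
    BlockCapacity("block-B",
                  physical={"cpu_cores": 64, "memory_gb": 512, "storage_tb": 100},
                  committed={"cpu_cores": 320, "memory_gb": 700, "storage_tb": 110},
                  used={"cpu_cores": 56, "memory_gb": 350, "storage_tb": 60}),
]

if __name__ == "__main__":
    result = check_cloud(SAMPLE_BLOCKS)
    for name, alarms in result["blocks"].items():
        for alarm in alarms:
            print("ALARM", alarm)
    print("cloud-wide usage:", {k: f"{v:.0%}" for k, v in result["total_usage"].items()})
```

Run against the sample data, only block-B raises alarms (CPU overcommit, CPU usage and storage overcommit) while the cloud-wide CPU usage stays at 67 %, which is exactly the situation the additional technical information warns about when it asks for monitoring per block.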
Control: ISO/IEC 27017 CLD.12.1.5 Administrator's operational security
Implementation guidance for cloud service provider: The cloud service provider should provide documentation about the critical operations and procedures to cloud service customers who require it.
Additional technical information: In general, if changes to the cloud environment fail, cloud service customers will be affected and prevented from using the cloud. In particular, deletion and destruction of data on the storage are the most critical damage to customers' assets. It is assumed that a temporary service breakdown or a disabled cloud environment may not destroy the assets, even if the transactions being processed are discarded.
1 Security implementation standard: Only preauthorized operators are able to delete the data.
Technical note on security implementation standard: Operation with administrative privileges with which data on the storage used by the cloud service customers can be deleted requires authentication different from that for normal operation.
1.1 Practice Guide: Check whether the IDs which allow operation with administrative privileges are limited and are used with a different procedure from the normal one.
Evidence assumed: List of user IDs, including those of the storage operation utility, etc.; operation when using administrative privileges
Method: Examine/Observe

Control: ISO/IEC 27017 12.4.1 Event logging
Implementation guidance for cloud service provider: The cloud service provider should provide logging capabilities to the cloud service customer.
Additional technical information: As described in ISO/IEC 27017 "Other information for cloud services", the cloud service provider is responsible for logging and monitoring the cloud computing infrastructure components in the IaaS covered in this document. They include:
- Logs and events of the hypervisor
- Logs and events of firewalls and load balancers
- Logs and events of storage devices and SAN equipment
As these infrastructure components are shared between cloud service customers, the events of all of these cloud service customers are logged together. Therefore, the log entries related only to the relevant cloud service customer must be extracted and provided.
1 Security implementation standard: The log to be provided to service customers is collected and events are monitored.
Technical note on security implementation standard: The cloud computing infrastructure components' own function is used to output the log and collect events. Log output is defined by the definition of the cloud computing infrastructure components' parameters.
1.1 Practice Guide: Check whether log or event collection settings are defined for the cloud computing infrastructure components.
Evidence assumed: Definition of the cloud computing infrastructure components' parameters
Method: Examine/Observe
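The per-tenant extraction that the 12.4.1 security implementation standard calls for, as an added example that is not part of the Annex: a constructed excerpt of hypervisor log lines, a parser for their key=value form, a filter that returns only the lines tagged with one tenant (optionally restricted to the severities the customer is entitled to, as in C.5.1 (2)), and an independent isolation check run before delivery. The line format, tenant identifiers and field names are assumptions.

```python
import re

# Constructed hypervisor log excerpt (not real data). Each customer-related line carries the
# tenant the event belongs to; a line without a tenant field is an infrastructure event that
# concerns the provider only and must never be handed to a customer.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z hv-01 sev=info tenant=t-001 vm=vm-101 event=vm.start result=ok
2016-03-01T10:00:05Z hv-01 sev=info tenant=t-002 vm=vm-201 event=vm.start result=ok
2016-03-01T10:01:10Z hv-01 sev=warn tenant=t-001 vm=vm-102 event=disk.latency value=350ms
2016-03-01T10:02:00Z hv-01 sev=error host=hv-01 event=memory.ecc_corrected
2016-03-01T10:03:30Z hv-01 sev=error tenant=t-002 vm=vm-201 event=vm.crash
2016-03-01T10:04:00Z hv-01 sev=info tenant=t-001 vm=vm-101 event=vm.stop result=ok
"""

# timestamp, emitting component, then free key=value fields
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": m.group("ts"), "source": m.group("source")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            entry[key] = value
    return entry


def extract_tenant_log(lines, tenant, severities=None):
    """Return only the entries of the given tenant, optionally restricted to some severities.

    Entries without a tenant field are never returned, whatever their severity.
    """
    selected = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.get("tenant") != tenant:
            continue
        if severities is not None and entry.get("sev") not in severities:
            continue
        selected.append(entry)
    return selected


def verify_isolation(entries, tenant):
    """Second, independent gate before delivery: every entry must belong to the tenant."""
    return all(e.get("tenant") == tenant for e in entries)


def render(entries):
    """Serialize the extracted entries back into key=value lines for delivery to the customer."""
    out = []
    for e in entries:
        rest = " ".join(f"{k}={v}" for k, v in e.items() if k not in ("ts", "source"))
        out.append(f"{e['ts']} {e['source']} {rest}")
    return "\n".join(out)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for tenant in ("t-001", "t-002"):
        entries = extract_tenant_log(lines, tenant)
        if not verify_isolation(entries, tenant):
            raise SystemExit(f"isolation check failed for {tenant}")
        print(f"--- log for {tenant} ({len(entries)} entries) ---")
        print(render(entries))
```

The reviewer's evidence for practice guide 1.1 is the parameter definition that makes the hypervisor write the tenant field in the first place; without that field in the raw log the extraction above has nothing to key on, and the ECC error line in the sample shows why provider-internal events must stay out of every customer's extract.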
Control: ISO/IEC 27017 12.4.4 Clock synchronization
Implementation guidance for cloud service provider: The cloud service provider should provide information to the cloud service customer regarding the clock used by the cloud service provider's systems, and information about how a cloud service customer can synchronize local clocks with the cloud clock.
Additional technical information: VM time synchronization with the cloud environment is required for cloud service customers in IaaS. Generally, the VM time synchronization methods are as follows:
- NTP (Network Time Protocol) method
- Hypervisor method
1 Security implementation standard: The cloud service provider uses either the NTP or the hypervisor method to provide the means for synchronizing VM time.
Technical note on security implementation standard: The cloud service customers need to set up time synchronization of their own VMs based on the method provided.
1.1 Practice Guide: Check whether the cloud service provider provides a method for time synchronization.
Evidence assumed: Check whether an NTP server is provided and cloud service customers have access to the server via the NTP protocol. Check whether the hypervisor provides time synchronization and cloud service customers can use the function to synchronize time.
Method: Test

Control: ISO/IEC 27017 CLD.12.4.5 Monitoring of cloud services
Implementation guidance for cloud service provider: The cloud service provider should provide facilities that enable the cloud service customer to monitor specified aspects, relevant to the cloud service customer, of the operation of the cloud services. For example, to monitor and detect if the cloud service is being used as a platform to attack others or if sensitive data is being leaked from the cloud services. Appropriate access controls should secure the use of the monitoring capabilities. The capabilities should provide access only to information about the cloud service customer's own cloud service instances. The cloud service provider should provide documentation of the service monitoring facilities to the cloud service customer. Monitoring should provide data consistent with the event logs described in clause 12.4.1 and assist with SLA terms.
Additional technical information: In general, as defining nefarious use of cloud services is difficult, such use is detected as network traffic which exceeds a certain amount, or storage access of a similar kind.
1 Security implementation standard: Use a logging or monitoring function to detect the occurrence of the status defined as nefarious use of cloud services.
Technical note on security implementation standard: See 12.4.1.
1.1 Practice Guide: Check whether the monitoring system is defined so that an event defined as nefarious use of cloud services will be detected.
Evidence assumed: Definition of the monitoring system parameters
Method: Examine/Observe

Control: ISO/IEC 27017 12.6.1 Management of technical vulnerabilities
Implementation guidance for cloud service provider: The cloud service provider should make available to the cloud service customer information about the management of technical vulnerabilities as it applies to the cloud services and the information systems it uses.
Additional technical information: Technical vulnerabilities depend on the software version. In general, as cloud computing infrastructure components run more than one version of the same software, it is necessary to determine whether the vulnerabilities exist in the computing resources in use.
1 Security implementation standard: When technical vulnerabilities are found in cloud computing infrastructure components, identify the cloud service customers who are using the computing resources with the vulnerabilities and provide them with information on those vulnerabilities.
Technical note on security implementation standard: See the description in "12.1.2 Change management" for searching for the relationship between computing resources and cloud service customers.
1.1 Practice Guide: Check whether the service customers who are using the computing resources with the vulnerabilities found are identified and provided with information on the technical vulnerabilities.
Evidence assumed: Notification mail on technical vulnerabilities, portal screen, etc.
Method: Examine/Observe
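The CMDB search that 12.1.2 (practice guides 1.1 and 1.2) and 12.6.1 both rely on, as an added example that is not part of the Annex: a constructed CMDB extract in which each configuration item lists the items that depend on it, a breadth-first walk that returns the directly and indirectly affected customers for an item to be changed, and a lookup by software version for the vulnerability case. The item names, the software version strings and the rule "direct = one dependency hop" are assumptions made for the demonstration.

```python
from collections import deque

# Constructed CMDB extract (not real data). Each configuration item (CI) records its type,
# the software version it runs where relevant, the owning customer for customer-facing items,
# and the CIs that depend on it (the items that stop working if this one is changed).
CMDB = {
    "srv-01":    {"type": "physical_server", "dependents": ["hv-01"]},
    "hv-01":     {"type": "hypervisor", "software": "hypervisor-x 6.1", "dependents": ["vm-101", "vm-102"]},
    "hv-02":     {"type": "hypervisor", "software": "hypervisor-x 6.0", "dependents": ["vm-201"]},
    "san-sw-01": {"type": "fc_switch", "dependents": ["lun-7"]},
    "lun-7":     {"type": "virtual_disk", "dependents": ["vm-102", "vm-201"]},
    "vm-101":    {"type": "vm", "customer": "cust-A", "dependents": []},
    "vm-102":    {"type": "vm", "customer": "cust-A", "dependents": []},
    "vm-201":    {"type": "vm", "customer": "cust-B", "dependents": []},
}


def affected_items(cmdb, changed_ci):
    """Breadth-first walk over dependency edges (practice guide 1.2).

    Returns {ci_id: hops} for every CI that depends, directly or through other CIs,
    on changed_ci; the changed item itself is not included.
    """
    if changed_ci not in cmdb:
        raise KeyError(f"unknown configuration item: {changed_ci}")
    hops = {changed_ci: 0}
    queue = deque([changed_ci])
    while queue:
        current = queue.popleft()
        for dependent in cmdb[current]["dependents"]:
            if dependent not in hops:  # also protects against cycles in bad CMDB data
                hops[dependent] = hops[current] + 1
                queue.append(dependent)
    del hops[changed_ci]
    return hops


def affected_customers(cmdb, changed_ci):
    """Map each affected customer to 'direct' or 'indirect' (practice guides 1.1 and 1.3).

    Assumed rule: 'direct' when one of the customer's own items depends directly on the
    changed CI (one hop); 'indirect' when the dependency runs through other items.
    A customer affected both ways is reported as 'direct'.
    """
    result = {}
    for ci, distance in affected_items(cmdb, changed_ci).items():
        customer = cmdb[ci].get("customer")
        if customer is None:
            continue
        label = "direct" if distance == 1 else "indirect"
        if result.get(customer) != "direct":
            result[customer] = label
    return result


def customers_using_software(cmdb, software):
    """12.6.1: customers whose resources run on any CI with the given software version."""
    customers = set()
    for ci, record in cmdb.items():
        if record.get("software") == software:
            customers.update(affected_customers(cmdb, ci))
    return customers


if __name__ == "__main__":
    for ci in ("srv-01", "san-sw-01", "lun-7"):
        print(f"change to {ci}: affected items {affected_items(CMDB, ci)}")
        print(f"  customers to notify: {affected_customers(CMDB, ci)}")
    print("customers on hypervisor-x 6.0:", customers_using_software(CMDB, "hypervisor-x 6.0"))
```

The shared virtual disk lun-7 is the case practice guide 1.2 is about: a change to the FC switch san-sw-01 reaches both customers only through the disk, so a search that stops at the first hop would report nobody to notify.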
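One way to carry out the "Test" method of 12.4.4, i.e. confirming from a cloud service customer's VM that the provider's NTP server answers and that the resulting clock offset is sane, as an added example that is not part of the Annex. The packet builder and parser follow the NTP on-wire format; the server response used for the offline run is constructed, and the one-second tolerance is an assumption.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def _to_ntp_timestamp(unix_time):
    """Unix time (float seconds) -> 8-byte NTP timestamp (32-bit seconds, 32-bit fraction)."""
    seconds = int(unix_time)
    fraction = int((unix_time - seconds) * 2**32)
    return struct.pack("!II", seconds + NTP_EPOCH_OFFSET, fraction)


def _from_ntp_timestamp(raw):
    seconds, fraction = struct.unpack("!II", raw)
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def build_ntp_request():
    """48-byte client request: LI=0, VN=4, Mode=3 in the first byte, everything else zero."""
    return bytes([0x23]) + bytes(47)


def parse_ntp_response(data, t1, t4):
    """Evaluate a server response sent at local time t1 and received at local time t4.

    Uses the standard NTP formulas: offset = ((t2 - t1) + (t3 - t4)) / 2 and
    delay = (t4 - t1) - (t3 - t2), with t2/t3 the server receive/transmit timestamps.
    """
    if len(data) < 48:
        raise ValueError("short NTP packet")
    if data[0] & 0x07 != 4:
        raise ValueError("not a server (mode 4) response")
    stratum = data[1]
    if stratum == 0:
        raise ValueError("kiss-o'-death or unsynchronized server")
    t2 = _from_ntp_timestamp(data[32:40])  # receive timestamp
    t3 = _from_ntp_timestamp(data[40:48])  # transmit timestamp
    return {
        "stratum": stratum,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,
        "delay": (t4 - t1) - (t3 - t2),
    }


def build_ntp_response(t2, t3, stratum=2):
    """Constructed server response for the offline demonstration (no real server involved)."""
    header = bytes([0x24, stratum]) + bytes(30)  # LI=0, VN=4, Mode=4; stratum; rest of header zero
    return header + _to_ntp_timestamp(t2) + _to_ntp_timestamp(t3)


def query_ntp(host, port=123, timeout=2.0):
    """Live check for the reviewer: one request to the provider's NTP server (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_ntp_request(), (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_ntp_response(data, t1, t4)


def clock_in_tolerance(result, max_offset_seconds=1.0):
    """Assumed acceptance rule: the VM clock is within one second of the cloud clock."""
    return abs(result["offset"]) <= max_offset_seconds


if __name__ == "__main__":
    # Offline run with constructed timestamps: the VM sent at t1, the server received at t2
    # and answered at t3, the VM received the answer at t4.
    t1, t2, t3, t4 = 1000.0, 1000.5, 1000.6, 1001.0
    result = parse_ntp_response(build_ntp_response(t2, t3), t1, t4)
    print(f"stratum={result['stratum']} offset={result['offset']:+.3f}s delay={result['delay']:.3f}s")
```

For the live test, `query_ntp("<provider NTP server>")` from a customer VM is the observation; a timeout, a mode other than 4 or stratum 0 means the server is not usable, which is as relevant to the evidence as a good offset.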
C.6 Service management

C.6.1 Overview of Service management

In an infrastructure as a service environment, the security configuration of the virtual resources provided by the cloud service provider is the responsibility of the cloud service customer, who makes the configuration themselves. The security configuration of a virtual machine OS is a prime example. On the other hand, the configuration of functions on the virtualization mechanisms and log retrieval cannot be accessed directly by the cloud service customer. Therefore, Service management provides the necessary function for virtualization to the cloud service customer through a portal, etc. The functions for virtualization for network, server and storage each have access control functionality, but these are not open to the cloud service customer; the necessary coordination and settings are made in Service management.

It is also the role of Service management to maintain the correlation between physical resources and virtual structures or virtual resources, as well as between virtual resources and cloud service customers. Normally, a Configuration Management Database (CMDB) is used to hold these relationships. The user portal gives access to the cloud service customers' virtual resources and functions for virtualization based on this correlated information. Functionality to show notifications and the current status of incidents occurring on the cloud system is also provided to the cloud service customers.
[Figure 3 Outline of Service Management (diagram: cloud service users reach their tenants' virtual resources (virtual servers, virtual networks, virtual storage) through the user portal/APIs of Service management; Service management, with its operational support systems, business support systems and Configuration Management Database (CMDB), controls the virtualization mechanisms (network mechanism: VLAN, SDN, etc.; server virtualization mechanism: hypervisor; storage virtualization mechanism: RAID, LDev, etc.) over the physical resources (physical network, physical servers, physical storage))]

C.6.2 Application of Service management in the cloud services and its points of focus
(1) Access control
Each function for virtualization possesses mechanisms both for access control to the function for virtualization itself and for access control to the virtual resources. The authentication method (password), the object to which access privileges apply (user ID, etc.) and the scope of control differ for each of the network, server and storage sections. Service management provides unified access control to cloud service customers as tenants by applying the appropriate access controls across these differing classifications.
Note: The function for virtualization should not be opened directly to cloud service customers.

(2) User authentication
As a premise for access control, it is necessary to ensure that proper authentication is performed on cloud service customers. Within Service management, the user portals and APIs are the main interface for cloud service customers, and user authentication must be performed at the first point of access. Certain items of the user's mandate are decided by the maximum resources available to the user, the charge balance, the contract and the billing cost; these are managed by a BSS. On the other hand, parameter configuration of the function for virtualization by the cloud service customers, and access management by the aforementioned function for virtualization, are managed by an OSS.

(3) Configuration management
The relationship between physical servers and the virtual servers running on them, the relationship between virtual servers and cloud service customers, and the relationship between cloud service customers and contractual conditions, charges, etc. are essential information for managing and operating cloud services, and this relational information is also used when applying access controls. In Service management, information on these configurations is stored and managed in a CMDB (configuration management database). The BSS and OSS refer to this configuration management database and update it as they operate.

(4) Incident management
Incident management for events that occur on the physical resources configuring the system which provides the cloud service, on the function for virtualization, on the virtual resources, etc., as well as troubleshooting and notification between the cloud service provider and cloud service customers, are normally handled by Service management. Functionality for incident management is generally provided to the cloud service customers in the user portal, etc.
C.6.3 Auditing the Service management

C.6.3.1 User access management <9>
Control: ISO/IEC 27017 9.2.1 User registration and deregistration
Implementation guidance for cloud service provider: To manage access to cloud services by a cloud service customer's cloud service users, the cloud service provider should provide user registration and deregistration functions, and specifications for the use of these functions, to the cloud service customer.
Additional technical information: The object of this section is the addition and deletion of cloud service users in Service management. Generally, the cloud service customer operates the functionality of the active resource itself to perform user registration and deletion on virtual resources (e.g. the VM OS).
1 Security implementation standard: Management of cloud service users is implemented in Service management. Access controls for the function for virtualization are controlled by Service management and are not openly provided to the cloud service customer.
Technical note on security implementation standard: Where cloud service user management is possible through the Service management portal, methods for registration and deletion are provided in the portal. As management of cloud service customers is an important security item, cloud service providers may perform registration and deletion of cloud service users on request from those users.
1.1 Practice Guide: Confirm whether a method exists for cloud service customers to register or delete cloud service users through a cloud service customer portal, API, etc.
Evidence assumed: Portal operation screen and operation results; API or similar interface and operation results from the API
Method: Examine/Observe, Test

Control: ISO/IEC 27017 9.2.2 User access provisioning
Implementation guidance for cloud service provider: The cloud service provider should provide functions for managing the access rights of the cloud service customer's cloud service users, and specifications for the use of these functions.
Additional technical information: The object of this section is access provisioning for cloud service users in Service management. Access provisioning for virtual resources (e.g. the VM OS) is not subject to this section.
1 Security implementation standard: Cloud service user management is implemented in Service management. The access privilege management for cloud service users provided by Service management does not necessarily need to be identical to the access privilege management in the virtualization functions. However, the access privilege management specification presented to cloud service customers must be implemented as Service management.
Technical note on security implementation standard: Access provisioning for Service management is provided as management of cloud service users in the portal. The Single Sign-On mentioned in "Other information for cloud services" in this control is implemented in the Service management portal, etc., and SAML (Security Assertion Markup Language) can be given as a representative type of implementation.
1.1 Practice Guide: Confirm that cloud service user access privilege management functionality is provided within the user control in the portal.
Evidence assumed: Portal operation screen and operation results
Method: Examine/Observe, Test
1.2 Practice Guide: Where Single Sign-On functionality is provided, confirm that it can be used with the protocols, etc. provided.
Evidence assumed: External application with Single Sign-On implemented; access results to Service management through the external application
Method: Examine/Observe, Test

Control: ISO/IEC 27017 9.2.3 Management of privileged access rights
Implementation guidance for cloud service provider: The cloud service provider should provide sufficient authentication techniques for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service, according to the identified risk. For example, the cloud service provider can provide multi-factor authentication capabilities or enable the use of third-party multi-factor authentication mechanisms.
Additional technical information: The object of this section is access provisioning for cloud service users in Service management. Access provisioning for virtual resources (e.g. the VM OS) is not subject to this section.
1 Security implementation standard: "Sufficiently strong authentication" as defined in this control is implemented in the portal authentication, etc. of Service management.
Technical note on security implementation standard: Multi-factor authentication, given as an example of "sufficiently strong authentication" in this control, includes the following components:
- Biometric authentication
- Authentication using a token in addition to a password
- Authentication by client certificate
1.1 Practice Guide: Confirm that sufficiently strong authentication is provided as the portal authentication in Service management.
Evidence assumed: Authentication method and test results of the sufficiently strong authentication provided by the cloud service provider
Method
Examine/Observe, Test
Control: ISO/IEC 27017 9.4.1 Information access restriction
Implementation guidance for cloud service provider: The cloud service provider should provide access controls that allow the cloud service customer to restrict access to its cloud services, its cloud services functions and the cloud service customer data maintained in the service.
Additional technical information: The subject of this section is access provisioning for cloud service users in Service management. Access provisioning for virtual resources (e.g. VM OS) is not subject to this section.
1 Security implementation standard: Information and access privileges provided to the cloud service customer through Service management are limited to the tenant of that cloud service customer, and no information or access privileges for other tenants may be provided. In cases when it is possible to define the information and access privileges handled on a customer basis, these operations will be made possible through customer management functions in the portal etc.
Technical note on security implementation standard: Multiple cloud service customers share the function for virtualization in the cloud services. Tenant separation is implemented using the access controls of the function for virtualization, so that each cloud service customer cannot access information related to tenants of other cloud service customers. Access controls on a customer basis may be implemented within Service management rather than using the access controls of the function for virtualization.
1.1 Practice Guide: Confirm that information on other tenants cannot be accessed in the portal by using the management functionality for information provision and access privileges.
Evidence assumed: Portal operation screen and operation results
Method: Examine/Observe, Test
1.2 Practice Guide: In cases where functionality to provide access control on a customer basis is provided, confirm that access to cloud services is possible within the scope of access privilege configured for the customer.
Evidence assumed: Customer control screen and operations in the portal etc.; access results when applying access privilege limits to the customer
Method: Examine/Observe, Test
Control: ISO/IEC 27017 9.4.4 Use of privileged utility programs
Implementation guidance for cloud service provider: The cloud service provider should identify the requirements for any utility programs used within the cloud services. The cloud service provider should ensure that any use of utility programs capable of bypassing normal operating or security procedures is strictly limited to authorized personnel, and that the use of such programs is reviewed and audited regularly.
Additional technical information: Utility programs attached to the function for virtualization may have an influence on resources outside the cloud service customer tenant. If a cloud service customer requires the results of a utility program showing the status of the function for virtualization etc., the results must be provided to the cloud service customer in such a way that this will not affect other customers.
1 Security implementation standard: The virtualization utility program that provides information necessary to the cloud service customer will not allow direct access from the cloud service customer, will be executed within Service management in such a way that it will not affect other tenants, and will only provide information limited to the cloud service customer tenant.
Technical note on security implementation standard: The utility programs in this section include the following.
- Retrieval of virtual server specifications, logs and performance information related to server virtualization
- Retrieval of traffic information etc. related to network virtualization
- Retrieval of volume copies, access information etc. related to server virtualization
1.1 Practice Guide: Confirm that information provided by the utility function provided to the customer does not include information related to other tenants.
Evidence assumed: Utility function usage results
Method: Examine/Observe, Test
2 Security implementation standard: When the cloud service customer uses the utility of the function for virtualization in the tenant environment, virtualization parameters must be configured to ensure that no party other than the tenant is affected.
Technical note on security implementation standard: Generally, it is difficult to use the utility that is bundled with the function for virtualization from within the virtual resource. In order to audit this section, it is necessary to discover whether any utility exists that may exceed the necessary resources within the virtual resource and affect other resources, and to perform the following checks if such resources could be affected.
2.1 Practice Guide: With regard to utilities that may affect other resources, confirm that parameters to block this are defined in the function for virtualization. Note: if such a test is actually performed, it must be considered that this may cause a failure in the cloud environment.
Evidence assumed: Parameter definitions for the function for virtualization etc.
Method: Examine/Observe
C.6.3.2 Cryptography <10>
Control: ISO/IEC 27017 10.1.1 Policy on the use of cryptographic controls
Implementation guidance for cloud service provider: The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection.
NOTE In some jurisdictions, it may be required to apply cryptography to protect particular kinds of information, such as health data, resident registration numbers, passport numbers and driver's license numbers.
Additional technical information: In Service management, this control is required for encryption of access to the portal etc.
1 Security implementation standard: A representative example of implementing encryption of access to the portal is HTTP over SSL/TLS.
Technical note on security implementation standard: Communications with the Service management portal will use https.
1.1 Practice Guide: Confirm that https is used as the protocol for the Service management portal.
Evidence assumed: Protocol used to access the portal; certificate used to access the portal etc.
Method: Examine/Observe
2 Security implementation standard: Particular kinds of information in the control "Note" will be stored in order to manage cloud service customer and cloud service user information in Service management. The encryption denoted in this control must be applied to this information when necessary according to cloud provider policy.
Technical note on security implementation standard: Encryption for data managed by cloud management is a security control of the cloud provider themselves, and differs from the functionality provided to the cloud service customer as defined in this control.
2.1 Practice Guide: N/A
Evidence assumed: N/A
Method: ――
C.6.3.3 Information security incident management <16>
Control: ISO/IEC 27017 16.1.2 Reporting information security events
Implementation guidance for cloud service provider: The cloud service provider should provide mechanisms for: the cloud service customer to report an information security event to the provider; the cloud service provider to report an information security event to a cloud service customer; the cloud service customer to track the status of a reported information security event.
Additional technical information: As noted in "Other information for cloud services", this mechanism is provided by telephone, e-mail etc.
1 Security implementation standard: Portal functionality may be provided within Service management as an interface to the cloud service customer for management of information security incidents as defined in this control.
Technical note on security implementation standard: When implementing this functionality in Service management, reports raised by the cloud service customer and information provided by the cloud provider will be managed, and cloud service customers will have the functionality to understand the current situation of the incident in question.
1.1 Practice Guide: Confirm that the portal provides reports on the information security incident and functionality to assess the situation.
Evidence assumed: Information security incident related screens and operations on the portal etc.
Method: Examine/Observe
C.7 Server virtualization
C.7.1 Overview of server virtualization
Server virtualization abstracts a physical server (consisting of a CPU, memory, I/O devices, etc.) into a logical resource. Generally, server virtualization is structured as shown in Figure 4.
[Figure 4 (diagram not reproduced). Layers shown: virtual resources (applications and OS running in a virtual machine (VM) with virtual CPU (vCPU), virtual memory, virtual NIC and virtual I/O device); virtualization mechanisms (virtual machine monitor (VMM) with kernel/driver, virtual switch and virtual storage); physical resources (physical server with CPU, memory, NIC and I/O device).]
Figure 4 Overview of server virtualization
(1) CPU virtualization
CPU virtualization allocates the physical CPUs of a physical server to customer VMs through the Virtual Machine Monitor (VMM) as virtualization resources, on a virtual "core" basis. CPU virtualization makes it possible to over-subscribe, that is, to allocate more virtual CPUs than the number of physical CPU cores in the entire server. Under over-subscription, the VMM performs CPU scheduling and processing such as switching the virtual CPUs allocated to physical CPU cores. Therefore, note that simultaneous heavy processing by more than one VM increases the contention rate for the physical CPUs, consuming CPU resources for the CPU scheduling and adding latency before CPU resources are allocated, which may affect processing performance.
(2) Memory virtualization
Memory virtualization allocates the memory of virtual machines on the memory of the physical server. Similar to CPU virtualization, virtualizing the memory allows over-subscription, meaning that the total memory size seen from the virtual machines is larger than the actual memory size of the physical server. Memory over-subscription includes a method in which memory is allocated dynamically to a VM (ballooning) and another method in which more than one VM can share identical memory pages. In either method, the sum of the minimum values of the memory allocated to each VM must be smaller than the size of the memory installed in the physical server.
(3) Storage virtualization
In storage virtualization the storage of a virtual machine is handled as a set of files on the storage of a physical server. However, the occupied bandwidth, storage speed, etc. become a problem when a large amount of data is transferred to migrate a virtualized server between physical servers. Therefore, a system which provides cloud services is generally designed so that storage is accessed via a SAN (storage area network) by installing a shared storage server.
(4) I/O virtualization
I/O virtualization virtualizes a series of peripherals, including the NIC, HBA, and serial port adapter. A virtualized adapter port is used by connecting it to a virtual machine, which is set up to work on the VMM through VMM settings, or by connecting it to a physical adapter port on the physical server.
Note that the I/O functions of the HBA and NIC are much more heavily shared hardware than memory and CPUs, and often become a bottleneck, particularly in the function for virtualization.
C.7.2 Application of server virtualization in the cloud services and its points of focus
(1) Tenant separation in the server virtualization
In general virtualized environment design, virtualized servers are designed as completely independent resources and connected via a virtual network between VMs. Therefore, the minimum network security measures are required for separating VM resources. In addition, what should be noted specially in the virtualization environment is correcting vulnerabilities of the virtualization environment itself with fixes provided by a legitimate source.
Furthermore, a special virtualization environment may provide a fast communication route between VMs for mutual connection, or enable data exchange between VMs via a physical port of the physical server. Therefore, attention should be paid to I/Os other than the NIC. To protect virtual resources, a technology exists by which memory and I/O are accessed from the VMM or a privileged VM. Using this technology, the behaviour on the VM can be monitored and invalid program operation detected, to protect the resources. However, even though access from the VMM or the privileged VM is useful for the security of virtual resources, remember not to install this technology carelessly, because it may provide an attack route to malicious users.
(2) Ensured availability in the server virtualization
Live migration is a function that migrates the VM operating environment onto a different physical server without deactivating the VM. Live migration is implemented by starting up a VM image stored on shared storage on the VMM of the destination physical server, transferring the data in cache memory via LAN, and taking over the virtualized I/O. With this mechanism the memory content flows over the LAN during live migration, so memory data security and LAN security are critical. In live migration, either the administrator migrates the VM between physical servers, or a high-availability technology is provided by which the VM is migrated between physical servers automatically when a failure occurs in the environment. If a failure is detected by monitoring with this kind of high-availability technology, the provided services will be suspended for a certain period of time, because the image of the virtual machine running on the faulty physical server is activated on another physical server that is working normally. A failure-resistant virtualization environment is also provided as a technology to reduce the service suspension time that occurs with the high-availability technology.
The failure-resistant virtualization environment includes an implementation that operates primary and secondary VMs on more than one physical server and synchronizes both VMs with each other at all times. Under normal operation, the primary VM provides the service and the secondary VM can take it over the moment a failure occurs, providing the failure resistance. Note that both technologies require available resources on another physical server, not on the same physical server.
(3) Capacity administration in the server virtualization
Virtualized memory or CPU resources can be allocated dynamically during operation by using an appropriate OS. Because at most the resources on the physical server can be allocated, free space may need to be assured by using the above live migration technology to migrate the VM to another physical server, considering the resources used by other VMs. Physical server resources are indexed by:
Number of CPU cores
Memory size
Disk I/O performance
Disk size
Network I/O performance
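The following is an added example (not part of this Annex, and not any provider's tooling) that applies these indexes to one physical server: it checks the memory over-subscription rule of C.7.1 (2), that the sum of the minimum memory allocated to each VM stays below the installed memory, limits CPU over-subscription to a policy ratio, and checks the remaining indexes after multiplying by a virtualization overhead factor and reserving a per-server margin. The host, VM, overhead and margin figures are constructed sample values; in a real review they come from the provider's design documents and measurements.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example, not text from the Annex: a capacity check for one physical
# server using the indexes listed above, the memory over-subscription rule of
# C.7.1 (2) and the overhead/margin reasoning of C.7.2 (3). All host, VM,
# overhead and margin figures are constructed sample values, not measurements.


@dataclass
class VmSpec:
    name: str
    vcpus: int
    mem_min_gb: float   # minimum (reserved) memory; with ballooning the VM may receive more
    mem_max_gb: float   # memory size as seen from inside the VM
    disk_gb: float
    disk_iops: int
    net_mbps: int


@dataclass
class HostSpec:
    cpu_cores: int
    mem_gb: float
    disk_gb: float
    disk_iops: int
    net_mbps: int


INDEXES = ("cpu_cores", "mem_gb", "disk_gb", "disk_iops", "net_mbps")

# Constructed sample values.
SAMPLE_HOST = HostSpec(cpu_cores=32, mem_gb=256, disk_gb=4000, disk_iops=20000, net_mbps=10000)
SAMPLE_VMS = [
    VmSpec("web", vcpus=4, mem_min_gb=4, mem_max_gb=16, disk_gb=200, disk_iops=1000, net_mbps=500),
    VmSpec("db", vcpus=8, mem_min_gb=32, mem_max_gb=64, disk_gb=1000, disk_iops=6000, net_mbps=1000),
    VmSpec("batch", vcpus=16, mem_min_gb=8, mem_max_gb=64, disk_gb=500, disk_iops=2000, net_mbps=500),
]
# Virtualization overhead factor per index (assumed; obtained by measurement in practice).
SAMPLE_OVERHEAD = {"cpu_cores": 1.1, "mem_gb": 1.05, "disk_gb": 1.05, "disk_iops": 1.1, "net_mbps": 1.1}


def sum_indexes(vms: List[VmSpec]) -> Dict[str, float]:
    """Total of each index provided as a service on this host."""
    return {
        "cpu_cores": sum(v.vcpus for v in vms),
        "mem_gb": sum(v.mem_max_gb for v in vms),
        "disk_gb": sum(v.disk_gb for v in vms),
        "disk_iops": sum(v.disk_iops for v in vms),
        "net_mbps": sum(v.net_mbps for v in vms),
    }


def required_resources(vms: List[VmSpec], overhead: Dict[str, float]) -> Dict[str, float]:
    """Service totals multiplied by the virtualization overhead (C.7.2 (3))."""
    totals = sum_indexes(vms)
    return {k: totals[k] * overhead.get(k, 1.0) for k in INDEXES}


def check_host(host: HostSpec, vms: List[VmSpec], overhead: Dict[str, float],
               margin: float, max_cpu_oversub: float) -> List[str]:
    """Findings for one physical server (an empty list means within policy).
    memory: the sum of the per-VM minimum allocations must stay below the
            installed memory (C.7.1 (2)), whatever the over-subscription.
    cpu:    vCPU/core over-subscription is allowed up to a policy limit.
    others: required value (with overhead) must fit in capacity minus margin.
    """
    findings = []
    reserved = sum(v.mem_min_gb for v in vms)
    if reserved >= host.mem_gb:
        findings.append(f"memory: reservations {reserved} GB not below physical {host.mem_gb} GB")
    ratio = sum(v.vcpus for v in vms) / host.cpu_cores
    if ratio > max_cpu_oversub:
        findings.append(f"cpu: over-subscription {ratio:.2f} exceeds limit {max_cpu_oversub}")
    req = required_resources(vms, overhead)
    capacity = {"disk_gb": host.disk_gb, "disk_iops": host.disk_iops, "net_mbps": host.net_mbps}
    for k, cap in capacity.items():
        usable = cap * (1 - margin)
        if req[k] > usable:
            findings.append(f"{k}: required {req[k]:.1f} exceeds usable {usable:.1f} (margin {margin:.0%})")
    return findings


if __name__ == "__main__":
    result = check_host(SAMPLE_HOST, SAMPLE_VMS, SAMPLE_OVERHEAD, margin=0.2, max_cpu_oversub=2.0)
    for line in result or ["within policy"]:
        print(line)
```

The margin is applied per physical server, as the text recommends, so that a failed neighbour's VMs can be received by live migration or high-availability restart without exhausting the host; which indexes are treated as hard limits and which may be over-subscribed is the provider's SLA decision and is recorded in the same design document the reviewer examines.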
The total required resources can be calculated by multiplying the total of these indexes provided as services, for a simple virtualized environment, by the overhead imposed by the virtualization. When service availability is considered, a margin should be assured per physical server as well as the resources themselves. Which index should be focused on and how services are provided depend on the business model or SLA of the cloud service provider; in any case, it is critical that currently provided resources and available resources are monitored so that hardware resources can continue to be provided. This kind of monitoring will be performed mainly at Service management for the integrity of the entire cloud services environment. However, note that a resource usage monitoring tool may be installed on the VMM or privileged VM of the server virtualization.
C.7.3 Auditing the server virtualization
(1) CLD.9.5.1 Segregation in virtual computing environments
For segregation in server virtualization, see "7.2 Application of server virtualization in the cloud services and its points of focus" (Tenant separation in the server virtualization). The implementation above and its review method are defined under "CLD.9.5.1 Segregation in virtual computing environments" below.
Control: ISO/IEC 27017 CLD.9.5.1
Implementation guidance for cloud service provider: The cloud service provider should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network for:
– the separation of resources used by cloud service customers in multi-tenant environments;
– the separation of the cloud service provider's internal administration from resources used by cloud service customers.
Where the cloud service involves multi-tenancy, the cloud service provider should implement information security controls to ensure appropriate isolation of resources used by different tenants. The cloud service provider should consider the risks associated with running cloud service customer-supplied software within the cloud services offered by the cloud service provider.
Additional technical information: Implementation of the logical partition depends upon the technologies applied to the virtualization.
1 Security implementation standard: Separation of cloud service customers in multi-tenant environments.
Technical note on security implementation standard: There is a communication path between VMs using memory and virtual ports, which may become a communication path between "virtual resources".
1.1 Practice Guide: Make inactive functions accessed directly between VMs.
Evidence assumed: Confirm that functions accessed directly between VMs within the VMM are made inactive.
Method: Examine/Observe, Examine/Review
2 Security implementation standard: Separation of the cloud service provider's internal administration from the cloud service customers' virtual environments.
Technical note on security implementation standard: Within VM-VMM separation, VM-VM management is active in the same way as noted in the previous section. In addition, as a communication path may be created by tools implemented in VM-VMM for security or availability purposes, vulnerabilities in those tools may prove to be a loophole in the VM-VMM configuration.
2.1 Practice Guide: Applying segregation functions of the virtualization software. Enable the partition function in the virtualization environment.
Evidence assumed: Confirmation of the access control policy in the VMM; confirm that Transparent Page Sharing is inactive in the VMM.
Method: Examine/Observe, Examine/Review
2.2 Practice Guide: Physical segregation of a cluster of virtual systems.
Evidence assumed: Confirm that the virtualization support function in the physical server is active.
Method: Examine/Observe, Examine/Review
3 Security implementation standard: Perform vulnerability management.
Technical note on security implementation standard: Confirm that products used in the virtualization platform (host OS, hypervisor etc.) are built with security measures in mind (Common Criteria certified etc.).
3.1 Practice Guide: Confirm that products used in virtualization platforms are built with security measures in mind.
Evidence assumed: Base design document for the virtualization platform
Method: Examine/Review
3.2 Practice Guide: Sharing of vulnerability information within operations.
Evidence assumed: Confirmation of the status of vulnerability information sharing (check posted information on the portal page etc.)
Method: Examine/Observe
CLD.9.5.2 Virtual Machine Hardening
This Annex does not explain anew how to harden a virtualized server, because general server hardening technologies can be applied to it. However, there is a technology that provides security for a server from the VMM. If this technology is used, its review method shall also comply with the method defined in ISO/IEC 27002.
Control: ISO/IEC 27017 CLD.9.5.2 Virtual Machine Hardening
Implementation guidance for cloud service provider: When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened (e.g. only those ports, protocols and services that are needed to run the cloud services are enabled) and the appropriate technical measures are in place (e.g. anti-malware, logging) for each virtual machine used.
Additional technical information: Virtual machine hardening is achieved not only by the VM operating system, but also by the VM/VMM and physical server. As these are all closely related, virtual machine hardening requires cooperation from the cloud service customer and cloud service provider.
1 Security implementation standard: When configuring virtual machines, only necessary devices and/or services shall remain in effect.
Technical note on security implementation standard: ――
1.1 Practice Guide: Virtual devices to comprise the VM are configured as the bare minimum.
Evidence assumed: Confirm that the VM functionality provided within the VMM is configured as the bare minimum.
Method: Examine/Observe, Examine/Review
1.2 Practice Guide: Describe what type of service will be added to the VM OS image provided by default in the VMM or Service management.
Evidence assumed: Confirm that the posting of additional service information is performed in the configuration screen for a new VM created by cloud service users, which is provided in Service management.
Method: Examine/Observe, Examine/Review
2 Security implementation standard: When creating a virtual environment, reduce the risk of malware and vulnerability attacks on the server that provides the virtual environment.
Technical note on security implementation standard: Depending on the virtualization technology, it is possible to add various applications using a generic OS, but unnecessary roles, functions and applications must be avoided. The VMM must be dedicated to running essential infrastructure elements such as antivirus software, backup agent etc. It is ideal to use a VMM with all functionality that could host a vulnerability removed.
2.1 Practice Guide: Confirm that services on the host are limited to the bare minimum. An OS in minimum configuration is recommended.
Evidence assumed: Check the services on the VMM and confirm against the design document that it is the bare minimum configuration.
Method: Examine/Observe, Examine/Review
2.2 Practice Guide: Confirm that security updates are performed appropriately on the VMM and applications (including the VMM).
Evidence assumed: Confirm that no new updates remain to be performed, using the implemented update tool.
Method: Examine/Observe, Test
2.3 Practice Guide: Confirm that the boot loader and VMM are not tampered with in any way.
Evidence assumed: Confirm that Secure Boot is active by checking the UEFI screen.
Method: Examine/Observe
3 Security implementation standard: When configuring virtual machines, ensure that appropriate technical controls are in place (e.g. anti-malware, logging) for each virtual machine used.
Technical note on security implementation standard: While this is similar to commonly used practices for managing vulnerabilities on servers, there is software, such as drivers to use para-virtualized environments more effectively and software to manage guest machines from the server etc., that must be implemented because the environment is virtualized.
3.1 Practice Guide: Collect information on vulnerabilities in the tools and drivers used in virtual environments and prepare a model to announce updates to cloud service customers.
Evidence assumed: Check that notification logs and related data can be confirmed by the cloud service customers.
Method: Examine/Observe
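Several of the Practice Guide items in CLD.9.5.1 (direct VM-to-VM functions inactive, Transparent Page Sharing inactive) and CLD.9.5.2 (only permitted services on the VMM, Secure Boot active) reduce to comparing a VMM configuration export against a baseline taken from the base design document. The following is an added example of that comparison; it is not part of this Annex and not a tool of any virtualization product. The setting names, values and the export format are constructed placeholders, labelled as such in the code: a reviewer substitutes the real setting names of the product under review, taken from its hardening guide and the provider's design document.

```python
import re
from typing import Dict, List, Tuple

# Added example, not text from the Annex: comparing a hypervisor (VMM)
# configuration export against a review baseline. All key names, values and
# the "key = value" export format are CONSTRUCTED placeholders; a reviewer
# replaces them with the real setting names of the product under review.

CONSTRUCTED_VMM_EXPORT = """
# hypothetical VMM settings export (constructed sample, not a real product)
vmm.intervm.shared_memory_channel = enabled
vmm.memory.transparent_page_sharing = intertenant
vmm.intervm.virtual_serial_passthrough = disabled
vmm.boot.secure_boot = enabled
vmm.services.enabled = ssh, ntp, syslog-forward, web-ui, debug-console
vmm.patch.last_applied = 2024-01-15
"""

# Expected values for the settings behind CLD.9.5.1 items 1.1 and 2.1
# (inter-VM paths inactive, page sharing inactive) and CLD.9.5.2 item 2.3
# (Secure Boot active). Hypothetical keys; the values are what the baseline requires.
BASELINE: Dict[str, str] = {
    "vmm.intervm.shared_memory_channel": "disabled",
    "vmm.memory.transparent_page_sharing": "disabled",
    "vmm.intervm.virtual_serial_passthrough": "disabled",
    "vmm.boot.secure_boot": "enabled",
}

# Services the (hypothetical) design document permits on the VMM (CLD.9.5.2 item 2.1).
PERMITTED_SERVICES = {"ssh", "ntp", "syslog-forward", "web-ui"}


def parse_export(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines, skipping blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([\w.\-]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def check_segregation(settings: Dict[str, str]) -> List[str]:
    """One finding per baseline key that is absent or deviates from the baseline.
    An absent key is reported too: silence in the export is not evidence."""
    findings = []
    for key, expected in BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not present in export (cannot confirm)")
        elif actual.lower() != expected:
            findings.append(f"{key}: is '{actual}', baseline requires '{expected}'")
    return findings


def check_services(settings: Dict[str, str]) -> List[str]:
    """Services enabled on the VMM that the design document does not permit."""
    raw = settings.get("vmm.services.enabled", "")
    enabled = {s.strip() for s in raw.split(",") if s.strip()}
    return sorted(enabled - PERMITTED_SERVICES)


def review(text: str) -> Tuple[List[str], List[str]]:
    """Run both checks over one export; returns (segregation findings, excess services)."""
    settings = parse_export(text)
    return check_segregation(settings), check_services(settings)


if __name__ == "__main__":
    segregation, services = review(CONSTRUCTED_VMM_EXPORT)
    for f in segregation:
        print("segregation:", f)
    for s in services:
        print("service not in design document:", s)
```

On the constructed sample the review reports the shared-memory channel and the page-sharing setting as deviations and one service (debug-console) that the design document does not permit; each finding maps back to the Practice Guide item whose evidence it supports, which is how the result is recorded.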
C.8 Network virtualization
C.8.1 Overview of network virtualization
Conventional network virtualization is a means to enable multiple independent communications on a single physical network. On the other hand, network virtualization on server virtualization is a means to connect multiple virtual machines that are in a single physical server. Virtual machines can move to another physical server, triggered by a failure of their physical server or a high usage rate of a physical resource. It is characteristic that the virtual machines continue to have the same VLAN IDs and IP addresses in this case. The following is the outlined configuration of the virtual machines and the network connecting them:
[Figure 5 (diagram not reproduced). Elements shown: VMs with virtual NICs, virtual routers and virtual firewalls connected to virtual switches on each VMM; physical servers with physical NICs connected to physical switches; physical storage; a physical firewall and physical router at the edge.]
Figure 5 Overview of network virtualization
(1) Virtual switch
A function of the logical L2 switch provided by the virtual machine monitor. This lies between a physical NIC and a virtual machine and receives/sends frames. As the physical NIC transparently relays frames, a virtual switch is connected through the physical NIC to the physical switch.
(2) Virtual NIC
A function of the logical network interface card provided by a virtual machine monitor to connect a virtual machine to a virtual switch.
(3) Virtual router
Refers to a function of the logical router provided by the software installed on a virtual machine, or to the actual virtual machine functioning as a router. A virtual switch may have a router function, too.
(4) Virtual firewall
Refers to a function of the logical firewall provided by the software installed on a virtual machine, or to the actual virtual machine functioning as a firewall.
C.8.2 Application of network virtualization in the cloud services and its points of focus
(1) Tenant separation in the network virtualization
A virtual machine used by a tenant has a unique virtual MAC address and IP address. Because a logical network connecting one or more virtual machines is set up separately for each tenant, the tenants are separated both on the physical network and on the physical server.
(2) Ensuring availability in the network virtualization
If a physical server fails, the availability of the virtual machines and the virtual network on the server can be maintained by moving them to another physical machine. When a physical NIC installed in a physical server fails, and the physical NIC is redundantly configured, availability can be maintained by the virtual network switching to another physical NIC without changing the virtual machine itself.
(3) Managing the bandwidth and address space in the network virtualization
Because cloud services in general set up many virtual resources on a limited physical resource at high density, the sum of the logical bandwidths of the virtual networks can be far greater than the physical bandwidth of the physical network. In addition, since many virtual machines may move from one physical server to another while keeping their VLAN ID and/or IP address, the number of VLAN IDs to be set in the physical switch and/or the number of MAC addresses to learn tend to increase.
C.8.3 Auditing the network virtualization
C.8.3.1 Access control <9>
cf. ISO/IEC 27017 13.1.
C.8.3.2 Cryptography <10>
Control: ISO/IEC 27017 10.1.1 Policy on the use of cryptographic controls
Implementation guidance for cloud service provider: The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection.
NOTE In some jurisdictions, it may be required to apply cryptography to protect particular kinds of information, such as health data, resident registration numbers, passport numbers and driver's license numbers.
Additional technical information: Cloud service customers' communication when accessing the cloud services is encrypted.
1 Security implementation standard: User data is encrypted using network devices or server encryption functionality.
Technical note on security implementation standard: Encryption uses encryption protocols such as SSL/TLS, SSH, IPsec etc.
1.1 Practice Guide: Confirm that network devices or servers are configured for communication encryption.
Evidence assumed: Configuration values for encryption on the communication device or server
Method: Examine/Observe, Examine/Review
1.2 Practice Guide: Use a packet analyzer to monitor the traffic over the communication path and confirm that the payload is encrypted.
Evidence assumed: Traffic monitoring data from the packet analyzer
Method: Examine/Observe, Examine/Review
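Practice Guide 1.2 above, like item 1.1 of C.6.3.2 for the Service management portal, asks the reviewer to confirm from captured traffic that the payload is encrypted. The following is an added example of how to make that judgement repeatable rather than visual; it is not part of this Annex or of any packet analyzer. It recognizes a well-formed TLS record by its header, falls back to byte entropy and printable ratio for other encrypted protocols such as SSH or IPsec, and otherwise reports plaintext. Both captures are constructed samples, and the "ciphertext" inside the TLS record is seeded pseudo-random bytes standing in for real ciphertext.

```python
import math
import random
from collections import Counter
from typing import Optional, Tuple

# Added example, not text from the Annex: classifying a captured payload to
# support Practice Guide 1.2 (and the https check of C.6.3.2). Both captures
# are CONSTRUCTED samples, not recorded traffic; the TLS record carries seeded
# pseudo-random bytes in place of real ciphertext.

CONSTRUCTED_PLAINTEXT = (
    b"GET /portal/login HTTP/1.1\r\nHost: portal.example\r\n"
    b"Cookie: session=abc123\r\nUser-Agent: review-check\r\n\r\n"
)

_rng = random.Random(2024)
CONSTRUCTED_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(400))
# TLS record header: content type 0x17 (application_data), version 0x0303, 2-byte length.
CONSTRUCTED_TLS_RECORD = (b"\x17\x03\x03" + len(CONSTRUCTED_CIPHERTEXT).to_bytes(2, "big")
                          + CONSTRUCTED_CIPHERTEXT)

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, roughly 4 to 5 for HTTP text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b < 0x7F or b in (9, 10, 13)) / len(data)


def parse_tls_record(data: bytes) -> Optional[Tuple[str, int]]:
    """(content type, body length) if data is exactly one well-formed TLS record:
    known type byte, version 0x03xx, declared length equal to the body. Else None."""
    if (len(data) < 5 or data[0] not in TLS_CONTENT_TYPES
            or data[1] != 0x03 or data[2] > 0x04):
        return None
    length = int.from_bytes(data[3:5], "big")
    if length != len(data) - 5:
        return None
    return TLS_CONTENT_TYPES[data[0]], length


def classify_payload(data: bytes, entropy_threshold: float = 6.5) -> str:
    """'tls:<content type>' for a TLS record; 'opaque' for high-entropy non-text
    data (encrypted by another protocol, or compressed); 'plaintext' otherwise.
    'plaintext' on a path the configuration says is encrypted is the finding."""
    rec = parse_tls_record(data)
    if rec is not None:
        return f"tls:{rec[0]}"
    if printable_ratio(data) < 0.7 and shannon_entropy(data) >= entropy_threshold:
        return "opaque"
    return "plaintext"


if __name__ == "__main__":
    for name, capture in (("http", CONSTRUCTED_PLAINTEXT), ("tls", CONSTRUCTED_TLS_RECORD)):
        print(name, classify_payload(capture), round(shannon_entropy(capture), 2))
```

An "opaque" verdict only says the bytes are not readable; it does not identify the protocol or the cipher strength, so the reviewer still pairs it with the configuration evidence of Practice Guide 1.1 (protocol versions and cipher suites) before concluding that the control is met.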
C.8.3.3 Communications security <13>

Control: ISO/IEC 27017 13.1.3 Segregation in networks

Implementation guidance for cloud service provider: The cloud service provider should enforce segregation of network access for the following cases:
- segregation between each tenancy in a multi-tenant environment;
- segregation between the cloud service provider's internal administration environment and the customer's cloud computing environment.
Where appropriate, the cloud service provider should help the cloud service customer verify the segregation implemented by the cloud service provider.

Additional technical information: Segregation in networks in cloud services takes two forms: physical segregation using physical networks whose physical resources are independent, and logical segregation using logical networks that share physical resources. Logical networks can extend not only across physical networks but also into physical servers (the virtual switches of the hypervisor).

1 Security implementation standard:
- When cloud service customers each use individual physical resources (e.g. physical server, physical storage), a physical network consisting of independent communication devices and communication cables shall be used as a dedicated network for each cloud service customer.
- When multiple cloud service customers share the same physical resource as tenants (e.g. physical server, physical storage), a logically independent VLAN shall be used for each tenant or virtual machine.
- The cloud service administrator who manages the physical resources (e.g. physical server, physical storage) used by cloud service customers shall connect to a different physical port from those used by cloud service customers and shall use, as the administrative network, a physical network consisting of physically independent communication devices and communication cables.
- The cloud service provider who manages the physical resources (e.g. physical server, physical storage) used by cloud service customers shall connect to a different logical port from those used by cloud service customers and shall use a logically independent VLAN as the administrative network.

Technical note on security implementation standard: When the network is physically separated, different port IDs are applied to multiple physical ports on the same physical asset. When the network is logically divided, different VLAN IDs, VSAN IDs or IP subnets are applied to multiple logical networks on the same physical network.

1.1 Practice guide: Confirm that an independent network is set up for each tenant and that no other path (back door) exists between tenant networks.
    Evidence assumed: Routing information for the network and the network IDs assigned to tenants (switching table, routing table etc.).
    Method: Examine/Observe, Examine/Review

1.2 Practice guide: Confirm that only authorized persons can access the network configured for each tenant.
    Evidence assumed: Access privileges for the networks assigned to tenants (access control server, management table for network device access privileges etc.).
    Method: Examine/Observe, Examine/Review

1.3 Practice guide: Confirm that the administrative network used by the cloud service provider is configured independently of the other networks, and that only authorized persons within the cloud service provider can access the configured administrative network.
    Evidence assumed: Access privilege settings and routing information for the management network used by the cloud service provider.
    Method: Examine/Observe, Examine/Review
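The check behind practice guides 1.1 and 1.3 (one VLAN set per tenant, administrative VLANs only on the provider's own ports, no layer-3 path between owners) can be run mechanically over an exported switch and router configuration. The script below is an added example, not part of the Annex; its configuration model, port roles and the sample switch layout are assumptions, and a reviewer would load the real VLAN database, port configuration and routing table into the same structures.

```python
"""Tenant/administrative network segregation check (practice guides 1.1 and 1.3).

Added example, not part of the Annex. The data model, the port roles and the
sample configuration are assumptions standing in for a real switch export.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass
class SwitchPort:
    name: str
    mode: str          # "access" or "trunk"
    vlans: set         # access VLAN, or VLANs allowed on the trunk
    role: str          # "tenant" (customer-facing), "admin" (provider-facing) or "uplink" (to hypervisor)


@dataclass
class NetworkConfig:
    tenant_vlans: dict   # tenant name -> set of VLAN IDs assigned to it
    admin_vlans: set     # provider administrative VLAN IDs
    ports: list          # SwitchPort entries
    routes: list         # (from VLAN, to VLAN) pairs the L3 device forwards between


def vlan_owner(cfg: NetworkConfig, vlan: int):
    """Who a VLAN belongs to: 'admin', a tenant name, or None if unassigned."""
    if vlan in cfg.admin_vlans:
        return "admin"
    for tenant, vlans in cfg.tenant_vlans.items():
        if vlan in vlans:
            return tenant
    return None


def check_segregation(cfg: NetworkConfig) -> list:
    """Return findings as strings; an empty list means the segregation holds."""
    findings = []
    # 1. A VLAN ID belongs to exactly one tenant and is never also an admin VLAN.
    for a, b in combinations(cfg.tenant_vlans, 2):
        shared = cfg.tenant_vlans[a] & cfg.tenant_vlans[b]
        if shared:
            findings.append(f"VLAN(s) {sorted(shared)} assigned to both {a} and {b}")
    for tenant, vlans in cfg.tenant_vlans.items():
        if vlans & cfg.admin_vlans:
            findings.append(f"tenant {tenant} assigned admin VLAN(s) {sorted(vlans & cfg.admin_vlans)}")
    # 2. Admin VLANs ride only on admin ports (a different physical or logical port
    #    from the customers'), and a customer-facing port carries a single owner.
    for p in cfg.ports:
        admin_on_port = p.vlans & cfg.admin_vlans
        if admin_on_port and p.role != "admin":
            findings.append(f"port {p.name} ({p.role}) carries admin VLAN(s) {sorted(admin_on_port)}")
        owners = {vlan_owner(cfg, v) for v in p.vlans} - {None}
        if p.role == "tenant" and len(owners) > 1:
            findings.append(f"port {p.name} carries VLANs of several owners {sorted(owners)}")
    # 3. The L3 device must not forward between VLANs of different owners (a back door).
    for src, dst in cfg.routes:
        so, do = vlan_owner(cfg, src), vlan_owner(cfg, dst)
        if so != do:
            findings.append(f"route VLAN {src} ({so}) -> VLAN {dst} ({do}) crosses the segregation boundary")
    return findings


def sample_compliant() -> NetworkConfig:
    """Constructed sample: two tenants, one admin VLAN on its own port."""
    return NetworkConfig(
        tenant_vlans={"tenant-A": {101, 102}, "tenant-B": {201}},
        admin_vlans={900},
        ports=[
            SwitchPort("Gi1/0/1", "access", {101}, "tenant"),
            SwitchPort("Gi1/0/2", "access", {201}, "tenant"),
            SwitchPort("Te1/1/1", "trunk", {101, 102, 201}, "uplink"),
            SwitchPort("Gi1/0/48", "access", {900}, "admin"),
        ],
        routes=[(101, 102)],   # intra-tenant routing only
    )


def sample_with_back_door() -> NetworkConfig:
    """Same layout with three typical mistakes injected."""
    cfg = sample_compliant()
    cfg.ports[2].vlans.add(900)             # admin VLAN trunked down the hypervisor uplink
    cfg.routes.append((201, 900))           # tenant-B VLAN routed into the admin VLAN
    cfg.tenant_vlans["tenant-B"].add(102)   # VLAN 102 now assigned to two tenants
    return cfg


if __name__ == "__main__":
    for finding in check_segregation(sample_with_back_door()):
        print("FINDING:", finding)
```

The route check is the one most often skipped in a manual review: VLANs may be perfectly distinct at layer 2 while a router SVI or a firewall rule quietly joins them at layer 3, which is exactly the "other back door" practice guide 1.1 asks the reviewer to exclude.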
Control: ISO/IEC 27017:201x CLD.13.1.4 Consistency between virtual and physical networks

Implementation guidance for cloud service provider: The cloud service provider should define and document an information security policy for the configuration of the virtual network consistent with the information security policy for the physical network. The cloud service provider should ensure that the virtual network configuration matches the information security policy, whatever the means used to create the configuration.

Additional technical information: If the means of configuring the physical resources (e.g. physical switch, physical router, physical cable, physical server, physical storage) is independent of the means of configuring a virtual network that uses those physical resources as part of its path, keeping the two sets of settings aligned by hand demands skill and constant attention from the person doing the configuration. Several technical means exist that do not rely only on that person's skill but align the settings of the virtual network and the physical network automatically.

1 Security implementation standard (any of the following means):
- A network architecture shall be adopted in which the control functions of the virtual network and of the physical network are each separated from their data path and integrated in a single controller.
- A physical switch that implements the virtual switch function shall be used, rather than a virtual switch on the server, so that the virtual networks and the physical networks are controlled on the physical switch.
- A mechanism that synchronizes changes of the virtual switch and physical switch settings with the live migration of virtual machines shall be used; in addition, VLAN IDs shall be extended across all hosts so that the same network settings apply after a live migration has moved a virtual machine.
- The administration system of the virtual networks and that of the physical networks shall be unified, and this unified system shall be used to configure the settings.

Technical note on security implementation standard: Because of rerouting after a failure or after a VM live migration, the path that a virtual network takes over the physical network changes. Also, when multiple tenants or multiple VMs exist on one physical server, multiple virtual networks are configured on the virtual network devices (virtual switch, virtual router etc.) of that server.

1.1 Practice guide: Confirm that the physical path used by the virtual network under review can be identified.
    Evidence assumed: Virtual network IDs configured on the physical network devices; virtual network IDs configured on the virtual network devices on the physical server.
    Method: Examine/Observe, Examine/Review

1.2 Practice guide: Confirm that the virtual network under review is not inconsistent with the configuration of the physical network it uses as its path (e.g. routing, switching, filtering, bandwidth control, priority control, access control).
    Evidence assumed: Path selection configuration (switching table, routing table etc.), filtering, bandwidth control, prioritization and access control configuration on both the physical and the virtual network devices.
    Method: Examine/Observe, Examine/Review
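Practice guides 1.1 and 1.2 reduce to comparing three exports: the VLANs the physical switch allows on each host uplink, the port groups each host's virtual switch defines, and the VM inventory (to cover what happens after a live migration). The script below is an added example, not part of the Annex; the cluster data model, host names and VLAN numbers are constructed, and a reviewer would replace them with the real switch trunk configuration and hypervisor export. It also covers the filtering case from 1.2: VM-to-VM traffic on the same host never reaches the physical switch, so a filter present only on the physical side is bypassed.

```python
"""Virtual/physical network consistency check (practice guides 1.1 and 1.2 of CLD.13.1.4).

Added example, not part of the Annex. Host, VM and VLAN data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    uplink_allowed_vlans: set            # VLANs allowed on this host's trunk (physical switch side)
    portgroups: dict                     # vSwitch port group name -> VLAN ID (virtual side)
    vswitch_filters: set = field(default_factory=set)  # VLANs that have a traffic filter on the vSwitch


@dataclass
class VM:
    name: str
    host: str
    portgroup: str


def check_consistency(hosts: list, vms: list, physical_filtered_vlans: set) -> list:
    """Return findings; an empty list means virtual and physical configuration agree."""
    by_name = {h.name: h for h in hosts}
    findings = []

    # 1. Every VLAN configured on a vSwitch must be allowed on that host's physical uplink,
    #    otherwise the virtual network has no physical path (blackholed, or leaking on the native VLAN).
    for h in hosts:
        for pg, vlan in h.portgroups.items():
            if vlan not in h.uplink_allowed_vlans:
                findings.append(f"{h.name}: port group {pg} (VLAN {vlan}) is not allowed on the uplink trunk")

    # 2. Live migration: the VM's port group must exist with the same VLAN ID on every other
    #    host of the cluster, and that VLAN must be allowed on that host's uplink too.
    for vm in vms:
        vlan = by_name[vm.host].portgroups[vm.portgroup]
        for h in hosts:
            if h.name == vm.host:
                continue
            if h.portgroups.get(vm.portgroup) != vlan:
                findings.append(f"{vm.name}: port group {vm.portgroup} missing or mapped to another VLAN on {h.name}")
            elif vlan not in h.uplink_allowed_vlans:
                findings.append(f"{vm.name}: VLAN {vlan} not allowed on the {h.name} uplink after migration")

    # 3. Filtering: a filter defined only on the physical network does not see intra-host
    #    VM-to-VM traffic, so the same VLAN must carry a filter on the vSwitch as well.
    for h in hosts:
        for pg, vlan in h.portgroups.items():
            if vlan in physical_filtered_vlans and vlan not in h.vswitch_filters:
                findings.append(f"{h.name}: VLAN {vlan} filtered on the physical switch but not on the vSwitch")
    return findings


def cluster_consistent():
    """Constructed two-host cluster whose virtual and physical settings match."""
    hosts = [
        Host("esx-01", {101, 201}, {"pg-tenant-A": 101, "pg-tenant-B": 201}, {101, 201}),
        Host("esx-02", {101, 201}, {"pg-tenant-A": 101, "pg-tenant-B": 201}, {101, 201}),
    ]
    vms = [VM("vm-a1", "esx-01", "pg-tenant-A"), VM("vm-b1", "esx-01", "pg-tenant-B")]
    return hosts, vms, {101, 201}


def cluster_inconsistent():
    """Same cluster with three drift conditions injected."""
    hosts = [
        Host("esx-01", {101, 201}, {"pg-tenant-A": 101, "pg-tenant-B": 201}, {101}),     # vSwitch filter for 201 missing
        Host("esx-02", {101}, {"pg-tenant-A": 101, "pg-tenant-B": 202}, {101, 202}),     # 201 not trunked; port group mistyped
    ]
    vms = [VM("vm-a1", "esx-01", "pg-tenant-A"), VM("vm-b1", "esx-01", "pg-tenant-B")]
    return hosts, vms, {101, 201}


if __name__ == "__main__":
    for finding in check_consistency(*cluster_inconsistent()):
        print("FINDING:", finding)
```

The second check is the technical note's live-migration case made concrete: a VM that is fully consistent on its current host can land on a host where its port group points at a different VLAN or where that VLAN is not trunked, and the inconsistency only shows up after the move.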
C.9 Storage virtualization

C.9.1 Overview of storage virtualization

Storage virtualization virtualizes physical storage (drives) into logical storage. Generally, storage virtualization is structured as shown in Figure 6.

[Figure 6 shows the layers from top to bottom: VMs running on a VMM on each physical server, each VM seeing virtual drives of the virtualized storage; the physical servers attached over Fibre Channel or iSCSI to virtual storages presenting logical volumes; the storage virtualization mechanism, consisting of a function for volume virtualization over a storage pool (storage pool function); and the physical storage, consisting of RAID groups (RAID function) built from physical disks.]
Figure 6 Overview of storage virtualization

(1) Logical volume
The most important element in storage virtualization is the "logical volume". A logical volume is the unit of storage that the hypervisor, or the OS on a VM, recognizes as a virtual resource in the storage. Physical disks are virtualized into logical volumes by the storage virtualization function.

(2) RAID
Most storage devices today build a logical volume on a RAID (redundant array of independent disks) group, in which more than one physical disk is bundled for failure resistance, and also provide a mechanism that improves redundancy by distributing data. Distributing data across more than one physical disk allows the data to be preserved when a physical disk fails. RAID virtualizes the area spanning the bundled physical disks as a logical volume.

(3) Storage pool
A function that handles physical disks or logical volumes as one large logical volume (storage pool). This improves flexibility in storage operation, including how disk space is combined and how capacity added by new physical disks is incorporated into the existing storage pool. A logical volume carved out of the pool is also referred to as a Logical Unit (LU) or Logical Device (LDEV).
(4) Storage capacity virtualization
A function that allocates any capacity virtually, independent of the physical capacity of the storage, when a logical volume is allocated (thin provisioning). It is implemented by dynamically allocating storage area from the storage pool as data is actually written to the logical volume, so that the storage resource is used efficiently. Because the logical capacity promised to tenants can exceed the physical capacity of the pool, the free space of the pool has to be monitored.

(5) SAN zoning
A Storage Area Network (SAN) using Fibre Channel (FC) can partition connections into zones on the FC switch, by switch port or by WWN. When zones are partitioned with this zoning function in the storage virtualization function, access to storage in a different zone is blocked.

C.9.2 Application of storage virtualization in the cloud services and its points of focus

(1) Tenant separation in storage virtualization
Tenant separation in storage virtualization is implemented by allocating logical volumes or SAN zones per tenant. However, when storage is virtualized by the hypervisor on the server, the logical volume provided by the storage virtualization is no longer the unit of a tenant; it is simply the unit of storage that holds more than one virtual disk created by the hypervisor. Where storage virtualization or tenant separation takes place in the server virtualization layer, tenant separation cannot be achieved by logical volumes alone, so the review should focus on the virtualization of storage by the server virtualization function.

(2) Ensuring availability in storage virtualization
The availability of the cloud service can be enhanced using RAID technology, redundant FC switches, HBAs and SAN paths in the SAN configuration, and the backup function provided by the physical storage equipment.

(3) Capacity management in storage virtualization
Storage pools and capacity virtualization are applied in storage virtualization to facilitate management of the storage capacity of the entire cloud service and to streamline management of the logical volume capacities per tenant. In this case, both the physical storage capacity provided to the cloud service and the logical storage capacity provided to the tenants have to be managed.

C.9.3 Auditing the storage virtualization

C.9.3.1 Access control <9>
Control: ISO/IEC 27017 CLD.9.5.1 Segregation in virtual computing environments

Implementation guidance for cloud service provider: The cloud service provider should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network for:
- the separation of resources used by cloud service customers in multi-tenant environments;
- the separation of the cloud service provider's internal administration from resources used by cloud service customers.
Where the cloud service involves multi-tenancy, the cloud service provider should implement information security controls to ensure appropriate isolation of resources used by different tenants. The cloud service provider should consider the risks associated with running cloud service customer-supplied software within the cloud services offered by the cloud service provider.

Additional technical information: Representative methods for storage segmentation are as follows.
- Create logical volumes for each tenant and implement access control on a logical volume basis (LUN masking).
- Separate tenants using SAN zoning.

1 Security implementation standard: Using the segmentation functionality provided by the storage virtualization structure, segmentation shall be performed on a cloud service customer basis.

Technical note on security implementation standard: Storage segmentation may instead be implemented by the server hypervisor, which divides one logical volume into virtual disks for the VMs of several tenants. In that case the storage virtualization structure need not segment on a cloud service customer basis, but the reviewer should then examine the hypervisor's access control over the virtual disks, because the storage layer alone no longer separates the tenants.

1.1 Practice guide: Where logical volumes are provided to each tenant, use the parameter settings of the storage virtualization function to check that access to each logical volume is granted, through the access control function of the storage virtualization function, only to the cloud service customer to whom that logical volume is provided.
    Evidence assumed: Storage device parameters; storage management program parameters.
    Method: Examine/Observe

1.2 Practice guide: Where tenants are separated through SAN zoning, use the parameter settings of the equipment comprising the SAN to check that zones are allocated to each tenant and that storage is not accessible between different tenants.
    Evidence assumed: Zoning definitions for the Fibre Channel devices that constitute the SAN.
    Method: Examine/Observe
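Both practice guides 1.1 (logical-volume access control) and 1.2 (SAN zoning) can be verified from two exports: the zone set of the FC switches and the host-group or LUN-masking table of the array. The script below is an added example, not part of the Annex, that runs both checks over one model; the WWPNs, tenant names and volume names are constructed, and the data model is an assumption a reviewer would fill from the real exports.

```python
"""Storage tenant segregation check: SAN zoning plus logical-volume (LUN) masking.

Added example, not part of the Annex. All WWPNs, tenants and volumes are constructed.
"""
from dataclasses import dataclass


@dataclass
class StorageConfig:
    tenant_initiators: dict   # tenant -> set of initiator (HBA) WWPNs
    target_ports: set         # storage array front-end port WWPNs
    zones: dict               # zone name -> set of member WWPNs (initiators and targets)
    volume_owner: dict        # logical volume -> tenant that owns it
    lun_masking: dict         # logical volume -> set of initiator WWPNs allowed to see it


def initiator_owner(cfg: StorageConfig, wwpn: str):
    """Tenant that owns an initiator WWPN, or None if it is not a registered tenant HBA."""
    for tenant, wwpns in cfg.tenant_initiators.items():
        if wwpn in wwpns:
            return tenant
    return None


def check_storage_segregation(cfg: StorageConfig) -> list:
    """Return findings; an empty list means zoning and masking both keep tenants apart."""
    findings = []
    # 1. Zoning (practice guide 1.2): every initiator in a zone must be a known tenant HBA,
    #    and one zone must not join initiators of different tenants to the same targets.
    for zone, members in cfg.zones.items():
        initiators = members - cfg.target_ports
        unknown = sorted(w for w in initiators if initiator_owner(cfg, w) is None)
        if unknown:
            findings.append(f"zone {zone}: unknown initiator(s) {unknown}")
        owners = {initiator_owner(cfg, w) for w in initiators} - {None}
        if len(owners) > 1:
            findings.append(f"zone {zone}: initiators of several tenants {sorted(owners)} share a zone")
    # 2. LUN masking (practice guide 1.1): a volume may be presented only to HBAs of its owner.
    for volume, owner in cfg.volume_owner.items():
        for w in sorted(cfg.lun_masking.get(volume, set())):
            who = initiator_owner(cfg, w)
            if who != owner:
                findings.append(f"volume {volume} (owner {owner}) presented to {w} ({who})")
    return findings


# Constructed identifiers (not real devices).
HBA_A1 = "10:00:00:00:c9:aa:00:01"
HBA_B1 = "10:00:00:00:c9:bb:00:01"
HBA_UNKNOWN = "10:00:00:00:c9:cc:00:09"
TGT_1 = "50:00:00:00:00:00:01:01"
TGT_2 = "50:00:00:00:00:00:01:02"


def sample_compliant() -> StorageConfig:
    return StorageConfig(
        tenant_initiators={"tenant-A": {HBA_A1}, "tenant-B": {HBA_B1}},
        target_ports={TGT_1, TGT_2},
        zones={"z_tenantA_tgt1": {HBA_A1, TGT_1}, "z_tenantB_tgt2": {HBA_B1, TGT_2}},
        volume_owner={"lv-A-01": "tenant-A", "lv-B-01": "tenant-B"},
        lun_masking={"lv-A-01": {HBA_A1}, "lv-B-01": {HBA_B1}},
    )


def sample_leaky() -> StorageConfig:
    """Same layout with a stray HBA zoned in, a cross-tenant zone and an over-broad mask."""
    cfg = sample_compliant()
    cfg.zones["z_tenantA_tgt1"].add(HBA_UNKNOWN)   # unregistered initiator can reach tenant-A's target
    cfg.zones["z_tenantB_tgt2"].add(HBA_A1)        # tenant-A HBA zoned to tenant-B's target
    cfg.lun_masking["lv-A-01"].add(HBA_B1)         # tenant-A volume presented to tenant-B
    return cfg


if __name__ == "__main__":
    for finding in check_storage_segregation(sample_leaky()):
        print("FINDING:", finding)
```

Zoning and masking are independent controls and the review needs both: zoning alone lets a correctly zoned initiator see every LUN behind a target port unless masking restricts it, while masking alone still exposes the target port to any initiator that the fabric lets reach it.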
C.9.3.2 Cryptography <10>

Control: ISO/IEC 27017 10.1.1 Policy on the use of cryptographic controls

Implementation guidance for cloud service provider: The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection.
NOTE In some jurisdictions, it may be required to apply cryptography to protect particular kinds of information, such as health data, resident registration numbers, passport numbers and driver's license numbers.

Additional technical information: Encrypting the logical volume is one way of performing storage encryption.

1 Security implementation standard: The data of tenants shall be encrypted using the encryption function for logical volumes.

Technical note on security implementation standard: The storage method for the encryption key and the scope of encryption differ by the storage device used. The reviewer should therefore confirm where the keys are held and who can access them, and what the encryption actually covers (e.g. only data at rest on the disks, or also snapshots, replicas and backups), rather than only the "encrypted" flag of the volume.

1.1 Practice guide: Where the encryption function for logical volumes in the storage virtualization is applied, check that the relevant logical volume is encrypted, using the status display or utility functions that the storage virtualization function provides.
    Evidence assumed: Storage device parameters; storage management program parameters.
    Method: Examine/Observe
C.9.3.3 Operations security <12>

Control: ISO/IEC 27017 12.3.1 Information backup

Implementation guidance for cloud service provider: The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. The specifications should include the following information, as appropriate:
- scope and schedule of backups;
- backup methods and data formats, including encryption, if relevant;
- retention periods for backup data;
- procedures for verifying the integrity of backup data;
- procedures and timescales involved in restoring data from backup;
- procedures to test the backup capabilities;
- storage location of backups.
The cloud service provider should provide secure and segregated access to backups, such as virtual snapshots, if such a service is offered to cloud service customers.

Additional technical information: If the storage equipment or software that implements the virtualization function fails for some reason, the information required to restore the previous state in which services can be delivered shall be saved. This information includes the parameters of the storage virtualization function and the setup information of the logical volumes.

1 Security implementation standard: The parameters and definition information to be saved shall be backed up using the utility provided by the storage virtualization function or another system utility.

Technical note on security implementation standard: If a change to a virtualized storage resource affects the definition information, the backed-up data shall be updated when the change is made or within a reasonable time afterwards.

1.1 Practice guide: Check that the parameters and definition information are backed up. Check that the changes to virtual resources and the triggering times and intervals of backups are valid. Check whether the previous virtual resources can be restored from the backed-up information.
    Evidence assumed: Storage device parameters; storage management program parameters.
    Method: Examine/Observe
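The three checks of practice guide 1.1 (backups exist, they follow configuration changes within a reasonable time, and the previous definitions can be rebuilt from them) can be scripted against the array's change log and the catalogue of exported definition files. The script below is an added example, not part of the Annex; the change log, backup catalogue and definition documents are constructed, the 24-hour limit is an assumed "reasonable time", and a canonical SHA-256 over the definition is used so two exports can be compared exactly.

```python
"""Backup currency and restorability check for storage virtualization definitions.

Added example, not part of the Annex. Change log, backups and definitions are
constructed; the 24-hour window is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import copy
import hashlib
import json


@dataclass
class Change:
    at: datetime
    description: str


@dataclass
class Backup:
    at: datetime
    definition: dict   # exported storage virtualization parameters and logical volume definitions


def digest(definition: dict) -> str:
    """Canonical SHA-256 of a definition so two exports can be compared exactly."""
    return hashlib.sha256(json.dumps(definition, sort_keys=True).encode()).hexdigest()


def unbacked_changes(changes: list, backups: list, max_delay: timedelta) -> list:
    """Changes that were not followed by any backup within max_delay."""
    times = [b.at for b in backups]
    return [c for c in changes if not any(c.at <= t <= c.at + max_delay for t in times)]


def latest_backup_is_current(current: dict, backups: list) -> bool:
    """True when the newest backup reproduces the definitions now in effect."""
    if not backups:
        return False
    return digest(max(backups, key=lambda b: b.at).definition) == digest(current)


def restore(backup: Backup) -> dict:
    """Restore step of the review: rebuild the definition from the backup copy alone."""
    return copy.deepcopy(backup.definition)


def review_backups(changes: list, backups: list, current: dict, max_hours: int = 24) -> dict:
    """Summary a reviewer records: late changes, currency of the newest backup, restorability."""
    late = unbacked_changes(changes, backups, timedelta(hours=max_hours))
    return {
        "unbacked_changes": [c.description for c in late],
        "latest_backup_current": latest_backup_is_current(current, backups),
        "restorable": bool(backups) and restore(max(backups, key=lambda b: b.at)) == max(backups, key=lambda b: b.at).definition,
    }


# Constructed review data.
DEFINITION_V1 = {"pools": {"pool-01": {"raid": "RAID6", "capacity_gb": 40000}},
                 "volumes": {"lv-A-01": {"pool": "pool-01", "size_gb": 2000, "hosts": ["hba-A-1"]}}}
DEFINITION_V2 = copy.deepcopy(DEFINITION_V1)
DEFINITION_V2["volumes"]["lv-B-01"] = {"pool": "pool-01", "size_gb": 500, "hosts": ["hba-B-1"]}

CHANGES = [Change(datetime(2024, 3, 1, 9, 0), "create lv-A-01"),
           Change(datetime(2024, 3, 5, 14, 30), "create lv-B-01")]
BACKUPS_BEFORE_FIX = [Backup(datetime(2024, 3, 1, 23, 0), DEFINITION_V1)]       # export only after the first change
BACKUPS_AFTER_FIX = BACKUPS_BEFORE_FIX + [Backup(datetime(2024, 3, 5, 23, 0), DEFINITION_V2)]

if __name__ == "__main__":
    print(review_backups(CHANGES, BACKUPS_BEFORE_FIX, DEFINITION_V2))
    print(review_backups(CHANGES, BACKUPS_AFTER_FIX, DEFINITION_V2))
```

Comparing a digest of the current definitions with the newest backup catches the case the time-window check alone misses: a backup job that runs on schedule but exports stale or partial definitions still leaves the provider unable to restore the service.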
C.10 Relational table for denotations in ISO/IEC 27017 and this Annex

Columns: ISO/IEC 27017 clause | Note | Service management | Common | Server virtualization | Network virtualization | Storage virtualization

5 Information security policies | N/A as this is not "technical"
  5.1 Management direction for information security | × | × | × | × | ×
6 Organization of information security | N/A as this is not "technical"
  6.1 Internal organization | × | × | × | × | ×
  6.2 Mobile devices and teleworking | × | × | × | × | ×
  CLD.6.3 Relationship between cloud service customer and cloud service provider | × | × | × | × | ×
7 Human resource security | N/A as this is not "technical"
  7.1 Prior to employment | × | × | × | × | ×
  7.2 During employment | × | × | × | × | ×
  7.3 Termination and change of employment | × | × | × | × | ×
8 Asset management | N/A as the "physical resources" are outside the scope
  8.1 Responsibility for assets | × | × | × | × | ×
  CLD.8.1 Responsibility for assets | × | × | × | × | ×
  8.2 Information classification | × | × | × | × | ×
  8.3 Media handling | × | × | × | × | ×
9 Access control | - Descriptions on access control for customers are covered basically in service management. - This chapter does not cover access control for a service provider's operators; Chapter 12 does. - This chapter covers possible settings for access control per customer in the function for virtualization/virtual resources, if any.
  9.1 Business requirements of access control | ― | ― | ― | ― | ―
  9.2 User access management | 9.2.1, 9.2.2, 9.2.3 | → | → | → | →
  9.3 User responsibilities | ― | ― | ― | ― | ―
  9.4 System and application access control | 9.4.1, 9.4.4 | → | → | → | →
  CLD.9.5 Access control of cloud service customer's data in shared virtual environment | ← | → | CLD.9.5.1, CLD.9.5.2 | cf. 13.1.3 | CLD.9.5.1
10 Cryptography | - Covers cases where encryption by the function for virtualization is needed.
  10.1 Cryptographic controls | × | 10.1.1 | 10.1.1 | 10.1.1 | 10.1.1
11 Physical and environmental security | N/A as the "physical resources" are outside the scope
  11.1 Secure areas | ― | ― | ― | ― | ―
  11.2 Equipment | ― | ― | ― | ― | ―
12 Operations security | - Focuses on a service provider's operator processing for the function for virtualization/virtual resources.
  12.1 Operational procedures and responsibilities | 12.1.2, 12.1.3 | ← | ← | ← | ←
  CLD.12.1 Operational procedures and responsibilities | 12.1.5 | ← | ← | ← | ←
  12.2 Protection from malware | ― | ― | ― | ― | ―
  12.3 Backup | → | → | → | ← | 12.3.1
  12.4 Logging and monitoring | 12.4.1, 12.4.4, 12.4.5 | ← | ← | ← | ←
  CLD.12.4 Logging and monitoring | ← | ← | ← |   | ―
  12.5 Control of operational software | ― | ― | ← | ― | ←
  12.6 Technical vulnerability management | 12.6.1 | ← | ― | ← | ←
  12.7 Information systems audit considerations | ― | ― | ― | ― | ―
13 Communications security | - Network-focused security
  13.1 Network security management | → | → | ← | 13.1.3 | ←
  CLD.13.1 Network security management | → | → | ― | CLD.13.1.4 | ―
  13.2 Information transfer | ― | ― | ← | ― | ―
14 System acquisition, development and maintenance | N/A as this is not directly related to the technical model
  14.1 Security requirements of information systems | × | × | × | × | ×
  14.2 Security in development and support processes | × | × | × | × | ×
  14.3 Test data | ― | ― | ― | ― | ―
15 Supplier relationships | N/A as this is not "technical"
  15.1 Information security in supplier relationships | × | × | × | × | ×
  15.2 Supplier service delivery management | ― | ― | ― | ― | ―
16 Information security incident management |
  16.1 Management of information security incidents and improvements | → | → | → | → | 16.1.2
17 Information security aspects of business continuity management |
  17.1 Information security continuity | × | × | × | × | ×
18 Compliance | N/A as this is not "technical"
  18.1 Compliance with legal and contractual requirements | × | × | × | × | ×
  18.2 Information security reviews | × | × | × | × | ×

Legend
― : Cloud service provider management controls are not defined in ISO/IEC 27017
× : No technical notation is required in this Annex
→, ← : Implemented by content denoted in another section
Control number : Description is included in this Annex