SECURITY IN
THE CLOUD
Part 1 – Guarantees for
Cloud Security
White Paper, November 2012
SECURITY IN THE CLOUD – PART 1
Copyright © 2013, Zimory GmbH
TABLE OF CONTENTS
Introduction and Problem Description (p. 2)
Security vs. Decision of Moving to the Cloud (p. 2)
Market Perspectives for Virtualization (p. 3)
Cloud Security Best Practices (p. 4)
Benefits of Cloud Security (p. 5)
Security Implications in the Zimory Cloud Suite (p. 5)
Security Standards and Testing Procedures: The Zimory Cloud Suite Case (p. 5)
Conclusion (p. 7)
Contact Information (p. 8)
INTRODUCTION AND
PROBLEM DESCRIPTION
The Cloud has stopped being a trend; it is now a reality. However, some aspects of the Cloud
cause hesitation both for customers considering moving to the Cloud and for Cloud
Service Providers.
The Cloud has intrinsic, dynamic characteristics of proactivity and interaction which, from
the customer's point of view, may seem difficult to control with conventional IT
security standards. In reality, Cloud computing security is not isolated from standard
IT security and data protection policies and regulations.
The main security concerns are:
- Data protection
- Sharing of resources
- Differences in country legislation
The first part of this document analyzes security in virtualized environments from
the Cloud customer’s point of view, explaining why customers need to be aware of
security issues in the Cloud.
The second part of this white paper presents Zimory as an example of Cloud management
services meeting high quality and security standards. This section describes the
penetration tests performed by one of Zimory’s customers in order to
observe how the Zimory Cloud Suite responds to simulated attacks.
SECURITY VS. DECISION
OF MOVING TO THE CLOUD
When deciding to move to the Cloud, customers must insist on openly discussing
with Cloud Service Providers and vendors any security doubt or question they may have.
Clarity and efficiency are a must when dealing with these issues in any IT environment,
and even more so in Cloud Computing environments, where elements that are by definition
intrinsic to them (abstracted resources, scalability and flexibility, shared resources,
programmatic management, etc.) can create uncertainties for all parties involved.
As stated by the European Network and Information Security Agency (ENISA), ”Cloud’s
economies of scale and flexibility are both a friend and a foe from a security point of view.
The massive concentrations of resources and data present a more attractive target to
attackers, but cloud-based defenses can be more robust, scalable and cost-effective” [1].
Security issues can be a major question mark for businesses hesitating to move to the
Cloud. At the same time, the Cloud, with its innovative technology, has found effective means
to face and resolve these issues in order to provide guarantees.
MARKET PERSPECTIVES
FOR VIRTUALIZATION
Regarding virtualization projections in the IT market, the following chart presents
Gartner's predictions regarding the progression of virtualization by 2015:
Figure 1. Progress towards Virtualization
Source: Gartner (May 2012)
Based on the previous chart, it is important to mention some basic principles regarding the
transition from the “physical” security environment to a virtualized security environment [2],
such as:
- Management consoles: often the target of an attack.
- Multi-tenancy and shared resources.
- Compromising the hypervisor.
[1] Catteddu, Daniele and Hogben, Giles: “Cloud Computing Security Risk Assessment”. European Network and
Information Security Agency (ENISA), 2009.
[2] For more details regarding this transition, see “Security in the Cloud – Part II:
Threats and Solutions”. Zimory, 2012.
Providers should be able to offer high-quality security standards in order to limit liability,
“minimizing vulnerabilities and using effective security controls” [3]. This is clearly one of the
main challenges of the Cloud Computing market due to its novelty and rapid evolution.
CLOUD SECURITY BEST PRACTICES
Ideally, in order to keep Cloud Computing Services balanced and in continuous evolution,
there are certain aspects to be considered, even as a best-practices checklist [1]:
1. Customers must be aware of risks when adopting Cloud services.
2. Customers should compare different Cloud provider offerings in order to
make an informed decision.
3. Cloud providers should provide customers with as much assurance as possible.
4. Not all the assurance burden should fall on Cloud providers.
5. Awareness of regulations of the country where data is stored, where the
company is located and where the cloud service provider is located.
6. Awareness of who controls and regulates data. Customers using services of a
US company are exposed to the Patriot Act, for example.
7. Transparency as a working principle and basis for cloud computing
companies and customers.
8. Whenever possible, allow customers to test Cloud services. Testing procedures
will become a guarantee for Cloud Services.
All players involved in cloud computing contracts must be aware of the regulations
applicable to their businesses. It is highly important for Cloud Service Vendors to
explain security issues to their customers before they move to the Cloud.
[3] Gartner Inc.: “Securing and Managing Enterprise Cloud”. John Pescatore, May 2012.
BENEFITS OF
CLOUD SECURITY
As stated in ENISA’s Cloud Computing Security Assessment [1], security in the Cloud can
also imply multiple benefits for all parties involved:
1. Security as a differentiator: Cloud services meeting high security standards can
be a stand-out point in a very competitive market.
2. The larger the scale, the cheaper the implemented security measures.
3. Efficient and effective scaling of resources: An intrinsic quality of Cloud services
is the ability to dynamically reallocate resources for multiple purposes, which has
many advantages for resilience.
4. Audits and gathering consumption information: Zimory Cloud Suite offers a pay-per-use
policy and the possibility of exporting resource consumption reports, all of which
leads to more effective resource and cost management.
5. Advantages of resource concentration: this is generally seen as a risk for Cloud
Computing. It can also, however, facilitate the application of many security-related
measures.
SECURITY IMPLICATIONS IN THE
ZIMORY CLOUD SUITE
The Zimory Cloud Suite can be taken as an example of how the performance of Cloud
management services is tested.
To be more concrete, Zimory manages public cloud services for large companies on behalf
of one of its customers. High security standards are especially required in these
environments, where virtual private clouds run inside public clouds. Managing the
software for public cloud services offered inside the high-security networks of
telecommunication companies is a clear security challenge. In providing these
solutions, the Zimory Cloud Suite has proved capable of meeting all the
security requirements of carrier-grade IaaS management software.
Furthermore, Zimory's multi-layered security approach provides clear and concrete
answers to security issues. This approach is based on a compensation method: if one
security layer is compromised, the other layers back up the integrity of the
security system. This back-up procedure keeps the system stable and
secure, avoiding a complete shutdown.
SECURITY STANDARDS AND TESTING PROCEDURES:
THE ZIMORY CLOUD SUITE CASE
Testing procedures are thus of key importance for supporting and providing security standards
for the performance of Cloud services. Therefore, Zimory welcomed one of its
customers to perform penetration tests on the Zimory Cloud Suite, based on well-defined
security standards.
Penetration tests, or pentests, are defined by Search Software Quality as “the practice of
testing a computer system, network or Web application to find vulnerabilities that an
attacker could exploit” [4]. These tests simulate both internal and external attacks and include
four main steps:
Step 1: Preparing the Test. During this step, an access methodology for the tested
system is created. Some of the tasks performed during this step are:
- Defining the system to be tested: in this case, zimory®manage was the tested
component, since it allows direct interaction with end users and external users.
- Determining the visibility of the system and the company: identifying the existing limits of
information availability.
- Setting the depth and aggressiveness of the test.
- Determining the methodology for approaching problems, such as software damage,
information leaks, etc.
Step 2: Gathering Information. This step identifies, for example, elements that need to
be “less visible”. Other tasks of this step include:
- Providing documentation.
- Surveying the development process.
- Examining the I-modules, which constitute the “test steps that serve for pure
provision of information”.
Step 3: Evaluation of Gathered Information. Analysis of the information gathered
during the previous step, including:
- Identifying critical areas.
- Identifying achievable goals.
- Selecting and examining the e-modules, or the “active penetration attempts” [4].
- Describing test cases.
Step 4: Execution Phase or Active Intrusion.
Applying the testing procedures described above, penetration tests were performed on
the Zimory Cloud Suite in April 2011 and included both on-site and remote tests.
[4] Gershater, Jonathan and Mehta, Puneet: “Pen Test (Penetration Testing)”. Search Software Quality, 2011.
Retrieved from: http://searchsoftwarequality.techtarget.com/definition/penetration-testing
After the pentest, the Zimory software presented no abnormalities regarding
essential test parameters such as:
- Verification of security laws.
- Failure causes.
- Command, XPath and SQL injection: techniques used to attack software.
- XML poisoning.
- XDoS attacks: XML denial of service.
Most of the problems detected during the penetration testing procedure, which were
minor issues (for example, cross-site scripting issues), have since been
solved.
Cloud vendors allowing customers and Service Providers to perform test procedures with
high standards could almost be considered a breakthrough in the Cloud Computing
world. The lack of standard testing procedures, especially with regard to security issues, has
been identified as one of the main customer concerns when moving to the Cloud and one
of the reasons for the slow take-off of the Cloud Computing market [5].
Moreover, testing software with such high-standard procedures without any
major issues being detected is a clear indicator of carrier-grade software meeting high quality
standards.
CONCLUSION
It is of key importance for customers to be aware and well informed of the
security implications from the moment they decide to move to the Cloud. Providers, on
the other hand, should be able to offer high-quality security standards in order to limit
liability, “minimizing vulnerabilities and using effective security controls” [3]. Security in the
Cloud is a matter concerning all the actors involved, who must actively contribute to building
confidence in the Cloud.
Cloud security measures are not at all isolated from conventional IT security
measures. Customers and Cloud service users need to analyze and be aware of the security
conditions before actually deciding to move to the Cloud.
Finally, the Zimory Cloud Suite can be considered an example of carrier-grade IaaS
management software meeting high quality and security standards. As described in this
paper, Zimory is open and secure enough to submit its product to rigorous tests of its
security parameters. All of this confirms the product guarantees regarding data
protection, scalability, flexibility, hardening of virtual machines and hypervisors, etc.
Our Cloud Suite is, without a doubt, a secure option for managing Cloud services.
[5] For more information, see “Cloud Computing Market: Understanding its Slow Take-Off in Europe”. Zimory,
2012.
CONTACT INFORMATION
Zimory GmbH
Alexanderstrasse 3,
10178 Berlin
Germany
Email: info@zimory.com
Tel: +49 (0)30 609 85 07-0
For the latest information, please visit www.zimory.com
The information contained in this document represents the current view of Zimory GmbH
on the issues discussed as of the date of publication. Because Zimory must respond to
changing market conditions, this document should not be interpreted to be a commitment
on the part of Zimory, and Zimory cannot guarantee the accuracy of any information
presented after the date of publication. The information represents the product at the time
this document was published and should be used for planning purposes only. Information
is subject to change at any time without prior notice.
This document is for informational purposes only.
ZIMORY MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
© 2009 Zimory GmbH. All rights reserved. Zimory is a registered trademark of Zimory
GmbH in Germany. All other trademarks are the property of their respective owners.

So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 

Zimory White Paper: Security in the Cloud pt 1/2

  • 1. SECURITY IN THE CLOUD Part 1 – Guarantees for Cloud Security White Paper, November 2012
  • 2. SECURITY IN THE CLOUD – PART 1 Copyright© 2013, Zimory GmbH 1
    TABLE OF CONTENTS
    Introduction and Problem Description ... 2
    Security vs. Decision of Moving to the Cloud ... 2
    Market Perspectives for Virtualization ... 3
    Cloud Security Best Practices ... 4
    Benefits of Cloud Security ... 5
    Security Implications in the Zimory Cloud Suite ... 5
    Security Standards and Testing Procedures: The Zimory Cloud Suite case ... 5
    Conclusion ... 7
    Contact Information ... 8
  • 3. INTRODUCTION AND PROBLEM DESCRIPTION
    The Cloud stopped being a trend; it is now a reality. However, some aspects of the Cloud cause hesitation for both customers considering moving to the Cloud and Cloud Service Providers.
    The Cloud has intrinsic and dynamic characteristics of proactivity and interaction. From the customer's point of view, these might seem difficult to control with conventional IT security standards. Cloud computing security is, in reality, not isolated from standard IT security and data protection policies and regulations.
    Main security concerns are:
    - Data protection
    - Sharing of resources
    - Differences in country legislation
    The following document analyzes, on the one hand, security in virtualized environments from the Cloud customer's point of view, justifying the importance of customer awareness about security issues in the Cloud. The second part of this white paper presents Zimory as an example of Cloud management services meeting high quality and security standards. This section includes a description of penetration tests performed by one of Zimory's customers in order to observe the responses of the Zimory Cloud Suite when facing simulated attacks.
    SECURITY VS. DECISION OF MOVING TO THE CLOUD
    When deciding to move to the Cloud, customers must demand to discuss openly with Cloud Service Providers and vendors any security doubt or question they may have. Clarity and efficiency are a must when dealing with these issues in any IT environment, and even more so in Cloud Computing environments, where elements that are by definition intrinsic to them (abstracted resources, scalability and flexibility, shared resources, programmatic management, etc.) can create some uncertainties for all parties involved. As stated by the European Network and Information Security Agency (ENISA), "Cloud's economies of scale and flexibility are both a friend and a foe from a security point of view.
  • 4. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective" [1]. Security issues can be a major question mark for businesses hesitating to move to the Cloud. The Cloud, with its innovative technology, has also found effective means to face and resolve these issues in order to provide guarantees.
    MARKET PERSPECTIVES FOR VIRTUALIZATION
    Regarding virtualization projections in the IT market, the following chart presents Gartner's predictions regarding the progression of virtualization by 2015:
    [Figure 1. Progress towards Virtualization. Source: Gartner (May 2012)]
    Based on the previous chart, it is important to mention basic principles regarding the transition from the "physical" security environment to a virtualized security environment [2], such as:
    - Management consoles: often the target of an attack.
    - Multi-tenancy and shared resources.
    - Compromising the hypervisor.
    [1] Catteddu, Daniele and Hogben, Giles: "Cloud Computing Security Risk Assessment". European Network and Information Security Agency (ENISA), 2009.
    [2] For more details regarding this transition, see "Security in the Cloud – Part II: Threats and Solutions". Zimory, 2012.
  • 5. Providers should be able to offer high-quality security standards in order to limit liability, "minimizing vulnerabilities and using effective security controls" [3]. This is clearly one of the main challenges of the Cloud Computing market due to its novelty and rapid evolution.
    CLOUD SECURITY BEST PRACTICES
    Ideally, in order to keep Cloud Computing Services balanced and in continuous evolution, there are certain aspects to be considered, even as a best-practices checklist [1]:
    1. Customers must be aware of the risks when adopting Cloud services.
    2. Customers should compare different Cloud provider offerings in order to make an informed decision.
    3. Cloud providers should provide customers with as much assurance as possible.
    4. Not all of the assurance burden should fall on Cloud providers.
    5. Awareness of the regulations of the country where the data is stored, where the company is located and where the cloud service provider is located.
    6. Awareness of who controls and regulates the data. Customers using the services of a US company are exposed to the Patriot Act, for example.
    7. Transparency as a working principle and basis for cloud computing companies and customers.
    8. Whenever possible, allow customers to test Cloud services. Testing procedures will become a guarantee for Cloud Services.
    All players involved in cloud computing contracts must be aware of the regulation applicable to their businesses. It is of high importance for Cloud Service Vendors to explain security issues to their customers before they move to the Cloud.
    [3] Gartner Inc. Securing and Managing Enterprise Cloud. John Pescatore. May 2012.
  • 6. BENEFITS OF CLOUD SECURITY
    As stated in ENISA's Cloud Computing Security Assessment [1], security in the Cloud can also imply multiple benefits for all parties involved:
    1. Security as a differentiator: Cloud services meeting high security standards can be a stand-out point in a very competitive market.
    2. The larger the scale, the cheaper the implemented security measures.
    3. Efficient and effective scaling of resources: an intrinsic quality of Cloud services is the ability to dynamically reallocate resources for multiple purposes, which has many advantages for resilience.
    4. Audits and gathering consumption information: the Zimory Cloud Suite offers a pay-per-use policy and the possibility of exporting resource consumption reports, all of which leads to more effective resource and cost management.
    5. Advantages of resource concentration: this is generally seen as a risk for Cloud Computing. It can also, however, facilitate the application of many security-related measures.
    SECURITY IMPLICATIONS IN THE ZIMORY CLOUD SUITE
    The Zimory Cloud Suite can be taken as an example of testing the performance of Cloud management services. To be more concrete, Zimory manages, for one of its customers, public cloud services for large companies. High security standards are especially required for these environments, where virtual private clouds are working inside public clouds. This is a clear security challenge for the software managing public cloud services offered inside the high-security networks of telecommunication companies. When providing these solutions, the Zimory Cloud Suite successfully proves capable of meeting all security requirements of carrier-grade IaaS management software. Furthermore, Zimory's multi-layered security approach provides clear and concrete answers regarding security issues. This approach is based on a compensation method, which implies that in case one security layer is compromised, other layers will back up the integrity of the security system. This back-up procedure keeps the system stable and secure, avoiding a complete shutdown.
    SECURITY STANDARDS AND TESTING PROCEDURES: THE ZIMORY CLOUD SUITE CASE
  • 7. Testing procedures are thus of key importance to support and provide security standards for the performance of Cloud services. Therefore, Zimory welcomed one of its customers to perform penetration tests on the Zimory Cloud Suite, based on well-defined security standards. Penetration tests, or pentests, are defined by Search Software Quality as "the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit" [4]. These tests simulate both internal and external attacks and include four main steps:
    Step 1: Preparing the Test. During this step, an access methodology to the tested system is created. Some of the tasks performed during this step are:
    - Defining the system to be tested: in this case, zimory®manage was the tested component, since it allows direct interaction with an external end user.
    - Determining the visibility of the system and the company: identifying the existing limits of information availability.
    - Setting test depth and aggressiveness.
    - Determining the methodology for approaching problems, such as software damage, information leaks, etc.
    Step 2: Gathering Information. This step identifies, for example, elements that need to be "less visible". Other tasks of this step include:
    - Providing documentation.
    - Surveying the development process.
    - Examining the I-modules, which constitute the "test steps that serve for pure provision of information".
    Step 3: Evaluation of Gathered Information. Analysis of the information gathered during the previous step, including:
    - Identifying critical areas.
    - Identifying achievable goals.
    - Selecting and examining e-modules, or the "active penetration attempts" [4].
    - Describing test cases.
    Step 4: Execution Phase or Active Intrusion. Applying the testing procedures described above, penetration tests were performed on the Zimory Cloud Suite in April 2011 and included both on-site and remote tests.
    [4] Gershater, Jonathan and Mehta, Puneet. Pen Test (Penetration Testing). Search Software Quality, 2011. Retrieved from: http://searchsoftwarequality.techtarget.com/definition/penetration-testing
  • 8. After the pentest, the Zimory software presented no abnormalities regarding essential test parameters such as:
    - Verification of security laws.
    - Failure causes.
    - Command, XPath and SQL injections: techniques used to attack software.
    - XML poisoning.
    - XDoS attacks: XML denial of service.
    Most of the problems detected during the penetration testing procedure, which were minor issues regarding, for example, cross-site scripting, have since been solved. Cloud vendors allowing customers and Service Providers to perform test procedures with high standards could nearly be considered a breakthrough in the Cloud Computing world. The lack of standard testing procedures, especially with regard to security issues, has been identified as one of the main customer concerns when moving to the Cloud and one of the reasons for the slow take-off of the Cloud Computing market [5]. Moreover, testing software with such high-standard procedures without any major issues being detected is a clear indicator of carrier-grade software meeting high quality standards.
    CONCLUSION
    It is of key importance for customers to be aware and well informed with regard to security implications from the moment they decide to move to the Cloud. Providers, on the other hand, should be able to offer high-quality security standards in order to limit liability, "minimizing vulnerabilities and using effective security controls" [3]. Security in the Cloud is a matter concerning all actors involved, who must actively contribute to building confidence in the Cloud. Cloud security measures are not at all isolated from conventional IT security measures. Customers and Cloud service users need to analyze and be aware of security conditions before actually deciding to move to the Cloud.
    Finally, the Zimory Cloud Suite can be considered an example of carrier-grade IaaS management software meeting high quality and security standards. As described in this paper, Zimory is open and secure enough to submit its product to rigorous tests regarding the product's security parameters. All of this confirms product guarantees regarding data protection, scalability, flexibility, hardening of virtual machines and hypervisors, etc. Our Cloud Suite is, without a doubt, a secure option for managing Cloud services.
    [5] For more information, see "Cloud Computing Market: Understanding its Slow Take-Off in Europe". Zimory, 2012.
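The test parameters listed for the pentest (command, XPath and SQL injection, XML poisoning, XDoS) are all input-handling weaknesses that a management interface like the one tested would be checked for. As an added example that is not part of the Zimory white paper and not Zimory's code, the following Python shows the defensive side of two of them: a pre-parse guard that refuses XML carrying DTD or entity declarations (the mechanism behind entity-expansion denial of service) or excessive nesting, and a parameterised SQL lookup placed beside its string-concatenation counterpart so the difference in behaviour is visible. The `users` table and its rows are constructed sample data; the function names and the size and depth limits are this example's own choices.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from typing import List, Optional

# ---------------------------------------------------------------------------
# XML poisoning / XDoS guard (added example; names and limits are assumptions
# of this example, not part of any product described in the paper)
# ---------------------------------------------------------------------------

# Any DOCTYPE or ENTITY declaration is rejected outright: inline entities are
# what entity-expansion denial-of-service payloads rely on, and ordinary API
# payloads have no need for them.
_DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def check_xml(doc: str, max_bytes: int = 64 * 1024, max_depth: int = 32) -> Optional[str]:
    """Return None if `doc` passes the pre-parse checks, otherwise a short reason.

    The checks run before the real parser sees the input, so an oversized or
    entity-carrying document is refused without spending parser resources on it.
    """
    if len(doc.encode("utf-8")) > max_bytes:
        return "too large"
    if _DTD_RE.search(doc):
        return "DTD or entity declaration present"
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return f"malformed: {exc}"
    # Iterative depth walk: deeply nested documents are a cheap way to exhaust
    # recursive consumers downstream, so the depth is bounded explicitly.
    stack = [(root, 1)]
    while stack:
        node, depth = stack.pop()
        if depth > max_depth:
            return "nesting too deep"
        stack.extend((child, depth + 1) for child in node)
    return None


# ---------------------------------------------------------------------------
# SQL injection: the vulnerable lookup beside the hardened one
# ---------------------------------------------------------------------------

def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Builds the statement by concatenation: the caller's input becomes SQL.

    A name containing a quote character changes the meaning of the query,
    which is exactly the defect a SQL injection test case is designed to reveal.
    """
    cur = conn.execute("SELECT name FROM users WHERE name = '" + name + "'")
    return [row[0] for row in cur.fetchall()]


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Binds the input as a parameter: it is always data, never SQL grammar."""
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    conn = demo_db()
    probe = "x' OR '1'='1"  # constructed test input containing a quote
    print("vulnerable:", lookup_vulnerable(conn, probe))  # returns every row
    print("safe:      ", lookup_safe(conn, probe))        # no name matches literally
    print("xml:", check_xml("<!DOCTYPE a [<!ENTITY e 'x'>]><a>&e;</a>"))
```

The XML guard deliberately refuses rather than sanitises: a management API that never expects a DTD loses nothing by rejecting one, and the byte and depth ceilings keep the cost of a malicious document bounded before any parser work happens. The SQL pair is the shape a pentest report's "SQL injection" finding usually reduces to, and the fix is the same regardless of database driver: bind parameters, never build statements from user-controlled strings.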
  • 9. CONTACT INFORMATION
    Zimory GmbH
    Alexanderstrasse 3, 10178 Berlin, Germany
    Email: info@zimory.com
    Tel: +49 (0)30 609 85 07-0
    For the latest information, please visit www.zimory.com
    The information contained in this document represents the current view of Zimory GmbH on the issues discussed as of the date of publication. Because Zimory must respond to changing market conditions, this document should not be interpreted to be a commitment on the part of Zimory, and Zimory cannot guarantee the accuracy of any information presented after the date of publication. The information represents the product at the time this document was published and should be used for planning purposes only. Information is subject to change at any time without prior notice. This document is for informational purposes only. ZIMORY MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
    © 2009 Zimory GmbH. All rights reserved. Zimory is a registered trademark of Zimory GmbH in Germany. All other trademarks are the property of their respective owners.