Geekly Articles each Day
📜 ⬆️ ⬇️

SecaaS as a type of cloud services and other standards of the GOST project “Information protection when using cloud technologies”



In the previous article “Everything is in accordance with GOST. Information security when using virtualization technologies ” , we mentioned the developed project GOST“ Information Security When Using Cloud Technologies ”. Despite the fact that he has been without approval for more than a year, we can focus on him as a source of information on the direction of the activities of regulators in the field of cloud technologies. The project is also valuable in a systematic list of terms, threats and measures to protect cloud services.

Let's start in order, as indicated in the draft, GOST establishes requirements for the protection of information processed using cloud technologies. Therefore, I propose to go to the terms and understand what is meant in the project by cloud technologies and other terms found in this document. It should be noted in advance that some of the standards of this document are very controversial and at times contradict the established business practice.
')

Terms


Of course, in this article we will not consider the entire list of terms and definitions, you can familiarize yourself with them in detail in the project itself, and highlight the main and most interesting ones.

Thus, according to the version of the Project, which in turn refers to a number of standards, namely GOST R ISO / IEC 27000, GOST R ISO / IEC 27001, GOST R 50922, GOST R 53114, the following definitions of cloud computing are given.
Cloud computing : a model for providing users with on-demand, ubiquitous and convenient network access to a pool of computer resources distributed among them (for example, processor time (computing power), space in data storages, bandwidth of computer networks, network services, programs, etc.) allocated and provided with a minimum amount of management actions and minimal interaction with the service provider.
The project also defines cloud services: a service that provides cloud resources to its customers. But here the types of services being considered are more interesting. The following main types of services are distinguished in the Project:


As you can see, the Project includes a fairly large number of cloud services, including rare services, such as TraaaS (transparency), which are not forgotten.

Why are they on a par with well-known in the industry and generalizing IaaS, Paas and SaaS? Why DaaS is not Desktop as a Service , but cloud storage? How can consumers guess that TraaaS (transparency as a service) provides an opportunity to recover information lost during the transition to cloud computing? In our opinion, such standards are far from reaching consensus in the professional community.

In addition, different cloud deployment models are considered, although their definitions are also quite controversial and not entirely consistent with the same standards on the basis of which the Project data was developed. Nevertheless, we list the models under consideration:


The cloud infrastructure itself is considered as a composition of hierarchically interconnected groups of hardware and software implementing five integral properties of the cloud computing model. There is an important note to understand, and in the annex there is even a picture, I’ll give it below.

  1. Cloud infrastructure includes both physical and abstract layers.
  2. At the physical level (equipment level) is located the hardware of the perimeter of the cloud infrastructure - the hardware used to implement cloud technologies.
  3. Among the abstract levels are distinguished: the level of orchestration, the level of management and the level of virtualization.

At the orchestration level, there are means for processing requests from consumers of cloud services and reports on the means of centralized distribution of cloud resources about their use.

At the management level, the means of centralized distribution of cloud resources among cloud service consumers are located based on requests from the orchestration level.

At the level of virtualization are hypervisors and objects generated by them. The level of virtualization is absent in the cloud infrastructure, if its implementation does not use virtualization technologies.

4. The cloud infrastructure is built in compliance with the following hierarchy of levels:

- the upper level is the level of orchestration;
- below the level of orchestration is the level of management;
- under the management level - the level of virtualization (in the case of using virtualization technology);
- the lower level is the physical level (equipment level).

5. Five integral properties of cloud computing are implemented using tools located at different levels of the cloud infrastructure:

- self-service at the request of consumers, rapid response, ubiquitous access and measurability are implemented at the orchestration level;
- integration of computer resources into a single pool - at the management level.


Infrastructure of a typical information system built using cloud technologies (larger image by reference ).

Threats


In the draft GOST, all threats are divided into two large sections:


The threats are similar for all parties to the interaction, but it should be noted that the number of threats for suppliers is much more. As I see it, some of the threats, although related to threats to suppliers, also pose a threat to consumers. So, the assignment of threats to one group or another is very conditional.

The threats to cloud service consumers are as follows:


Threats to cloud service providers:


Also, all threats are summarized in a summary table in which threats are divided not only for suppliers and consumers, but also depending on the cloud service provided.

Generalized scheme of dependence of the presence of threats on the cloud services provided

Threats


Cloud service


H
a
a
S


S
e
c
a
a
S


B
P
a
a
S


D
a
a
S


I
a
a
S


S
D
P
a
a
S


C
a
a
S


P
a
a
S


N
a
a
S


S
a
a
S


T
r
a
a
a
S


W
a
a
S


Security Threats to Cloud Users


Threat of uncertainty of responsibility


+


+


+


+


+



+


+


+


+


+


+


Threat of losing control


+


+


+


+


+


+



+



+



+


The threat of loss of confidence


+


+


+


+


+


+


+


+


+


+



+


The threat of binding to the cloud service provider


+


+


+


+


+


+



+


+


+



+


The threat of unprotected access by consumers of cloud services


+


+


+


+


+



+


+


+


+



+


The threat of a lack of information / cloud management


+


+


+


+


+


+


+


+


+


+


+


+


The threat of data loss and leakage



+


+


+







+


+


+


Security threats to cloud service providers


The threat of uncertainty in the distribution of responsibility


+


+


+


+


+


+


+


+


+


+


+


+


The threat of inconsistency of security policies


+


+


+


+


+


+



+


+


+


+


+


The threat of continuous modernization


+


+


+


+


+


+



+


+


+



+


The threat of suspension of services due to technical failures


+


+


+


+


+


+


+


+


+


+


+


+


The threat of the inability to migrate VM images due to incompatibility of hardware and software


+



+


+


+




+



+



+


The threat of licensing policies



+


+


+


+


+



+



+


+


+


The threat of conflict of jurisdictions of different countries


+


+


+


+


+


+


+


+


+


+


+


+


The threat of poor infrastructure transfer to the cloud












+



The threat of unprotected administration of cloud services


+


+


+


+


+


+


+


+


+


+


+


+


The threat to public access infrastructure


+



+


+


+


+


+


+



+



+


The threat of using virtualization technologies


+


+


+



+




+



+



+


The threat of a cloud server availability





+


+


+



+



+




The threat of unfair fulfillment of obligations by cloud service providers



+


+


+



+


+


+


+


+


+


+


The threat of abuse by cloud service providers g


+


+


+


+


+


+


+


+


+


+


+


+


The threat of abuse by consumers of cloud services


+





+




+





+



Protection requirements


The sixth section of the GOST project is fully devoted to the requirements for the protection of information in the provision of cloud services, depending on the type of service. As an example, we list the measures for the service (IaaS), since the measures are in general identical and it is impractical to list them for each of the services within the framework of this article.

Ensuring the security of information in the provision of infrastructure as a service requires paying special attention to the protection of hardware and virtual data processing devices, as well as communication channels. The following measures should be directed to this:


Finally


Looking at our previous article “Protecting information when using virtualization technologies”, it can be noted that most of the requirements are identical, since the cloud infrastructure is implemented using virtualization technology. All the more surprising is the fact that if you compare the GOST for the protection of virtualization and the GOST project for the protection of clouds, you can see the difference in the conceptual apparatus and the terms used . Considering that when using cloud technologies, it is very likely that both documents need to be applied, this can cause some confusion.

The draft standard has been under development for about five years, changes are made to it and, when we see the approved wording, it is not clear. However, now it can be used as a source of information when planning a secure cloud infrastructure. Just do not forget about the standards that are listed in the draft GOST and with which it was developed.

PS By the link you can download our White Paper on the Federal Law No. 152 .
This is a book that was published to help eliminate confusion in the processing of personal data and clearly describe the process of bringing personal data to IP in accordance with the laws of Russia.

Source: https://habr.com/ru/post/352358/

More articles:


All Articles