
CHAPTER 5 DISCUSSION AND ANALYSIS - Binus Library, library.binus.ac.id/eColls/eThesisdoc/Bab5/CHAPTER 5_274.pdf · 2012. 10. 5.


    CHAPTER 5

    DISCUSSION AND ANALYSIS

    5. Discussion and Analysis

    In this chapter, the author first discusses the possible differences in security between IaaS, PaaS, and SaaS. The author then discusses Indonesia’s regulation for information and electronic transactions. Finally, the results of the data gathering process are analysed according to Gartner’s security assessment framework.

    5.1 Discussion

    This section discusses how cloud vendors provide different kinds of security measures for different kinds of service models. The author also discusses the Indonesian constitution and how it helps secure the vendor’s and the client’s rights in electronic transactions in the cloud.

    5.1.1 Differences of IaaS, PaaS, and SaaS in terms of security

    If we draw a picture of the layers involved in cloud computing, the result for VDC will typically look like this:

    APPLICATION LAYER
    OPERATING SYSTEM LAYER
    VIRTUALISATION LAYER
    PHYSICAL LAYER
    NETWORK LAYER

    Picture 0.1 VDC Layers

    For an architecture that uses VPS, the picture will typically look like the one used by Abc:

    APPLICATION LAYER
    OPERATING SYSTEM LAYER 2
    VIRTUALISATION LAYER
    OPERATING SYSTEM LAYER 1
    PHYSICAL LAYER
    NETWORK LAYER

    Picture 0.1 VPS Layers

    Each layer presents not only a different responsibility for the vendor, but also different vulnerabilities that need to be considered.

    5.1.1.1 IaaS

    In the IaaS model, the vendor only handles security risks in the physical, network and virtualization layers. Above that, the responsibility moves to the client. In the physical server layer, the vendor is responsible for making sure that the server is up and running. In the network layer, the vendor is responsible for monitoring the network traffic and making sure that the resources are available to the client. Last but not least, in the virtualization layer, the vendor is responsible for ensuring a secure multi-tenancy environment. Clients’ data must be strongly isolated.

    In the IaaS model, clients are responsible for handling the security issues from the n. In the VDC architecture, the virtualization software runs directly on top of the physical server, so the only probable risks that need to be taken care of are the problems that might be caused by multi-tenancy. These include data from different clients getting mixed up, unauthorized users accessing a client’s data, etc. However, in VPS, the virtualisation software runs on top of an operating system. Thus, in addition to multi-tenancy risks, a VPS client must be aware of vulnerabilities in that operating system that might cause issues.

    Picture 0.1 IaaS Security Handling; Yellow = Vendor, White = Client

    5.1.1.2 PaaS

    In the PaaS model, for the VDC architecture, the vendor should handle security problems from the physical layer up to the operating system layer. In addition to the vendor’s responsibilities mentioned in the previous section, in the operating system layer the vendor must make sure that the OS is patched and functional. Meanwhile, the client should only be responsible for their own application.

    On the other hand, for the VPS architecture, the vendor should handle security problems up to operating system layer 2. This means there are two possibly different operating systems, presenting different vulnerabilities, that the vendor needs to consider. First of all, the vendor is responsible for patching/updating the operating system. If any problem occurs in this layer, the vendor will need to be held responsible.

    Picture 0.2 PaaS Security Handling; Yellow = Vendor, White = Client

    5.1.1.3 SaaS

    In the SaaS model, the vendor is responsible for managing security from the physical layer all the way to the application layer. In addition to the responsibilities mentioned in the previous section, the application layer adds some other responsibilities for the vendor. Firstly, the vendor should make sure that the application is always available to the client when needed. In other words, the vendor is responsible for the availability of the application. Secondly, the vendor should make sure that the application is functioning properly and that the output is correct. However, if the application is a product that comes from a partner company, then these responsibilities can be passed on to the company that makes the software.

    Picture 0.1 SaaS Security Handling; Yellow = Vendor, White = Client

    5.1.2 Indonesia’s Constitution about Information and Electronic Transaction

    Many people have said that Indonesia is not yet ready to adopt cloud computing technology because the regulation is still not sufficient to protect the client’s rights. But what does UU ITE actually contain that might relate to electronic transactions in the cloud? The following is a list of some of the verses in UU ITE about electronic transactions:

    • Verse 9 states that every business actor that offers a product through an electronic system has to provide complete and correct information about the product. Based on this verse, a client can sue a vendor if the vendor provides false information about its service just to lure the client into subscribing.

    • Verse 15 of the constitution explains that the owner of an electronic system is responsible for running the system in a reliable and secure manner, and that the system should function properly. The vendor will be held responsible for all processes running in its electronic system. However, this will not be the case if it can be proved that the mistake or error was made by the client. This verse protects both the client’s and the vendor’s rights. If the mistake is the vendor’s, then the vendor can be punished. However, if the error is the client’s, then the vendor will not be held responsible.

    • Verse 18 of the constitution explains that, for an international transaction, every actor has the right to choose which country’s law will apply to the transaction. However, this must be written in the form of a contract, or else International Civil Law will apply. Thus, the vendor and the client should come to an agreement on the law that applies to international transactions. This becomes important if the vendor’s data centre is located outside the country. That is why it is critical for the client to ask about the data centre’s location before subscribing to any vendor’s services.

    • Verse 26 of the constitution states that every use of someone’s personal data on an electronic medium requires that person’s permission. If this right is violated, the person can file a lawsuit for his/her loss, based on this constitution.

    • Verse 30 of this constitution states that no unauthorized person is allowed to access someone else’s computer or electronic system by any means for the purpose of accessing electronic information/documents.

    • Verse 31 forbids any individual from intercepting or tapping any private electronic information/document, unless it is done by law enforcement agencies acting on the basis of the constitution.

    • Verse 33 protects the rights of the vendor of an electronic system. Every individual who, either intentionally or unintentionally, does something that results in a disturbance to the electronic system will be punished.

    • Verse 35 protects data integrity and availability by forbidding any party from manipulating, creating, fabricating, deleting, or damaging someone else's electronic information/document in order to make it look authentic.

    • Verse 37 protects electronic systems located inside Indonesia’s jurisdiction from attack by an individual or party from outside the country.

    5.2 Analysis

    In this section, the author analyses the results of the data gathering that appear in chapter 4. Table 5.1 below shows a summary of the data gathered in chapter 4.

    Table 5.0.1 SUMMARY OF THE INFORMATION GATHERED FROM CLOUD VENDOR

    CATEGORY: Privileged User Access
    Questions:
    1. Who can access client’s data
    2. Who has access to get into the server room
    3. How to access the server room
    BIZNET:
    1. Biznet does not have access to client’s data
    2. Only an authorized person can access.
    3. A person will need to go through an authorization process.
    IPTEKNET:
    1. Only client has access to their data
    2. Only an authorized person can access.
    3. A person will need to go through an authorization process.
    XYZ:
    1. Only client has access to their data
    2. Only admin have access to the server room. Plus, xyz’s data centre already followed ISO 27001
    3. A person will need to go through an authorization process.
    ABC:
    1. Only client has access to their data
    2. Data centre already followed ISO 27001
    3. A person will need to go through an authorization process.

    CATEGORY: Compliance
    Questions:
    1. Audit/Certification
    BIZNET:
    1. Data centre of Biznet already complies with ISO 27001
    IPTEKNET:
    1. Data centre of Ipteknet already complies with ISO 27001
    XYZ:
    1. Xyz already acquired ISO 27001 certificate
    ABC:
    1. Abc already acquired ISO 27001 certificate

    CATEGORY: Data Location
    Questions:
    1. Is the data centre located in Indonesia?
    2. What law applies in case of a security problem?
    BIZNET: All data centres used to store clients’ data are located in Indonesia. Thus, only Indonesian law applies.
    IPTEKNET: All data centres used to store clients’ data are located in Indonesia. Thus, only Indonesian law applies.
    XYZ: All data centres used to store clients’ data are located in Indonesia. Thus, only Indonesian law applies.
    ABC: All data centres used to store clients’ data are located in Indonesia. Thus, only Indonesian law applies.

    CATEGORY: Data Segregation
    Questions:
    1. How does the provider separate data for each client?
    BIZNET:
    1. The data is separated using the technology of virtualization.
    IPTEKNET:
    1. The data is separated using the technology of virtualization.
    XYZ:
    1. The data is separated using VLAN technology
    ABC:
    1. Vendor ensures data separation (secure multi-tenant system)

    CATEGORY: Availability
    Questions:
    1. Does the SLA contain the promise on server uptime?
    BIZNET:
    1. It is written in the SLA
    IPTEKNET:
    1. It is written in the SLA
    XYZ:
    1. It is written in the SLA
    ABC:
    1. It is written in the SLA

    CATEGORY: Recovery
    Questions:
    1. What will happen to your data in case of a disaster?
    BIZNET:
    1. BizNet has its own Disaster Recovery site. Client’s data will be backed up periodically
    IPTEKNET:
    1. Ipteknet has its own Disaster Recovery site. Client’s data will be backed up periodically.
    XYZ:
    1. Xyz has its own Disaster Recovery site. Client’s data will be backed up periodically.
    ABC:
    1. Abc has its own Disaster Recovery site. Client’s data will be backed up periodically.

    CATEGORY: Investigative Support
    Questions:
    1. What kind of information can be gained from the vendor that will be useful for investigation?
    BIZNET:
    1. server log
    IPTEKNET:
    1. server log
    XYZ:
    1. server log
    ABC:
    1. server log

    CATEGORY: Long-term Viability
    Questions:
    1. What will happen to your data in case the vendor’s company goes bankrupt or is not operating anymore?
    BIZNET:
    1. Client will be given some time (approximately a month) to choose what they want to do with their data (either move it or delete it)
    IPTEKNET:
    1. The data will be given back to the client
    XYZ:
    1. The data will be given back to the client free of charge
    ABC:
    1. The data will be given back to the client

    CATEGORY: Support in Reducing Risks
    Questions:
    1. Does the vendor provide any kind of training for increasing security?
    BIZNET:
    1. If requested, Biznet can provide a consultation and recommendation.
    IPTEKNET:
    1. If requested, Ipteknet can provide a consultation and recommendation.
    XYZ:
    1. If requested, xyz can provide a consultation and recommendation.
    ABC:
    1. If requested, abc can provide a consultation and recommendation.

    5.2.1 Privileged User Access

    5.2.1.1 Access to Client’s Data

    The client’s data can only be accessed by the client. Nobody from the vendor can have access to the client’s data. This provides a level of trust between the vendor and the client. Every vendor claims that only the client can access the client’s data. For this, all vendors get a SECURE.

    5.2.1.2 How to Access the Server Room

    According to Gartner, privileged user access is all about finding out who on the vendor’s side could possibly have access to the client’s data. This means assessing who has access to the client’s data on the server, and also to the server itself. It is important to ask the vendor whether or not the vendor can access the client’s data, and who can access the server room. Furthermore, the method of authentication used to access the server room should also be considered.

    The ways in which someone may be authenticated fall into three categories. The first is something that you know, e.g. a password or a collection of personal information. The second is something that you have; examples include a SmartCard and a key. The third is something that you are, such as a fingerprint or the retina of the eye.

    The use of these factors then leads to a categorization of authentication methods [21]. There are three categories of methods, based on the number of factors used. The first is Single-Factor Authentication, as it uses only one of the three factors mentioned above. This method is used in applications like email, where we need only a password and an email address to log in. The second is Two-Factor Authentication, which uses two of the three factors. This kind of authentication is used in banking transactions at an ATM, where the user needs to insert the card (what you have) and then enter their password (what you know). Last but not least, the third method is Three-Factor Authentication, which uses all three factors to authenticate a person. For example, to access a room a person might need to have an access card (what you have), enter a four-digit code (what you know), and then present a finger for fingerprint authentication (what you are).

    Out of these three methods, Biznet and Ipteknet use two-factor authentication. To access the server room, a person needs to have an access card and know the password. The other providers did not answer this question when asked by phone or by email. However, xyz and abc have both already obtained ISO 27001. This means the security of their data centres is already up to the standard. In conclusion, the author believes that all vendors deserve a SECURE.

    5.2.1.3 Who has Access to the server room

    Only administrators from the vendor’s company can access the server room. This is the case with Biznet and Ipteknet. For Xyz and Abc, since they already have the ISO 27001 certificate, we can assume that access control is already considered to be secure. Thus, every vendor deserves a SECURE.

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    PRIVILEGED USER ACCESS
    Access to client’s data from vendor | SECURE | SECURE | SECURE | SECURE
    Who has access to get into the server room? | SECURE | SECURE | SECURE | SECURE
    How to access the server room | SECURE | SECURE | SECURE | SECURE

    Table 5.2 Privileged User Access Assessment

    5.2.2 Compliance

    5.2.2.1 Audit/Certification

    The certification related to information security that a vendor should have is ISO 27001. ISO 27001, whose full name is ISO/IEC 27001:2005, is a standard that defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls [23]. The existence of this certificate may affect customers’ trust in the vendor’s security. Only Xyz and Abc have already obtained the ISO 27001 certification. However, Biznet and Ipteknet have also built their data centres in compliance with ISO 27001. Thus, all vendors get a SECURE.

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    COMPLIANCE
    Audit/Certification | YES | YES | YES | YES

    Table 5.3 Compliance Assessment

    5.2.3 Data Location

    5.2.3.1 Based on the data gained from the vendors, the servers used to keep clients’ data are located in Indonesia, and so are the Disaster Recovery Sites. This is probably to comply with the RPP PITE, which is a draft of constitution about the establishment of information and electronic transaction. This draft regulation contains rules for people who own an electronic system, requiring them to have their data centre located in Indonesia. This is said to be for the sake of guarding national data. For this, all vendors get a YES.

    5.2.3.2 Since all data centres are located in Indonesia, only Indonesia’s regulation applies. This makes it easier to resolve disputes in case of trouble. Thus, every vendor gets a YES.

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    DATA LOCATION
    Is the data centre located in Indonesia? | YES | YES | YES | YES
    What law applies in case of a security problem? | YES | YES | YES | YES

    Table 5.4 Data Location Assessment

    5.2.4 Data Segregation

    5.2.4.1 How does the provider separate data for each client?

    Virtualization technology is used to separate the data of different clients. Virtualization makes it look as if each client’s data is located on a different server, just like a dedicated server. This creates a secure multi-tenant environment. Biznet, Ipteknet and Abc enforce strong isolation for each VM to separate it. Xyz uses VLAN technology to limit access from one network to another. Thus, every vendor gets a SECURE.

    Table 5.5 Data Segregation Assessment

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    DATA SEGREGATION
    How does the provider separate data for each client? | SECURE | SECURE | SECURE | SECURE

    5.2.5 Availability

    Each vendor has its own uptime figure. However, every vendor must put it in the SLA so that it has binding power. It turns out that Biznet, Ipteknet, Xyz, and Abc have all put it in the SLA to show their commitment. Thus, all vendors get a YES.

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    AVAILABILITY
    Does the SLA contain the promise on server uptime? | YES | YES | YES | YES

    Table 5.6 Availability Assessment

    5.2.6 Recovery

    The architecture used by all vendors already provides redundancy. This means that all clients’ data has already been backed up to a Disaster Recovery Site.

    In case of a disaster in which, let us say, the data centre is ruined, the vendor will redirect all requests to the disaster recovery site while the damage is fixed. Each vendor has its own Disaster Recovery Site and backs up clients’ data periodically. This way, in case of a disaster, clients will not lose their data. For this reason, all vendors can be counted as SECURE.

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    RECOVERY
    What will happen to your data in case of a disaster? | SECURE | SECURE | SECURE | SECURE

    Table 5.7 Recovery Assessment

    5.2.7 Investigative Support

    All vendors can provide a server log which contains the list of people who have accessed the server. Thus, all vendors get a YES.

    Table 5.8 Investigative Support Assessment

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    INVESTIGATIVE SUPPORT
    What kind of information can be gained from the vendor that will be useful for investigation? | YES | YES | YES | YES

    5.2.8 Long-Term Viability

    Long-Term Viability is all about what will happen to the client’s data if the vendor stops operating. When asked about this, all vendors basically said that the data will be given back to the client. However, it is actually not that simple. There is also the problem of integrating the data back in-house, and the vendors did not explain this. For that reason, all vendors get a NO.

    Table 5.9 Investigative Support Assessment

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    LONG-TERM VIABILITY
    What will happen to your data in case the vendor’s company goes bankrupt or is not operating anymore? | NO | NO | NO | NO

    5.2.9 Support for Reducing Risks

    When requested, all vendors are willing to help clients in need with consultation. Clients can ask how to maintain their infrastructure, what anti-virus should be used, etc., and the vendor’s staff can then provide answers based on their expertise. For this, all vendors get a YES.

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    SUPPORT IN REDUCING RISKS
    Does the vendor provide any kind of training for increasing security? | YES | YES | YES | YES

    Table 5.10 Support in Reducing Risks Assessment

    Table 5.11 OVERALL ASSESSMENT OF SECURITY MEASURE GIVEN BY VENDOR BASED ON GARTNER’S FRAMEWORK

    CATEGORY | BIZNET | IPTEKNET | XYZ | ABC
    PRIVILEGED USER ACCESS
    Access to client’s data from vendor | SECURE | SECURE | SECURE | SECURE
    Who has access to get into the server room? | SECURE | SECURE | SECURE | SECURE
    How to access the server room | SECURE | SECURE | SECURE | SECURE
    COMPLIANCE
    Audit/Certification | YES | YES | YES | YES
    DATA LOCATION
    Is the data centre located in Indonesia? | YES | YES | YES | YES
    What law applies in case of a security problem? | YES | YES | YES | YES
    DATA SEGREGATION
    How does the provider separate data for each client? | SECURE | SECURE | SECURE | SECURE
    AVAILABILITY
    Does the SLA contain the promise on server uptime? | YES | YES | YES | YES
    RECOVERY
    What will happen to your data in case of a disaster? | SECURE | SECURE | SECURE | SECURE
    INVESTIGATIVE SUPPORT
    What kind of information can be gained from the vendor that will be useful for investigation? | YES | YES | YES | YES
    LONG-TERM VIABILITY
    What will happen to your data in case the vendor’s company goes bankrupt or is not operating anymore? | NO | NO | NO | NO
    SUPPORT IN REDUCING RISKS
    Does the vendor provide any kind of training for increasing security? | YES | YES | YES | YES
    GRAND TOTAL (SECURE/YES : NOT SECURE/NO) | 8:1 | 8:1 | 8:1 | 8:1 | 32:4