CHAPTER 5
DISCUSSION AND ANALYSIS
5. Discussion and Analysis
In this chapter the author first discusses the differences in security between IaaS, PaaS, and SaaS, and then Indonesia's regulation on information and electronic transactions. Finally, the results of the data gathering process are analysed according to Gartner's security assessment framework.
5.1 Discussion
This section discusses how cloud vendors provide different kinds of security measures for the different service models. It also covers the Indonesian law on electronic transactions and how it helps secure the vendor's and the client's rights when transacting in the cloud.
5.1.1 Differences of IaaS, PaaS, and SaaS in terms of security
If we draw the layers involved in cloud computing, the result for a VDC, where the virtualisation software runs directly on the physical server, typically looks like this (top to bottom):

Picture 0.1 VDC Layers: Application layer; Operating system layer; Virtualisation layer; Physical layer; Network layer.

For a VPS, where the virtualisation software itself runs inside a host operating system, the picture typically looks like the one used by Abc:

Picture 0.1 VPS Layers: Application layer; Operating system layer 2 (guest); Virtualisation layer; Operating system layer 1 (host); Physical layer; Network layer.

Each layer brings not only a different responsibility for the vendor but also different vulnerabilities that need to be considered.
5.1.1.1 IaaS
In the IaaS model the vendor only handles the security risks in the physical, network and virtualisation layers. Above that, the responsibility has already moved to the client. In the physical layer, the vendor is responsible for making sure that the server is up and running. In the network layer, the vendor is responsible for monitoring the network traffic and making sure that the resources are available to the client. Last but not least, in the virtualisation layer the vendor is responsible for providing a secure multi-tenant environment: each client's data must be strongly isolated from every other client's.
In the IaaS model the client is responsible for handling security issues from the operating system layer upwards. In the VDC architecture the virtualisation software runs directly on top of the physical server, so the only risks the vendor has to take care of are the ones caused by multi-tenancy: data from different clients getting mixed up, an unauthorised user gaining access to a client's data, and so on. In a VPS, however, the virtualisation software runs on top of a host operating system. So, in addition to the multi-tenancy risks, a VPS client must be aware that a vulnerability in that host operating system, which sits below the virtualisation layer on the vendor's side, can also cause problems for every client on that host.
Picture 0.1 IaaS Security Handling; Yellow = Vendor, White = Client
5.1.1.2 PaaS
In the PaaS model, for the VDC architecture, the vendor should handle security problems from the physical layer up to the operating system layer. In addition to the vendor's responsibilities mentioned in the previous section, in the operating system layer the vendor must make sure that the OS is patched and functional. Meanwhile, the client should only be responsible for their own application.
On the other hand, for the VPS architecture, the vendor should handle the security problems up to operating system layer 2. This means there are two possibly different operating systems, each presenting different vulnerabilities, that the vendor needs to consider. First of all, the vendor is responsible for patching/updating both operating systems. If any problem occurs in this layer, the vendor will be held responsible.
Picture 0.2 PaaS Security Handling; Yellow = Vendor, White = Client
5.1.1.3 SaaS
In the SaaS model the vendor is responsible for managing security from the physical layer all the way up to the application layer. In addition to the responsibilities mentioned in the previous sections, the application layer adds some further responsibilities for the vendor. Firstly, the vendor should make sure that the application is always available to the client when needed; in other words, the vendor is responsible for the availability of the application. Secondly, the vendor should make sure that the application is functioning properly and that its output is correct. However, if the application is a product that comes from a partner company, these responsibilities can be passed on to the company that makes the software, although from the client's point of view the vendor is still the party they have contracted with.
Picture 0.1 SaaS Security Handling; Yellow = Vendor, White = Client
5.1.2 Indonesia's Law on Information and Electronic Transactions
Many people say that Indonesia is not yet ready to adopt cloud computing because the regulation is not yet sufficient to protect the client's rights. But what does UU ITE (the Law on Information and Electronic Transactions, Law No. 11 of 2008) actually say that relates to electronic transactions in the cloud? The following is a list of some of the articles of UU ITE about electronic transactions:
• Article 9 states that every business actor that offers a product through an electronic system has to provide complete and correct information about the product. Based on this article, the client can sue the vendor in case the vendor provides false information about its service just to lure the client into subscribing.
• Article 15 explains that the operator of an electronic system is responsible for running the system in a reliable and secure manner, and that it should function properly as intended. The vendor will be held responsible for all processes running in its electronic system. However, this will not be the case if it can be proved that the mistake or error was made by the client. This article protects both the client's and the vendor's rights: if the mistake is on the vendor's side, the vendor can be punished; if the error is on the client's side, the vendor will not be held responsible.
• Article 18 explains that for an international transaction the parties have the right to choose which country's law will apply to the transaction. However, this should be written into the contract, or else the principles of private international law will apply. Thus, vendor and client should agree on the law that applies to international transactions. This becomes important when the vendor's data centre is located outside the country, which is why it is critical for the client to inquire about the data centre's location before subscribing to any vendor's services.
• Article 26 states that the use of someone's personal data in an electronic medium requires that person's permission. If this right is violated, the person can file a lawsuit for his/her loss based on this law.
• Article 30 states that no unauthorised person is allowed to access someone else's computer or electronic system by any means for the purpose of obtaining electronic information/documents.
• Article 31 forbids any individual from intercepting or tapping private electronic information/documents, unless it is done by law enforcement agencies on the basis of the law.
• Article 33 protects the rights of the operator of an electronic system: anyone who does something that results in the disruption of an electronic system can be punished.
• Article 35 protects data integrity and availability by forbidding any party from manipulating, creating, altering, deleting, or damaging someone else's electronic information/documents in order to make them look authentic.
• Article 37 protects electronic systems located inside Indonesia's jurisdiction from attack by an individual or party from outside the country.
5.2 Analysis
In this section, the author analyses the results of the data gathering presented in chapter 4. Table 5.1 below summarises the data gathered in chapter 4.
Table 5.1 SUMMARY OF THE INFORMATION GATHERED FROM THE CLOUD VENDORS

PRIVILEGED USER ACCESS
1. Who can access the client's data?
   Biznet: Biznet does not have access to the client's data.
   Ipteknet: Only the client has access to their data.
   Xyz: Only the client has access to their data.
   Abc: Only the client has access to their data.
2. Who has access to the server room?
   Biznet: Only an authorised person can access it.
   Ipteknet: Only an authorised person can access it.
   Xyz: Only admins have access to the server room; in addition, Xyz's data centre already follows ISO 27001.
   Abc: The data centre already follows ISO 27001.
3. How is the server room accessed?
   Biznet, Ipteknet, Xyz, Abc: A person will need to go through an authorisation process.

COMPLIANCE
1. Audit/certification
   Biznet: Biznet's data centre already complies with ISO 27001.
   Ipteknet: Ipteknet's data centre already complies with ISO 27001.
   Xyz: Xyz has already acquired the ISO 27001 certificate.
   Abc: Abc has already acquired the ISO 27001 certificate.

DATA LOCATION
1. Is the data centre located in Indonesia?
2. What law applies in case of a security problem?
   Biznet, Ipteknet, Xyz, Abc: All data centres used to store clients' data are located in Indonesia; thus only Indonesian law applies.

DATA SEGREGATION
1. How does the provider separate each client's data?
   Biznet: The data is separated using virtualisation technology.
   Ipteknet: The data is separated using virtualisation technology.
   Xyz: The data is separated using VLAN technology.
   Abc: The vendor ensures data separation (secure multi-tenant system).

AVAILABILITY
1. Does the SLA contain a promise on server uptime?
   Biznet, Ipteknet, Xyz, Abc: It is written in the SLA.

RECOVERY
1. What will happen to your data in case of a disaster?
   Biznet, Ipteknet, Xyz, Abc: The vendor has its own disaster recovery site; the client's data is backed up there periodically.

INVESTIGATIVE SUPPORT
1. What kind of information can be obtained from the vendor that will be useful for an investigation?
   Biznet, Ipteknet, Xyz, Abc: Server logs.

LONG-TERM VIABILITY
1. What will happen to your data if the vendor goes bankrupt or stops operating?
   Biznet: The client will be given some time (approximately a month) to choose what to do with their data (either move it or delete it).
   Ipteknet: The data will be given back to the client.
   Xyz: The data will be given back to the client free of charge.
   Abc: The data will be given back to the client.

SUPPORT IN REDUCING RISKS
1. Does the vendor provide any kind of training for increasing security?
   Biznet, Ipteknet, Xyz, Abc: If requested, the vendor can provide consultation and recommendations.

5.2.1 Privileged User Access
5.2.1.1 Access to Client's Data
The client's data can only be accessed by the client; nobody from the vendor's side has access to it. This provides a level of trust between the vendor and the client. Every vendor claims that only the client can access the client's data (the assessment relies on the vendors' answers, not on an independent check). For this, all vendors get a SECURE.
5.2.1.2 How to Access the Server Room
According to Gartner, privileged user access is about finding out who on the vendor's side could possibly have access to the client's data. This means assessing who has access to the client's data on the server, and also to the server itself. It is therefore important to ask the vendor whether or not the vendor can access the client's data and who can access the server room. Furthermore, the method of authentication used to access the server room should also be considered.
The ways in which someone may be authenticated fall into three categories. The first is something you know, e.g. a password or a collection of personal information. The second factor is something you have; examples include a smart card and a key. The third involves something you are, such as a fingerprint or the retina of the eye.
The number of these factors used then determines the category of the authentication method [21]. There are three categories. The first is Single-Factor Authentication, which uses only one of the three factors; this is the method used by applications such as email, where we only need an email address and a password to log in. The second is Two-Factor Authentication, which uses two of the three factors; this is the kind used for banking transactions at an ATM, where the user inserts the card (what you have) and then enters their PIN (what you know). Last but not least, the third is Three-Factor Authentication, which uses all three factors to authenticate a person. For example, to access a room a person might need to present an access card (what you have), enter a four-digit code (what you know), and then place their finger on a reader for fingerprint authentication (what you are).
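As an added illustration of the two-factor case described above (example code written for this page, not code from the thesis or from any of the vendors), the following Python implements a login that checks something you know, a password stored as a salted PBKDF2 hash, together with something you have, a time-based one-time code of the kind a hardware token or phone app produces under RFC 6238. The user record, the password and the token secret (the RFC 6238 test key) are constructed for illustration; the replay check that refuses a code which has already been accepted is a design choice of this example, not a requirement of the RFC.

```python
"""Two-factor login check, as an added example: something you know (a password
stored as a salted PBKDF2 hash) plus something you have (a time-based one-time
code from a token or phone app, RFC 6238). The user record, password and token
secret below are constructed for illustration; the secret is the RFC 6238 test key."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: an iteration count the login server can afford
STEP_SECONDS = 30        # TOTP time step; 30 s is the RFC 6238 default


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest). Only the salt and digest are stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash and compare in constant time (what you know)."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps since the epoch."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // STEP_SECONDS), digits)


def verify_totp(secret: bytes, code: str, now: Optional[float] = None,
                window: int = 1) -> Optional[int]:
    """Return the time step the code belongs to, or None. The +-window tolerates
    clock drift between the token and the server (what you have)."""
    now = time.time() if now is None else now
    base = int(now // STEP_SECONDS)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta).encode(), code.encode()):
            return base + delta
    return None


def two_factor_login(password: str, code: str, record: dict,
                     now: Optional[float] = None) -> bool:
    """Both factors are always evaluated, so the response time does not reveal which
    one failed. A code is accepted once: record["last_step"] stops replay of a code
    that somebody read over the user's shoulder."""
    know_ok = verify_password(password, record["salt"], record["pw_hash"])
    step = verify_totp(record["totp_secret"], code, now)
    have_ok = step is not None and step > record.get("last_step", -1)
    if know_ok and have_ok:
        record["last_step"] = step
        return True
    return False


# Constructed user record: password chosen for the example, TOTP secret = RFC 6238 test key.
_SALT, _PW_HASH = hash_password("correct horse battery staple")
USER = {"salt": _SALT, "pw_hash": _PW_HASH, "totp_secret": b"12345678901234567890"}

if __name__ == "__main__":
    rec = dict(USER)
    code = totp(rec["totp_secret"])  # what the token would display right now
    print("first login:", two_factor_login("correct horse battery staple", code, rec))
    print("replayed   :", two_factor_login("correct horse battery staple", code, rec))
    print("wrong pass :", two_factor_login("hunter2", totp(rec["totp_secret"]), rec))
```

Both factors are evaluated before the result is combined, so a failed login takes the same time whether the password or the code was wrong. The replay check matters because a TOTP code stays valid for a whole 30-second step plus the drift window, so a code that was seen once could otherwise be reused within that window.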
Of these three methods, Biznet and Ipteknet use two-factor authentication: to access the server room a person needs to have an access card and know the password. The other two providers did not answer this question when asked by phone or by email. However, Xyz and Abc have both already obtained ISO 27001 certification. This means the security of their data centres is already up to the standard. In conclusion the author believes that all vendors deserve a SECURE.
5.2.1.3 Who has Access to the Server Room
Only administrators from the vendor's company can access the server room. This is the case with Biznet and Ipteknet. For Xyz and Abc, since they already hold the ISO 27001 certificate, we can assume that access control is already considered secure. Thus, every vendor deserves a SECURE.
CATEGORY BIZNET IPTEKNET XYZ ABC
PRIVILEGED USER ACCESS
Access to client’s data from vendor SECURE SECURE SECURE SECURE
Who has access to get into the server room? SECURE SECURE SECURE SECURE
How to access the server room SECURE SECURE SECURE SECURE
Table 5.2 Privileged User Access Assessment
53
5.2.2 Compliance
5.2.2.1 Audit/Certification
The certification a vendor should have in relation to information security is ISO 27001. Its full name is ISO/IEC 27001:2005, the standard that defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls [23]. Holding this certificate can increase the client's trust in the vendor's security, bearing in mind that the certificate only attests to the ISMS within the scope stated on it. Only Xyz and Abc have already obtained ISO 27001 certification. However, Biznet and Ipteknet have also built their data centres in compliance with ISO 27001. Thus, all vendors get a YES.
CATEGORY BIZNET IPTEKNET XYZ ABC
COMPLIANCE
Audit/Certification YES YES YES YES
Table 5.3 Compliance Assessment
5.2.3 Data Location
5.2.3.1 Based on the data obtained from the vendors, the servers used to keep the client's data are located in Indonesia, and so is the disaster recovery site. This is probably in anticipation of the RPP PITE, a draft government regulation on the operation of information and electronic transactions. This draft regulation contains rules for electronic system operators that would require them to locate their data centre in Indonesia, said to be for the sake of guarding national data. For this, all vendors get a YES.
5.2.3.2 Since all data centres are located in Indonesia, only Indonesian regulation applies. This makes it easier to resolve a dispute in case of trouble. Thus, every vendor gets a YES.
CATEGORY BIZNET IPTEKNET XYZ ABC
DATA LOCATION
Is the data centre located in
Indonesia? YES YES YES YES
What law applies in case of security
problem? YES YES YES YES
Table 5.4 Data Location Assessment
5.2.4 Data Segregation
5.2.4.1 How does the provider separate each client's data?
Virtualisation technology is used to separate the data of different clients. Virtualisation makes it look as if each client's data were located on a different server, just like a dedicated server. This creates a secure multi-tenant environment. Biznet, Ipteknet and Abc enforce strong isolation of each VM to separate it. Xyz uses VLAN technology to limit access from one network to another. Thus, every vendor gets a SECURE.
CATEGORY BIZNET IPTEKNET XYZ ABC
DATA SEGREGATION
How does the provider separate each
client's data? SECURE SECURE SECURE SECURE
Table 5.5 Data Segregation Assessment
5.2.5 Availability
Each vendor has its own uptime figure. However, every vendor must put it in the SLA so that it is binding. It turns out that Biznet, Ipteknet, Xyz, and Abc have all put it in the SLA to show their commitment. Thus, all vendors get a YES.
CATEGORY BIZNET IPTEKNET XYZ ABC
AVAILABILITY
Does the SLA contain the promise on
server uptime? YES YES YES YES
Table 5.6 Availability Assessment
5.2.6 Recovery
The architecture used by all vendors already provides redundancy. This means that all of the client's data has already been backed up to a disaster recovery site.
In case of a disaster, say the data centre is destroyed, the vendor will redirect all requests to the disaster recovery site while the damage is repaired. Each vendor has its own disaster recovery site and backs up the client's data periodically. This way, in case of a disaster, the client will not lose their data, apart from any changes made after the last backup. For this reason all vendors can be counted as SECURE.
CATEGORY BIZNET IPTEKNET XYZ ABC
RECOVERY
What will happen to your data in case of a
disaster? SECURE SECURE SECURE SECURE
Table 5.7 Recovery Assessment
5.2.7 Investigative Support
All vendors can provide a server log, which contains the list of people who have accessed the server. Thus, all vendors get a YES.
Table 5.8 Investigative Support Assessment
CATEGORY BIZNET IPTEKNET XYZ ABC
INVESTIGATIVE SUPPORT
What kind of information can be
gained from the vendor that will be
useful for investigation?
YES YES YES YES
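The server log only helps an investigation once someone turns it into a list of who got in, from where, and how. As an added example that is not part of the thesis or of any vendor's tooling, the Python below does that for OpenSSH authentication lines of the kind a Linux host writes to its auth log: it parses the lines, builds the access list the vendors describe, and flags a source address that logged in right after a burst of failed attempts, which is the pattern an investigator would want to see first. The log lines are constructed for the example, and the year is an assumption because syslog timestamps do not carry one.

```python
"""Access list and brute-force finding from OpenSSH auth log lines, as an added
example. The log lines are constructed; LOG_YEAR is an assumption because
syslog timestamps carry no year."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2024  # assumption: take the year from the log file's rotation date

# Constructed sample, in the format sshd writes to /var/log/auth.log or /var/log/secure.
SAMPLE_LOG = """\
Mar 14 09:12:01 vm-42 sshd[2113]: Accepted publickey for deploy from 10.0.5.12 port 51022 ssh2: RSA SHA256:k9XvQ1
Mar 14 09:15:44 vm-42 sshd[2190]: Failed password for root from 203.0.113.9 port 40110 ssh2
Mar 14 09:15:46 vm-42 sshd[2190]: Failed password for root from 203.0.113.9 port 40110 ssh2
Mar 14 09:15:49 vm-42 sshd[2192]: Failed password for invalid user admin from 203.0.113.9 port 40114 ssh2
Mar 14 09:15:51 vm-42 sshd[2193]: Failed password for root from 203.0.113.9 port 40116 ssh2
Mar 14 09:16:03 vm-42 sshd[2195]: Accepted password for root from 203.0.113.9 port 40120 ssh2
Mar 14 11:40:17 vm-42 sshd[2710]: Accepted publickey for deploy from 10.0.5.12 port 51340 ssh2: RSA SHA256:k9XvQ1
Mar 14 11:41:02 vm-42 sshd[2710]: Disconnected from user deploy 10.0.5.12 port 51340
"""

# Only login outcomes are of interest; "invalid user" is an optional marker sshd adds.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_auth_log(text):
    """Turn sshd auth lines into event dicts; lines that are not login outcomes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def access_list(events):
    """Who actually got in: one row per (user, source ip) with first/last login and count."""
    rows = {}
    for e in events:
        if not e["ok"]:
            continue
        r = rows.setdefault((e["user"], e["ip"]), {
            "user": e["user"], "ip": e["ip"], "logins": 0,
            "first": e["ts"], "last": e["ts"], "methods": set()})
        r["logins"] += 1
        r["first"] = min(r["first"], e["ts"])
        r["last"] = max(r["last"], e["ts"])
        r["methods"].add(e["method"])
    return sorted(rows.values(), key=lambda r: r["first"])


def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag source ips with >= threshold failures inside `window`, and note whether the
    same ip later logged in successfully (the case an investigator looks at first)."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e["ts"])
    findings = []
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                later_ok = [e for e in events
                            if e["ok"] and e["ip"] == ip and e["ts"] >= times[i]]
                findings.append({"ip": ip, "failures": len(times), "first_fail": times[i],
                                 "success_user": later_ok[0]["user"] if later_ok else None})
                break  # one finding per source ip is enough
    return findings


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    for r in access_list(ev):
        print(f"{r['user']:8} from {r['ip']:14} logins={r['logins']} "
              f"first={r['first']:%H:%M:%S} last={r['last']:%H:%M:%S} via {sorted(r['methods'])}")
    for f in brute_force_then_success(ev):
        print(f"ALERT {f['ip']}: {f['failures']} failures from {f['first_fail']:%H:%M:%S}, "
              f"then logged in as {f['success_user']}")
```

The access list answers the vendor's question directly, while the second function shows why raw logs are not enough on their own: the interesting entry here is not the successful root login but the four failures in seven seconds that preceded it.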
5.2.8 Long-Term Viability
Long-term viability is about what will happen to the client's data if the vendor stops operating. When asked about this, all vendors basically said that the data will be given back to the client. However, it is not that simple: there is also the problem of integrating the data back in-house, and none of the vendors explained how this would be done. For that reason all vendors get a NO.
CATEGORY BIZNET IPTEKNET XYZ ABC
LONG-TERM VIABILITY
What will happen to your data in case the
vendor's company went bankrupt or not
operating anymore?
NO NO NO NO
Table 5.9 Long-Term Viability Assessment
5.2.9 Support for Reducing Risks
When requested, all vendors are willing to provide consultation to a client in need. The client can ask how to maintain their infrastructure, which anti-virus should be used, etc., and vendor staff answer based on their expertise. For this, all vendors get a YES.
CATEGORY BIZNET IPTEKNET XYZ ABC
SUPPORT IN REDUCING RISKS
Does the vendor provide any kind of
training for increasing security? YES YES YES YES
Table 5.10 Support in Reducing Risks Assessment
Table 5.11 OVERALL ASSESSMENT OF THE SECURITY MEASURES GIVEN BY THE VENDORS
BASED ON GARTNER'S FRAMEWORK
CATEGORY BIZNET IPTEKNET XYZ ABC
PRIVILEGED USER ACCESS
Access to client's data from vendor SECURE SECURE SECURE SECURE
Who has access to get into the server
room? SECURE SECURE SECURE SECURE
How to access the server room SECURE SECURE SECURE SECURE
COMPLIANCE
Audit/Certification YES YES YES YES
DATA LOCATION
Is the data centre located in Indonesia? YES YES YES YES
What law applies in case of security
problem? YES YES YES YES
DATA SEGREGATION
How provider separate data for each
client? SECURE SECURE SECURE SECURE
AVAILABILITY
Does the SLA contain the promise on
server uptime? YES YES YES YES
RECOVERY
What will happen to your data in case of a
disaster? SECURE SECURE SECURE SECURE
INVESTIGATIVE SUPPORT
What kind of information can be gained
from the vendor that will be useful for
investigation?
YES YES YES YES
LONG-TERM VIABILITY
What will happen to your data in case the
vendor's company went bankrupt or not
operating anymore?
NO NO NO NO
SUPPORT IN REDUCING RISKS
Does the vendor provide any kind of
training for increasing security? YES YES YES YES
GRAND TOTAL (counted per category, SECURE/YES : NOT SECURE/NO)
Biznet 8:1, Ipteknet 8:1, Xyz 8:1, Abc 8:1; all vendors 32:4