CTICon-2013 Proceedings of the International Conference on “Diversifying Trends in Technology & Management” Organized by: CYBER TIMES Sponsored by: SEDULITY SOLUTIONS & TECHNOLOGIES Technically Co-Sponsored by: CSI Region-I & Division-I



Cyber Times International Journal of Technology & Management

Vol. 6, Issue 1, October 2012 – March 2013

ISSN: 2278-7518

EDITOR-IN-CHIEF

Dr. Anup Girdhar

EDITORIAL ADVISORY BOARD

Dr. Sushila Madan Dr. A.K. Saini

Mr. Mukul Girdhar

EXECUTIVE EDITORS

Ms. Kanika Trehan Mr. Rakesh Laxman Patil

CSI ADVISORY BOARD

Prof. S. V. Raghavan, President, CSI Mr. H. R. Mohan, Vice President, CSI

Mr. S. Ramanathan, Hony. Secretary, CSI Mr. Ranga Rajagopal, Hony. Treasurer, CSI

Mr. Satish Babu, Immediate Past President, CSI Mr. R. K. Vyas, Regional Vice President, Region-I, CSI

Prof. M.N. Hoda, Chairman, Division-I, CSI


“Cyber Times International Journal of Technology & Management”. All rights reserved. No part of this journal may be reproduced, republished, stored, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Any person who does any unauthorized act in relation to this journal publication may be liable to criminal prosecution and civil claims for damages.

Editorial Office & Administrative Address: The Editor, 310 Suneja Tower-II, District Centre, Janak Puri, New Delhi-110058. ISSN: 2278-7518. Phone: 011-25595729, +91-9312903095. Website: http://journal.cybertimes.in. Email: [email protected]

Disclaimer: Views and information expressed in the research papers or articles are those of the respective authors. “Cyber Times International Journal of Technology & Management”, its Editorial Board, Editor and Publisher (Cyber Times) disclaim responsibility and liability for any statement of fact or opinion made by the contributors. The content of the papers is written by their respective authors. The originality and authenticity of the papers and the explanation of information and views expressed therein are the sole responsibility of the authors. Effort is made to acknowledge source material relied upon or referred to; however, “Cyber Times International Journal of Technology & Management” does not accept any responsibility for any unintentional mistakes and errors.

Cyber Times International Journal of Technology & Management, Bi-Annually, Vol.6, Issue 1, has been Published, Printed and Edited by Dr. Anup Girdhar, on behalf of Cyber Times, at 310 Suneja Tower-II, District Centre, Janak Puri, New Delhi-110058.


From the Editor’s Desk

At the outset, I take this opportunity to thank all the contributors and readers for making “Cyber Times – International Journal of Technology & Management” an outstanding success.

The response that we have received from the Researchers, Authors, Academicians, Law-Enforcement Agencies and Industry Professionals for sending their Research Papers/ Articles for publication is duly acknowledged across the globe.

We are pleased to present Volume 6, Issue 1, of “Cyber Times International Journal of Technology & Management”, which includes two parts, where Part-1 covers the area of ‘Technology’ and Part-2 the area of ‘Management’.

Part-1: Technology: Cloud Computing, Artificial Intelligence, Wireless Networks, Cyber Security and Network Attacks, Penetration Testing, Cyber Laws, Cyber Crime Investigation, Data Mining, Databases, Mobile Commerce, Software Testing, etc.

Part-2: Management: Management Strategies, Human Resources, Business Intelligence, Global Retail Industry, Business Process Outsourcing, Indian Economy, Performance Management, Risk Management, International Business, etc.

I am sure that this issue will generate immense interest amongst the readers in different aspects of Technology & Management.

We look forward to receiving your valuable future contributions to make this journal a joint endeavor.

With Warm Regards,

Editor-in-Chief

Dr. ANUP GIRDHAR


General Information

• “Cyber Times International Journal of Technology & Management” is published bi-annually. All editorial and administrative correspondence for publication should be addressed to The Editor, Cyber Times.

• The abstracts received for final publication are screened by the Evaluation Committee for approval, and only the selected papers/abstracts are published in each edition. Further information is available in the “Guidelines for Paper Submission” section.

• Annual subscription details for obtaining the journal are provided separately; interested persons may subscribe after filling in the annual subscription form.

• This journal is meant for education, reference and learning purposes. The author(s) of this journal has/have taken all reasonable care to ensure that its contents do not violate any existing copyright or other intellectual property rights of any person, company or institution in any manner whatsoever. In the event that the author(s) has/have been unable to trace a source and any copyright has been inadvertently infringed, please notify the publisher in writing for corrective action.

• Copyright © “Cyber Times International Journal of Technology & Management”. All rights reserved. No part of this journal may be reproduced, republished, stored, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Any person who does any unauthorized act in relation to this journal publication may be liable to criminal prosecution and civil claims for damages.

• Other Publications:
  • Cyber Times Newspaper (English) – RNI No: DELENG/2008/25470
  • Cyber Times Newspaper (Hindi) – RNI No. DELHIN/1999/00462

• Printed & Published by: Cyber Times, 310 Suneja Tower-II, District Centre, Janak Puri, New Delhi-110058


Editorial Advisory Board Members

Name | Designation, Organization/University | Country
Dr. Sushila Madan | Associate Professor, Delhi University | India
Dr. A. K. Saini | Professor, GGS IP University | India
Mr. J. R. Ahuja | Former Consultant, AICTE | India
Mr. Mukul Girdhar | Vice President, Sedulity Solutions | India
Mr. Geetesh Madan | Q.A. Consultant with Tesco Bank, Newcastle | UK
Dr. Deepak Shikarpur | Chairman, Board of Studies, Pune University | India
Dr. B. B. Ahuja | Deputy Director, COE Pune | India
Prof. M. N. Hoda | Director, Bharati Vidyapeeth's (BVICAM) | India
Dr. S. C. Gupta | Director, NIEC, GGS IP University | India
Dr. S. K. Gupta | Professor, IIT Delhi | India
Dr. K. V. Arya | Associate Professor, IIITM, Gwalior | India
Brig. Dr. S. S. Narula | Director, Gitarattan International Business School | India
Dr. Sarika Sharma | Director, JSPM's ENIAC Institute of CA, Pune | India
Dr. S. K. M. Bhagat | Prof. & Head, MIT Academy of Engg., Pune | India
Dr. Jack Ajowi | Jaramogi Oginga Odinga University of Sci. & Tech. | Kenya
Dr. Srinivas Sampalli | Professor, Dalhousie University, Halifax | Canada
Dr. Ijaz A. Qureshi | V.P. Academic Affairs, JFK Inst. of Tech. and Mgmt. | Pakistan
Aryya Bhattacharyya | Director, CIP, Columbus State University | US
Dr. M. M. Schiraldi | Assistant Professor, 'Tor Vergata' University of Rome | Italy

Executive Editorial Advisory Board Members

Name | Designation, Organization/University | Country
Ms. Kanika Trehan | Editor - Cyber Times, New Delhi | India
Mr. Rakesh Laxman Patil | Editor - Cyber Times, Pune | India
Adv. Tushar Kale | Cyber Lawyer, Pune | India
Adv. Neeraj Aarora | Cyber Lawyer, New Delhi | India
Mr. Sanjeev Sehgal | HOD, SJP Polytech, Damla, Haryana | India
Mr. Rajinder Kumar Bajaj | GM, Satake India Engg. Pvt. Ltd. (Japan) | India
Dr. B. M. Patil | Associate Professor, MIT, Pune | India
Dr. R. K. Sharma | Professor, Bharati Vidyapeeth (BVIMR), N. Delhi | India
Dr. Rajesh S. Prasad | Professor, DCOER, Pune University | India
Dr. Binod Kumar | Associate Professor, MIT Academy of Engg., Pune | India
Dr. Vimal Mishra | Head, UPTE, UP | India
Dr. V. N. Wadekar | Prof. & Head, MIT College of Engg. CMSR, Pune | India
Dr. M. D. Goudar | Associate Prof. & Head, Pune University | India
Dr. Mohd. Rizwan Alam | Sr. Lecturer, Amity University | Dubai
Dr. Y. P. Singh | Director, KLSIET, UP | India


PART-I TECHNOLOGY

CONTENTS

SECTION-I

Research Papers

1. Symbiotic Association Between Cyber Security and Website Testing (p. 01)
   Rajiv Chopra & Dr. Sushila Madan

2. Hybrid Approach of Face Recognition (p. 06)
   B. Mohd. Jabarullah, Sandeep Saxena, Dr. C N Kennedy Babu & Dr. Mansaf Alam

3. An Improved and Scalable Digital Image Encryption Method Based on One-Dimensional Random Scrambling (p. 13)
   Madhu Rohini V, Balaji Venkatesh, A. Bhavana, N. Ravi Shankar & M. Seshu Kumar

4. Key Compromise Resilient Privacy Provisioning in Vertically Partitioned Data (p. 18)
   S KumaraSwamy, Manjula S H, K R Venugopal, Iyengar S S & L M Patnaik

5. Security Against Keyloggers Using Pattern Based Locking Systems (p. 30)
   Purnesh Tripathi

6. Two Factor Based Authentication Using Keystroke Biometrics (p. 35)
   Shaveta Tatwani, Neeru Dubey, Nitya Vij, Tanvi Jain & Priyanka

7. Social Networking and Media: Current Applications and Considerations (p. 42)
   Ishita Khar & Dr. Sharmishtha Bhattacharjee

8. Cloud Computing - A Breakthrough In The Obsolete Methods of Computing (p. 48)
   Mr. Shahnawaz Sarwar & Miss Aiman Zubair

9. A Comprehensive Approach of Wireless Data Glove Using Gesture Recognition Technique towards Development of a Supporting System for Aged And Disabled People (p. 53)
   Prof. Shantanu A. Lohi, Prof. Harish Gorewar, Prof. R. N. Jogekar & Prof. Sandeep S. Ganorkar

10. Experimental Analysis of Stabilizing B.C. Soil with Murrum and Rice Husk Ash (p. 63)
    B D Ramteke & Neetu B Ramteke

11. Analytical Study of Attacks on Manets Based On Layered Architecture (p. 66)
    Tushar Saxena & Nandini Deb

12. Impact of E-Learning And Knowledge Management In Indian Rural Education (p. 73)
    Shallu Joshi

13. Performance Analysis of SCTP Based Remote Monitoring Systems against Service Failures (p. 79)
    Piyush Yadav, Amit Sehgal & Rajeev Agrawal

14. Cloud Computing: ‘Analyses of Risk Involved in Cloud Environment’ (p. 87)
    Sonali Bajaj & Dr. Sharad Saxena

15. ANN Based Fault Detection & Classification of A 400 kV Electrical Transmission Line (p. 95)
    Gaurav Gangil & Prof. Rakesh Narvey

16. Design & Analysis of Documentation Taxonomy Approach with Algorithmic Fusion towards Ambiguity Free Results for English Idiolect (p. 102)
    Snehal A. Lohi & Prof. Rishi Kant Malviya

17. Computing Network Reliability where Nodes are Imperfectly Reliable and Links are Perfectly Reliable (p. 108)
    Moirangthem Marjit Singh

18. Predicting the Consumption Behavior of Smart Phones Using Social Media (p. 114)
    Disha Verma & Kanika Minocha

19. An Experimental Approach to Study the Terminal Fall Velocity of Particles in Different Types of Fluids (p. 121)
    M. N. Umare, Prof. (Dr.) A. G. Bhole & Dr. D. P. Singh

20. Qualitative Analysis of Different Routing Protocols in Mobile Ad Hoc Network (p. 126)
    Tushar Saxena, Rahul Raj & Prabhat Kumar

21. An Online Fuzzy Expert System using Rule Advancement Strategy for Specific Domain (p. 135)
    Abhishek Goel, Arun Solanki & Ela Kumar

22. Green Database (p. 141)
    Pranav Kharbanda, Varun Chauhan & Sumit Jain

23. Re-Ranking Web Search Result for Semantic Searching (p. 148)
    Rutuja Ajmire, Prof. A. V. Deorankar & Dr. P. N. Chatur

24. Implementation of Automatic Wrapper Adaptation System Using DOM Tree for Web Mining (p. 154)
    A. A. Tekale, Dr. Rajesh Prasad & S. S. Nandgaonkar

25. DDA Based Approach For Object Tracking & Detection In Large Motion Videos (p. 164)
    Dimple Chawla

26. Security Compliance Challenges On Clouds (p. 172)
    Yury Chemerkin

27. Modern Media: A Tool For ELT In Intercultural Communication (p. 198)
    Kumari Pragya

28. Microstrip Antenna Design Analysis Using Neural-Network (p. 206)
    Shyam Babu

29. Efficient Auto Code Generation from UML Diagrams Using Semantic Platform and DSL Semantic Annotations (p. 214)
    Prof. Sonali R. Idate & Prof. Kavita B. Supugade

30. Data Mining: Tools and Techniques (p. 222)
    Swati Aggarwal & Preeti Raheja

31. Unraveling The Challenges Faced By Indian E-Governance (p. 231)
    Priyanka Tayal & Dr. Alpana Kakkar

32. Intelligent and Synchronized Signal System for Urban Areas (p. 239)
    Prashant Pathak

33. Various Methods Of Wireless Power Transmission Technologies for Solar Power Satellites (p. 242)
    Guru Raj C, Amita Murthy & Kendaganna Swamy

34. Efficient Method for Detection & Mitigation of Inconsistencies from all UML Diagrams Based on Description Logic Rules During the OWL Generation (p. 249)
    Prof. Sonali R. Idate & Prof. Nilam I. Dalvi

35. Availability Analysis of Various Systems of Brewery Plant - A Review (p. 255)
    Sunil Kadiyan, Deepanjali Nimker & Uma Gautam

36. Power Quality Analysis Using Various Techniques: A Review (p. 263)
    Rajeev Kumar Chauhan & J. P. Pandey

37. A Review on Different III-V Multijunction Solar Cells (p. 271)
    Kiran Balaji P. S., Shashiraj Yadav & Kendaganna Swamy

38. Neural Steganography: An AES-256 Bit PRP & Pseudo Random Hash Based Neural Cryptographic Technique for Image Steganography (p. 278)
    Gaurav Indra, Chesta Agarwal, Pawandeep Kaur & Aastha Diwan

39. Demand Forecasting Of Spare Parts Store By Moving Average Method and Verification By Exponential Method (p. 287)
    Sharda Pratap Shrivas, S. Gangopadhayay & Aruna Thakur

40. Data Mining: A Mode To Reform Today’s Higher Learning Institutions Through Performance Indicators (p. 292)
    Meenu Chopra & Dr. Mamta Madan

SECTION-II RESEARCH ARTICLES

41. Cyber Crime: A Challenge Ahead With Special Reference to Chandigarh Police (p. 298)
    Narinder Singh

42. “Killed Two Birds With One Stone: Secure Data With Cloud” (p. 307)
    Smita Bajpai

43. Analysis Of Tests Laid Down By Courts To Determine Copyright Violation In Computer Software (p. 319)
    Mr. Atmaram Fakirba Shelke

44. CYBER LAW: Various aspects of Cyber Legal System (p. 326)
    S. Sai Sushanth

SECTION-III CASE STUDY

45. A Comparative Study of Various CPU Scheduling Simulators (p. 335)
    Ms. Prerna Ajmani & Ms. Amanpreet Kaur

46. Penetration Testing/ Cyber Security Assessment - XYZ Company (p. 340)
    Parveen Sadotra & Dr. Anup Girdhar


SECTION-I

RESEARCH PAPERS


SECURITY COMPLIANCE CHALLENGES ON CLOUDS

Yury Chemerkin, Independent Security Researcher / PhD in progress
Russian State University for the Humanities (RSUH), Moscow, Russia
Email: [email protected]

ABSTRACT

Today cloud vendors provide a wealth of integration and optimization features in many fields, such as business and education, and there are many ways to adopt them for medical purposes: maintaining medical records or monitoring patients. Not all cloud solutions have changed the original security paradigm entirely, and customers still need to manage accessibility, monitoring and auditing. Security and privacy therefore become very important issues that lead customers to choose an appropriate security level. The compliance part of security is a cornerstone idea, especially when cloud vendors talk about and refer to worldwide security standards and best practices.

Keywords: cloud security, compliance, amazon web services, aws, csa cloud controls matrix, csa, cmm, caiq, csa consensus assessments initiative questionnaire

I. INTRODUCTION

Cloud computing has been one of the top security topics for the last several years. The growing popularity of clouds [1] rests on the flexibility of virtualization as a technology for replacing and improving complex parts of systems, reducing unnecessary computation and making better use of existing resources. Besides the well-known threats, clouds introduce a new security and management layer. Clouds transform a small application into a large infrastructure that is managed by the platform itself (IaaS), with quick and easy access to any data. Cloud security vendors (and, in fact, vendors of almost every kind) claim that end-user companies prefer cost reduction over security in order to reduce the operational complexity of their clouds (or systems), which eventually ends with a lower amount of security than the end user would otherwise accept. Some security questions about clouds are: how is it implemented, how are the data and communication channels secured, how secure are the cloud and application environments, etc. For example, the well-known phrase “physical security does not exist in clouds” makes no serious sense, because the situation was the same when hosting services arrived. With each new technology the customer must make improvements beyond the default configuration. If the virtual OS is a Windows Server, then that OS has much the same security and patch-management state as a desktop or server OS elsewhere. In addition, it is a matter of trust no different from downloading and buying third-party solutions, and the cloud vendor may be no less trustworthy (they are all third-party solutions). The cloud simply uses well-known protocols like SMTP, HTTP, SSL and TCP/IP to communicate, send email, handle files and perform other activity. Methods that comply with the relevant RFCs should be taken as sound. Standards like the ISO 27001 series still provide a measure of information security, but only as a minimum set. However, a key problem is the lack of a systematic analysis of the security and privacy of such cloud services. Third-party organizations like the Cloud Security Alliance (CSA) promote their best practices and questionnaires to improve cloud security and keep a registry of cloud vendors' security controls to help users make the right choice in the security field. This research examines and highlights the security matters that form the background of cloud security, best practices and security standards: the aspects on which customers rely as a trustworthy level and, at least, a minimal security set. Enterprises need to comply with the different regulations and standards (PCI, CSA, HIPAA, ISO, etc.) and also need to prove compliance with security standards. The aim of the research is to examine the issues in security standards, regulations and best practices (where they exist) that let cloud vendors or their customers successfully pass cloud audit checks and claim compliance even though security features differ between clouds, not to mention the different configurations that meet different business needs and processes. The general guidelines in such documents operate at a high level, which makes them unclear: they miss useful security countermeasures and add superfluity to the customer’s vision of the system (cloud) they are applied to.

II. RELATED WORK

Nowadays, AWS is one of the most popular cloud platforms. It offers virtual computing, storage, VPN, archiving, monitoring, health-watching, email and other services as an environment in which a user can run applications, store data, operate on events and deliver event data through the different services and in different ways. AWS offers many services with greater accessibility, which is important when migrating to the cloud. GAE [5] is one more cloud, for running web applications written in interpreted and scripting languages like Java/Python, but it has limited features (security and the rest). Windows Azure makes data spreading its cornerstone, rather than storage or a web server [6]. These different goals have a huge influence on security, while all of them were built in accordance with best practices and have well-documented security controls. As we have enough security problems and an even greater number of security solutions to solve them on one hand, and standards with best practices that are successfully applied to clouds (according to the cloud vendors) on the other, it should be analyzed whether it is really so difficult to pass a cloud compliance audit in accordance with these documents. In this paper, the AWS services are examined as the ones most similar to known existing technologies. The modern recommendations for clouds are quite similar to those given in Table I, at least, but refined into low-level details like “you should choose a cloud vendor that offers encryption, but you cannot choose those vendors that offer strong encryption, e.g. AES”, which make little sense. The answer to “why” relies on the customers’ wish to see an action to do, like ‘whether they should rely on this AES encryption or they need to encrypt their data before uploading’. It works well when customers need to cover all clouds (although it is then obliged to provide more details) in order to choose those that provide more security, but it is bad for clouds that provide many services and security features, because it gives basic rules only.

TABLE 1: THE COMMON SECURITY RECOMMENDATIONS

Object: What to do
• Data Ownership: Full rights and access to data
• Data Segmentation: Isolation of data from other customers’ data
• Data Encryption: Data encryption in transit/memory/storage, at rest
• Backup/Recovery: Availability for recovery
• Data Destruction: Ability to securely destroy data when no longer needed
• Access Control: Who has access to data?
• Log Management: Data access is logged and monitored regularly
• Incident Response: Are there processes and notifications in place for incidents (including breaches) that affect data?
• Security Controls: Appropriate security and configuration controls for data protection
• Patch Management: Patching for the latest vulnerabilities and exploits?

One more example is how such documents may substitute for the customer’s own understanding. NIST [25] talks about cloud limits on security: “the ability to decide who and what is allowed to access subscriber data and programs … the ability to monitor the status of a subscriber’s data and programs …”, which may, by mistake and without knowledge of the cloud infrastructure, be read as “no cloud provides such abilities”. Another misconception concerns the cloud firewall, with the opinion that cloud features are useless because of the following statement: a cloud firewall should provide centralized management, include pre-defined templates for common enterprise server types and enable the following:

• Source and destination address and port filtering
• Coverage of protocols, DoS prevention
• An ability to design policies per network interface
• Location checks to monitor who accessed the data and from where

Besides such detailed ‘how-to’ sets, there are enough statements that clouds cannot provide these, so it is still seen as a security hole, while some of them (e.g. AWS) do provide these features. Table II [7] shows a brief difference between AWS and Azure on compliance vs. documented technologies to secure and protect data. As a part of ‘non-transparency’, it is quite interesting that the differently offered security features and controls have passed e.g. ISO 27xxxx, while the difference between the clouds (compared with each other) looks like a medium reduction. The cloud attributes examined in [2] are backup, encryption, authentication, access controls, data isolation and monitoring, security standards, disaster recovery, client-side protection, etc. In addition, that paper provided a medium-detailed comparison of what exactly each cloud vendor offers its clients (AWS, Azure, GAE). The authors presented the cloud security/privacy attributes mapped to NIST guidelines, which helps in examining security standards. [3] and [4] give a brief examination of AWS S3, and GAE is covered in [26] in more detail, but a summary comparison over [2-6], [10], [12], [15], [21] makes clear that AWS offers the most powerful and flexible features and services; however, AWS was not examined deeply (FAQ examination only) in [2-6] compared with [7], [45].

TABLE 2: COMPLIANCE DIFFERENCE BETWEEN AWS AND AZURE

Type: Item (AWS / Azure)

Compliance
• ISO 27001, CSA, HIPAA (+ / +)
• PCI DSS, FISMA, FIPS 140-2, NIST (+ / N/A)

Physical Security
• Actions, events logging, logs audit (+ / +)
• Minimum access rights (+ / +)
• Auto revocation of access after N days, role change, MFA, escort (+ / N/A)

Data Privacy
• Backup, redundancy across locations (+ / +)
• Redundancy inside one geo location, encryption, DoD/NIST destruction (+ / N/A)

Network Security
• MITM protection, host-based firewall (IP, port, MAC), mandatory firewall, hypervisor protection from promiscuous mode (+ / +)
• Pentesting offer for services (+ / -)
• Pentesting offer for apps (+ / +)
• DDoS protection, featured firewall (+ / N/A)

Credentials
• Login and passwords, SSL (+ / +)
• Cross-account IAM, MFA hardware/software, key rotation (+ / N/A)

Such recommendations may also advise on the different sanitizing techniques to use on the client or cloud side. Effective and efficient sanitization is a forensics concern. There are many methods and techniques, but some of them rely on brute-force wiping, which is extremely wasteful for clouds for financial reasons. ERASERS, proposed in [43], computes the entropy of each data block in the target area and then wipes that block with a specified number of passes and pattern. Patterns and entropy are valuable because the file types (docx, mp3, odf, pgp, acid*) have quite different characteristics. This means that ERASERS has many subpopulations, each applied to certain cases. It gives faster wiping than regular brute-force overwriting. As disk sizes increase up to petabyte scale (AWS recently started offering such storage), brute-force methods are becoming nearly impossible in time. Many drives contain areas that have no data needing overwriting, as is known for SSDs, which shuffle data between data blocks every time but keep the encrypted area untouched. According to NIST SP800-88 [44], “studies have shown that most of data can be effectively cleared by one overwrite with random data rather than zeroing”. The original version of DoD 5220.22-M (which AWS implements) recommends a 3-pass wipe with one pass of a uniform character, one pass of its complement, and one pass of random characters, while the current DoD 5220.22-M does not specify the number of passes or the pattern. As ERASERS shows good results, it should be implemented for AWS EC2 or other cloud VM services as an additional and lower-cost protection (surely the price differs, but it goes down each time).
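The entropy-guided selection described above, as an added illustration (not the ERASERS implementation from [43] and not AWS tooling): each block of a constructed in-memory image is scored with Shannon entropy, and only structured mid-entropy blocks get the three-pass character/complement/random schedule, while zeroed and already high-entropy blocks get a single random pass. The block size and both thresholds are assumed values chosen for the demonstration.

```python
import math
import os
import random
from collections import Counter

# Assumed parameters (illustrative values, not taken from [43] or NIST SP800-88).
BLOCK_SIZE = 4096      # bytes per block examined
LOW_ENTROPY = 1.0      # bits/byte and below: zeroed or uniform filler
HIGH_ENTROPY = 7.0     # bits/byte and above: already encrypted/compressed


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 for empty input)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def choose_passes(entropy: float) -> list:
    """Pick an overwrite schedule from a block's entropy.

    Illustrative policy: uniform filler and high-entropy (encrypted or
    compressed) content get one random pass, following the SP800-88
    observation quoted in the paper that a single random overwrite clears
    most data; structured, mid-entropy content gets the 3-pass schedule of
    the original DoD 5220.22-M (character, complement, random).
    """
    if entropy <= LOW_ENTROPY or entropy >= HIGH_ENTROPY:
        return ["random"]
    return ["char", "complement", "random"]


def render_pass(kind: str, size: int, char: int = 0x55) -> bytes:
    """Produce the overwrite pattern for one pass over `size` bytes."""
    if kind == "char":
        return bytes([char]) * size
    if kind == "complement":
        return bytes([char ^ 0xFF]) * size
    if kind == "random":
        return os.urandom(size)
    raise ValueError(f"unknown pass kind: {kind}")


def plan_wipe(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return (offset, entropy, passes) for every block of the image."""
    plan = []
    for off in range(0, len(image), block_size):
        ent = shannon_entropy(image[off:off + block_size])
        plan.append((off, round(ent, 2), choose_passes(ent)))
    return plan


def wipe(image: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Apply the per-block schedule to an in-memory copy and return it."""
    buf = bytearray(image)
    for off, _ent, passes in plan_wipe(image, block_size):
        size = min(block_size, len(buf) - off)
        for kind in passes:
            buf[off:off + size] = render_pass(kind, size)
    return bytes(buf)


def total_passes(image: bytes, block_size: int = BLOCK_SIZE) -> int:
    """Number of block overwrites the entropy-guided plan performs."""
    return sum(len(p) for _, _, p in plan_wipe(image, block_size))


def brute_force_passes(image: bytes, block_size: int = BLOCK_SIZE) -> int:
    """Number of block overwrites a flat 3-pass wipe of every block performs."""
    return 3 * math.ceil(len(image) / block_size)


# Constructed sample image: a zeroed block, a text-like block of records,
# and a block of seeded pseudo-random bytes standing in for encrypted data.
_rng = random.Random(1234)
SAMPLE_IMAGE = (
    b"\x00" * BLOCK_SIZE
    + (b"patient record 0001; diagnosis: pending; " * 100)[:BLOCK_SIZE]
    + bytes(_rng.getrandbits(8) for _ in range(BLOCK_SIZE))
)

if __name__ == "__main__":
    for off, ent, passes in plan_wipe(SAMPLE_IMAGE):
        print(f"block@{off:6d} entropy={ent:4.2f} passes={passes}")
    print("flat 3-pass wipe:", brute_force_passes(SAMPLE_IMAGE),
          "entropy-guided:", total_passes(SAMPLE_IMAGE))
```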

One of the most serious works on AWS security [27] presents the results of a “black box” analysis methodology against the control interfaces (AWS EC2 and S3), compromised via novel signature wrapping and advanced XSS techniques, HTML injection, as well as SOAP validation issues and man-in-the-middle attacks. The authors also examined possible ways of protection and found that the AWS EC2 & S3 services do not provide suitable opportunities to implement their solutions. Despite that, solutions based on the available (native) security features of AWS were found to protect against these attacks [28]:

• Utilizing SSL/HTTPS only, with certificate validation, and utilizing API access mechanisms like REST/Query instead of SOAP
• Activating access via MFA and creating IAM accounts limited in access, with AWS credential rotation enhanced with key pairs and X.509 certificates
• Limiting IP access, enhanced with the API/SDK & IAM
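The MFA, least-privilege IAM and IP-limiting protections listed above, as an added example constructed here (not AWS's own policy or code, and not from [28]): an IAM-style policy that only grants bucket access over TLS, with MFA present and from one source range, beside the permissive policy it replaces, plus a small evaluator that applies the IAM condition operators used to sample request contexts. The bucket name, address range, request contexts and evaluator are assumptions; key rotation and X.509 certificates are not modelled.

```python
import fnmatch
import ipaddress

# Constructed "before" policy: anyone holding the access keys can do
# anything in the bucket, from anywhere, over plain HTTP, without MFA.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyS3OnBucket",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed "after" policy: same bucket, but only GetObject/PutObject,
# only over TLS, only with MFA and only from the assumed office range.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BucketAccessOverTlsWithMfaFromOffice",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {
            "Bool": {
                "aws:SecureTransport": "true",
                "aws:MultiFactorAuthPresent": "true",
            },
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        },
    }],
}


def _matches(patterns, value: str) -> bool:
    """IAM-style glob match (* and ?) for Action and Resource fields."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate the Bool, IpAddress and StringEquals operators only."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:          # absent context key never satisfies
                return False
            wanted = [wanted] if isinstance(wanted, str) else wanted
            if operator == "Bool":
                if str(actual).lower() not in [w.lower() for w in wanted]:
                    return False
            elif operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                if not any(addr in ipaddress.ip_network(w) for w in wanted):
                    return False
            elif operator == "StringEquals":
                if actual not in wanted:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Explicit Deny wins, a matching Allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts: the intended use from the office with MFA
# over TLS, and a call made with the same keys from elsewhere without MFA,
# which is what a leaked access key looks like to the policy engine.
OBJECT = "arn:aws:s3:::example-bucket/records/2013-01.csv"
OFFICE_MFA_TLS = {
    "aws:SecureTransport": "true",
    "aws:MultiFactorAuthPresent": "true",
    "aws:SourceIp": "203.0.113.25",
}
OFFSITE_NO_MFA = {
    "aws:SecureTransport": "true",
    "aws:MultiFactorAuthPresent": "false",
    "aws:SourceIp": "198.51.100.7",
}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        for label, ctx in (("office+mfa+tls", OFFICE_MFA_TLS), ("offsite,no mfa", OFFSITE_NO_MFA)):
            print(f"{name:10s} {label:15s} GetObject ->",
                  is_allowed(policy, "s3:GetObject", OBJECT, ctx))
```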

Virtualization refers to a hypervisor, while a virtual machine works with a configured snapshot of an OS image and requires well-known shared resources like memory, storage or network. It is generally agreed that, although hypervisors isolate these shared resources without affecting other instances, VMs can be trusted in only a few cases, because they are vulnerable to the best-known Xen attacks; however, not one Xen vulnerability was applied to the AWS services, according to [29], as an example. This brings us to an understanding of the term “customize” in regards to clouds. Another ability to control via Intel AMT commands [30] or otherwise applies to VMware, but there are no known successful implementations for AWS, Azure, GAE or other clouds. It may also have serious performance problems due to overloading the virtual OS with the analysis of CPU commands and system calls, regardless of where the trusted/untrusted control agents are, multiplied by known issues best demonstrated in the case of GPUs [31]. There are, no doubt, security virtualization issues even in clouds, and it should be taken into consideration that while clouds have a built-in security configuration to protect against the best-known attacks or new ones, they still need to be patched and monitored, with host-based firewalls and IDS installed and managed, etc. One exciting example [32] talks about incorrect behavior in the SSL certificate validation mechanisms of the AWS SDK for EC2, ELB and FPS. Despite that, AWS has updated all SDKs (for all services) to redress it [33].

III. EXAMINATION OF THE CSA DOCUMENTS ON CLOUDS

The CSA documents provide vendors and their customers with a medium-detailed overview of which statements the cloud security & compliance features apply to, as defined by the Cloud Security Alliance (CSA) and the Cloud Controls Matrix (CCM). Cloud vendors or third-party cloud providers may announce that their services operate in accordance with these recommendations; however, customers have a responsibility to control their environment and determine whether it is really configured in compliance with CSA best practices. In other words, how transparent are the cloud controls and configurations with respect to the appropriate policies and procedures required by their regulations? Here the regulations meet the technical equipment, and the public technical proof is examined first from that point. Each control ID is kept so that it can be found in the CAIQ [35] and CCM [34], while its explanation is rewritten to reduce the amount of text and grouped by domain/control group and by similar questions/metrics. Also, the CID covers the CAIQ and CCM together.

TABLE 3: AWS SOLUTIONS AGAINST A CAIQ

CID | Question | AWS response

CO-01.1 | Any certifications, reports and other relevant documentation regarding the standards | AWS has them and provides them under NDA.

CO-02.1-7 | An ability to provide tenants with third-party audit reports and to conduct network/application cloud penetration tests as well as regular internal/external audits (in accordance with the guidance), with results | AWS engages independent auditors to review its services and provides customers with the relevant third-party compliance/attestation/certification reports under NDA. Such audits cover regular vulnerability scans of AWS's own (non-customer) services [41-42]; customers may also pentest [40] their own instances, subject to agreement with AWS.

CO-03.1-2 | An ability for customers to perform their own vulnerability tests on applications and networks | Customers are able to perform them after requesting permission (an email with the instance IDs and the test period) via the AWS Vulnerability/Penetration Testing Request Form [40].

CO-04.1 | A person responsible for contacting local authorities in accordance with contracts and applicable regulations | AWS maintains contact with local authorities, industry organizations and regulatory bodies in accordance with ISO 27001.

CO-05.1-2 | An ability to logically segment tenants' data (additionally by encryption) and to recover data for specific customers in case of failure or data loss | Despite the flat namespace of AWS services, all customer-stored data is canonically isolated by path, with additional controls such as permissions, per-user entry points to the data, and MFA. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL) and VPC (encrypted connections and sessions). Additionally, customers can use any cloud service that offers backup to and from AWS, such as SME Storage for various cloud vendors (AWS S3, Azure, Dropbox, etc.) or Veeam Backup Cloud Edition for VMs (AWS, Azure, etc.).

CO-06.1, CO-07.1, CO-08.1 | Documented policies on a tenant's intellectual property protection | Aligned with COBIT, ISO 27002 and the PCI Data Security Standard.

DG-01.1 | An implementation of a structured data-labeling standard | Depends on the customers' needs and requirements.

DG-02.1-5 | An ability to identify a VM via policy tags/metadata in order to perform quality control or restrict actions, e.g. identifying hardware via policy and tags/metadata, using geo-location as an authentication factor, providing the physical geo-location, and allowing suitable geo-locations to be chosen for resources and data routing | Tenants can apply arbitrary metadata and tags to EC2 VMs to set user-friendly names and improve searchability. AWS offers several regions (partially listed in [38]), one of which is chosen when data is first placed. Each region is covered by a geo-location policy and access controls, and access can additionally be restricted by SSL, IP address and time of day. Customers may move data between regions themselves or via the API and SDK.

DG-03.1 | Any policies and mechanisms for labeling, handling and securing data | As customers retain ownership, they are responsible for implementing them.

DG-04.1-2 | Technical capabilities to enforce tenant data-retention policies, and a documented policy on government requests | Customers have the capability to manage retention, control and delete their data, except where AWS must comply with the law.

DG-05.1-2 | Secure deletion (e.g. degaussing or cryptographic wiping) and documented procedures for how the cloud vendor handles this deletion | At the end of a storage device's useful life, AWS performs a decommissioning process to prevent data exposure, using DoD 5220.22-M / NIST 800-88 techniques. Additionally, the device is degaussed or physically destroyed.

DG-06.1 | Replication of production data in non-production environments | AWS provides the ability to run (non-)production environments and delegates responsibility for managing them to the customers.

DG-07.1-2 | Presence of controls to prevent data leakage or compromise between AWS tenants | There are no known serious security bugs in the AWS environment that have been successfully exploited or that cannot be 'patched' by using the implemented PCI controls [27-29] and the other security controls that segment customer resources from each other. Also, the hypervisor is designed to block disallowed connections between tenant resources, which, according to AWS, has been validated by an independent PCI QSA against PCI DSS 2.0.

DG-08.1 | Availability of control health data for implementing continuous monitoring to validate service status | AWS provides the independent auditor reports under NDA; on their own systems, customers can build continuous monitoring of logical controls, additionally using [38].

FS-01.1 | Any 'evidence' that policies are established for a safe and secure working environment in offices and other areas | AWS is certified by independent auditors, confirming alignment with the AWS SOC 1 Type II and ISO 27001 certification standards (domain 9.1).

FS-02.1 | Background verification (e.g. criminal) of AWS employees, contractors and third parties | According to AWS, such checks are performed in compliance with the law.

FS-03.1, FS-05.1 | Implementation of physical security perimeters, providing secure areas protected from unauthorized personnel actions | AWS has implemented various physical security controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means, in alignment with ISO 27001. In addition, video surveillance is used throughout, and staff must pass two-factor authentication a minimum of two times to access data center floors.

FS-04.1 | An ability to inform customers which geo-locations their data traverses into or out of, with regard to the law | AWS commits not to move customer content out of the chosen location without notification, in compliance with the law. The rest is similar to DG-02.5.

FS-06.1, FS-07.1 | Availability of documentation explaining whether and where data may be moved between locations (e.g. backups), how equipment is repurposed, and how resources are sanitized (AWS side only) | AWS leaves control of data locations to the customers. Data is not moved between regions, only within the chosen region, to prevent failure. The rest is similar to DG-05.1-2.

FS-08.1-2 | An inventory of critical assets and critical supplier relationships | Hardware assets are monitored by AWS personnel, and relationships with all AWS suppliers are maintained in compliance with ISO 27001 (see domain 7.1 for additional details).

HR-01.1, HR-02.1-2, HR-03.1 | Background verification (e.g. criminal) of AWS employees; security courses and training for employees | Similar to FS-02.1. AWS also publishes the Company's Code of Business Conduct and Ethics internally and trains employees regularly; this is documented and validated periodically. Other responsibilities are shared across HR.

IS-01.1, IS-02.1, IS-03.1-3 | A description of the ISMP in documents, with clear direction, assignment and verification supporting information security in compliance with ISO 27001/22307, COBIT, etc.; any documents showing evidence of mapping it to the regulations | AWS publishes (under NDA) documentation aligned with ISO and certified by independent auditors; its policies are based upon COBIT, ISO 27001 and PCI DSS.

IS-04.1-3 | An ability to provide documents with security recommendations per component, to import trusted VMs, and to continuously monitor and report compliance | Customers are able [11] to use their own VMs by importing images via AWS VM Import, and AWS Import/Export accelerates moving large amounts of data in and out for backup or disaster recovery. The rest is similar to DG-08.1, per ISO (domains 12.1, 15.2).

IS-05.1 | An ability to notify customers of changes to information security/privacy policies | Although AWS provides many how-to documents, binaries and sources [8-24], [28-29] that are regularly updated, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified.

IS-06.1-2 | Any sanctions for employees who have violated security policies | According to AWS, if a violation happens, appropriate disciplinary action follows.

IS-07.1-2 | Established controls to remove employee access that is no longer required, and how quickly it is removed | According to AWS documentation, any 'redundant' access is automatically revoked when an employee's record is terminated or the job function changes in Amazon's HR system. An employee who was not terminated is reassigned new access rights, which are reviewed every 90 days.

IS-08.1-2 | Documentation describing how the cloud vendor grants and approves access to tenant data, and whether the provider's and tenants' data classification methodologies are aligned with each other | Customers, as data owners, are responsible for the development, content, operation, maintenance and use of their content.

IS-09.1-2 | Revocation/modification of user access to data upon any change in the status of employees, contractors, customers, etc. | Amazon provides sufficient security controls to maintain an appropriate security policy and permissions so that data is not spread unless explicitly allowed; these controls are also built by AWS. The rest is similar to IS-07.1-2 with regard to AWS staff.

IS-10.1-3, IS-11.1-2 | Certification of entitlements for system administrators (excluding tenants), with remediation in case of inappropriate entitlements, and a security awareness training program on cloud-related issues for administrators and engineers | AWS reviews access grants every 90 days and re-approves them, or explicitly assigns new grants even when they are unchanged (SOC 1 Type II report; ISO 27001, domain 11.2). Training courses are quite similar to IS-06.1-2.
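The two responses above describe a joiner/mover/leaver control (IS-07.1-2: access is revoked when the HR record is terminated or the job function changes) and a 90-day re-approval cycle (IS-10.1-3). The following is an added example, not code from the paper or from AWS, of how a tenant could run the same two checks over its own access data; the HR records, grant records, field names and the `reconcile` function are all constructed for this illustration.

```python
"""Joiner/mover/leaver reconciliation of access grants against HR records,
plus a 90-day re-approval check (IS-07.1-2 and IS-10.1-3).  The data and
field names are constructed; this is not AWS's HR or permission system."""
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=90)   # re-approval interval stated in the responses
AS_OF = date(2013, 3, 1)             # date the reconciliation runs (constructed)

# Constructed HR export: person id -> employment status and current job function.
HR_RECORDS = {
    "e100": {"status": "active", "role": "dba"},
    "e101": {"status": "active", "role": "support"},   # mover: used to be a dba
    "e102": {"status": "terminated", "role": "sre"},   # leaver
    "e103": {"status": "active", "role": "sre"},
}

# Constructed access grants: the job function each grant was approved for and
# the date it was last reviewed / re-approved.
ACCESS_GRANTS = [
    {"id": "e100", "resource": "prod-db", "approved_for_role": "dba", "last_review": date(2013, 1, 15)},
    {"id": "e101", "resource": "prod-db", "approved_for_role": "dba", "last_review": date(2013, 2, 1)},
    {"id": "e102", "resource": "bastion", "approved_for_role": "sre", "last_review": date(2013, 2, 20)},
    {"id": "e103", "resource": "bastion", "approved_for_role": "sre", "last_review": date(2012, 11, 1)},
    {"id": "e999", "resource": "bastion", "approved_for_role": "sre", "last_review": date(2013, 2, 20)},  # orphan: no HR record
]


def reconcile(hr, grants, today):
    """Return (revocations, overdue_reviews).

    A grant is revoked when its holder has no HR record, is not active, or now
    holds a different job function than the one the grant was approved for.
    A surviving grant is flagged when its last re-approval is older than
    REVIEW_PERIOD."""
    revocations, overdue = [], []
    for g in grants:
        person = hr.get(g["id"])
        if person is None:
            revocations.append((g["id"], g["resource"], "no HR record"))
        elif person["status"] != "active":
            revocations.append((g["id"], g["resource"], "leaver"))
        elif person["role"] != g["approved_for_role"]:
            revocations.append((g["id"], g["resource"], "job function changed"))
        elif today - g["last_review"] > REVIEW_PERIOD:
            overdue.append((g["id"], g["resource"], today - g["last_review"]))
    return revocations, overdue


def next_review_due(grant):
    """Date by which a grant must be re-approved to stay inside the 90-day cycle."""
    return grant["last_review"] + REVIEW_PERIOD


if __name__ == "__main__":
    revocations, overdue = reconcile(HR_RECORDS, ACCESS_GRANTS, AS_OF)
    for item in revocations:
        print("REVOKE", *item)
    for person_id, resource, age in overdue:
        print("REVIEW OVERDUE", person_id, resource, f"{age.days} days since last review")
```

Running it on the constructed data revokes the mover's old role-bound grant, the leaver's grant and the orphan grant, and flags the one grant whose last review is older than 90 days; the same two loops apply unchanged to a real HR export and a real permission inventory once the field names are mapped.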

IS-12.1-2 | Participation in security groups that benchmark controls against standards | AWS policies are based on COBIT, ISO 27001/27002 and PCI DSS.

IS-13.1 | Documentation clarifying the difference between administrative responsibilities and those of the tenant | AWS describes these roles in its general security documents (not in the documents of specific services).

IS-14.1, IS-15.1 | Responsibilities for maintaining awareness of and complying with security policies, procedures and standards relevant to an area of responsibility, with documentation of how segregation of duties is maintained | Each employee has the Company's Code of Business Conduct and Ethics and must complete periodic training. Customers should manage segregation of duties themselves. The rest is certified by independent auditors.

IS-16.1-3 | Informing users of their responsibilities with regard to security policies, standards, regulations and rules for handling equipment | AWS provides various ways of training employees (newly hired employees directly; others by email on the AWS intranet) so that they understand their roles and responsibilities; this is certified by independent auditors.

IS-17.1-3 | Any policies addressing conflicts of interest on SLAs, tamper auditing, software integrity, and detection of changes to VM configurations | AWS provides the details in the AWS SOC 1 Type II report, in compliance with ISO 27001 (domains 8.2, 11.3), validated by independent auditors.

IS-18.1-2, IS-19.1-4 | An ability to create and manage unique encryption keys per tenant, to encrypt data to an identity without access to a public key certificate (identity-based encryption), to protect tenant data in network transmission, VMs, DBs and elsewhere via encryption, and to maintain key management | If keys are created on the server side, AWS creates and uses unique keys; if they are created on the client side with the customer's own or third-party solutions, only the customer can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.

IS-20.1-6 | An ability to perform vulnerability scans per the recommendations at the application layer, network layer and local OS layer, and then to patch; providing information about issues to AWS, who makes it public | Similar to CO-03.1-2 but in more detail: customers should perform vulnerability scans and patching even though the VM OS images come with the latest updates; they are obliged to reach agreement with AWS and not violate the policy. Also similar to CO-02.6-7 on providing the results [40], [41-42].

IS-21.1-2 | Availability of AV solutions with updated signatures, lists or behavioral patterns | AWS manages AV solutions and updates in compliance with ISO 27001, as confirmed by independent auditors.

IS-22.1 | A document specifying the roles and responsibilities of AWS and tenants in handling security incidents | AWS has one, in compliance with ISO, and provides the AWS SOC 1 Type II report.

IS-23.1-2, IS-24.1-4 | An ability of a SIEM to merge data sources (application logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting; additionally, isolation of particular customers during an incident; a capability to freeze data from a specific point in time and to use forensic data collection and analysis techniques | AWS has this, in compliance with ISO, and provides the results in the AWS SOC 1 Type II report; AWS also has a compliant incident response program. Even though customer data is stored with strong isolation on the AWS side and under customer-defined restrictions, additional material (the SOC 1 Type II report) must be requested to clarify all questions on forensics. All data should be encrypted on the client side, because then customers deal with law enforcement directly, as AWS does not hold the keys in that case.
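As an added illustration of what the SIEM capability in IS-23.1-2 involves on the tenant's side, the example below (not code from the paper, AWS or the CSA) normalizes constructed application, firewall and IDS log lines into one event schema and runs two cross-source correlation rules over them. The three log formats, the `SYSLOG_YEAR` constant, the UTC assumption and the rule thresholds are assumptions of this example.

```python
"""Merge application, firewall and IDS logs into one event schema and run two
correlation rules over them (IS-23.1-2).  All log lines are constructed
samples; formats and rules are this example's assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SYSLOG_YEAR = 2013  # syslog lines carry no year; taken from the constructed data

# Constructed sample lines from three sources.
APP_LOG = [
    "2013-03-01T10:00:05Z app login user=alice src=203.0.113.7 result=FAIL",
    "2013-03-01T10:00:09Z app login user=alice src=203.0.113.7 result=FAIL",
    "2013-03-01T10:00:14Z app login user=alice src=203.0.113.7 result=FAIL",
    "2013-03-01T10:00:20Z app login user=alice src=203.0.113.7 result=OK",
    "2013-03-01T10:05:00Z app login user=bob src=198.51.100.9 result=OK",
]
FW_LOG = [
    "Mar  1 10:00:01 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Mar  1 10:04:58 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=443",
]
IDS_LOG = [
    "03/01/2013-10:00:12.000000 [**] [1:1000001:1] SAMPLE SCAN (constructed) [**] {TCP} 203.0.113.7:51000 -> 10.0.0.5:22",
]

APP_RE = re.compile(r"^(?P<ts>\S+) app login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) fw kernel: (?P<action>ACCEPT|DROP) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")
IDS_RE = re.compile(r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] \{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")


def _utc(naive):
    # All three sources are assumed to log in UTC so their timestamps can be ordered.
    return naive.replace(tzinfo=timezone.utc)


def parse_app(line):
    m = APP_RE.match(line)
    if not m:
        return None
    return {"ts": _utc(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")), "source": "app",
            "src_ip": m["src"], "user": m["user"],
            "event": "login_ok" if m["result"] == "OK" else "login_fail"}


def parse_fw(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": _utc(ts), "source": "fw", "src_ip": m["src"], "user": None,
            "event": "fw_" + m["action"].lower(), "dst_port": int(m["dpt"])}


def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    return {"ts": _utc(ts), "source": "ids", "src_ip": m["src"], "user": None,
            "event": "ids_alert", "signature": m["msg"]}


def normalize_all(app=APP_LOG, fw=FW_LOG, ids=IDS_LOG):
    """Parse every line from every source into the common schema, dropping
    lines that do not match their source's format."""
    events = [parse_app(l) for l in app] + [parse_fw(l) for l in fw] + [parse_ids(l) for l in ids]
    return [e for e in events if e is not None]


def correlate(events, fail_threshold=3, fail_window=timedelta(seconds=60),
              ids_window=timedelta(minutes=5)):
    """Two cross-source rules keyed on source IP:
    1. at least `fail_threshold` failed logins followed by a success within `fail_window`;
    2. an IDS alert followed by a successful login within `ids_window`."""
    alerts = []
    fails, ids_hits = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["src_ip"]
        if e["event"] == "login_fail":
            fails[ip].append(e["ts"])
        elif e["event"] == "ids_alert":
            ids_hits[ip].append(e["ts"])
        elif e["event"] == "login_ok":
            recent_fails = [t for t in fails[ip] if e["ts"] - t <= fail_window]
            if len(recent_fails) >= fail_threshold:
                alerts.append({"rule": "failed_logins_then_success", "src_ip": ip, "user": e["user"], "ts": e["ts"]})
            if any(e["ts"] - t <= ids_window for t in ids_hits[ip]):
                alerts.append({"rule": "ids_alert_then_login", "src_ip": ip, "user": e["user"], "ts": e["ts"]})
    return alerts
```

On the constructed data the first rule fires for alice's three failures followed by a success, and the second fires because the IDS saw the same source address eight seconds before that success; bob's login from an address with no prior signal produces nothing. The normalization step is what makes the second rule possible at all, since the IDS and the application never share a format.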

IS-25.1-2 | An ability to monitor the impact of security incidents and share the results with customers | AWS does so in alignment with ISO 27001, validated by independent auditors.

IS-26.1-3 | An ability to collect or create metadata about customer data, and documentation making clear what may be utilized and how | According to AWS, customers alone manage and control their data.

IS-27.1-2 | An ability to provide a monitoring system to check for privacy breaches, notify customers, and confirm that the privacy policy is aligned with industry standards | Customers are responsible for handling security and privacy.

IS-28.1-2, IS-29.1 | An ability to use open encryption standards (3DES, AES, etc.) so that tenants can protect their data in storage and in transit over public networks; availability of logging, monitoring and restriction of any access to the management systems (hypervisors, firewalls, APIs, etc.) | AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL) and VPC (encrypted connections and sessions). Customers may also use third-party encryption technologies, and the AWS APIs are available via SSL-protected endpoints. AWS has a logging feature, defines minimum standards for logical access to AWS resources, and provides details in the AWS SOC 1 Type II report.

IS-30.1 | Securing and providing dedicated secure networks for administrators' management access to the cloud | AWS systems are designed to protect the management console, and administrators must use MFA devices to gain access to the cloud. Additionally, their access rights are reviewed every 90 days, and all such actions are reviewed and audited.

IS-31.1-2 | An ability to collect and utilize data and provide tenants with reports | AWS utilizes data in compliance with ISO 27001, validated by independent auditors.

IS-32.1, IS-33.1-2 | Any restrictions on using portable/mobile devices/PDAs, and prevention of unauthorized access to application, program or object source code | AWS has these, defines minimum rights for logical access to AWS resources, and provides details in the AWS SOC 1 Type II report.

IS-34.1-3 | An ability to monitor and segment/restrict the key utilities that manage virtualized partitions (e.g. shutdown, clone), and to detect and prevent attacks (blue pill, etc.) on key virtual components | AWS has this and provides details in the AWS SOC 1 Type II report. AWS examines such attacks and, where they apply, publishes information in the "Security Bulletins" section [36]. An example of a black-box attack [27], [28] was given in Section II of this paper, with native security features as the solution.

LG-01.1, LG-02.1-3 | Periodic review of NDAs and other requirements and agreements by legal counsel; an ability to monitor outsourced providers for compliance with the laws of each country | Amazon Legal Counsel reviews third-party agreements and NDAs according to business needs. AWS does not use any third-party cloud providers to deliver AWS services to customers.

OP-01.1, OP-02.1 | Policies and system documentation available to all personnel supporting service operations roles, with information system documentation available to authorized personnel | According to AWS, its policies are aligned with the AWS Information Security framework, which is based upon the COBIT framework, the ISO 27001 standard and the PCI DSS requirements. Such documents are available through Amazon's intranet site.

OP-03.1-2 | An ability to provide documentation on what levels of system oversubscription (network, storage, memory, I/O, etc.) are maintained and restricted | AWS does not disclose its capacity management practices but publishes an SLA instead.

OP-04.1-5 | A capability to perform independent hardware/software restores, replicate recovery actions, and move or port to another cloud vendor | Customers should use the EBS Snapshot functionality to manage VM images. They are also allowed [11] to export their AMIs for use on premises or at another provider, and to import their VMs; AWS Import/Export accelerates moving large amounts of data in and out for backup or disaster recovery.

RI-01.1-2, RI-02.1-2, RI-03.1-2, RI-04.1 | Cloud insurance by a third party against losses in respect of the cloud vendor and tenants (per the SLA), in alignment with documented procedures reviewed at least annually and considering all risk categories (e.g. audit results, threat and vulnerability analysis, regulatory compliance) | AWS details customer remuneration for losses in the SLA. The remaining internal procedures for managing and mitigating risk are in alignment with ISO 27001 (domains 4.2, 5.1), validated by independent auditors, with a few details among the AWS risk documents. Such procedures are updated each year.

RI-05.1-7 | An ability to provide multi-failure disaster recovery, to monitor service continuity with upstream providers in the event of provider failure, and to share redundancy plans with tenants | AWS has several geographic regions, each with several independent Availability Zones designed to move customer data traffic away from an affected area [37].

RM-01.1 | Any policies for new development acquisitions | All newly developed resources are certified by independent auditors with regard to ISO.

RM-02.1, RM-03.1 | An ability to obtain documentation describing the customers' responsibilities within the quality assurance process | All details are provided in the AWS SOC 1 Type II report. Quality standards are part of the SDLC in compliance with ISO 27001 (domain 10.1).

RM-04.1-2 | An ability to examine quality standards for software development and to detect source code security defects | Quality standards are part of the SDLC in compliance with ISO 27001 (domain 10.1); moreover, AWS does not generally outsource software development.

RM-05.1 | An ability to restrict the installation of unauthorized software in the cloud | AWS monitors for malicious software in compliance with ISO 27001 (domain 10.4).

RS-01.1, RS-02.1-3, RS-03.1-2, RS-04.1, RS-05.1, RS-06.1, RS-07.1, RS-08.1-2 | Risk minimization through disaster recovery policies, SLAs, security metrics and business continuity plans that test the environment regularly; technical solutions providing performance and health visibility with failover capability to other providers; physical protection against damage from natural causes, power failures and network disruptions; additionally, an ability to find out the transport route of customer data | Such policies are in alignment with ISO 27001 (domain 14.1). AWS provides the CloudWatch service to monitor the state of EC2, EBS, ELB, SQS, SNS, DynamoDB and Storage Gateway, as well as a status history [38]. AWS provides several Availability Zones in each of its six regions to prevent failures, but customers are responsible for managing failover across regions or to other cloud vendors via the API and SDK. Physical protection is in compliance with ISO 27001 and 27002. Information about transport routes is similar to FS-06.1.

SA-01.1 | Any security/regulatory requirements addressed by industry certifications on granting access | Requirements are in compliance with ISO 27001 (domain 6.2) and reviewed by independent auditors.

SA-02.1-7 | A capability to use SSO, an identity management system and an MFA Policy Enforcement Point (e.g. XACML), to delegate authentication, to support identity federation standards (SAML, SPML, WS-Federation, etc.), and to use third-party identity assurance services | AWS IAM [21-24] provides secure access and roles to resources, with features to control access, create unique entry points per user, grant cross-account access via the API/SDK or the IAM console, and create fine-grained permissions with duration and geo-based conditions. AWS offers identity federation and VPC tunnels, allowing existing corporate identities and temporary security credentials to be used for access. Additionally, customers can avoid mistakes and risks by using the AWS Policy Generator and MFA devices [39]. The covered services are AWS Auto Scaling, CloudFormation, CloudFront, CloudSearch, CloudWatch, DynamoDB, EBS, EC2, Elastic Beanstalk, ElastiCache, ELB, Elastic MapReduce, RDS, Route 53, S3, SES, SQS, SNS, SimpleDB, Storage Gateway and VPC.

SA-03.1, SA-04.1-3, SA-05.1 | Any industry standards as a background for a data security architecture (FedRAMP, etc.), standards (BSIMM, NIST, etc.) for building security into the SDLC, tools for detecting security defects and verifying the software; availability of I/O integrity routines for application interfaces and databases to prevent errors and data corruption | AWS security is based upon best practices and standards (ISO 27001/27002, COBIT, PCI DSS), certified by independent auditors, with threat modeling and completion of a risk assessment as part of the SDLC. AWS implements integrity controls through all phases, including transmission, storage and processing of data, in compliance with ISO 27001 (domain 12.2), certified by independent auditors.

SA-06.1-2, SA-08.1 | Environment separation for SaaS, PaaS and IaaS, and provision of how-to documents | AWS provides many how-to documents, binaries and sources (for example [8-24], [28-29]).

SA-07.1 | MFA features and a strong requirement for MFA on all remote user access | MFA is not a strong requirement; it depends on the customer configuration [39].

SA-09.1-4, SA-10.1-3, SA-11.1 | Segmentation of system and network environments for compliance, legal, protection and regulatory purposes, as well as protection of the network environment perimeter | Internal segmentation is in alignment with ISO and similar to CO-05.1-2, while external segmentation is part of the customer's responsibility. Internal traffic is restricted too, with a default 'deny/allow' setting in EC2/S3 (although explicit configuration is recommended), etc. Externally, customers can use SSL, encryption keys, encryption solutions and security policies to explicitly approve the security settings (AWS, third-party or their own) according to the security documents and whitepapers.
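The conditions mentioned in DG-02.1-5 (restriction by SSL, IP address and time of day) and the "explicit configuration is recommended" point in the SA-09/10/11 response can be checked concretely against a policy written in AWS IAM JSON syntax. The example below is added here and is not the paper's or AWS's code: the bucket name, the policy and the request contexts are constructed, and `is_allowed` is a simplified evaluator that follows IAM's documented decision order (default deny, an explicit Deny overrides any Allow) rather than the AWS policy engine itself.

```python
"""Evaluate an IAM-style bucket policy that uses the aws:SourceIp,
aws:SecureTransport and aws:CurrentTime condition keys.  Constructed policy
and contexts; the evaluator is an illustration, not the AWS engine."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed bucket policy: reads allowed from one office range during working
# hours; any object access over plain HTTP explicitly denied.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOfficeReadsInWorkingHours",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "DateGreaterThan": {"aws:CurrentTime": "2013-03-01T08:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2013-03-01T18:00:00Z"}
      }
    },
    {
      "Sid": "DenyPlainHttpOnObjects",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")

# Constructed request context: the values an evaluator takes from the request.
OFFICE_TLS_NOON = {"aws:SourceIp": "203.0.113.5", "aws:SecureTransport": "true",
                   "aws:CurrentTime": "2013-03-01T12:00:00Z"}


def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator, key, expected, context):
    actual = context.get(key)
    if actual is None:
        return False  # a missing context key fails the condition (no ...IfExists variants here)
    values = _as_list(expected)  # several values under one key are ORed
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if operator == "Bool":
        return any(str(actual).lower() == str(v).lower() for v in values)
    if operator == "DateGreaterThan":
        return any(_time(actual) > _time(v) for v in values)
    if operator == "DateLessThan":
        return any(_time(actual) < _time(v) for v in values)
    if operator == "StringEquals":
        return any(actual == v for v in values)
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_applies(stmt, action, resource, context):
    if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    # Different operators and keys in one Condition block are ANDed.
    return all(_condition_holds(op, key, expected, context)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, expected in pairs.items())


def is_allowed(policy, action, resource, context):
    """Default deny; any applicable Deny wins; otherwise an applicable Allow permits."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Evaluating a few requests reproduces the point behind "explicit configuration is recommended": reads from the office range over TLS during working hours pass, reads from another range, after hours or over plain HTTP fail, but the Deny statement names only the object ARN, so a bucket listing over plain HTTP is still permitted by the Allow. Adding `arn:aws:s3:::example-bucket` to the Deny's Resource list closes that gap.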

SA-12.1 | NTP or similar services | AWS services rely on internal system clocks synchronized via NTP.

SA-13.1 | Equipment identification as a method of validating connection authentication integrity based on known location | AWS provides this ability, for example via AWS metadata, geo tags and other tags created by the customers.

SA-14.1-3 | Host and network IDS to detect and investigate incidents, with auditing of user access (authorized personnel) | Similar to IS-22.1 and IS-23.1-2.

SA-15.1-2 | Authorization of mobile code before installation, prevention of its execution, and its use according to a clearly defined security policy | Customers are responsible for managing this to meet their requirements.

TABLE 4: AWS SOLUTIONS AGAINST A CCM

CID | Control specification | AWS response

CO-01 | Audit plans, activities and operational action items focusing on data duplication, access and data boundary limitations, with the aim of minimizing the risk of business process disruption | AWS has appropriate technical solutions and internal controls to protect customer data against alteration, destruction, loss, etc. Any additional audit information is provided to customers under NDA.

CO-02 | Independent reviews shall be performed annually or at planned intervals to ensure highly effective compliance with policies, standards and regulations (i.e. internal/external audits, certifications, vulnerability and penetration testing) | AWS shares third-party audit reports under NDA with its customers. Such audits cover regular vulnerability scans of AWS's own (non-customer) services [41-42], while customers are allowed to request a pentest [40] of their own instances.

CO-03 | Third-party service providers shall demonstrate compliance with security requirements; their reports and services should undergo audit and review | AWS requires the third parties it engages to meet important privacy and security requirements, in alignment with ISO 27001 (domain 6.2).

CO-04 | Responsible persons for contact with local authorities in accordance with business, customer and compliance requirements | AWS maintains contacts with external parties in alignment with ISO standards.

CO-05 | The organization's approach to meeting known requirements and adapting to new mandates shall be explicitly defined, documented and kept up to date for each information system element in the organization. Information system elements may include data, objects, applications, infrastructure and hardware | Updates to AWS security policies, procedures, standards and controls occur annually, in alignment with the ISO 27001 standard.

CO-06 | A policy to safeguard intellectual property | AWS will not disclose customer data to a third party unless required by law, and will not use the data except to detect or repair problems affecting the services.

DG-01 | All data shall be designated with stewardship, with assigned responsibilities defined, documented and communicated | Customers are responsible for maintaining this for their assets.

DG-02 | Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, etc. | AWS allows customers to classify their resources themselves (e.g. by applying arbitrary metadata and tags to EC2 VMs to set user-friendly names and enhance searchability).

DG-03 | Policies/mechanisms for labeling, handling and securing data and objects containing data | Similar to DG-02.

DG-04 | Policies for data retention and storage, and implementation of backup or redundancy mechanisms to ensure compliance with regulatory and other requirements, validated regularly | The AWS infrastructure is validated regularly for these purposes in alignment with security standards, and offers EBS and Glacier (for data archiving and backup); customers have the capability to manage this via the API/SDK.

DG-05 | Policies and mechanisms for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means | AWS relies on best practices to wipe data using DoD 5220.22-M / NIST 800-88 techniques; where this is not possible, the device is physically destroyed.

DG-06 | Production data shall not be replicated or used in non-production environments | AWS has implemented segmentation of customer data to prevent its movement by default; however, end users are responsible for managing the correct sharing permissions.

DG-07 | Security mechanisms to prevent data leakage | AWS has implemented logical (permissions) and physical (segmentation) controls to prevent data leakage (e.g. the hypervisor is designed to block disallowed connections between tenant resources, validated by an independent PCI QSA in alignment with the PCI DSS 2.0 requirements).

DG-08 | Risk assessments associated with data governance requirements shall be conducted at planned intervals | AWS provides the independent auditor reports under NDA; on their own systems, customers can build continuous monitoring of logical controls, additionally using [38].

FS-01 Procedures for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas.
AWS: AWS controls all access to buildings, rooms and other areas and requires two-factor authentication for it. All procedures are validated by independent auditors.

FS-02 Physical access to information assets and functions by users and support personnel shall be restricted.
AWS: AWS regularly trains employees on their roles; the roles are documented and validated periodically. Any redundant access is automatically revoked when an employee's record is terminated or their job function changes in Amazon's HR system. An employee who is not terminated is reassigned new access rights, which are reviewed every 90 days.

FS-03, FS-05 Implementation of physical security perimeters that provide secure areas and guard them against unauthorized personnel actions.
AWS: AWS has implemented various physical security controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means, in alignment with ISO 27001. In addition to video surveillance, staff must pass two-factor authentication at least twice to reach data center floors.

FS-04 Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
AWS: Similar to FS-03/FS-05.

FS-06, FS-07 Policies and procedures shall be established for securing and managing assets, and for the use and secure disposal of equipment maintained and used outside the organization's premises.
AWS: AWS gives customers control over their data locations. Data is not moved between regions; it stays within the region the customer chose, to prevent failure.

FS-08 A complete inventory of critical assets shall be maintained with ownership defined and documented.
AWS: AWS maintains a formal policy requiring that hardware assets be monitored by AWS personnel and that relationships with all AWS suppliers be maintained, in compliance with ISO 27001 (domain 7.1), which provides additional details.

HR-01, HR-02, HR-03 Background verification of employment candidates in accordance with local laws, regulations, etc. Agreements prior to granting individuals (employees, contractors, 3rd party users, etc.) physical or logical access to facilities, systems or data. Defined roles and responsibilities for performing employment termination or change-in-employment procedures.
AWS: According to AWS, such checks are performed in compliance with law. Every employee is provided with the Company's Code of Business Conduct and Ethics and is trained regularly. An employee or third-party contractor has a minimum set of privileges, which can be disabled by the hiring manager. All access to any resource, and every change to it, is logged and must be explicitly approved in Amazon's proprietary permission management system. Because approval is explicit per resource, any change leads to revocation of the previous access.

IS-01, IS-02, IS-03 Implementation of an ISMP that includes administrative, technical and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration and destruction.
AWS: AWS implements an ISMS addressing security/privacy best practices and provides the appropriate documentation under NDA.

IS-04 Implementation of baseline security requirements for applications/DB/systems/network in compliance with policies/regulations/standards.
AWS: Baseline security requirements are technically implemented with a default 'deny' configuration and are documented in the AWS security documents for all services (e.g. [8-24]).

IS-05 Information security policy review at planned intervals.
AWS: Although AWS provides many how-to documents, binaries and sources [8-24], [28-29] that are updated regularly, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified by AWS.

IS-06 A sanction policy for violation of security policies.
AWS: According to AWS, if a violation happens, the appropriate disciplinary action follows.

IS-07 Implementation of user access policies to apps, DB and the rest in accordance with security, compliance and SLA.
AWS: All AWS services are covered by IAM, which provides powerful permission sets with predefined templates; the rest is similar to FS-02, HR-03 and IS-04.

IS-08 Documented policies for granting/revoking access to apps, DB and the rest in accordance with security, compliance and SLA.
AWS: Similar to IS-07.

IS-09 Revocation/modification of user access to data upon any change in status of employees, contractors, customers, etc.
AWS: Any access is automatically revoked when an employee's or 3rd party contributor's record is terminated or their job function changes in Amazon's HR system. One who is not terminated is reassigned new access rights, which are reviewed every 90 days.


IS-10, IS-11 All levels of user access shall be reviewed by management at planned intervals and documented, and a security awareness training program shall be established for all contractors, 3rd parties and employees and mandated when appropriate.
AWS: Similar to HR-02, HR-03.

IS-12 Industry security knowledge and benchmarking through networking, specialist security forums and professional associations.
AWS: AWS is a member of industry organizations and organizes events.

IS-13 Roles and responsibilities of contractors, employees and 3rd party users shall be documented as they relate to information assets and security.
AWS: Similar to HR-03.

IS-14, IS-15 Responsibilities for maintaining awareness of and complying with the security policies, procedures and standards relevant to a manager's area of responsibility, with documentation of how segregation of duties is maintained.
AWS: Each employee has the Company's Code of Business Conduct and Ethics and has to complete periodic training. Customers should manage segregation of duties themselves. The rest is certified by independent auditors.

IS-16 Informing users of their responsibilities with regard to security policies, standards, regulations and the rules for looking after equipment.
AWS: AWS trains employees in various ways (newly hired employees directly; others by mail on the AWS intranet) so that they understand their roles and responsibilities; this is certified by independent auditors.

IS-17 Documented procedures for clearing visible documents containing sensitive data when a workspace is unattended, and enforcement of workstation session logout after a period of inactivity.
AWS: Similar to IS-16.

IS-18, IS-19 Implemented policies/mechanisms allowing encryption of data in storage (e.g., file servers, databases and end-user workstations) and data in transmission (e.g., system interfaces, over public networks and electronic messaging), as well as key management.
AWS: If keys are created on the server side, AWS creates unique keys and uses them; if they are created on the client side with the customer's own or a 3rd party solution, only the customer can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.

IS-20 Implemented policies and mechanisms for vulnerability and patch management on the side of apps, systems and network devices.
AWS: AWS provides its services with the latest updates and analyzes software updates according to their criticality. Customers are partially able to perform their own vulnerability scans and patching, provided they do not violate the Policy [40], [41-42].

IS-21 Capability of AV solutions to detect, remove and protect against all known types of malicious or unauthorized software, with antivirus signature updates at least every 12 hours.
AWS: AWS manages AV solutions and updates in compliance with ISO 27001, as confirmed by independent auditors. Additionally, customers should maintain their own solutions to meet their requirements.

IS-22 Policies and procedures to triage security related events and ensure timely and thorough incident management.
AWS: AWS has defined role responsibilities and incident handling in internal documents in compliance with ISO and provides the AWS SOC 1 Type II report.

IS-23, IS-24 Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
AWS: AWS contributes to this via [40-42].

IS-25 Availability of mechanisms to monitor and quantify the types and volumes of information security incidents.
AWS: AWS provides this in alignment with ISO 27001, validated by independent auditors.

IS-26 Policies and procedures shall be established for the acceptable use of information assets.
AWS: According to AWS, only customers manage and control their data, unless access is required by law or for troubleshooting aimed at fixing service issues.

IS-27 Employees, contractors and 3rd party users must return all assets owned by the organization within a defined and documented time frame once the employment, contract or agreement has been terminated.
AWS: N/A

IS-28, IS-29 Protection of e-commerce related data traversing public networks. Strong segmentation and restriction of access to, and use of, audit tools that interact with the organization's information systems, to prevent compromise and misuse of log data.
AWS: There is no information that AWS is involved in e-commerce solutions. Internal audit tools are restricted so that AWS personnel have only the access they need to perform specific tasks; each access is reviewed every 90 days.

IS-30 User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
AWS: Administrators are required to use MFA to access such hosts, which are designed to protect this access; they keep it only while they have a business need. All such access is logged, audited and reviewed every 90 days.

IS-31 Network and infrastructure SLAs (in-house or outsourced) shall clearly document security controls, capacity and other requirements.
AWS: SLAs are validated and certified by independent auditors; utilization of customer services housed in the cloud is not mined.

IS-32, IS-33 Policies and mechanisms to limit access to sensitive data (especially application, program or object source code) from portable and mobile devices.
AWS: AWS has this, delineates the minimum rights for logical access to AWS resources and provides details in the AWS SOC 1 Type II report.

IS-34 Utility programs capable of potentially overriding system, object, network, virtual machine and application controls shall be restricted.
AWS: AWS provides internal system tools to perform specific tasks; each access is reviewed every 90 days.

LG-01, LG-02 Periodic review of NDAs and other requirements and agreements by legal counsel. Ability to monitor outsourced providers for compliance with the laws of each country.
AWS: Amazon Legal Counsel reviews 3rd party agreements and NDAs according to business needs. AWS does not leverage any 3rd party cloud providers to deliver AWS services to customers.

OP-01, OP-02 Policies and system documentation are available to all personnel supporting service operation roles, with information system documentation for authorized personnel to ensure the following:
• Configuring, installing and operating the information system
• Effectively using the system's security features
AWS: According to AWS, the policies are aligned with the AWS Information Security framework, which is based on the COBIT framework, the ISO 27001 standard and the PCI DSS requirements. Such documents are available through Amazon's intranet site.

OP-03 The availability, quality and adequate capacity and resources shall be planned, prepared and measured to deliver the required system performance.
AWS: AWS manages capacity and utilization data in compliance with ISO 27001, as certified by independent auditors.

OP-04 Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.
AWS: AWS has continuity policies developed according to ISO 27001 (domain 14.1) and provides details in the AWS SOC 1 report.

RI-01, RI-02, RI-03, RI-04 Cloud insurance by a 3rd party for losses with regard to cloud vendors and tenants (per the SLA), in alignment with documented procedures that are reviewed at least annually considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).
AWS: AWS provides detailed customer remuneration for losses in the SLA. The remaining internal procedures for managing and mitigating risks are in alignment with ISO 27001 (domains 4.2, 5.1), validated by independent auditors, with a few details given in the AWS risk documents. Such procedures are updated each year.

RI-05 The identification, assessment and prioritization of risks posed by business processes requiring 3rd party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor and measure the likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
AWS: An employee or third-party contractor has a minimum set of privileges, which can be disabled by the hiring manager. All access to any resource, and every change to it, is logged and must be explicitly approved in Amazon's proprietary permission management system. Because approval is explicit per resource, any change leads to revocation of the previous access (similar to HR-02).

RM-01 Policies for new development and acquisitions.
AWS: All newly developed resources are certified by independent auditors with regard to ISO.

RM-02, RM-03 Changes to the production environment shall be documented, tested and approved prior to implementation. A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization.
AWS: All details are provided in the AWS SOC 1 Type II report. The standards of quality are part of the SDLC in compliance with ISO 27001 (domain 10.1).

RM-04 A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all outsourced software development. The development of all outsourced software shall be supervised and monitored by the organization and must include security requirements, independent security review of the outsourced environment by a certified individual, certified security training for outsourced software developers, and code reviews.
AWS: The standards of quality are part of the SDLC in compliance with ISO 27001 (domain 10.1), as certified and validated by independent auditors; however, AWS does not generally outsource software development.

RM-05 Implementation of policies and mechanisms to restrict the installation of unauthorized software.
AWS: AWS monitors for malicious software in compliance with ISO 27001 (domain 10.4).

RS-01, RS-02, RS-03, RS-04, RS-05, RS-06, RS-07, RS-08 Documented policy and procedures defining continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets through a combination of preventive and recovery controls, in accordance with regulations and standards. Physical protection against damage from natural causes and disasters as well as deliberate attacks including fire, flood, etc. shall be implemented.
AWS: Such policies are in alignment with ISO 27001 (domain 14.1); AWS provides the CloudWatch service to monitor the state of EC2, EBS, ELB, SQS, SNS, DynamoDB and Storage Gateway, as well as a status history [38]. AWS provides several Availability Zones in each of its six regions to prevent failures, but customers are responsible for managing failover across regions or other cloud vendors via the API and SDK. Physical protection is in compliance with ISO 27001 and 27002. Information about transport routes is similar to FS-06.1.

SA-01 Prior to granting customers access to data, assets and information systems, all identified security, contractual and regulatory requirements for customer access shall be addressed and remediated.
AWS: Prior to using AWS services, customers are required to review and agree to the SLA.

SA-02 Implementation of user credential and password controls for apps, DB, servers and network infrastructure, meeting the following minimum standards.
AWS: AWS IAM [21-24] provides secure access and roles to resources, with features to control access, create unique entry points for users, allow cross-account access via the API/SDK or the IAM console, and create powerful permissions with duration and geo-based conditions. AWS offers identity federation and VPC tunnels, which allow existing corporate identities and temporary security credentials to be used for access. Additionally, customers may avoid mistakes and risks by using the AWS Policy Generator and MFA devices [39]. The covered services are AWS Auto Scaling, CloudFormation, CloudFront, CloudSearch, CloudWatch, DynamoDB, EBS, EC2, Elastic Beanstalk, ElastiCache, ELB, Elastic MapReduce, RDS, Route 53, S3, SES, SQS, SNS, SimpleDB, Storage Gateway and VPC. IAM allows creating and handling the sets defined in accordance with the sub-rules of SA-02 (in the original version of the CCM). On the AWS side it is similar to FS-02, except for 'training'.


SA-03, SA-04, SA-05 Implemented policies and mechanisms, designed in accordance with industry accepted security standards, to ensure the security and integrity of data exchanged between system interfaces and to prevent disclosure, alteration or destruction, complying with legislative, regulatory and contractual requirements. Availability of I/O integrity routines for application interfaces and DB to prevent errors and data corruption.
AWS: AWS security is based on best practices and standards (ISO 27001/27002, COBIT, PCI DSS), certified by independent auditors, with threat modeling and completion of a risk assessment as part of the SDLC. AWS implements this through all phases, including transmission, storage and processing of data, in compliance with ISO 27001 (domain 12.2), as certified by independent auditors.

SA-06, SA-08 Segmentation of production and non-production environments to prevent unauthorized access, and restriction of connections between trusted and untrusted networks to the services, protocols and ports allowed.
AWS: AWS provides many how-to documents, binaries and sources (e.g. [8-24], [28-29]).

SA-07 A requirement of MFA for all remote user access.
AWS: MFA is not enabled by default and depends on the customer's configuration [39].
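SA-02 and SA-07 together make a practical point: IAM permissions can carry conditions, but MFA is only enforced where the customer writes it into a policy. The following Go program is an added example for this review, not AWS code and not part of the paper. It builds a policy document in IAM's JSON shape using the real condition keys aws:MultiFactorAuthPresent and aws:SourceIp, then runs a few requests through a deliberately simplified local evaluator (default deny, Allow only when every condition holds; Deny statements and most operators are not modelled) to show which calls such a policy admits. The Policy/Request types, the evaluator and the 203.0.113.0/24 range are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Statement and Policy model the subset of an IAM policy document used here.
// The condition keys aws:MultiFactorAuthPresent and aws:SourceIp are real
// IAM keys; the evaluator below is a local simplification, not AWS code.
type Statement struct {
	Effect    string                       `json:"Effect"`
	Action    []string                     `json:"Action"`
	Resource  string                       `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Request is the hypothetical context the evaluator sees for one API call.
type Request struct {
	Action   string
	MFA      bool   // did the caller authenticate with an MFA device?
	SourceIP string // caller's source address
}

// MFAGuardedPolicy allows stopping/terminating instances only with MFA and
// only from the given CIDR. Everything else falls through to the default deny.
func MFAGuardedPolicy(corpCIDR string) Policy {
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Effect:   "Allow",
			Action:   []string{"ec2:StopInstances", "ec2:TerminateInstances"},
			Resource: "*",
			Condition: map[string]map[string]string{
				"Bool":      {"aws:MultiFactorAuthPresent": "true"},
				"IpAddress": {"aws:SourceIp": corpCIDR},
			},
		}},
	}
}

// Evaluate returns true only if some Allow statement covers the action and all
// of its conditions hold. Deny statements and other operators are not modelled.
func Evaluate(p Policy, r Request) bool {
	for _, st := range p.Statement {
		if st.Effect == "Allow" && matchesAction(st.Action, r.Action) && conditionsHold(st.Condition, r) {
			return true
		}
	}
	return false
}

func matchesAction(actions []string, want string) bool {
	for _, a := range actions {
		if a == want {
			return true
		}
		if strings.HasSuffix(a, "*") && strings.HasPrefix(want, strings.TrimSuffix(a, "*")) {
			return true // "ec2:*"-style wildcard
		}
	}
	return false
}

func conditionsHold(cond map[string]map[string]string, r Request) bool {
	// Bool condition: the request's MFA flag must equal the policy's value.
	if v, ok := cond["Bool"]["aws:MultiFactorAuthPresent"]; ok && (v == "true") != r.MFA {
		return false
	}
	// IpAddress condition: the caller's address must fall inside the CIDR.
	if cidr, ok := cond["IpAddress"]["aws:SourceIp"]; ok {
		_, network, err := net.ParseCIDR(cidr)
		ip := net.ParseIP(r.SourceIP)
		if err != nil || ip == nil || !network.Contains(ip) {
			return false
		}
	}
	return true
}

func main() {
	p := MFAGuardedPolicy("203.0.113.0/24") // constructed range (RFC 5737 TEST-NET-3)
	doc, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(doc))
	for _, r := range []Request{
		{"ec2:TerminateInstances", true, "203.0.113.10"},
		{"ec2:TerminateInstances", false, "203.0.113.10"},
		{"ec2:TerminateInstances", true, "198.51.100.7"},
	} {
		fmt.Printf("%+v allowed=%v\n", r, Evaluate(p, r))
	}
}
```

The second and third requests are denied even though the principal holds the policy: without the MFA flag, or from an address outside the range, no Allow statement applies and the default deny wins. That is exactly the behaviour SA-07 says the customer has to configure rather than receive by default.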

SA-09, SA-10, SA-11 Separation of system and network environments via firewalls to isolate sensitive data and restrict unauthorized traffic, enhanced with strong encryption for authentication and transmission, and replacement of vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.).
AWS: Internal segmentation is in alignment with ISO and similar to CO-05.1-2, while external segmentation is part of the customer's responsibility. Internally, traffic restriction applies as well; EC2/S3 have a 'deny/allow' option by default (but explicit configuration is recommended), etc. Externally, customers are able to use SSL, encryption keys, encryption solutions and security policies to explicitly approve the security settings (AWS, 3rd party or their own) according to the security documents and whitepapers.

SA-12 An accurate, externally agreed-upon time source shall be used to synchronize the system clocks of all relevant information-processing systems (US GPS & EU Galileo satellite network).
AWS: AWS services rely on internal system clocks synchronized via NTP.

SA-13 Capability for automated equipment identification as part of authentication.
AWS: AWS provides such an ability, for example via metadata, geo tags and other tags created by customers.

SA-14 Audit logs recording privileged user access activities shall be retained in compliance with applicable policies and regulations and reviewed at least daily, with file integrity (host) and network intrusion detection (IDS) tools implemented to help investigation in case of incidents.
AWS: AWS has this in compliance with ISO and provides the results in the AWS SOC 1 Type II Report. AWS also has an incident response program in compliance. Even though customers' data is stored with strong isolation on the AWS side and under the restrictions AWS imposes, additional materials (the SOC 1 Type II report) must be requested to clarify all questions on forensics. All data should be encrypted on the client side, because then the customer deals with legal requests directly, as AWS does not hold the keys in this case.
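IS-18/IS-19 and SA-14 make one point from two sides: keys created on the client can only be managed by the customer, and a provider cannot hand over what it never held. The following Go program is an added example (not AWS code and not from the paper) of the client-side step that precedes an upload: envelope encryption with AES-256-GCM from the Go standard library, where a fresh per-object data key encrypts the object and a customer-held master key wraps the data key, with the object name bound as associated data so a ciphertext cannot be silently re-labelled. The object name and payload are constructed sample values, and wrapping the data key with AES-GCM stands in for whatever HSM or key store a real deployment would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is what would actually be uploaded to the storage service:
// ciphertext plus the wrapped data key. The master key never leaves the
// client, so the provider holds nothing that decrypts the object.
type EncryptedObject struct {
	Nonce      []byte // GCM nonce for the object ciphertext
	Ciphertext []byte // AES-256-GCM(dataKey, plaintext)
	KeyNonce   []byte // GCM nonce used when wrapping the data key
	WrappedKey []byte // AES-256-GCM(masterKey, dataKey)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key with a random nonce; aad is
// authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt performs client-side envelope encryption: a fresh 256-bit data key
// encrypts the object and the master key wraps the data key.
func Encrypt(masterKey []byte, objectName string, plaintext []byte) (*EncryptedObject, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes (AES-256)")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := gcmSeal(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := gcmSeal(masterKey, dataKey, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{nonce, ct, keyNonce, wrapped}, nil
}

// Decrypt reverses Encrypt. Tampering with the ciphertext, the wrapped key or
// the object name makes GCM authentication fail instead of returning garbage.
func Decrypt(masterKey []byte, objectName string, obj *EncryptedObject) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, obj.KeyNonce, obj.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, obj.Nonce, obj.Ciphertext, []byte(objectName))
}

func main() {
	master := make([]byte, 32) // in practice: from an HSM or the customer's key store
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	name := "backups/2013-03.tar" // constructed object name
	obj, err := Encrypt(master, name, []byte("constructed sample payload"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(master, name, obj)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	obj.Ciphertext[0] ^= 0x01 // simulate corruption or tampering in storage
	_, err = Decrypt(master, name, obj)
	fmt.Println("after tamper:", err)
}
```

Only the EncryptedObject travels to the provider; a request served from the provider's side alone yields ciphertext and a wrapped key that cannot be opened without the master key, which is the situation SA-14 describes when it says AWS does not have the keys.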

SA-15 Authorization of mobile code before installation, preventing it from executing and using it according to a clearly defined security policy.
AWS: Customers are responsible for managing this to meet their requirements.

IV. CONCLUSION

Complex solutions and systems like AWS, Azure or GAE tend to be prone to security compromise, because they have to operate large-scale computations with dynamic configuration. Cloud vendors usually do not disclose the technical details of their security to customers, which raises the question of how to verify them against the appropriate requirements. Cloud security depends on whether the cloud vendor has implemented security controls that are documented and backed by policy. However, there is a lack of visibility into how clouds operate; each differs from the others in its levels of control, monitoring and securing mechanisms, which are widely known for non-cloud systems. The potential vulnerability requires a high degree of security combined with transparency and compliance. AWS relies on security frameworks based on various standards, certified by third-party auditors, which help customers evaluate if and how AWS meets the requirements. CAIQ/CCM provides an equivalent of recommendations across several standards. The downside is that it allows vendors to provide fewer public details, moving them into NDA reports and writing general explanations multiplied by general standards recommendations (even in modern documents like CSA). CAIQ provides more details on security and privacy than the matrix aligned to the Cloud Security Guidance in 13 domains.

Besides the details from 3rd party audit reports, customers may require assurance according to local laws and regulations. Reducing implementation and configuration information to proprietary information is quite complicated (that is neither bad nor good, just complicated). In other words, it may call for specific levels of audit logging, activity reporting, security controlling and data retention that are often not part of the SLA offered by providers. The examination of AWS security controls against Russian security standards/regulations shown in [45], and partially in [7], results in the standards being passed successfully using only the native security features implemented in the AWS Console, CLI and API/SDK. It additionally includes cases where the current AWS security features have to be enhanced via third-party security solutions, such as national encryption on the client side before uploading data, and the ability to comply with requirements indirectly. Regarding security enhancement, not only the security controls belonging to the cloud layer (outside the VMs) should be used to protect data, communications, memory, etc., but also internal OS controls and third-party solutions together. However, this excludes obsolescent clauses and cases where we need to 'just wait' for a solution from AWS, when it is impossible to build and implement an appropriate one and AWS promises to 'release it soon' in the FAQ or other documents. OS and third-party solutions known from non-cloud systems allow protecting critical and confidential information present in different system, configuration and other files against alteration, exposure and unauthorized access. Examination of cloud solutions like Azure, BES with AWS & Azure, and Office365 with Cloud BES against other standards (incl. Russian documents) is part of further research; however, the significant direction is improving the existing CSA and NIST recommendations in order to enhance transparency, primarily through technical requirements: on the cloud layer, on the inter-VM/DB & inter-cloud-services layer, and on the VM/DB layer.

REFERENCES

[1] P. Mell and T. Grance, "The NIST Definition of Cloud Computing", Recommendation of the National Institute of Standards and Technology, NIST, 2011

[2] Abdullah Abuhussein, Harkeerat Bedi, Sajjan Shiva, "Evaluating Security and Privacy in Cloud Computing Services: A Stakeholder's Perspective", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 388 – 395, December 2012

[3] Jun Feng, Yu Chen, Pu Liu, "Bridging the Missing Link of Cloud Data Storage Security in AWS", 7th Consumer Communications and Networking Conference (CCNC), pp. 1-2, January 2010

[4] Yan Hu, Fangjie Lu, Israr Khan, Guohua Bai, "A Cloud Computing Solution for Sharing Healthcare Information", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 465 – 470, December 2012

[5] "Google cloud services – App Engine". [Online resource: http://www.google.com/enterprise/cloud/appengine/, Accessed: 23-November-2012]

[6] "Technical Overview of the Security Features in the Windows Azure Platform". [Online resource: http://www.google.com/enterprise/cloud/appengine/, Accessed: 23-November-2012]

[7] Y. Chemerkin, "AWS Cloud Security from the point of view of the Compliance", PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa, vol. 2, No. 10, Issue 10/2012 (12), ISSN 2084-1116, pp. 50-59, December 2012

[8] "Amazon EC2 User Guide". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/, Accessed: 05-December-2012]

[9] "Amazon EC2 Microsoft Windows Guide". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/, Accessed: 05-December-2012]

[10] "Amazon EC2 API Reference". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/, Accessed: 05-December-2012]

[11] "AWS Import/Export Developer Guide". [Online resource: http://aws.amazon.com/documentation/importexport/, Accessed: 16-December-2012]

[12] "Amazon Virtual Private Cloud Network Administrator Guide". [Online resource: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide, Accessed: 05-December-2012]

[13] "Amazon Virtual Private Cloud User Guide". [Online resource: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide, Accessed: 05-December-2012]

[14] "Amazon Direct Connect User Guide". [Online resource: http://docs.aws.amazon.com/DirectConnect/latest/UserGuide/, Accessed: 05-December-2012]

[15] "Amazon Direct Connect API Reference". [Online resource: http://docs.aws.amazon.com/DirectConnect/latest/APIReference/Welcome.html, Accessed: 05-December-2012]

[16] "Amazon S3 Developer Guide". [Online resource: http://docs.aws.amazon.com/AmazonS3/latest/dev/, Accessed: 20-December-2012]

[17] "Amazon S3 API Reference". [Online resource: http://docs.aws.amazon.com/AmazonS3/latest/API/, Accessed: 20-December-2012]

[18] "Amazon S3 Console User Guide". [Online resource: http://docs.aws.amazon.com/AmazonS3/latest/UG/, Accessed: 20-December-2012]

[19] "Amazon Glacier Developer Guide". [Online resource: http://docs.aws.amazon.com/amazonglacier/latest/dev/, Accessed: 20-December-2012]

[20] "Amazon Storage Gateway". [Online resource: http://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html, Accessed: 20-December-2012]

[21] "Amazon IAM API Reference". [Online resource: http://docs.aws.amazon.com/IAM/latest/APIReference/, Accessed: 29-December-2012]

[22] "Amazon Using Temporary Security Credentials". [Online resource: http://docs.aws.amazon.com/IAM/latest/UsingSTS/, Accessed: 29-December-2012]


[23] "Amazon AWS Security Token Service API Reference". [Online resource: http://docs.aws.amazon.com/STS/latest/APIReference/, Accessed: 29-December-2012]

[24] "Amazon Command Line Reference". [Online resource: http://docs.aws.amazon.com/IAM/latest/CLIReference/, Accessed: 29-December-2012]

[25] "DRAFT Cloud Computing Synopsis and Recommendations", NIST Special Publication 800-146. [Online resource: http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf, Accessed: 06-January-2013]

[26] "Security Whitepaper. Google Apps Messaging and Collaboration Products". [Online resource: http://cryptome.org/2012/12/google-cloud-sec.pdf, Accessed: 23-November-2013]

[27] Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Iacono, "All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM Workshop on Cloud Computing Security (CCSW), pp. 3-14, October 2011

[28] "Reported SOAP Request Parsing Vulnerabilities". [Online resource: https://aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/, Accessed: 15-January-2013]

[29] "Xen Security Advisories". [Online resource: https://aws.amazon.com/security/security-bulletins/xen-security-advisories/, Accessed: 15-January-2013]

[30] "The Essential Intelligent Client". [Online resource: http://www.vmworld.com/servlet/JiveServlet/downloadBody/5700-102-1-8823/Intel%20The%20Essential%20Intelligent%20Client.pdf, Accessed: 15-January-2013]

[31] "Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR". [Online resource: http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html/, Accessed: 22-November-2013]

[32] "The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security, pp. 38-49, October 2012

[33] "Reported SSL Certificate Validation Errors in API Tools and SDKs". [Online resource: https://aws.amazon.com/security/security-bulletins/reported-ssl-certificate-validation-errors-in-api-tools-and-sdks/, Accessed: 15-January-2013]

[34] "CSA Cloud Controls Matrix v1.3". [Online resource: https://cloudsecurityalliance.org/research/cai/, Accessed: 22-January-2013]

[35] "CSA Consensus Assessments Initiative Questionnaire v1.1". [Online resource: https://cloudsecurityalliance.org/research/cai/, Accessed: 22-December-2012]

[36] "AWS Security Bulletins". [Online resource: https://aws.amazon.com/security/security-bulletins/, Accessed: 16-February-2013]

[37] "Products and Services by Region with AWS Edge Locations". [Online resource: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html, Accessed: 10-February-2013]

[38] "AWS Services Health Status with the history status". [Online resource: http://status.aws.amazon.com/, Accessed: 16-February-2013]

[39] "AWS MFA". [Online resource: http://aws.amazon.com/mfa, Accessed: 16-February-2013]

[40] "AWS Vulnerability/Pentesting Request Form". [Online resource: https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSSecurityPenTestRequest, Accessed: 16-February-2013]

[41] "AWS Abuse reports (EC2, other AWS services)". [Online resource: https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse, Accessed: 16-February-2013]

[42] "AWS Vulnerability Reporting". [Online resource: https://aws.amazon.com/security/vulnerability-reporting/, Accessed: 16-February-2013]

[43] Jeffrey Medsger, Avinash Srinivasan, "ERASE - EntRopy-based SAnitization of SEnsitive Data for Privacy Preservation", The 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 427 – 432, December 2012

[44] R. Kissel, M. Scholl, S. Skolochenko, and X. Li, "Guidelines for media sanitization: Recommendations of the National Institute of Standards and Technology", NIST SP 800-88 Report, 2006

[45] Y. Chemerkin, "Analysis of Cloud Security against the modern security standards", draft (to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa Warszawa in April-May


Cyber Times International Journal of Technology & Management

CALL FOR PAPERS

At the outset, I take this opportunity to introduce "Cyber Times – International Journal of Technology & Management", which is a platform to provide an innovative view of Technology, Management thinking, Realistic Research Studies and various Management Practices in the Indian and Global perspective. "Cyber Times – International Journal of Technology & Management" is a Bi-Annual Journal and invites original research papers from different Research Scholars, Faculty Members, and Industry Professionals in various domains of Technology, Management, Science and all other categories. The detailed guidelines are attached along with this copy of the journal for the submission of research papers for publication.

Last date of Abstract Submission: 30th July 2013
Last date of Full Paper Submission: 30th August 2013 (Without Late Fee)
Last date of Full Paper Submission: 15th September 2013 (With Late Fee)

Note:

• The papers received for the final publication will be screened by the Evaluation Committee for approval and only the selected Papers will be published in the coming edition. Further information is available on the website (http://journal.cybertimes.in) under the “Guidelines for paper Submission” section.

You are cordially invited to contribute your Research Paper for publication in our next edition. Authors are encouraged to submit their Research work document via Email. Abstract and Full Length Paper should be sent in .doc or .docx as separate attachments to [email protected]. Moreover, in case of any further queries, please feel free to contact us and we’ll be happy to assist you in a better way.

Looking for a Long-Term Association,

Thanks & Regards,
Dr. ANUP GIRDHAR
Editor-in-Chief (CYBER TIMES)


Guidelines to write Research Papers

1. RESEARCH PAPER TITLE: The title of the paper should be in Times New Roman with Font Size 24. It should be Bold Typed, Centre Aligned and Fully Capitalized.

2. AUTHOR NAME (S) & INFORMATION: The author (s) Full Name (with initials), Designation, Address, Mobile/ Landline numbers, and E-mail/ Alternate Email Address should be in Italic & 12-Point with Times New Roman Font.

3. ABSTRACT: The abstract should not be more than 200-250 words and should be in full Italics. The abstract must be illuminating and explain the Purpose, Scope & Conclusion of the research paper.

4. KEYWORDS: Abstract must be followed by a list of keywords. It should be 12-point with Times New Roman Font. Keywords should be arranged in alphabetic order separated by commas.

5. RESEARCH PAPER: Research Paper should be prepared in US ENGLISH on a standard A4 size in PORTRAIT PAPER SETTING. The paper should be typed with Double Column, Single-Line Spacing, 12 font, Times New Roman, and 1” margin on all four sides of the page, MS Word compatible format text. It should be free from all the grammatical, spelling and punctuation errors and must be edited carefully with the support of your Guide. It should not be more than 10-12 pages.

6. HEADINGS: All the headings should be in 14-point Times New Roman Font. The heading text should be in Bold, Left Aligned and Fully Capitalized.

7. SUB-HEADINGS: All the sub-headings should be in 12-point Times New Roman Font. The sub-heading text should be in Bold, Left Aligned and Fully Capitalized.

8. FIGURES & TABLES: The Figure & Table headings should be in 10-point Times New Roman Font. They should be in Bold, Centre Aligned and Title Case. The figures & tables should be self-made, simple, crystal clear, centre aligned, separately numbered & self-explanatory. Sources of data should be mentioned below the table/figure, and it should be ensured that every table/figure is referred to from the main text.

9. EQUATIONS: These should be consecutively numbered in parentheses, horizontally centered, with the equation number placed at the right.

10. REFERENCES: The list of all references should be arranged alphabetically. The author (s) should mention the actual utilized references in the preparation of Research Paper only and should also mention it with numbering ([1] [2]) wherever it is used throughout the paper. The title of books and journals should be in Italics. Double quotation marks should be used for Titles of Journals, Articles, Book Chapters, Dissertations, Reports, Working Papers, Unpublished material, etc.


“SEDULITY SOLUTIONS & TECHNOLOGIES” is an ISO 9001:2008 Certified Organization. It is a channel to provide the best Technical Solutions to various Corporates, Law-Enforcement Agencies, Private/Govt. Institutions, etc. We offer innovative technical solutions with in-depth security & legal countermeasures that have helped various Govt. and Private sector professionals gain advanced knowledge in securing their Networks. Our expert team has been recognized many times for its excellent performance in everything it undertakes, be it Penetration Testing, IT Audits, E-Learning Solutions, Website Development, Cyber Security AMCs via Sedulity Operating System, Consultancies and Hi-Tech Trainings, Placement Activities, etc.

Services/ Solutions/ Products Offered are as follows:

• Penetration Testing
• IT Auditing
• Cyber Crime Investigation
• Network Security
• Security AMCs
• Server Configurations (File Server, SMS Server, Web Server, Database Server, E-Mail Server, Proxy Server, and many more….)
• Hi-Tech Industrial Trainings for Engineering Faculties, Students, Corporate & Govt. Professionals
• Secure Web Development
• E-Learning Solutions via Web Portals and Products
• SEO
• Sedulity Operating System (Editions available for Corporate, Developers, Ethical Hackers, and Cyber Forensics) available in 32/64 bit, Client/Server and many more…….

For more details, contact:
Ph: 011-45651674, +91-9811572430
Email: [email protected]
Website: http://sedulitygroups.com
