2.1.  Purpose

In response to the use of cloud computing emerging as a global trend, this document is developed for providing guidance notes to Bureaux and Departments (B/Ds) for the purposes as described below:

• Enhance B/Ds’ understanding on the basics of cloud security; and

• Facilitate B/Ds on secure use of cloud computing when building their own private cloud or acquiring cloud services from external parties.

This document highlights common security considerations and industry security best practices for the adoption of cloud computing.

2.2.  Normative References

The following referenced documents are indispensable for the application of this document.

• Baseline IT Security Policy [S17] , the Government of Hong Kong Special Administrative Region

• IT Security Guidelines [G3] , the Government of Hong Kong Special Administrative Region

• Information technology -Security techniques -Information security management systems -Requirements (second edition), ISO/IEC 27001:2013

• Information technology -Security techniques -Code of practice for information security controls (second edition), ISO/IEC 27002:2013

• Information technology – Security techniques – Governance of information security, ISO/IEC 27014:2013

• Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services, ISO/IEC 27017:2015

• Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, ISO/IEC 27018:2014

• Information technology – Security techniques – Information security for supplier relationships, ISO/IEC 27036:2014

• Information technology – Security techniques – Storage security, ISO/IEC 27040:2015

2.3.  Terms and Convention

For the purposes of this document, the terms and convention given in S17, G3, and the following apply.

2.4.  Contact

This document is produced and maintained by the Office of the Government Chief Information Officer (OGCIO). For comments or suggestions, please send to:

Email: it_security@ogcio.gov.hk

Lotus Notes mail: IT Security Team/OGCIO/HKSARG@OGCIO

4.1.  Cloud Computing

Figure 1 — Cloud Models

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing under cloud infrastructure can be basically described as three service models and four deployment models¹, which are summarised in the visual model as shown in Figure 1 above.

4.2.  Cloud Infrastructure

A cloud infrastructure is the collection of hardware and software that enables essential characteristics of cloud computing such as resource pooling, rapid elasticity, measured service, on-demand self-service and broadband network access. The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and typically includes server, storage and network components. The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually the abstraction layer sits above the physical layer.

4.3.  Cloud Service Models

There are three typical types of cloud service models as follows:

• Infrastructure as a Service (IaaS): Cloud Service Provider (CSP) delivers a service with fundamental computing resources/equipment (storage, hardware, servers and network components) to B/D while the B/D remains in control of the operating system and applications installed;

• Platform as a Service (PaaS): CSP delivers a service with the fundamental computing resources/equipment and the virtualisation environment to B/D, which deploys its own applications on this environment or cloud infrastructure; and

• Software as a Service (SaaS): CSP delivers a service with infrastructure, platform (or virtualisation environment), and software to B/D. Users from B/D connect to this environment and run the IT applications after customisation.

4.4.  Cloud Deployment Models

There are four typical types of cloud deployment models as follows:

• Public Cloud: the cloud infrastructure is provisioned for the public. It supports multi-tenancy. It may be owned, managed, and operated, or in any combination of them by a third party; it is hosted on the CSP’s premises;

• Private Cloud: the cloud infrastructure is provisioned for exclusive use by a single organisation comprising multiple B/Ds. It may be owned, managed, and operated, or in any combination of them, by the organisation (i.e. In-house Private Cloud), a third party (i.e. Outsourced Private Cloud); it is hosted on or off premises;

• Community Cloud: the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organisations that have common goals, interests and/or shared concerns. It may be owned, managed, and operated, or in any combination of them, by one or more of the organisation(s) in the community; it is hosted on or off premises; and

• Hybrid Cloud: the cloud infrastructure is composed of two or more distinct cloud infrastructures (private, community, or public) that may be provisioned by different CSPs. This model enables data and application portability.

4.5.  Comparison of the Four Deployment Models

A comparison table on the aspects relating to information security for the four deployment models is given below:

The move to cloud computing is a business decision, in which the business case should consider relevant factors such as transition cost, life-cycle cost and readiness of the applications besides security. Nevertheless, B/Ds should assess the sensitivity of their data and determine the suitable deployment model for processing and storing their data. B/Ds shall ensure that classified data are protected no matter which cloud service model it adopts and all government security requirements are fulfilled as well as business needs are catered. With an overall security assessment of a potential cloud platform, B/Ds should identify gaps in security protections offered by the CSP and determine effective approaches to mitigate the risk to their data.

5.1.  Cloud Service Model and Information Security

As a general principle, a client organisation can have greater security control over more resources as one moves from SaaS to PaaS and again from PaaS to IaaS service model. Figure 2 shows the scope of control between responsible parties in cloud:

Figure 2 — Level of control/ responsibility for B/D and CSP across different cloud service models

SaaS services are typically accessed by clients using a web browser over the Internet, and the clients do not manage or control the underlying cloud platform and infrastructure. With SaaS, client organisations usually have little direct control over critical security capabilities such as data encryption or compliance auditing.

PaaS provides cloud facilities at middle layer and it tends to be more extensible than SaaS, at the expense of customer-ready features. Client organisations usually have certain control over the platform and more flexibility to put in place additional security measures on resources at upper layer.

IaaS requires the client organisation to implement its own applications and set up its platform riding on the infrastructure provided by the IaaS CSP. The client organisation remains entitled to the flexibility to manage and control the security of operating systems, deployed applications and customised settings of storage, network and computing resources.

No matter which cloud service model it is, the CSP is still responsible to control and secure the underlying cloud infrastructure components, such as processing, storage, networks, and other fundamental computing resources, to ensure basic service availability and security.

5.2.  Cloud Implementation Scenarios and Information Security

The degree of security control under the client organisation varies between the public cloud and private cloud. As public cloud is provisioned for the general public and shared use by multiple tenants while private cloud is provisioned for exclusive use by a single organisation, private cloud would give the organisation better control over the network infrastructure and security policies with stronger access controls. Hence, public cloud may face more security threats while private cloud may be more robust to security threats. Implementation scenarios on whether the cloud services are in-house or outsourced as well as on premises or off premises are also important to the security protection for a cloud environment.

Figure 3 — Cloud implementation scenarios

For the purpose of further discussion on security considerations and controls for cloud deployment within government, the four scenarios in Figure 3 will be referenced:

• “In-house Private Cloud Scenario” owned and operated by the Government in on premise data centres.

• “Outsourced Private Cloud Scenario” comprising facilities dedicated to the Government in off premise data centres operated by external CSPs, for instance, the Government Cloud Platform (GovCloud).

• “Public Cloud Scenario” provided by external CSPs offering services for use by the public.

• “Hybrid Cloud Scenario” composed of two or more cloud scenarios (private or public)

5.2.4.  Hybrid Cloud Scenario

On top of the above three implementation scenarios, there exists another possible type of implementation scenario – Hybrid Cloud Scenario. As mentioned in Clause 4.4, hybrid cloud infrastructure is composed of two or more distinct cloud infrastructures (such as private and public). Hybrid Cloud implementation scenario, consequently, is a composition of the other three implementation scenarios (In-house Private Cloud, Outsourced Private Cloud and Public Cloud scenarios).

Connection of the cloud environment offered by the CSP to the network of client organisation should not compromise the existing security level. The client organisation should assess the security risks when acquiring cloud service and be based on the principle that stronger security protection is adopted on both sides if the security protection level of the parties is different.

Figure 4 depicts a theoretical hybrid cloud implementation scenario.

Figure 4 — Hybrid Cloud Scenario

A common adoption of the Hybrid Cloud scenarios is “cloud bursting”, in which an enterprise uses an in-house private cloud for primary operations, but optionally accesses one or more out-sourced private clouds during peak demand periods for the sake of load balancing.

6.1.  Management Responsibilities

Users are ultimately accountable for managing security and control over their organisational data. A risk-based approach should be adopted to incorporate a cloud computing strategy in their information systems strategic plans and/or organisational IT plans. Appropriate security management practices and controls should also be adopted and strictly implemented. Strong management practices are essential for operating and maintaining a secure cloud computing solution. Good practices entail monitoring of the organisation’s information system assets and implementing of policies, guidelines and procedures for the purposes to establish and preserve the confidentiality, integrity, and availability of information system resources.

In a cloud environment, data are moving around in distributed cloud storage. It is not easy to maintain an auditable record on data location and ascertain whether sufficient safeguards are in place to protect the data under different jurisdictions. Furthermore, CSPs provide their services with many emerging technologies. Running behind these services are massive hardware infrastructures and complex management tasks. If they are not configured and handled correctly by the CSP, system failure or security incident could happen. For outsourced private clouds or public clouds, another challenge is cloud lock-in. It refers to a situation in which a client organisation is attached to its current CSP due to the complexity in switching to another CSP. There may be difficulties to have one’s business migrated from its current CSP to a new one.

• Analyse the impacts to the security procedures in light of different jurisdictions [O] [P]

  Data in cloud could be stored in and transferred between different physical locations and jurisdictions. B/Ds should consider that their rights are at risk in CSP jurisdiction. Moving data and applications to cloud services will likely have impacts on security procedures in light of the differences in legal and regulatory compliance requirements. All these potential impacts should be analysed in detail and the relevant procedures should be identified. Enhancement to the security measures should be considered to compensate for any areas outside B/D’s direct control. The affected procedures may include incident reporting, activity logging, data retention and application testing.

• Verify the compliance of industry security standards [O] [P]

  Security certification is the proof for the security management, maturity level and quality assurance of an external CSP. Cloud services should be checked to understand its compliance level to the globally recognised industry security standards, such as ISO 27001 (information security management) and ISO 27017 (code of practice for information security controls for cloud services) and to ensure the compliance with government security requirements as well as to meet business needs. The Consensus Assessments Initiative Questionnaire created by the Cloud Security Alliance provides a reference set of questions for assessing a CSP. Compliance certificates and reports should be requested from external CSPs for verification on their validity.

6.2.  IT Security Policies

• Review departmental security policy [I] [O] [P]

Departmental security policy should be reviewed and modified with the necessary adjustments for protecting data to ensure the security controls are effective when deploying business applications in a cloud environment. The adjustments may include new or revised security requirements and controls specific to cloud-related areas such as multi-tenancy, data location, virtualisation and secure use of cloud services.

6.3.  Human Resource Security

• Define roles and responsibilities on resource control and information security [I] [O] [P]

  Roles and responsibilities of the personnel to support the operation and account for information security of the cloud services should be clearly defined, especially in data centres of an outsourced multi-tenancy cloud environment. CSPs should be requested to have clear segregation of job duties, for example, a single person should not take up both system administration and security administration activities. Need-to-know principle shall be strictly enforced. Moreover, updated contact information of responsible supervisory authorises should be maintained.

• Request non-disclosure agreement and ensure proper human resource management [O][P]

  Where appropriate, the staff from the CSP and its subcontractors should agree and sign a non-disclosure agreement. Alternatively, B/Ds should use contractual means such as the cloud contract to ensure the staff from the CSP and its subcontractors undertake the obligation of confidentiality. Selection of CSP should also consider CSP’s background check procedures for staff with high privilege on access authority, as well as clear process and procedure for employment termination. Background check may include review of the person’s history on education, employment, and criminal records as appropriate while employment termination procedure may require the staff to return all assets, particularly classified data, keys and tokens, relating to his/her duties, and all relevant access rights must be removed.

• Issue guidelines or reminders for user awareness [I] [O] [P]

  Cloud application specific guidelines or reminders should be issued regularly to ensure that end-users of the cloud services are fully aware of the sensitivity of data and stay vigilant on possible security threats so that necessary actions can be taken during the data lifecycle, such as removing data stored in cloud when the data are unused.

• Ensure adequate security training to relevant personnel [I] [O] [P]

  Internal and external staff including subcontractors of the CSP should be well trained in order to ascertain their security awareness and understanding of the security requirements. It is desirable for the personnel who are responsible for the security management and operation to have renowned international, national or industry recognised certificates, such as CCSK², CCSP³, CISM⁴, CISP⁵, CISSP⁶, ITIL⁷ or equivalent.

6.4.  Asset Management

Off premises, outsourced data centre, multi-tenancy, use of Internet and many other cloud features dovetail security threats of unauthorised access to the sensitive data through physical and network access. Data confidentiality may also be affected due to potential risks of CSP’s lack of commitment in protecting client data and exposing the client applications and data to various Internet threats. Moreover, it may be difficult or impossible for the client organisation to reclaim data from an external CSP under unexpected service termination, such as company merging and amalgamation, CSP bankruptcies, service shutdowns and any unexpected events.

• Protect data by encryption [I] [O] [P]⁸

  Data encryption is a way to enhance data confidentiality. B/Ds should confirm that encryption capabilities provided on cloud service are adequate with the cryptographic policy on the use of cryptographic controls. Classified data shall be protected using strong encryption method both at rest and in transit in accordance with government security requirements and business needs. Open and proven encryption algorithms should be adopted to avoid locking in proprietary algorithms. The encryption key should also be properly protected and managed (refer to Clause 6.6 Cryptography).

• Observe data protection and privacy legislation for outsourced data centres [O] [P]

  Data protection and privacy legislation shall be observed. For protection of the privacy of individuals in relation to their personal data in Hong Kong, Personal Data (Privacy) Ordinance (PDPO) (Cap. 486), particularly the Data Protection Principle 4 (on security of personal data), shall be observed.

  With increasing demand on a better cost-effective model, some outsourced data centres are located offshore. Data storing at or moving between the offshore data centres where information crossing borders may be subject to local legislations of the data centres, hence adoption of offshore outsourcing should be carefully considered.

  For local legislation development, Section 33 of the Personal Data (Privacy) Ordinance (PDPO) (Cap. 486), although not yet enacted, should be made reference if applicable. Section 33 restricts the transfer of personal data to places outside Hong Kong unless one of a number of conditions is met. The Office of the Privacy Commissioner for Personal Data (PCPD) published a document “Guidance on Personal Data Protection in Cross-border Data Transfer” providing relevant information for reference. B/Ds must ensure service providers seek their approval before allowing information to leave outside Hong Kong borders. To further protect personal data record, additional technical measures, such as data anonymisation⁹, tokenisation¹⁰ and pseudonymisation¹¹ can be considered in order to fulfill the requirements of local ordinance and global regulations, wherever applicable.

• Keep track of data location [O] [P]

  Data location is one of the reasons most cloud users favour a private cloud solution over a public cloud. It is appropriate for the CSP to provide a data map documenting the flow of data between data centres. Customer’s data location should be made known for data at rest, data in transit, as well as for the backup location. Commitments should be made with CSPs to ensure the data will not move to other regions when sensitive information, in particular personal information, is involved.

• Detect and prevent data migrations to the cloud [O] [P]

  In addition to traditional data security controls (like access controls or encryption), B/D should prevent government data, particularly classified data, moving to cloud without prior approval by either monitoring large internal data migrations with Database Activity Monitoring (DAM) and File Activity Monitoring (FAM) or monitoring data moving to cloud with URL filtering and Data Loss Prevention (DLP).

• Maintain an up-to-date inventory of assets [I] [O] [P]

  Assets include all elements of software and hardware that are found in the cloud environment, while types of B/D’s assets vary depending upon the cloud service model. An up-to-date inventory of B/D’s assets in the cloud environment shall be identified and maintained. The assets should include the following:

  1. Business information.

  2. Virtualised equipment.

  3. Virtualised storage.

  4. Software.

• Ensure the controls for disposal or re-use of computer equipment are adequate and properly implemented [I] [O] [P]

  The completeness and effectiveness of mechanisms for locating and securely deleting data before the disposal or re-use of computer equipment such as hard disks and backup media should be well aware, as some multi-tenant environments such as public cloud service may be difficult to support secure data destruction. The requirements of secure data destruction for disposal or reuse of computer equipment containing classified information should be included as one of the selection criteria for external CSPs. Relevant security audit reports should be obtained periodically from the CSP for analysis to ensure the required security requirements are met.

6.5.  Access Control

In a public cloud, the client organisation does not have the same first line of defence as a private cloud in which the client controls the network and authorises who is on that network. The client organisation of a public cloud may have no idea who may or may not have access to its data, including the people who manage the data and the other users on that system. Sufficient understanding on security controls for monitoring and protection against unauthorised access, especially to privileged accounts offered by CSPs, should be obtained prior to procurement and deployment of cloud services. Mechanism should be established to resume access to privileged user account in case a privileged user is denied access.

Due to the multi-tenancy environment in a cloud environment, there exist risks of compromise to data via third party access to common information storage through the network in the cloud. If there is a lack of granular access control to the information, the associated risks of sensitive data disclosure to unauthorised persons would become higher.

For example, an unexpected software bug or human mistake mixing up the user rights may lead to an unintentional or intentional access to client data by unknown co-tenants. Moreover, if the cloud applications hold different sets of user identities, the update between the corporate user directory and its cloud applications will introduce a lag time in the revocation of user access rights, causing possible access to the sensitive data by unauthorised staff before changes effected.

Under a private cloud environment, client organisations could have a better control and assurance on the security measures, such as data encryption, cryptographic key management, information access controls, etc. Access to information by the people outside the client organisations could be tightly restricted.

• Define logical access control clearly [I] [O] [P]

  Operating a cloud environment may involve many parties including operator team, application support team, infrastructure support team and data centre maintenance team. The authorised persons may be in-house or employed by the CSP or its subcontractors. Allowing more people to handle information assets would increase the risks on unauthorised access to the data. Thus, authentication and authorisation on logical access control should be clearly defined, such as who should be granted with the rights to access the data, what their access rights are, and under what conditions these access rights are provided. A “Default Deny All” policy should be maintained and least privilege principle shall be followed for staff accessing the cloud data.

• Establish Identity and Access Management (IAM) architecture [I] [O] [P]

  Identity and Access Management (IAM) architecture should be considered. It allows broadening of the IAM practice using open standards, such as OpenID, to manage user account provisioning, authentication, and authorisation in the cloud. Mature and industry-proven authentication and authorisation standards, such as Security Assertion Markup Language (SAML) and eXtensible Access Control Markup Language (XACML), could further improve the security status. Security features specified by these standards, such as XML Signature and XML Encryption for message-level security in SAML, should be used as appropriate. Adoption of identity federation in IAM architecture can facilitate the interconnection of disparate identity repositories, allowing users make use of single sign-on when accessing different applications.

• Adopt access control standards [I] [O] [P]

  Once adopting a cloud service, users’ identities may be extended into the cloud by connecting the identity repository or directory service to the CSP. When selecting cloud services, it is desirable that they should leverage industry standards (e.g. SAML) for implementing secure single sign-on solutions for passing identity and attributes, as well as enforcing authorisation policies.

• Ask for strong authentication options [I] [O] [P]

  Since the cloud services could be accessed through various devices and different channels, authenticating with a simple user ID and password may not be strong enough to protect accounts from being compromised. When selecting cloud services, those cloud services with two-factor authentication (2FA) should be considered and 2FA should be enabled for as many accounts, especially privileged user accounts, as possible. Some common 2FA authentication options are One-Time Passwords, biometrics and digital certificates.

  For further protection, user access, especially privileged user account, should be limited to dedicated workstation, network or location. The e-Authentication Framework¹² published by the OGCIO provides a basis to evaluate the risks, determine the security requirements and implement the appropriate authentication methods. The Framework should be followed in determining and implementing the electronic authentication requirements of electronic transactions for cloud services.

• Restrict and control the use of privileged utility programs [I] [O] [P]

  Unauthorised use of privileged utility programs running in the cloud environment might be capable of overriding system and application controls. B/Ds should request the CSP for the functional specifications of the privileged utility programs to ensure the security controls on the use of the programs accessing cloud service are in place.

6.6.  Cryptography

• Manage and protect cryptographic keys [I] [O] [P]¹³

  Cryptographic keys should be managed and protected properly in accordance with security regulations and policies. Key management on storage should be enforced and keys should be managed in the custody of the B/Ds. Processes for a key management lifecycle should be defined: how keys are generated, used, stored, backed up, recovered, rotated, and deleted. Cryptographic operations and key management may be bound to the identity and access management systems for strengthening the security protection. B/Ds should not re-use a key across different cloud platforms to avoid the risk of compromising all cloud platforms especially under hybrid cloud scenario.

6.7.  Physical and Environmental Security

In public clouds, like outsourced private clouds, data centres are located off premises and a cloud may span across multiple data centres in different geographic locations. When the data move to the cloud data centre which is not managed by the client organisation, physical controls on data are handed over to the CSP. Due to multi-tenancy nature of public clouds, the risks of unauthorised physical access by unknown co-tenants or third parties become one of the key security concerns.

Adequate physical security measures in a cloud data centre could protect against trespassing activities to the computing resources at the physical layer. For some CSPs, only computer racks without key lock are provided. It is obviously not enough for multi-tenancy environment. Anyone who has the right to access the data centre will have the opportunity to access the computer devices holding data of its tenants. The environment security and equipment security as well as physical access control in an off premises cloud data centre are the primary concerns in physical security domain.

Usually, services offered by public cloud services CSPs are not targeted for single tenant environment. From time to time, these CSPs may offer new solutions and services to cater for the market need, such as single tenant solution for cloud user. B/Ds are advised to study carefully the entire cloud solution package including infrastructure when choosing appropriate deployment model. For example, if B/Ds are considering a private cloud to meet business needs and security requirements, then single tenant solution is just one of the considerations. B/Ds should also evaluate whether the cloud infrastructure should be dedicated so as to match the requirements as private cloud solution. In short, B/Ds should assess what security control on overall infrastructure should be implemented based on their business needs and government security requirements.

• Analyse risks for selection of site location and its facilities [O] [P]

  In practice, an off-premises data centre may not be designed or managed with security as the first priority, instead most of the CSPs focus on cost-effectiveness. Therefore, on-site inspections of related facilities such as uninterruptible power supply (UPS), air conditioning and ventilation, fire suppression system as well as water damage and flood control system should be conducted if appropriate. Site location of data centres, disaster recovery (DR) centres and their operation functions should be assessed in consideration of natural hazards, locality (e.g. local jurisdictions), network dependency (e.g. Internet network hubs), etc. If on-site inspection is not feasible, then the CSP should provide the relevant certifications or audit reports for B/D’s reference.

• Adopt adequate physical protection for all IT equipment and data storage media for outsourced data centres [O] [P]

  In an outsourced cloud data centre, there may be potential unauthorised access due to the multi-tenant nature. Security requirements of proper physical protection for all IT equipment and data storage media within the shared data centre, and also for all off-site backup media should be defined. Implementation of security measures by the CSP should meet the security requirements.

• Adopt an isolated area for dedicated use as necessary [I] [O]

  If there is special requirement of not sharing equipment or equipment racks with application systems of other tenants due to the sensitivity of data or other security requirements, an isolated area could be considered to segregate the application owner’s data and resources from that of other tenants. The segregated components usually include servers, network equipment, storage, power supply and signal cabling. The area under the perimeter of the application owners in a data centre should be clearly identified. Access to the area should be restricted to authorised persons only. In addition, entries into the data centre should not be open and easily accessed by the general public. It is desirable that the isolated area should not be at or near the common area, such as corridors and the main exit, in order to limit unauthorised or unavoidable access. All physical access to the data centre should be approved by the data centre manager with records.

• Restrict access to the isolated area [I] [O]

  Access to the isolated area should be under strict control by means of electronically controlled access system or other equivalent access control measures. The isolated area should always be locked even when attended. Dual control should be enforced in the authorisation and approval for access to, including authorisation and approval for adding in and removal from standing access lists, the isolated area. The standing access list should be authorised by the application owner or other authorised person. All physical access to the isolated area and equipment racks on a need basis should obtain the authorised approval with proper records. Periodic reviews of the area access logs, for example on a quarterly basis, should be performed to ensure completeness and accuracy. Also, the standing access list should be reviewed regularly.

• Consider defining different security levels of controlled area [I] [O]

  To achieve a higher level of security, implementation of areas with different levels of controls in a data centre is worth considering. Generally, the levels of physical access controls may be determined based on the importance of the application service and the sensitivity of information hosted in the area. The physical and management controls for the controlled areas should be clearly documented and labelled.

• Ensure adequate access controls for multiple application systems sharing the same equipment rack [I] [O]

  If sharing of equipment rack among application systems is adopted, it is important to note that the approval for physical access should be defined at the equipment level rather than the equipment rack level. In addition, other access controls, such as individual key locks, account lockout policy and regular system log review, should be implemented to mitigate the risks of sharing of equipment racks.

6.8.  Operations Security

6.9.  Communications Security

In a cloud data centre, physical servers and network components are virtualised and probably shared by multiple tenants. Security measures applied to traditional network systems may not effectively protect against network attacks between virtual machines (VM) on the same server in the cloud environment. As some security threats are unique to a virtualisation infrastructure including communication blind spots, inter-VM attacks, and mixed trust level VMs, the dynamic and fluid nature of VM will make it difficult to maintain the security standards and ensure that records can be audited. The ease of cloning and distribution between physical servers could result in the propagation of configuration errors and other vulnerabilities. These security threats and issues arising from virtualisation are required to deal with when adopting and implementing cloud infrastructure.

Furthermore, for cloud services, data may be transported across untrusted network (e.g. Internet, public network) and/or government network as data are shared in distributed cloud deployments. Data in transit should be well secured. The security practices on network and communication are crucial to a cloud service.

6.10.  System Acquisition, Development and Maintenance

With the rise of cloud computing, security architecture becomes highly dynamic. Cloud characteristics, such as sharing of computing resources by multi-tenancy within a data centre, make configuration management and on-going provisioning far more complex than that in a traditional IT environment. Cloud computing affects all aspects of Software Development Life Cycle (SDLC), and introduces a number of new challenges around the tools and services required to build and maintain running applications.

For some SaaS applications, CSP stores multiple tenant data into an application database by introducing an extra attribute such as “tenant_id” in every table of the database for tenant identification. Through software vulnerabilities, such as scripting bugs or specially-crafted SQL queries, a malicious tenant is possible to compromise the application and access the data of others. Moreover, security weaknesses such as outdated web browsers and unprotected web sessions may lead to compromise of application integrity and data confidentiality. All of the security issues related to application security still apply when applications move to a cloud platform.

• Apply secure software development lifecycle to cloud applications [I] [O] [P]

  Secure software development lifecycle processes (or other development methodology as appropriate), e.g. security design review and software testing, should be applied to applications built on the cloud platform to make application less vulnerable to potential threats after release. The lifecycle addresses security threats throughout the development process by proactive checks during development, including:

  1. Threat modelling during the design process to identify and mitigate potential security issues early;

  2. Following development best practices and secure coding standards (e.g. security code review, data input validation and output encoding requirements) for preventing web application vulnerabilities; and

  3. Requiring various tools (e.g. code scanning and analysis tools, testing tools and code obfuscation tools) for testing, verification and code protection before deployment.

• Manage and protect credentials [I] [O] [P]

  Cloud technology enables easy deployment of applications and the deployment tasks are always dedicated to the development staff in the cloud. Managing and protecting credentials for entering to the production environment become critical. Credentials should be kept securely to help prevent unauthorised access to as well as illicit tampering of application programs and control files. Comprehensive policies and procedures should be defined and strictly adhered for maintaining the integrity of the application environment.

6.11.  Outsourcing Security

The cloud services of public clouds and outsourced private clouds are not managed or operated by in-house staff. In respect of the relevant security practices for cloud services managed by external CSPs, the following aspects need to be considered:

• Analyse security risks before making decision to commence using outsourced cloud services at outsourced data centres [O] [P]

  All security risks should be analysed with IT security requirements. Results of the analysis will provide a basis for management to make appropriate decisions on commencing outsourced cloud services.

• Define clearly the security requirements of the areas to be outsourced when preparing the outsourcing tender [O] [P]

  Relevant requirements in business and security domains such as physical security, management responsibilities, security incident management and security risk assessment and audit (SRAA) should be defined clearly with measurable performance indicators when preparing the outsourcing tender and the requirements should also be included in a tailored SLA. As in any outsourcing arrangements, data ownership should also be clearly defined and agreed with the CSP.

• Tailor SLA and check on changes [O] [P]

  The consequences of terms in a SLA such as data location, roles and responsibilities of different parties, compliance as well as data backup and recovery should be well aware. Modifications on the SLA are required, as appropriate, to address any potential security issues that may probably lead to security incident. B/Ds should evaluate and ensure the terms in the SLA to fulfil their business and security requirements. For public cloud services, CSP website should be checked periodically for any notices of changes in the common statements of SLA, as CSPs may reserve right to update some terms in the SLA at any time with limited advance notice.

• Ensure the external CSP provides security controls that meet government security requirements [O] [P]

  Control mechanisms should be implemented so as to meet government security requirements commensurate with the involved data classification and sensitivity. B/Ds should apply due diligence and oversight, wherever applicable, for external CSPs satisfying the business, security and privacy needs. B/Ds should develop additional controls to mitigate a given risk that is not fully covered by CSP.

• Ensure external threats are properly addressed [O] [P]

  The outsourced CSP should secure hosts and applications provided by them using best practices against external threats and unauthorised access. Such practices would include, but not limited to, hardening of the OS, keeping it upto-date with the latest patches, and installing of hypervisor-based, network-based or host-based anti-malware software, Intrusion Detection System (IDS)/ Intrusion Prevention System (IPS), and firewalls as appropriate. Security risk assessments should be regularly conducted by the CSP to ensure the system attains the required security level, and B/Ds should review the SRAA report provided by the CSP regularly.

• Formulate exit strategy [O] [P]

  The existence of exit strategy or exit plan should be ready and should be established at an early stage when adopting cloud services. An exit plan may be provided by the CSP or B/D. The exit plan should include how to retrieve data and the virtual environments out of the CSP, and how to clean up data and the virtual environments. Through the development of this plan, the risk of ‘Lock-in’ to one CSP is also addressed. Further negotiation on the exit term could also reduce the risk.

6.12.  Information Security Incident Management

Despite all necessary security measures adopted in an information system, security incidents do occasionally occur in the system. Security incident handling is a set of continuous processes governing the activities before, during and after a security incident occurs. The nature of cloud computing makes it more difficult for client organisations to determine what to do in case of a security incident, data breach or other security issues that require investigation. For example, the client organisation may consider a security incident be classified as critical, but the CSP may not agree and exert little effort for follow-up on the case.

The adoption of cloud computing alters the fabric of incident response. Especially, in public clouds, the client organisation does not have direct access to network logs because it does not own the network. Some CSPs, as declared in their standard SLAs, do not have any obligations to investigate any security violations and misuse of services which may lead to security incidents. Client organisations are advised to take note of the security practices on incident monitoring and response as described below.

6.13.  IT Security Aspects of Business Continuity Management

• Ensure effective data backup and Disaster Recovery (DR) arrangements [I] [O] [P]

  No matter the DR arrangements are managed by B/D or CSP, B/D should ensure the effectiveness of these arrangements and align with B/D’s requirements. Recovery Point Objective (RPO) and Recovery Time Objective (RTO), location of the DR centre, roles and responsibilities of the recovery teams, lines of communication for the event of DR, and the restoration priorities should be defined and be correlated with SLA.

• Develop Business Continuity Plan (BCP) [I] [O] [P]

  Business Continuity Plan (BCP) of B/Ds should include scenarios for loss of the CSP’s services and third party-dependent capabilities. Testing of this part of the plan should be coordinated with the CSP. If possible, CSP’s BCPs should also be inspected. It would be good to ask for evidence of active management support and periodic review of the CSP’s BCPs.

6.14.  Compliance

In consideration of economy of scale, CSPs implement multi-tenancy environment and commingle resources pool. Particularly for public clouds, the data centres, computing devices, data storage and human resources are shared by users. Due to privacy issues, conducting in-depth assessment and audit exercises by specific client organisation is normally not permitted. In most public clouds, the CSP may not be able to agree to custom audit obligations for a specific client organisation. If a CSP does not allow clients to directly conduct SRAA on it, it should be requested to provide third party audit reports which meet industry standards and satisfy B/D’s requirement.

It is important to note that cloud computing can refer to several different service models, including SaaS, PaaS and IaaS. The risks and security controls associated with each model as well as the key considerations in outsourcing for the model of service will differ. As a result, the process for conducting the SRAA may also be different.