Measuring Cloud Security

ISSA Journal | June 2013

Abstract

One of the most effective means for managing the security challenges of cloud computing is to develop effective measurement capabilities. Security metrics provide visibility into how well the organization is executing on cloud security strategies. This article introduces concepts for securing cloud architectures and describes ways that measurement can be applied to securing cloud technologies. By evaluating the relationship between the do’s and the get’s inherent in cloud adoption, security professionals can create cloud security designs that both complement other cloud strategies and provide evidence-based decision support for security requirements.


If you are in IT today, you are hearing a lot about (and probably considering deploying yourself) some form of cloud-based solution. From outsourcing some of your corporate functions to a cloud provider or allowing your users to access consumer cloud services on devices with enterprise access, the types and use cases of the cloud are as diverse as imagination allows.

If you are an IT security professional, then you are probably imagining all the ways things can go wrong when you give up control of corporate information assets. For every cloud use case promoted, there seem to be both general and specific concerns about how to protect users, organizations, and data. Security professionals may feel the added pressure of addressing concerns in technology initiatives that are already underway and enjoy wide corporate support.

By Lance Hayden – ISSA member, Capitol of Texas, USA Chapter – and Ken Stavinoha

When considering the security challenges of cloud adoption, as good a place to start as any (and better than most) is measurement and metrics. Together with strategy, measurement is a core component of success for any IT initiative, particularly those dealing with security. Put simply, if strategy represents a set of do’s and get’s that we imagine we will accomplish, measurement is the means by which we determine whether or not we succeeded. Everything else, from the policies we write to the specific technologies we deploy, is ruled by these two activities. Most organizations get the strategy part and develop more or less sophisticated goals and objectives for their actions. But not as many organizations are as adept at actually measuring strategy and its achievement.

What is the cloud?

A big part of strategy is definitional. We even talk about “defining our strategy” before we begin on a course of action. So it’s useful for a moment to talk about how we define the cloud. There are several types and classifications of cloud computing, as well as different functions that comprise cloud architectures. Securing these different cloud implementations requires us to know what we are talking about beforehand. While there is no universally accepted definition for cloud computing, the US National Institute of Standards and Technology (NIST) has developed a broadly accepted candidate. Cloud computing is “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (Mell and Grance, 2011). Figure 1 illustrates the visual model for NIST’s definition.

Figure 1 – NIST visual model of cloud computing definition

Of the four deployment models shown, public and private clouds appear to be the most widely adopted thus far. From a security standpoint, the private cloud is most similar to traditional IT environments, allowing the most control. Public clouds are the opposite, allowing little or no direct control over security.

As shown in figure 2, there are varying levels of control divided between cloud service providers and cloud consumers, depending on the cloud service model. In this context, Badger, Grance, Patt-Corner, and Voas (2012) defined control as: “The ability to decide, with high confidence, who and what is allowed to access subscriber data and programs, and the ability to perform actions (such as erasing data or disconnecting a network) with high confidence both that the actions have been taken and that no additional actions were taken that would subvert the subscriber’s intent…” (p. 4-3)

In every cloud service model, the cloud service provider controls the facility layer (i.e., data center) and any associated physical hardware utilized to offer and maintain cloud services. The cloud consumer yields increasing degrees of control to the cloud provider as the service models move up the stack from IaaS to SaaS. (Note: Consumer and provider are roles in the NIST cloud computing reference architecture, and an organization may play more than one role.)

Figure 2 – NIST cloud service model scope and control

Questions of scope and control depend upon the type of service – IaaS, PaaS, and SaaS – and whether the cloud is public, private, community, or hybrid. Arguably, a consumer using SaaS in a public cloud has the least amount of control, whereas a consumer utilizing IaaS in a private cloud has the most control. Control impacts the ability of the cloud consumer to directly enforce compliance and security policies, which can affect the ability of the consumer to protect his data.

Security challenges for the cloud

Cloud computing adoption surveys frequently cite information security, loss of control, or similar issues as the top reasons that organizations hesitate to utilize cloud services. Ironically, the virtualization and multi-tenancy that provide much of cloud’s scalability, elasticity, and potential cost benefits drive many of these security and privacy concerns. The protection afforded by traditional IT security perimeters is significantly challenged by the dynamic nature of large virtualized infrastructures that may span multiple geographic locations and involve assets beyond the immediate control of the organization.

As the data owner, the consumer maintains liability for protecting data even if it is managed by a third party. Encryption is frequently touted as a solution, but practical and business limitations exist for encrypting data at rest, data in transit, and key management. Data in use remains vulnerable, with affordable and efficient homomorphic encryption solutions still years away for many cloud consumers. Thus cloud consumers must partner with cloud providers in a shared control model whereby each party has a stake, enforced by contract, in the security effectiveness of the cloud solution.

Another potential issue in cloud computing is, like the Wizard of Oz, “that man behind the curtain.” A consumer signs a contract with a cloud provider who claims to provide the entire solution. In reality, the provider will likely have dependencies on other providers (storage, network, application, processing, etc.) – none of which are necessarily obligated to the consumer. These dependencies may change frequently without the consumer’s knowledge, especially when cloud service providers are trying to meet elasticity requirements. The consumer is challenged to know where his data is and how or if it is being appropriately protected at any given moment. This daisy chain of trust may pose risks not addressed by contract and for which the consumer has no direct legal remedy. The Service Level Agreement (SLA) is often bandied about as a solution, but it is designed to address service performance issues – not security controls. Potential ramifications of a breach or inadvertent data disclosure often lie beyond the scope of what an SLA alone can remedy.

Having covered what makes a cloud computing architecture and discussed some of the security risks and challenges organizations face, we can turn our attention back to questions of strategy and measurement. Most IT security practitioners have realized that simply saying “no, we will not adopt cloud computing” is not a sustainable option within their organizations. But having a desire to secure cloud architectures is not the same as having a strategy to secure them. Just like the IT department must formulate a cloud strategy, so too must the security team. And these strategies should be at least somewhat compatible. If they are not, then usually the strategy with the most political support will win. In the case of the cloud, with all the attending hype and real benefits from implementation, security may lose.

Given powerful drivers for cloud adoption, one of the key security challenges we face is developing realistic and measurable security strategies that complement and compete with IT and business strategy. If the security strategy is weak, too cumbersome, or not measurable in a way that can show the benefits of not doing something, then proposed controls and technologies will not matter. The security strategy will get steamrolled in favor of other priorities. Of course, management will always acknowledge concerns about data loss and compliance, but the security team will rarely have the advantage in conflicts over cloud adoptions.

Measurement in information security

Security practitioners struggling over the cloud face the same challenges security programs always face. They must demonstrate the value of something that is not well understood, which deals in negative rather than positive outcomes, and that demands people not do what they want or what is easy.

In our experience consulting with large IT organizations around the world, a robust measurement program is among the best remedies for security program uncertainty. By establishing measurement goals and collecting metrics to support those objectives, CISOs and other security stakeholders can provide empirical evidence to support what they want to do, what they are doing, and why they are not doing other things. While interest in security metrics has grown in recent years, measuring security is still a young initiative, and security practitioners cannot match the experience and insights of other industries that have been measuring their activities for decades or even centuries. But the proliferation of threats, risks, and proposed solutions demands that security teams pay more attention to how they evaluate their own activities. Measurement is becoming an accepted best practice for IT security in general, and so it is a great place to begin when considering cloud security.

The primary way that metrics serve security is by providing a window of visibility into how well the organization is executing on its strategy. The attempt to move from unsophisticated and anecdotal performance indicators like “well, we didn’t get hacked last year…” to evidence-based management of the security program forces organizations to reexamine strategic goals and objectives and the means by which they move from these do’s into verifiable get’s. In some organizations this results in a complete revisiting of strategy itself, particularly where the strategy in question proves more of a non-measurable mission statement than something that can be implemented and managed.

In the case of the cloud, some organizations seem to be following a strategy of “keeping up with the Joneses” in that they are moving to the cloud because everyone else seems to be (or at least that is what the media, the analysts, and their IT vendors are telling them). This is not necessarily a bad strategy. It’s certainly no worse than some cloud security strategies we have seen where all cloud development is stymied out of fear, uncertainty, and doubt. But neither approach is likely to be as successful as a more thoughtful strategy that recognizes legitimate reasons to adopt cloud architectures (and which ones are right for the organization) as well as significant risks of doing so (and manages those that are most important). Measurement and metrics provide the data necessary to make these decisions.

Applying security metrics to the cloud

Cloud metrics have fallen into the crosshairs of standards development organizations, business consortiums, and academia as a subject of study, and there is much work in this area to be done. The challenge of cloud security metrics is twofold. First, one cannot measure something that is undefined. There is no formally accepted definition for cloud security as yet. Indeed, the cloud concept itself remains in a formative state as standards and deployment models are developed and refined. A second challenge involves measurement in the security industry. IT security measurement is a fairly new area, at least as a defined discipline. When you combine a relatively new approach with an even newer technology development, it becomes difficult to make definitive judgments about anything. It is understandable that stakeholders want specific metrics for their cloud security, but any prescriptive or definitive claims as to what those metrics should be are suspect. One public project currently underway is led by NIST to address the process of identifying key terms, definitions, and the contextual challenges around effectively measuring and comparing cloud performance. NIST (2013) has proposed several roles that metrics can play in cloud service selection (Figure 3a) and service management (Figure 3b).

Figure 3a illustrates an example of metrics being utilized to compare two cloud offerings. Figure 3b shows an instance where metrics are utilized in monitoring the SLA to ensure that the service is being delivered per the contract specifications. Standardized metrics might certainly be useful in each of these cases; however, there may be contextual elements of measurement that are unique to each case even though the same terms may be found in both.

Figure 3a – Cloud service selection

Figure 3b – Cloud service management

Figure 4 shows the NIST Cloud Metrics working group proposed concept model and defines the objects plan, metric, and measure and their relationship:

“From a top-down approach, stakeholders use the plan to define the expectations of the underlying process (e.g., SLA or Operation) and what should happen if it is not met…The measures define the measurement characteristics of the properties to be observed. This creates a direct path between the measurable properties and plans such as service level agreements, which in turn can improve the visibility and accountability of the underlying process or system.” (NIST, 2013)

Figure 4 – NIST Cloud Metrics working group concept model

A Plan uses a Metric as the basis of decisions.

A Metric is a context-aware Measure.

A Measure is a property of a phenomenon. The property has a magnitude that can be expressed as a number and a unit, or as a string.

Worked instance shown in the figure: Measure (composed): Speed, unit meter/second, composed from Measure: Distance (unit meter) and Measure: ElapsedTime (unit second). Metric: ControlledSpeed, built on Measure.Speed with a Minimum-limit and a Maximum-limit. Goal: make sure the speed stays within the bounds, otherwise trigger an action.

GQM for cloud security

In part because there are no universally recognized metrics for cloud security, it is very important that organizations adopting cloud infrastructures carefully develop measurements appropriate to their unique strategies and goals. A useful method for developing metrics that successfully align with specific strategic objectives is the Goal-Question-Metric (GQM) framework. Developed out of research in software engineering and quality control, GQM is an elegant yet sophisticated way of vertically integrating strategy and measurement into a cohesive relationship.

Beginning with goals, the organization defines strategic objectives for cloud security (GQM is not security-specific, and could be used to define strategy and metrics for the entire cloud initiative, if desired). These goals naturally trigger questions that must be answered to determine whether the goal has been met. For instance, if the goal is ensuring that a cloud provider is protecting sensitive data as well as the consumer does, certain questions emerge: How well does the consumer protect data today? How well does the provider protect internal data? What controls are in place in each organization? Many questions may emerge, all representing the process by which the company verifies performance against the goal. Questions in turn trigger demands for data and measurement. Our example consumer may realize the organization does not measure its own security controls effectively, thereby providing no benchmark against which it can measure the cloud provider’s. As these metrics are defined and collected, they support questions and goals at a higher level of abstraction, while keeping the measurement focus on what is strategically important to the organization. An illustration of the GQM framework can be found in figure 5.

Figure 5 – GQM framework
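The following is an added example, not code from the article or from NIST: it puts the figure 4 Plan / Metric / Measure model into Python and runs the Contractual Security Coverage metric from Table 1 through it, alongside the figure's own ControlledSpeed instance. Class, field and function names are this example's choices, and the contract records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Measure:
    """A property of a phenomenon: a magnitude plus a unit (figure 4)."""
    name: str
    value: float
    unit: str

def speed(distance: Measure, elapsed: Measure) -> Measure:
    """Composed measure from the figure: Speed = Distance / ElapsedTime."""
    if elapsed.value <= 0:
        raise ValueError("ElapsedTime must be positive")
    return Measure("Speed", distance.value / elapsed.value, "meter/second")

@dataclass(frozen=True)
class Metric:
    """A context-aware Measure: the measure plus the bounds that give it meaning."""
    name: str
    goal: str
    measure: Measure
    minimum_limit: Optional[float] = None
    maximum_limit: Optional[float] = None

    def within_bounds(self) -> bool:
        v = self.measure.value
        if self.minimum_limit is not None and v < self.minimum_limit:
            return False
        if self.maximum_limit is not None and v > self.maximum_limit:
            return False
        return True

@dataclass(frozen=True)
class Plan:
    """Uses a Metric as the basis of a decision: what to do when a bound is missed."""
    name: str
    metric: Metric
    action: str  # triggered when the metric leaves its bounds

    def decide(self) -> str:
        return "no action" if self.metric.within_bounds() else self.action

# Constructed sample data (not from the article): cloud-related contracts and
# whether each specifically addresses security requirements (Table 1, row 1).
CONTRACTS = [
    {"id": "vendor-1", "kind": "vendor", "addresses_security": True},
    {"id": "vendor-2", "kind": "vendor", "addresses_security": False},
    {"id": "partner-1", "kind": "partner", "addresses_security": True},
    {"id": "customer-1", "kind": "customer", "addresses_security": True},
    {"id": "customer-2", "kind": "customer", "addresses_security": True},
]

def contractual_security_coverage(contracts) -> Measure:
    """Table 1 metric as a Measure: ratio of contracts that address security."""
    if not contracts:
        raise ValueError("coverage is undefined with no contracts")
    covered = sum(1 for c in contracts if c["addresses_security"])
    return Measure("ContractualSecurityCoverage", covered / len(contracts), "ratio")

def coverage_plan(contracts, minimum_ratio: float) -> Plan:
    """Keep coverage at or above the agreed floor, otherwise open a contract review."""
    metric = Metric("ControlledCoverage", "Keep security coverage above the floor",
                    contractual_security_coverage(contracts), minimum_limit=minimum_ratio)
    return Plan("ContractSecurityReview", metric, "open contract review")

def speed_plan(distance_m: float, elapsed_s: float, low: float, high: float) -> Plan:
    """The figure's own ControlledSpeed example wired through the same three objects."""
    metric = Metric("ControlledSpeed", "Make sure the speed stays within the bounds",
                    speed(Measure("Distance", distance_m, "meter"),
                          Measure("ElapsedTime", elapsed_s, "second")),
                    minimum_limit=low, maximum_limit=high)
    return Plan("SpeedControl", metric, "trigger action")
```

With the sample data, coverage_plan(CONTRACTS, 0.9).decide() returns "open contract review" because 4 of 5 contracts (0.8) fall below the 0.9 floor, while a floor of 0.75 returns "no action".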






Considering specific cloud security metrics

As previously discussed, it is inappropriate to discuss universally prescribed metrics for cloud security until standards and definitions around these technologies and their implementation are more mature. But it is possible to consider candidate cloud security metrics that would likely prove useful to many organizations considering cloud adoption. Many of these metrics are similar to other measures of security effectiveness, as well as more general business measures. This makes sense, considering that cloud technologies neither reinvent the concept of information security nor obviate the need for organizations to manage cloud deployments as part of their business operations. Table 1 offers examples of metrics that could be applied to cloud security and may serve as a starting point for discussion.

Metric: Contractual Security Coverage
Type: Business / Legal
Description: Number or ratio of cloud-related contracts (vendor, partner, customer) that specifically address security requirements.
Utility: Can be used to determine how well security is embedded in business and legal relationships around cloud deployments.

Metric: Total Cost of Cloud Security
Type: Financial / Business
Description: Aggregate costs of implementing, managing, and improving security for a cloud implementation. Includes people, process, and technology costs.
Utility: Can be used to develop baselines for cloud security efficiency and cost effectiveness. May require new data sources (time tracking, problem resolution, TCO estimates for specific technologies, etc.).

Metric: Cloud Security Posture
Type: Technical / Operational
Description: Results from security audits and vulnerability testing indicating the overall security and risk state of a cloud architecture or implementation.
Utility: Used like other posture assessments to identify weaknesses, threats, and risks associated with a cloud infrastructure.

Metric: Cloud Security Program Capabilities Maturity
Type: Operational / Process
Description: Determines the level to which a cloud architecture or implementation is well governed and managed, through standard capabilities maturity scoring (from ad hoc management through processes of continuous improvement).
Utility: Can be used to justify formal processes around cloud security management; more mature cloud security capabilities mean more empirically verifiable contributions of security to the overall business value of the cloud.

Table 1 – Example cloud security metrics

Recommendations and conclusions

Any organization considering cloud adoption, including managing the security challenges and risks presented by the cloud, should consider how it would measure what it accomplishes. This begins by understanding why it is “doing cloud” in the first place. Measurement gives the CISO or other security stakeholders the opportunity to compete in the “marketplace of ideas” around cloud adoption that may exist in their organization.

Cloud consumers and cloud providers are likely to have different goals in offering and consuming cloud services, and thus may have different security measures in place. Therefore, in the shared control model, organizations should communicate their expectations around security measurements to their cloud provider as part of the service provider selection and contract negotiation processes. This will help ensure that both parties are utilizing measurements that can be reconciled effectively.

Utilizing established metrics frameworks for cloud security, as well as building customized measurement capabilities using tools like GQM, can lay the foundation of an effective, strategically aligned, and evidence-based cloud security program.

References

—Lee Badger, Tim Grance, Robert Patt-Corner, and Jeff Voas, 2012. “Cloud Computing Synopsis and Recommendations,” NIST Special Publication 800-146, May – publications/nistpubs/800-146/sp800-146.pdf.

—National Institute of Standards and Technology (NIST), 2013. “NIST Cloud Computing Reference Architecture Cloud Service Metrics Description,” NIST Draft Publication, April 3 – http://

—Peter Mell and Tim Grance, 2011. “The NIST Definition of Cloud Computing,” NIST Special Publication 800-45, September – pdf.

About the Authors

Dr. Lance Hayden is a Solutions Architect for Cisco Systems, responsible for IT governance, risk, and compliance services. He is the author of IT Security Metrics from McGraw-Hill. He received his PhD in Information Science from the University of Texas. He can be reached at

Dr. Ken E. Stavinoha is a Solutions Architect for Cisco Systems in the IT governance, risk, and compliance services practice and contributes to several of the NIST cloud computing public working groups. He received his PhD in Information Assurance from the University of Fairfax. He can be reached at
