
B 5.XX Cloud Management

Description

Cloud Computing refers to the dynamic provisioning, use and invoicing of IT services, based on demand, via a network. These services are only made available and used via defined technical interfaces and protocols.

The Cloud Management module aims at cloud service providers. It does not make any difference whether you offer your cloud services on an internal (private cloud) or external (public cloud) basis, or which service model (infrastructure as a service, platform as a service or software as a service) you have opted for.

The main task of cloud service providers is the cloud management, i.e. the provision, administration and operation of offered cloud services.

A cloud computing reference model covering the main aspects of cloud computing is used to describe the operating processes of cloud management. The basis of the module is the reference model (cloud reference framework) of the Internet Engineering Task Force (IETF) which is provided as a so-called internet draft during the preparation of the module.

The reference model is structured in layers for cloud services, virtualisation (virtual machines for cloud service operation) and physical components (as carriers for the virtual machines) describing their interaction. These layers are referred to as horizontal layers.

Interacting with these layers, the reference model implements cloud management as a vertical layer affecting all horizontal layers. Cloud management in particular includes security (i.e. security management and security safeguards).

The typical tasks of cloud service providers in cloud management include:

- provision of a service catalogue describing the cloud services offered;
- provisioning and de-provisioning, respectively, of cloud resources (including: virtual machines, virtual data memories, virtual networks) and cloud service profiles (defined configurations for cloud resources used to provide the services offered);
- allocation of physical and virtual resources to the cloud service users and the configuration of these resources;
- access management for cloud resources and the authentication of access;
- monitoring of provided cloud services and resources in order to comply with the stipulated quality of service;
- billing of the cloud services used (on the basis of the service catalogue) in a traceable way for the customer.


services. Useful and appropriate security requirements for the cloud management are developed to protect the provided services and underlying information, applications and systems from within the "cloud".

The module mentions concrete and detailed threats and safeguards for cloud management. Wherever cloud management overlaps with the general management of IT operation and IT services (see above), the module is restricted to the areas which are specific for cloud computing.

Security aspects in association with the original features of cloud computing are thus the focus of the cloud management module. This mainly includes the particularities of multi-tenant capabilities, the so-called orchestration (generic term for provisioning and de-provisioning) of cloud resources and the automation in the cloud administration.

The threats and safeguards of this module are mainly aimed at cloud service providers which provide private cloud services for SMEs and public authorities. The basic security recommendations are also applicable to public cloud services and hybrid cloud services (utilisation of several cloud infrastructures via standardised interfaces); whereby, for this purpose, the cloud usage module must additionally be respected.

The module covers neither security safeguards which secure the cloud service itself (please refer to the modules B 5.21 Web applications and B 5.X Web services) nor those which must be taken by cloud service customers (e.g. formulation of the contract with the cloud service provider). These are security topics of cloud computing which are specified in the cloud usage module. Nor does the module cover the securing of underlying (virtual and physical) IT systems and applications and their administration. Please refer to the corresponding modules, e.g. for virtualisation, network management and storage systems.

Threat scenarios

Cloud services have a wide range of functions and accordingly a huge number of interfaces. These interfaces are targets and starting points for manipulation attempts, in particular if the cloud services are accessible from "external" insecure networks.

On the one hand, this results in new organisational deficiencies, technical faults and human errors. On the other hand, the threats for target objects which are not cloud-related but basically required for the rendering of cloud services (i.e. threats for web applications, threats for servers, threats for physical security) must be re-evaluated, taking into account the new facts and features of cloud computing. The following typical threats (T) are assumed for cloud management as regards IT-Grundschutz.

Organisational Shortcomings

- T 2.CM.01 Incorrect provisioning and de-provisioning of cloud services
- T 2.CM.02 Missing support of the manufacturer regarding the provision of cloud services
- T 2.CM.03 Inadequate isolation and separation of cloud resources
- T 2.CM.04 Inadequate business continuity management at the cloud service provider
- T 2.CM.05 Lack of communication with the cloud service customer
- T 2.22 Lack of or insufficient evaluation of auditing data
- T 2.CM.06 Incorrect planning of cloud service profiles
- T 2.67 Incorrect administration of site and data access rights
- T 2.103 Insufficient training of employees
- T 2.137 Poor and inadequate planning when distributing patches and changes
- T 2.160 Lack of or insufficient logging

Human Error

- T 3.CM.07 Inadequate configuration of cloud services and cloud administration systems
- T 3.CM.08 Incorrect automation during cloud management
- T 3.9 Improper IT system administration
- T 3.36 Misinterpretation of events


- T 4.CM.11 Incompatibility of cloud administration and administration of cloud elements
- T 4.CM.12 Information unintentionally revealed by cloud cartography
- T 4.20 Overloaded information systems
- T 4.22 Software vulnerabilities or errors

Deliberate Acts

- T 5.CM.13 Misuse of administrator rights in the cloud management
- T 5.23 Malicious software
- T 5.28 Denial of services
- T 5.114 Misuse of Spanning Tree

Recommended Safeguards

To secure an IT system, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.

Various elements must be taken into account when mapping the cloud infrastructure in the IT-Grundschutz: physical components (hardware), virtualisation server, virtual machines (IaaS) and cloud applications (PaaS and SaaS). The following elements should be taken into account for cloud management modelling:

- Physical components (hardware): For the cloud infrastructure hardware (such as servers and connected storage systems), the appropriate basic IT modules of layer 3 must be used (e.g. B 3.101 General server or B 3.303 Storage systems and storage networks).
- Virtualisation server: Module B 3.304 Virtualisation must be applied to each virtualisation server or each group of virtualisation servers. A virtualisation server is a physical IT system (client or server) where virtual IT systems are operated. In addition to module B 3.304 Virtualisation, each relevant server or client module of layer 3 should be applied to the virtualisation servers. The Cloud Management module is modelled on the server for the administration software of the cloud infrastructure.
- Virtual machines: Virtual IT systems (virtual machines, VMs) are modelled by means of the modules from the IT-Grundschutz catalogues. VMs are basically modelled in the same way as physical IT systems, i.e. each relevant module of layers 3 and 5 is used. In practice it is often the case that many VMs are modelled. Useful VM modelling is therefore often only possible by forming suitable groups.
- Cloud applications: Cloud applications are mapped by the relevant modules of layer 5 in relation to the corresponding virtual machines. Here, modules such as B 5.7 Databases, B 5.4 Web servers or B 5.21 Web applications are modelled.

Further information regarding the modelling of virtual IT systems is provided in the safeguard S 2.CM.05 Modelling of cloud management (W).

Planning and design

A set of prevailing conditions must be observed when planning the environment for cloud computing. On the one hand, the physical and virtual IT infrastructures for efficient provisioning must be planned. Suitability, compatibility and easy administration must be taken into account when selecting components


Access paths are additional components of the cloud infrastructure. In most cases, access to cloud offers is web-based via insecure networks. These access paths must therefore be secured in the cloud management (S 5.CM.08 Protection of communication to cloud access).

Before offering cloud services, the responsible administrators must be trained for the secure operation of cloud components (S 3.CM.11 Training of the administrators of cloud infrastructures).

Operation

For the operation of cloud services, the cloud management is responsible for provisioning and de-provisioning, automation, the separation of clients and the monitoring of cloud resources.

During the operation of cloud services, the cloud management ensures the correct and efficient setting of the cloud infrastructure and services. An important part in this context is the controlled orchestration, i.e. the provisioning and de-provisioning of cloud resources (S 2.CM.19 Controlled provisioning and de-provisioning of cloud services). In this connection, the cloud components are configured and the configuration settings are regularly controlled.

Automation brings about a high degree of flexibility and operational facilitation but at the same time involves significant damage potential in case of incorrect configuration in the cloud administration software. Therefore it is necessary to provide and carry out effective controls (S 2.CM.21 Secure automation of cloud control processes).

The central requirement for cloud offers is the "separation of clients", i.e. the safe separation of users, IT systems and data of different cloud service customers. Such security safeguards for separation are set up at different levels of the IT-Grundschutz (e.g. network, storage networks, virtualisation) and therefore also implemented by means of the modules of other layers. The cloud management must ensure that the overall separation of clients works correctly and consistently for all components of the cloud infrastructure (S 4.CM.16 Consistent separation of clients of cloud services).

Since the cloud infrastructure is highly integrated and has a central cloud management, it is necessary to introduce central logs and implement module B 5.22 Logging. The specific safeguards for the logging and monitoring of cloud resources, cloud performance and the utilisation of cloud services must be observed (S 4.CM.14 Logging of events in the cloud infrastructure). On the one hand, the cloud service provider must control the utilisation and use of its resources in order to identify possible bottlenecks; on the other hand, it must provide proof of the promised performance to the cloud service customers (S 2.CM.20 Reporting and communication to the cloud service customers).

Contingency Planning

The contracts between cloud service customers and cloud service providers include agreements regarding the quality of service (availability periods, downtimes). In order to ensure this quality of service, cloud management also involves contingency planning.

The contingency planning for cloud offers includes certain virtualisation mechanisms (e.g. high availability), physical and network-based redundancies and standard data backup and restoring processes. Existing contingency planning components of the cloud service provider, also from other parts of its IT operation, may be adopted for cloud management; if necessary, cloud-specific parts must be added (S 6.CM.23 Contingency planning and regular data backup in cloud computing).

The bundle of security safeguards relating to cloud management is presented in the following.

Planning and design

- S 4.CM.01 (A) Planning of resources for cloud services
- S 4.CM.02 (A) Planning of cloud service profiles


Implementation

- S 4.CM.07 (Z) Virtual security gateways (firewalls) in clouds
- S 5.CM.08 (A) Securing the communication to the cloud access
- S 4.CM.09 (Z) Encrypted storage of cloud service customer data
- S 4.CM.10 (Z) Multi-factor authentication for cloud service user access
- S 3.CM.11 (B) Training for the administrators of cloud infrastructures
- S 5.71 (C) Intrusion detection and intrusion response systems

Operation

- S 2.CM.12 (C) Use of a highly-available firewall
- S 4.CM.13 (C) Central protection against malware in the cloud infrastructure
- S 4.CM.14 (B) Logging and monitoring of events in the cloud infrastructure
- S 4.CM.15 (A) Patch management for cloud components
- S 4.CM.16 (A) Consistent separation of clients from the cloud services
- S 2.CM.17 (A) Controlled administration of users and authorisations in cloud computing
- S 2.CM.18 (C) Secure and complete deletion of cloud service customer data
- S 2.CM.19 (A) Controlled provisioning and de-provisioning of cloud services
- S 2.CM.20 (B) Reporting and communication to the cloud service customers
- S 2.CM.21 (C) Secure automation of cloud control processes
- S 4.CM.22 (W) Introduction to cloud management
- S 2.38 (B) Division of administrator roles
- S 4.430 (A) Analysing the logged data

Contingency Planning

- S 6.CM.23 (A) Contingency planning and regular data backup in cloud computing
- S 6.CM.24 (C) Use of redundant cloud management components


T 2.CM.01 Incorrect provisioning and de-provisioning of cloud services

During the operation of cloud services, the cloud management ensures the correct and efficient configuration of the cloud infrastructure and services. An important part in this context is controlled orchestration, i.e. the provisioning and de-provisioning of cloud resources.

The compilation of cloud resources (main memory, CPU, storage, virtual networks, etc.) and their configuration (set-up of virtual machines, etc.) is the basis for the provision of cloud services. This basis is also referred to as cloud service profile. Cloud resources are thus provisioned and de-provisioned by the orchestration of cloud services.

Threats within the framework of the provisioning and de-provisioning of cloud services result from planning and conception errors. If the cloud services lack the promised properties and qualities, this is referred to as inadequate provisioning and de-provisioning. Inadequate provisioning and de-provisioning is manifested in the incorrect allocation of cloud resources and in the incorrect allocation of cloud service profiles.

Examples:

- If the required resources for the cloud service profiles are not adequately planned, the operation of the cloud infrastructure is at risk. This can be traced back to deficiencies in the requirements management. The incorrect or inadequate inclusion of cloud service requirements may result in the incorrect provision of cloud services and the associated incorrect provisioning of cloud resources.

- The implementation of provisioning processes is not checked in the components used for the provision of cloud resources (the so-called cloud element manager or, in short, the element manager). Thus, provisioning is not adequately tested.

- If cloud resources are incorrectly prioritised, the cloud infrastructure is overloaded during "peak times", e.g. for end-of-month accounts.

- Virtual systems for cloud services are equipped with sufficient memory and CPU, however the external connection to cloud service customers is not adequately dimensioned.

T 2.CM.02 Missing support of the manufacturer regarding the provision of cloud services

Only rarely do cloud service providers take the responsibility for all cloud applications, products or platforms or develop them autonomously. A more frequent constellation is that cloud service providers provide third-party applications or products in the cloud, or base their cloud services on third-party products. The utilisation of third-party products and solutions involves the risk for cloud service providers that the cloud services offered are affected by the dependency on third-party components or products.

This can result in various risk scenarios for the cloud services which can arise in association with missing manufacturer support (i.e. support of third parties involved).

Incorrect security settings carried out by third-party manufacturers

The cloud service provider carries out all required configurations for cloud services based on the applications of third-party manufacturers. The configurations of third-party applications are associated with security settings. This creates the risk that third-party manufacturers do not refer to the required security configurations, or do not adequately support the cloud service provider in the implementation of security settings.

If only third-party manufacturers are allowed to make security settings due to reasons of warranty, the cloud service provider risks the incorrect configuration by the third-party manufacturer. This is, for example, the case if the cloud service provider buys an application with security-relevant configurations (such as the selection of an adequately secure encryption algorithm) which are only possible with the support of the software manufacturer.

Restricted compatibility of third-party cloud components used

It might be that cloud services which are based on third-party applications are not compatible with the basic cloud infrastructure. In many cases, the manufacturer enables applications for a certain combination of operating systems and hardware platforms. A cloud application, for example, may be enabled by a third-party manufacturer only for a certain version of the Windows operating system, and the manufacturer will only provide support if these compatibility standards are complied with. This creates the risk that in


and operations in the cloud management for the distribution of cloud services. This makes the cloud configuration management process more prone to errors.

T 2.CM.03 Inadequate isolation and separation of cloud resources

The provision of cloud services for different cloud service customers (clients) from a common and distributed cloud infrastructure is a main feature of cloud computing. The commonly used cloud infrastructure creates the risk that one cloud client has unauthorised access to or view of the information of other clients.

The unauthorised reading of information, the deletion of data or the unintended or wilful manipulation of data may cause damage for cloud service providers or cloud service customers.

Examples:

- The incorrect planning and configuration of different components of the cloud infrastructure may be the reason for inadequate isolation.
- The separately used storage resources in the memory may be inadequately separated, which creates a risk for the consistent isolation of the cloud.
- Inadequate isolation may occur if services are commonly operated on one virtual machine, or if shared storage areas are used.
- The inadequate isolation of cloud resources may be caused by incorrect network separation, e.g. if shared network segments are used for different cloud clients.
- The separation of cloud resources is inadequate if cloud service customers use a shared database, and if they can read the data of other clients due to inadequate separation on database level.
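The last example above (a shared database without separation on database level) and the requirement for consistent separation of clients in the Operation section (S 4.CM.16) can be made concrete in code. The following is an added illustration, not part of the module text: a data access layer that omits the tenant filter beside one that binds the caller's tenant into every statement. The table, tenant names and rows are constructed for the demonstration; the sqlite3 module from the Python standard library stands in for the shared database.

```python
"""Added example: tenant scoping at the database level (not part of the module text).

Two cloud service customers ("clients") share one table. A data access layer
that forgets the tenant filter lets one client read the other's rows; a
hardened layer fixes the tenant at construction and binds it into every query.
All table contents below are constructed.
"""
import sqlite3


def build_shared_db() -> sqlite3.Connection:
    """Create an in-memory table holding rows of two hypothetical tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)",
        [("tenant-a", 100), ("tenant-a", 250), ("tenant-b", 999)],
    )
    conn.commit()
    return conn


def list_invoices_unscoped(conn):
    """Inadequate separation: the query never mentions the caller's tenant,
    so whichever client calls it sees every tenant's rows."""
    return conn.execute("SELECT tenant_id, amount FROM invoices").fetchall()


class TenantRepository:
    """Hardened access layer: the tenant is fixed once and bound as a
    parameter into every statement, so a cross-tenant read cannot be
    expressed through this class at all."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn = conn
        self._tenant_id = tenant_id

    def list_invoices(self, min_amount=0):
        rows = self._conn.execute(
            "SELECT tenant_id, amount FROM invoices "
            "WHERE tenant_id = ? AND amount >= ?",
            (self._tenant_id, min_amount),
        ).fetchall()
        # Defence in depth: verify the invariant before handing rows out.
        assert all(r[0] == self._tenant_id for r in rows)
        return rows

    def get_invoice(self, invoice_id):
        """Lookup by id stays scoped: an id belonging to another tenant yields None
        rather than that tenant's row."""
        return self._conn.execute(
            "SELECT tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant_id),
        ).fetchone()


def tenants_visible(rows):
    """Which tenants' data a result set exposes (the separation check)."""
    return sorted({r[0] for r in rows})


if __name__ == "__main__":
    db = build_shared_db()
    print("unscoped query exposes:", tenants_visible(list_invoices_unscoped(db)))
    print("scoped repository exposes:",
          tenants_visible(TenantRepository(db, "tenant-a").list_invoices()))
```

The point of the repository class is that the tenant id is not an argument of each query method but a property of the object, so a call site cannot forget it; a consistency test of the kind S 4.CM.16 asks for can then simply check `tenants_visible` on every result path.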

T 2.CM.04 Inadequate business continuity management at the cloud service provider

Experience shows that malfunctions and accidents, even major ones, cannot be completely ruled out for IT systems. Omissions in business continuity management will very soon have severe impacts on cloud management because many cloud resources, cloud services and cloud service customers (clients) may be affected. Inadequate business continuity management may significantly worsen the problems resulting from malfunctions and accidents in the cloud infrastructure, increase downtimes and thus increase the losses in productivity for the cloud service provider in case of emergency.

Beyond the actual emergency, inadequate business continuity management may impair the mutual trust between cloud service customer and cloud service provider which may finally result in the termination of the service agreement. Inadequate business continuity management manifests itself in inadequate coordination and an unstructured approach of the troubleshooting of arising problems.

Inadequate business continuity management can manifest itself in disaster recovery or in business continuity management or in both.

Examples:

- Missing definition of basic parameters for business continuity management, in particular of maximum tolerable outage (MTO), recovery time objective (RTO) and recovery point objective (RPO) for the cloud infrastructure or cloud services. Thus, reliable planning for an effective and proper approach in case of emergency is not possible.
- Missing, inadequate or outdated contingency plans for the cloud infrastructure or for cloud services
- Untested contingency plans for the cloud infrastructure or for cloud services

Deficiencies in contingency planning may have many different aspects as illustrated in the following typical examples:

- Responsibilities for business continuity management in the cloud infrastructure or in cloud services are not or insufficiently controlled
- Persons responsible for business continuity management in the cloud infrastructure or in cloud services are not nominated

- Communication paths for business continuity management in the cloud infrastructure or in cloud services are not defined

- No communication between the cloud service provider and the cloud service customers in case of crises

- Ways of escalations and decisions for business continuity management in the cloud infrastructure or in cloud services are not defined

- Ways of escalations and decisions for business continuity management in the cloud infrastructure or in cloud services are not observed


connection with an alternative data processing centre. This may primarily occur if there is no prioritisation or an incorrect prioritisation of cloud services for connection, or if dependencies which require a certain order were not defined or observed.

- Lacking or inadequate immediate safeguards for business continuity management in the cloud infrastructure or in cloud services

- Lacking or inadequate disaster recovery scripts for the cloud services
- The absence of cloud administrators cannot be compensated because operation instructions were not documented. This may primarily occur if administrators do everything "by heart" and do not plan that they might not be available sometimes.

- Data backup of the cloud services or the underlying infrastructure is not updated. This may primarily occur if backup cycles or storage periods are incorrectly defined or not defined at all.

- Data backup of the cloud services or the underlying infrastructure is incomplete. This may primarily occur if the successful completion of data backups carried out is not checked.

- The recovery of cloud services from the data backup was not successful. This may primarily occur if data backups failed, or if recovery fails.

- Missing, inadequate or incorrect restart plans for the cloud infrastructure or for cloud services

- Missing, inadequately or incorrectly defined prioritisation of cloud services for restart

- Missing, inadequately or incorrectly defined order for the restart of the cloud infrastructure or the cloud services
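Several of the deficiencies listed for this threat (undefined MTO/RTO/RPO, backup cycles that do not match the recovery objectives, missing prioritisation and restart order) are checkable against a service inventory. The following is an added example, not part of the module text: a small validator over a constructed inventory of hypothetical cloud services that flags inconsistent planning values and derives the restart order from the declared dependencies, reporting a cycle instead of guessing. Service names, time values and the dependency graph are all assumptions for the demonstration; `graphlib` is the Python standard library module used for the ordering.

```python
"""Added example: consistency checks on contingency-planning parameters and
derivation of a restart order (not part of the module text). The inventory
below is constructed; all values are in minutes.
"""
from graphlib import TopologicalSorter, CycleError  # standard library, Python 3.9+

# Hypothetical services with MTO / RTO / RPO, the configured backup interval,
# and the services each one needs to be back before it can restart.
SERVICES = {
    "storage":     {"mto": 240, "rto": 60,  "rpo": 15, "backup_interval": 15,  "depends_on": []},
    "identity":    {"mto": 120, "rto": 30,  "rpo": 60, "backup_interval": 240, "depends_on": ["storage"]},
    "vm-platform": {"mto": 180, "rto": 120, "rpo": 60, "backup_interval": 60,  "depends_on": ["storage", "identity"]},
    "web-app":     {"mto": 60,  "rto": 90,  "rpo": 30, "backup_interval": 30,  "depends_on": ["vm-platform"]},
}


def check_parameters(services):
    """Return (service, finding) pairs for planning values that contradict each other:
    - RTO above MTO: the recovery target is unreachable by definition;
    - backup interval above RPO: more data than tolerated can be lost;
    - a dependency with a larger RTO than the dependent service: the service
      cannot be back before the thing it restarts on top of."""
    findings = []
    for name, s in services.items():
        if s["rto"] > s["mto"]:
            findings.append((name, "RTO exceeds MTO"))
        if s["backup_interval"] > s["rpo"]:
            findings.append((name, "backup interval exceeds RPO"))
        for dep in s["depends_on"]:
            if services[dep]["rto"] > s["rto"]:
                findings.append((name, f"depends on {dep} whose RTO is larger"))
    return findings


def restart_order(services):
    """Derive the restart sequence from the dependency graph. A cycle means the
    plan's order is undefined; that is reported rather than silently resolved."""
    sorter = TopologicalSorter({name: set(s["depends_on"]) for name, s in services.items()})
    try:
        return list(sorter.static_order())
    except CycleError as exc:
        raise ValueError(f"restart order undefined, dependency cycle: {exc.args[1]}")


if __name__ == "__main__":
    for service, finding in check_parameters(SERVICES):
        print(f"{service}: {finding}")
    print("restart order:", " -> ".join(restart_order(SERVICES)))
```

Run against the constructed inventory, the validator reports that "identity" is backed up far less often than its RPO allows and depends on a service that recovers more slowly than itself, and that "web-app" has an RTO above its own MTO. The restart order is the dependency order, which is what the last three list items above ask to have defined and observed.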

T 2.CM.05 Lack of communication with the cloud service customer

The use of cloud services requires the comprehensive communication between cloud service provider and cloud service customer. Due to the fact that the cloud service customer receives external services and that associated security management activities might be outsourced, a close coordination between both parties is necessary.

A lack of communication with the cloud service customer may occur in different phases and processes which may have various negative impacts. This is illustrated in the following examples.

Examples:

- Lack of communication during planning and commissioning: Lack of communication and agreement between the participating parties may have extensive negative impacts on performance, in particular during the planning and commissioning of the cloud services. Not communicating and considering various requirements during this phase will result in different problems with the services to be provided. This may result in considerable additional costs on both sides, for example due to contractual modifications, additional security safeguards, additional audits or possibly even legal consequences.
- Lack of communication regarding compliance with the service level: If it is not possible to provide the cloud service customer with proof of the service level due to a lack of communication or undefined communication interfaces, it is not possible to provide doubt-free proof of the correct performance in case of disagreements, which in turn will endanger correct billing.
- Inadequate or not communicated parameters regarding the service level could mean that the cloud service provider will exceed or not fulfil the agreed requirements unnoticed. Thus, inefficient resource allocation may remain unnoticed by the cloud service customer and the cloud service provider.
- Lack of communication in security incident management: Interfaces might be unknown or contact persons cannot be contacted outside office hours due to a lack of communication within the framework of fault management or security incident management. This may result in significant delays in the processing of malfunctions and incidents.

T 2.22 Lack of or insufficient evaluation of auditing data

Functionalities designed to log certain events regarding their chronology are integrated into many IT systems and applications. This way, large amounts of auditing data are often generated in an information system the evaluation of which is complex and very time-consuming. However, reasonably evaluating this auditing data is necessary in order to be able to perform error analyses and to identify attempted attacks.

A variety of logging concepts will be used during the life cycle of an IT system. For example, comprehensive logs are created during the development phase in order to facilitate problem analysis in the event of errors.

In the implementation phase, logs are used to optimise the performance of the IT system in the production environment or to examine the effectiveness of the security concept in actual practice for the first time, amongst other things. In the production phase, logs are mainly used in order to ensure proper operation. Auditing data is then used to subsequently identify security violations within the IT system or attempted attacks, amongst other things. Logging can also be used to determine who the perpetrator was and can serve as a deterrent to potential attackers as a consequence. Regular evaluation of the auditing data allows for use of the data for preventive measures such as an early warning system, whereby deliberate attacks to an IT system may be detected or defeated prematurely.

Central logging

If auditing data is evaluated at a central location, it is possible that important information is overlooked and attacks are not detected due to the large amount of data, for example. For this reason, there are systems supporting the administrator in evaluating the auditing data or even automatically evaluating the data. Depending on the product, the information of the different data sources can be combined and processed to become one log report. However, there is the risk that the auditing data possibly can no longer be traced back to their original data source so that it cannot be instantly seen where the event initially occurred.

Improperly configured filter functions of the evaluation tools may cause further evaluation issues. This may result in auditing data required for failure detection, troubleshooting, or early warning not being evaluated.
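The two risks described under "Central logging" (events that can no longer be traced to their source once combined, and an evaluation filter that discards the data an early warning needs) can both be shown on a few log lines. The following is an added example, not part of the module text: a central evaluation that parses records from two hypothetical hosts, keeps the originating host on every event, counts repeated authentication failures across hosts, and shows how a severity filter set too high removes exactly those events before the rule ever sees them. The line format "host|timestamp|severity|message", the host names, addresses and messages are all constructed for the demonstration.

```python
"""Added example: central evaluation of auditing data that preserves the
source of each event (not part of the module text). Log lines and their
format are constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed records as they might arrive at a central log server from two
# hypothetical hosts of a cloud infrastructure.
RAW_LINES = [
    "vm-host-01|2021-03-02T10:00:01|notice|auth failure for user admin from 203.0.113.7",
    "vm-host-01|2021-03-02T10:00:04|notice|auth failure for user admin from 203.0.113.7",
    "api-gw-02|2021-03-02T10:00:05|notice|auth failure for user admin from 203.0.113.7",
    "vm-host-01|2021-03-02T10:00:09|notice|auth failure for user admin from 203.0.113.7",
    "api-gw-02|2021-03-02T10:00:12|error|disk /dev/sdb1 at 97% capacity",
    "api-gw-02|2021-03-02T10:00:15|info|session opened for user operator",
]

LINE_RE = re.compile(r"^(?P<source>[^|]+)\|(?P<ts>[^|]+)\|(?P<severity>[^|]+)\|(?P<msg>.*)$")
FAIL_RE = re.compile(r"auth failure for user (?P<user>\S+) from (?P<addr>\S+)")
SEVERITY_ORDER = {"info": 0, "notice": 1, "error": 2}


@dataclass(frozen=True)
class Event:
    source: str      # kept on every record so a finding can be traced back
    ts: datetime
    severity: str
    msg: str


def parse(lines):
    """Normalise raw lines into events; malformed lines are skipped, not merged."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append(Event(m["source"], datetime.fromisoformat(m["ts"]),
                            m["severity"], m["msg"]))
    return events


def apply_filter(events, min_severity):
    """Evaluation filter keeping events at or above min_severity. Setting it to
    'error' is the misconfiguration the threat describes: the authentication
    failures, logged at 'notice', vanish before any rule runs."""
    floor = SEVERITY_ORDER[min_severity]
    return [e for e in events if SEVERITY_ORDER[e.severity] >= floor]


def repeated_auth_failures(events, threshold=3):
    """Early-warning rule: failures per (user, address) across all sources.
    Each finding carries the list of sources so it stays traceable."""
    counts = Counter()
    sources = defaultdict(set)
    for e in events:
        m = FAIL_RE.search(e.msg)
        if m:
            key = (m["user"], m["addr"])
            counts[key] += 1
            sources[key].add(e.source)
    return {key: {"count": n, "sources": sorted(sources[key])}
            for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse(RAW_LINES)
    print("all events:", repeated_auth_failures(events))
    print("after 'error' filter:", repeated_auth_failures(apply_filter(events, "error")))
```

Two things are worth noting. No single host crosses the threshold on its own (three failures on one host, one on the other), so the finding only exists because the data was combined centrally; and because `source` is carried on each event, the report still names both hosts, which is the traceability the threat says is at risk when sources are merged into one report.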

T 2.CM.06 Incorrect planning of cloud service profiles

Cloud service profiles consist of a set of information defining the cloud resources (e.g. memory, CPU, storage) and their configuration for the provision of the cloud service.

If the cloud service profiles are badly planned, the promised performance of the cloud service is not possible or is inhibited. Cloud service profiles are badly planned if the configuration of the profiles or the allocated cloud resources do not allow for or inhibit the promised performance of the cloud service. The same effect is caused by cloud service profiles which are not checked.

Examples:

- Via a static path, there is a reference to a storage system in the configuration of a cloud service profile. The access to this storage area is restricted on the basis of source addresses. The reproduction of the cloud service generates another source address, and there is no more access to the cloud storage. In this example, the configuration and the data model of the cloud application are incorrect and not designed for the scalable automation of cloud services.

- Cloud service profiles are not adequately tested. As a result, the cloud services are provided incorrectly or in a quality which was not agreed.

T 2.67 Incorrect administration of site and data access rights

If the assignment of site and data access rights is controlled poorly, this may quickly result in serious security gaps, e.g. due to chaotically assigned rights. In many organisations, the administration of site and data access rights is an extremely labour-intensive task, because it is controlled poorly or the wrong tools are used. For example, this may require comprehensive "manual work", which in turn is very susceptible to error. Furthermore, this process frequently involves a host of different roles and groups of persons so that the tasks performed are also easily lost track of.

Moreover, there are organisations without any control regarding all users and their assigned rights configured on the different IT systems. This typically leads to finding accounts of users who have left the government agency and/or the company long since or who accumulated too many rights due to different activities.

If the tools for the administration of the site and data access rights were poorly chosen, they will often lack the flexibility to adapt to changes in the organisational structure or to migrations to other IT systems.

The roles of the users may have been separated improperly, which may then result in security gaps, for example by incorrectly assigning users to user groups or granting users rights that are too extensive. Users may have been assigned roles that do not correspond to their tasks (too many or too few rights) or which they should not have due to the tasks they perform (role conflicts).
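The threat above is easiest to counter when the rights actually configured on the IT systems are compared regularly with the identity directory and the role model. The following script is an added example (not part of the BSI module, and not a real product); the accounts, roles, rights and the separation-of-duties rule are all constructed. It reports accounts of people who have left, accounts without recent logins, role conflicts, rights that no assigned role explains, and accounts unknown to the directory.

```python
"""Audit of assigned rights: orphaned accounts, stale accounts, role conflicts and rights
that no assigned role explains. Added example with constructed users, roles and rules;
it is not part of the BSI module."""
from dataclasses import dataclass


@dataclass
class Account:
    user: str
    employed: bool        # still listed as an employee in the HR directory?
    roles: set
    last_login_days: int  # days since the last successful login


# Constructed role model: the rights each role is allowed to carry.
ROLE_RIGHTS = {
    "accounting_clerk": {"invoice.create"},
    "accounting_approver": {"invoice.approve"},
    "helpdesk": {"user.reset_password"},
    "domain_admin": {"user.reset_password", "user.create", "group.modify"},
}

# Constructed separation-of-duties rule: these roles must never be held together.
SOD_CONFLICTS = {frozenset({"accounting_clerk", "accounting_approver"})}


def audit(accounts, granted_rights, max_idle_days=90):
    """Compare the identity view (accounts) with the rights actually configured on the
    IT system (granted_rights: user -> set of rights). Returns {user: [finding, ...]}."""
    findings = {}
    for acc in accounts:
        issues = []
        if not acc.employed:
            issues.append("orphaned: account owner has left the organisation")
        if acc.last_login_days > max_idle_days:
            issues.append(f"stale: no login for {acc.last_login_days} days")
        # Separation of duties: a conflicting pair fully contained in the role set.
        for pair in SOD_CONFLICTS:
            if pair <= acc.roles:
                issues.append("role conflict: " + " + ".join(sorted(pair)))
        # Every right configured on the system must be explained by an assigned role.
        allowed = set().union(*(ROLE_RIGHTS.get(r, set()) for r in acc.roles))
        excess = granted_rights.get(acc.user, set()) - allowed
        if excess:
            issues.append("excess rights: " + ", ".join(sorted(excess)))
        if issues:
            findings[acc.user] = issues
    # Accounts present on the system but unknown to the identity directory.
    known = {a.user for a in accounts}
    for user in granted_rights:
        if user not in known:
            findings[user] = ["unknown account: not in identity directory"]
    return findings


# Constructed sample data.
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"accounting_clerk"}, 3),
    Account("bob", True, {"accounting_clerk", "accounting_approver"}, 10),
    Account("carol", False, {"helpdesk"}, 200),
    Account("dave", True, {"helpdesk"}, 5),
]
SAMPLE_RIGHTS = {
    "alice": {"invoice.create"},
    "bob": {"invoice.create", "invoice.approve"},
    "carol": {"user.reset_password"},
    "dave": {"user.reset_password", "group.modify"},
    "svc_old": {"user.create"},
}

if __name__ == "__main__":
    for user, issues in sorted(audit(SAMPLE_ACCOUNTS, SAMPLE_RIGHTS).items()):
        print(user, issues)
```

The comparison runs in both directions on purpose: the directory decides who should have which role, and the system's actual rights list decides whether that is what was configured. Either direction alone misses the cases described above (left-over accounts, or rights granted by hand outside the role model).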

T 2.103 Insufficient training of employees

IT users of all kinds often do not receive enough training in the operation of the IT systems they use. Unfortunately, this often also applies to administrators and those providing user support. Expensive systems and applications are frequently purchased without providing enough resources, if any at all, to train the IT users.

This may result in serious security problems in case of unintentional user errors, incorrect configurations, and unsuitable operating resources. In many cases, users will not use recently installed security programs because they do not know how to operate them and learning how to use them by themselves parallel to their daily work routine is often considered to be too time-consuming. For this reason, it is not enough by any means just to purchase and install the security software.

Examples:

- An unknown error message appeared on the screen while a user was entering data. Since clicking "OK" for error messages had never caused any damage so far, the user also selected "OK" this time. However, this time it caused the system to shut down and a loss of all data entered up until then as a consequence.

- An expensive firewall system was purchased. The administrator of another IT system was appointed to be the administrator of this firewall system. Since this person was considered indispensable and all available funds were used to purchase the system, he did not receive any training on the operation of the system platform or on the type of firewall used. Requests for external seminars were rejected due to a lack of funds, and the organisation did not even purchase any additional manuals. Two months after starting operation of the firewall system, it was discovered that internal systems were freely accessible from the Internet due to the incorrect configuration of the firewall.

- A company was preparing to migrate to a new operating system. The employee responsible for this had expert knowledge of the platform used up until then, but was not familiar with new systems being discussed and was not provided with the corresponding training either. For this reason, he visited some free events held by a manufacturer, whose products he then favoured. This resulted in a poor and costly decision to introduce an unsuitable product.

- To use the Internet during business trips, personnel firewalls were installed on the notebooks of the employees. The employees were not trained as to how to adjust the settings of the firewall to meet their needs. As a consequence, many employees then disabled the firewall so they could visit any Internet site they needed without any problems. The result was that many of the computers were infected with malware after just a few weeks. In addition to losing data, the organisation's image was also seriously damaged because e-mails containing malware were sent by the organisation to its customers.

administration systems of the cloud infrastructure. Due to a lack of time, the administrators were neither trained on the administration systems for the cloud infrastructure nor for the administration of virtual IT infrastructures. Due to a lack of knowledge necessary for the correct configuration and associated planning, the clients were not separated during the VLAN configuration and the allocation of separate storage areas. After the commissioning of the cloud services, the organisation found out that all employees had access to the cloud storage of the HR department which was not separated from the other clients.

T 2.137 Poor and inadequate planning when distributing patches and changes

To ensure that patches and changes can be distributed in the organisation within the defined period of time, the technical and personnel resources required for this purpose must be planned in the framework of the patch and change management. If no adequate resources are available, there is the risk that the distribution of changes takes more time than planned or even fails. Thus, business processes with high availability requirements might be impaired if, for example, servers or databases required for this purpose fail. Patches and changes may also be distributed in a software-based manner. If the software used for this purpose, however, cannot be adapted to the growing and ever more complex IT landscape, the distribution ultimately becomes more time-consuming. Therefore, it may no longer be possible to distribute security updates promptly.

Sometimes, the order in which patches and changes are distributed is relevant for the consistency and security of the entire system. For example, a new version of a security software program might require an operating system on which all current patches have been installed. In this case, the operating systems in the information system must be updated first, restarted if necessary, and only then can the new security software be installed. Distribution software that does not check the existing patches and changes might try to install the security software before the operating system has been updated successfully, leaving an inconsistent or even unpatched system.

If the software on IT systems is updated, it is often necessary to restart the application or the operating system afterwards. It takes some time until complex applications such as databases make their data available again following an update. During this period of time, the applications and data of the systems are not available. For systems with high availability requirements, this can have a negative impact on the organisation. This is particularly the case when the systems are not available for a longer period of time than expected due to errors during the change operation. Such failures might mean that employees or customers are impaired in carrying out their work.

Examples:

- In an organisation, a security patch is installed on a Windows server which must be restarted afterwards. During this period of time, the system is not available. Since the login process to the internal LAN runs on this server, the users cannot log in or can carry out their work only to a limited extent during this period of time. The organisation has agreed upon a high level of availability with its customers by means of Service Level Agreements and thus violates existing contracts.

- The IT department of a company installs a security patch on a Voice over IP server. When restarting the system, the configuration file of the VoIP service must still be adapted in addition to this. During this period of time, it was not possible to answer external telephone calls. The company's lack
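The ordering problem described above (security software that requires a fully patched operating system) is a dependency problem, and a distribution tool has to solve it twice: once when planning the rollout and once again before each installation step on the target. The following is an added example of both checks (not part of the BSI module and not any vendor's tool); the patch identifiers, prerequisites and installed state are constructed.

```python
"""Plan a patch rollout so that prerequisites are installed first, and refuse to install a
patch whose prerequisites are missing. Added example; patch IDs, prerequisites and the
installed state are constructed and not taken from the BSI module."""


class PatchPlanError(Exception):
    pass


def plan_rollout(patches, installed):
    """Return the IDs of the not-yet-installed patches in an order that satisfies every
    prerequisite (topological order, ties broken alphabetically).
    patches:   {patch_id: {"requires": [patch_id, ...], "reboot": bool}}
    installed: set of patch IDs already present on the target"""
    pending = {pid: set(spec["requires"]) - installed
               for pid, spec in patches.items() if pid not in installed}
    for pid, reqs in pending.items():
        unknown = reqs - set(pending)
        if unknown:
            raise PatchPlanError(
                f"{pid} requires {sorted(unknown)}, which is neither installed nor planned")
    order = []
    while pending:
        # Patches whose remaining prerequisites are all satisfied can go next.
        ready = sorted(pid for pid, reqs in pending.items() if not reqs)
        if not ready:
            raise PatchPlanError("cyclic prerequisites among " + ", ".join(sorted(pending)))
        for pid in ready:
            order.append(pid)
            del pending[pid]
        for reqs in pending.values():
            reqs.difference_update(ready)
    return order


def apply_patch(patches, installed, pid):
    """The check a distribution tool must make before each installation step: all
    prerequisites must already be present on the target. Returns the new installed set."""
    missing = set(patches[pid]["requires"]) - installed
    if missing:
        raise PatchPlanError(f"cannot install {pid}: missing prerequisites {sorted(missing)}")
    return installed | {pid}


def reboots_required(patches, order):
    """Number of restarts the rollout will cause, for planning the maintenance window."""
    return sum(1 for pid in order if patches[pid]["reboot"])


# Constructed sample: two OS patches, an AV update that needs the second OS patch, and a
# database patch that needs only the first OS patch.
SAMPLE_PATCHES = {
    "OS-2024-01": {"requires": [], "reboot": True},
    "OS-2024-02": {"requires": ["OS-2024-01"], "reboot": True},
    "AV-7.0": {"requires": ["OS-2024-02"], "reboot": False},
    "DB-5.1": {"requires": ["OS-2024-01"], "reboot": True},
}

if __name__ == "__main__":
    order = plan_rollout(SAMPLE_PATCHES, set())
    installed = set()
    for pid in order:
        installed = apply_patch(SAMPLE_PATCHES, installed, pid)
    print(order, "reboots:", reboots_required(SAMPLE_PATCHES, order))
```

The per-step check in apply_patch is the one the text says distribution software often lacks: even with a correct plan, a failed or delayed earlier step must stop later steps rather than leave the target in an inconsistent state. The reboot count feeds the downtime planning for systems with high availability requirements.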

T 2.160 Lack of or insufficient logging

Logged data can be used, for example, in order to determine whether security specifications were violated or whether attacks were attempted. Additionally, the logged information can be used for error analysis in the event of damage and for determining the causes or for integrity tests.

Within an information system, there are often IT systems and applications on which logging is not enabled in the default settings. Such systems and applications must be configured accordingly in advance. For some systems and applications, logging may not be possible at all. A lack of logging may also be the result of an inadequate logging concept.

Even if logging is used for individual systems, information and findings resulting from this may be lost, because they are not collected at a central location. In information systems without centralised logging, it is difficult to ensure that the relevant logged information of all IT systems is maintained and analysed.

If the users of the IT systems and applications are allowed to disable the logging function themselves, this may also cause problems. For example, a user may violate policies without this having any consequences for him/her. If the users are allowed to change or delete existing log files, there is the risk that security violations are not detected.

Example:

- An unauthorised user tries to guess the passwords of other users' webmail accounts. Since the same password can often be used for other services (single sign-on), this is particularly interesting for the attacker. The attack is not detected due to a lack of logging on the email server, so the attacker can guess the users' passwords unobtrusively using brute-force methods.
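The example above is only detectable if the mail server logs each authentication attempt with its result, source address and time, and if those lines are actually analysed. The following added example (not part of the BSI module) shows the analysis side: a small detector run over constructed authentication log lines in a constructed format. It raises a brute-force alert for repeated failures from one source inside a time window, a password-spray alert when one source fails against several accounts, and a review alert when a login succeeds right after such a burst.

```python
"""Detect password guessing against webmail accounts from authentication log lines.
Added example; the log format and all sample lines are constructed and are not output of
any real mail server."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO time> webmail auth <failed|ok> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) webmail auth (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(line):
    """Return the event as a dict, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, threshold=5, window=timedelta(minutes=10), spray_users=3):
    """Return a list of (alert_kind, source_ip, detail) tuples, in the order raised.
    - brute_force: >= threshold failures from one source within the window
    - password_spray: failures against >= spray_users distinct accounts from one source
    - success_after_failures: a login succeeds right after such a burst (needs review)"""
    failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    users_hit = defaultdict(set)    # src -> accounts that saw a failure from this src
    alerted = set()                 # (src, kind) pairs already reported once
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        if ev["result"] == "failed":
            recent.append(ts)
            users_hit[src].add(ev["user"])
            while recent and ts - recent[0] > window:   # slide the window
                recent.popleft()
            if len(recent) >= threshold and (src, "brute") not in alerted:
                alerted.add((src, "brute"))
                alerts.append(("brute_force", src, f"{len(recent)} failures within {window}"))
            if len(users_hit[src]) >= spray_users and (src, "spray") not in alerted:
                alerted.add((src, "spray"))
                alerts.append(("password_spray", src, f"{len(users_hit[src])} distinct users"))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", src, f"user={ev['user']}"))
    return alerts


# Constructed sample log (one line deliberately is not an auth event).
SAMPLE_LOG = """\
2024-04-14T07:13:01Z webmail auth failed user=alice src=203.0.113.7
2024-04-14T07:13:02Z webmail auth failed user=alice src=203.0.113.7
2024-04-14T07:13:03Z webmail auth failed user=alice src=203.0.113.7
2024-04-14T07:13:04Z webmail auth failed user=alice src=203.0.113.7
2024-04-14T07:13:05Z webmail auth failed user=alice src=203.0.113.7
2024-04-14T07:13:09Z webmail auth ok user=alice src=203.0.113.7
2024-04-14T07:14:00Z webmail auth failed user=bob src=198.51.100.5
2024-04-14T07:14:01Z webmail auth failed user=carol src=198.51.100.5
2024-04-14T07:14:02Z webmail auth failed user=dave src=198.51.100.5
2024-04-14T07:15:00Z webmail auth ok user=erin src=192.0.2.10
this line is not an auth event
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The detector depends on three fields being logged at all: result, source address and a usable timestamp. That is the planning point of this threat: if the mail server only logs successful logins, or logs without the source address, neither the burst nor the spray is visible, however good the analysis is. In an information system with centralised logging the same function would be fed from the collector instead of a single server's file.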

T 3.CM.07 Inadequate configuration of cloud services and cloud administration systems

Cloud administration consists of the settings of the administration systems for virtualisation and for the cloud. The multitude of cloud components to be administered makes changes, which must be implemented consistently for all systems, complex and error-prone for the administrators in cloud management. In particular, human error by persons working in cloud administration may result in inadequate configurations after incorrect entries in the administration system.

Inadequate configuration of cloud services

Due to human error, the confidentiality, integrity or availability of cloud service information might be at risk as a result of an inadequate configuration, for example the allocation of cloud resources to a cloud service or incorrectly granted authorisations.

If inaccurate cloud service profiles are used, such inadequate configurations will affect all cloud services based on these profiles.

Inadequate configurations of the cloud administration systems

Whenever cloud services are automatically configured via the cloud administration software, there is a risk that the configurations are implemented incorrectly, if at all, on each administration component (the so-called element manager) of the cloud infrastructure. This might be caused by errors in the configuration datasets to be implemented, or by incorrect transmission to, or incorrect implementation by, the element manager.

Examples:

- A virtual machine (as part of a cloud infrastructure) is allocated to the wrong security zone.

- A virtual machine (as part of a cloud infrastructure) is allocated to the wrong client.

- There is a faulty configuration in the cloud administration regarding the allocation of administration servers to virtual storage networks (so-called VSAN). As a result, there are no storage resources available for the virtual machines of the administered cloud services.

T 3.CM.08 Incorrect automation during cloud management

The properties of cloud computing solutions require the automation of routine tasks for the flexible and demand-oriented provision of resources.

Orchestration automation is an important feature of cloud computing solutions. Here, automation means the replication of cloud services on the basis of cloud service profiles.

Automation is considered as incorrect if, during the reproduction of a cloud service, the automated provision of required cloud resources (virtual machine, memory, CPU, hard disk capacity) is insufficient for the provision of the cloud service with the promised properties.

Incorrect automation may have technical causes. This is the case if the configurations for automated provisioning and de-provisioning are not implemented at the technical cloud components.

Incorrect automation may have more severe impacts than individual manual configurations.

Incorrect automation involves major damage if the use and allocation of resources via automated processes is not restricted by policies. The lack of prioritisations and limits defined for the cloud resources of each cloud service may cause resource bottlenecks or the waste of resources.

Examples:

- For each cloud service customer, 4 GB of storage space must be provided for each cloud application. By mistake, a value of 400 GB per cloud service customer is entered in the policy for the automated provision of cloud applications. If this cloud application is provided by an automated procedure, it will soon be impossible to provide storage space for many of the clients.

- During the automated provisioning of cloud resources, the configurations are forwarded to a storage administration system. However, this administration system is not available; consequently, the configuration is not implemented, and no error message is issued either.
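Both threats, the misconfiguration in T 3.CM.07 (a virtual machine in the wrong security zone or allocated to the wrong client) and the incorrect automation in T 3.CM.08 (the 400 GB typo, the silently unavailable storage administration system), have the same two mitigations in the orchestration layer: validate every provisioning request against explicit policy limits before it is sent, and treat a missing or malformed acknowledgement from the element manager as a failure. The following is an added example of such an orchestration step (not part of the BSI module and not any cloud product's code); the policy, tenants, request format and the element-manager stand-in are constructed.

```python
"""Validate an automated provisioning request against policy limits and require a positive
acknowledgement from the element manager before the resource counts as provisioned.
Added example; policy, tenants and the element-manager stub are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    tenant: str
    service: str
    zone: str
    storage_gb: int
    vcpus: int


# Constructed policy: per-service caps, a per-tenant storage quota, and the single
# security zone each tenant (client) may be placed in.
POLICY = {
    "limits": {"storage_gb_per_service": 4, "vcpus_per_service": 2, "storage_gb_per_tenant": 40},
    "tenant_zones": {"hr": "zone-hr", "sales": "zone-sales"},
}


class ProvisioningError(Exception):
    pass


def validate(req, policy, tenant_usage_gb):
    """Raise ProvisioningError for any request the policy does not allow."""
    lim = policy["limits"]
    if req.tenant not in policy["tenant_zones"]:
        raise ProvisioningError(f"unknown tenant {req.tenant}")
    if policy["tenant_zones"][req.tenant] != req.zone:
        raise ProvisioningError(f"{req.service}: zone {req.zone} not permitted for tenant {req.tenant}")
    if req.storage_gb > lim["storage_gb_per_service"]:
        raise ProvisioningError(f"{req.service}: {req.storage_gb} GB exceeds the per-service limit")
    if req.vcpus > lim["vcpus_per_service"]:
        raise ProvisioningError(f"{req.service}: {req.vcpus} vCPUs exceed the per-service limit")
    if tenant_usage_gb.get(req.tenant, 0) + req.storage_gb > lim["storage_gb_per_tenant"]:
        raise ProvisioningError(f"{req.tenant}: tenant storage quota exhausted")


class ElementManager:
    """Stand-in for a storage or network element manager. reachable=False reproduces the
    outage from the text: nothing is applied and no error is returned either."""

    def __init__(self, reachable=True):
        self.reachable = reachable
        self.applied = []

    def apply(self, req):
        if not self.reachable:
            return None          # no acknowledgement at all
        self.applied.append(req)
        return {"status": "ok", "service": req.service}


def provision(req, policy, tenant_usage_gb, manager):
    """Fail closed: the request is recorded as provisioned only if the policy check passes
    AND the element manager returns a positive acknowledgement for this very service."""
    validate(req, policy, tenant_usage_gb)
    ack = manager.apply(req)
    if not ack or ack.get("status") != "ok" or ack.get("service") != req.service:
        raise ProvisioningError(f"{req.service}: element manager did not acknowledge the configuration")
    tenant_usage_gb[req.tenant] = tenant_usage_gb.get(req.tenant, 0) + req.storage_gb
    return ack


if __name__ == "__main__":
    usage = {}
    print(provision(Request("hr", "hr-app-1", "zone-hr", 4, 2), POLICY, usage, ElementManager()))
    try:
        provision(Request("hr", "hr-app-2", "zone-hr", 400, 2), POLICY, usage, ElementManager())
    except ProvisioningError as e:
        print("rejected:", e)
```

The per-service limit catches the 400 GB entry at the first request instead of after the storage pool is exhausted; the tenant quota bounds the damage of a policy that is wrong but within the per-service limit; the zone check is the client separation from T 3.CM.07 expressed as data rather than as operator discipline; and the acknowledgement check turns the silent outage into an error that the orchestration process has to handle.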

T 3.9 Improper IT system administration

Improper IT system administration can place the security of an IT system at risk when it results in the disregarding or bypassing of security safeguards. An example of improper administration is when network access capabilities are created (or not disabled) that are not necessary for the proper operation of the IT systems or that represent a particularly serious threat due to their tendency to contain errors.

A problem frequently encountered is that the user names used to work on the IT system are granted more privileges than are absolutely necessary for the tasks at hand. If a computer becomes infected with a computer virus or a Trojan horse in this case and the user works with administrator rights, there may be wide-ranging consequences since the malware will also run with administrator rights.

Incorrectly installing new or existing software can create security problems. It is very uncommon for standard installations of operating systems or system programs to offer all the features required for a secure configuration. Improper modifications to meet the actual security requirements can pose a considerable risk in this case. The danger of configuration errors is especially serious in complex security systems such as RACF under z/OS. Many system functions have a mutual influence on each other.

Special attention must be paid to systems that, when poorly administrated, could affect the protection of other systems (e.g. routers and security gateways).

Every modification to the security settings and every extension of access rights constitutes a potential threat to the overall security.

Examples:

- When user IDs not needed any more are not deactivated, it is common for no one to take care of their privileges and contents. If an attacker is able to gain access to an unused user account, then he may be able to access internal information and applications using this account.

- Other examples of incorrect administration include the failure to use logging capabilities or to analyse existing log files, granting access rights too generously and then failing to review the access rights at regular intervals, multiple assignment of the same login name or UID, and the failure to use the security tools available, e.g. failure to use the shadow file for passwords in Unix.

- The effectiveness of a password decreases as it gets older. The reason for this is that the probability of a successful attack increases steadily over time.

- In a z/OS system, the user files were protected using RACF profiles via Universal Access so that no one was able to access them unchecked (UACC = NONE). Due to carelessness on the part of the administrator, an entry in the Conditional Access List of the profile granted READ access to all IDs (* entry). As a result, every user in the system could
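Several of the Unix examples above (multiple assignment of the same login name or UID, password hashes kept outside the shadow file, passwords that never age) can be checked mechanically from the account files. The following added example (not part of the BSI module) does so over constructed passwd and shadow contents in the standard colon-separated layout; the accounts and hashes are made up.

```python
"""Account hygiene checks over /etc/passwd- and /etc/shadow-style data: duplicate login
names, duplicate UIDs, extra UID-0 accounts, password hashes stored in passwd instead of
shadow, and passwords without a maximum age. Added example with constructed data."""
from collections import Counter


def parse_colon_file(text):
    """Split a passwd/shadow-style file into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text, max_age_days=90):
    """Return a dict of finding lists. max_age_days is the organisation's password policy."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    names = Counter(r[0] for r in passwd)
    uids = Counter(int(r[2]) for r in passwd)
    findings = {
        "duplicate_names": sorted(n for n, c in names.items() if c > 1),
        "duplicate_uids": sorted(u for u, c in uids.items() if c > 1),
        # Any second UID-0 account is a second superuser, whatever its name.
        "extra_uid0": sorted(r[0] for r in passwd if int(r[2]) == 0 and r[0] != "root"),
        # passwd is world-readable; a hash there instead of the "x" placeholder is exposed.
        "hash_in_passwd": sorted(r[0] for r in passwd if r[1] not in ("x", "*", "!", "")),
        "no_password_expiry": [],
    }
    for r in shadow:
        # shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
        max_age = r[4]
        if max_age == "" or int(max_age) > max_age_days:
            findings["no_password_expiry"].append(r[0])
    findings["no_password_expiry"].sort()
    return findings


# Constructed sample files (hashes are placeholders, not real password hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:1001:1001:Backup:/srv/backup:/bin/bash
legacy:$6$constructedsalt$constructedhash:1002:1002:Legacy:/home/legacy:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
alice:x:1003:1003:Dup:/home/alice2:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$c$c:19700:0:90:7:::
alice:$6$c$c:19700:0:90:7:::
bob:$6$c$c:19000:0:99999:7:::
backup:$6$c$c:19700:0:90:7:::
toor:$6$c$c:19700:0:90:7:::
"""

if __name__ == "__main__":
    for kind, hits in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{kind}: {hits}")
```

Two of the findings deserve a note. A duplicate UID means the kernel cannot tell the two accounts apart: files and processes of "bob" and "backup" are mutually accessible, and log entries keyed on UID are ambiguous. And a maximum age of 99999 days is the default on many systems, so the check compares against the organisation's own policy value rather than the system default.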

T 3.36 Misinterpretation of events

When using a management system, the respectively responsible system administrator is responsible for analysing and interpreting the messages of the management system in order to then initiate suitable safeguards. In general, the messages of the management system are based on monitoring mechanisms automatically searching through system logs of various types according to certain rules. In this, it is not easy to automatically detect anomalies indicating system errors in the profusion of log data generated and to then send the corresponding messages to the system administrator. In fact, errors can even remain undetected. For this reason, the incoming messages always need to be read and interpreted by the system administrator, since the messages (in case of an error) are based on the error symptoms and their (automatic) interpretation. A system administrator must also be able to recognise false alarms and incorrect error messages. If system messages are interpreted incorrectly by the administrator, then supposedly corrective countermeasures could even make the situation worse under some circumstances.

T 3.38 Errors in configuration and operation

Configuration errors arise when programme start-up parameters and options are set incorrectly or incompletely. This includes, for example, access rights that are specified incorrectly. When a user makes an operational mistake, not only individual settings may be incorrect, but the IT systems or applications may also be handled incorrectly. An example of this is starting programmes that are not necessary to fulfil the function of the computer, but can be misused by an attacker.

Examples of configuration or operator errors nowadays are storing passwords on a PC on which untested software downloaded from the Internet is run, or loading and executing malicious ActiveX controls. These programmes, which amongst other things are used to make web pages more attractive using dynamic content, are run with the same permissions as those possessed by the user. They can delete, change, or send any data desired.

Many programmes intended to be used for publishing information in an open environment without restrictions can, when configured incorrectly, provide potential attackers with data that they can then misuse. In this manner, for example, the finger service can inform an attacker of how long a user has already been sitting at a computer. Browsers also transmit a substantial amount of information to the web server (e.g. the versions of the browser and operating system used, the name(s) and the Internet address of the PC) whenever a query is issued. Cookies should also be mentioned in this context. These are files on the user’s computer in which the operators of web servers store data relating to the web user. This data can be called up the next time the server is visited and can be used by the operator of the server to analyse which web pages on the server the user has already visited.

The use of a Domain Name System (DNS) is a further source of danger. On the one hand, an incorrectly configured DNS makes it possible to query a large quantity of information relating to a local network. On the other hand, an attacker can send forged IP addresses by taking over the server, enabling the attacker to control all data traffic.

Automatically executable content in e-mails or HTML pages is another serious threat. This is referred to as a content security problem. Files downloaded from the internet can contain code that is executed simply by being viewed, without confirmation from the user. This is the case, for example, with macros in Office files, and this capability is exploited to create so-called macro viruses. Even programming languages and programming interfaces such as ActiveX, JavaScript or Java, which were developed for applications on the Internet, also have the potential to cause damage if the control function is implemented incorrectly.

In z/OS operating systems, the availability of the RACF security system is of primary importance to the availability of the entire system. The availability could be restricted through improper use of z/OS utilities when backing up the RACF database or by using the RACF commands incorrectly.

T 3.114 Incorrect administration during logging

If logging servers are administrated incorrectly and security incidents are not recognised or discovered as a consequence, the security of the entire information system may be adversely affected. Configuration and operation errors are possible causes. Such administrator errors may additionally cause a loss of confidentiality of data requiring protection.

Configuration errors include incorrectly or incompletely configured parameters and options. This may be a threshold set too high, the exceeding of which generates an alarm, or filter settings that are too tolerant. Such misconfiguration may trigger frequent false alarms, making early warning more difficult.

Operation errors in the field of centralised logging may occur if the training measures are insufficient or non-existent. This may result in the administrators misinterpreting the analysis results of logged data and therefore overlooking a security incident. Improper operation may also result in logged data being deleted or changed accidentally. Another potential risk for the overall security is entailed by modified security settings and advanced access rights for the logging system. These may be exploited by unauthorised users in order to gain access to the monitored IT systems.

Examples:

- Within an organisation, the utilisation thresholds were set too low within the early-warning system. For this reason, a false alarm is triggered even when the server is only slightly utilised. Over the course of time, the alarms are neglected more and more and ultimately disregarded completely. This results in a high security risk, because real alarms indicating that the server actually is strongly overloaded are now ignored as well. Due to the overload condition, a server fails for a longer period of time and causes huge financial damage.

- An administrator accidentally changes the time of a login event from 07:13 am to 77:13 in one of the log files by entering an incorrect command in the text editor only controlled by the keyboard. Later, this log file is required in order to demonstrate that a user logged in to his computer at 07:13 using his user name on 14 April 2009. Due to the invalid time, the entry in this log file is of no use. Since the event cannot be found in any other log file, it cannot be demonstrated that the employee was at work this day at this time.
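The second example above is lost evidence: a single edited character makes the entry unusable, and nothing on the logging server shows that the file was changed. The usual safeguard is tamper-evident storage, where each entry is chained to its predecessor with a keyed hash so that an accidental edit, a deletion or a later forgery without the key shows up at verification time. The following is an added example of such a chain (a generic construction, not part of the BSI module and not a feature of any particular logging product); the key and the log lines are constructed.

```python
"""Tamper-evident log storage: each entry is chained to its predecessor with an HMAC, and
timestamps are validated on read. Added example; the key and the log lines are constructed
and the scheme is a generic hash chain, not a feature of any particular logging product."""
import hashlib
import hmac
import re
from datetime import datetime

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
SEED = b"\x00" * 32   # chain anchor for the first entry


def valid_timestamp(line):
    """True if the line starts with a syntactically and calendar-wise valid timestamp."""
    m = TS_RE.match(line)
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return True
    except ValueError:          # e.g. hour 77
        return False


def chain_write(lines, key):
    """Return [(line, tag_hex)] with tag = HMAC-SHA256(key, previous_tag || line)."""
    prev, records = SEED, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records


def chain_verify(records, key):
    """Return (indices whose stored tag does not match their content and position,
               indices whose timestamp is invalid)."""
    prev, bad_tags, bad_ts = SEED, [], []
    for i, (line, tag_hex) in enumerate(records):
        if not valid_timestamp(line):
            bad_ts.append(i)
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag_hex):
            bad_tags.append(i)
        # Continue from the stored tag so that later entries are still checked individually.
        prev = bytes.fromhex(tag_hex)
    return bad_tags, bad_ts


# Constructed key and log lines; a real key stays off the host whose logs it protects.
KEY = b"constructed-demo-key"
SAMPLE_LINES = [
    "2009-04-14 07:10:02 sshd session opened for user bob",
    "2009-04-14 07:13:00 login user=alice host=ws-17 result=ok",
    "2009-04-14 07:20:45 sshd session closed for user bob",
]


def tampered_copy(records):
    """Reproduce the accidental edit from the example: 07:13 becomes 77:13 in entry 1."""
    edited = list(records)
    line, tag = edited[1]
    edited[1] = (line.replace("07:13:00", "77:13:00"), tag)
    return edited


if __name__ == "__main__":
    recs = chain_write(SAMPLE_LINES, KEY)
    print("intact:", chain_verify(recs, KEY))
    print("edited:", chain_verify(tampered_copy(recs), KEY))
```

Because each tag covers the previous tag as well as the line, removing an entry breaks the tag of the entry that follows it, so deletions are reported at the position of the gap. The chain only protects against changes made without the key; whoever holds the key can recompute the tags, which is why the key belongs with the central log collector or a separate verification service rather than on the administered system itself.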

T 4.CM.09 Failure of administration servers and administration software

Several virtualisation servers and, if necessary, also several servers for cloud administration are used for the cloud IT infrastructure. The failure of one administration server of the cloud does not necessarily directly affect the availability of all cloud services, because the virtualisation components continue to operate autonomously even without administration. If, however, the administration servers for the cloud fail, almost all cloud management processes will be affected directly or indirectly, such that many or all of the functions of cloud management will fail.

Modifications to the configuration are no longer possible, and automated orchestration processes are no longer available.

This failure also affects the availability of the administrative interfaces. During the period of administration server failure, the cloud administrators can neither respond to occurring problems nor integrate new cloud resources (physical and virtual) into the cloud IT infrastructure.

Example:

- If the administration server or its monitoring component delivers improper data or no data at all, the administrators can no longer adequately monitor the function of the cloud infrastructure. Resource bottlenecks in the virtual infrastructure are not identified, and the virtual infrastructure cannot be extended in a timely manner. Neither can the failure of individual cloud components be identified in due time if the monitoring component has failed. Data storage and working memory are exhausted and parts of the system environment are no longer operable.

T 4.CM.10 Unauthorised restoration of snapshots

The status of virtual machines at a certain point in time can be saved by making a snapshot. Thus it is possible to quickly save the configuration and file system of virtual machines. Moreover, the complete current memory contents are saved in the snapshot. Whenever necessary (e.g. prior to installing a patch), cloud administrators can make a snapshot and thus a backup of the system. With this snapshot, the system can be restored at any time, e.g. if a patch does not function properly.

If the wrong snapshot is restored, an old version of the system with outdated security settings or missing patches might be reinstated, which could cause vulnerabilities in the system.

It is also possible that an administrator restores snapshots without having the authorisation to do so. For instance, the administrator may restore a copy of a snapshot on an external system without authorisation, thus creating a complete mirror of the IT system in an external environment. In this external environment, he can try unnoticed to gain access to the system.

Example:

- A cloud administrator makes a snapshot of a system where a database with personal data for a HR application is operated. He copies this snapshot unnoticed to an external hard disk and later installs it on his private virtualisation platform. Then he converts the system to a bootable hard disk. By means of a restoration tool he can now start the operating system of this hard disk and reset the local administrator password of the system. Then he can start the system as administrator and assign all necessary database authorisations to himself in order to get access to the database contents.

T 4.CM.11 Incompatibility of cloud administration and administration of cloud elements

The cloud infrastructure consists of a number of cloud elements. This does not only include the physical servers (with CPU, memory and miscellaneous hardware) and virtual servers (with the virtual equivalents of the hardware of the physical server), but also the network (with network coupling elements, cabling) and storage solutions. Each of these areas has its own administration software, such as network management tools. These are also referred to as element managers. The cloud administration software usually communicates with the element managers and not directly with the corresponding components (e.g. router).

A threat caused by incorrect communication between cloud administration software and cloud elements occurs if products of different manufacturers (or of the same manufacturer) are not compatible with each other and do not support the same protocols.

The central administration software communicates with the cloud elements via interfaces in order to request the required cloud resources. Improper communication between cloud administration software and cloud elements creates the risk that the cloud elements (such as servers, networks, storage) discard the configuration or that communication fails.

The feedback regarding the implementation of configurations and the utilisation data of cloud elements to the cloud administration software is significant for the orchestration process. If the cloud elements fail to properly report these configurations and utilisation data to the cloud administration software, cloud management cannot trace whether cloud services were provisioned correctly.

Example:

- A new version of the management protocol (e.g. SNMP) is used in the communication between cloud administration software and the cloud elements, virtual router and switches. The cloud element manager of the switches, however, does not support the new version. As a consequence, communication fails.

T 4.CM.12 Information unintentionally revealed by cloud cartography

Inadequate separation, in particular in the cloud-internal network structure, can be identified by attackers by means of cloud cartography.

Cloud cartography is a scheme for identifying the physical location of the web servers for cloud applications provided by the cloud service provider. It aims at "mapping" the infrastructure of the cloud service provider in order to identify the location where a certain virtual machine is operated. If cloud cartography succeeds, the attacker obtains a detailed picture of the network structure at the cloud service provider from the information gained from accessible cloud elements. This information may be the basis for further attacks.

The basic layout of the network can be identified by queries both from outside and inside the cloud: public IP address ranges are identified with WHOIS queries. Tools for downloading web contents reveal on which servers the HTTP service is operating; private IP addresses and, where applicable, host names can be identified via cloud-internal DNS queries. A beneficial result for attackers might be that they are able to map the geographic areas of availability and the leasable virtual performance levels of the cloud services and the associated virtual machines to the internal IP address ranges. Under certain circumstances, the static allocation of virtual instances to physical cloud resources might lead to prioritised targets of attack. By means of different procedures, attackers can find out whether a virtual instance which they started in the cloud is adjoining an external virtual instance, i.e. operating on the same physical machine. Thus, the external virtual instance might become a possible target of attack. Resources can also be overloaded deliberately when somebody generates an intensive demand for an operating resource, provoking an intensive and permanent disturbance of the operating resource, see also T 5.28 Denial of

T 4.20 Overloaded information systems

If information or communication systems such as hardware, software, or networks are dimensioned insufficiently, there will come a point when they no longer meet the requirements of the users. Depending on the type of affected systems, this may have numerous adverse effects.

Information systems may be overloaded by

- existing storage disk space capacities being exceeded, for example when the mailbox is overcrowded during longer absence of the owner,

- a system being overused by numerous simultaneous queries overloading the processors,

- the applications requiring too much computational power, e.g. if the processor output is insufficient for intensive graphics applications,

- sending a large number of messages at the same time as a newsletter.

As a possible consequence, IT systems or services may be temporarily unavailable or data may be lost.

Each storage medium can only store a limited amount of data. When this limit is reached, data may be lost or services are no longer available, for example:

- users can no longer save data,

- incoming emails are rejected and no emails can be sent,

- incoming and possibly outgoing faxes are interrupted,

- the logging function is disabled and/or protocol data not yet analysed is overwritten, or

- documents can no longer be archived electronically.

The capacity of a storage medium can be exhausted suddenly for various reasons, e.g. errors in application programs, growing storage needs of the users, or a targeted attack that deliberately consumes the remaining disk space in order to suppress logging. Electronic archiving in particular produces large volumes of data: on the one hand because of the sheer number of documents that have to be archived for certain files, on the other because every newly created version of a document is stored again under a new version number. Resources can also be overloaded deliberately, when someone generates intensive demand for an operating resource and thereby provokes a severe and persistent disruption of it, see also T 5.28 Denial of services.
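The failure mode this threat describes, a volume filling up until logging stops, is easier to catch from the trend than from a single free-space threshold. The following is an added example, not part of the BSI text: it projects time-to-full from periodic free-space samples of a log volume and compares the latest consumption rate with the preceding baseline. The sample values, the volume size, the rotation interval and the verdict rules (fill-up before the next rotation is critical, a sudden jump in consumption is a warning) are all constructed assumptions that a real monitoring policy would tune.

```python
"""Projected exhaustion of a log volume from free-space samples (added example, not BSI text)."""
from datetime import datetime

GiB = 1024 ** 3
MiB = 1024 ** 2

# Constructed samples: (ISO timestamp, free bytes on the log volume), one every
# 15 minutes. Four quiet intervals, then one in which almost 2 GiB vanish: the
# shape of a deliberate fill meant to push the logger into "no space left".
SAMPLES = [
    ("2021-03-01T10:00:00", 8 * GiB),
    ("2021-03-01T10:15:00", 8 * GiB - 30 * MiB),
    ("2021-03-01T10:30:00", 8 * GiB - 60 * MiB),
    ("2021-03-01T10:45:00", 8 * GiB - 90 * MiB),
    ("2021-03-01T11:00:00", 8 * GiB - 120 * MiB),
    ("2021-03-01T11:15:00", 8 * GiB - 2 * GiB),
]


def _points(samples):
    return [(datetime.fromisoformat(t).timestamp(), free) for t, free in samples]


def consumption_rate(samples, intervals=1):
    """Bytes consumed per second over the most recent `intervals` sampling
    intervals (positive means the volume is filling)."""
    pts = _points(samples)[-(intervals + 1):]
    (t0, f0), (t1, f1) = pts[0], pts[-1]
    return (f0 - f1) / (t1 - t0)


def seconds_to_full(samples, intervals=1):
    """Time until free space reaches zero at the most recent consumption rate."""
    rate = consumption_rate(samples, intervals)
    if rate <= 0:
        return float("inf")
    return samples[-1][1] / rate


def assess(samples, rotation_interval_s=24 * 3600, spike_factor=10.0,
           baseline_intervals=4):
    """Compare the latest interval with the preceding baseline and decide
    whether the log volume will survive until the next rotation."""
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    latest = consumption_rate(samples, 1)
    baseline = consumption_rate(samples[:-1],
                                min(baseline_intervals, len(samples) - 2))
    ttf = seconds_to_full(samples)
    ratio = latest / baseline if baseline > 0 else float("inf")
    if ttf < rotation_interval_s:
        verdict = "critical"   # logging stops before rotation frees space
    elif ratio >= spike_factor:
        verdict = "warning"    # not yet fatal, but consumption jumped
    else:
        verdict = "ok"
    return {"latest_rate": latest, "baseline_rate": baseline,
            "ratio": ratio, "seconds_to_full": ttf, "verdict": verdict}


if __name__ == "__main__":
    r = assess(SAMPLES)
    print(f"{r['verdict']}: {r['latest_rate'] / MiB:.2f} MiB/s now vs "
          f"{r['baseline_rate'] / MiB:.3f} MiB/s baseline, "
          f"full in {r['seconds_to_full'] / 60:.0f} min")
```

On the constructed samples the first five intervals project more than two days of headroom, while the last interval projects exhaustion in under an hour; a plain "alert at 10% free" rule would still be silent at that point, since 6 GiB of the assumed 20 GiB volume are free.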

T 4.22 Software vulnerabilities or errors

The following applies to every piece of software: the more complex it is, the more programming errors it will contain. Software vulnerabilities are understood to be unintentional programming errors that are not yet known to the user and that constitute a security risk for the IT system. New vulnerabilities are constantly being found in existing software, in widely used and in brand-new software alike.

Software errors or vulnerabilities can have many causes, for example communication problems between customers and developers, insufficiently trained programmers, or inadequate testing. Excessive user expectations combined with tight release deadlines for standard software can also lead manufacturers to ship a product before it is mature and while it still contains errors.

If software errors go undetected, the consequences of using that software can be serious. In the case of widely used standard software, vulnerabilities can rapidly turn into serious security problems world-wide, for every type of institution.

Examples:

- A software error in the RACF security software of the z/OS operating system can mean that not only does RACF cease to operate, but the entire system no longer functions properly and has to be restarted.

- Users often overestimate the strength of the security functions implemented in standard software (such as passwords or encryption algorithms). In many cases these functions cannot withstand a sustained attack by someone with the right knowledge. This applies, for example, to the encryption functions built into a number of word processors; numerous tools available on the Internet defeat the encryption offered by almost all word processors.

- It has been shown that the appearance of a certain word while running the spelling check in a certain word processing program will always cause the program to crash.

- Standard software often contains undocumented functions such as “Easter eggs” or “gag screens” that the product's developers program in to leave their own mark. These consume additional IT resources and at the same time make it clear that the full


for the entry and executed. These commands can be from any type of programme.

- Many security advisories have also concerned denial-of-service (DoS) attacks in which errors in individual routines that process network data can bring down the entire computer.
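The last example above, a network-data processing routine that a crafted message can take down, as an added illustration that is not part of the BSI catalogue: a naive parser that trusts the length and count fields in a message beside a hardened version that checks every field against what is actually in the buffer, both run through the same dispatch loop of a hypothetical service. The record format (a 32-bit big-endian record count followed by 16-bit length-prefixed records), the limits and the sample messages are constructed for this example.

```python
"""Naive vs. hardened parsing of attacker-supplied network data (added example, not BSI text)."""
import struct

MAX_RECORDS = 1024        # assumed protocol limits for the hardened parser
MAX_RECORD_LEN = 4096


class MalformedMessage(ValueError):
    """Raised by the hardened parser; the dispatch loop counts it as a rejected message."""


def encode(records):
    """Build a well-formed message from a list of byte strings."""
    out = struct.pack(">I", len(records))
    for rec in records:
        out += struct.pack(">H", len(rec)) + rec
    return out


def parse_naive(buf):
    """Trusts every field: a truncated message makes struct raise on the missing
    header bytes, and the count field sizes an allocation the sender controls.
    Either exception escapes into the caller. Never feed this HUGE_COUNT below:
    the allocation line alone would try to reserve roughly 32 GB."""
    count = struct.unpack_from(">I", buf, 0)[0]
    records = [None] * count                              # attacker-chosen size
    off = 4
    for i in range(count):
        length = struct.unpack_from(">H", buf, off)[0]    # struct.error if cut off
        records[i] = bytes(buf[off + 2:off + 2 + length])
        off += 2 + length
    return records


def parse_hardened(buf):
    """Bounds the count before allocating, checks every length against the
    bytes actually present before reading, and rejects trailing data."""
    if len(buf) < 4:
        raise MalformedMessage("short header")
    count = struct.unpack_from(">I", buf, 0)[0]
    if count > MAX_RECORDS:
        raise MalformedMessage(f"record count {count} exceeds {MAX_RECORDS}")
    records, off = [], 4
    for _ in range(count):
        if len(buf) - off < 2:
            raise MalformedMessage("truncated record header")
        length = struct.unpack_from(">H", buf, off)[0]
        if length > MAX_RECORD_LEN:
            raise MalformedMessage(f"record length {length} exceeds {MAX_RECORD_LEN}")
        if len(buf) - off - 2 < length:
            raise MalformedMessage("truncated record body")
        records.append(bytes(buf[off + 2:off + 2 + length]))
        off += 2 + length
    if off != len(buf):
        raise MalformedMessage("trailing bytes after last record")
    return records


def serve(messages, parser):
    """Dispatch loop of a hypothetical service: returns (accepted, rejected).
    Only MalformedMessage is caught, so with parse_naive the second message
    kills the whole loop instead of being counted as rejected."""
    accepted = rejected = 0
    for msg in messages:
        try:
            parser(msg)
            accepted += 1
        except MalformedMessage:
            rejected += 1
    return accepted, rejected


# Constructed traffic: one good message, one cut off inside a record header,
# one that declares about four billion records in a five-byte message.
GOOD = encode([b"hello", b"world"])
TRUNCATED = GOOD[:12]
HUGE_COUNT = struct.pack(">I", 0xFFFFFFFF) + b"\x00"
MESSAGES = [GOOD, TRUNCATED, HUGE_COUNT]

if __name__ == "__main__":
    print("hardened loop:", serve(MESSAGES, parse_hardened))   # (1, 2)
    try:
        serve(MESSAGES, parse_naive)
    except struct.error as exc:
        print("naive loop died on message 2:", exc)
```

The two parsers read the same well-formed message identically; the difference is only visible on malformed input, which is why a test suite for such a routine has to include truncated, oversized and trailing-byte messages rather than just valid ones.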
