Security_Compliance_Challenges_On_Clouds.pdf

CTICon-2013
Proceedings of the
International Conference on
“Diversifying Trends in
Technology & Management”
Organized by:
CYBER TIMES
Sponsored by:
SEDULITY SOLUTIONS & TECHNOLOGIES
Technically Co-Sponsored by:
CSI Region-I & Division-I

Cyber Times International Journal of
Technology & Management
Vol. 6, Issue 1, October 2012 – March 2013
ISSN: 2278-7518
EDITOR-IN-CHIEF
Dr. Anup Girdhar
EDITORIAL ADVISORY BOARD
Dr. Sushila Madan
Dr. A.K. Saini
Mr. Mukul Girdhar
EXECUTIVE EDITORS
Ms. Kanika Trehan
Mr. Rakesh Laxman Patil
CSI ADVISORY BOARD
Prof. S. V. Raghavan, President, CSI
Mr. H. R. Mohan, Vice President, CSI
Mr. S. Ramanathan, Hony. Secretary, CSI
Mr. Ranga Rajagopal, Hony. Treasurer, CSI
Mr. Satish Babu, Immediate Past President, CSI
Mr. R. K. Vyas, Regional Vice President, Region-I, CSI
Prof. M.N. Hoda, Chairman, Division-I, CSI

“Cyber Times International Journal of Technology & Management”. All rights reserved. No
part of this journal may be reproduced, republished, stored, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior
permission of the publisher in writing. Any person who does any unauthorized act in relation
to this journal publication may be liable to criminal prosecution and civil claims for damages.
Editorial Office & Administrative Address:
The Editor,
310 Suneja Tower-II,
District Centre, Janak Puri,
New Delhi-110058.
ISSN: 2278-7518
Phone: 011-25595729, +91-9312903095
Website: http://journal.cybertimes.in
Email: editor@cybertimes.in
Disclaimer: Views and information expressed in the Research Papers or Articles are those of
the respective authors. “Cyber Times International Journal of Technology & Management”,
its Editorial Board, Editor and Publisher (Cyber Times) disclaim the Responsibility and
Liability for any statement of fact or option made by the contributors. The content of the
papers are written by their respective authors. The originality and authenticity of the papers
and the explanation of information and views expressed therein are the sole responsibility of
the authors. However, effort is made to acknowledge source material relied upon or referred
to, however; “Cyber Times International Journal of Technology & Management” does not
accept any responsibility for any unintentional mistakes & errors.
Cyber Times International Journal of Technology & Management, Bi-Annually, Vol.6, Issue 1, has been
Published, Printed and Edited by Dr. Anup Girdhar, on behalf of Cyber Times, at 310 Suneja Tower-II, District
Centre, Janak Puri, New Delhi-110058.

From the Editor’s Desk
At the outset, I take this opportunity to thank all the contributors and readers for making
“Cyber Times – International Journal of Technology & Management” an outstanding
success.
The response that we have received from the Researchers, Authors, Academicians, Law-
Enforcement Agencies and Industry Professionals for sending their Research Papers/ Articles
for publication is duly acknowledged across the globe.
We are pleased to present the Volume 6, Issue 1, of “Cyber Times International Journal of
Technology & Management” which include two parts where Part-1 is for the area of
‘Technology’ and Part-2 is for the area of ‘Management’.
Part-1: Technology
Cloud Computing, Artificial Intelligence, Wireless Networks, Cyber Security and Network
Attacks, Penetration Testing, Cyber Laws, Cyber Crime Investigation, Data Mining,
Databases, Mobile Commerce, Software Testing, etc.
Part-2: Management
Management Strategies, Human Resources, Business Intelligence, Global Retail Industry,
Business Process Outsourcing, Indian Economy, Performance Management, Risk
Management, International Business, etc.
I am sure that this issue will generate immense interest amongst the Readers in different
aspects of Technology & Management.
We look forward to receive your valuable and future contributions to make this journal a joint
endeavor.
With Warm Regards,
Editor-in-Chief
Dr. ANUP GIRDHAR

General Information
“Cyber Times International Journal of Technology & Management” is published bi-
annually. All editorial and administrative correspondence for publication should be
addressed to The Editor, Cyber Times.
The Abstracts received for the final publication are screened by the Evaluation
Committee for approval and only the selected Papers/ Abstracts will be published in
each edition. Further information is available in the “Guidelines for paper
Submission” section.
Annual Subscription details for obtaining the journal are provided separately and the
interested persons may avail the same accordingly after filling the Annual
subscription form.
This journal is meant for education, reference and learning purposes. The author(s) of
this of the book has/have taken all reasonable care to ensure that the contents of the
book do not violate any existing copyright or other intellectual property rights of any
person/ company/ institution in any manner whatsoever. In the event the author(s)
has/have been unable to track any source and if any copyright has been inadvertently
infringed, please notify the publisher in writing for the corrective action.
Copyright © “Cyber Times International Journal of Technology & Management”. All
rights reserved. No part of this journal may be reproduced, republished, stored, or
transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior permission of the publisher in writing. Any
person who does any unauthorized act in relation to this journal publication may be
liable to criminal prosecution and civil claims for damages.
Other Publications:
• Cyber Times Newspaper (English) – RNI No: DELENG/2008/25470
• Cyber Times Newspaper (Hindi) – RNI No. DELHIN/1999/00462
Printed & Published by: Cyber Times
310 Suneja Tower-II, District Centre,
Janak Puri, New Delhi-110058

Editorial Advisory Board Members
Name Designation, Organization/ University Country
Dr. Sushila Madan Associate Professor, Delhi University India
Dr. A. K. Saini Professor, GGS IP University India
Mr. J. R. Ahuja Former Consultant, AICTE India
Mr. Mukul Girdhar Vice President, Sedulity Solutions India
Mr. Geetesh Madan Q.A. Consultant with Tesco Bank, Newcastle UK
Dr. Deepak Shikarpur Chairman Board of Studies, Pune University India
Dr. B. B. Ahuja Deputy Director,COE Pune India
Prof. M. N. Hoda Director, Bharati Vidyapeeth's (BVICAM) India
Dr. S. C. Gupta Director, NIEC, GGS IP University India
Dr. S. K. Gupta Professor, IIT Delhi India
Dr. K. V. Arya Associate Professor, IIITM, Gwalior India
BRIG. Dr. S.S. Narula Director, Gitarattan International Bussiness School India
Dr. Sarika Sharma Director, JSPM'S ENIAC Institute of CA, Pune India
Dr. S.K.M. Bhagat Prof. & Head, MIT Academy of Engg., Pune India
Dr. Jack Ajowi Jaramogi Oginga Odinga University of Sci. & Tech. Kenya
Dr. Srinivas Sampalli Professor, Dalhousie University, Halifax Canada
Dr. Ijaz A. Qureshi V.P. Academic Affairs, JFK Inst. of Tech. and Mgmt. Pakistan
Aryya Bhattacharyya Director, CIP, Columbus State University US
Dr. M. M. Schiraldi Assistant Professor, 'Tor Vergata' University of Rome Italy
Executive Editorial Advisory Board Members
Name Designation, Organization/ University Country
Ms. Kanika Trehan Editor - Cyber Times, New Delhi India
Mr. Rakesh Laxman Patil Editor - Cyber Times, Pune India
Adv. Tushar Kale Cyber Lawyer, Pune India
Adv. Neeraj Aarora Cyber Lawyer, New Delhi India
Mr. Sanjeev Sehgal HOD, SJP Polytech, Damla, Haryana India
Mr. Rajinder Kumar Bajaj GM, Satake India Engg. Pvt. Ltd., (Japan) India
Dr. B. M. Patil Associate Professor MIT, Pune India
Dr. R. K. Sharma Professor, Bharati Vidyapeeth,(BVIMR), N. Delhi India
Dr. Rajesh S. Prasad Professor, DCOER, Pune University India
Dr. Binod Kumar Associate Professor, MIT Academy of Engg, Pune India
Dr. Vimal Mishra Head, UPTE, UP India
Dr. V.N. Wadekar Prof. & Head, MIT college of Engg. CMSR, Pune India
Dr. M.D. Goudar Associate Prof. & Head, Pune University India
Dr. Mohd. Rizwan Alam Sr. Lecturer, Amity University Dubai
Dr. Y.P. Singh Director, KLSIET, UP India

Cyber Times International Journal of Technology & Management
Vol.6 Issue 1, October 2012 – March 2013
PART-I
TECHNOLOGY
CONTENTS
SECTION-I
Research Papers
1. Symbiotic Association Between Cyber Security and Website Testing 01
Rajiv Chopra & Dr. Sushila Madan
2. Hybrid Approach of Face Recognition 06
B. Mohd. Jabarullah, Sandeep Saxena, Dr. C N Kennedy Babu & Dr. Mansaf Alam
3. An Improved and Scalable Digital Image Encryption Method Based 13
on One-Dimensional Random Scrambling
Madhu Rohini V, Balaji Venkatesh, A. Bhavana, N. Ravi Shankar & M. Seshu Kumar
4. Key Compromise Resilient Privacy Provisioning in Vertically Partitioned Data 18
S KumaraSwamy, Manjula S H, K R Venugopal, Iyengar S S & L M Patnaik
5. Security Against Keyloggers Using Pattern Based Locking Systems 30
Purnesh Tripathi
6. Two Factor Based Authentication Using Keystroke Biometrics 35
Shaveta Tatwani, Neeru Dubey, Nitya Vij, Tanvi Jain & Priyanka
7. Social Networking and Media: Current Applications and Considerations 42
Ishita Khar & Dr. Sharmishtha Bhattacharjee
8. Cloud Computing- A Breakthrough In The Obsolete Methods of Computing 48
Mr. Shahnawaz Sarwar & Miss Aiman Zubair
9. A Comprehensive Approach of Wireless Data Glove Using Gesture 53
Recognition Technique towards Development of a Supporting System
for Aged And Disabled People
Prof. Shantanu A. Lohi, Prof. Harish Gorewar, Prof. R. N. Jogekar
& Prof. Sandeep S. Ganorkar
10. Experimental Analysis of Stabilizing B.C. Soil with Murrum and Rice 63
Husk Ash
B D Ramteke & Neetu B Ramteke

11. Analytical Study of Attacks on Manets Based On Layered Architecture 66
Tushar Saxena & Nandini Deb
12. Impact of E-Learning And Knowledge Management In Indian 73
Rural Education
Shallu Joshi
13. Performance Analysis of SCTP Based Remote Monitoring Systems 79
against Service Failures
Piyush Yadav, Amit Sehgal & Rajeev Agrawal
14. Cloud Computing: ‘Analyses of Risk Involved in Cloud Environment’ 87
Sonali Bajaj & Dr. Sharad Saxena
15. Ann Based Fault Detection & Classification of A 400 Kv Electrical 95
Transmission Line
Gaurav Gangil & Prof. Rakesh Narvey
16. Design & Analysis of Documentation Taxonomy Approach with 102
Algorithmic Fusion towards Ambiguity Free Results for English Idiolect
Snehal A. Lohi & Prof. Rishi Kant Malviya
17. Computing Network Reliability where Nodes are Imperfectly Reliable 108
and Links are Perfectly Reliable
Moirangthem Marjit Singh
18. Predicting the Consumption Behavior of Smart Phones Using Social Media 114
Disha Verma & Kanika Minocha
19. An Experimental Approach to Study the Terminal Fall Velocity of 121
Particles in Different Types of Fluids
M. N. Umare, Prof. (Dr.) A. G. Bhole & Dr. D. P. Singh
20. Qualitative Analysis of Different Routing Protocols in Mobile Ad Hoc Network 126
Tushar Saxena, Rahul Raj & Prabhat Kumar
21. An Online Fuzzy Expert System using Rule Advancement Strategy for 135
Specific Domain
Abhishek Goel, Arun Solanki & Ela Kumar
22. Green Database 141
Pranav Kharbanda, Varun Chauhan & Sumit Jain
23. Re-Ranking Web Search Result for Semantic Searching 148
Rutuja Ajmire, Prof.A.V.Deorankar & Dr. P. N. Chatur
24. Implementation of Automatic Wrapper Adaptation System Using 154
Dom Tree for Web Mining
A. A. Tekale, Dr. Rajesh Prasad & S. S. Nandgaonkar
25. DDA Based Approach For Object Tracking & Detection In Large Motion Videos 164
Dimple Chawla

26. Security Compliance Challenges On Clouds 172
Yury Chemerkin
27. Modern Media: A Tool For Elt In Intercultural Communication 198
Kumari Pragya
28. Mircostrip Antenna Design Analysis Using Neural-Network 206
Shyam Babu
29. Efficient Auto Code Generation from UML Diagrams Using Semantic 214
Platform and DSL Semantic Annotations
Prof. Sonali R. Idate & Prof. kavita B. Supugade
30. Data Mining: Tools and Techniques 222
Swati Aggarwal & Preeti Raheja
31. Unraveling The Challenges Faced By Indian E-Governance 231
Priyanka Tayal & Dr. Alpana Kakkar
32. Intelligent and Synchronized Signal System for Urban Areas 239
Prashant Pathak
33. Various Methods Of Wireless Power Transmission Technologies for 242
Solar Power Satellites
Guru Raj C, Amita Murthy & Kendaganna Swamy
34. Efficient Method for Detection & Mitigation of Inconsistencies from a 249
all UML Diagrams Based on Description Logic Rules During the Owl Generation
Prof. Sonali R. Idate & Prof. Nilam I. Dalvi
35. Availability Analysis of Various Systems of Brewary Plant-A Review 255
Sunil Kadiyan, Deepanjali Nimker & Uma Gautam
36. Power Quality Analysis Using Various Techniques: A Review 263
Rajeev Kumar Chauhan & J. P. Pandey
37. A Review on Different Iii-V Multijunction Solar Cells 271
Kiran balaji P.S, Shashiraj yadav & Kendaganna swamy
38. Neural Steganography: An Aes-256 Bit PRP & Pseudo Random Hash 278
Based Neural Cryptographic Technique for Image Steganography
Gaurav Indra, Chesta Agarwal, Pawandeep Kaur & Aastha Diwan
39. Demand Forecasting Of Spare Parts Store By Moving Average Method 287
and Verification By Exponential Method
Sharda Pratap Shrivas, S.Gangopadhayay & Aruna Thakur
40. Data Mining: A Mode To Reform Today’s Higher Learning Institutions 292
Through Performance Indicators
Meenu Chopra & Dr. Mamta Madan

SECTION-II
RESEARCH ARTICLES
41. Cyber Crime: A Challenge Ahead With Special Reference to 298
Chandigarh Police
Narinder Singh
42. “Killed Two Birds With One Stone: Secure Data With Cloud” 307
Smita Bajpai
43. Analysis Of Tests Laid Down By Courts To Determine Copyright Violation 319
In Computer Software
Mr. Atmaram Fakirba Shelke
44. CYBER LAW: Various aspects of Cyber Legal System 326
S. Sai Sushanth
SECTION-III
CASE STUDY
45. A Comparative Study of Various CPU Scheduling Simulator 335
Ms. Prerna Ajmani & Ms. Amanpreet Kaur
46. Penetration Testing/ Cyber Security Assessment - XYZ Company 340
Parveen Sadotra & Dr. Anup Girdhar

SECTION-I
RESEARCH PAPERS

SECTION-II
RESEARCH ARTICLES

SECTION-III
CASE STUDY

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
‘ŽǤ͸ ••—‡ͳǡ –‘„‡”ʹͲͳʹȂƒ” ŠʹͲͳ͵
172
SECURITY COMPLIANCE CHALLENGES
ON CLOUDS
Yury Chemerkin
Independent Security Researcher / PhD in progress
Russian State University for the Humanities (RSUH), Moscow, Russia
Email: yury.chemerkin@gmail.com
ABSTRACT
Today cloud vendors provide amount features of integration and optimization in many fields
like business or education; there many way to adopt it for medical purposes, maintaining
medical records, or monitoring patients. Not all cloud solutions totally changed an original
security paradigm and customers still need to manage the accessibility, monitoring and
auditing. The security and privacy becomes very important issue led the customers choose an
appropriate security level. The compliance part of security is a cornerstone idea especially
when the cloud vendors talk and refer to worldwide security standards, best practices.
Keywords: cloud security, compliance, amazon web services, aws, csa cloud controls
matrix, csa, cmm, caiq, csa consensus assessments initiative questionnaire
I. INTRODUCTION
Cloud Computing has been one of the top
security topics for the last several years. The
clouds increasing popularity [1] is based on
flexibility of virtualization as a technology
for replacing and improving of complex
parts of systems reducing unnecessary
computation and usage of existing resources.
Besides the well-known threats, the clouds
introduce new security and management
level. Clouds transform small application
into the large infrastructure let managing by
itself (IaaS) to quick and easy access to any
data. Cloud security vendors (not only cloud
vendors, almost of all kind of vendors) claim
that the end-user companies prefer a cost
reduction instead the security to reduce the
operation complexity of their clouds (or
systems) that eventually ends with a lower
amount of security that the end-user will
accept. Some security questions about
clouds are: how is it implemented, how are
the data or communication channels secured,
how are the cloud and application
environments secure, etc. For example, the
well-known phrase “physical security does
not exist in clouds” make no serious sense
because it was this way as it had been when
the hosting service arrived. Customer must
make any improvements than by-default
configuration with each new technology. If
the virtual OS is a Windows Server, then the
OS has the quite similar security and patch
management state as Desktop/Server OS. In
addition, it is mere trust than downloading
and buying third-party solutions and it might
be more trustable, than cloud vendor (they
are all third-party solutions).The cloud
simply uses well-known protocols like
SMTP, HTTP, SSL, TCP/IP etc. to
communicate, send email, file handling and
other activity. The methods that are
compliant as a part of the RFC should
indicate that they are OK. Standards like the
ISO 27001 series still provide a measure on
information security, but as minimum set of
security only. However, a key problem is a
lack of a systematic analysis on the security
and privacy for such cloud services. Third
party organizations like the Cloud Security
Alliance (CSA) promote their best practices
and questionnaires to improve a cloud
security and have a registry of cloud

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
173
vendors' security controls to help the users to
make a right choice on security field.
This research examines and highlights
security things are background for cloud
security, for best practices and security
standards, those aspects the customers rely
as a trustable level and minimal security set
at least. Enterprises need to comply with of
the different regulations and standards (PCI,
CSA, HIPAA, ISO etc.) as well as they need
to prove compliance with security standards.
The aim of research is examination issues in
the security standards, regulations and best
practices (if they are) let the cloud vendors
or their customers successfully pass the
cloud audit checks and claim about a
compliance having difference security
features between clouds not to mention the
different configurations that meet with
different business needs and processes.The
general guidelines in such documents
operate at the high level that makes unclear
these guidelines missing the useful security
countermeasures and adding a superfluity in
the customer’s vision about the system
(cloud) which they apply it to.
II. RELATED WORK
Nowadays, AWS is one of the most popular
cloud platforms. It offers a virtual
computing, storage, VPN, archiving,
monitoring, health-watching, email and
others services environment for a user to run
applications, store data, operates with events
and deliver event-data due the different
services and by different ways. AWS offers
many services more accessibility that is
important with merging to the cloud. GAE
[5] is one more cloud to run web
applications written using interpretation and
scripts languages like Java/Python but it has
limited features (security and the rest).
Windows Azure makes a data spreading to
the cornerstone, via neither storage nor web-
server [6]. These different goals have a huge
influence on the security while all of them
were built in accordance with best practices,
and have security controls are well
documented.
As we have enough security problems and
the greater quantity of security solutions to
solve these problems on one hand and
standards with best practices that
successfully applied to the clouds (according
to the cloud vendors) on another hand, it
should be analyzed whether it is so difficult
to pass the cloud compliance audit in
accordance with these documents. In this
paper, the AWS services are going to be
examined as the most similar to known
existing technologies. The modern
recommendations for clouds are quite
similar to given in the Table I at least but
improved to the low details like “you should
choose the cloud vendor that offers an
encryption but you cannot choose those
vendors that offer the strong encryption e.g.
AES” the make a little sense. The answer
“why” is relied on the customers willingness
to see an action-to-do like ‘whether they
should rely on this AES encryption or they
need encrypt their data before uploading’. It
successfully works when the customers need
to cover all clouds (however, it is obliged to
provide more details) to choose those
provided the more security but it is bad for
clouds are provided many services and
security features because it is basic rules
only.
TABLE 1: THE COMMON SECURITY RECOMMENDATIONS
Object What to do
Data Ownership Full rights and access to data
Data Segmentation An isolation data from other customers’ data
Data Encryption A data encryption in transit/memory/storage, at rest
Backup/Recovery An availability for recovery
Data Destruction An Ability to securely destroy when no longer needed
Access Control Who has access to data?

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
174
Log Management A data access that logged and monitored regularly
Incident Response Are there processes and notifications in place for incidents
(including breaches) that affect data?
Security Controls An appropriate security and configuration control to data
protection
Patch Management Patching for the latest vulnerabilities and exploits?
One more example is how such documents
may substitute the customer understanding.
NIST [25] talks about cloud limits on
security: “the ability to decide who and what
is allowed to access subscriber data and
programs … the ability to monitor the status
of a subscriber’s data and programs …” may
follow the idea “no one cloud provides such
abilities” by mistake without a knowledge
about cloud infrastructure. Another
misthought is about cloud firewall takes
place with opinion that cloud features are
useless due the following statement: a cloud
firewall should provide a centralized
management, include pre-defined templates
for common enterprise server types and
enable the following:
x Source and Destination Addresses
Ports filtering
x Coverage of protocols, DoS prevention
x An ability to design policies per network
interface
x Location checks to monitoring who and
where were accessed to the data
Besides such detailed ‘how-to’ sets, there are
enough statements that the clouds can’t
provide with it, so it is still like a security
hole, while some of them (ex. AWS)
provides these features. The Table II [7]
shows a brief difference between AWS and
Azure on compliance vs. documented
technologies to secure and protect data. As a
part of ‘non-transparency’, it is quite
interesting that the different offered security
features and controls have passed e.g. ISO
27xxxx, while the cloud difference
(comparingeach other) looks like a medium
reduction.The cloud attributes examined [2]
are backup, encryption, authentication,
access controls, data isolation and
monitoring, security standards, disaster
recovery, client-side protection, etc. In
addition, the paper provided a medium-
detailed comparison what exactly each cloud
vendor offers to their clients (AWS, Azure,
GAE). Authors presented the cloud
security/privacy attributes mapped to NIST
guidelines that helps in examining security
standards. The [3], [4] give a brief
examination of AWS S3 and GAE [26]
provide us with more details but a summary
comparison over [2-6], [10], [12], [15], [21]
makes clear that AWS offers the most
powerful and flexible features and services,
however AWS was not examined deeply
(FAQs examination only) over [2-6] than
[7], [45].
TABLE 2: COMPLIANCE DIFFERENCE BETWEEN AWS AND AZURE
Type
Cloud Vendor
AWS Azure
Compliance
ISO 27001, CSA, HIPAA + +
PCI DSS, FISMA, FIPS 140-2, NIST + N/A
Physical
Security
Actions, events logging, logs audit + +
Minimum access rights + +
Auto revocation access after N days, role changed,
MFA, escort
+ N/A
Data
Privacy
Backup, redundancy across the location + +
Redundancy inside one geo location, encryption,
DoD/NIST Destruction
+ N/A
Network MITM Protection, Host-Based Firewall (ip,port,mac), + +

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
175
Type
Cloud Vendor
AWS Azure
Security Mandatory Firewall, Hypervisor protection from
promiscuous
Pentesting offer of services + -
Pentesting offer of apps + +
DDoS Protection, featured firewall + N/A
Credentials
Login and Passwords, SSL + +
Cross account IAM, MFA hardware/software, Key
Rotation
+ N/A
Such recommendations may also advise the
different sanitizing technique to use on client
of cloud side. Effective and efficient
sanitization is a forensics statement. There
are a lot of methods and techniques but some
of them rely on brute-force wiping that
extremely useless for the clouds due
financial matters. The ERASERS proposed
in [43] computes the entropy of each data
block in the target area and wipes that block
specified number of passes and pattern then.
Patterns and entropy are valuable because
the file types (docx, mp3, odf, pgp, acid*)
have a quite different characteristics. It
means that ERASERS has many
subpopulations which of them applied to
certain cases. It gives a faster wiping vs.
regular brute force methods of overwriting.
As the disk sizes increase up to petabyte
scale (recently AWS offer such storage), the
brute force methods is becoming near
impossible in time. Many drives contain
areas do not have data needing overwriting,
as known as for SSD that shuffles data
between data block every time, but keeps the
encrypted area untouched. According to
NIST SP800-88 [44], “studies have shown
that most of data can be effectively cleared
by one overwrite with random data rather
than zeroing”. The original version of DoD
5220.22-M (AWS implements this one)
recommends a 3-pass wipe with one pass of
a uniform character, one pass of its
complement, and one pass of random
characters, while the current DoD 5220.22-
M does not specify the number of passes or
the pattern. As the ERASERS shows the
good results, it should be implemented to the
AWS EC2 or other cloud VM services as an
additional and lower-cost protection (surely,
the price differs but it downs each time).
The one of the most serious work on
AWS security [27] gives results as a black
box analysis methodology in regards to the
control interfaces (AWS EC2 and S3)
compromised via the novel signature
wrapping and advanced XSS techniques,
HTML injections, as well as SOAP issues
with validation and man-in-the-middle
attacks. Authors also examined the possible
way of protection and found that AWS EC2
S3 services do not provide the suitable
opportunities to implement their solutions.
Despite of that, there was found solutions
based on available (native) security features
of AWS to protect against these attacks [28]:
x Utilizing the SSL/HTTPS only with
certificate validation and utilizing API
access mechanisms like REST/Query
instead of SOAP
x Activating access via MFA and creating
IAM accounts limited in access, AWS
credentials rotation enhanced with Key
pairs and X.509 certificates
x Limiting IP access enhanced with
API/SDK IAM
The virtualization refers to a hypervisor,
while a virtual machine works with a
configured snapshot of an OS image and
requires well-known shared resources like
memory, storage, or network. It is generally
agreed that, despite of the hypervisors are
isolating these shared resources without
affecting other instances, the VMs can be
trusted in few cases only, while it is
vulnerable to the most known XEN attacks,
however no one XEN vulnerability was not

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
176
applied to the AWS services according to the
[29] as an example. This brings us to
understanding the term “customize” in
regards to the clouds. Other ability to control
due the Intel AMT commands [30] or else is
applied for VMware but there is not known
successful implementations for AWS,
Azure, GAE or other clouds. Also may have
a serious performance problems due
overloading the virtual OS with analysing
CPU commands and system calls, regardless
of where the trusted/untrusted control agents
are, multiplied by known issues the best of
all demonstrated in case of GPU [31].
There are security virtualization issues even
in clouds, no doubt and it should be taken in
consideration that clouds have a builtsecurity
configuration to protect against most known
attacks or new-coming, it still need to be
patched or monitored installed and managed
the host-based firewalls and IDS, etc. One
exciting example [32] talks about an
incorrect behavior in the SSL certificate
validation mechanisms of AWS SDK for
EC2, ELB, and FPS. Despite of that, AWS
has updated all SDK (for all services) to
redress it [33].
III. EXAMINATION THE CSA
DOCUMENTS ON CLOUDS
The CSA documents provide vendors and
their customers with a medium-detailed
overview what the statements do the cloud
security compliance features applied to as
it defined in the Cloud Security Alliance
(CSA) and Cloud Control Matrix (CCM).
The cloud vendors or 3rd
party cloud
providers may announce that their services
operate in according to these
recommendations: However, the customers
have a responsibility to control their
environment and define whether it is really
configured in compliance to CSA best
practices. In other words, how much are
cloud controls and configurations
transparent to the appropriate policies and
procedures in accordance with their
regulatory requirements. Here the
regulations meet the technical equipment as
a public technical proof is going to be
examined at first from that point. Each
control ID will be kept to find it CAIQ [35]
CCM [34], while his explanation is
rewritten to reduced amount of text and
grouped by domain/control group, similar
questions/metrics. Also, the CID covers a
CAIQ and CCM together.
TABLE 3: AWS SOLUTIONS AGAINST A CAIQ
CID Questions AWS Response
CO-01.1 Any certifications, reports and
other relevant documentation in
regards to the standards
AWS has this one and provides it under
NDA.
CO-02.1-7 An ability to provide the tenants
the 3rd party audit reports, and
conduct the network/application
cloud penetration tests as well as
internal/external audits regularly
(in regards to the guidance) with
results
AWS engages with independent auditors
reviewing their services and provides the
customers with the relevant 3rd party
compliance/attestations/certifications
reports under NDA. Such audit covers
regularly scans of their (non-customer)
services for vulnerabilities [41-42] the
customers are also available to make
pentest [40] of their own instances due
the tentative agreement.
CO-03.1-2 An ability to perform the
vulnerability tests for customers
(means their own tests) on
Customers are able to perform it due the
permission (writing email with the
instances IDs and period) request via

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
177
applications and networks. AWS Vulnerability/Penetration Testing
Request Form [40]
CO-04.1 A person is responsible to contact
local authorities in accordance
with contracts and appropriate
regulations.
AWS does contact with local authorities,
industry organizations, and regulatory
bodies in according to the ISO 27001.
CO-05.1-2 An ability to logically split the
tenants data into the segments
(additionally, due the encryption)
as well as data recovering for
specific customers in case of
failure or data loss
Despite of the flat space implemented in
AWS services, all data stored by the
customers has canonical isolation by path
and additional security capabilities like
the permissions, personal entry points to
access the data as well as MFA. AWS
encryption mechanisms are available for
S3 (Server Side Encryption), EBS
(encryption storage for EC2 AMIs),
SimpleDB, EC2 (due the EBS plus SSL),
VPC (encrypted connections and
sessions). Additionally, the customer can
use any cloud services offered a backup
from and to AWS services like SME
Storage for various cloud vendors (AWS
S3, Azure, Dropbox, etc.) or Veeam
Backup Cloud Edition for VMs (AWS,
Azure, etc.)
CO-06.1
CO-07.1
CO-08.1
Documented policies on a
tenant’s intellectual property
protection
It is in alignment with COBIT, ISO
27002 and PCI Data Security Standards
DG-01.1 An implementation of structured
data-labeling standard
Depends on the customers’ needs and
their requirements.
DG-02.1-5 An identifying ability of the VM
via policy tags/metadata to
perform any quality
control/restrict actions like
identifying hardware via policy
and tags/metadata, using the geo
location as an authentication,
providing a physical geo location,
allowing to choose suitable geo
locations for resources and data
routing
The tenants are featured to apply any
metadata and tagging to the EC2 VMs to
set the user-friendly names and enhance
searchability.
AWS offer several regions (partially is in
[38]) and which one can be chosen at the
beginning of data pulling. Each of them
is covered by geo location policy and
access as well as is able to be restricted
by SSL, IP address and a time of day.
They offer move data between each other
directly by the customers or via API and
SDK
DG-03.1 Any policies and mechanisms for
labeling, handling and security of
data
As the customers retain ownership, they
are responsible to implement it.
DG-04.1-2 The technical capabilities to
enforce tenant data retention
policies and documented policy
on government requests
The customers have capability manage
retention, control, and delete their data
except case when AWS must comply
with law.
DG-05.1-2 A secure deletion (ex. degaussing At the end of a storage useful life, AWS

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
178
/ cryptographic wiping) and
providing the procedures how a
cloud vendor handles this deletion
performs a decommissioning process to
prevent data exposing via DoD 5220.22-
M/NIST 800-88 techniques. In additional
the device will be degaussed or
physically destroyed.
DG-06.1 A replication of production in
non-production environments
AWS provides the ability to (non-
)production delegates the responsibility
to the customers to manage it.
DG-07.1-2 A presence of the controls to
prevent data leakage /
compromising between AWS’
tenants
There were not known the serious
security bugs of AWS environment
successfully applied or that cannot
‘patched’ by using the implemented PCI
controls [27-29], and other security
controls that make the customer
resources segmented from each other. As
well, a hypervisor is designed to restrict
non-allowed connections between tenant
resources that has validated by
independent PCI QSA with PCI DSS 2.0
according to AWS
DG-08.1 An availability of control health
data to implementation a
continuous monitoring to validate
the services status
AWS provides the independent auditor
reports under NDA and customers on
their own systems can build a continuous
monitoring of logical controls
additionally implementing [38].
FS-01.1 Any ‘evidence’ if the policies are
established for having safe and
secure working environment in
offices and other areas?
AWS is certified by independent auditors
to confirm alignment with AWS SOC 1
Type II and ISO 27001 certification
standard (domain 9.1)
FS-02.1 A background verification (ex.
criminal) of AWS employees,
contractors and 3rd parties
According to AWS they perform such
checks in comply with law
FS-03.1
FS-05.1
An implementation of the
physical security perimeters,
providing the secure areas
controlling from unauthorized
personnel actions
AWS has been implemented the various
physical security controls like fencing,
walls, security staff, video surveillance,
intrusion detection systems and other
electronic means in alignment ISO
27001. It extends by utilizing video
surveillance and requirement to pass two-
factor authentication a minimum two
times to access datacenter floors for staff.
FS-04.1 A ability to provide the customers
a knowledge which geo locations
are under traversing into/out of it
in regards the law
AWS imposes not to move a customers'
content from them without notifying in
compliance the law. The rest is similar to
the DG-02.5.
FS-06.1
FS-07.1
Availability of docs that explain
if and where data may be moved
between different locations, (e.g.
backups) and repurpose
equipment as well as sanitizing of
AWS imposes control the customers to
manage the data locations. Data will not
be moved between different regions, only
inside that were chosen to prevent
failure. The rest is similar the DG-05.1-2

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
179
resources (talks about the AWS side only)
FS-08.1-2 An inventory of critical assets,
critical supplier relationships
The hardware assets monitored by the
AWS personnel and maintain the
relationships with all AWS suppliers are
possible in comply ISO 27001 (domain
7.1) for additional details.
HR-01.1
HR-02.1-2
HR-03.1
A background verification (ex.
criminal) of AWS employees
The security courses and training
employees
Similar to the FS-02.1. Also, AWS does
publish the Company’s Code of Business
Conduct and Ethics internally and
regularly train employees that
documented and validated periodically.
Other responsibility is shared across HR
IS-01.1
IS-02.1
IS-03.1-3
A description of ISMP in the
documents with clear direction,
assignment, verification for
supporting information security
that comply with ISO-
27001/22307, CoBIT, etc. Any
documents shown the evidence of
mapping it in comply to the
regulations
AWS does publish (under NDA) the
documentation about it in alignment ISO
and certified by independent auditors as
well as the policies based upon the
COBIT/ISO 27001/PCI DSS
IS-04.1-3 An ability to provide the
documents with security
recommendations per each
component, importing the trusted
VMs as well as capability to
continuously monitor and report
the compliance
Customers are able [11] to use their own
VMs due the image importing via AWS
VM Import, as well as AWS
Import/Export accelerates moving large
amounts of data into/out in case of
backup or disaster recover. The rest is
similar to the DG-08.1 in order to ISO
(domain 12.1, 15.2)
IS-05.1 An ability to notify the customers
on information security/privacy
polices changes
Despite of AWS provides a lot of how-
to-docs, binary sources [8-24], [28-29]
are regularly updated, it’s better to
subscribe to the news via RSS and email,
because there is no other directly way to
be notified
IS-06.1-2 Any sanctions for employees who
have violated security policies
According to AWS If violation happens,
the appropriate disciplinary action is
followed
IS-07.1-2 Established controls to remove
the employees access which is no
longer required and how quickly
it removes.
According to AWS docs, any ‘redundant’
access is automatically revoked when an
employee’s record is terminated or
changed with his job functions in
Amazon’s HR system. If employee was
not fired he will be reassigned with new
access rights that reviewed every 90 days
IS-08.1-2 A docs described how the cloud
vendor grant and approve access
to tenant data and if provider
tenant data classification
methodologies is aligned with
The customers as data owners are
responsible for the development, content,
operation, maintenance, and use of their
content.

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
180
each other
IS-09.1-2 A revocation/modification of user
access to data upon any change in
status of employees, contractors,
customers, etc.
Amazon provides enough security
control to maintain an appropriate
security policy and permissions not to let
spreading the data if it is explicitly not
allowed that also built by AWS. The rest
is similar to the IS-07.1-2 in regards
AWS staff
IS-10.1-3
IS-11.1-2
A certification of entitlements for
system administrators (exclusive
tenants), with remediation case of
inappropriateness of it and a
security awareness training
program for cloud-related issues
for administrators, engineers
AWS reviews the access grants every 90
days and reapproves or assign explicitly
the new access grants if it is the same
even. (SOC 1 Type II report, ISO 27001,
domain 11.2). A training course are quite
similar to the IS-06.1-2
IS-12.1-2 A participation in the security
groups with benchmarking the
controls against standards
AWS policies is based on COBIT, ISO
27001/27002 and PCI DSS
IS-13.1 A documentation clarifying the
difference between administrative
responsibilities vs. those of the
tenant
AWS provides these roles among the
general security documents (it means not
among the specific services documents)
IS-14.1
IS-15.1
A responsibilities for maintaining
awareness of and complying with
security policies, procedures and
standards that are relevant to an
area of responsibility with
providing docs how maintains the
segregation of duties
Each employee have a Company's Code
of Business Conduct and Ethics and have
to complete a periodic training.
Customers should manage the
segregations of duties by themselves. The
rest are certified by certified by
independent auditors
IS-16.1-3 Informing the users of their
responsibilities in regards to the
security policies, standards,
regulations and rules how to keep
the equipment
AWS provides the various ways to train
(newly hired employee; others by the
emails in AWS intranet) the employees
understand their roles and responsibilities
that certified by independent auditors
IS-17.1-3 Any policies to address the
conflicts of interests on SLA,
tamper audit, software integrity,
and detect changes of VM
configurations
AWS provides the details AWS SOC 1
Type II report in compliance with ISO
27001 (domain 8.2, 11.3) that validated
by independents auditors
IS-18.1-2
IS-19.1-4
Ability to create and manage
unique encryption keys per a
tenant, to encrypt data to an
identity without access to a public
key certificate (identity based
encryption) as well, to protect a
tenant data due the network
transmission, VMs, DB and other
data via encryption, and maintain
key management
If keys created on server side, AWS
creates the unique keys and utilizes it, if
it did on client side due the own or 3rd
party solutions, the customers can
manage it only. AWS encryption
mechanisms are available for S3 (Server
Side Encryption), EBS (encryption
storage for EC2 AMIs), SimpleDB, EC2
(due the EBS plus SSL), VPC (encrypted
connections and sessions), etc.

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
181
IS-20.1-6 An ability to perform
vulnerability scans in regards to
the recommendations on
application-layer, network-layer,
local OS layer and patching then.
Providing the info about issues to
AWS who makes it public
Similar to the CO-03.1-2 but more detail
that means the customers are should
performing vuln scan and patching
despite of the VMs’ OS are coming with
the latest updates; they are obliged to
come to the agreement with AWS and
not violate the Policy. Also similar to the
CO-02.6-7 on providing the results
[40],[41-42]
IS-21.1-2 Availability of AV solutions and
updated signatures, list or
behavioral patterns.
AWS does manage AV solutions
updates in compliance to ISO 27001 that
confirmed by independent auditors
IS-22.1 A document specifying the roles
and responsibilities of AWS and
tenets due handling security
incidents?
AWS have this one in compliance with
ISO and provides the AWS SOC 1 Type
Report
IS-23.1-2
IS-24.1-4
An ability of SIEM to merge data
sources (app logs, firewall logs,
IDS logs, physical access logs,
etc.) for granular analysis and
alerting. Additional providing an
isolation of the certain customers
due incident.
A capability to freeze of data
from a specific point in time, use
the forensic data collection and
analysis techniques.
ISO and provides the results with AWS
SOC 1 Type II Report. AWS has the
incident response program in compliance
too. Even the customers’ data stored with
strong isolation from AWS side and
restrictions made by them, additional
materials (SOC 1 Type II report) must be
requested to clarify all questions on
forensics. All data should be encrypted
on client side, because it leads to the
customers participation with law directly
as AWS do not have the keys in this case.
IS-25.1-2 An ability to monitor affecting of
security incidents and share the
results with the customers
AWS does it in alignment with ISO
27001 that validated by independent
auditors
IS-26.1-3 An ability to collect or create
metadata about the customers
data and provide a documentation
making clear what and how may
utilize
According to AWS, the customers
manage and control their data only
IS-27.1-2 An ability to provide the
monitoring system to check the
privacy breaches, notify the
customers, and provide a
confirmation that privacy policy
aligned with industry standards
The customers are responsible for
handling the security and privacy
IS-28.1-2
IS-29.1
An ability to use an open
encryption (3DES, AES, etc.) to
let tenants to protect their data on
storage and transferring over
public networks. As well, an
availability of logging,
monitoring and restriction any
AWS encryption mechanisms are
available for S3 (Server Side
Encryption), EBS (encryption storage for
EC2 AMIs), SimpleDB, EC2 (due the
EBS plus SSL), VPC (encrypted
connections and sessions). Customers
may use third-party encryption

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
182
access to the management
systems controlled hypervisors,
firewalls, APIs, etc.)
technologies too as well as rely on the
AWS APIs are available via SSL-
protected endpoints. AWS has a logging
feature, delineates the minimum
standards for logical access to AWS
resources and provides details with AWS
SOC 1 Type II report
IS-30.1 Securing and providing the
dedicated secure networks to
establish a management access to
clouds for administrators?
AWS systems are design to protect
management console but the
administrators must use MFA devices to
gain access to the clouds. In additional,
every 90 days their access rights are
reviewed, as well as all such actions are
reviewed and audited.
IS-31.1-2 An ability to collect and utilize
the data and provide the tenants
with reports
AWS does utilize data in compliance ISO
27001 that validated by an independent
auditors
IS-32.1
IS-33.1-2
Any restrictions in regards to
using the portable/mobile
devices/PDA and to prevent
unauthorized access to your
application, program or object
source code
AWS has this one, delineates the
minimum rights for logical access to
AWS resources and provides details with
AWS SOC 1 Type II report
IS-34.1-3 An ability to monitor and
segment/restrict the key utilities
managed virtualized partitions
(ex. shutdown, clone, etc.) as well
as ability to detect attacks (blue
pill, etc.) to the virtual key
components and prevent from
them
AWS has this one and provides details
with AWS SOC 1 Type II report. AWS
examines such attacks and provides
information if they apply in section
“Security Bulletins” [36]. An example of
blackbox attack [27],[28] was given in
the Section II of this paper with a native
security features as a solution
LG-01.1
LG-02.1-3
Periodically reviewing the NDA
and others requirements and
agreements by legal counsel. An
ability to monitor outsourced
providers in compliance with
laws per country.
Amazon Legal Counsel reviews 3rd party
agreements and NDA according to the
business needs. AWS does not leverage
any 3rd party cloud providers to deliver
AWS services to the customers.
OP-01.1
OP-02.1
Any policies, system
documentation are available for
all personnel to support services
operations roles with an
information system
documentation to the authorized
personnel
According to AWS, the policies are
alignment with AWS Information
Security framework based upon the
COBIT framework, ISO 27001 standard
and the PCI DSS requirements. Such
docs are available through the Amazon's
Intranet site.
OP-03.1-2 An ability to provide the
documentation regarding what
levels of system (network,
storage, memory, I/O, etc.)
oversubscription may maintain
and restrict
AWS does not disclose the capacity
management practices but publishes SLA
to communicate instead

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
183
OP-04.1-5 A capability to perform
independent hardware/software
restore, and replicate recovery
actions, move and port to another
cloud vendor
The customers should use an EBS
Snapshot functionality to manage the
VM images. Also, they allowed [11] to
export their AMIs to use on premise or at
another provider as well as import their
VMs, as well as AWS Import/Export
accelerates moving large amounts of data
in/out in case of backup or disaster
recover
RI-01.1-2
RI-02.1-2
RI-03.1-2
RI-04.1
A cloud insurance by a 3rd party
for the losses in regards to the
cloud vendors, tenants (due the
SLA) in alignment with the
documents procedures reviewed
annually at least considering all
risk categories (e.g., audit results,
threat and vulnerability analysis,
regulatory compliance)
AWS provides the detailed customer
remuneration for losses in SLA. The rest
internal procedures of managing and
mitigation the risks in alignment ISO
27001 (domain 4.2, 5.1) validated by
independent auditors and a few details
among the AWS risks documents. Any
updates to such procedures occur each
year
RI-05.1-7 An ability to provide a multi-
failure disaster recovery, monitor
a service continuity with
upstream providers in the event of
provider failure and to share the
redundancy plans with your
tenants
AWS has several geo regions each of
them has several independent
Availability Zones designed to move
customer data traffic away from the
affected area [37].
RM-01.1 Any policies for new
development acquisitions
All new developed resources certified by
independent auditors in regards to ISO.
RM-02.1
RM-03.1
An ability to obtain a
documentation that describes the
customers responsibilities within
it, quality assurance process
All details provided with AWS SOC 1
Type II report. The standards of quality
are part of SDLC in compliance ISO
27001 (domain 10.1)
RM-04.1-2 An ability to examine the
standards of quality against
software development and detect
the source code security defects
The standards of quality are part of
SDLC in compliance ISO 27001 (domain
10.1), however AWS does not generally
outsource development of software
RM-05.1 An ability to restrict the
installation of unauthorized
software onto clouds
AWS does monitor the malicious
software in compliance with ISO 27001
(domain 10.4).
RS-01.1
RS-04.1
RS-02.1-3
RS-03.1-2
RS-05.1
RS-06.1
RS-07.1
RS-08.1-2
A minimization risk due disaster
recovery policies, SLA, security
metrics, business continuity plans
to test the environment regularly;
technical solutions providing a
performance and health visibility
with failover capability to other
provides as well as physical
protection against damage from
natural causes, power failures,
and network disruptions.
Additionally, an ability to find out
Such policies are in alignment with ISO
27001 ( domain 14.1);
AWS provides a Cloudwatch services to
monitor the state of AWS EC2, EBS,
ELB, SQS, SNS, DynamoDB, Storage
Gateways as well as a status history [38].
AWS provides several Availability Zones
in each of six regions to prevent failures,
but the customers are responsible to
manage it across regions or other clouds
vendors via API and SDK. A physical
protection is in compliance ISO 27001

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
184
the transport route of the
customers data
and 27002. Information about the
transport routes is similar to the FS-06.1
SA-01.1 Any security/regulatory
requirements addressed to the
industry certifications on granting
access
The requirements are in compliance with
ISO 27001(domain 6.2) and reviewed by
an independent auditors
SA-02.1-7 A capability to use the SSO, an
identity management system,
MFA Policy Enforcement Point
capability (ex. XACML), to
delegate authentication
capabilities, to support identity
federation standards (SAML,
SPML, WS-Federation, etc.), use
3rd party identity assurance
services
AWS IAM [21-24] provides the securely
access and roles to the resources with
features to control access, create unique
entry points of users, cross AWS-
accounts access due API/SDK or IAM
console, create the powerful permissions
with duration and geo auth. AWS offers
identity federation and VPC tunnels led
to utilizing existing corporate identities
to access, temporary security credentials.
Additionally, the customers may avoid
the mistakes and risks by using an AWS
Policy Generator and MFA devices [39].
Covered the services are AWS Auto
Scaling, CloudFormation, CloudFront,
CloudSearch, CloudWatch, DynamoDB,
EBS, EC2, Elastic Beanstalk,
ElastiCache, ELB, Elastic MapReduce,
RDS, Route 53, S3, SES, SQS, SNS,
SimpleDB, Storage Gateway, VPC
SA-03.1
SA-04.1-3
SA-05.1
Any industry standards as a
background for a Data Security
Architecture (FedRAMP, etc.),
standards (BSIMM, NIST, etc.) to
build-in security for (SDLC),
tools detecting the security
defects and verify the software.
An availability of I/O integrity
routines for the application
interfaces and DB to prevent
errors and data corruption
AWS Security based upon the best
practices and standards (ISO
27001/27002, CoBIT, PCI DSS) that
certified by independent auditors to build
threat modeling and completion of a risk
assessment as a part of SDLC.
AWS implements this one through all
phases including transmission, storage
and processing data in compliance to ISO
27001 (domain 12.2) that certified by
independent auditors.
SA-06.1-2
SA-08.1
An environment separation for
SaaS, PaaS, IaaS and providing
the how-to-docs
AWS provides a lot of how-to-docs,
binary sources (as an example [8-
24],[28-29])
SA-07.1 A MFA features and strong
requirement for all remote user
access
MFA is not strong and depends on the
customer configuration [39]
SA-09.1-4
SA-10.1-3
SA-11.1
A segmentation of system and
network environments with a
compliance, law, protection, and
regulatory as well as a protection
of a network environment
parameter
An internal segmentation is in alignment
with ISO and similar to the CO-05.1-2
while external is a part of the customer
responsibility. Internally, a traffic
restriction is too and has ‘deny/allow’
option in EC2/S3 by default (but the
explicitly cfg is recommended), etc.

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
185
Externally, the customers are able to use
SSL, encryption key, encryption
solutions, security policies to explicitly
approve the security settings (AWS, 3rd
party or their own) according to the
security docs, whitepapers
SA-12.1 A NTP or other similar services AWS services rely on the internal system
clocks synchronized via NTP
SA-13.1 An equipment identification is as
a method to validate connection
authentication integrity based on
known location
AWS provides such ability, for example
due the AWS metadata, geo tags and
other tags created by the customers
SA-14.1-3 Any host and network IDS to
detect, investigate in case of
incidents with audit of an user
access (authorized personnel)
Similar to the IS-22.1 and IS-23.1-2
SA-15.1-2 A mobile code authorization
before its installation, prevention
from executing and using to a
clearly defined security policy
The customers are responsible to manage
it to meet their requirements.
TABLE 4: AWS SOLUTIONS AGAINST A CCM
CID Control Specification AWS Response
CO-01 Audit plans, activities and
operational action items focusing
on data duplication, access, and
data boundary limitations with
aim to minimize the risk of
business process disruption.
AWS has appropriate technical solutions,
internal controls to protect customer data
against alteration/destruction/loss/etc.
Any kind of additional audit information
is provided to the customers under NDA
CO-02 Independent reviews shall be
performed annually/planned
intervals to aim a high effective
compliance policies, standards
and regulations (i.e.,
internal/external audits,
certifications, vulnerability and
penetration testing)
AWS shares 3rd audit reports under
NDA with their customers. Such audit
covers regularly scans of their (non-
customer) services for vulnerabilities
[41-42] while the customers are allowed
to request for a pentest [40] of their own
instances
CO-03 3rd party service providers shall
demonstrate compliance with
security due; their reports and
services should undergo audit and
review.
AWS requires to meet important privacy
and security requirements conducting 3rd
parties in alignment ISO 27001 (domain
6.2)
CO-04 Responsible persons to contact
with local authorities in
accordance with business and
customer requirements and
compliance requirements.
AWS maintains contacts with external
parties in alignment with ISO standards
CO-05 The organization's approach to
meet known requirements, and
adapt to new mandate shall be
Updates to AWS security policies,
procedures, standards and controls occur
on an annual basis in alignment with the

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
186
explicitly defined, documented,
and kept up to date for each
information system element in the
organization. Information system
elements may include data,
objects, applications,
infrastructure and hardware
ISO 27001 standard.
CO-06 A policy to safeguard intellectual
property
AWS will not disclose customer data to a
3rd party unless it is required by law and
will not use data except to detect/repair
problems affecting the services
DG-01 All data shall be designated with
stewardship with assigned
responsibilities defined,
documented and communicated.
Customers are responsible for
maintaining it regarding their assets
DG-02 Data, and objects containing data,
shall be assigned a classification
based on data type, jurisdiction of
origin, jurisdiction domiciled, etc.
AWS allows customers to classify their
resources by themselves (ex. applying
any metadata and tagging to the
EC2VMs to set the user-friendly names
enhance searchability)
DG-03 Policies/mechanisms for labeling,
handling and security of data and
objects which contain data
Similar to DG-02
DG-04 Policies for data retention and
storage as well as implementation
of backup or redundancy
mechanisms to ensure compliance
with regulatory and other
requirements that validated
regularly
AWS infrastructure is validated regularly
any purposes in alignment with security
standards and featured by AWS EBS and
Glacier (for data archiving and backup),
but the customers have capability
manage it due the API/SDK
DG-05 Policies and mechanisms for the
secure disposal and complete
removal of data from all storage
media, ensuring data is not
recoverable by any computer
forensic means.
AWS rely on best practices to wipe data
via DoD 5220.22-M/NIST 800-88
techniques; if it is not possible the
physical destruction happens
DG-06 Production data shall not be
replicated or used in non-
production environments.
AWS has implemented the segmentation
of customers data to prevent its
movement by default, however the end-
users are responsible to manage the right
sharing permissions
DG-07 Security mechanisms to prevent
data leakage.
AWS has implemented logical
(permissions) and physical
(segmentation) controls to prevent data
leakage. (ex. a hypervisor is designed to
restrict non-allowed connections between
tenant resources that has validated by
independent PCI QSA in alignment with
PCI DSS 2.0 requirements)
DG-08 Risk assessments associated with AWS provides the independent auditor

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
187
data governance requirements
shall be conducted at planned
intervals
reports under NDA and customers on
their own systems can build a continuous
monitoring of logical controls
additionally implementing [38].
FS-01 Procedures for maintaining a safe
and secure working environment
in offices, rooms, facilities and
secure areas.
AWS controls any access to buildings,
room and other areas, has a strong
requirement to pass two-factor
authentication. All procedures are
validated by independent auditors
FS-02 Physical access to information
assets and functions by users and
support personnel shall be
restricted.
AWS regularly train employees in
regards their roles vs. those customers
that documented and validated
periodically. Also, any ‘redundant’
access is automatically revoked when an
employee’s record is terminated or
changed with his job functions in
Amazon’s HR system. If employee was
not fired he will be reassigned with new
access rights that reviewed every 90 days
FS-03
FS-05
An implementation of the
physical security perimeters,
providing the secure areas
controlling from unauthorized
personnel actions
AWS has been implemented the various
physical security controls like fencing,
walls, security staff, video surveillance,
intrusion detection systems and other
electronic means in alignment ISO
27001. It extends by utilizing video
surveillance and requirement to pass two-
factor authentication a minimum two
times to access datacenter floors for staff.
FS-04 Ingress and egress to secure areas
shall be constrained and
monitored by physical access
control mechanisms to ensure that
only authorized personnel are
allowed access.
Similar to the FS-03/FS-05
FS-06
FS-07
Policies and procedures shall be
established for securing and asset
management for the use and
secure disposal of equipment
maintained and used outside the
organization's premise.
AWS imposes control the customers to
manage the data locations. Data will not
be moved between different regions, only
inside that were chosen to prevent
failure.
FS-08 A complete inventory of critical
assets shall be maintained with
ownership defined and
documented.
AWS maintains a formal policy that
requires assets, the hardware assets
monitored by the AWS personnel and
maintain the relationships with all AWS
suppliers are possible in comply ISO
27001 (domain 7.1) for additional details.
HR-01
HR-02
An employment candidates
background verification in
According to AWS they perform such
checks in comply with law. Every

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
188
HR-03 regards to local laws, regulations,
etc. Any agreements prior to
granting individuals physical or
logical access to facilities,
systems or data, employees,
contractors, 3rd party users, etc.
Define the roles and
responsibilities for performing
employment termination or
change in employment
procedures
employee is provided with Company’s
Code of Business Conduct and Ethics
internally and regularly trained.
Employee or a third-party contractor has
a minimum set of privileges and can be
disabled by the hiring manager. All types
of access to any resources logged, as well
as its changes, it must be explicitly
approved in Amazon's proprietary
permission management system. All
changes led to revocation of previous
access because of explicitly approving
type to the resource
IS-01
IS-02
IS-03
An implementation of ISMP
included administrative,
technical, and physical safeguards
to protect assets and data from
loss, misuse, unauthorized access,
disclosure, alteration, and
destruction
AWS implements ISMS to address
security/privacy best practices and
provides details under NDA the
appropriate documentation
IS-04 An implementation of baseline
security requirements for
applications/DB/systems/network
in compliance with
policies/regulations/standards.
Baseline security requirements are
technically implemented with ‘deny’
configuration by default and documents
among the AWS security documents for
all services (ex. [8-24])
IS-05 An information security policy
review at planned intervals
Despite of AWS provides a lot of how-
to-docs, binary sources [8-24], [28-29]
are regularly updated, it’s better to
subscribe to the news via RSS and email,
because there is no other directly way to
be notified by AWS
IS-06 A sanction policy for violation
security policies
According to AWS If violation happens,
the appropriate disciplinary action is
followed
IS-07 An implementation of user access
policies to apps, DB, and the rest
in accordance with security,
compliance and SLA.
All AWS services featured by IAM that
provides powerful permissions items
with predefined templates; the rest
similar to the FS-02, HR-03, IS-04
IS-08 Documented policies for
granting/revoking access to apps,
DB, and the rest in accordance
with security, compliance and
SLA
Similar to the IS-07
IS-09 A revocation/modification of user
access to data upon any change in
status of employees, contractors,
customers, etc.
Any access is automatically revoked
when an employee’s/3rd contributor
record is terminated or changed with his
job functions in Amazon’s HR system. If
employee/3rd contributor was not fired
he will be reassigned with new access
rights that reviewed every 90 days

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
189
IS-10
IS-11
All levels of user access shall be
reviewed by management at
planned intervals and documented
while a security awareness
training program shall be
established for all contractors, 3rd
parties and employees and
mandated when appropriate.
Similar to the HR-02, HR-03
IS-12 Industry security knowledge and
benchmarking through
networking, specialist security
forums, and professional
associations
AWS is a member of industry
organizations and organizers events
IS-13 Roles and responsibilities of
contractors, employees and 3rd
party users shall be documented
as they relate to information
assets and security.
Similar to the HR-03
IS-14
IS-15
A responsibilities for maintaining
awareness of and complying with
security policies, procedures and
standards that are relevant to
manager area of responsibility
with providing a documentation
how maintains the segregation of
duties
Each employee have a Company's Code
of Business Conduct and Ethics and have
to complete a periodic training.
Customers should manage the
segregations of duties by themself. The
rest are certified by certified by
independent auditors
IS-16 Informing the users of their
responsibilities in regards to the
security policies, standards,
regulations and rules how to keep
the equipment
AWS provides the various ways to train
(newly hired employee; others by the
mails in AWS intranet) the employees
understand their roles and responsibilities
that certified by independent auditors
IS-17 Documented procedures for
clearing visible documents
containing sensitive data when a
workspace is unattended and
enforcement of workstation
session logout for a period of
inactivity.
Similar to the IS-16
IS-18
IS-19
Implemented
policies/mechanisms allowing
data encryption in storage (e.g.,
file servers, databases, and end-
user workstations) and data in
transmission (e.g., system
interfaces, over public networks,
and electronic messaging) as
well, key management too
If keys created on server side, AWS
creates the unique keys and utilizes it, if
it did on client side due the own or 3rd
party solutions, the customers can
manage it only. AWS encryption
mechanisms are available for S3 (Server
Side Encryption), EBS (encryption
storage for EC2 AMIs), SimpleDB, EC2
(due the EBS plus SSL), VPC (encrypted
connections and sessions), etc.
IS-20 Implemented policies and
mechanisms for vulnerability and
AWS provides their services with the
latest updates, performs analyzing

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
190
patch management on side of
apps, system, and network
devices
software updates on their criticality as
well as customer partially ability to
perform vuln scans and patching despite
of that and not violate the Policy
[40],[41-42]
IS-21 A capability of AV solutions to
detect, remove, and protect
against all known types of
malicious or unauthorized
software with antivirus signature
updates at least every 12 hours.
AWS does manage AV solutions
updates in compliance to ISO 27001 that
confirmed by independent auditors.
Additionally, customers should maintain
their own solutions to meet their
requirements
IS-22 Policies and procedures to triage
security related events and ensure
timely and thorough incident
management.
AWS has defined role responsibilities
and incident handling in internal
documents in compliance with ISO and
provides the AWS SOC 1 Type Report
IS-23
IS-24
Information security events shall
be reported through predefined
communications channels in a
prompt and expedient manner in
compliance with statutory,
regulatory and contractual
requirements
AWS contributes with it over [40-42]
IS-25 Availability mechanisms to
monitor and quantify the types,
volumes in case of information
security incidents.
AWS provides it in alignment with ISO
27001 that validated by independent
auditors
IS-26 Policies and procedures shall be
established for the acceptable use
of information assets.
According to AWS, the customers
manage and control their data only unless
it needs due the law requirements or
troubleshooting aimed at fix services
issues
IS-27 Employees, contractors and 3rd
party users must return all assets
owned by the organization within
a defined and documented time
frame once the employment,
contract or agreement has been
terminated.
N/A
IS-28
IS-29
A protection of e-commerce
related data traversing over public
networks.
Strong segmentation and
restriction due access to, and use
of, audit tools that interact with
the organizations information
systems to prevent compromise
and misuse of log data.
There is no information that AWS
involve in e-commerce solutions. Internal
audit tools are restricted to AWS
personnel to have only the access they
need to perform specific tasks; each
access is reviewed every 90 days.
IS-30 User access to diagnostic and
configuration ports shall be
Administrators are required to use MFA
to access such hosts that are designed

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
191
restricted to authorized
individuals and applications.
protect and continue have this access
unless no longer has a business need. All
such access is logged, audited and
reviewed every 90 days.
IS-31 Network and infrastructure SLA
(in-house or outsourced) shall
clearly document security
controls, capacity and other
requirements.
SLAs validated and certified by
independent auditors; utilization of
customer services housed in the cloud is
not mined.
IS-32
IS-33
Policies and mechanism to limit
access to sensitive data
(especially an application,
program or object source code)
from portable and mobile devices
AWS has this one, delineates the
minimum rights for logical access to
AWS resources and provides details with
AWS SOC 1 Type II report
IS-34 Utility programs capable of
potentially overriding system,
object, network, virtual machine
and application controls shall be
restricted.
AWS provides internal system tools
provided to perform specific tasks; each
access is reviewed every 90 days.
LG-01
LG-02
Periodically reviewing the NDA
and others requirements and
agreements by legal counsel. An
ability to monitor outsourced
providers in compliance with
laws per country.
Amazon Legal Counsel reviews 3rd party
agreements and NDA according to the
business needs. AWS does not leverage
any 3rd party cloud providers to deliver
AWS services to the customers.
OP-01
OP-02
Any policies, system
documentation are available for
all personnel to support services
operations roles with an
information system
documentation to the authorized
personnel to ensure the following:
• Configuring, installing, and
operating the information system
• Effectively using the system’s
security features
According to AWS, the policies are
alignment with AWS Information
Security framework based upon the
COBIT framework, ISO 27001 standard
and the PCI DSS requirements. Such
docs are available through the Amazon's
Intranet site.
OP-03 The availability, quality, and
adequate capacity and resources
shall be planned, prepared, and
measured to deliver the required
system performance.
AWS manages capacity and utilization
data in compliance to ISO 27001 that
certified by independent auditor
OP-04 Policies and procedures shall be
established for equipment
maintenance ensuring continuity
and availability of operations.
AWS has continuity policies developed
in order to ISO 27001 (domain 14.1) and
provides details in AWS SOC 1 report
RI-01
RI-02
RI-03
RI-04
A cloud insurance by a 3rd party
for the losses in regards to the
cloud vendors, tenants (due the
SLA) in alignment with the
documents procedures reviewed
AWS provides the detailed customer
remuneration for losses in SLA. The rest
internal procedures of managing and
mitigation the risks in alignment ISO
27001 (domain 4.2, 5.1) validated by

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
192
annually at least considering all
risk categories (e.g., audit results,
threat and vulnerability analysis,
and regulatory compliance)
independent auditors and a few details
among the AWS risks documents. Any
updates to such procedures occur each
year
RI-05 The identification, assessment,
and prioritization of risks posed
by business processes requiring
3rd party access to the
organization's information
systems and data shall be
followed by coordinated
application of resources to
minimize, monitor, and measure
likelihood and impact of
unauthorized or inappropriate
access. Compensating controls
derived from the risk analysis
shall be implemented prior to
provisioning access.
Employee or a third-party contractor has
a minimum set of privileges and can be
disabled by the hiring manager. All types
of access to any resources logged, as well
as its changes, it must be explicitly
approved in Amazon's proprietary
permission management system. All
changes led to revocation of previous
access because of explicitly approving
type to the resource
OR
Similar to the HR-02
RM-01 Any policies for new
development acquisitions
All new developed resources certified by
independent auditors in regards to ISO.
RM-02
RM-03
Changes to the production
environment shall be
documented, tested and approved
prior to implementation. A
program for the systematic
monitoring and evaluation to
ensure that standards of quality
are being met shall be established
for all software developed by the
organization.
All details provided with AWS SOC 1
Type II report. The standards of quality
are part of SDLC in compliance ISO
27001 (domain 10.1)
RM-04 A program for the systematic
monitoring and evaluation to
ensure that standards of quality
are being met shall be established
for all outsourced software
development. The development of
all outsourced software shall be
supervised and monitored by the
organization and must include
security requirements,
independent security review of
the outsourced environment by a
certified individual, certified
security training for outsourced
software developers, and code
reviews.
The standards of quality are part of
SDLC in compliance ISO 27001 (domain
10.1) that certified and validated by
independent auditors, however AWS
does not generally outsource
development of software
RM-05 An implementation of policies
and mechanisms to restrict the
installation of unauthorized
AWS does monitor the malicious
software in compliance with ISO 27001
(domain 10.4).

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
193
software.
RS-01
RS-02
RS-03
RS-04
RS-05
RS-06
RS-07
RS-08
Documented policy and
procedures defining continuity
and disaster recovery shall be put
in place to minimize the impact of
a realized risk event on the
organization to an acceptable
level and facilitate recovery of
information assets through a
combination of preventive and
recovery controls, in accordance
with regulations and standards.
Physical protection against
damage from natural causes and
disasters as well as deliberate
attacks including fire, flood, etc.
shall be implemented.
Such policies are in alignment with ISO
27001 ( domain 14.1);
AWS provides a Cloudwatch services to
monitor the state of AWS EC2, EBS,
ELB, SQS, SNS, DynamoDB, Storage
Gateways as well as a status history [38].
AWS provides several Availability Zones
in each of six regions to prevent failures,
but the customers are responsible to
manage it across regions or other clouds
vendors via API and SDK. A physical
protection is in compliance ISO 27001
and 27002. Information about the
transport routes is similar to the FS-06.1
SA-01 Prior to granting customers access
to data, assets and information
systems, all identified security,
contractual and regulatory
requirements for customer access
shall be addressed and
remediated.
Prior to using AWS services, customers
are required to review and agree to a
SLA
A-02 An implementation of user
credential and password controls
for apps, DB, server and network
infrastructure, requiring the
following minimum standards
AWS IAM [21-24] provides the securely
access and roles to the resources with
features to control access, create unique
entry points of users, cross AWS-
accounts access due API/SDK or IAM
console, create the powerful permissions
with duration and geo auth. AWS offers
identity federation and VPC tunnels led
to utilizing existing corporate identities
to access, temporary security credentials.
Additionally, the customers may avoid
the mistakes and risks by using an AWS
Policy Generator and MFA devices [39].
Covered the services are AWS Auto
Scaling, CloudFormation, CloudFront,
CloudSearch, CloudWatch, DynamoDB,
EBS, EC2, Elastic Beanstalk,
ElastiCache, ELB, Elastic MapReduce,
RDS, Route 53, S3, SES, SQS, SNS,
SimpleDB, Storage Gateway, VPC. IAM
allows creating and handling the sets
defined in accordance with the subrules
of SA-02 (in original version of CMM).
On AWS Side it is similar to FS-02
except ‘training’

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
194
SA-03
SA-04
SA-05
Implemented policies and
mechanisms designed in
accordance with industry
accepted security standards to
ensure security and integrity of
data exchanged between system
interfaces to prevent disclosure,
alteration or destruction
complying with legislative,
regulatory, and contractual
requirements. An availability of
I/O integrity routines for the
application interfaces and DB to
prevent errors and data corruption
AWS Security based upon the best
practices and standards (ISO
27001/27002, CoBIT, PCI DSS) that
certified by independent auditors to build
threat modeling and completion of a risk
assessment as a part of SDLC.
AWS implements this one through all
phases including transmission, storage
and processing data in compliance to ISO
27001 (domain 12.2) that certified by
independent auditors.
SA-06
SA-08
A segmentation of production and
non-production environments to
prevent unauthorized access, to
restrict connections between
trusted and untrusted networks for
use of all services, protocols, and
ports allowed
AWS provides a lot of how-to-docs,
binary sources (as an example [8-
24],[28-29])
SA-07 A requirement of MFA for all
remote user access.
MFA is not by default and depends on
the customer configuration [39]
SA-09
SA-10
SA-11
A system and network
environments separation via
firewalls in regards to isolation of
sensitive data, restrict
unauthorized traffic, enhanced
with strong encryption for
authentication and transmission,
replacing vendor default settings
(e.g., encryption keys, passwords,
SNMP community strings, etc.)
An internal segmentation is in alignment
with ISO and similar to the CO-05.1-2
while external is a part of the customer
responsibility. Internally, a traffic
restriction is too and has ‘deny/allow’
option in EC2/S3 by default (but the
explicitly cfg is recommended), etc.
Externally, the customers are able to use
SSL, encryption key, encryption
solutions, security policies to explicitly
approve the security settings (AWS, 3rd
party or their own) according to the
security docs, whitepapers
SA-12 An external accurate, externally
agreed upon, time source shall be
used to synchronize the system
clocks of all relevant information-
processing systems (US GPS
EU Galileo Satellite Network)
AWS services rely on the internal system
clocks synchronized via NTP
SA-13 A capability of an automated
equipment identification as a part
of authentication.
AWS provides such ability, for example
due the metadata, geo tags and other tags
created by the customers
SA-14 Audit logs recording privileged
user access activities, shall be
retained, complying with
applicable policies and
regulations, reviewed at least
ISO and provides the results with AWS
SOC 1 Type II Report. AWS has the
incident response program in compliance
too. Even the customers’ data stored with

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
195
daily and file integrity (host) and
network intrusion detection (IDS)
tools implemented to help
investigation in case of incidents.
strong isolation from AWS side and
restrictions made by them, additional
materials (SOC 1 Type II report) must be
requested to clarify all questions on
forensics. All data should be encrypted
on client side, because it leads to the
customers participation with law directly
as AWS do not have the keys in this case.
SA-15 A mobile code authorization
before its installation, prevention
from executing and using to a
clearly defined security policy
The customers are responsible to manage
it to meet their requirements.
IV. CONCLUSION
Any complex solutions and systems like
AWS, Azure, or GAE tend to prone to
securitycompromise, because they have to
operate large-scale computations, dynamic
configuration. Clouds vendors do usually not
disclose the technical details on security to
the customers, thus raising question how to
verify with appropriate requirements. The
cloud security depends on whether the cloud
vendors have implemented security controls
that documented and enhanced with policy.
However, there is a lack visibility into how
clouds operate; each of them differs from
other in levels of control, monitoring and
securing mechanisms that widely known for
non-cloud systems. The potential
vulnerability requires a high degree of
security combined with transparency and
compliance. AWS relies on security
frameworks based on various standards that
certified by third auditors and help the
customers to evaluate if/how AWS meets the
requirements. CAIQ/CCM provides
equivalent of recommendations over several
standards. The bad is allowing vendors to
provide fewer public details taking it to
NDA reports and writing general
explanations multiplied by general standards
recommendations (even in modern
documents like CSA).. CAIQ provides more
details on security and privacy than matrix
aligned to Cloud Security Guidance in 13
domains.
Besides the details from 3rd
party audit
reports customers may require assurance in
order t o local laws and regulations. It is
quite complicated of reducing the
implementation and configuration
information as a part of proprietary
information (that is not bad or good, just
complicated). In other words it may call for
specific levels of audit logging, activity
reporting, security controlling and data
retention that are often not a part of SLA
offered by providers. A result of an
examination of AWS security controls
against Russian security
standards/regulations shown in [45] and
partially in [7] is successfully passing
standards by use of native security features
implemented in AWS Console, CLI and
API/SDK only. It additionally includes
cases that the current AWS security features
should to be enhanced via third party
security solutions like national encryption on
client side before uploading data and ability
to indirectly comply with requirements.
Talking about security enhance, not only
security controls belong to cloud layer
(outside the VMs) should be used to protect
data, communications, memory etc. but also
internal OS controls and third party solutions
together. However, it excludes obsolescent
clauses and cases we need ‘just wait’ a
solution from AWS of inability to build and
implement appropriate and their promise to
‘release it soon’ in FAQ or others
documents. OS and third party solutions are

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
196
known for non-clouds system allow
protecting critical and confidential
information is present in different system,
configuration and other files to avoid
alteration, exposing, accessing of them.
Examination cloud solutions like Azure,
BES with AWS Azure, and Office365
with Cloud BES against other standards
(incl. Russians docs) is a part of further
research, however the signification direction
is improving existing CSA and NIST
recommendations in order to enhance
transparency via utilization primarily
technical requirements: on cloud layer, on
inter-VM/DB inter-cloud-services layer,
and on VM/DB layer.
REFERENCES
[1] P. Mell and T. Grance. The NIST definition of
cloud computing. recommendation of the
national institute of standards and technology,
NIST, 2011
[2] Abdullah Abuhussein, Harkeerat Bedi, Sajjan
Shiva, “Evaluating Security and Privacy in
Cloud Computing Services:A Stakeholder’s
Perspective”, The 7th International Conference
for Internet Technology and Secured
Transactions (ICITST-2012), pp. 388 – 395,
December 2012
[3] Jun Feng, Yu Chen, Pu Liu, “Bridging the
Missing Link of Cloud Data Storage Security in
AWS,” 7th
Consumer Communications and
networking Conference (CCNC), pp.1-2, Januray
2010
[4] Yan Hu, Fangjie Lu, Israr Khan, Guohua Bai, A
Cloud Computing Solution for Sharing
Healthcare Information”, The 7th International
Conference for Internet Technology and Secured
December 2012“
[5] Google cloud services – App Engine”. [Online
resource:
http://www.google.com/enterprise/cloud/appengi
ne/, Accessed:23-November-2012]
[6] “Technical Overview of the Security Features in
the Windows Azure Platform”. [Online resource:
http://www.google.com/enterprise/cloud/appengi
ne/, Accessed:23-November-2012]
[7] Y. Chemerkin, “AWS Cloud Security from the
point of view of the Compliance”, PenTest
Magazine, Software Press Sp. z o.o. Sp.
Komandytowa Warszawa, vol. 2 10 Issue
10/2012 (12) ISSN 2084-1116, pp. 50-59,
December 2012
[8] “Amazon EC2 User Guide. [Online resource:
http://docs.aws.amazon.com/AWSEC2/latest/Us
erGuide/, Accessed:05-December-2012]
[9] “Amazon EC2 Microsoft Windows Guide.
[Online resource:
http://docs.aws.amazon.com/AWSEC2/latest/Wi
ndowsGuide/, Accessed:05-December-2012]
[10]“Amazon EC2 Microsoft API Reference. [Online
resource:
http://docs.aws.amazon.com/AWSEC2/latest/AP
IReference/, Accessed:05-December-2012]
[11]“AWS Import/Export Developer Guide. [Online
resource:
http://aws.amazon.com/documentation/importex
port/, Accessed:16-December-2012]
[12]“Amazon Virtual Private Cloud Network
Administrator Guide. [Online resource:
http://docs.aws.amazon.com/AmazonVPC/latest/
NetworkAdminGuide, Accessed:05-December-
2012]
[13]“Amazon Virtual Private Cloud User Guide.
[Online resource:
http://docs.aws.amazon.com/AmazonVPC/latest/
UserGuide, Accessed:05-December-2012]
[14]“Amazon Direct Connect User Guide. [Online
resource:
http://docs.aws.amazon.com/DirectConnect/lates
t/UserGuide/, Accessed:05-December-2012]
[15]“Amazon Direct Connect API Reference .
[Online resource:
http://docs.aws.amazon.com/DirectConnect/lates
t/APIReference/Welcome.html, Accessed:05-
December-2012]
[16]“Amazon S3 Developer Guide. [Online resource:
http://docs.aws.amazon.com/AmazonS3/latest/de
v/, Accessed:20-December-2012]
[17]“Amazon S3 API Reference. [Online resource:
http://docs.aws.amazon.com/AmazonS3/latest/A
PI/, Accessed:20-December-2012]
[18]“Amazon S3 Console User Guide. [Online
resource:
http://docs.aws.amazon.com/AmazonS3/latest/U
G/, Accessed:20-December-2012]
[19]“Amazon Glacier Developer Guide. [Online
resource:
http://docs.aws.amazon.com/amazonglacier/lates
t/dev/, Accessed:20-December-2012]
[20]“Amazon Storage Gateway. [Online resource:
http://docs.aws.amazon.com/storagegateway/late
st/userguide/WhatIsStorageGateway.html,
Accessed:20-December-2012]
[21]“Amazon IAM API Reference. [Online resource:
http://docs.aws.amazon.com/IAM/latest/APIRefe
rence/, Accessed:29-December-2012]
[22]“Amazon Using Temporary Security Credentials.
[Online resource:
http://docs.aws.amazon.com/IAM/latest/UsingS
TS/, Accessed:29-December-2012]

›„‡”‹‡• –‡”ƒ–‹‘ƒŽ ‘—”ƒŽ‘ˆ‡ Š‘Ž‘‰›Ƭƒƒ‰‡‡–
197
[23]“Amazon AWS Security Token Service API
Reference. [Online resource:
http://docs.aws.amazon.com/STS/latest/APIRefe
[24]“Amazon Command Line Reference. [Online
resource:
http://docs.aws.amazon.com/IAM/latest/CLIRefe
[25]“DRAFT Cloud Computing Synopsis and
Recommendations,” NIST Special Publication
800-146. [Online resource:
http://csrc.nist.gov/publications/drafts/800-
146/Draft-NIST-SP800-146.pdf, Accessed:06-
January-2013]
[26]“Security Whitepaper. Google Apps Messaging
and Collaboration Products”, [Online resource:
http://cryptome.org/2012/12/google-cloud-
sec.pdf, Accessed:23-November-2013]
[27]Juraj Somorovsky, Mario Heiderich, Meiko
Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo
Iacono, All Your Clouds are Belong to us –
Security Analysis of Cloud Management
Interfaces, 3rd ACM workshop on Cloud
computing security workshop (CCSW), pp. 3-14,
October 2011
[28]“Reported SOAP Request Parsing
Vulnerabilities”, [Online resource:
https://aws.amazon.com/security/security-
bulletins/reported-soap-request-parsing-
vulnerabilities-reso/, Accessed 15-January-2013]
[29]“Xen Security Advisories”, [Online resource:
bulletins/xen-security-advisories/, Accessed 15-
January-2013]
[30]“The Essential Intelligent Client”, [Online
resource:
http://www.vmworld.com/servlet/JiveServlet/do
wnloadBody/5700-102-1-
8823/Intel%20The%20Essential%20Intelligent%
20Client.pdf, Accessed 15-January-2013]
[31]Cracking Passwords in the Cloud: Breaking PGP
on EC2 with EDPR [Online resource:
http://news.electricalchemy.net/2009/10/cracking
-passwords-in-cloud.html/, Accessed 22-
November-2013]
[32]“The most dangerous code in the world:
validating SSL certificates in non-browser
software”, 19th ACM Conference on Computer
and Communications Security, pp. 38-49,
October 2012
[33]“Reported SSL Certificate Validation Errors in
API Tools and SDKs”, [Online resource:
bulletins/reported-ssl-certificate-validation-
errors-in-api-tools-and-sdks/, Accessed 15-
January-2013]
[34]“CSA Cloud Controls Matrix v1.3” [Online
resource:
https://cloudsecurityalliance.org/research/cai/,
Accessed 22-January-2013]
[35]“CSA Consensus Assessments Initiative
Questionnaire v1.1” [Online resource:
https://cloudsecurityalliance.org/research/cai/,
Accessed 22-December-2012]
[36]“AWS Securtiy Bulletins” [Online resource:
bulletins/, Accessed 16-February-2013[
[37]“Products and Services by Region with AWS
Edge Locations” [Online resource:
http://docs.aws.amazon.com/AWSEC2/latest/Us
erGuide/using-regions-availability-zones.html,
Accessed 10-February-2013]
[38]“AWS Services Health Status with the history
status” [Online resource:
http://status.aws.amazon.com/, Accessed 16-
February-2013]
[39]“AWS MFA” [Online resource:
http://aws.amazon.com/mfa, Accessed 16-
February-2013]
[40]“AWS Vulnerability/Pentesting Request Form”
[Online resource:
https://portal.aws.amazon.com/gp/aws/html-
forms-
controller/contactus/AWSSecurityPenTestReque
st, Accessed 16-February-2013]
[41]“AWS Abuses reports (EC2, other AWS
services)” [Online resource:
https://portal.aws.amazon.com/gp/aws/html-
forms-controller/contactus/AWSAbuse,
Accessed 16-February-2013]
[42]“AWS Vulnerability Reporting” [Online
resource:
https://aws.amazon.com/security/vulnerability-
reporting/, Accessed 16-February-2013]
[43]Jeffrey Medsger, Avinash Srinivasan, ERASE-
EntRopy-based SAnitization of SEnsitive Data
for Privacy Preservation, The 7th International
Conference for Internet Technology and Secured
December 2012
[44]R. Kissel, M. Scholl, S. Skolochenko, and X. Li,
“Guidelines for media sanitization:
Recommendations of the national institute of
standards and technology,” in NIST SP 800-88
Report, 2006
[45]Y. Chemerkin, “Analysis of Cloud Security
against the modern security standards”, draft (is
going to be published in PenTest Magazine,
Software Press Sp. z o.o. Sp. Komandytowa
Warszawa in April-May

Cyber Times International Journal of Technology Management
CALL FOR PAPERS
At the outset, I take this opportunity to introduce “Cyber Times – International Journal of
Technology Management” which is a platform to provide an innovative view of Technology,
Management thinking, Realistic Research Studies and various Management Practices in the
Indian and Global perspective.
“Cyber Times – International Journal of Technology Management”, is a Bi-Annual Journal
and invites original research papers from different Research Scholars, Faculty Members, and
Industry Professionals in various domains of Technology, Management, Science and all other
categories. The detailed guidelines are attached along with this copy of journal for the
submission of research Paper for Publication.
Last date of Abstract Submission: 30th
July’ 2013
Last date of Full Paper Submission: 30th
August’ 2013 (Without Late Fee)
Last Date of Full Paper Submission: 15th
September’2013 (With Late Fee)
Note:
• The papers received for the final publication will be screened by the Evaluation
Committee for approval and only the selected Papers will be published in the coming
edition. Further information is available on the website (http://journal.cybertimes.in)
under the “Guidelines for paper Submission” section.
You are cordially invited to contribute your Research Paper for the publication in our next
edition. Authors are encouraged to submit their Research work document via Email. Abstract,
and Full Length Paper should be sent in .doc or .docx as an attachment separately to
editor@cybertimes.in
Moreover, in case of any further queries; please feel free to contact us and we’ll be happy to
assist you in a better way.
Looking for a Long-Term Association
Thanks Regards,
Dr. ANUP GIRDHAR
Editor-in-Chief (CYBER TIMES)

Guidelines to write Research Papers
1. RESEARCH PAPER TITLE: The title of the paper should be in Times New Roman
with Font Size 24. It should be Bold Typed, Centered Aligned and Fully Capitalized.
2. AUTHOR NAME (S) INFORMATION: The author (s) Full Name (with initials),
Designation, Address, Mobile/ Landline numbers, and E-mail/ Alternate Email
Address should be in Italic 12-Point with Times New Roman Font.
3. ABSTRACT: The abstract should not be more than 200-250 words and should be in full
Italics. The abstract must be illuminating and explain the Purpose, Scope Conclusion of
the research paper.
4. KEYWORDS: Abstract must be followed by a list of keywords. It should be 12-point
with Times New Roman Font. Keywords should be arranged in alphabetic order
separated by commas.
5. RESEARCH PAPER: Research Paper should be prepared in US ENGLISH on a
standard A4 size in PORTRAIT PAPER SETTING. The paper should be typed with
Double Column, Single-Line Spacing, 12 font, Times New Roman, and 1” margin on all
four sides of the page, MS Word compatible format text. It should be free from all the
grammatical, spelling and punctuation errors and must be edited carefully with the
support of your Guide. It should not be more than 10-12 pages.
6. HEADINGS: All the headings should be in14 point Times New Roman Font. The
heading text should be in Bold, Left Aligned and Fully Capitalized.
7. SUB-HEADINGS: All the sub-headings should be in 12 point Times New Roman Font.
The sub-heading text should be in Bold, Left Aligned and Fully Capitalized.
8. FIGURES TABLES: The Figure Table headings should be in 10 point Times New
Roman Font. It should be in Bold, Centre Aligned and Tittle Case. The figures Tables
should be Self-Made, Simple, Crystal clear, centered aligned, separately numbered
self-explained. Sources of data should be mentioned below the table/ figure and it
should be ensured that the tables/ figures are referred to, from the main text.
9. EQUATIONS: These should be consecutively numbered in parentheses, horizontally
centered with equation number placed at the right.
10. REFERENCES: The list of all references should be arranged alphabetically. The author
(s) should mention the actual utilized references in the preparation of Research Paper only
and should also mention it with numbering ([1] [2]) wherever it is used throughout the
paper. The title of books and journals should be in Italics. Double quotation marks should
be used for Titles of Journals, Articles, Book Chapters, Dissertations, Reports, Working
Papers, Unpublished material, etc.

“SEDULITY SOLUTIONS TECHNOLOGIES” is an ISO 9001:2008 Certified Organization.
It is a channel to provide the best Technical Solutions to various Corporate, Law-Enforcement
Agencies, Private/ Govt. Institutions etc. We offer innovative technical solutions with an in-
depth security Legal countermeasures that has helped various Govt. and Private sector
professionals, to provide advanced knowledge in terms of securing their Networks. Our
Expertise Team has been well recognized with their excellent performance many times in
everything it undertakes, be it Penetration Testing, IT Audits, E-Learning Solutions, Website
Developments, Cyber Security AMC’s via Sedulity Operating System, Consultancies and Hi-
Tech Trainings, Placement Activities, etc.
Services/ Solutions/ Products Offered are as follows:
• Penetration Testing
• IT Auditing
• Cyber Crime Investigation
• Network Security
• Security AMC’s
• Server Configurations (File Sever, SMS Server, Web Server, Database Server, E-
Mail Server, Proxy Server, and many more….)
• Hi-Tech Industrial Trainings for Engineering Faculties, Students, Corporate
Govt. Professionals.
• Secure Web development
• E-Learning Solutions via Web Portals and Products.
• SEO
• Sedulity Operating System (Editions available for Corporate, Developers, Ethical
Hackers, and Cyber Forensics) available in 32/ 64 bit, Client/ Server and many
more…….
For More details;
Contact:
Ph: 011-45651674, +91-9811572430
Email: contact@sedulitygroups.com
Website: http://sedulitygroups.com

Security_Compliance_Challenges_On_Clouds.pdf

More Related Content

Similar to Security_Compliance_Challenges_On_Clouds.pdf (20)

More from Yury Chemerkin (20)

Recently uploaded (20)

Security_Compliance_Challenges_On_Clouds.pdf