Misconfiguration of Software and Hardware
Primary reference(s)
NIST, no date. Misconfiguration. Glossary: Computer Security Resource Center. National Institute of Standards and Technology (NIST) Information Technology Laboratory. Accessed 9 November 2020.
Additional scientific description
Security configuration includes security rules configured in the cloud platform, network, virtual machines and various application components. It differs from a high-level security policy, which sets out the organisation’s approach to achieving its information security objectives (ITU, 2016). Misconfiguration means an incorrect or suboptimal configuration of a system component that may lead to vulnerabilities in the cloud platform, network, virtual machines and various application components (NIST, no date).
Cloud service providers (CSPs) should carry out integrated security configuration management to provide efficient implementation and fast deployment of the security configuration (ITU, 2016).
In security configuration management, it is suggested that CSPs set security policy configuration templates and security configuration policy baselines. Furthermore, CSPs should take measures to ensure the consistency and efficiency of security configuration when the cloud environment changes, and to isolate the security configuration between cloud service customers (CSCs) in a multi-tenancy environment (ITU, 2016).
Security configuration templates include the main templates of security configuration that the current cloud computing environment needs, such as account management, authentication, access control policies, audit policies, dynamic response policies, application and software update policies, and backup and recovery policies (ITU, 2016).
Security configuration baselines provide a criterion for the security configuration requirements of the entire cloud computing environment. They help CSPs evaluate whether the current security configuration meets the fundamental security level, and provide detailed guidance for reinforcement. The categories of security configuration baselines should include, but are not limited to, the following: operating system (OS) security configuration baselines, database security configuration baselines, firewall security configuration baselines, switch security configuration baselines, and router security configuration baselines.
Security configuration management involves the following measures (ITU, 2016):
- Security configuration template management: CSPs should set the main security templates for the demands of the cloud environment to make security configuration deployment faster and more convenient. Security configuration template management should support customised templates, and should update and optimise templates continuously according to changes in the cloud platform, network status, service requirements, and so on. Furthermore, CSPs should provide CSCs with the capability to customise new security configuration templates according to their own requirements. CSCs should also be responsible for the effectiveness of the security configuration that they customised.
- Security configuration process management: CSPs should verify the effectiveness of the security configuration. Security configuration can be configured according to CSC and cloud service requirements. The main process of security configuration management involves configuration request, configuration approval, testing and technical validation, implementing, configuration archiving and output report.
- Security configuration baseline management: CSPs should develop security configuration baselines by comprehensively considering the security requirements of the cloud computing platform, cloud service and CSCs, the security clauses of the service level agreement (SLA), etc. The main process of security configuration baseline management involves security configuration checking request and record, approval, checking implementing, checking report output, reinforcement implementing, and reinforcement report output. Security configuration checking should be executed periodically during daily operations and can be implemented through configuration collecting and baseline security analysis.
- Security configuration conflict management: In a resource-sharing cloud environment, faults caused by the security administrator or arising for other reasons might compromise the security configuration, which may result in vulnerabilities in the cloud computing environment. CSPs should implement efficient measures to detect security configuration conflicts and establish a security configuration conflict handling process and retrieval mechanisms. The handling process of security configuration conflict should involve conflict alarm, conflict analysis (which includes reasons and influences analysis), conflict handling and output report.
- Security configuration migration management: When a cloud computing resource or service changes (such as service capacity expansion, virtual machine [VM] migration, etc.), CSPs should provide dynamic security configuration adjustment means. For example, during VM migration, automatic security configuration policy migration can be implemented through migration status sensing, automatic matching and redeployment of the original security configuration policy, which could ensure security configuration policy consistency and fast deployment in the cloud environment and improve the efficiency of the security operation.
- Security configuration isolation management: In a multi-tenancy environment of cloud computing, CSPs should execute strict classification management of CSC security configuration, and take measures such as authentication, access control, etc. This is to ensure security configuration isolation between different CSCs.
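The baseline checking and conflict detection measures above can be sketched as follows. This is an added example, not taken from ITU-T X.1642 or NIST; the baseline values, setting names, tenant identifiers and function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed baseline: category -> setting -> (operator, required value).
BASELINE = {
    "os": {"password_min_length": ("min", 12), "ssh_root_login": ("eq", "no")},
    "firewall": {"default_inbound": ("eq", "deny")},
    "database": {"tls_required": ("eq", True), "audit_logging": ("eq", True)},
}

# Constructed "configuration collecting" output; "source" is who set the value.
COLLECTED = [
    {"tenant": "csc-a", "resource": "vm-01", "category": "os", "source": "template",
     "settings": {"password_min_length": 8, "ssh_root_login": "no"}},
    {"tenant": "csc-a", "resource": "fw-01", "category": "firewall", "source": "template",
     "settings": {"default_inbound": "deny"}},
    {"tenant": "csc-a", "resource": "fw-01", "category": "firewall", "source": "admin-override",
     "settings": {"default_inbound": "allow"}},
    {"tenant": "csc-b", "resource": "db-07", "category": "database", "source": "template",
     "settings": {"tls_required": True}},  # audit_logging was never set
]

def check_baseline(collected, baseline):
    """Return deviations as (tenant, resource, setting, actual, required)."""
    findings = []
    for rec in collected:
        for key, (op, required) in baseline.get(rec["category"], {}).items():
            actual = rec["settings"].get(key)  # an unset value is a deviation
            if actual is None:
                ok = False
            elif op == "min":
                ok = actual >= required
            else:
                ok = actual == required
            if not ok:
                findings.append((rec["tenant"], rec["resource"], key, actual, required))
    return findings

def find_conflicts(collected):
    """Return settings given different values by different sources on one resource."""
    seen = defaultdict(dict)  # (tenant, resource, setting) -> {source: value}
    for rec in collected:
        for key, value in rec["settings"].items():
            seen[(rec["tenant"], rec["resource"], key)][rec["source"]] = value
    return {k: v for k, v in seen.items() if len(set(v.values())) > 1}

def report_by_tenant(findings):
    """Group findings per CSC so one customer's report never lists another's."""
    out = defaultdict(list)
    for tenant, *rest in findings:
        out[tenant].append(tuple(rest))
    return dict(out)
```

The per-tenant grouping reflects the isolation measure: each CSC's checking report contains only that CSC's resources.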
Metrics and numeric limits
Not identified.
Key relevant UN convention / multilateral treaty
Not identified.
Examples of drivers, outcomes and risk management
Challenges to the management mode of cloud computing: The characteristics of cloud computing, such as cross-regional services, huge computing power, and separation of data management and ownership, distinguish it from traditional information technology (IT) services. These challenges require CSPs to manage branch nodes effectively and have them co-operate to solve security problems. CSPs will need necessary technical measures (such as security configuration management), a reasonable distribution of management authority, and a set of effective management rules and processes to prevent the leakage of user data. For example, CSPs should take measures to prevent internal administrators from overstepping their authority so as to prevent users from abusing the cloud computing resources (ITU, 2016).
Health status monitoring of the cloud computing infrastructure: CSPs should provide the capability to collect and monitor the security event logs, vulnerability information, alteration of security device configuration, performance and operational status on all objects of the cloud computing infrastructure, which include VM resources, cloud computing management platform, security devices, database, etc. This monitoring can help CSPs to keep a perceptive awareness of the overall health status and operating status of the cloud infrastructure (ITU, 2016).
References
ITU, 2016. Series X: Data Networks, Open System Communications and Security. Cloud computing security best practices and guidelines. ITU-T Telecommunication Standardization Sector of ITU (03/2016) Series X.1642. International Telecommunication Union (ITU). Accessed 29 April 2021.
NIST, no date. Misconfiguration. Glossary: Computer Security Resource Center. National Institute of Standards and Technology (NIST) Information Technology Laboratory. Accessed 9 November 2020.