Defined Categories of Service 2011

CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011

Introduction

The permanent and official location for the Cloud Security Alliance Security as a Service research is: https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/

© 2011 Cloud Security Alliance. All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Security as a Service” at https://cloudsecurityalliance.org/wpcontent/uploads/2011/09/SecaaS_V1_0.pdf subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “Security as a Service” Version 1.0 (2011).

Copyright © 2011 Cloud Security Alliance


Table of Contents

• Introduction
• Foreword
• Acknowledgments
• Executive Summary
• Category 1: Identity and Access Management
• Category 2: Data Loss Prevention
• Category 3: Web Security
• Category 4: Email Security
• Category 5: Security Assessments
• Category 6: Intrusion Management
• Category 7: Security Information and Event Management (SIEM)
• Category 8: Encryption
• Category 9: Business Continuity and Disaster Recovery
• Category 10: Network Security


Foreword

Welcome to the Cloud Security Alliance’s “Security as a Service,” Version 1.0. This is one of many research deliverables CSA will release in 2011. There is currently a lot of work regarding the security of the cloud and data in the cloud, but until now there has been limited research into the provision of security services in an elastic cloud model that scales as the client requirements change. This paper is the initial output from research into how security can be provided as a service (SecaaS).

Also, we encourage you to download and review our flagship research, “Security Guidance for Critical Areas of Focus in Cloud Computing,” which you can download at: http://www.cloudsecurityalliance.org/guidance

Best Regards,

Jerry Archer

Alan Boehme

Dave Cullinane

Nils Puhlmann

Paul Kurtz

Jim Reavis

The Cloud Security Alliance Board of Directors


Acknowledgments

Co-chairs: Kevin Fielder: GE, Cameron Smith: Zscaler

Working Group Leaders: Runa Desai Delal: Agama Consulting, Ulrich Lang: ObjectSecurity, Atul Shah: Microsoft, Aaron Bryson: Cisco, Mark Hahn: TCB Technologies, Wolfgang Kandek: Qualys, John Hearton: Secure Mission Solutions, Justin Foster: Trend Micro, Ben Chung: HP, Jens Laundrup: Emagined Security, Geoff Webb: Credant Technologies, Kevin Fielder: GE, Cameron Smith: Zscaler, Ken Owens: Savvis

Steering Committee: Scott Chasin: McAfee, Kevin Fielder: GE Global, Patrick Harding: Ping Identity, John Hearton: Secure Mission Solutions, Bernd Jager: Colt, Joe Knape: AT&T, Marlin Pohlman: EMC, Jim Reavis: Cloud Security Alliance, Archie Reed: HP, J.R. Santos: Cloud Security Alliance, Cameron Smith: Zscaler, Michael Sutton: Zscaler, Brian Todd: ING

SecaaS Members: Lenin Aboagye: Apollo Group Inc., Ravikanth Anisingaraju: Nexus Informatics, Dave Asprey: Trend Micro, Karim Benzidane, Aaron Bryson: Cisco, Ben Chung: HP, Joel Cort: Xerox, Ricardo Costa: ESTG, Runa Desai Dalal: Agama Consulting, Jeff Finch: Interoute, Justin Foster: Trend Micro, Matthew Gardiner: CA Technologies, Suptrotik Ghose: Microsoft, Mark Hahn: TCB Technologies, Jeff Huegel: AT&T, Wolfgang Kandek: Qualys, Tuhin Kumar, Vijay Kumar Teki: HCL Technologies, Taiye Lambo: eFortresses, Jens Laundrup: Emagined Security, David Lingenfelter: Fiberlink, Drew Maness: Technicolor, Ken Owens: Savvis, Naynesh Patel: Simeio Solutions, Mike Qu, Kanchanna Ramasamy Balraj, Atul Shah: Microsoft, Said Tabet: EMC, Hassan Takabi: University of Pittsburgh, Danielito Vizcayno: E*Trade, Geoff Webb: Credant Technologies, Arnold Webster: EC-Council University, Nick Yoo: McKesson Corp.

Contributors: Jim Beadel: AT&T, Cheng-Yin Lee: CSA, Jie Wang: Converging Stream Technologies, Inc, Kapil Assudani: HCSC, Valmiki Mukherjee: (ISC)2, JP Morgenthal: Smartronix Cloud Security Alliance DC Chapter, Vladimir Jirasek: Nokia, Amol Godbole: Cisco Systems, Tuhin Kumar: Oracle Corp., Martin Lee: Symantec.cloud, Andrey Dulkin: Cyber-Ark Software, John Hearton: Secure Mission Solutions, Nandakumar: Novell, Bernd Jaeger: Colt Technology Services, Tyson Macaulay: Bell Canada, Lenin Aboagye: Apollo Group, David Treece: Edgile, Benzidane Karim: NTIQual, Atul Shah: Microsoft, Mark Hahn: TCB Technologies, Inc., Bradley Anstis: M86 Security, JD Hascup: Weyerhaeuser, Balaji Ramamoorthy: TCG, Hassan Takabi: University of Pittsburgh, Henry St. Andre: inContact, Faud Khan: TwelveDot, Inc., MS Prasad: Rediffmail, Gaurav Godhwani: Student, Ang Puay Young: Singapore Ministry of Health Holdings, Ted Skinner: Harris Corporation


CSA Staff: Jim Reavis: Executive Director, J.R. Santos: Research Director, John Yeoh: Research Analyst, Amy Van Antwerp: Technical Writer/Editor, Kendall Scoboria: Graphic Designer, Evan Scoboria: Web Developer


Executive Summary

Cloud Computing represents one of the most significant shifts in information technology many of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility has great potential, promising innovations we cannot yet imagine.

Customers are both excited and nervous at the prospects of Cloud Computing. They are excited by the opportunities to reduce capital costs. They are excited for a chance to divest infrastructure management and focus on core competencies. Most of all, they are excited by the agility offered by the on-demand provisioning of computing resources and the ability to align information technology with business strategies and needs more readily. However, customers are also very concerned about the security risks of Cloud Computing and the loss of direct control over the security of systems for which they are accountable.

Vendors have attempted to satisfy this demand for security by offering security services in a cloud platform, but because these services take many forms, they have caused market confusion and complicated the selection process. This has led to limited adoption of cloud-based security services thus far. However, the future looks bright for SecaaS, with Gartner predicting that cloud-based security service use will more than triple in many segments by 2013.

To aid both cloud customers and cloud providers, CSA has embarked on a new research project to provide greater clarity on the area of Security as a Service. Security as a Service refers to the provision of security applications and services via the cloud, either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems. This will enable enterprises to make use of security services in new ways, or in ways that would not be cost effective if provisioned locally.

Numerous security vendors are now leveraging cloud-based models to deliver security solutions. This shift has occurred for a variety of reasons, including greater economies of scale and streamlined delivery mechanisms. Consumers are increasingly faced with evaluating security solutions which do not run on-premises. Consumers need to understand the unique nature of cloud-delivered security offerings so they can evaluate the offerings and understand if they will meet their needs.

Based on survey results collected from prominent consumers of cloud services, the following security service categories are of most interest to experienced industry consumers and security professionals:

• Identity and Access Management (IAM)
• Data Loss Prevention (DLP)
• Web Security
• Email Security
• Security Assessments
• Intrusion Management
• Security Information and Event Management (SIEM)
• Encryption
• Business Continuity and Disaster Recovery
• Network Security


Category #1: Identity and Access Management (IAM)

Description: Identity and Access Management (IAM) should provide controls for assured identities and access management. IAM includes people, processes, and systems that are used to manage access to enterprise resources by assuring that the identity of an entity is verified and that it is granted the correct level of access based on this assured identity. Audit logs of activity such as successful and failed authentication and access attempts should be kept by the application / solution.

Class: Protective/Preventative

SERVICES

CORE FUNCTIONALITIES
• Provisioning/de-provisioning of accounts (of both cloud & on-premise applications and resources)
• Authentication (multiple forms and factors)
• Directory services
• Directory synchronization (multilateral as required)
• Federated SSO
• Web SSO (e.g. granular access enforcement & session management; different from Federated SSO)
• Authorization (both user and application/system)
• Authorization token management and provisioning
• User profile & entitlement management (both user and application/system)
• Support for policy & regulatory compliance monitoring and/or reporting
• Federated provisioning of cloud applications
• Self-service request processing, such as password reset, setting up challenge questions, requests for roles/resources, etc.
• Privileged user management / privileged user password management
• Policy management (incl. authorization management, role management, compliance policy management)
• Role Based Access Controls (RBAC) (where supported by the underlying system/service)

OPTIONAL FEATURES
• Support for DLP
• Granular activity auditing broken down by individual
• Segregation of duties based on identity entitlement
• Compliance-centric reporting

Includes: User Centric ID Provider, Federated IDs, Web-SSO, Identity Provider, Authorization Management Policy Provider, Electronic Signature, Device Signature, User Managed Access
Related Services: DLP, SIEM
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federated Services (ADFS2), WS-Federation
Service Model: SaaS, PaaS
CSA Domains (v2.1): 4, 12

THREATS ADDRESSED
• Identity theft
• Unauthorized access
• Privilege escalation
• Insider threat
• Non-repudiation
• Excess privileges / excessive access
• Delegation of authorizations / entitlements
• Fraud

CHALLENGES
• Lack of standards and vendor lock-in
• Identity theft
• Unauthorized access
• Privilege escalation
• Insider threat
• Non-repudiation
• Least privilege / need-to-know
• Segregation of administrative (provider) vs. end user (client) interface and access
• Delegation of authorizations/entitlements
• Attacks on identity services such as DDoS
• Eavesdropping on identity service messaging (non-repudiation)
• Password management (communication, retrieval): different requirements across clients
• Resource hogging with unauthorized provisioning
• Complete removal of identity information at the end of the life cycle
• Real-time provisioning and de-provisioning
• Lack of interoperable representation of entitlement information
• Dynamic trust propagation and development of trusted relationships among service providers
• Transparency: security measures must be available to the customers to gain their trust
• Developing a user-centric access control where user requests to service providers are bundled with their identity and entitlement information
• Interoperability with existing IT systems and existing solutions with minimum changes
• Dynamically scale up and down; scale to hundreds of millions of transactions for millions of identities and thousands of connections in a reasonable time
• Privacy preservation across multiple tenants
• Multi-jurisdictional regulatory requirements

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud
• CA Arcot Webfort
• CyberArk Software Privileged Identity Manager
• Novell Cloud Security Services
• ObjectSecurity OpenPMF (authorization policy automation, for private cloud only)
• Symplified

Non-Cloud
• Novell Identity Manager
• Oracle Identity Manager
• Oracle Access Manager Suite

REFERENCES / ADDITIONAL RESOURCES
• https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
• CSA Silicon Valley cloud authorization policy automation presentation: http://www.objectsecurity.com/en-resources-video-20110208-webinar-79898734.htm (Alternate download: http://www.objectsecurity.com/en-contact-resources.html)


Category #2: Data Loss Prevention

Description: Data Loss Prevention is the monitoring, protection and verification of the security of data at rest, in motion and in use, both in the cloud and on-premises. DLP services usually protect data by running as some sort of client on desktops / servers and enforcing rules around what can be done. Where these differ from broad rules like “No FTP” or “No uploads to web sites” is the level to which the services understand data. A few examples of policies you can specify are “No documents with numbers that look like credit cards can be emailed,” “Anything saved to USB storage is automatically encrypted and can only be decrypted on another office-owned machine with a correctly installed DLP client,” and “Only clients with functioning DLP software can open files from the fileserver.” Within the cloud, DLP services could be offered as part of the build, such that all servers built for that client get the DLP software installed with an agreed set of rules deployed.

Class: Preventative

SERVICES

CORE FUNCTIONALITIES
• Data labeling and classification
• Identification of sensitive data
• Predefined policies for major regulatory statutes
• Context detection heuristics
• Structured data matching (data-at-rest)
• SQL regular expression detection
• Traffic spanning (data-in-motion) detection
• Real-time user awareness
• Security level assignment
• Custom attribute lookup
• Automated incident response
• Signing of data
• Cryptographic data protection and access control
• Machine-readable policy language

OPTIONAL FEATURES
• Rate domains
• Smart response (integrated remediation workflow)
• Automated event escalation
• Automated false positive signature compensation
• Unstructured data matching
• File / directory integrity via hashing
• Integration with intrusion detection systems
• Multiple language pack
• Data privacy
• Chain of evidence services to support investigations and prosecutions

Includes: Encryption, Meta-data tagging, Data Identification, Multilingual fingerprinting, Data leakage detection, Policy management and classification, Transparent data encryption, Policy controlled data access, storage and transportation, Dynamic data masking
Related Services: IAM
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), ESG
Service Model: SaaS, PaaS

THREATS ADDRESSED
• Data loss/leakage
• Unauthorized access
• Malicious compromises of data integrity
• Data sovereignty issues
• Regulatory sanctions and fines

CHALLENGES
• Data may be stolen from the datacenter virtually or even physically
• Data could be misused by the datacenter operator or other employees with access
• Compliance requires certifying the cloud stack at all levels repeatedly
• Data sovereignty issues reduce customer rights with regard to governments
• Encrypted data
• Performance when analyzing and monitoring large / heavily accessed data sets
• False negatives / false positives (tuning)
• Rule base may be complex to manage
• Outside of ‘known’ items such as credit card numbers and social security numbers, data can only be classified with detailed input from the end user
• Lack of data classification standards
• Ensuring customer data segregation when multiple tenants are present

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud
• BlueCoat
• IBM
• Imperva
• Oracle
• Reconnex
• RSA
• Symantec/Vontu
• Websense
• Zscaler

Non-Cloud
• Digital Guardian
• Palisade Systems PacketSure
• Symantec Protection Suite Enterprise Edition

REFERENCES
• http://www.technewsworld.com/story/66562.html
• http://www.datalossbarometer.com/14945.htm
• http://community.websense.com/blogs/websense-media-coverage/archive/2010/07/20/channelinsider-websense-plans-to-tap-microsoft-channel-cloud-dlp-innovatin-in-the-present-and-future.aspx
• http://www.asiacloudforum.com/content/vmmare-embeds-rsa-dlp-virtual-environments
• http://searchsecuritychannel.techtarget.com/news/1374080/Partner-Engage-2009-VARs-dish-on-DLPimplementation-and-the-cloud
• http://infinite-identities.blogspot.com/2009/12/next-cloud-security-frontier-dlp-for.html
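The outbound-email policy quoted in the DLP description, “No documents with numbers that look like credit cards can be emailed,” as an added worked example (not code from the CSA paper or from any vendor it lists): candidate digit runs are Luhn-checked so order and phone numbers of similar length are not flagged, and the incident record masks the number. The message structure and field names are assumptions made for the example.

```python
"""Outbound-email DLP check for the policy "no documents with numbers that
look like credit cards can be emailed". Added example, not from the CSA paper."""
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or hyphens, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalised digit strings that look like card numbers.
    The Luhn filter drops most order/reference numbers of similar length."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so the incident log does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def evaluate_outbound_email(message: dict) -> dict:
    """Apply the policy to a message shaped as
    {"to": [...], "body": str, "attachments": {name: text}} (assumed format).
    Returns the action plus a masked incident record for the DLP console."""
    incidents = []
    for pan in find_card_numbers(message.get("body", "")):
        incidents.append({"location": "body", "pan": mask(pan)})
    for name, content in message.get("attachments", {}).items():
        for pan in find_card_numbers(content):
            incidents.append({"location": "attachment:" + name, "pan": mask(pan)})
    return {
        "action": "block" if incidents else "allow",
        "recipients": message.get("to", []),
        "incidents": incidents,
    }


# Constructed sample messages (test card numbers, not real data).
SAMPLE_CLEAN = {
    "to": ["partner@example.net"],
    "body": "Order 1234567890123 shipped. Call +1 415 555 0100 with questions.",
    "attachments": {},
}
SAMPLE_LEAK = {
    "to": ["someone@example.org"],
    "body": "Please charge the card on file.",
    "attachments": {
        "invoice.txt": "Card: 4111 1111 1111 1111 exp 12/29\n"
                       "Backup card: 5500-0000-0000-0004"
    },
}

if __name__ == "__main__":
    for msg in (SAMPLE_CLEAN, SAMPLE_LEAK):
        print(evaluate_outbound_email(msg))
```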


Category #3: Web Security

Description: Web Security is real-time protection offered either on-premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the cloud provider. This provides an added layer of protection on top of things like AV to prevent malware from entering the enterprise via activities such as web browsing. Policy rules around the types of web access and the times at which this is acceptable can also be enforced via these technologies.

Class: Protective, detective, reactive

SERVICES

CORE FUNCTIONALITIES
• Web filtering
• Malware, spyware & bot network analysis and blocking
• Phishing site blocker
• Instant messaging scanning
• Email security
• Bandwidth management / traffic control
• Data Loss Prevention
• Fraud prevention
• Web access control
• Backup
• SSL (decryption / hand-off)
• Usage policy enforcement

OPTIONAL FEATURES
• Rate domains
• Categorize websites by URL/IP address
• Rate sites by user requests
• Transparent updating of user mistakes
• Categorize and rate websites as needed
• Categorize websites for policy enforcement
• Recognize multiple languages
• Categorize top-level domains
• Block downloads with spoofed file extensions
• Strip potential spyware downloads from high-risk sites

Includes: Email Server, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management, Anti-phishing
Related Services: Firewalls, Proxy, DLP, Email Security
Related Technologies and Standards: HTTP/HTTPS, RuleML, XML, PHP, anti-virus
Service Model: SaaS, PaaS
CSA Domains (v2.1): 5, 10

THREATS ADDRESSED
• Keyloggers
• Domain content
• Malware
• Spyware
• Bot network
• Phishing
• Virus
• Bandwidth consumption
• Data loss
• Spam

CHALLENGES
• Constantly evolving threats
• Insider circumvention of web security
• Compromise of the web filtering service by proxy
• Potentially higher cost of real-time monitoring
• Lack of features vs. premise-based solutions
• Lack of policy granularity and reporting
• Relinquishing control
• Encrypted traffic

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud
• BlueCoat
• RSA
• TrendMicro
• Websense
• zScaler

Non-Cloud
• Barracuda
• BlueCoat
• Cisco
• McAfee
• Symantec
• Watchguard

REFERENCES / ADDITIONAL RESOURCES
• http://www.technewsworld.com/story/66562.html
• BT case study: http://www.globalservices.bt.com/static/assets/pdf/case_studies/EN_NEW/edinburgh_cc_web_security_case_study.pdf
• W3C Web Security FAQ: http://www.w3.org/Security/Faq/
• OWASP: https://www.owasp.org/index.php/Main_Page


Category #4: Email Security

Description: Email Security should provide control over inbound and outbound email, thereby protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam, and providing business continuity options. In addition, the solution should allow for policy-based encryption of emails, as well as integrating with various email server solutions. Digital signatures enabling identification and non-repudiation are also features of many email security solutions.

Class: Protective, detective, reactive

SERVICES

CORE FUNCTIONALITIES
• Accurate filtering to block spam and phishing
• Deep protection against viruses and spyware before they enter the enterprise perimeter
• Flexible policies to define granular mail flow and encryption
• Rich, interactive and correlated real-time reporting
• Deep content scanning to enforce policies
• Option to encrypt some / all emails based on policy
• Integration with various email server solutions

OPTIONAL FEATURES
• Secure archiving
• Web-mail interface
• Full integration with in-house identity system (LDAP, Active Directory, etc.)
• Mail encryption, signing & time-stamping
• Flexible integration
• Data Loss Prevention (DLP) for SMTP and webmail
• E-discovery
• Email system backup (e.g., stores mail on cloud provider infrastructure until customer systems are restored)
• IDS / IPS for the mail servers
• Digital signatures

Includes: Content security, Antivirus/Anti-malware, Spam filtering, Email encryption, DLP for outbound email, Web mail, Anti-phishing
Related Services: DLP, Web Security, Business Continuity
Related Technologies and Standards: SMTP (ESMTP, SMTPS), IMAP, POP, MIME, S/MIME, PGP
Service Model: SaaS
CSA Domains (v2.1): 3, 5

THREATS ADDRESSED
• Phishing
• Intrusion
• Malware
• Spam
• Address spoofing

CHALLENGES
• Portability
• Storage
• Use of unauthorized webmail for business purposes
• Management of logs and access to logs
• Ensuring no access to emails by cloud provider staff

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud
• Barracuda Networks
• Gmail for Domains (Google Apps)
• McAfee
• Message Labs / Symantec Cloud
• Microsoft Cloud Services
• Postini (Google)
• TrendMicro
• Zscaler Email Security

Non-Cloud
• Postini
• Symantec
• WebSense

REFERENCES / ADDITIONAL RESOURCES
• http://www.eweek.com/c/a/Messaging-andCollaboration/SAAS-Email-From-Google-Microsoft-ProvesCost-Effective-For-Up-to-15K-Seats/
• http://www.symanteccloud.com/datasheet/Technical_doc_Ext_Web_Global.pdf


Category #5: Security Assessment

Description: Security assessments are third-party audits of cloud services, or assessments of on-premises systems via cloud-provided solutions, based on industry standards. Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO, and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model. In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administration overhead, and pay-per-use with low initial investments.

While not the focus of this effort, additional challenges arise when these tools are used to audit cloud environments. Multiple organizations, including the CSA, have been working on guidelines to help organizations understand the additional challenges:

• Virtualization awareness of the tool, frequently necessary for IaaS platform auditing
• Support for common web frameworks in PaaS applications
• Compliance controls for IaaS, PaaS, and SaaS platforms
• Standardized questionnaires for XaaS environments that help address:
  o What should be tested in a cloud environment?
  o How does one assure data isolation in a multi-tenant environment?
  o What should appear in a typical infrastructure vulnerability report?
  o Is it acceptable to use results provided by the cloud provider?

Class: Detective

SERVICES

CORE FUNCTIONALITIES
• Governance: process by which policies are set and decision making is executed
• Risk Management: process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions
• Compliance: process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
• Technical compliance audits: automated auditing of configuration settings in devices, operating systems, databases, and applications
• Application security assessments: automated auditing of custom applications
• Vulnerability assessments: automated probing of network devices, computers and applications for known vulnerabilities and configuration issues
• Penetration testing: exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically requiring manual assistance
• Security / risk rating: assessment of the overall security / vulnerability of the systems being tested, e.g. based on the OWASP Risk Rating Methodology

OPTIONAL FEATURES
• SI/EM integration
• Physical security assessments

Includes: Internal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment
Related Services: Intrusion Management
Related Technologies and Standards: SCAP (FDCC), CVSS, CVE, CWE, SCAP, CYBEX
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 2, 4

THREATS ADDRESSED
• Inaccurate inventory
• Lack of continuous monitoring
• Lack of correlation information
• Lack of complete auditing
• Failure to meet/prove adherence to regulatory/standards compliance
• Insecure / vulnerable configurations
• Insecure architectures
• Insecure processes / processes not being followed

CHALLENGES
• Standards are at different maturity levels in the various sections
• Certification & accreditation
• Boundary definition for any assessments
• Skills of tester(s) / assessors
• Accuracy
• Inconsistent ratings from different individuals / vendors
• Typically limited to known vulnerabilities

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud
• Agiliance
• Core Security
• Modulo
• Qualys
• Veracode
• WhiteHat

Non-Cloud
• Agiliance
• Archer
• Cenzic
• Core Security
• eEye
• HP
• Immunity
• Modulo
• nCircle
• Rapid7
• Saint
• Symantec
• Tenable

REFERENCES / ADDITIONAL RESOURCES
• CSA Guidance: https://cloudsecurityalliance.org/research/projects/
• https://cloudsecurityalliance.org/grcstack.html
• Gartner - GRC definition: http://blogs.gartner.com/french_caldwell/2010/01/12/wecome-to-kill-grc-not-to-praise-it/
• NIST (800-146): http://csrc.nist.gov/publications/drafts/800-146/DraftNIST-SP800-146.pdf
• http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
• ENISA Information Assurance: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
• BSI Cornerstones Cloud Computing (in German): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/EckpunktepapierSicherheitsempfehlungen-CloudComputing-Anbieter.pdf
• CAMM: common-assurance.com
• http://objectsecurity-mds.blogspot.com/2009/06/modeldriven-security-accreditation.html
• http://www.oceg.org/


Category #6: Intrusion Management

Description: Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop or prevent an intrusion. The methods of intrusion detection, prevention, and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about implementing the same protection in cloud environments. Examples of how cloud-based Intrusion Management could be offered include:
• Provided by the Cloud Service Provider
• Provided by a third party (routing traffic through a SecaaS)
• Hybrid SaaS with third-party management and host-based or virtual appliances running in the cloud consumer's context

Class: Detective, protective, reactive

SERVICES

CORE FUNCTIONALITIES

General
 Identification of intrusions and policy violations
 Automatic or manual remediation actions
 Coverage for: Workloads; Virtualization Layer (VMM/Hypervisor); Management Plane; Cloud and other APIs
 Updates to address new vulnerabilities, exploits and policies

Network Security (NBA, NIPS/NIDS or HIPS/HIDS using network)
 Deep Packet Inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic

System/Behavioral
 One or more of: System Call Monitoring; System/Application Log Inspection; Integrity Monitoring of the OS (files, registry, ports, processes, installed software, etc.); Integrity Monitoring of the VMM/Hypervisor; VM Image Repository Monitoring

OPTIONAL FEATURES
 Central Reporting
 SIEM Integration
 Administrator Notification
 Customization of policy (automatic or manual)
 Mapping to cloud-layer tenancy
 Cloud-sourced information to reduce false positives and improve coverage
 Remote storage or transmission of integrity information, to prevent local evasion

Includes: Packet Inspection, Detection, Prevention, IR
Related Services: Web Security, Secure Cloud & Virtualization Security
Related Technologies and Standards: DPI, Event correlation and pattern recognition
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 13

THREATS ADDRESSED
 Intrusion
 Malware

CHALLENGES

General Challenges:
 Proliferation of SSL required by deployment in public clouds adds complexity or blocks visibility for network-based IDS/IPS
 Complexity and immaturity of Intrusion Management for APIs
 Lack of tools to manage instance-to-instance relationships
 Wire-speed performance with full malware / attack coverage not meeting expectations

Specific to Cloud Consumers:
 Current lack of virtual SPAN ports in public cloud providers for typical deployment of NIDS or NBA
 Current lack of network-edge TAP interfaces in public cloud and virtual private cloud for typical deployment of NIPS
 Inability to utilize hypervisor (vSwitch/vNIC) introspection
 Latency, resiliency and bandwidth concerns with proxying network traffic through virtual appliances or third-party services
 Privacy concerns of service-based security
 Short-lived instances (HIDS/HIPS logs can be lost)
 Performance limitations with network traffic in a shared environment
 Ownership / managing access to monitoring equipment and data

Specific to Cloud Service Providers:
 Policy management in a multi-tenant environment
 Policy management for application-layer multi-tenancy (SaaS, some PaaS services such as Microsoft SQL Azure)
 Complexity of deployment and configuration

REFERENCES / ADDITIONAL RESOURCES
 Cloud Security Alliance Guidance: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
 NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS): http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
 Intrusion Detection: http://en.wikipedia.org/wiki/Intrusion_detection_system
 Intrusion Prevention: http://en.wikipedia.org/wiki/Intrusion_prevention_system

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud
 Alert Logic Threat Manager
 Arbor Peakflow X
 Check Point - Security Gateway Virtual Edition
 Cloudleverage Cloud IPS/firewall
 Cymtec Scout
 eEye Digital Security Blink
 IBM Proventia
 McAfee - Host Intrusion Prevention
 Sourcefire - 3D System
 StoneGate - Virtual IPS
 Symantec Critical System Protection
 Symantec Endpoint Protection
 Trend Micro Deep Security
 Trend Micro Threat Detection Appliance
 TrustNet iTrust SaaS Intrusion Detection
 XO Enterprise Cloud Security

Non-Cloud
 AIDE
 CA eTrust Intrusion Detection
 Check Point IPS
 Corero - Top Layer IPS
 Cetacea Networks - OrcaFlow
 Cisco Guard / IPS
 Detector
 DeepNines - BBX
 e-Cop - Cyclops
 Enterasys - IPS
 HP S IPS
 Intrusion - SecureNet / Host
 iPolicy
 Juniper Networks IDP
 Lancope - StealthWatch
 McAfee - Network Intrusion Prevention
 OSSEC
 Q1 Labs - QRadar
 Radware - DefensePro
 Samhain
 SoftSphere Technologies HIPS
 StillSecure - Strata Guard
 StoneGate - IPS
 Suricata
 Symantec Network Security
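The System/Behavioral functions listed for this category (integrity monitoring of OS files), the optional feature of storing integrity information remotely to prevent local evasion, and the consumer-side challenge that short-lived instances lose host-based logs together describe a host integrity check whose baseline the monitored host cannot rewrite. The following is an added example written for this page, not code from the CSA document or from any product listed above. It assumes a monitoring service that holds SERVICE_KEY (a constructed key) and seals each baseline with an HMAC, so an attacker with root on the instance can alter files but cannot produce a baseline the service will accept; the file tree, file contents and tampering steps are constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key for the example. In a deployment it lives only in the monitoring
# service (the "remote storage" of integrity information), never on the monitored host.
SERVICE_KEY = b"example-only-service-key-do-not-reuse"


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Agent side: digest and permission bits of every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"sha256": hash_file(p), "mode": oct(p.stat().st_mode & 0o7777)}
    return snap


def seal(snap: dict, key: bytes) -> dict:
    """Service side: canonical JSON of the baseline bound by an HMAC under the service key."""
    body = json.dumps(snap, sort_keys=True, separators=(",", ":"))
    return {"body": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}


def open_sealed(sealed: dict, key: bytes) -> dict:
    """Refuse a baseline whose MAC does not verify (edited on the host or in transit)."""
    expected = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(sealed["body"])


def diff(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check, and also
    try to pass off a fresh snapshot of the tampered tree as the sealed baseline."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        sealed = seal(snapshot(root), SERVICE_KEY)

        # Post-compromise: a config is weakened and a persistence file is dropped.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")

        # Local evasion attempt: replace the stored body but keep the old MAC.
        forged = dict(sealed, body=json.dumps(snapshot(root), sort_keys=True, separators=(",", ":")))
        try:
            open_sealed(forged, SERVICE_KEY)
            forged_accepted = True
        except ValueError:
            forged_accepted = False

        report = diff(open_sealed(sealed, SERVICE_KEY), snapshot(root))
        report["forged_baseline_accepted"] = forged_accepted
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists etc/sshd_config as modified and etc/cron.d/persist as added, and the forged baseline is rejected. Because the instance only ever ships snapshots and never holds the sealing key, the comparison survives the instance being terminated, which is the point of keeping integrity information off the host.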


Category #7: Security Information & Event Management (SIEM)

Description: Security Information and Event Management (SIEM) systems accept (via push or pull mechanisms) log and event information. This information is then correlated and analyzed to provide real-time reporting and alerting on incidents / events that may require intervention. The logs are likely to be kept in a manner that prevents tampering so that they can be used as evidence in any investigation.

Class: Detective

SERVICES

CORE FUNCTIONALITIES
 Real-time log / event collection, de-duplication, normalization, aggregation and visualization
 Log normalization
 Real-time event correlation
 Forensics support
 Compliance reporting & support
 IR support
 Email anomaly detection
 Reporting
 Flexible data retention periods and policy management, compliance policy management

OPTIONAL FEATURES
 Heuristic controls
 Specialized systems
 Physical log monitoring
 Access control system monitoring
 Physical security integration (cameras, alarms, phone, etc.)
 Integration with call / ticketing system

Includes: Log management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Immutable logs (for legal investigations)
Related Services: Architectural considerations, Compliance reporting, Software inventory, Non-traditional correlation, Non-traditional monitoring, Database monitoring, Request fulfillment
Related Technologies and Standards: FIPS 140-2 compliance, Common Event Format (CEF), Common Event Expression (CEE), IF-MAP (TCG)
Service Model: SaaS, PaaS
CSA Domains (v2.1): 2, 3, 4, 5, 7, 9, 12

THREATS ADDRESSED
 Abuse and Nefarious Use
 Insecure Interfaces and APIs
 Malicious Insiders
 Shared Technology Issues
 Data Loss and Leakage
 Account or Service Hijacking
 Unknown Risk Profile
 Fraud

CHALLENGES
 Standardization of log formats
 Timing lag caused by translations from native log formats
 Unwillingness of providers to share logs
 Scaling for high volumes
 Identification and visualization of key information
 Usable interface, segregated by client

REFERENCES
 http://www.darkreading.com/securitymonitoring/167901086/security/securitymanagement/228000206/cloud-creates-siem-blind-spot.html
 http://securecloudreview.com/2010/08/service-provider-oftomorrow-part-9-as-the-cloud-thrives-siem-will-suffer/
 http://en.wikipedia.org/wiki/Security_information_and_event_management
 http://en.wikipedia.org/wiki/Security_event_manager

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)
 AccelOps
 AlienVault (OSSIM)
 ArcSight ESM
 eIQnetworks
 LogLogic
 netForensics nFX One
 Novell Cloud Security Services / E-Sentinel
 OSSIM
 Prelude-SIEM
 Q1 Labs
 Quest Software
 RSA/EMC enVision
 SenSage
 SolarWinds Log and Event Manager
 Splunk
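The description of this category (push or pull collection, normalization, real-time correlation, and logs kept tamper-resistant for use as evidence) maps onto three small pieces of logic. The following is an added example written for this page, not code from the CSA document or from any SIEM product listed above. It normalizes two constructed feeds (an sshd authentication log pushed via syslog and a provider API audit trail pulled as JSON) into one schema, runs a single cross-source correlation rule (an authentication success from a source address that produced three or more failures in the preceding 60 seconds), and appends every normalized event to a hash-chained store whose verification fails if any record is deleted or edited. The schema field names, the rule thresholds and the sample lines are all assumptions.

```python
import hashlib
import json
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input (not real data): an sshd log received by syslog push and a
# provider API audit trail pulled as JSON. Timestamps are ISO 8601 in UTC.
SSHD_LINES = [
    "2011-09-01T10:00:01Z web-1 sshd[2201]: Failed password for alice from 198.51.100.7 port 50122 ssh2",
    "2011-09-01T10:00:09Z web-1 sshd[2201]: Failed password for alice from 198.51.100.7 port 50123 ssh2",
    "2011-09-01T10:00:20Z web-1 sshd[2201]: Failed password for alice from 198.51.100.7 port 50124 ssh2",
    "2011-09-01T10:00:31Z web-1 sshd[2201]: Accepted password for alice from 198.51.100.7 port 50125 ssh2",
    "2011-09-01T10:05:00Z web-1 sshd[2202]: Accepted publickey for deploy from 203.0.113.9 port 41000 ssh2",
]
API_EVENTS = [
    '{"time":"2011-09-01T10:00:15Z","api":"iam","principal":"alice","sourceIp":"198.51.100.7","result":"AccessDenied"}',
    '{"time":"2011-09-01T10:00:35Z","api":"iam","principal":"alice","sourceIp":"198.51.100.7","result":"Success"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_sshd(line: str) -> Optional[dict]:
    """Map one sshd line onto the common schema; None for lines the rule set does not need."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": _ts(m["ts"]), "source": "sshd", "host": m["host"], "user": m["user"],
            "src": m["src"], "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def normalize_api(line: str) -> dict:
    """Map one provider audit record onto the same schema so rules see both feeds alike."""
    e = json.loads(line)
    return {"ts": _ts(e["time"]), "source": "cloud-api:" + e["api"], "host": None,
            "user": e["principal"], "src": e["sourceIp"],
            "outcome": "success" if e["result"] == "Success" else "failure"}


def correlate(events: List[dict], threshold: int = 3, window_s: int = 60) -> List[dict]:
    """Alert on a success from a source address that produced >= threshold failures in the
    preceding window_s seconds, counting failures from every feed (cross-source correlation)."""
    alerts = []  # type: List[dict]
    recent_failures = {}  # type: Dict[str, List[datetime]]
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in recent_failures.get(ev["src"], [])
                  if (ev["ts"] - t).total_seconds() <= window_s]
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "auth-success-after-failures", "src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "via": ev["source"], "at": ev["ts"].isoformat()})
            recent = []  # one alert per burst; the success consumes the counted failures
        recent_failures[ev["src"]] = recent
    return alerts


GENESIS = "0" * 64


def append_chained(store: List[dict], event: dict) -> str:
    """Append-only evidence store: each record carries the hash of its predecessor, so
    removing or editing any earlier record breaks every later link."""
    prev = store[-1]["hash"] if store else GENESIS
    rec = {"event": dict(event, ts=event["ts"].isoformat()), "prev": prev}
    rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    store.append(rec)
    return rec["hash"]


def verify_chain(store: List[dict]) -> bool:
    prev = GENESIS
    for rec in store:
        body = json.dumps({"event": rec["event"], "prev": rec["prev"]}, sort_keys=True).encode()
        if rec["prev"] != prev or hashlib.sha256(body).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def run() -> dict:
    events = [e for e in map(normalize_sshd, SSHD_LINES) if e] + [normalize_api(l) for l in API_EVENTS]
    store = []  # type: List[dict]
    for ev in sorted(events, key=lambda e: e["ts"]):
        append_chained(store, ev)
    intact = verify_chain(store)
    # An insider removes the second record (one of the failed logins) from the store.
    tampered = store[:1] + store[2:]
    return {"events": len(events), "alerts": correlate(events),
            "chain_ok": intact, "chain_ok_after_delete": verify_chain(tampered)}
```

Running run() yields one alert for 198.51.100.7 with four counted failures (three from sshd, one from the API trail), which neither feed would have produced on its own, and the chain verifies before but not after the deletion. A hash chain alone only makes tampering detectable; to make it evidential the current head hash has to be periodically anchored somewhere the log operator cannot change, for example signed and handed to a separate party.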


Category #8: Encryption

Description: Encryption is the process of transforming data (usually referred to as plaintext) with a cryptographic algorithm and a key, the product of which is encrypted data (usually referred to as ciphertext). Only the intended recipient or system in possession of the correct key can decrypt this ciphertext. In the case of one-way cryptographic functions, a digest or hash is created instead. Encryption systems typically consist of one or more algorithms that are computationally difficult (or infeasible) to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal, key exchange, etc. Each part is effectively useless without the other, e.g. the best algorithm is easy to "crack" if an attacker can access the keys due to weak processes.

Class: Protective

SERVICES

CORE FUNCTIONALITIES
 Data protection (at rest and in motion)
 Data validation
 Message Authentication
 Message/data integrity
 Data Time-stamping (digital notary)
 Identity validation (certificates to identify IT assets/endpoints)
 Code Signing
 Forgery detection
 Identity validation (digital signatures)
 Digital Fingerprinting
 Forensic protection (hashing of log files and evidence)
 Pseudorandom number generation
 Data Destruction (throw away the key!)
 Key/certificate generation and management

OPTIONAL FEATURES
 Searching encrypted data
 Sorting encrypted data
 Identity-based encryption
 Data integrity
 Mechanism to ensure secure removal of customer data when the term / contract is terminated
 Identity assurance (e.g., the parties involved are who they claim to be)

Includes: VPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption, Digital signatures, Integrity validation
Related Services: VM Architecture, Hardware protection, Software-based protection, Remote access validation
Related Technologies and Standards: FIPS 140-2, IPsec, SSL/TLS, Hashing and algorithms, Symmetric and Asymmetric Cryptography
Service Model: PaaS, SaaS, IaaS
CSA Domains (v2.1): 11

THREATS ADDRESSED
 Failure to meet regulatory compliance requirements
 Insider and external threats to data
 Intercepted clear-text network traffic
 Clear-text data on stolen / disposed-of hardware
 Reducing risk and potentially enabling cross-border business opportunities
 Reducing perceived risks and thus enabling cloud adoption by government

CHALLENGES
 Risk of compromised keys
 Searching and/or sorting of encrypted data
 Separation of duties between data owners, administrators and cloud service providers
 Legal issues
 Federated trust between providers

REFERENCES / ADDITIONAL RESOURCES
 http://www.eweek.com/c/a/Security/IBM-UncoversEncryption-Scheme-That-Could-Improve-Cloud-SecuritySpam-Filtering-135413/
 https://cloudsecurityalliance.org/csaguide.pdf
 Sarna, David E.Y., "Implementing and Developing Cloud Computing Applications"
 http://www.ctoedge.com/content/new-approach-enteprisedata-security-tokenization
 http://arstechnica.com/tech-policy/news/2009/09/yoursecrets-live-online-in-databases-of-ruin.ars
 CSA discussion forums: "The Illegality of Exporting Personal Data into the Cloud. Is the following Hypothesis the Answer? Does the following Hypothesis Handle the Objection?" http://www.linkedin.com/e/-njv39egmdp90wv1m/vaq/23764306/1864210/36300812/view_disc/
 IETF RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2: http://tools.ietf.org/rfc/rfc5246.txt
 NIST SP 800-57, Recommendation for Key Management, Parts 1-3 (NIST, January 2011): http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf ; http://csrc.nist.gov/publications/nistpubs/800-57/SP80057-Part2.pdf ; http://csrc.nist.gov/publications/nistpubs/80057/sp800-57_PART3_key-management_Dec2009.pdf
 NIST SP 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (NIST, January 2011): http://csrc.nist.gov/publications/nistpubs/800-131A/sp800131A.pdf
 ISO/TR 14742:2010, Financial Services: Recommendations on Cryptographic Algorithms and their Use. ISO, 2010.
 Ferguson, N., Schneier, B., and Kohno, T. (2010). Cryptography Engineering: Design Principles and Practical Applications. New York: John Wiley and Sons.

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud
 Credant
 CipherCloud
 enStratus
 Novaho
 PerspecSys
 ProtectV
 SecureCloud
 SurePassID
 Vormetric

Non-Cloud
 Crypo.com
 Sendinc
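Several items in this category (key/certificate generation and management, data destruction by throwing away the key, secure removal of customer data at contract termination, and the challenge of searching encrypted data) depend on how keys are organised rather than on the cipher itself. The following is an added example written for this page, not code from the CSA document or from any vendor listed above. It assumes a two-level key hierarchy (a master key in a key-management service wrapping one random data key per tenant), a keyed blind index that permits equality search over encrypted records without decrypting them, and crypto-shredding at contract termination by deleting the tenant's wrapped key. So that it runs on a bare Python installation, the block uses HMAC-SHA256 in counter mode with a separate HMAC tag as a stand-in authenticated cipher; a deployment would substitute AES-GCM from a vetted library, and nothing in the key-hierarchy logic changes with that swap. All keys, tenants and records are constructed.

```python
import hmac
import secrets
from typing import Dict, List

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF in counter mode: block i = HMAC(key, nonce || i). Stand-in for a real cipher."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        i += 1
    return out[:n]


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one data key."""
    return hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, encrypt-then-MAC so tampering is caught before decryption."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TenantVault:
    """Key hierarchy: one master key (held by the key-management service) wraps a random data
    key per tenant. Records are held by the cloud provider as ciphertext plus a blind index."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._wrapped = {}  # type: Dict[str, bytes]  # tenant -> data key wrapped under master
        self.records = {}   # type: Dict[str, dict]   # what the storage provider sees

    def onboard(self, tenant: str) -> None:
        self._wrapped[tenant] = encrypt(self._master, secrets.token_bytes(32))

    def _data_key(self, tenant: str) -> bytes:
        if tenant not in self._wrapped:
            raise KeyError("no data key for tenant (never onboarded or shredded)")
        return decrypt(self._master, self._wrapped[tenant])

    def blind_index(self, tenant: str, value: str) -> str:
        """Keyed hash of the normalised value under a tenant-specific index sub-key: equality
        search on ciphertext, nothing usable for decryption, and the same value indexes
        differently in different tenants."""
        idx_key = hmac.new(self._data_key(tenant), b"index", "sha256").digest()
        return hmac.new(idx_key, value.strip().lower().encode(), "sha256").hexdigest()

    def put(self, tenant: str, record_id: str, email: str, body: str) -> None:
        self.records[record_id] = {"tenant": tenant,
                                   "email_idx": self.blind_index(tenant, email),
                                   "ct": encrypt(self._data_key(tenant), body.encode())}

    def find_by_email(self, tenant: str, email: str) -> List[str]:
        idx = self.blind_index(tenant, email)
        return [rid for rid, r in self.records.items() if r["tenant"] == tenant and r["email_idx"] == idx]

    def read(self, tenant: str, record_id: str) -> str:
        return decrypt(self._data_key(tenant), self.records[record_id]["ct"]).decode()

    def shred(self, tenant: str) -> None:
        """Contract termination: destroy the wrapped data key. Ciphertext left in storage or
        backups becomes unreadable without any further action by the provider."""
        del self._wrapped[tenant]


def demo() -> dict:
    """Constructed walk-through: two tenants, a search, a tamper attempt and a shred."""
    v = TenantVault(secrets.token_bytes(32))
    v.onboard("acme")
    v.onboard("globex")
    v.put("acme", "r1", "Alice@Example.com ", "acme account 1")
    v.put("acme", "r2", "bob@example.com", "acme account 2")
    v.put("globex", "r3", "alice@example.com", "globex account")
    out = {"search": v.find_by_email("acme", "alice@example.com"),
           "read": v.read("acme", "r1"),
           "same_index_across_tenants": v.records["r1"]["email_idx"] == v.records["r3"]["email_idx"]}
    flipped = bytearray(v.records["r3"]["ct"])
    flipped[NONCE_LEN] ^= 0x01  # flip one bit of the first ciphertext byte
    try:
        decrypt(v._data_key("globex"), bytes(flipped))
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    v.shred("acme")
    try:
        v.read("acme", "r1")
        out["readable_after_shred"] = True
    except KeyError:
        out["readable_after_shred"] = False
    out["other_tenant_unaffected"] = v.read("globex", "r3")
    return out
```

The blind index answers the equality case of "searching encrypted data" (the index leaks only which records share a value, and only to someone holding the tenant's index key); range queries and sorting remain open, as the Challenges list says. Shredding addresses only the "throw away the key" path: it is effective exactly as long as the wrapped key has no surviving copies, so key backups need the same deletion procedure as the key store.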


Category #9: Business Continuity and Disaster Recovery

Description: Business Continuity and Disaster Recovery (BCDR) are the measures designed and implemented to ensure operational resiliency in the event of service interruptions, including those caused by natural or man-made disasters or disruptions, by providing flexible and reliable failover for the required services. Cloud-centric BCDR makes use of the cloud's flexibility to minimize cost and maximize benefits. For example, a tenant could replicate applications and data to low-specification guest machines in the cloud, with the provision to quickly ramp up the CPU, RAM, etc. of those machines in a BCDR scenario.

Class: Reactive, Protective, Detective

SERVICES

CORE FUNCTIONALITIES
 Flexible infrastructure
 Secure backup
 Monitored operations
 Third-party service connectivity
 Replicated infrastructure components
 Replicated data (core / critical systems)
 Data and/or application recovery
 Alternate sites of operation
 Tested and measured processes and operations to ensure
 Geographically distributed data centers / infrastructure
 Network survivability

OPTIONAL FEATURES
 Support for BC and DR compliance monitoring and/or reporting or testing flexible infrastructure
 Authorized post-disaster privileged account management
 Enable DR policy management (incl. authorization management, role management, compliance management)

Includes: File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. databases)
Related Services: Fail-back to live systems, Encryption of data in transit, Encryption of data at rest, Field-level encryption, Realm-based access control
Related Technologies and Standards: ISO/IEC 24762:2008, BS 25999
Service Model: IaaS, SaaS
CSA Domains (v2.1): 7

THREATS ADDRESSED
 Natural disaster
 Fire
 Power outage
 Terrorism/sabotage
 Data corruption
 Data deletion
 Pandemic/biohazard

CHALLENGES
 Over-centralization of data
 Lack of approved and tested policies, processes, and procedures
 Legal constraints on transportation of data outside the affected region
 Network connectivity failures
 Identification of Recovery Time Objectives / Recovery Point Objectives / SLAs
 Agreed definition between vendor and client of what DR / BCP means
 Security of data held in multiple locations

REFERENCES / ADDITIONAL RESOURCES
 NIST SP 800-34
 ISO/IEC 27031
 http://en.wikipedia.org/wiki/Disaster_recovery
 http://www.silicon.com/management/cioinsights/2010/09/30/cloud-computing-is-it-ready-fordisaster-recovery-39746406/
 http://blogs.forrester.com/rachel_dines/11-08-29-disaster_recovery_meet_the_cloud
 http://www.usenix.org/event/hotcloud10/tech/full_papers/Wood.pdf

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud
 Atmos
 Decco
 Digital Parallels
 Quantix
 Rackspace

Non-Cloud
 IBM
 Iron Mountain
 SunGard


Category #10: Network Security

Description: Network Security consists of security services that allocate access to, distribute, monitor, and protect the underlying resource services. Architecturally, network security provides services that address security controls for the network in aggregate or for the individual network of each underlying resource. In a cloud / virtual environment, network security is likely to be provided by virtual devices alongside traditional physical devices. Tight integration with the hypervisor, to ensure full visibility of all traffic on the virtual network layer, is key.

Class: Detective, protective, reactive

SERVICES

CORE FUNCTIONALITIES
 Access and authentication controls
 Security gateways (firewalls, WAF, SOA/API, VPN)
 Security products (IDS/IPS, server-tier firewall, file integrity monitoring, DLP, anti-virus, anti-spam)
 Security monitoring and IR
 DoS protection/mitigation
 Secure "base services" such as DNS and/or DNSSEC, DHCP, NTP, RAS, OAuth, SNMP
 Management network segmentation and security
 Traffic / netflow monitoring
 Integration with the hypervisor layer

OPTIONAL FEATURES
 Log correlation / secure and immutable logging
 Secure data encryption at rest
 Performance monitoring of the network
 Real-time alerting
 Change management

Includes: Firewall (perimeter and server tier), Web application firewall, DDoS protection/mitigation, DLP, IR management, IDS / IPS
Related Services: Identity and Access Management, Data Loss Prevention, Web Security, Intrusion Management, Security Information and Event Management, and Encryption
Related Technologies and Standards:
Service Model: IaaS, SaaS, PaaS
CSA Domains (v2.1): 7, 8, 9, 10, 13

THREATS ADDRESSED
 Data threats
 Access control threats
 Application vulnerabilities
 Cloud platform threats
 Regulatory, compliance & law enforcement

CHALLENGES
 Micro-borders (instead of traditional, clearly defined network boundaries, the borders between tenant networks can be dynamic and potentially blurred in a large-scale virtual / cloud environment)
 Virtual segmentation of physical servers
 Limited visibility of inter-VM traffic
 Non-standard APIs
 Management of many virtual networks / VLANs in a complex environment, reliant on the provider's policies and procedures
 Separation of production and non-production environments
 Logical and virtual segregation of customer networks / systems / data

REFERENCES / ADDITIONAL RESOURCES
 CSA / Intel Cloud Security Reference Architecture: http://software.intel.com/en-us/articles/Cloud-SecurityReference-Architecture-Guide/
 http://www.intel.com/content/dam/doc/referencearchitecture/cloud-computing-enhanced-cloud-securityhytrust-vmware-architecture.pdf
 ENISA Cloud Computing Risk Assessment: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud
 CloudFlare
 HP
 IBM
 Imperva - Incapsula
 McAfee
 Rackspace
 Stonesoft
 Symantec

Non-Cloud
 HP
 IBM
 McAfee
 Snort
 Symantec
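The challenges listed for this category (micro-borders between tenant networks, virtual segmentation of physical servers, limited visibility of inter-VM traffic) are what the core functions of traffic / netflow monitoring and management-network segmentation have to enforce in practice. The following is an added example written for this page, not code from the CSA document or from any product listed above. It takes constructed flow records of the kind a virtual switch or edge router exports, maps each address to a tenant network from an assumed tenancy map, and flags any flow that crosses a tenant border without a matching allow rule, treating anything that reaches the management network from a tenant network as critical. The tenant names, address ranges, allow list and flow lines are all assumptions.

```python
import ipaddress
from typing import List, Optional

# Assumed tenancy map: in a provider this would come from the orchestration / virtual
# network layer rather than a static table.
TENANT_NETS = {
    "acme":   [ipaddress.ip_network("10.10.0.0/16")],
    "globex": [ipaddress.ip_network("10.20.0.0/16")],
    "shared": [ipaddress.ip_network("10.0.0.0/24")],        # provider DNS/NTP "base services"
    "mgmt":   [ipaddress.ip_network("192.168.100.0/24")],   # management plane
}

# Allow rules for flows that cross a tenant border: (src_tenant, dst_tenant, proto, dst_port),
# with "*" matching any tenant. Any other cross-border flow is a violation.
ALLOW = [
    ("mgmt", "*", "tcp", 22),       # management plane may ssh into any tenant
    ("*", "shared", "udp", 53),     # every tenant may use provider DNS
    ("*", "shared", "udp", 123),    # ... and NTP
]

# Constructed flow export lines, ts,src,dst,proto,dst_port,bytes (not real traffic).
FLOWS = [
    "2011-09-01T10:00:00Z,10.10.1.5,10.10.2.9,tcp,3306,8800",
    "2011-09-01T10:00:01Z,10.10.1.5,10.0.0.53,udp,53,120",
    "2011-09-01T10:00:02Z,192.168.100.4,10.20.3.3,tcp,22,5100",
    "2011-09-01T10:00:03Z,10.10.1.5,10.20.3.3,tcp,445,70000",
    "2011-09-01T10:00:04Z,10.20.3.3,192.168.100.4,tcp,443,900",
    "2011-09-01T10:00:05Z,10.10.1.5,203.0.113.80,tcp,443,4000",
]


def tenant_of(ip: str) -> str:
    """Resolve an address to its tenant network, or 'external' if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, nets in TENANT_NETS.items():
        if any(addr in n for n in nets):
            return name
    return "external"


def parse_flow(line: str) -> dict:
    ts, src, dst, proto, dport, nbytes = line.split(",")
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport),
            "bytes": int(nbytes), "src_tenant": tenant_of(src), "dst_tenant": tenant_of(dst)}


def allowed(src_t: str, dst_t: str, proto: str, dport: int) -> bool:
    return any(a in ("*", src_t) and b in ("*", dst_t) and p == proto and q == dport
               for a, b, p, q in ALLOW)


def evaluate(flow: dict) -> Optional[dict]:
    """None for intra-tenant and Internet-facing flows (covered by other controls); otherwise a
    violation record for a cross-border flow that no allow rule permits."""
    s, d = flow["src_tenant"], flow["dst_tenant"]
    if s == d or "external" in (s, d):
        return None
    if allowed(s, d, flow["proto"], flow["dport"]):
        return None
    return {"ts": flow["ts"], "src": flow["src"], "dst": flow["dst"],
            "src_tenant": s, "dst_tenant": d, "proto": flow["proto"], "dport": flow["dport"],
            "severity": "critical" if d == "mgmt" else "high"}


def audit(lines: List[str]) -> List[dict]:
    return [v for v in (evaluate(parse_flow(l)) for l in lines) if v]


if __name__ == "__main__":
    for violation in audit(FLOWS):
        print(violation)
```

On the sample flows the audit reports two violations: an SMB connection from the acme network into globex, and an HTTPS connection from a globex host to the management network. The check is only as complete as the flow export feeding it: traffic between two VMs on the same physical host that stays inside the vSwitch never reaches an edge exporter, which is exactly the "limited visibility of inter-VM traffic" challenge and why the core functionality list asks for integration with the hypervisor layer.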
