Cloud Security Alliance: GRC Stack Training
Becky Swain, Cisco; Marlin Pohlman, EMC; Laura Posey, Microsoft
February 2011

Cloud Computing: NIST Definition
• UPDATED (Jan 2011) – National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft)
• Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
• Rapidly provisioned and released with minimal management effort or service provider interaction
• Composed of 5 essential characteristics, 3 service models, and 4 deployment models.
• Source: http://www.nist.gov/itl/csd/cloud-020111.cfm

Copyright © 2011 Cloud Security Alliance

www.cloudsecurityalliance.org

Cloud Computing: 5 Essential Characteristics
• On-demand tenant self-service model for provisioning computing capabilities (server time, network storage, etc.)
• Broad network access, with capabilities over the network accessible by standard mechanisms and mobile platforms
• Resource pooling through dynamically assigned physical and virtual capabilities, delivered in a multi-tenant, location-independent model
• Rapid elasticity of provisioned resources, automatically or manually adjusted, aligned with service level flexibility and needs
• Measured service to monitor, control and report on transparent resource optimization

Cloud Computing: 3 Service Models
• Software as a Service (SaaS)
  • Capability made available to tenant (or consumer) to use provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces.
  • Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx
• Platform as a Service (PaaS)
  • Capability made available to tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by provider.
  • Examples: Microsoft Azure, Amazon Web Services, Bungee Connect
• Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)
  • Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant’s applications.
  • Examples: Rackspace, Terremark (Verizon), Savvis, AT&T

Cloud Computing: 4 Deployment Models

                (1) PRIVATE                      (2) COMMUNITY                     (3) PUBLIC
ACCESSIBILITY   Shared with Single Organization  Common Interests / Requirements   General Public / Large Industry Group
MANAGEMENT      Organization or Third Party      Organization or Third Party       Cloud Provider
HOST            On or Off Premise                On or Off Premise                 On or Off Premise

(4) HYBRID
• Composition of 2 or more deployment models that remain unique entities
• Bound together by standardized or proprietary technology enabling data and application portability

Cloud Computing Security: Largest Barrier to Adoption

What is Different about Cloud?

What is Different about Cloud? Service Owner by Layer

Layer         SaaS        PaaS        IaaS
Data          Joint       Tenant      Tenant
Application   Joint       Joint       Tenant
Compute       Provider    Joint       Tenant
Storage       Provider    Provider    Joint
Network       Provider    Provider    Joint
Physical      Provider    Provider    Provider

Cloud Controls Matrix

Cloud Controls Matrix: Leadership Team
• Becky Swain – Cisco Systems, Inc.
• Philip Agcaoili – Cox Communications
• Marlin Pohlman – EMC, RSA
• Kip Boyle – CSA

• V1.1 Released Dec 2010
• Rated as applicable to S-P-I with Cloud Provider / Tenant Delineation
• Controls baselined and mapped to:
  • COBIT
  • HIPAA / HITECH Act
  • ISO/IEC 27001-2005
  • NIST SP 800-53
  • FedRAMP
  • PCI DSS v2.0
  • BITS Shared Assessments
  • GAPP

Cloud Controls Matrix: Global Industry Contribution
• Adalberto Afonso A Navarro F do Valle – Deloitte LLP
• Addison Lawrence – Dell
• Akira Shibata – NTT DATA Corp
• Andy Dancer
• Anna Tang – Cisco Systems, Inc.
• April Battle – MITRE
• Chandrasekar Umpathy
• Chris Brenton – Dell
• Dale Pound – SAIC
• Daniel Philpott – Tantus Technologies
• Dr. Anton Chuvakin – Security Warrior Consulting
• Elizabeth Ann Wickham – L47 Consulting Limited
• Gary Sheehan – Advanced Server Mgmt Group, Inc.
• Georg Heß
• Georges Ataya – Solvay Brussels School of Economics & Mgmt
• Glen Jones – Cisco Systems, Inc.
• Greg Zimmerman – Jefferson Wells
• Guy Bejerano – LivePerson
• Henry Ojo – Kamhen Services Ltd
• Jakob Holm Hansen – Neupart A/S
• Joel Cort – Xerox Corporation
• John DiMaria – HISPI
• John Sapp – McKesson Healthcare, HISPI
• Joshua Schmidt – Vertafore, Inc.
• Karthik Amrutesh – Ernst and Young LLP
• Kelvin Arcelay – Arcelay & Associates
• Kyle Lai – KLC Consulting, Inc.
• Larry Harvey – Cisco Systems, Inc.
• Laura Kuiper – Cisco Systems, Inc.
• Lisa Peterson – Progressive Insurance
• Lloyd Wilkerson – Robert Half International
• Marcelo Gonzalez – Banco Central Republica Argentina
• Mark Lobel – PricewaterhouseCoopers LLP
• Meenu Gupta – Mittal Technologies
• Michael Craigue, Ph.D. – Dell
• Mike Craigue
• MS Prasad, Exec Dir CSA India
• Niall Browne – LiveOps
• Patrick Sullivan
• Patty Williams – Symetra Financial
• Paul Stephen – Ernst and Young LLP
• Phil Genever-Watling
• Philip Richardson – Logicalis UK Ltd
• Pritam Bankar – Infosys Technologies Ltd.
• Ramesan Ramani – Paramount Computer Systems
• Steve Primost
• Taiye Lambo – eFortresses, Inc.
• Tajeshwar Singh
• Thej Mehta – KPMG LLP
• Thomas Loczewski – Ernst and Young GmbH, Germany
• Vincent Samuel – KPMG LLP
• Yves Le Roux – CA Technologies

Cloud Controls Matrix: Characteristics
• Objective measure to monitor activities and then take corrective action to accomplish organizational goals.
• Comprised of a set of policies and processes (internal controls) affecting the way Cloud services are directed, administered or controlled.
• Aligned to Information Security regulatory rules and industry accepted guidance.
• Controls reflect the intent of the CSA Guidance as applied to existing patterns of Cloud execution.

Cloud Controls Matrix: Optimal & Holistic Compliance – Bridging Regulatory Governance and Practical Compliance

Cloud Controls Matrix: 11 Domains
1. Compliance (CO)
2. Data Governance (DG)
3. Facility Security (FS)
4. Human Resources (HR)
5. Information Security (IS)
6. Legal (LG)
7. Operations Management (OM)
8. Risk Management (RI)
9. Release Management (RM)
10. Resiliency (RS)
11. Security Architecture (SA)

Cloud Controls Matrix: 98 Controls

Compliance
• CO01 – Audit Planning
• CO02 – Independent Audits
• CO03 – Third Party Audits
• CO04 – Contact / Authority Maintenance
• CO05 – Information System Regulatory Mapping
• CO06 – Intellectual Property

Legal
• LG01 – Non-Disclosure Agreements
• LG02 – Third Party Agreements

Data Governance
• DG01 – Ownership / Stewardship
• DG02 – Classification
• DG03 – Handling / Labeling / Security Policy
• DG04 – Retention Policy
• DG05 – Secure Disposal
• DG06 – Non-Production Data
• DG07 – Information Leakage
• DG08 – Risk Assessments

Risk Management
• RI01 – Program
• RI02 – Assessments
• RI03 – Mitigation / Acceptance
• RI04 – Business / Policy Change Impacts
• RI05 – Third Party Access

Cloud Controls Matrix: 98 Controls (cont.)

Human Resources
• HR01 – Background Screening
• HR02 – Employment Agreements
• HR03 – Employment Termination

Resiliency
• RS01 – Management Program
• RS02 – Impact Analysis
• RS03 – Business Continuity Planning
• RS04 – Business Continuity Testing
• RS05 – Environmental Risks
• RS06 – Equipment Location
• RS07 – Equipment Power Failures
• RS08 – Power / Telecommunications

Release Management
• RM01 – New Development / Acquisition
• RM02 – Production Changes
• RM03 – Quality Testing
• RM04 – Outsourced Development
• RM05 – Unauthorized Software Installations

Operational Management
• OP01 – Policy
• OP02 – Documentation
• OP03 – Capacity / Resource Planning
• OP04 – Equipment Maintenance

Cloud Controls Matrix: 98 Controls (cont.)

Security Architecture
• SA01 – Customer Access Requirements
• SA02 – User ID Credentials
• SA03 – Data Security / Integrity
• SA04 – Application Security
• SA05 – Data Integrity
• SA06 – Production / Non-Production Environments
• SA07 – Remote User Multi-Factor Authentication
• SA08 – Network Security
• SA09 – Segmentation
• SA10 – Wireless Security
• SA11 – Shared Networks
• SA12 – Clock Synchronization
• SA13 – Equipment Identification
• SA14 – Audit Logging / Intrusion Detection
• SA15 – Mobile Code

Facility Security
• FS01 – Policy
• FS02 – User Access
• FS03 – Controlled Access Points
• FS04 – Secure Area Authorization
• FS05 – Unauthorized Persons Entry
• FS06 – Off-Site Authorization
• FS07 – Off-Site Equipment
• FS08 – Asset Management

Cloud Controls Matrix: 98 Controls (cont.)

Information Security
• IS01 – Management Program
• IS02 – Management Support / Involvement
• IS03 – Policy
• IS04 – Baseline Requirements
• IS05 – Policy Reviews
• IS06 – Policy Enforcement
• IS07 – User Access Policy
• IS08 – User Access Restriction / Authorization
• IS09 – User Access Revocation
• IS10 – User Access Reviews
• IS11 – Training / Awareness
• IS12 – Industry Knowledge / Benchmarking
• IS13 – Roles / Responsibilities
• IS14 – Management Oversight
• IS15 – Segregation of Duties
• IS16 – User Responsibility
• IS17 – Workspace
• IS18 – Encryption
• IS19 – Encryption Key Management
• IS20 – Vulnerability / Patch Management
• IS21 – Anti-Virus / Malicious Software
• IS22 – Incident Management
• IS23 – Incident Reporting
• IS24 – Incident Response Legal Preparation
• IS25 – Incident Response Metrics
• IS26 – Acceptable Use
• IS27 – Asset Returns
• IS28 – eCommerce Transactions
• IS29 – Audit Tools Access
• IS30 – Diagnostic / Configuration Ports Access
• IS31 – Network Services
• IS32 – Portable / Mobile Devices
• IS33 – Source Code Access Restriction
• IS34 – Utility Programs Access

Consensus Assessment Initiative

Consensus Assessment Initiative
• Research tools and processes to perform shared assessments of cloud providers
• Lightweight “common assessment criteria” concept
• Integrated with Controls Matrix
• Ver 1 CAI Questionnaire released Oct 2010, approx 140 provider questions to identify presence of security controls or practices

Consensus Assessment Initiative: Team Leaders
• Laura Posey – Microsoft
• Jason Witty – Bank of America
• Marlin Pohlman – EMC, RSA
• Earle Humphreys – ITEEx Editor
• Christofer Hoff – Cisco

Contributors
• Matthew Becker – Bank of America
• Aaron Benson – Novell
• Ken Biery – Verizon Business
• Kristopher Fador – Bank of America
• David Gochenaur – Aon Corporation
• Jesus Molina – Fujitsu
• John Nootens – AMA Association
• Hemma Prafullchandra – Hytrust
• Gorka Sadowski – Log Logic
• Richard Schimmel – Bank of America
• Patrick Vowles – RSA
• Kenneth Zoline – IBM

Consensus Assessment Initiative: Approach
• Build “cloud-specific” question-set
  • CSA guidance
  • Industry experts
  • Align questions with the CSA Cloud Controls Matrix
• Release 1.0 question-set publicly
  • Integrate into CloudAudit.org framework
  • Post to CloudSecurityAlliance.org

Consensus Assessment Initiative Questionnaire (CAIQ): 148 Questions

CloudAudit

CloudAudit
• Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments
• Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.

CloudAudit: Objective
• A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
• Define a namespace that can support diverse frameworks
• Express five critical compliance frameworks in that namespace
• Define the mechanisms for requesting and responding to queries relating to specific controls
• Integrate with portals and AAA systems

CloudAudit: Aligned to Cloud Controls Matrix
• First efforts aligned to compliance frameworks as established by CSA Control Matrix:
  • PCI DSS
  • HIPAA
  • COBIT
  • ISO/IEC 27001-2005
  • NIST SP 800-53
• Incorporate CSA’s CAI and additional CompliancePacks
• Expand alignment to “infrastructure”- and “operations”-centric views also

CloudAudit Sample Implementation: CSA Compliance Pack

CloudAudit: Release Deliverables
• Contains all Compliance Packs, documentation and scripts needed to begin implementation of CloudAudit
• Working with Service Providers and Tool Vendors for Adoption
• Officially folded CloudAudit under the Cloud Security Alliance in October, 2010
• http://www.cloudaudit.org/CloudAudit_Distribution_20100815.zip

CloudAudit Release Deliverables (cont.): Request Flow for Users & Tools

CloudAudit Release Deliverables (cont.): index.html / default.jsp / etc.
• index.html is for dumb browser consumption
  • Typically, the direct human user use case
• It can be omitted if directory browsing is enabled
• It contains JavaScript to look for the manifest.xml file, parse it, and display it as HTML.
• If no manifest.xml exists, it should list the directory contents relevant to the control in question

CloudAudit Release Deliverables (cont.): manifest.xml
• Structured listing of control endpoint contents
• Can be extended to provide contextual information
• Primarily aimed at tool consumption
• In Atom format
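The two slides above describe what a control endpoint serves: an Atom manifest.xml for tools, and an index.html that looks for that manifest, parses it and renders it as HTML, falling back to a directory listing when no manifest exists. The following is an added example of that behaviour written in Python for clarity; it is not code from the CloudAudit distribution or from the deck. The only facts taken from the page are that the manifest is Atom and that the fallback is a directory listing. The entry layout (one Atom entry per control with id, title, link, updated and summary), the urn:example ids, the file names and the sample text are constructed assumptions; the control ids in the sample titles are CCM ids from the deck. Because a manifest is published by the provider and consumed by someone else's tool or browser, the renderer treats it as untrusted input: every string is HTML-escaped and only relative links that stay under the control directory are emitted as hyperlinks.

```python
"""Render a CloudAudit-style control endpoint: parse manifest.xml (Atom) to
HTML, or list the directory when no manifest exists. Added example; the
entry layout and sample values are constructed, not the CloudAudit schema."""
import html
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"

def atom(name):
    """Clark-notation tag for an Atom element, e.g. '{ns}entry'."""
    return f"{{{ATOM_NS}}}{name}"

# Constructed sample manifest (assumed layout). Titles reuse CCM control ids
# from the deck; the last entry carries a deliberately unsafe href so the
# link check below has something to reject.
SAMPLE_MANIFEST = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Provider - CSA Compliance Pack</title>
  <updated>2011-02-01T00:00:00Z</updated>
  <entry>
    <id>urn:example:ccm:IS18</id>
    <title>IS18 - Encryption</title>
    <link rel="alternate" href="IS18/encryption-policy.pdf"/>
    <updated>2011-01-15T00:00:00Z</updated>
    <summary>Policy covering encryption of tenant data at rest and in transit.</summary>
  </entry>
  <entry>
    <id>urn:example:ccm:SA14</id>
    <title>SA14 - Audit Logging / Intrusion Detection</title>
    <link rel="alternate" href="SA14/logging-architecture.html"/>
    <updated>2011-01-20T00:00:00Z</updated>
    <summary>Description of centralised audit logging and IDS coverage.</summary>
  </entry>
  <entry>
    <id>urn:example:unsafe</id>
    <title>Constructed entry with a scheme-prefixed link</title>
    <link rel="alternate" href="javascript:alert(1)"/>
    <summary>Must be shown as plain text, never as a hyperlink.</summary>
  </entry>
</feed>
"""

def parse_manifest(xml_text):
    """Return {'title': str, 'entries': [dict]}; ValueError if not an Atom feed."""
    root = ET.fromstring(xml_text)
    if root.tag != atom("feed"):
        raise ValueError("manifest.xml is not an Atom feed")

    def text_of(el, name):
        child = el.find(atom(name))
        return (child.text or "").strip() if child is not None else ""

    entries = []
    for entry in root.findall(atom("entry")):
        link = entry.find(atom("link"))
        entries.append({
            "id": text_of(entry, "id"),
            "title": text_of(entry, "title"),
            "href": link.get("href", "") if link is not None else "",
            "updated": text_of(entry, "updated"),
            "summary": text_of(entry, "summary"),
        })
    return {"title": text_of(root, "title"), "entries": entries}

def safe_href(href):
    """Accept only relative links under the control directory: no absolute
    paths, no scheme prefix (javascript:, https:), no backslash, no '..'."""
    if not href or href.startswith("/") or "\\" in href:
        return None
    segments = href.split("/")
    if ":" in segments[0] or ".." in segments:
        return None
    return href

def render_manifest(manifest):
    """HTML fragment for a parsed manifest; every provider string is escaped."""
    out = [f"<h1>{html.escape(manifest['title'])}</h1>", "<ul>"]
    for e in manifest["entries"]:
        title = html.escape(e["title"])
        href = safe_href(e["href"])
        label = f'<a href="{html.escape(href)}">{title}</a>' if href else title
        out.append(f"<li>{label} <small>{html.escape(e['updated'])}</small>"
                   f"<p>{html.escape(e['summary'])}</p></li>")
    out.append("</ul>")
    return "\n".join(out)

def render_directory(names):
    """Fallback when manifest.xml is absent: list the directory contents."""
    items = "".join(f"<li>{html.escape(n)}</li>" for n in sorted(names))
    return f"<h1>Directory listing</h1><ul>{items}</ul>"

def render_control_index(manifest_xml, directory_names):
    """What index.html does: prefer the manifest, otherwise list the directory."""
    if manifest_xml is None:
        return render_directory(directory_names)
    return render_manifest(parse_manifest(manifest_xml))

if __name__ == "__main__":
    print(render_control_index(SAMPLE_MANIFEST, []))
    print(render_control_index(None, ["IS18", "SA14", "README.txt"]))
```

Running the module renders the three sample entries as a list, with the third shown as plain text because its href is rejected, and then renders the directory-listing fallback. The same check belongs in the browser-side JavaScript the slide describes, since a tool or browser that renders a provider's manifest verbatim would execute whatever the provider (or whoever can write to that endpoint) placed in it.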

CSA GRC Stack

CSA GRC Stack: Provider Assertions
• Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.
(Figure: Private, Community & Public Clouds; Control Requirements)

CSA GRC Stack
• Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of Governance, Risk Management and Compliance (GRC) requirements – success dependent upon:
  • Appropriate assessment criteria; and
  • Relevant control objectives and timely access to necessary supporting data.
• CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.
• Integrated suite of 3 CSA initiatives: CloudAudit, Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).
• Available now for free download at: www.cloudsecurityalliance.org/grcstack.zip

CSA GRC Stack: Bringing it all together…

CSA GRC Stack: Industry Collaboration & Support
• International Organization for Standards (ISO)
  • ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy with active CSA representation
• European Network and Information Security Agency (ENISA)
• Common Assurance Maturity Model (CAMM)
• American Institute of Certified Public Accountants (AICPA)
  • Statement on Standards for Attestation Engagements (SSAE) No. 16
  • SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
• National Institute of Standards and Technology (NIST)
  • Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)

CSA GRC Stack: Industry Collaboration & Support (cont.)
• Inverse Control Framework Mappings
  • Health Information Trust Alliance (HITRUST)
  • Unified Compliance Framework (UCF)
  • Information Systems Audit and Control Association (ISACA)
  • BITS Shared Assessments SIG/AUP + TG Participation
  • Information Security Forum (ISF)

About the Cloud Security Alliance

About the Cloud Security Alliance
• Global, not-for-profit organization
• Over 16,000 individual members, 80 corporate members
• Building best practices and a trusted cloud ecosystem
• Agile philosophy, rapid development of applied research

• GRC: Balance compliance with risk management
• Reference models: build using existing standards
• Identity: a key foundation of a functioning cloud economy
• Champion interoperability
• Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Contact
• Help us secure cloud computing
• www.cloudsecurityalliance.org
• [email protected]
• LinkedIn: www.linkedin.com/groups?gid=1864210
• Twitter: @cloudsa

Thank You

www.cloudsecurityalliance.org