cloud security alliance · · 2016-01-25cloud security alliance grc stack ... cloud computing...
TRANSCRIPT
Cloud Security Alliance
GRC Stack Training
Becky Swain, Cisco
Marlin Pohlman, EMC
Laura Posey, Microsoft
February 2011
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud ComputingNIST Definition
• UPDATED (Jan 2011) – National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft)
• Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
• Rapidly provisioned and released with minimal management effort or service provider interaction
• Composed of 5 essential characteristics, 3 service models, and 4 deployment models.
• Source: http://www.nist.gov/itl/csd/cloud-020111.cfm
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Computing5 Essential Characteristics
• On-demand tenant self-service model for provisioning computing capabilities (server time, network storage, etc.)
• Broad network access with capabilities over the network accessible by standard mechanisms and mobile platforms
• Resource pooling through dynamically assigned physical and virtual capabilities delivered in a multi-tenant model and location independent
• Rapid elasticity of provisioned resources automatically or manually adjusted aligned with service level flexibility and needs
• Measured service to monitor, control and report on transparent resource optimization
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Computing3 Service Models
• Software as a Service (SaaS)
• Capability made available to tenant (or consumer) to use provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces.
• Examples: Salesforce.com, Drop Box, Box.net, Google Docs, WebEx
• Platform as a Service (PaaS)
• Capability made available to tenant to deploy tenant owned (created or acquired) applications using programming languages and tools supported by provider.
• Examples: Microsoft Azure, Amazon Web Services, Bungee Connect
• Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)
• Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant’s applications.
• Examples: Rackspace, Terremark (Verizon), Savvis, AT&T
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Computing4 Deployment Models
(1) PRIVATE (2) COMMUNITY (3)PUBLIC
ACCESSIBILITY Single Organization
Shared with
Common Interests /
Requirements
General Public /
Large Industry
Group
MANAGEMENTOrganization or
Third Party
Organization or
Third PartyCloud Provider
HOST On or Off Premise On or Off Premise On or Off Premise
(4) HYBRID
• Composition of 2 or more deployment models that remain unique entities
• Bound together by standardized or proprietary technology enabling data and application portability
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud ComputingSecurity: Largest Barrier to Adoption
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
What is Different about Cloud?
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
What is Different about Cloud?
SERVICE OWNER SaaS PaaS IaaS
Data Joint Tenant Tenant
Application Joint Joint Tenant
Compute Provider Joint Tenant
Storage Provider Provider Joint
Network Provider Provider Joint
Physical Provider Provider Provider
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
What is Different about Cloud?
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
What is Different about Cloud?
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
What is Different about Cloud?
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls Matrix
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls Matrix
• V1.1 Released Dec 2010
• Rated as applicable to S-P-I with Cloud Provider / Tenant Delineation
• Controls baselined and mapped to:• COBIT
• HIPAA / HITECH Act
• ISO/IEC 27001-2005
• NISTSP800-53
• FedRAMP
• PCI DSSv2.0
• BITS Shared Assessments
• GAPP
Leadership Team• Becky Swain – Cisco Systems, Inc.
• Philip Agcaoili – Cox Communications
• Marlin Pohlman – EMC, RSA
• Kip Boyle – CSA
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls MatrixGlobal Industry Contribution
• Kyle Lai – KLC Consulting, Inc.
• Larry Harvey – Cisco Systems, Inc.
• Laura Kuiper – Cisco Systems, Inc.
• Lisa Peterson – Progressive Insurance
• Lloyd Wilkerson – Robert Half International
• Marcelo Gonzalez – Banco Central Republica Argentina
• Mark Lobel – PricewaterhouseCoopers LLP
• Meenu Gupta – Mittal Technologies
• Michael Craigue, Ph.D. – Dell
• Mike Craigue
• MS Prasad, Exec Dir CSA India
• Niall BrowneI – LiveOps
• Patrick Sullivan
• Patty Williams – Symetra Financial
• Paul Stephen – Ernst and Young LLP
• Phil Genever-Watling
• Philip Richardson – Logicalis UK Ltd
• PritamBankar – Infosys Technologies Ltd.
• RamesanRamani – Paramount Computer Systems
• Steve Primost
• TaiyeLambo – eFortresses, Inc .
• Tajeshwar Singh
• Thej Mehta – KPMG LLP
• Thomas Loczewski – Ernst and Young GmbH, Germany
• Vincent Samuel – KPMG LLP
• Yves Le Roux – CA Technologies
• AdalbertoAfonso A Navarro F do Valle – Deloitte LLP
• Addison Lawrence – Dell
• Akira Shibata – NTT DATA Corp
• Andy Dancer
• Anna Tang – Cisco Systems, Inc.
• April Battle – MITRE
• ChandrasekarUmpathy
• Chris Brenton – Dell
• Dale Pound – SAIC
• Daniel Philpott – Tantus Technologies
• Dr. Anton Chuvakin – Security Warrior Consulting
• Elizabeth Ann Wickham – L47 Consulting Limited
• Gary Sheehan – Advanced Server Mgmt Group, Inc.
• Georg Heß
• Georges Ataya Solvay – Brussels School of Economics & Mgmt
• Glen Jones – Cisco Systems, Inc.
• Greg Zimmerman – Jefferson Wells
• Guy Bejerano - LivePerson
• Henry Ojo – Kamhen Services Ltd,
• Jakob Holm Hansen – Neupart A/S
• Joel Cort – Xerox Corporation
• John DiMaria – HISPI
• John Sapp – McKesson Healthcare, HISPI
• Joshua Schmidt – Vertafore, Inc.
• KarthikAmrutesh – Ernst and Young LLP
• Kelvin Arcelay – Arcelay& Associates
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls MatrixCharacteristics
• Objective measure to monitor activities and then take
corrective action to accomplish organizational goals.
• Comprised of a set of policies and processes (internal
controls) affecting the way Cloud services are directed,
administered or controlled.
• Aligned to Information Security regulatory rules and
industry accepted guidance.
• Controls reflect the intent of the CSA Guidance as
applied to existing patterns of Cloud execution.
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls MatrixOptimal & Holistic Compliance
Bridging Regulatory Governance And Practical Compliance
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls Matrix11 Domains
1. Compliance (CO)
2. Data Governance (DG)
3. Facility Security (FS)
4. Human Resources (HR)
5. Information Security (IS)
6. Legal (LG)
7. Operations Management (OM)
8. Risk Management (RI)
9. Release Management (RM)
10. Resiliency (RS)
11.Security Architecture (SA)
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls Matrix98 Controls
Compliance• CO01 – Audit Planning
• CO02 – Independent Audits
• CO03 – Third Party Audits
• CO04 – Contact / Authority Maintenance
• CO05 – Information System Regulatory Mapping
• CO06 – Intellectual Property
Data Governance• DG01 – Ownership / Stewardship
• DG02 – Classification
• DG03 – Handling / Labeling / Security Policy
• DG04 – Retention Policy
• DG05 – Secure Disposal
• DG06 – Non-Production Data
• DG07 – Information Leakage
• DG08 – Risk Assessments
Legal• LG01 - Non-Disclosure Agreements
• LG02 - Third Party Agreements
Risk Management• RI01 – Program
• RI02 – Assessments
• RI03 – Mitigation / Acceptance
• RI04 – Business / Policy Change Impacts
• RI05 – Third Party Access
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls Matrix98 Controls (cont.)
Release Management• RM01 – New Development / Acquisition
• RM02 – Production Changes
• RM03 – Quality Testing
• RM04 – Outsourced Development
• RM05 – Unauthorized Software Installations
Resiliency• RS01 – Management Program
• RS02 – Impact Analysis
• RS03 – Business Continuity Planning
• RS04 – Business Continuity Testing
• RS05 – Environmental Risks
• RS06 – Equipment Location
• RS07 – Equipment Power Failures
• RS08 – Power / Telecommunications
Operational Management• OP01 – Policy
• OP02 – Documentation
• OP03 – Capacity / Resource Planning
• OP04 – Equipment Maintenance
Human Resources• HR01 – Background Screening
• HR02 – Employment Agreements
• HR03 – Employment Termination
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls Matrix98 Controls (cont.)
Security Architecture• SA01 – Customer Access Requirements
• SA02 – User ID Credentials
• SA03 – Data Security / Integrity
• SA04 – Application Security
• SA05 – Data Integrity
• SA06 – Production / Non-Production Environments
• SA07 – Remote User Multi-Factor Authentication
• SA08 – Network Security
• SA09 – Segmentation
• SA10 – Wireless Security
• SA11 – Shared Networks
• SA12 – Clock Synchronization
• SA13 – Equipment Identification
• SA14 – Audit Logging / Intrusion Detection
• SA15 – Mobile Code
Facility Security• FS01 – Policy
• FS02 – User Access
• FS03 – Controlled Access Points
• FS04 – Secure Area Authorization
• FS05 – Unauthorized Persons Entry
• FS06 – Off-Site Authorization
• FS07 – Off-Site Equipment
• FS08 – Asset Management
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Cloud Controls Matrix98 Controls (cont.)
Information Security• IS01 – Management Program
• IS02 – Management Support / Involvement
• IS03 – Policy
• IS04 – Baseline Requirements
• IS05 – Policy Reviews
• IS06 – Policy Enforcement
• IS07 – User Access Policy
• IS08 – User Access Restriction / Authorization
• IS09 – User Access Revocation
• IS10 – User Access Reviews
• IS11 – Training / Awareness
• IS12 – Industry Knowledge / Benchmarking
• IS13 – Roles / Responsibilities
• IS14 – Management Oversight
• IS15 – Segregation of Duties
• IS16 – User Responsibility
• IS17 – Workspace
• IS18 – Encryption
• IS19 – Encryption Key Management
• IS20 – Vulnerability / Patch Management
• IS21 – Anti-Virus / Malicious Software
• IS22 – Incident Management
• IS23 – Incident Reporting
• IS24 – Incident Response Legal Preparation
• IS25 – Incident Response Metrics
• IS26 – Acceptable Use
• IS27 – Asset Returns
• IS28 – eCommerce Transactions
• IS29 – Audit Tools Access
• IS30 – Diagnostic / Configuration Ports Access
• IS31 – Network Services
• IS32 – Portable / Mobile Devices
• IS33 – Source Code Access Restriction
• IS34 – Utility Programs Access
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Consensus Assessment
Initiative
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Consensus Assessment Initiative
• Research tools and processes to perform shared assessments of cloud providers
• Lightweight “common assessment criteria” concept
• Integrated with Controls Matrix
• Ver 1 CAI Questionnaire released Oct 2010, approx 140 provider questions to identify presence of security controls or practices
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Consensus Assessment InitiativeTeam
Contributors
• Matthew Becker – Bank of America
• Aaron Benson – Novell
• Ken Biery – Verizon Business
• Kristopher Fador – Bank of America
• David Gochenaur – Aon Corporation
• Jesus Molina – Fujitsu
• John Nootens – AMA Association
• HemmaPrafullchandra – Hytrust
• GorkaSadowski – Log Logic
• Richard Schimmel – Bank of America
• Patrick Vowles – RSA
• Kenneth Zoline – IBM
Leaders
• Laura Posey – Microsoft
• Jason Witty – Bank of America
• Marlin Pohlman – EMC, RSA
• Earle Humphreys – ITEEx
Editor
• Christofer Hoff – Cisco
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Consensus Assessment InitiativeApproach
• Build “cloud-specific” question-set
• CSA guidance
• Industry experts
• Align questions with the CSA Cloud Controls Matrix
• Release 1.0 question-set publically
• Integrate into CloudAudit.org framework
• Post to CloudSecurityAlliance.org
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Consensus Assessment Initiative Questionnaire (CAIQ) – 148 Qs
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAudit
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAudit
• Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments
• Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAuditObjective
• A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
• Define a namespace that can support diverse frameworks
• Express five critical compliance frameworks in that namespace
• Define the mechanisms for requesting and responding to queries relating to specific controls
• Integrate with portals and AAA systems
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAuditAligned to Cloud Controls Matrix
• First efforts aligned to compliance frameworks as established by CSA Control Matrix:
• PCI DSS
• HIPAA
• COBIT
• ISO/IEC 27001-2005
• NISTSP800-53
• Incorporate CSA’s CAI and additional CompliancePacks
• Expand alignment to “infrastructure” and “operations” -centric views also
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAuditSample Implementation
CSA Compliance Pack
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAuditSample Implementation (cont.)
CSA Compliance Pack
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAuditSample Implementation (cont.)
CSA Compliance Pack
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAuditRelease Deliverables
• Contains all Compliance Packs, documentation and scripts needed to begin implementation of CloudAudit
• Working with Service Providers and Tool Vendors for Adoption
• Officially folded CloudAudit under the Cloud Security Alliance in October, 2010
• http://www.cloudaudit.org/CloudAudit_Distribution_20100815.zip
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAuditRelease Deliverables (cont.)
Request Flow for Users & Tools
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAuditRelease Deliverables (cont.)
index.html/default.jsp/etc.
• Index.html is for dumb browser consumptions
• Typically, the direct human user use case
• It can be omitted if directory browsing is enabled
• It contains JavaScript to look for the manifest.xml file, parse it, and display it as HTML.
• If no manifest.xml exists, it should list the directory contents relevant to the control in question
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CloudAuditRelease Deliverables (cont.)
manifest.xml
• Structured listing of control endpoints contents
• Can be extended to provide contextual information
• Primarily aimed at tool consumption
• In Atom format
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CSA GRC Stack
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CSA GRC Stack
• Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.
Control Requirements
Provider Assertions
Private,
Community &
Public Clouds
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CSA GRC Stack
• Whether implementing private, public or hybrid clouds, the shift to compute as a
service presents new challenges across the spectrum of Governance, Risk
Management and Compliance (GRC) requirements – success dependent upon:
• Appropriate assessment criteria; and
• Relevant control objectives and timely access to necessary supporting data.
• CSA GRC Stack provides a toolkit for enterprises, cloud providers, security
solution providers, IT auditors and other key stakeholders to instrument and
assess both private and public clouds against industry established best practices,
standards and critical compliance requirements.
• Integrated suite of 3 CSA initiatives: CloudAudit, Cloud Controls Matrix (CCM) and
Consensus Assessments Initiative Questionnaire (CAIQ).
• Available now for free download at: www.cloudsecurityalliance.org/grcstack.zip
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CSA GRC StackBringing it all together…
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CSA GRC StackIndustry Collaboration & Support
• International Organization for Standards (ISO)
• ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of
Cloud Computing Security and Privacy with active CSA representation
• European Network and Information Security Agency (ENISA)
• Common Assurance Maturity Model (CAMM)
• American Institute of Certified Public Accountants (AICPA)
• Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 –
Service Organization Controls over Security, Confidentiality, Processing
Integrity, Availability, and Privacy
• National Institute of Standards and Technology (NIST)
• Consolidated feedback on Federal Risk and Authorization Management
Program (FedRAMP)
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CSA GRC StackIndustry Collaboration & Support (cont.)
• Inverse Control Framework Mappings
• Health Information Trust Alliance (HITRUST)
• Unified Compliance Framework (UCF)
• Information Systems Audit and Control Association (ISACA)
• BITS Shared Assessments SIG/AUP + TG Participation
• Information Security Forum (ISF)
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
About the Cloud Security
Alliance
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
About the Cloud Security Alliance
• Global, not-for-profit organization
• Over 16,000 individual members, 80 corporate
members
• Building best practices and a trusted cloud ecosystem
• Agile philosophy, rapid development of applied
research• GRC: Balance compliance with risk management
• Reference models: build using existing standards
• Identity: a key foundation of a functioning cloud economy
• Champion interoperability
• Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help
secure all other forms of computing.”
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Contact
• Help us secure cloud computing
• www.cloudsecurityalliance.org
• LinkedIn: www.linkedin.com/groups?gid=1864210
• Twitter: @cloudsa