Cloud Security Alliance GRC Stack Training Becky Swain, Cisco Marlin Pohlman, EMC Laura Posey, Microsoft February 2011

Upload: truongnhan

Post on 02-Apr-2018


TRANSCRIPT

Page 1:

Cloud Security Alliance

GRC Stack Training

Becky Swain, Cisco

Marlin Pohlman, EMC

Laura Posey, Microsoft

February 2011

Page 2:

www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance

Cloud Computing: NIST Definition

• UPDATED (Jan 2011) – National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft)

• Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)

• Rapidly provisioned and released with minimal management effort or service provider interaction

• Composed of 5 essential characteristics, 3 service models, and 4 deployment models.

• Source: http://www.nist.gov/itl/csd/cloud-020111.cfm

Page 3:

Cloud Computing: 5 Essential Characteristics

• On-demand tenant self-service model for provisioning computing capabilities (server time, network storage, etc.)

• Broad network access with capabilities over the network accessible by standard mechanisms and mobile platforms

• Resource pooling through dynamically assigned physical and virtual capabilities, delivered in a multi-tenant, location-independent model

• Rapid elasticity: provisioned resources adjusted automatically or manually, in line with service level flexibility and needs

• Measured service to monitor, control and report on transparent resource optimization

Page 4:

Cloud Computing: 3 Service Models

• Software as a Service (SaaS)

• Capability made available to tenant (or consumer) to use provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces.

• Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx

• Platform as a Service (PaaS)

• Capability made available to tenant to deploy tenant owned (created or acquired) applications using programming languages and tools supported by provider.

• Examples: Microsoft Azure, Amazon Web Services, Bungee Connect

• Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)

• Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant’s applications.

• Examples: Rackspace, Terremark (Verizon), Savvis, AT&T

Page 5:

Cloud Computing: 4 Deployment Models

                 (1) PRIVATE                   (2) COMMUNITY                                  (3) PUBLIC
ACCESSIBILITY    Single Organization           Shared with Common Interests / Requirements    General Public / Large Industry Group
MANAGEMENT       Organization or Third Party   Organization or Third Party                    Cloud Provider
HOST             On or Off Premise             On or Off Premise                              On or Off Premise

(4) HYBRID

• Composition of 2 or more deployment models that remain unique entities

• Bound together by standardized or proprietary technology enabling data and application portability

Page 6:

Cloud Computing Security: Largest Barrier to Adoption

Page 7:

What is Different about Cloud?

Page 8:

What is Different about Cloud?

SERVICE (OWNER)   SaaS       PaaS       IaaS
Data              Joint      Tenant     Tenant
Application       Joint      Joint      Tenant
Compute           Provider   Joint      Tenant
Storage           Provider   Provider   Joint
Network           Provider   Provider   Joint
Physical          Provider   Provider   Provider

Page 9:

What is Different about Cloud?

Page 10:

What is Different about Cloud?

Page 11:

What is Different about Cloud?

Page 12:

Cloud Controls Matrix

Page 13:

Cloud Controls Matrix

• V1.1 Released Dec 2010

• Rated as applicable to S-P-I with Cloud Provider / Tenant Delineation

• Controls baselined and mapped to:

• COBIT

• HIPAA / HITECH Act

• ISO/IEC 27001:2005

• NIST SP 800-53

• FedRAMP

• PCI DSS v2.0

• BITS Shared Assessments

• GAPP

Leadership Team

• Becky Swain – Cisco Systems, Inc.

• Philip Agcaoili – Cox Communications

• Marlin Pohlman – EMC, RSA

• Kip Boyle – CSA

Page 14:

Cloud Controls Matrix: Global Industry Contribution

• Adalberto Afonso A Navarro F do Valle – Deloitte LLP

• Addison Lawrence – Dell

• Akira Shibata – NTT DATA Corp

• Andy Dancer

• Anna Tang – Cisco Systems, Inc.

• April Battle – MITRE

• Chandrasekar Umpathy

• Chris Brenton – Dell

• Dale Pound – SAIC

• Daniel Philpott – Tantus Technologies

• Dr. Anton Chuvakin – Security Warrior Consulting

• Elizabeth Ann Wickham – L47 Consulting Limited

• Gary Sheehan – Advanced Server Mgmt Group, Inc.

• Georg Heß

• Georges Ataya – Solvay Brussels School of Economics & Mgmt

• Glen Jones – Cisco Systems, Inc.

• Greg Zimmerman – Jefferson Wells

• Guy Bejerano – LivePerson

• Henry Ojo – Kamhen Services Ltd.

• Jakob Holm Hansen – Neupart A/S

• Joel Cort – Xerox Corporation

• John DiMaria – HISPI

• John Sapp – McKesson Healthcare, HISPI

• Joshua Schmidt – Vertafore, Inc.

• Karthik Amrutesh – Ernst and Young LLP

• Kelvin Arcelay – Arcelay & Associates

• Kyle Lai – KLC Consulting, Inc.

• Larry Harvey – Cisco Systems, Inc.

• Laura Kuiper – Cisco Systems, Inc.

• Lisa Peterson – Progressive Insurance

• Lloyd Wilkerson – Robert Half International

• Marcelo Gonzalez – Banco Central Republica Argentina

• Mark Lobel – PricewaterhouseCoopers LLP

• Meenu Gupta – Mittal Technologies

• Michael Craigue, Ph.D. – Dell

• Mike Craigue

• MS Prasad – Exec Dir CSA India

• Niall Browne – LiveOps

• Patrick Sullivan

• Patty Williams – Symetra Financial

• Paul Stephen – Ernst and Young LLP

• Phil Genever-Watling

• Philip Richardson – Logicalis UK Ltd

• Pritam Bankar – Infosys Technologies Ltd.

• Ramesan Ramani – Paramount Computer Systems

• Steve Primost

• Taiye Lambo – eFortresses, Inc.

• Tajeshwar Singh

• Thej Mehta – KPMG LLP

• Thomas Loczewski – Ernst and Young GmbH, Germany

• Vincent Samuel – KPMG LLP

• Yves Le Roux – CA Technologies

Page 15:

Cloud Controls Matrix: Characteristics

• Objective measure to monitor activities and then take corrective action to accomplish organizational goals.

• Comprised of a set of policies and processes (internal controls) affecting the way Cloud services are directed, administered or controlled.

• Aligned to Information Security regulatory rules and industry accepted guidance.

• Controls reflect the intent of the CSA Guidance as applied to existing patterns of Cloud execution.

Page 16:

Cloud Controls Matrix: Optimal & Holistic Compliance

Bridging Regulatory Governance And Practical Compliance

Page 17:

Cloud Controls Matrix: 11 Domains

1. Compliance (CO)

2. Data Governance (DG)

3. Facility Security (FS)

4. Human Resources (HR)

5. Information Security (IS)

6. Legal (LG)

7. Operations Management (OM)

8. Risk Management (RI)

9. Release Management (RM)

10. Resiliency (RS)

11. Security Architecture (SA)

Page 18:

Cloud Controls Matrix: 98 Controls

Compliance

• CO01 – Audit Planning

• CO02 – Independent Audits

• CO03 – Third Party Audits

• CO04 – Contact / Authority Maintenance

• CO05 – Information System Regulatory Mapping

• CO06 – Intellectual Property

Data Governance

• DG01 – Ownership / Stewardship

• DG02 – Classification

• DG03 – Handling / Labeling / Security Policy

• DG04 – Retention Policy

• DG05 – Secure Disposal

• DG06 – Non-Production Data

• DG07 – Information Leakage

• DG08 – Risk Assessments

Legal

• LG01 – Non-Disclosure Agreements

• LG02 – Third Party Agreements

Risk Management

• RI01 – Program

• RI02 – Assessments

• RI03 – Mitigation / Acceptance

• RI04 – Business / Policy Change Impacts

• RI05 – Third Party Access

Page 19:

Cloud Controls Matrix: 98 Controls (cont.)

Release Management

• RM01 – New Development / Acquisition

• RM02 – Production Changes

• RM03 – Quality Testing

• RM04 – Outsourced Development

• RM05 – Unauthorized Software Installations

Resiliency

• RS01 – Management Program

• RS02 – Impact Analysis

• RS03 – Business Continuity Planning

• RS04 – Business Continuity Testing

• RS05 – Environmental Risks

• RS06 – Equipment Location

• RS07 – Equipment Power Failures

• RS08 – Power / Telecommunications

Operational Management

• OP01 – Policy

• OP02 – Documentation

• OP03 – Capacity / Resource Planning

• OP04 – Equipment Maintenance

Human Resources

• HR01 – Background Screening

• HR02 – Employment Agreements

• HR03 – Employment Termination

Page 20:

Cloud Controls Matrix: 98 Controls (cont.)

Security Architecture

• SA01 – Customer Access Requirements

• SA02 – User ID Credentials

• SA03 – Data Security / Integrity

• SA04 – Application Security

• SA05 – Data Integrity

• SA06 – Production / Non-Production Environments

• SA07 – Remote User Multi-Factor Authentication

• SA08 – Network Security

• SA09 – Segmentation

• SA10 – Wireless Security

• SA11 – Shared Networks

• SA12 – Clock Synchronization

• SA13 – Equipment Identification

• SA14 – Audit Logging / Intrusion Detection

• SA15 – Mobile Code

Facility Security

• FS01 – Policy

• FS02 – User Access

• FS03 – Controlled Access Points

• FS04 – Secure Area Authorization

• FS05 – Unauthorized Persons Entry

• FS06 – Off-Site Authorization

• FS07 – Off-Site Equipment

• FS08 – Asset Management

Page 21:

Cloud Controls Matrix: 98 Controls (cont.)

Information Security

• IS01 – Management Program

• IS02 – Management Support / Involvement

• IS03 – Policy

• IS04 – Baseline Requirements

• IS05 – Policy Reviews

• IS06 – Policy Enforcement

• IS07 – User Access Policy

• IS08 – User Access Restriction / Authorization

• IS09 – User Access Revocation

• IS10 – User Access Reviews

• IS11 – Training / Awareness

• IS12 – Industry Knowledge / Benchmarking

• IS13 – Roles / Responsibilities

• IS14 – Management Oversight

• IS15 – Segregation of Duties

• IS16 – User Responsibility

• IS17 – Workspace

• IS18 – Encryption

• IS19 – Encryption Key Management

• IS20 – Vulnerability / Patch Management

• IS21 – Anti-Virus / Malicious Software

• IS22 – Incident Management

• IS23 – Incident Reporting

• IS24 – Incident Response Legal Preparation

• IS25 – Incident Response Metrics

• IS26 – Acceptable Use

• IS27 – Asset Returns

• IS28 – eCommerce Transactions

• IS29 – Audit Tools Access

• IS30 – Diagnostic / Configuration Ports Access

• IS31 – Network Services

• IS32 – Portable / Mobile Devices

• IS33 – Source Code Access Restriction

• IS34 – Utility Programs Access

Page 22:

Consensus Assessment Initiative

Page 23:

Consensus Assessment Initiative

• Research tools and processes to perform shared assessments of cloud providers

• Lightweight “common assessment criteria” concept

• Integrated with Controls Matrix

• Ver 1 CAI Questionnaire released Oct 2010, approx 140 provider questions to identify presence of security controls or practices

Page 24:

Consensus Assessment Initiative: Team

Contributors

• Matthew Becker – Bank of America

• Aaron Benson – Novell

• Ken Biery – Verizon Business

• Kristopher Fador – Bank of America

• David Gochenaur – Aon Corporation

• Jesus Molina – Fujitsu

• John Nootens – AMA Association

• Hemma Prafullchandra – Hytrust

• Gorka Sadowski – Log Logic

• Richard Schimmel – Bank of America

• Patrick Vowles – RSA

• Kenneth Zoline – IBM

Leaders

• Laura Posey – Microsoft

• Jason Witty – Bank of America

• Marlin Pohlman – EMC, RSA

• Earle Humphreys – ITEEx

Editor

• Christofer Hoff – Cisco

Page 25:

Consensus Assessment Initiative: Approach

• Build “cloud-specific” question-set

• CSA guidance

• Industry experts

• Align questions with the CSA Cloud Controls Matrix

• Release 1.0 question-set publicly

• Integrate into CloudAudit.org framework

• Post to CloudSecurityAlliance.org

Page 26:

Consensus Assessment Initiative Questionnaire (CAIQ) – 148 Qs

Page 27:

CloudAudit

Page 28:

CloudAudit

• Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments

• Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.

Page 29:

CloudAudit: Objective

• A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.

• Define a namespace that can support diverse frameworks

• Express five critical compliance frameworks in that namespace

• Define the mechanisms for requesting and responding to queries relating to specific controls

• Integrate with portals and AAA systems

Page 30:

CloudAudit: Aligned to Cloud Controls Matrix

• First efforts aligned to compliance frameworks as established by CSA Control Matrix:

• PCI DSS

• HIPAA

• COBIT

• ISO/IEC 27001:2005

• NIST SP 800-53

• Incorporate CSA’s CAI and additional Compliance Packs

• Expand alignment to “infrastructure”-centric and “operations”-centric views also

Page 31:

CloudAudit: Sample Implementation

CSA Compliance Pack

Page 32:

CloudAudit: Sample Implementation (cont.)

CSA Compliance Pack

Page 33:

CloudAudit: Sample Implementation (cont.)

CSA Compliance Pack

Page 34:

CloudAudit: Release Deliverables

• Contains all Compliance Packs, documentation and scripts needed to begin implementation of CloudAudit

• Working with Service Providers and Tool Vendors for Adoption

• Officially folded CloudAudit under the Cloud Security Alliance in October, 2010

• http://www.cloudaudit.org/CloudAudit_Distribution_20100815.zip

Page 35:

CloudAudit: Release Deliverables (cont.)

Request Flow for Users & Tools

Page 36:

CloudAudit: Release Deliverables (cont.)

index.html/default.jsp/etc.

• Index.html is for dumb browser consumption

• Typically, the direct human user use case

• It can be omitted if directory browsing is enabled

• It contains JavaScript to look for the manifest.xml file, parse it, and display it as HTML.

• If no manifest.xml exists, it should list the directory contents relevant to the control in question

Page 37:

CloudAudit: Release Deliverables (cont.)

manifest.xml

• Structured listing of a control endpoint's contents

• Can be extended to provide contextual information

• Primarily aimed at tool consumption

• In Atom format
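A tool-side consumer of the endpoint layout the two slides above describe: read manifest.xml as an Atom feed when it exists, otherwise fall back to the directory contents, as index.html's JavaScript is said to do. This is an added Python example, not code from the CloudAudit distribution; the Atom manifest is constructed for illustration, the IS18 and CO02 directory names only borrow control IDs from the Cloud Controls Matrix slides, and the link check is the kind of caveat a consuming tool needs, not something the slides specify.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed sample manifest for one CCM control (IS18 Encryption); not taken
# from CloudAudit. The second entry deliberately links outside the endpoint.
SAMPLE_MANIFEST = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>IS18 Encryption: supporting documentation</title>
  <updated>2011-02-01T00:00:00Z</updated>
  <entry>
    <title>Encryption policy</title>
    <link rel="alternate" href="encryption-policy.pdf"/>
    <updated>2011-01-15T00:00:00Z</updated>
    <summary>Tenant data encrypted at rest and in transit.</summary>
  </entry>
  <entry>
    <title>Key management attestation</title>
    <link rel="alternate" href="../../other-control/report.pdf"/>
    <updated>2010-12-20T00:00:00Z</updated>
    <summary>Link leaves the control directory; consumers should flag it.</summary>
  </entry>
</feed>
"""


def _q(tag):
    """Clark-notation name for an element in the Atom namespace."""
    return "{%s}%s" % (ATOM_NS, tag)


def is_local_href(href):
    """True only for a relative link that stays inside the endpoint directory."""
    if not href or "://" in href or href.startswith(("/", "\\")):
        return False
    return ".." not in href.replace("\\", "/").split("/")


def parse_manifest(xml_text):
    """Return one dict per Atom <entry>: title, href, updated, summary, local.
    expat, as used by xml.etree, does not fetch external entities, so a
    hostile manifest cannot make this consumer read files it did not ask for.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q("feed"):
        raise ValueError("manifest.xml is not an Atom feed")
    entries = []
    for entry in root.findall(_q("entry")):
        link = entry.find(_q("link"))
        href = link.get("href", "") if link is not None else ""
        entries.append({
            "title": entry.findtext(_q("title"), default=""),
            "href": href,
            "updated": entry.findtext(_q("updated"), default=""),
            "summary": entry.findtext(_q("summary"), default=""),
            "local": is_local_href(href),
        })
    return entries


def read_control_endpoint(directory):
    """("manifest", entries) when manifest.xml exists, else ("listing", files)."""
    manifest_path = os.path.join(directory, "manifest.xml")
    if os.path.isfile(manifest_path):
        with open(manifest_path, encoding="utf-8") as fh:
            return "manifest", parse_manifest(fh.read())
    # No manifest: list the directory contents relevant to the control,
    # leaving out the browser-facing index page itself.
    files = sorted(n for n in os.listdir(directory)
                   if n not in ("index.html", "default.jsp"))
    return "listing", files


def demo():
    """Build two constructed endpoint directories and read each one."""
    with tempfile.TemporaryDirectory() as tmp:
        with_manifest = os.path.join(tmp, "IS18")
        os.makedirs(with_manifest)
        with open(os.path.join(with_manifest, "manifest.xml"), "w",
                  encoding="utf-8") as fh:
            fh.write(SAMPLE_MANIFEST)
        without_manifest = os.path.join(tmp, "CO02")
        os.makedirs(without_manifest)
        for name in ("index.html", "audit-letter-2010.pdf", "scope.txt"):
            open(os.path.join(without_manifest, name), "w").close()
        return {"IS18": read_control_endpoint(with_manifest),
                "CO02": read_control_endpoint(without_manifest)}
```

Calling demo() returns the manifest entries for IS18 (with the escaping link marked local=False) and the plain file listing for CO02.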

Page 38:

CSA GRC Stack

Page 39:

CSA GRC Stack

• Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.

[Diagram labels: Control Requirements; Provider Assertions; Private, Community & Public Clouds]

Page 40:

CSA GRC Stack

• Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of Governance, Risk Management and Compliance (GRC) requirements – success dependent upon:

• Appropriate assessment criteria; and

• Relevant control objectives and timely access to necessary supporting data.

• CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.

• Integrated suite of 3 CSA initiatives: CloudAudit, Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).

• Available now for free download at: www.cloudsecurityalliance.org/grcstack.zip

Page 41:

CSA GRC Stack: Bringing it all together…

Page 42:

CSA GRC Stack: Industry Collaboration & Support

• International Organization for Standards (ISO)

• ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy with active CSA representation

• European Network and Information Security Agency (ENISA)

• Common Assurance Maturity Model (CAMM)

• American Institute of Certified Public Accountants (AICPA)

• Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy

• National Institute of Standards and Technology (NIST)

• Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)

Page 43:

CSA GRC Stack: Industry Collaboration & Support (cont.)

• Inverse Control Framework Mappings

• Health Information Trust Alliance (HITRUST)

• Unified Compliance Framework (UCF)

• Information Systems Audit and Control Association (ISACA)

• BITS Shared Assessments SIG/AUP + TG Participation

• Information Security Forum (ISF)

Page 44:

About the Cloud Security Alliance

Page 45:

About the Cloud Security Alliance

• Global, not-for-profit organization

• Over 16,000 individual members, 80 corporate members

• Building best practices and a trusted cloud ecosystem

• Agile philosophy, rapid development of applied research

• GRC: Balance compliance with risk management

• Reference models: build using existing standards

• Identity: a key foundation of a functioning cloud economy

• Champion interoperability

• Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 46:

Contact

• Help us secure cloud computing

• www.cloudsecurityalliance.org

[email protected]

• LinkedIn: www.linkedin.com/groups?gid=1864210

• Twitter: @cloudsa

Page 47:

www.cloudsecurityalliance.org

Thank You