Cloud Security Alliance's GRC Stack Overview
© 2011 Cloud Security Alliance, Inc. All rights reserved.
Cloud Security Alliance & GRC Stack
Materials by Cloud Security Alliance.org ©
& PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance,
& Prof. Kai Hwang, University of Southern California
Presented to Triad ISSA, NC, January 26, 2012
Valdez Ladd, ISSA Raleigh, NC 2012
About the Cloud Security Alliance
Global, not-for-profit organization
Building best practices and a trusted cloud ecosystem
Comprehensive research and tools
Certificate of Cloud Security Knowledge (CCSK)
www.cloudsecurityalliance.org
Presentation Outline
Introduction: what this class is about, prerequisites, how to benefit
Cloud basics
PCI DSS + cloud scenario as the running example
Cloud Security Alliance toolsets: Cloud Controls Matrix, Consensus Assessments, etc.
Conclusions and action items
Cloud?
NIST Definition of Cloud Computing
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
5 Essential Cloud Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling
– Location independence
4. Rapid elasticity
5. Measured service
3 Cloud Service Models
1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network
2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources
To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics
4 Cloud Deployment Models
Private cloud – Enterprise owned or leased
Community cloud – Shared infrastructure for a specific community
Public cloud – Sold to the public, mega-scale infrastructure <- our focus in this class!
Hybrid cloud – Composition of two or more clouds
7 Common Cloud Characteristics
1. Massive scale
2. Homogeneity
3. Virtualization
4. Resilient computing
5. Low cost software
6. Geographic distribution
7. Service orientation
All of this TOGETHER: The Cloud
(Figure: the layered cloud model. Deployment models (private, community, public and hybrid clouds) sit on top of the service models (SaaS, PaaS, IaaS), which rest on the essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service) and the common characteristics (massive scale, homogeneity, virtualization, resilient computing, low cost software, geographic distribution, service orientation, advanced security).)
Example IaaS: Amazon Cloud
Amazon cloud components
– Elastic Compute Cloud (EC2)
• Run your own or Amazon’s OS “instances”
– Simple Storage Service (S3)
– SimpleDB
– Other services
Example PaaS: Google App Engine
Create, deploy and run applications
NO control (or, in fact, even visibility) of the OS
Use the SDK to develop the applications
Run “natively” in the cloud
Example SaaS: Salesforce
Well-known SaaS CRM application
Cloud CRM + a lot more applications
Example P/IaaS: Azure
Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
Service Model Architectures
(Figure: service model architectures, each built on Cloud Infrastructure. IaaS architectures: IaaS directly on the infrastructure. PaaS architectures: PaaS on top of IaaS, or PaaS directly on the infrastructure. SaaS architectures: SaaS on PaaS on IaaS, SaaS on PaaS, or SaaS directly on the infrastructure.)
Security: Barrier to Adoption?
What is Different about Cloud?
Security Relevant Cloud Components
Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter Security
Elastic Elements: Storage, Processing, and Virtual Networks
CSA Cloud “Threats”
1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile
ENISA Cloud Computing Risk Assessment http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider
Cloud “Threats” – Top 3
1. Authentication abuse
2. Operations breakdown
3. Misuse of cloud-specific technology
FBI Takes Cloud Away
While we are “in the cloud”
Here are some additional CSA/cloud security resources…
CSA GRC Stack
Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.
(Figure: the GRC Stack matches control requirements on one side against provider assertions on the other, across private, community and public clouds.)
CSA CloudAudit
Open standard and API to automate provider audit assertions
Change audit from data gathering to data analysis
Necessary to provide audit & assurance at the scale demanded by cloud providers
Uses the Cloud Controls Matrix as the controls namespace
Use it to instrument the cloud for continuous controls monitoring
CSA Cloud Controls Matrix
Controls derived from guidance
Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
Rated as applicable to SaaS/PaaS/IaaS
Customer vs Provider role
Help bridge the “cloud gap” for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
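The two slides above (CloudAudit automating provider assertions, and the Cloud Controls Matrix rating each control by service model, owner role and framework mapping) are easier to see in code. The following is an added example, not CSA code and not the real CCM or CloudAudit format: the control IDs, titles, owner splits, framework references and the shape of the provider's assertion response are all constructed for illustration. It shows the core of what the GRC Stack diagram describes: take the customer's control requirements, pull the provider's assertions, and compute which controls the provider has not covered and which ones stay on the customer's side for a given service model.

```python
"""Added example (not CSA code): a toy control matrix plus a gap check in the
spirit of the GRC Stack diagram: control requirements on one side, provider
assertions on the other. Every control ID, title, owner split and framework
reference below is constructed for illustration; this is NOT the real CCM."""

from dataclasses import dataclass, field

SERVICE_MODELS = ("SaaS", "PaaS", "IaaS")


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    # who must implement this control under each service model:
    # "provider", "customer" or "shared"
    owner: dict
    # framework -> reference string (the CCM "mapped to ISO/PCI/..." idea)
    mappings: dict = field(default_factory=dict)


# Constructed matrix (hypothetical IDs; the real CCM has far more controls)
MATRIX = [
    Control("XX-01", "Encryption of data at rest",
            {"SaaS": "provider", "PaaS": "shared", "IaaS": "customer"},
            {"PCI DSS": "3.4", "ISO 27001": "A.10"}),
    Control("XX-02", "Hypervisor hardening",
            {"SaaS": "provider", "PaaS": "provider", "IaaS": "provider"},
            {"PCI DSS": "2.2", "ISO 27001": "A.12"}),
    Control("XX-03", "Application vulnerability management",
            {"SaaS": "provider", "PaaS": "customer", "IaaS": "customer"},
            {"PCI DSS": "6.1"}),
    Control("XX-04", "Audit log retention",
            {"SaaS": "provider", "PaaS": "shared", "IaaS": "shared"},
            {"PCI DSS": "10.7", "ISO 27001": "A.12"}),
]

# Constructed provider assertions, as an automated audit API might return
# them: control_id -> status. A control the provider says nothing about
# (here XX-03) must be treated as missing, not as implemented.
PROVIDER_ASSERTIONS = {
    "XX-01": "implemented",
    "XX-02": "implemented",
    "XX-04": "partial",
}


def gap_report(matrix, assertions, service_model):
    """Return (provider_gaps, customer_todo) for one service model.

    provider_gaps: controls the provider owns (fully or shared) but has not
                   asserted as implemented, as (control_id, status) pairs.
    customer_todo: controls the customer still owns (fully or shared) and
                   therefore cannot discharge with the provider's assertion.
    """
    if service_model not in SERVICE_MODELS:
        raise ValueError(f"unknown service model {service_model!r}")
    provider_gaps, customer_todo = [], []
    for c in matrix:
        owner = c.owner[service_model]
        if owner in ("provider", "shared"):
            status = assertions.get(c.control_id, "missing")
            if status != "implemented":
                provider_gaps.append((c.control_id, status))
        if owner in ("customer", "shared"):
            customer_todo.append(c.control_id)
    return provider_gaps, customer_todo


def crosswalk(matrix, framework):
    """Map each control to its reference in a familiar framework, so an
    auditor who knows PCI DSS or ISO 27001 can read the cloud controls."""
    return {c.control_id: c.mappings[framework]
            for c in matrix if framework in c.mappings}


if __name__ == "__main__":
    for model in SERVICE_MODELS:
        gaps, todo = gap_report(MATRIX, PROVIDER_ASSERTIONS, model)
        print(f"{model}: provider gaps={gaps} customer-owned={todo}")
    print("PCI DSS crosswalk:", crosswalk(MATRIX, "PCI DSS"))
```

Note the two design choices that matter in practice: an unasserted control defaults to "missing" rather than silently passing, and "shared" controls show up on both lists, since under PaaS or IaaS the provider's assertion covers only its half of the control and the customer still has work to do.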
Next?
Thanks for Your Review!
Acknowledgement to Dr. Anton Chuvakin, SecurityWarrior LLC for Cloud Security Alliance, Cloud Security Alliance.org
Materials by Cloud Security Alliance.org ©
& PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance
Presented to Triad ISSA, NC, January 26, 2012
Valdez Ladd, ISSA Raleigh, NC 2011