SaaS ISMS Implementation Notes

Uploaded by: cheharapustak
Posted on 15-Apr-2016
Pages 1-16: a numbered table (Sr. No 1 to 127); only the serial numbers survived extraction, the cell contents did not.
Page 17: SaaS ISMS Implementation Notes

Software as a Service (SaaS) Infrastructure as a Service (IaaS) Platform as a Service (PaaS)

SaaS: As the CSA explains, with SaaS, the provider's applications run on a cloud infrastructure and are accessible through a Web browser. The consumer does not manage or control the network, servers, operating systems, storage or even individual application capabilities.

PaaS: With PaaS, consumers create applications using programming languages and tools supported by the vendor and then deploy these onto the cloud infrastructure, the CSA explains. As with SaaS, the consumer does not manage or control the infrastructure (the network, servers, operating systems or storage) but does have control over the deployed applications and possibly the application-hosting environment configurations.

IaaS: Here, consumers can provision processing, storage, networks and other fundamental computing resources, as well as deploy and run operating systems and applications, according to the CSA. While they don't manage or control the underlying cloud infrastructure, they do have control over operating systems, storage and deployed applications, and possibly limited control of select networking components, such as host firewalls, the CSA says. With IaaS, there are few integrated security capabilities beyond protecting the infrastructure itself, but there's enormous extensibility, according to the CSA. This means users need to manage and secure operating systems, applications and content, typically through an API.

Regulatory regimes such as the Federal Information Security Management Act (FISMA), as applied by U.S. federal customers, lead those customers to require that sensitive data be kept within the country. Although keeping data within U.S. borders seems like a relatively simple task on its face, cloud vendors will often not make that guarantee.

In highly virtualized systems, data and virtual machines can move dynamically from one country to another in response to load balancing needs and other factors. Google, for example, would note that if an end user in California goes on a business trip to London, it's better (or at least faster) for that user's data to be served up by a data center in Europe.

Google Apps has received FISMA certification for its government cloud, but that same guarantee is not available to private industry. This isn't just a problem for U.S. customers either.

Page 18: SaaS ISMS Implementation Notes

SLA Template for Cloud Service SLA

The service deployment model covers following options: Private, Community, Public, or Hybrid.

ISO/IEC 27018: code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

Cloud Consumer: The person or organization that maintains a business relationship with, and uses service from, cloud providers.
Cloud Provider: The person, organization or entity responsible for making a service available to cloud consumers.
Cloud Carrier: The intermediary that provides connectivity and transport of cloud services from cloud providers to cloud consumers.
Cloud Broker: An organization that manages the use, performance and delivery of cloud services, and negotiates relationships between cloud providers and cloud consumers.
Cloud Auditor: A party that can conduct independent assessments of cloud services, information system operations, performance and security of the cloud implementation.

To be effective, a performance metric must be clearly defined in the SLA and understood by both parties. Here are the generally accepted definitions for the two metrics of interest:
Availability: Percentage of uptime for a service in a given observation period.
Response time: Elapsed time from when a service is invoked to when it is completed, including delays (typically measured in milliseconds).

Consider the following three example scenarios (network availability, storage availability, and service response time) and the specific performance information required for each.
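As an added example (not part of the slides), the two metrics computed from a constructed probe log and checked against SLA targets. The log format, the service names and the targets are assumptions for illustration; availability is taken as the share of probes in the observation period that succeeded, which equals percentage uptime only when probes are sent at a fixed interval, and response time is reported as the 95th percentile over successful probes:

```python
"""Compute SLA availability and response-time metrics from a constructed probe log."""
import math
from collections import defaultdict

# Constructed sample probe log (not real data). One synthetic probe per line:
# "<epoch seconds>,<service>,<outcome>,<elapsed ms>", outcome is "ok" or "fail".
PROBE_LOG = """\
1700000000,storage,ok,120
1700000060,storage,ok,135
1700000120,storage,fail,5000
1700000180,storage,ok,110
1700000240,storage,ok,900
1700000000,network,ok,12
1700000060,network,ok,14
1700000120,network,ok,13
1700000180,network,ok,11
1700000240,network,ok,15
"""

# Hypothetical SLA targets per service: (minimum availability %, maximum p95 response ms).
SLA_TARGETS = {"storage": (99.0, 500), "network": (99.9, 50)}


def parse_probes(text):
    """Group probe records by service as (timestamp, succeeded, elapsed_ms); skip malformed lines."""
    by_service = defaultdict(list)
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, service, outcome, elapsed = parts
        by_service[service].append((int(ts), outcome == "ok", int(elapsed)))
    return by_service


def percentile(values, pct):
    """Nearest-rank percentile: the smallest sample with at least pct% of samples at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def availability_pct(records):
    """Availability: percentage of probes in the observation period that succeeded."""
    if not records:
        return 0.0
    succeeded = sum(1 for _, ok, _ in records if ok)
    return 100.0 * succeeded / len(records)


def response_p95_ms(records):
    """Response time: p95 elapsed ms over successful probes (failed probes count against availability)."""
    latencies = [ms for _, ok, ms in records if ok]
    return percentile(latencies, 95) if latencies else None


def evaluate(text, targets=SLA_TARGETS):
    """Return {service: {"availability", "p95_ms", "meets_sla"}} for every service in the log."""
    report = {}
    for service, records in parse_probes(text).items():
        avail = availability_pct(records)
        p95 = response_p95_ms(records)
        min_avail, max_p95 = targets.get(service, (100.0, 0))  # unknown service: strictest target
        meets = avail >= min_avail and p95 is not None and p95 <= max_p95
        report[service] = {"availability": round(avail, 3), "p95_ms": p95, "meets_sla": meets}
    return report


if __name__ == "__main__":
    for service, r in evaluate(PROBE_LOG).items():
        print(f"{service}: availability={r['availability']}% p95={r['p95_ms']}ms meets_sla={r['meets_sla']}")
```

On the constructed log, storage comes out at 80% availability with a p95 of 900 ms and misses both targets, while network passes. Whether scheduled maintenance windows are excluded from the observation period, and whether a probe timeout counts as a failure, are exactly the definitional points the SLA has to settle before either side can agree on these numbers.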

SAS 70 (http://www.aicpa.org/)
a. Audit of financial reporting controls based on control objectives and control activities (defined by the service provider).
b. Auditor opinion on the design, operational status, and operating effectiveness of financial reporting controls.
c. Intended to cover services that are relevant for purposes of customers' financial statement audits.
d. Often required by customers when the SaaS offering is financial in nature.
(SAS 70 was superseded in 2011 by SSAE 16, whose report is the SOC 1.)

SysTrust (http://infotech.aicpa.org/)
a. Audit of controls based on defined principles and criteria for security, availability, confidentiality, and processing integrity.
b. Intended to apply to the reliability of any system.

WebTrust (http://infotech.aicpa.org/)
a. Audit of controls based on defined principles and criteria for security, availability, confidentiality, processing integrity and privacy.
b. Intended to apply to online/e-commerce systems.

SOX - Sarbanes-Oxley Act
SOC - Service Organization Control (the AICPA SOC 1/2/3 reports referred to in this deck; not a Security Operations Centre, which shares the abbreviation)

Other security-control-based guidance is NIST Special Publication 800-53 R3 [28], as well as NIST Special Publication 800-39 [29] for risk management at the organizational level.

Page 19: SaaS ISMS Implementation Notes

Cloud Architecture Diagram

Responsibility for managing the various parts of IT services across on-premises, IaaS, PaaS and SaaS deployments is divided as shown in the figure.

Deployment Models:
Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Service Models:
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a Web browser (e.g., Web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Page 20: SaaS ISMS Implementation Notes

Cloud Computing Standards Mapping and Gap Analysis

Actors in Cloud
Cloud Consumer: Person or organization that maintains a business relationship with, and uses service from, Cloud Providers.
Cloud Provider: Person, organization, or entity responsible for making a service available to Cloud Consumers.
Cloud Auditor: A party that can conduct independent assessment of cloud services, information system operations, performance, and security of the cloud implementation.
Cloud Broker: An entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.
Cloud Carrier: The intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.

Responsibilities by service model (consumer / provider):
SaaS
- Consumer: Uses application/service for business process operations.
- Provider: Installs, manages, maintains, and supports the software application on a cloud infrastructure.
PaaS
- Consumer: Develops, tests, deploys, and manages applications hosted in a cloud environment.
- Provider: Provisions and manages cloud infrastructure and middleware for the platform consumers; provides development, deployment, and administration tools to platform consumers.
IaaS
- Consumer: Creates/installs, manages, and monitors services for IT infrastructure operations.
- Provider: Provisions and manages the physical processing, storage, networking, and the hosting environment and cloud infrastructure for IaaS consumers.

Cloud Computing Standards
Standards are already available in support of many of the functions and requirements for cloud computing.

The Cloud Security Alliance (CSA) is a nonprofit organization that runs a wide range of cloud security initiatives. For example, CSA publishes free guidance on cloud security. Members are a variety of vendors and corporate users of cloud computing, in addition to individuals; that combination gives weight to the association and its initiatives. Other CSA initiatives include a GRC stack with a Cloud Controls Matrix: a series of controls relevant to cloud security, each mapped to ISO 27001, PCI DSS, COBIT, NIST and more.

CCSK is a certification issued by the Cloud Security Alliance; the abbreviation stands for Certificate of Cloud Security Knowledge. CSA now works with approved training providers. Neupart is the first CSA partner in Europe to offer CSA's original CCSK preparation course. In this course you can enhance your knowledge of cloud security and prepare to take the optional certification test.

High Level Security Considerations
The following key security elements should be carefully considered as an integral part of the SaaS application development and deployment process:
• SaaS deployment model
• Data security
• Network security
• Regulatory compliance
• Data segregation
• Availability
• Backup
• Identity management and sign-on process

Page 21: SaaS ISMS Implementation Notes

Security considerations and vulnerabilities

The following figure illustrates the layered stack for a typical SaaS vendor and highlights critical aspects that must be covered across layers in order to ensure security of the enterprise data.

"Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Software as a Service (SaaS) is a software deployment model where applications are remotely hosted by the application or service provider and made available to customers on demand, over the Internet.


The SaaS security challenges differ depending upon the deployment model being used by the vendor. SaaS vendors may choose to deploy the solution either by using a public cloud vendor or by hosting it themselves. Dedicated public cloud providers such as Amazon help to build secure SaaS solutions by providing infrastructure services that aid in ensuring perimeter and environment security. This involves the use of firewalls, intrusion detection systems, etc. A self-hosted SaaS deployment, however, requires the vendor to build these services and assess them for security vulnerabilities.

Page 22: SaaS ISMS Implementation Notes

In the SaaS model, the enterprise data is stored outside the enterprise boundary, at the SaaS vendor end. Consequently, the SaaS vendor must adopt additional security checks to ensure data security and prevent breaches due to security vulnerabilities in the application or through malicious employees.

In cloud vendors such as Amazon, the Elastic Compute Cloud [EC2] administrators do not have access to customer instances and cannot log into the Guest OS. EC2 Administrators with a business need are required to use their individual cryptographically strong Secure Shell [SSH] keys to gain access to a host. All such accesses are logged and routinely audited.

While data at rest in Simple Storage Service [S3] was not encrypted by default at the time of writing, users can encrypt their data before it is uploaded to Amazon S3 (client-side encryption), so that it cannot be read or tampered with by an unauthorized party. S3 also offers server-side encryption, and since January 2023 encrypts new objects by default; client-side encryption remains the only option under which the provider never holds the key.

In a SaaS deployment model, sensitive data is obtained from the enterprises, processed by the SaaS application and stored at the SaaS vendor end. All data flow over the network needs to be secured in order to prevent leakage of sensitive information. This involves the use of strong network traffic encryption such as Transport Layer Security [TLS], the successor to Secure Sockets Layer [SSL]; the SSL protocol versions themselves are deprecated and should be disabled.

Data privacy has emerged as another significant challenge. Different countries have their distinct privacy regulations about how data needs to be secured and stored. These might lead to conflicts when the enterprise data of one country is stored in data centers located in another country.

In a mature multi-tenant SaaS architecture, the application instances and data stores may be shared across multiple enterprises. This allows the SaaS vendor to make more efficient use of resources and helps achieve lower costs. At the same time, sufficient security checks need to be adopted to ensure data security and prevent unauthorized access to data of one tenant by users from other tenants. This involves hardening the data store as well as the application to ensure data segregation.

In case the SaaS application is deployed at a third-party cloud vendor, additional safeguards need to be adopted so that data of an application tenant is not accessible to other applications.

The SaaS application needs to ensure that enterprises are provided with service around the clock. This involves making architectural changes at the application and infrastructural levels to add scalability and high availability. A multi-tier architecture needs to be adopted, supported by a load-balanced farm of application instances, running on a variable number of servers. Resiliency to hardware/software failures, as well as to denial of service attacks, needs to be built from the ground up within the application.

An appropriate action plan for business continuity [BC] and disaster recovery [DR] needs to be considered for any unplanned emergencies. This is essential to ensure the safety of the enterprise data and minimal downtime for enterprises.

Page 23: SaaS ISMS Implementation Notes

With Amazon for instance, the AWS API endpoints are hosted on the same Internet-scale, world-class infrastructure that supports the Amazon.com retail site. Standard Distributed Denial of Service [DDoS] mitigation techniques such as SYN cookies and connection limiting are used. To further mitigate the effect of potential DDoS attacks, Amazon maintains internal bandwidth that exceeds its provider-supplied Internet bandwidth.
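Connection limiting, as named above, shown as an added example in Python. This is an illustrative token-bucket limiter written for these notes, not AWS's implementation or any product's code; the rates, the source addresses and the injectable clock are assumptions for the example:

```python
"""Per-source connection limiting: a token bucket per client address plus a global cap on open connections."""
import time


class ConnectionLimiter:
    """rate: new connections per second a single source may open in steady state; burst: how
    many a quiet source may open at once; max_open: connections the whole service will hold
    open. clock is injectable so behaviour can be tested without sleeping (assumed interface)."""

    def __init__(self, rate=5.0, burst=10, max_open=1000, clock=time.monotonic):
        self.rate, self.burst, self.max_open, self.clock = rate, burst, max_open, clock
        self.buckets = {}  # source -> [tokens, time of last refill]
        self.open = 0

    def _tokens(self, src):
        """Refill the source's bucket for the time elapsed since its last refill, capped at burst."""
        now = self.clock()
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        self.buckets[src] = [tokens, now]
        return tokens

    def admit(self, src):
        """True if a new connection from src is accepted; it is then counted as open."""
        if self.open >= self.max_open:
            return False  # global backstop: capacity is finite even if every source is under its rate
        tokens = self._tokens(src)
        if tokens < 1.0:
            return False  # this source is over its rate
        self.buckets[src][0] = tokens - 1.0
        self.open += 1
        return True

    def release(self):
        """Call when an admitted connection closes."""
        self.open = max(0, self.open - 1)

    def prune(self, idle_seconds):
        """Drop buckets idle longer than idle_seconds (choose >= burst/rate so a dropped bucket
        would have refilled fully anyway); bounds memory when sources are spoofed at scale."""
        now = self.clock()
        stale = [s for s, (_, last) in self.buckets.items() if now - last > idle_seconds]
        for s in stale:
            del self.buckets[s]
        return len(stale)


if __name__ == "__main__":
    limiter = ConnectionLimiter(rate=1.0, burst=3, max_open=4)
    print([limiter.admit("10.0.0.1") for _ in range(4)])  # fourth attempt in the burst is refused
```

The per-source bucket limits what one address can do; the global cap keeps the service itself from being exhausted. Neither helps against spoofed-source SYN floods, which is why the slide lists SYN cookies alongside connection limiting: cookies let the server avoid allocating state until the handshake completes, so a flood of half-open connections never consumes the pool that this limiter is guarding.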

The SaaS vendor needs to ensure that all sensitive enterprise data is regularly backed up to facilitate quick recovery in case of disasters. Also the use of strong encryption schemes to protect the backup data is recommended to prevent accidental leakage of sensitive information.

The SaaS vendor can support identity management and sign-on services using any of the following models:
1. Independent IdM stack
2. Credential Synchronization
3. Federated IdM

Independent IdM stack
The SaaS vendor provides the complete stack of identity management and sign-on services. All information related to user accounts, passwords, etc. is completely maintained at the SaaS vendor end.
Advantages
> Easy to implement
> No separate integration with enterprise directory
Disadvantages
> The users need to remember separate credentials for each SaaS application
Security Challenges
> The IdM stack should be highly configurable to facilitate compliance with enterprise policies; e.g., password strength, etc.

Credential Synchronization
The SaaS vendor supports replication of user account information and credentials between enterprise and SaaS application. The user account information creation is done separately by each tenant within the enterprise boundary to comply with its regulatory needs. Relevant portions of user account information are replicated to the SaaS vendor to provide sign-on and access control capabilities. The authentication happens at the SaaS vendor end using the replicated credentials.
Advantages
> Users don't need to remember multiple passwords
Disadvantages
> Requires integration with enterprise directory
> Has higher security risk value due to transmission of user credentials outside the enterprise perimeter
Security Challenges
> The SaaS vendor needs to ensure security of the credentials during transit and storage and prevent their leakage

Page 24: SaaS ISMS Implementation Notes

Federated IdM
The entire user account information including credentials is managed and stored independently by each tenant. The user authentication occurs within the enterprise boundary. The identity of the user as well as certain user attributes are propagated on demand to the SaaS vendor using federation to allow sign-on and access control.
Advantages
> Users don't need to remember multiple passwords
> No separate integration with enterprise directory
> Low security risk value as compared to credential synchronization
Disadvantages
> Relatively more complex to implement
Security Challenges
> The SaaS vendor and tenants need to ensure that proper trust relationships and validations are established to ensure secure federation of user identities
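An added example of the validation step this model calls for, not code from the slides or from any IdP product. It simulates the assertion as an HMAC-signed JSON body over a shared key per tenant IdP (real deployments carry SAML XML signatures or OIDC JWS, but the SaaS-side checks are the same): trusted issuer, signature over the exact signed bytes, audience, the issuer-to-tenant binding fixed at onboarding, expiry and replay. The issuer URLs, keys, audience and token layout are assumptions:

```python
"""Validate a federated sign-on assertion at the SaaS end (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

AUDIENCE = "https://saas.example/sso"  # hypothetical SaaS sign-on endpoint

# Hypothetical trust registry, provisioned out of band when a tenant is onboarded:
# issuer -> (the one tenant that issuer may assert for, shared HMAC key).
TRUSTED_ISSUERS = {
    "https://idp.acme.example": ("acme", b"acme-shared-key-0001"),
    "https://idp.globex.example": ("globex", b"globex-shared-key-0001"),
}


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text.encode())


def issue_assertion(issuer, key, claims):
    """What a tenant IdP sends: base64(JSON claims) '.' base64(HMAC-SHA256 over those bytes)."""
    body = json.dumps(dict(claims, iss=issuer), sort_keys=True, separators=(",", ":")).encode()
    return _b64e(body) + "." + _b64e(hmac.new(key, body, hashlib.sha256).digest())


class AssertionValidator:
    def __init__(self, registry=TRUSTED_ISSUERS, audience=AUDIENCE, now=time.time):
        self.registry = registry
        self.audience = audience
        self.now = now
        self.seen_ids = set()  # replay cache; a shared store with TTL in a real deployment

    def validate(self, token):
        """Return (tenant, subject) for an acceptable assertion, else raise ValueError naming the failed check."""
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _b64d(body_b64), _b64d(sig_b64)
            claims = json.loads(body)
        except (ValueError, TypeError, AttributeError) as exc:
            raise ValueError("malformed assertion") from exc
        if not isinstance(claims, dict):
            raise ValueError("malformed assertion")
        entry = self.registry.get(claims.get("iss"))
        if entry is None:
            raise ValueError("untrusted issuer")
        tenant, key = entry
        # Verify over the exact bytes that were signed, with a constant-time comparison.
        if not hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).digest()):
            raise ValueError("bad signature")
        if claims.get("aud") != self.audience:
            raise ValueError("audience mismatch")
        # The tenant an issuer may vouch for comes from the registry, never from the claim alone.
        if claims.get("tenant") != tenant:
            raise ValueError("issuer may not assert for tenant")
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or self.now() >= exp:
            raise ValueError("expired")
        if not isinstance(claims.get("sub"), str):
            raise ValueError("missing subject")
        jti = claims.get("jti")
        if not jti or jti in self.seen_ids:
            raise ValueError("missing or replayed assertion id")
        self.seen_ids.add(jti)
        return tenant, claims["sub"]


def try_validate(validator, token):
    """Convenience wrapper: (tenant, subject) on success, the rejection reason otherwise."""
    try:
        return validator.validate(token)
    except ValueError as exc:
        return str(exc)
```

The check that matters most in a multi-tenant SaaS is the issuer-to-tenant binding: without it, any tenant's IdP could mint an assertion claiming a user in another tenant, and the signature would still verify. The order of checks is also deliberate: the issuer is resolved first so the right key is used, the signature is verified before any claim is trusted, and the replay id is recorded only once every other check has passed.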

The following key mitigation strategies address the above critical security challenges and improve the robustness of SaaS applications:
• Secure Product Engineering
• Secure Deployment
• Governance and Regulatory Compliance Audits
• Third-Party SaaS Security Assessment

It is highly recommended that software vendors treat security as part of the product engineering lifecycle. At each phase of development [architecture, design, coding], a security review should be performed. This will help with faster identification of any security issues and lower rework costs for any security fixes that need to be implemented. The coding and testing guidelines should similarly be revised while keeping security considerations in perspective.

As discussed, SaaS solutions can either be hosted by the SaaS vendor or they can be deployed on a public cloud. In a self-hosted deployment, the SaaS vendor needs to ensure that adequate safeguards are adopted to combat against network penetration and DoS attacks.

Governance and Regulatory Compliance Audits
Third-party Governance and Regulatory Compliance [GRC] audits can help validate the conformance of SaaS vendors to government regulations and industry standards such as ISO 27001, SOX, GLBA, HIPAA and PCI DSS. Additionally, they can validate that appropriate BC and DR plans are in place and followed meticulously. GRC audits help the SaaS vendor to identify and fix any deviations from regulations to ensure compliance with industry standards. They also help the SaaS provider ease customer concerns about the security, privacy and availability of the enterprise data, and help build credibility.

Third-Party SaaS Security Assessment
Third-party SaaS security assessments help validate the security and integrity of the SaaS application and its deployment. It is recommended that SaaS vendors periodically conduct a SaaS security assessment to ensure the security of their solutions. The standard tools and techniques used for web application vulnerability assessments (VA) as captured by the Open Web Application Security Project [OWASP] do not provide sufficient coverage for SaaS-specific concepts such as multi-tenancy, data segregation, etc. The Cloud Security Alliance [CSA] captures the critical areas for SaaS applications in their CSA Security Guide. A security assessment specifically tailored for SaaS solutions that incorporates these critical areas is essential for detecting security vulnerabilities and fixing them before they can be exploited by malicious hackers.

Page 25: SaaS ISMS Implementation Notes

Third-Party SaaS Security Assessment
The SaaS security assessment should be comprised of both the application VA as well as network VA for complete coverage. The following figure gives an overview of the security threats and vulnerabilities which should be covered as part of the security assessment. The application VA helps validate application security in a SaaS deployment. This is generally independent of the SaaS deployment model used by the vendor. However, dedicated cloud providers such as Amazon help facilitate building secure SaaS applications by providing infrastructure services that aid in ensuring data security, network security, data segregation, etc.

Data Security
Malicious users can exploit weaknesses in the data security model to gain unauthorized access to data. The following assessments test and validate the security of the enterprise data stored at the SaaS vendor.
• Cross site scripting [XSS]
• Access control weaknesses
• OS and SQL injection flaws
• Cross site request forgery [CSRF]
• Cookie manipulation
• Hidden field manipulation
• Insecure storage
• Insecure configuration

Network Security
Malicious users can exploit weaknesses in network security configuration to sniff network packets. The following assessments test and validate the network security of the SaaS vendor.
• Network penetration and packet analysis
• Session management weaknesses
• Insecure SSL trust configuration

Data Segregation
A malicious user can use application vulnerabilities to handcraft parameters that bypass security checks and access sensitive data of other tenants. The following assessments test and validate the data segregation of the SaaS vendor in a multi-tenant deployment.
• SQL injection flaws
• Data validation
• Insecure storage
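An added example, not from the slides, that serves both the multi-tenant architecture paragraph on Page 22 (a shared data store that must still keep each tenant's rows apart) and the Data Segregation assessment items above (SQL injection flaws, data validation): a lookup that a user of one tenant can drive across tenants, and can inject into, beside its hardened form. It uses sqlite3 with constructed sample rows; the table, column and tenant names are assumptions:

```python
"""Tenant data segregation in a shared table: the cross-tenant read bug beside the hardened lookup."""
import sqlite3


def build_db():
    """Constructed sample data (not real): two tenants sharing one documents table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, "acme", "Acme payroll"), (2, "globex", "Globex roadmap"), (3, "acme", "Acme contracts")],
    )
    conn.commit()
    return conn


def get_document_vulnerable(conn, doc_id):
    """Scopes the row by document id only, so a user of one tenant fetches another tenant's
    row by guessing ids; the string formatting also admits SQL injection
    ("0 OR 1=1" returns the first row of any tenant)."""
    return conn.execute(f"SELECT id, tenant_id, title FROM documents WHERE id = {doc_id}").fetchone()


def get_document(conn, session_tenant_id, doc_id):
    """Hardened lookup: the tenant comes from the server-side session, never from the request;
    the id is validated before it reaches the database; the query is parameterized and always
    carries the tenant predicate, so another tenant's row looks exactly like a missing one."""
    doc_id = str(doc_id)
    if not doc_id.isdigit():
        return None
    return conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
        (int(doc_id), session_tenant_id),
    ).fetchone()


def list_documents(conn, session_tenant_id):
    """Every tenant-facing query carries the tenant predicate, listings included."""
    return conn.execute(
        "SELECT id, title FROM documents WHERE tenant_id = ? ORDER BY id", (session_tenant_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A Globex user presenting document id 1, which is an Acme row:
    print("vulnerable:", get_document_vulnerable(db, 1))          # leaks the Acme row
    print("injected:  ", get_document_vulnerable(db, "0 OR 1=1"))  # leaks the first row of any tenant
    print("hardened:  ", get_document(db, "globex", 1))            # None
    print("own tenant:", get_document(db, "acme", 1))
```

The two assessment items map directly onto the two defects: the f-string is the SQL injection flaw, and the missing tenant predicate is the data validation failure that lets handcrafted parameters reach another tenant's rows. In a real code base the tenant predicate belongs in one place (a repository layer, a database view per tenant, or row-level security where the engine supports it) rather than being repeated by hand in every query.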

Availability
These assessments test and validate the availability of the SaaS vendor.
• Authentication weaknesses
• Session management weaknesses

Backup
The following assessments test and validate the security of the data backup and recovery services provided by the SaaS vendor.
• Insecure storage
• Insecure configuration

Identity Management and Sign-on Process
The following assessments test and validate the security of the identity management and sign-on process of the SaaS vendor.
• Authentication weakness analysis
• Insecure trust configuration

Page 26: SaaS ISMS Implementation Notes

The following assessments help test and validate the security of the infrastructure used to deploy the SaaS application.
• Host scanning
• Penetration testing
• Perimeter separation for dev/production systems
• Server hardening
• Firewall testing
• Router testing
• Domain name server testing
• Mail server testing
The above assessments help ensure security of the SaaS deployment against external penetration and breaches and prevent loss of sensitive data.

Availability
The following assessment helps test and validate the availability of the infrastructure used to deploy the SaaS application.
• DoS testing

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). Cloud computing is a disruptive technology that has the potential to enhance collaboration, agility, scaling, and availability, and provides the opportunities for cost reduction through optimized and efficient computing.

From an architectural perspective, there is much confusion surrounding how cloud is both similar to and different from existing models of computing and how these similarities and differences impact the organizational, operational, and technological approaches to network and information security practices. There is a thin line between conventional computing and cloud computing. However, cloud computing will impact the organizational, operational, and technological approaches to data security, network security, and information security good practice.

NIST defines cloud computing by describing five essential characteristics, three cloud service models, and four cloud deployment models.
Five Essential Characteristics: 1) Broad network access 2) Rapid elasticity 3) Measured service 4) On-demand self-service 5) Resource pooling
Three Service Models: IaaS, PaaS, SaaS
Four Deployment Models: Public, Private, Hybrid, Community

Cloud provider's security controls must be assessed at multiple layers:
● Facilities (physical security)
● Network infrastructure (network security)
● IT systems (system security)
● Information and applications (application security)
● People (for example, separation of duties between development and production)
● Process (for example, change management and incident response)

Page 27: SaaS ISMS Implementation Notes

CSA Cloud Controls Matrix (CCM)
● First ever baseline control framework specifically designed for cloud supply chain risk management
● 16 control areas, 133 controls
● Controls mapped to 32 other security standards, regulations, and controls frameworks including ISO 27001 and 27002, ISACA COBIT, FedRAMP, NERC CIP, NIST SP 800-53, 95/46/EC, HIPAA, PCI DSS

NIST SP 800-53 Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-161 (Draft): Supply Chain Risk Management Practices for Federal Information Systems and Organizations

SOC 2 Report (AICPA)
● Reports on the design (Type I) and operating effectiveness (Type II) of a service organization's controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system
● SSAE 16 was the standard behind the SOC 1 report (the successor to SAS 70, covering financial reporting controls); SOC 2 is a separate attestation engagement against the AICPA Trust Services criteria

CSA STAR (Security, Trust & Assurance Registry)
● Goal is to improve transparency and assurance in the cloud
● Searchable, publicly accessible registry to allow cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences
● Helps customers to assess the security of cloud providers
● Based on a multilayered structure defined by the Open Certification Framework Working Group: Level 1 self-assessment, Level 2 third-party assessment, Level 3 continuous monitoring

CSA STAR Self-Assessment (Level 1)
- Voluntary
- Based on: ● Cloud Controls Matrix ● Consensus Assessments Initiative Questionnaire

CSA STAR Certification (Level 2 - third-party assessment)
● Rigorous third-party independent assessment of a cloud provider's security
● Measures the cloud provider's capability levels: no formal approach, reactive approach, proactive approach, improvement-based approach, optimising approach
● Leverages the requirements of ISO 27001:2013 and the CSA Cloud Controls Matrix
● Ensures the scope, processes and objectives are "fit for purpose"

CSA STAR Attestation (Level 2)
● Provides a framework for performing assessments of cloud service providers using SOC 2 engagements supplemented by criteria in the CSA Cloud Controls Matrix
● Typically, cloud providers obtain a CSA STAR Attestation, ISO 27001 certification, and a SOC 2 Type II report at the same time since so many of the criteria are common between the three

CSA CAI Questionnaire (CAIQ; the questionnaire behind the Level 1 self-assessment, not a separate level)
● Consensus Assessments Initiative Questionnaire
● Provides a set of questions a cloud consumer can ask of a cloud provider about their security controls
● Questions can be tailored to suit each unique cloud consumer's evidentiary requirements
● Questions mapped to the compliance requirements in the Cloud Controls Matrix

Page 28: SaaS ISMS Implementation Notes

PII and Personal Information
● PII (Personally Identifiable Information): information that can identify an individual (name, date of birth, etc.)
● Personal information: information that does not directly identify an individual, but is deemed sensitive by social mores, e.g. race, religion, shopping habits

Privacy vs Security
● Privacy governs how PII should be used, shared, and retained
● Security restricts access to the sensitive data and protects confidentiality/integrity during collection, storage, and transmission

FTC Consent Decrees
● Designate individuals to be accountable for the information security program
● Identify risks to personal information
● Design, implement and test reasonable safeguards to control risk

EU Data Protection Directive (95/46/EC)
● Data controller (cloud customer) "must implement appropriate technical and organizational measures to protect personal data against ... all unlawful forms of processing..."
● Processing of data by a data processor (cloud provider) must be governed by a contract or legal act binding the processor to the controller
● Cross-border data transfer out of the EEA prohibited unless the third country in question ensures an adequate level of protection
● The Directive was repealed by the GDPR (Regulation (EU) 2016/679), applicable from May 2018; the controller/processor and transfer rules above carry over

US/EU Safe Harbor
● Allowed US companies to register their certification that they meet the EU Data Protection requirements
● Take reasonable precautions to protect personal information
● Onward Transfer Principle
● Invalidated by the Court of Justice of the EU in October 2015 (Schrems); its successor, Privacy Shield (2016), was invalidated in 2020, so transfer today rests on other mechanisms such as standard contractual clauses

PIPEDA Principles for the Protection of Personal Data (Canada)
● An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party (cloud provider) for processing

● NIST SP 800-53 Rev. 4 Appendix J "Privacy Control Catalog"
● ISO/IEC 27018 Information technology -- Security techniques -- Code of practice for PII protection in public clouds acting as PII processors
● HIPAA Health Insurance Portability and Accountability Act
● PCI DSS Payment Card Industry Data Security Standard

● Cloud Provider should have a strong Privacy Policy that specifies the following for personal information: ● Collection ● Usage ● Storage ● Release ● Retention ● Deletion
● Cloud Provider should provide a Privacy Notice to the Cloud Consumer upon demand

Page 29: SaaS ISMS Implementation Notes

IEC 62443-3-3 Requirement
● SR 5.1 – Network Segmentation: The network with access to the Cloud Provider’s application should be logically or physically segmented from the (critical) control system network
● SR 5.2 – Zone boundary protection: Access to the Cloud Provider’s application must take place via a zone and conduit designed for this purpose
● SR 5.2 – Zone boundary protection: The Cloud Provider’s security and access controls must fulfill the requirements of the asset owner’s zone and conduit security policy designed to meet the target Security Level

IEC 62443-3-3 Requirement
● SR 3.1 – Communication integrity & SR 4.1 – Information confidentiality: The confidentiality and integrity of all network communication between the asset owner’s system and the Cloud Provider’s system must be protected via cryptographic means
● SR 3.4 – Software and information integrity & SR 4.1 – Information confidentiality: The confidentiality and integrity of data at rest must be protected by the Cloud Provider using strong access and/or cryptographic controls

Control Group & Consensus Assessment Question(s)
* Interoperability & Portability (Standardized Network Protocols)
- Can data import, data export and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?
- Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved?
* Application & Interface Security (Data Integrity)
- Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?

Multi-Tenancy – Resources and services used by multiple cloud consumers are physically co-located but logically separated; for example, data from multiple cloud consumers is stored in the same database, or on the same server, and security controls keep the data logically separated

Typical cloud guidance
● Cloud Consumer (tenant) generates encryption key, encrypts and decrypts data en route to/from the Cloud SaaS Provider
Cloud SaaS encryption hurdles
● SaaS is not just storage – need to validate, estimate, aggregate, search, sort, and analyze
● Cloud Consumer (tenant) should control their own encryption keys
● Encryption keys should never be stored alongside the encrypted data
● Extremely important to manage encryption keys securely
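To make the key-separation guidance concrete, the following is an added example (not code from these notes or from any source they reference) of client-side envelope encryption in Go using only the standard library: the tenant generates a key-encryption key (KEK) that never leaves its side, every object gets its own data encryption key (DEK), and what the provider stores is the ciphertext plus the DEK wrapped under the KEK, never the KEK itself. The StoredObject layout, the tenant ID "tenant-a" and the sample plaintext are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is the record the SaaS provider persists (assumed layout). It holds
// the DEK only in wrapped form; the tenant KEK that wraps it is never uploaded.
type StoredObject struct {
	TenantID   string
	WrappedDEK []byte // DEK sealed under the tenant KEK with AES-256-GCM
	Ciphertext []byte // object data sealed under the DEK with AES-256-GCM
}

// NewKEK generates a tenant key-encryption key; in practice it lives in the
// tenant's own HSM or KMS, never in the provider's store.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails on any change to ciphertext, tag or aad.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the tenant side before upload: a fresh DEK per object, wrapped under
// the tenant KEK. The tenant ID is bound in as associated data, so a record re-labelled
// to another tenant fails authentication.
func Encrypt(tenantID string, kek, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	aad := []byte(tenantID)
	ct, err := sealGCM(dek, plaintext, aad)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := sealGCM(kek, dek, aad)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt also runs on the tenant side: unwrap the DEK with the KEK, then open the data.
func Decrypt(obj StoredObject, kek []byte) ([]byte, error) {
	aad := []byte(obj.TenantID)
	dek, err := openGCM(kek, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, obj.Ciphertext, aad)
}

func main() {
	kek, _ := NewKEK()
	obj, _ := Encrypt("tenant-a", kek, []byte("quarterly sales figures")) // constructed sample
	pt, err := Decrypt(obj, kek)
	fmt.Printf("decrypted with tenant KEK: %q (err=%v)\n", pt, err)
}
```

The stored record on its own is useless to the provider: unwrapping the DEK requires the KEK, and because the DEK is random per object, a compromised DEK exposes one object rather than the whole tenant. Search, sort and aggregation over such data (the "SaaS is not just storage" hurdle above) still have to happen on the tenant side or on data the tenant chooses not to encrypt.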

Page 30: SaaS ISMS Implementation Notes

Control Group & Consensus Assessment Question(s)
* Audit Assurance & Compliance (Information System Regulatory Mapping)
- Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
- Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
* Encryption & Key Management (Encryption)
- Do you encrypt tenant data at rest (on disk/storage) within your environment?
- Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption)?
- Do you have documentation establishing and defining your encryption management policies, procedures and guidelines?

Control Group & Consensus Assessment Question(s)
* Encryption & Key Management (Storage and Access)
- Are your encryption keys maintained by the cloud consumer or a trusted key management provider?
- Do you store encryption keys in the cloud?
- Do you have separate key management and key usage duties?
* Supply Chain Management, Transparency and Accountability (Data Quality and Integrity)
- Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?
- Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

IEC 62443-3-3 Requirement
● SR 1.3 – Account management: Ideally the asset owner should manage accounts centrally and the cloud provider should federate against the asset owner’s identity store; alternatively the cloud provider can provide an application account store
● SR 1.5 – Authenticator management & SR 1.7 – Strength of password-based authentication & SR 1.11 – Unsuccessful login attempts: The asset owner must be able to customize account and password policies when managing accounts in the Cloud Provider’s application account store

Control Group & Consensus Assessment Question(s)
* Identity & Access Management (User ID Credentials)
- Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
- Do you use open standards to delegate authentication capabilities to your tenants?
- Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
- Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biometrics, etc.) for user access?
- Do you allow tenants to use third-party identity assurance services?
- Do you support the ability to force password changes upon first logon?
- Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement?
- Do you allow tenants/customers to define password and account lockout policies for their accounts?
- Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
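The password, lockout and first-logon questions above describe a policy the tenant must be able to set when its accounts live in the provider's own account store. As an added example (not code from these notes or from the CAIQ), here is such a tenant-configurable policy in Go: the PasswordPolicy and Account types, their field names and the sample values are assumptions for illustration, and the salted SHA-256 used for the password-history comparison stands in for a proper slow password hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// PasswordPolicy: the settings a tenant (asset owner) customizes (assumed type and fields).
type PasswordPolicy struct {
	MinLength        int
	RequireClasses   int           // classes required out of lower/upper/digit/symbol
	HistorySize      int           // most recent passwords that may not be reused
	LockoutThreshold int           // consecutive failures before lockout; 0 = disabled
	LockoutDuration  time.Duration // time-bounded, so bad-login floods cannot lock a user out for good
}

type Account struct {
	Failures     int
	LockedUntil  time.Time
	MustChangePW bool // set at provisioning to force a change at first logon
}

type AuthResult int

const (
	Allowed AuthResult = iota
	BadCredentials
	Locked
	ChangeRequired
)

func countClasses(pw string) int {
	var lower, upper, digit, symbol int
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = 1
		case unicode.IsUpper(r):
			upper = 1
		case unicode.IsDigit(r):
			digit = 1
		default:
			symbol = 1
		}
	}
	return lower + upper + digit + symbol
}

// hashPassword: salted SHA-256 stand-in for the history check only; a real store uses bcrypt/Argon2.
func hashPassword(userSalt, pw string) string {
	sum := sha256.Sum256([]byte(userSalt + ":" + pw))
	return hex.EncodeToString(sum[:])
}

// ValidateNewPassword enforces length, complexity and reuse; history is the user's previous hashes, oldest first.
func (p PasswordPolicy) ValidateNewPassword(userSalt, pw string, history []string) error {
	if len([]rune(pw)) < p.MinLength {
		return fmt.Errorf("password must be at least %d characters", p.MinLength)
	}
	if countClasses(pw) < p.RequireClasses {
		return fmt.Errorf("password must use at least %d character classes", p.RequireClasses)
	}
	h := hashPassword(userSalt, pw)
	for i := len(history) - 1; i >= 0 && i >= len(history)-p.HistorySize; i-- {
		if history[i] == h {
			return errors.New("password matches a recently used password")
		}
	}
	return nil
}

// Authenticate applies the lockout rules to the outcome of a credential check.
func (p PasswordPolicy) Authenticate(acct *Account, credentialsOK bool, now time.Time) AuthResult {
	if now.Before(acct.LockedUntil) {
		return Locked // attempts during the lock window are not counted
	}
	if !credentialsOK {
		acct.Failures++
		if p.LockoutThreshold > 0 && acct.Failures >= p.LockoutThreshold {
			acct.LockedUntil = now.Add(p.LockoutDuration)
			acct.Failures = 0
		}
		return BadCredentials
	}
	acct.Failures = 0
	if acct.MustChangePW {
		return ChangeRequired
	}
	return Allowed
}

func main() {
	p := PasswordPolicy{MinLength: 12, RequireClasses: 3, HistorySize: 5, LockoutThreshold: 5, LockoutDuration: 15 * time.Minute}
	fmt.Println(p.ValidateNewPassword("user-1", "short", nil), p.ValidateNewPassword("user-1", "Correct-Horse-42", nil))
}
```

The lock is deliberately time-bounded and attempts made while locked are not counted: a lockout that is permanent or that extends on every further failure turns the control into a denial-of-service lever against the legitimate user, which is the misconfiguration the notes warn about under the lockout remarks. Manual or self-service unlock is then simply clearing LockedUntil and Failures on the Account.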

Page 31: SaaS ISMS Implementation Notes

Cloud Providers that are not certified can be assessed using the Consensus Assessments Initiative Questionnaire TRUST

IEC 62443-3-3 Requirement
● SR 6.2 – Continuous monitoring: The Cloud Provider must continuously monitor their system and use common security industry practices and tools (a SIEM, for example) to detect and respond to security breaches in a timely manner
● SR 6.1 – Audit log accessibility: The Cloud Provider must provide the capability for an asset owner to access tenant-specific audit log reports
● SR 2.8 – Auditable events: It should be possible to export tenant-specific audit logs from the Cloud Provider into a centrally managed audit trail on the asset owner's system where they can be further analyzed by standard log analysis tools such as a SIEM

Control Group & Consensus Assessment Question(s)
* Security Incident Management, E-Discovery & Cloud Forensics (Incident Management)
- Do you have a documented security incident response plan?
- Do you integrate customized tenant requirements into your security incident response plans?
- Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?
- Have you tested your security incident response plans in the last year?
* Security Incident Management, E-Discovery & Cloud Forensics (Incident Reporting)
- Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
- Does your logging and monitoring framework allow isolation of an incident to specific tenants?
* Security Incident Management, E-Discovery & Cloud Forensics (Incident Response Legal Preparation) (Custom)
- Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?
- Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
- Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?
- Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
- Do you provide the capability for a customer (tenant) to access their audit logs via a visual or programmatic interface?
- Do you provide the capability for a customer (tenant) to export their audit logs in an industry standard format such that the logs may be analyzed by the customer’s organization using industry standard log analysis tools such as a SIEM?
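The tenant-specific log export required by SR 6.1 / SR 2.8 above and the single-tenant production and litigation-hold questions in this and the earlier Audit Assurance block come down to the same mechanism: every record carries a mandatory tenant ID, and every export or retention action is scoped by it. The following is an added example in Go (not code from these notes or from the CAIQ) of that mechanism: the AuditStore type, its methods and the four sample events are assumptions constructed for illustration, and the export format is JSON Lines, one object per line, which standard SIEM collectors ingest.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent is one tenant-tagged record; TenantID is mandatory so that every
// query, export and purge can be scoped to exactly one tenant.
type AuditEvent struct {
	Time     time.Time `json:"time"`
	TenantID string    `json:"tenant_id"`
	Actor    string    `json:"actor"`
	Action   string    `json:"action"`
	Outcome  string    `json:"outcome"`
}

// AuditStore is a minimal in-memory stand-in for the provider's log store (assumed type).
type AuditStore struct {
	events []AuditEvent
	holds  map[string]bool // tenants currently under litigation hold
}

func NewAuditStore() *AuditStore { return &AuditStore{holds: map[string]bool{}} }

func (s *AuditStore) Record(e AuditEvent) { s.events = append(s.events, e) }

func (s *AuditStore) Len() int { return len(s.events) }

// ExportTenant emits one tenant's events as JSON Lines and returns the line count.
func (s *AuditStore) ExportTenant(tenantID string) ([]byte, int, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	n := 0
	for _, e := range s.events {
		if e.TenantID != tenantID {
			continue // another tenant's data never reaches the export
		}
		if err := enc.Encode(e); err != nil {
			return nil, 0, err
		}
		n++
	}
	return buf.Bytes(), n, nil
}

// SetLitigationHold freezes one tenant's records without touching other tenants.
func (s *AuditStore) SetLitigationHold(tenantID string, on bool) { s.holds[tenantID] = on }

// PurgeOlderThan applies the retention cutoff and returns how many events were
// deleted; events of a tenant under hold are always kept.
func (s *AuditStore) PurgeOlderThan(cutoff time.Time) int {
	kept := make([]AuditEvent, 0, len(s.events))
	removed := 0
	for _, e := range s.events {
		if e.Time.Before(cutoff) && !s.holds[e.TenantID] {
			removed++
			continue
		}
		kept = append(kept, e)
	}
	s.events = kept
	return removed
}

// SampleStore builds a store with constructed events for two tenants.
func SampleStore() *AuditStore {
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	s := NewAuditStore()
	s.Record(AuditEvent{t0, "tenant-a", "alice", "login", "success"})
	s.Record(AuditEvent{t0.Add(1 * time.Hour), "tenant-b", "bob", "login", "failure"})
	s.Record(AuditEvent{t0.Add(2 * time.Hour), "tenant-a", "alice", "export_report", "success"})
	s.Record(AuditEvent{t0.Add(3 * time.Hour), "tenant-b", "bob", "login", "success"})
	return s
}

func main() {
	s := SampleStore()
	out, n, _ := s.ExportTenant("tenant-a")
	fmt.Printf("exported %d events for tenant-a:\n%s", n, out)
	s.SetLitigationHold("tenant-b", true)
	cutoff := time.Date(2024, 3, 1, 11, 30, 0, 0, time.UTC)
	fmt.Println("purged:", s.PurgeOlderThan(cutoff), "remaining:", s.Len())
}
```

Because the tenant filter sits inside the store rather than in the caller, an export handed to a customer or produced under subpoena cannot contain another tenant's lines, and a hold placed for one tenant leaves the retention schedule of every other tenant unchanged, which is exactly what the questions above ask the provider to attest to.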

Control Group & Consensus Assessment Question(s)
* Audit Assurance & Compliance (Information System Regulatory Mapping)
- Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?
* Data Security & Information Lifecycle Management (Data Inventory / Flows)
- Can you ensure that data does not migrate beyond a defined geographical residency?
* Datacenter Security (Secure Area Authorization)
- Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?

Page 32: SaaS ISMS Implementation Notes
Page 33: SaaS ISMS Implementation Notes

Topic Title Implementation Area Ref

Abbreviations Nil

Terminology Training

Legal Requirement

Gain Credibility

D:\MyKnowledge Folders\ISMS\Cloud Security\1. Cloud security - The basics - #.docx

Customer Acquisition Process

D:\MyKnowledge Folders\ISMS\Cloud Security\2.5 problems with SaaS security.docx

Third-party assurance options

Page 34: SaaS ISMS Implementation Notes

Terminology Training

Agreement Templates SLA Finalization

SLA Finalization

Gain Credibility

Abbreviations Nil

Standards Available Gain Credibility

Knowledge

D:\MyKnowledge Folders\ISMS\Cloud Security\3.2012_Practical_Guide_to_Cloud_SLAs.pdf

Performance Metrics for SLA

Third-party assurance options

D:\MyKnowledge Folders\ISMS\Cloud Security\4.BDOTech-5-10Special.pdf

Recommended NIST Resources

Page 35: SaaS ISMS Implementation Notes

Knowledge

Framework Knowledge

Terminology Knowledge

Accountability for different IT service matters

Page 36: SaaS ISMS Implementation Notes

Terminology Knowledge

Security Consideration High Level Division of ISMS Domain

Page 37: SaaS ISMS Implementation Notes

Definition Knowledge

Definition Glossary Terms

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

SaaS Stack Layer wise Security Focus Areas

Macro View of Security Requirement

SaaS Deployment Model

Page 38: SaaS ISMS Implementation Notes

Data Security Fundamental

Access Control

Data Storage

Network Security Network Operation

Regulatory Compliance Fundamental

Data Segregation Fundamental

Availability Fundamental

BC-DR Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Vendor's Access Control to application

Encryption of data by customer

Page 39: SaaS ISMS Implementation Notes

D-DoS Fundamental

Data Backup Fundamental

Fundamental

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Identity Management [IdM] and Sign-on Process

Page 40: SaaS ISMS Implementation Notes

Fundamental

Secure Deployment Fundamental

Identity Management [IdM] and Sign-on Process

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Securing SaaS Applications

Secure Product Engineering

Governance and Regulatory Compliance Audits

Third-Party SaaS Security Assessment

Page 41: SaaS ISMS Implementation Notes

Fundamental

Data Security Fundamental

Network Security Fundamental

Data Segregation Fundamental

Availability Fundamental

Backup Fundamental

Third-Party SaaS Security Assessment

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Identity Management and Sign-on Process

Page 42: SaaS ISMS Implementation Notes

Fundamental

Cloud Security Layers Security Control

Network Vulnerability Assessment m- SaaS Deployment Model

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Securing SaaS Applications [A Cloud Security Perspective for Application Providers] By Pradnyesh Rane #.docx

Network Vulnerability Assessment m- Availability

What is Cloud Computing

CLOUD COMPUTING ARCHITECTURAL FRAMEWORK

D:\MyKnowledge Folders\ISMS\SaaS Security Control\CSA Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 #.pdf

Similarities and Differences Between conventional computing and cloud computing

What Comprises Cloud Computing?

D:\MyKnowledge Folders\ISMS\SaaS Security Control\Assessing the Security of Cloud SaaS Solutions #.pdf

Page 43: SaaS ISMS Implementation Notes

Cloud Certification

Security Control

SSAE-16 SOC 2 Report Cloud Certification

CSA Cloud Controls Matrix

NIST Cloud Security Documents

CSA STAR (Security, Trust & Assurance Registry)

Page 44: SaaS ISMS Implementation Notes

Security Control

Privacy vs Security Security Control

Privacy Policy Cloud Security Layers

PII and Personal Information

Privacy Standards and Regulations

Page 45: SaaS ISMS Implementation Notes

Cloud Security Layers

Definitions Fundamental

Data At Rest

Network Segmentation and Zoning

Data Integrity and Confidentiality

Encrypting Data At Rest

Page 46: SaaS ISMS Implementation Notes

Cloud Security Layers

Data Integrity and Confidentiality

Identity and Account Management

Page 47: SaaS ISMS Implementation Notes

Cloud Security Layers

Legal Compliance Cloud Security Layers

TRUST Cloud Certification

Auditing and Monitoring

Page 48: SaaS ISMS Implementation Notes
Page 49: SaaS ISMS Implementation Notes

Page No Remarks

Symantec, which has data centers in 14 countries, does offer an in-country guarantee, according to Trollope.

Page 50: SaaS ISMS Implementation Notes

The use of the term “broker” varies significantly and should be clarified with the various stakeholders, especially in context of a cloud SLA. An entity may provide broker services and functionality, but as a legal organizational entity not be recognized as a cloud broker. For example, an entity may perform research and negotiate on behalf of a consumer, but the actual SLA and contract terms are between the cloud consumer and cloud provider. The distinction of acting “broker like” vs. being an actual “broker” will evolve as the cloud computing industry matures and terminologies become more consistent. Due to these complexities this paper does not address all the SLA considerations for cloud brokering.

Page 51: SaaS ISMS Implementation Notes
Page 52: SaaS ISMS Implementation Notes
Page 53: SaaS ISMS Implementation Notes

Page No: 1, 2, 2

Page 54: SaaS ISMS Implementation Notes

Page No: 2, 2, 3, 3, 3, 3, 3, 3, 3

In the case of Amazon Web Services [AWS], the network layer provides significant protection against traditional network security issues, such as MITM attacks, IP spoofing, port scanning, packet sniffing, etc. For maximum security, Amazon S3 is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible both from the Internet and from within Amazon EC2, ensuring that data is transferred securely both within AWS and to and from sources outside of AWS.

The SaaS deployment needs to be periodically assessed for conformance to regulatory and industry standards. The SAS 70 standard includes operating procedures for physical and perimeter security of data centers and service providers. Access, storage, and processing of sensitive data need to be carefully controlled and are governed under regulations such as ISO-27001, Sarbanes-Oxley Act [SOX], Gramm-Leach-Bliley Act [GLBA], Health Insurance Portability and Accountability Act [HIPAA] and industry standards like Payment Card Industry Data Security Standard [PCI-DSS].

In the case of Amazon, the S3 APIs provide both bucket-level and object-level access controls, with defaults that only permit authenticated access by the bucket and/or object creator. Write and Delete permission is controlled by an Access Control List (ACL) associated with the bucket. Permission to modify the bucket's ACL is itself controlled by an ACL, and it defaults to creator-only access. Therefore, the customer maintains full control over who has access to their data. Amazon S3 access can be granted based on AWS Account ID, DevPay Product ID, or open to everyone.

Page 55: SaaS ISMS Implementation Notes

Page No: 3, 3-4, 4

4 Full with SaaS Vendor

4 Partially by SaaS Vendor

In the case of cloud vendors such as Amazon, the data at rest in S3 is not encrypted by default. The users need to separately encrypt their data and backups so that it cannot be accessed or tampered with by unauthorized parties.

Page 56: SaaS ISMS Implementation Notes

4 Full with Client

Page No: 4, 4-5, 5, 5, 5

Product vendors are always rushing to meet market release deadlines. Consequently, product security is often given lesser precedence. This can result in buggy software that is prone to security vulnerabilities. It is a known fact that leakage of sensitive data due to security exploits can result in heavy financial loss to enterprises and expose the SaaS vendor to potential liability issues along with lost credibility.

Dedicated cloud providers such as Amazon and Google help facilitate building secure SaaS applications by providing infrastructure services that aid in ensuring data security, network security, data segregation, etc. The SaaS applications that are deployed on these public clouds should ensure that they harden their application security settings to conform to the best practices recommended by the public cloud vendor.

Page 57: SaaS ISMS Implementation Notes

Page No: 5-6, 6, 6, 6, 6, 6, 7

Any vulnerability detected during these tests can be exploited to gain access to sensitive enterprise data and lead to a financial loss.

Any vulnerability detected during these tests can be exploited to hijack active sessions, gain access to user credentials and sensitive data.

Any vulnerability detected during these tests can be exploited to gain access to sensitive enterprise data of other tenants.

Many applications provide safeguards to automatically lock user accounts after successive incorrect credentials. However, incorrect configuration and implementation of such features can be used by malicious users to mount denial of service attacks.

Any vulnerability detected during these tests can be exploited to gain access to sensitive enterprise data stored in backups.

Any vulnerability detected during these tests can be exploited to take over user accounts and compromise sensitive data.

Page 58: SaaS ISMS Implementation Notes

Page No: 7, 7, 13, 13, 14, 5

Network VA helps validate the network/host security in the cloud used for deploying the SaaS application in a self-hosted model.

The above assessment helps test and validate the resilience of the SaaS deployment to denial of service attacks and helps ensure availability of the service to end users.

Page 59: SaaS ISMS Implementation Notes

Page No: 9, 10, 16, 17-18, 19, 22-23, 25, 27

Page 60: SaaS ISMS Implementation Notes

Page No: 29, 30, 31, 31, 32, 32, 33, 34

Page 61: SaaS ISMS Implementation Notes

Page No: 36, 37, 38, 39, 40

Page 62: SaaS ISMS Implementation Notes

Page No: 41, 42, 43, 44-45

Page 63: SaaS ISMS Implementation Notes

Page No: 46, 47-49, 50, 51

Page 64: SaaS ISMS Implementation Notes
Page 65: SaaS ISMS Implementation Notes
Page 66: SaaS ISMS Implementation Notes
Page 67: SaaS ISMS Implementation Notes

Value  Importance factor
-      Irrelevant if service is hosted on-premise or cloud
1      Minimal importance (most part moved to SLA)
2      Partial importance
3      Important
4      High importance (almost always)
5      Highest importance (important for each company / IS)

Page 68: SaaS ISMS Implementation Notes
Page 69: SaaS ISMS Implementation Notes


Page 70: SaaS ISMS Implementation Notes