CLOUD SECURITY ALLIANCE CONTRIBUTION TO THE EUROPEAN COMMISSION STRATEGY ON CLOUD COMPUTING

DANIELE CATTEDDU, CSA Managing Director EMEA

November 2011

www.cloudsecurityalliance.org, Copyright © 2011 Cloud Security Alliance

About the Cloud Security Alliance

Global, not-for-profit organization

Over 26,000 individual members, 100 corporate members, 50 chapters

Building best practices and a trusted cloud ecosystem

Agile philosophy, rapid development of applied research

GRC: Balance compliance with risk management

Reference models: build using existing standards

Identity: a key foundation of a functioning cloud economy

Champion interoperability

Enable innovation

Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”


What are the Trust Issues?

Will the CSP be transparent about governance and operational issues?

Will the user be considered compliant?

Does the user know what legislation applies?

Will a lack of standards drive unexpected obsolescence?

Is cloud really better at security than a traditional IT solution?

Are the hackers waiting for me in the cloud?


Key Problems of Today & Tomorrow

Keeping pace with cloud changes

Globally incompatible legislation and policy

Non-standard private & public clouds

Lack of continuous risk management & compliance monitoring

Incomplete identity management implementations

Haphazard response to security incidents


Contribution to Euro Cloud Strategy

KEY AREAS

Interoperability and portability

Trust, security, and assurance

Security innovation in the cloud

Our proposals should be understood in the context of the CSA focus on security, assurance, and compliance.


Interoperability and Portability

Public procurement to catalyse cloud adoption

Developing a standard framework and guidelines for service and data asset classification

Help customers decide which services and data can be moved to which type of cloud

Defining requirements for data security, privacy, portability and secure deletion

Designing models for cloud bursting

Developing/publishing “buyer’s guides” and SLAs & RFPs for common services


Interoperability and Portability

SHORT-TERM PRIORITIES

Interoperability of security policy

Security service level agreements

Privacy level agreements

Security as a Service

Promoting the use of open standards


Interoperability and Portability

POSITIVE IMPACT

Overcome the lack of solid technical standards for interoperability & portability

Guidance and support for SMEs

Help CSPs in improving and customising cloud offerings based on explicit requirements


Interoperability and Portability

ACTION 1:

WHAT: Interoperable Security Policies and Measures

HOW: Standardisation of security policy syntax and basic settings

WHO: Public sector + research community + industry

Expert group to collect requirements and define policy syntax, and framework for policy interoperability

Research program framework, e.g. developing projects on security policy management automation.

CSA will play an active role


Interoperability and Portability

ACTION 2:

WHAT: Security Service Level Agreements

HOW: Develop quantitative and comparable measures for reporting parameters by leveraging existing efforts from ENISA, NIST and CSA

WHO: Industry and/or ENISA to develop, Public Sector to endorse

CSA is playing an active role


Interoperability and Portability

ACTION 3:

WHAT: Privacy Level Agreements (PLAs)

HOW: Define a standard format for a CSP to declare the level of privacy (data protection and data security) that it sustains for the relevant data processing

WHO: Industry + DP authorities + subject matter experts to develop PLAs and public sector to endorse

CSA is playing an active role: PLA Outlines project to be launched Dec. 2011


Interoperability and Portability

ACTION 4:

WHAT: Security as a Service

HOW: Create a common vocabulary (define and characterise) for cloud-based security services and keep records of providers' offerings

WHO: Industry and/or ENISA to develop, Public Sector to endorse

CSA is playing an active role: SecaaS


Trust, Security and Assurance

SHORT-TERM PRIORITIES

Assessment Framework

Transparency Registry

Security Breach Notification

CloudSIRT and Real-Time Security Monitoring

Continuous Controls Monitoring and Auditing


Trust, Security and Assurance

SHORT-TERM PRIORITIES (CONT.)

Identity Model

Consumer Education

Applicable Law and Jurisdictions

Government Access to Data

e-Discovery


Interoperability and Portability

ACTION 1:

WHAT: Assessment Framework

HOW: Integrated approach to assessing CSPs and their external suppliers. A single approach provides cross-mapping between existing standards (ISO 2700x, COBIT, PCI-DSS, ENISA Cloud IAF, CSA CCM and ISF SOGP)

WHO: Industry and ENISA to refine existing framework, public sector to endorse and adopt

CSA is playing an active role: CCM, CAMM, CAI & CloudAudit


ACTION 2:

WHAT: Transparency Registry

HOW: Create a system to share and compare assessment results, managed and maintained by a European or national public institution, by an independent trusted party, or by a public/private partnership. Voluntary participation

WHO: Public sector, PPP, or independent org. to establish and maintain, EC to endorse

CSA is playing an active role: CSA STAR Registry

Interoperability and Portability


ACTION 3:

WHAT: Security Breach Notification

HOW: Voluntary incident reporting mechanism, inspired by Article 13a(3) of 2009/140/EC and Article 4 of 2009/136/EC.

WHO: Industry to develop, public sector to endorse

CSA is playing an active role: CloudSIRT

Interoperability and Portability


ACTION 4:

WHAT: SIRT and Real-Time Security Monitoring

HOW: Creation of an EC-wide cloud-related SIRT; a single point for vendors and customers to get data on the latest risks and incidents.

Real-time reporting solutions could voluntarily send non-sensitive data to the SIRT

WHO: Public sector + research community + industry

CSA is playing an active role: CloudSIRT

Interoperability and Portability


ACTION 5:

WHAT: Continuous Controls Monitoring and Auditing

HOW: Research and development of frameworks and automated systems for continuous controls monitoring and auditing.

WHO: Research community + public sector + industry

CSA is playing an active role: GRC Stack

Interoperability and Portability


ACTION 6:

WHAT: Identity Model

HOW: Support CSPs and SDOs (e.g. OASIS) in developing secure and interoperable identity, access and compliance management configurations and practices.

WHO: EC + SDOs + research community + industry

CSA is playing an active role: Trusted Cloud Initiative (TCI) Reference Architecture

Interoperability and Portability


ACTION 7:

WHAT: Consumer Education

HOW: Pan-European and national awareness-raising campaigns to explain terminology and remove false perceptions around benefits, risks, and the legal framework

WHO: EC + Member States + Associations

CSA is playing an active role

Interoperability and Portability


ACTION 8:

WHAT: Applicable Law and Jurisdictions

HOW: Jurisdiction should be that of the user's country of origin

Interoperability and Portability


Interoperability and Portability

ACTION 9:

WHAT: Government Access to Data

HOW: Bilateral agreement between the EC and the US federal government to set up clear rules of engagement and limits on a government's right to confiscate servers

WHO: European Commission


Interoperability and Portability

ACTION 10:

WHAT: e-Discovery

HOW: Bring forward the Article 29 Working Party opinion on pre-trial discovery for cross-border civil litigation (http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp158_en.pdf)


Security innovation in the cloud

KEY RESEARCH AREAS

New encryption and key management approaches

Format-preserving encryption

Tokenisation

Homomorphic encryption

Cloud management technologies to enforce desired policies at data centres around the world.

RESEARCH

http://cloudsecurityalliance.org/research/


CSA Guidance Research

Popular best practices for securing cloud computing

Flagship research project

V3 released 11/2011

cloudsecurityalliance.org/guidance

[Figure: Guidance structure, with the two areas "Operating in the Cloud" and "Governing the Cloud"]

Guidance > 100k downloads: cloudsecurityalliance.org/guidance


CSA GRC Stack

Family of 4 research projects

Cloud Controls Matrix

Consensus Assessments Initiative

Cloud Audit

Cloud Trust Protocol

Tools for governance, risk and compliance management

Control Requirements

Provider Assertions

Private, Community & Public Clouds


Cloud Controls Matrix Tool

Controls derived from guidance

Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP

Rated as applicable to S-P-I (SaaS, PaaS, IaaS)

Customer vs. provider role

Help bridge the “cloud gap” for IT & IT auditors


Consensus Assessment Initiative (CAI)

Research tools and processes to perform shared assessments of cloud providers

Integrated with Controls Matrix

Version 1 CAI Questionnaire released Oct. 2010, approximately 140 provider questions to identify presence of security controls or practices

Use to assess cloud providers today, in procurement negotiation and contract inclusion, and to quantify SLAs


CloudAudit

Open standard and API to automate provider audit assertions

Change audit from data gathering to data analysis

Necessary to provide audit & assurance at the scale demanded by cloud providers

Uses Cloud Controls Matrix as controls namespace

Use to instrument cloud for continuous controls monitoring


Cloud Trust Protocol (CTP)

Developed by CSC, transferred to CSA

Open standard and API to verify control assertions

“Question and Answer” asynchronous protocol, leverages SCAP (Security Content Automation Protocol)

Integrates with Cloud Audit

Now we have all the components for continuous controls monitoring


CSA STAR Registry (Security, Trust and Assurance Registry)

Public Registry of Cloud Provider self assessments

Based on Consensus Assessments Initiative Questionnaire

Provider may substitute documented Cloud Controls Matrix compliance

Voluntary industry action promoting transparency

Free market competition to provide quality assessments

Provider may elect to provide assessments from third parties

Available since October 2011


Trusted Cloud Initiative (TCI)

Comprehensive Cloud Security Reference Architecture

Secure & interoperable Identity in the cloud

Getting SaaS, PaaS to be “Relying Parties” for corporate directories

Scalable federation

Outline responsibilities for Identity Providers

Assemble reference architectures with existing standards

www.cloudsecurityalliance.org/trustedcloud.html


TCI Reference Model Structure

TCI Reference Architecture


Security as a Service

Information Security Industry re-invented

Define Security as a Service

Articulate solution categories within Security as a Service

Guidance for adoption of Security as a Service

Align with other CSA research

14th domain within CSA Guidance Version 3.

www.cloudsecurityalliance.org/secaas.html


CloudSIRT

Consensus research for emergency response in the Cloud

Enhance community’s ability to respond to incidents

Standardised processes

Supplemental best practices for SIRTs

Hosted community of Cloud SIRTs

Being spun out into a separate, related entity

Fully functional SIRT launched at CSA Congress Nov. 2011

www.cloudsecurityalliance.org/cloudsirt.html


CSA Relation to Standards

CSA is a Cloud Security Standards Incubator not an SDO

CSA research projects last approx. 6 months

Research artifacts are made available to SDOs; in some cases, SDOs may assume ownership

CSA is a neutral community for all SDOs

Gives industry a fast track to standards alignment

Established Category C liaison with ISO/IEC SC 27, WGs 1, 4 & 5

Co-editor of ISO/IEC SC 27 WG1 Cloud Computing Security Study Period

Co-editor ISO 27036

Formal Liaison with ITU-T


Contact

Help Us Secure Cloud Computing

www.cloudsecurityalliance.org


LinkedIn: www.linkedin.com/groups?gid=1864210

Twitter: @cloudsa


THANK YOU!