2011 Digital Summit - Not So Cloudy - Agcaoili


To the Cloud: Key Risks and Security Concerns


Cloud Computing: Security, the Largest Barrier to Adoption


Key Cloud Security Problems of Today

• From CSA Top Threats Research:

– Trust: Lack of Provider transparency, impacts Governance, Risk Management, Compliance

– Data: Leakage, Loss or Storage in unfriendly geography

– Insecure Cloud software

– Malicious use of Cloud services

– Account/Service Hijacking

– Malicious Insiders

– Cloud-specific attacks


Key Problems of Tomorrow

• Globally incompatible legislation and policy

• Non-standard Private & Public clouds

• Lack of continuous Risk Management and Compliance monitoring

• Incomplete Identity Management implementations

• Haphazard response to security incidents


Current Assurance Demands Do Not Scale

Customers:

• Reinvent the security wheel for each Cloud Provider

• Construct detailed and custom questionnaires

– Pre-sales

– Post-sales

• Right to Audit

Cloud Providers:

• Answer lengthy and unique questionnaires from every potential customer

– Disregard or address each one

– Larger Cloud Providers ignore questionnaires


Basic Question Everyone is Asking

Is it safe to put my data in this Cloud?


Cloud Computing Security Industry Initiatives

• Open Cloud Manifesto (http://www.opencloudmanifesto.org/)

– Making the case for an Open Cloud

• Jericho Forum (http://www.opengroup.org/jericho/)

– Cloud Cube Model: Recommendations & (Security) Evaluation Framework

• NIST Cloud Computing Program (http://www.nist.gov/itl/cloud/index.cfm)

– Cloud Security Guidelines

• Cloud Security Alliance (http://www.cloudsecurityalliance.org/)

– Promoting Best Security Practices for the Cloud

• Marcus J. Ranum on Cloud Computing Security (video)


Cloud Controls Matrix (CCM)


The Cloud Controls Matrix addresses these challenges

• Who is responsible? (Tenant, IaaS, PaaS, SaaS)

• How do you measure risk?

• How do you effectively decouple information intrinsic in infrastructure and applications?

• How do you satisfy regulators?

• How do you assure shareholders that the Cloud is a stable platform to conduct business?

Controls frameworks are the foundation of most attestation methodologies


Cloud Controls Matrix

• V1.1 Released Dec 2010

• Rated as applicable to S-P-I (SaaS, PaaS, IaaS) with Cloud Provider / Tenant delineation

• Controls baselined and mapped to:

– COBIT

– HIPAA / HITECH Act

– ISO/IEC 27001:2005

– NIST SP 800-53

– FedRAMP

– PCI DSS v2.0

– BITS Shared Assessments

– GAPP

Leadership Team

• Phil Agcaoili – Cox Communications

• Becky Swain – Cisco Systems, Inc.

• Marlin Pohlman – EMC, RSA

• Kip Boyle – CSA

www.cloudsecurityalliance.org/cm


Cloud Controls Matrix: Global Industry Contribution

• Adalberto Afonso A Navarro F do Valle – Deloitte LLP
• Addison Lawrence – Dell
• Akira Shibata – NTT DATA Corp
• Andy Dancer
• Anna Tang – Cisco Systems, Inc.
• April Battle – MITRE
• Chandrasekar Umpathy – Symphony Services Ltd
• Chris Brenton – Dell
• Dale Pound – SAIC
• Daniel Philpott – Tantus Technologies
• Dr. Anton Chuvakin – Security Warrior Consulting
• Elizabeth Ann Wickham – L47 Consulting Limited
• Gary Sheehan – Advanced Server Mgmt Group, Inc.
• Georg Heß
• Georges Ataya – Solvay Brussels School of Economics & Mgmt
• Glen Jones – Cisco Systems, Inc.
• Greg Zimmerman – Jefferson Wells
• Guy Bejerano – LivePerson
• Henry Ojo – Kamhen Services Ltd
• Jakob Holm Hansen – Neupart A/S
• Joel Cort – Xerox Corporation
• John DiMaria – HISPI
• John Sapp – McKesson Healthcare, HISPI
• Joshua Schmidt – Vertafore, Inc.
• Karthik Amrutesh – Ernst and Young LLP
• Kelvin Arcelay – Arcelay & Associates
• Kyle Lai – KLC Consulting, Inc.
• Larry Harvey – Cisco Systems, Inc.
• Laura Kuiper – Cisco Systems, Inc.
• Lisa Peterson – Progressive Insurance
• Lloyd Wilkerson – Robert Half International
• Marcelo Gonzalez – Banco Central Republica Argentina
• Mark Lobel – PricewaterhouseCoopers LLP
• Meenu Gupta – Mittal Technologies
• Mike Craigue, Ph.D. – Dell
• MS Prasad – Exec Dir CSA India
• Niall Browne – LiveOps
• Patrick Sullivan
• Patty Williams – Symetra Financial
• Paul Stephen – Ernst and Young LLP
• Phil Genever-Watling – Dell
• Philip Richardson – Logicalis UK Ltd
• Pritam Bankar – Infosys Technologies Ltd.
• Ramesan Ramani – Paramount Computer Systems
• Steve Primost
• Taiye Lambo – eFortresses, Inc.
• Tajeshwar Singh
• Thej Mehta – KPMG LLP
• Thomas Loczewski – Ernst and Young GmbH, Germany
• Vincent Samuel – KPMG LLP
• Yves Le Roux – CA Technologies
• HISPI membership (Release ISO Review Body)


Consensus Assessment Initiative


• Questions for shared assessments of Cloud Providers

• Lightweight “common assessment criteria” concept

• Integrated with Cloud Controls Matrix (CCM)

• Ver 1 CAI Questionnaire (CAIQ) released Oct 2010

– 148 questions

– Identifies presence of security controls or practices

www.cloudsecurityalliance.org/cai


Consensus Assessment Initiative Team

Contributors

• Matthew Becker – Bank of America
• Aaron Benson – Novell
• Ken Biery – Verizon Business
• Kristopher Fador – Bank of America
• David Gochenaur – Aon Corporation
• Jesus Molina – Fujitsu
• John Nootens – AMA Association
• Hemma Prafullchandra – Hytrust
• Gorka Sadowski – Log Logic
• Richard Schimmel – Bank of America
• Patrick Vowles – RSA
• Kenneth Zoline – IBM

Leaders

• Laura Posey – Microsoft
• Jason Witty – Bank of America
• Marlin Pohlman – EMC, RSA
• Earle Humphreys – ITEEx

Editor

• Christofer Hoff – Cisco


CloudAudit


• Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance of their environments (the "A6" API: Automated Audit, Assertion, Assessment, and Assurance API)

• Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.

• Aligned to CSA Cloud Controls Matrix (CCM)

• Incorporates CSA CAIQ and additional CompliancePacks

• Expands alignment to “infrastructure” and “operations”-centric views

http://cloudaudit.org


CloudAudit Sample Implementation – CSA Compliance Pack


CSA Governance, Risk, and Compliance (CSA GRC) Stack

• Suite of tools, best practices and enabling technology

• Consolidate industry research & simplify GRC in the cloud

• For cloud providers, enterprises, solution providers and audit/compliance

• Simplifies customer and cloud provider attestation to accelerate cloud adoption

– Common language to report security and compliance

– Common lexicon for communication between tiers of service

– Common ontology for reasoning about providers

https://cloudsecurityalliance.org/grc-stack

[Diagram: Control Requirements and Provider Assertions across Private & Public Clouds]


CSA GRC Stack: Industry Collaboration & Support

• International Organization for Standardization (ISO)

– ISO/IEC JTC 1 SC 27 ("SC 27") WG 1, 4 and 5 in a Study Period in the area of Cloud Computing Security and Privacy

• National Institute of Standards and Technology (NIST)

– Consolidated feedback on the Federal Risk and Authorization Management Program (FedRAMP)

• European Network and Information Security Agency (ENISA)

– Common Assurance Maturity Model (CAMM)

• American Institute of Certified Public Accountants (AICPA)

– Statement on Standards for Attestation Engagements (SSAE) No. 16, the successor to SAS 70 Type I and Type II attestation

– SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy

• Inverse Control Framework Mappings

– Unified Compliance Framework (UCF)

– Payment Card Industry (PCI) DSS

– Health Information Trust Alliance (HITRUST)

– Information Systems Audit and Control Association (ISACA) COBIT

– BITS Shared Assessments SIG/AUP + TG Participation

– Information Security Forum (ISF)


philA’s Approach to Using the CSA GRC Stack

1. Pre-sales - Use CAI Questionnaire

2. Contracts (MSA) – Attach CAIQ + CCM

3. Post Sales Assurance and Continuous Compliance – Use CloudAudit to verify contract and pre-sales assertions
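The three steps above, together with the CCM's framework mappings and the "inverse control framework mappings" listed earlier, come down to one cross-walk: which CCM controls does the contract require (derived from the frameworks it commits the provider to), which of those did the provider assert in the CAIQ, and does post-sales evidence still back each assertion. The script below is an added example written for this page, not code from the presentation, the CSA, or CloudAudit; the control IDs, framework references, questionnaire answers, evidence manifest and the 180-day freshness threshold are all constructed stand-ins, and the manifest layout is hypothetical rather than CloudAudit's real namespace or file format.

```python
"""Cross-walk a CAIQ-style questionnaire against CCM-mapped contract requirements
and a post-sales evidence manifest (pre-sales, contract, continuous compliance).

Constructed example: control IDs, framework references, CAIQ answers, the
evidence manifest and the freshness threshold are hypothetical stand-ins, NOT the
CSA CCM v1.1 data, the real CAIQ, or CloudAudit's actual namespace or formats.
"""
from collections import defaultdict
from datetime import date

# Hypothetical CCM-style excerpt: control id -> (title, {framework: requirement ref}).
CCM = {
    "DG-04": ("Data retention and disposal",
              {"ISO27001": "A.10.7.2", "PCI-DSS": "3.1", "HIPAA": "164.310(d)(2)(i)"}),
    "IS-18": ("Encryption of data in transit", {"ISO27001": "A.10.8.4", "PCI-DSS": "4.1"}),
    "IS-21": ("Incident management",
              {"ISO27001": "A.13.2.1", "PCI-DSS": "12.9", "HIPAA": "164.308(a)(6)"}),
    "SA-08": ("Network security perimeter", {"ISO27001": "A.11.4.5", "PCI-DSS": "1.1"}),
    "RS-03": ("Business continuity testing", {"ISO27001": "A.14.1.5"}),
}

# Constructed pre-sales CAIQ-style answers, one "control,answer" line per question.
CAIQ_TEXT = """\
DG-04,Yes
IS-18,Yes
IS-21,No
SA-08,Yes
"""

# Constructed post-sales evidence manifest (hypothetical layout, not CloudAudit's):
# control id -> (status, date the evidence was last produced).
EVIDENCE = {
    "DG-04": ("pass", date(2011, 3, 1)),
    "IS-18": ("fail", date(2011, 3, 1)),
    "SA-08": ("pass", date(2010, 6, 1)),
}
AS_OF = date(2011, 5, 1)  # constructed date of the continuous-compliance check


def invert_mappings(ccm):
    """Inverse mapping: framework -> requirement ref -> sorted CCM control ids."""
    inv = defaultdict(lambda: defaultdict(list))
    for cid, (_title, refs) in ccm.items():
        for framework, req in refs.items():
            inv[framework][req].append(cid)
    return {fw: {req: sorted(ids) for req, ids in reqs.items()} for fw, reqs in inv.items()}


def required_controls(ccm, frameworks):
    """CCM controls the contract requires, given the frameworks it commits the provider to."""
    wanted = set(frameworks)
    return {cid for cid, (_title, refs) in ccm.items() if refs.keys() & wanted}


def parse_caiq(text):
    """Parse 'control,answer' lines; answers normalised to lower case, blank lines skipped."""
    answers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cid, answer = (part.strip() for part in line.split(",", 1))
        answers[cid] = answer.lower()
    return answers


def gap_report(required, caiq, evidence, as_of, max_age_days=180):
    """Compare required controls with pre-sales assertions and post-sales evidence.

    unanswered: contract requires it but the CAIQ never addressed it
    denied:     provider answered something other than Yes (negotiate before signing)
    no_evidence: asserted Yes pre-sales, nothing backs it post-sales
    failed:     evidence exists and shows the control is not met (drift from the contract)
    stale:      evidence passes but is older than max_age_days
    """
    report = {"unanswered": [], "denied": [], "no_evidence": [], "failed": [], "stale": []}
    for cid in sorted(required):
        answer = caiq.get(cid)
        if answer is None:
            report["unanswered"].append(cid)
            continue
        if answer != "yes":
            report["denied"].append(cid)
            continue
        ev = evidence.get(cid)
        if ev is None:
            report["no_evidence"].append(cid)
            continue
        status, produced = ev
        if status != "pass":
            report["failed"].append(cid)
        elif (as_of - produced).days > max_age_days:
            report["stale"].append(cid)
    return report


def run_example(frameworks=("PCI-DSS",)):
    """Full cross-walk for a contract that commits the provider to the given frameworks."""
    return gap_report(required_controls(CCM, frameworks), parse_caiq(CAIQ_TEXT), EVIDENCE, AS_OF)


if __name__ == "__main__":
    for category, controls in run_example().items():
        print(f"{category:12s} {', '.join(controls) or '-'}")
```

Because the cross-walk keys on CCM control IDs rather than on any one framework's clause numbers, the same CAIQ answers and evidence can be re-scored against a different set of contractual frameworks (for example adding ISO 27001 pulls RS-03 into the required set and reports it as unanswered) without re-surveying the provider, which is the point of the CCM's mapping layer.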


Other Practical Risk Management Strategies for Cloud Computing

• Adoption and demand use of good industry practices

– CSA GRC Stack

• Risk assessments

• Contract terms

• Service Level Agreement (SLA)

• Multi-Sourcing

– Parallel in-house service

– Several compatible suppliers

• More to come… the market is still evolving…


About the Cloud Security Alliance


• Global, not-for-profit organization

• Almost 20,000 individual members, 80 corporate members

• Building best practices and a trusted cloud ecosystem

• Agile philosophy, rapid development of applied research

– GRC: Balance compliance with risk management

– Reference models: build using existing standards

– Identity: a key foundation of a functioning cloud economy

– Champion interoperability

– Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”


Help us secure cloud computing

• Web: www.cloudsecurityalliance.org

• Email: info@cloudsecurityalliance.org

• LinkedIn: www.linkedin.com/groups?gid=1864210

• Twitter: @cloudsa

• Email: Phil.Agcaoili@Cox.com

• Twitter: @HackSec

Questions & Answers