CSA GUIDANCE VERSION 4: STATE OF THE ART CLOUD SECURITY AND GDPR NOTES

Hing-Yan Lee (Dr.), EVP, APAC, Cloud Security Alliance

Cloud Security Alliance · 2017-12-25




ABOUT THE CLOUD SECURITY ALLIANCE

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

CLOUD PROVIDER CERTIFICATION – CSA STAR

THE GLOBALLY AUTHORITATIVE SOURCE FOR TRUST IN THE CLOUD

USER CERTIFICATION – CCSK

BUILDING SECURITY BEST PRACTICES FOR NEXT GENERATION IT

RESEARCH AND EDUCATIONAL PROGRAMS

GLOBAL, NOT-FOR-PROFIT ORGANIZATION


35+ ACTIVE WORKING GROUPS

2009 CSA FOUNDED

SINGAPORE // ASIA PACIFIC HEADQUARTERS

EDINBURGH // UK HEADQUARTERS

SEATTLE/BELLINGHAM, WA // US HEADQUARTERS

88,000+ INDIVIDUAL MEMBERS

400+ CORPORATE MEMBERS

80+ CHAPTERS

Strategic partnerships with governments, research institutions, professional associations and industry

CSA research is FREE!

OUR COMMUNITY


SECURITY GUIDANCE V.4 AT A GLANCE


COPYRIGHT © 2017 CLOUD SECURITY ALLIANCE

About Security Guidance V4

• Fundamental cloud security research that started CSA

• 4th version, released July 2017

• Architecture

• Governing in the Cloud
  • Governance and Enterprise Risk Management
  • Legal
  • Compliance & Audit Management
  • Information Governance

• Operating in the Cloud
  • Management Plane & Business Continuity
  • Infrastructure Security
  • Virtualization & Containers
  • Incident Response
  • Application Security
  • Data Security & Encryption
  • Identity Management
  • Security as a Service
  • Related Technologies


DOMAIN 1: CLOUD COMPUTING CONCEPTS & ARCHITECTURE

Definitions



DOMAIN 1: CLOUD COMPUTING CONCEPTS & ARCHITECTURE

Logical Models & Architectures

Shared Responsibility

Sample SaaS Architecture

Logical Model


DOMAIN 1: CLOUD COMPUTING CONCEPTS & ARCHITECTURE

Key Takeaways

• Understand Cloud Definitions

• Shared Responsibility of Security

• Leverage key CSA assurance tools

  • Cloud Controls Matrix
  • Consensus Assessments Initiative Questionnaire
  • CSA Security, Trust & Assurance Registry (STAR)
  • CSA Enterprise Architecture


DOMAIN 2: GOVERNANCE AND ENTERPRISE RISK MANAGEMENT

Risk & Governance Hierarchy


DOMAIN 2: GOVERNANCE AND ENTERPRISE RISK MANAGEMENT

Key Takeaways

• Adapting Risk Management program to cloud’s unique characteristics

• Understanding tradeoffs and tools

• Understanding a virtual approach to security risk management

• Assessment process

Cloud Assessment Process


DOMAIN 3: LEGAL


DOMAIN 3: LEGAL

Key Takeaways

• Regional regulatory examples affecting cloud

• Contract criteria, due diligence focus and negotiations

• Electronic discovery

• Data collection and retention issues

• High level discussion of critical legal issues for both providers and customers

• NOTE: for GDPR tools, check out our GDPR Resource Center and the CSA Code of Conduct for GDPR Compliance: https://gdpr.cloudsecurityalliance.org/


DOMAIN 4: COMPLIANCE AND AUDIT MANAGEMENT

Key Takeaways

• Have a “continuous” approach

• Leverage “high quality” certifications & attestation as opposed to bespoke audits

• Scoping of audits/assessments is critical

• CSA tools essential


DOMAIN 5: INFORMATION GOVERNANCE

Key Takeaways

• Understand cloud information governance domains, e.g. privacy, location, classification, controls, etc.

• Know your governance requirements before selecting cloud application

• Take a data security lifecycle approach

Data Security Lifecycle


DOMAIN 6: MANAGEMENT PLANE AND BUSINESS CONTINUITY

Key Takeaways

• Critical new domain reflecting practical knowledge in cloud security management

• High availability and business continuity intra-cloud vs inter-cloud

• Protection of privileged accounts


DOMAIN 7: INFRASTRUCTURE SECURITY

Key Takeaways

• Fundamentals of IaaS platform security

• Apply least privilege on a granular level, e.g. workloads

• Apply Software-Defined Networking (SDN) & Software-Defined Perimeter (SDP)

• Understand vulnerability assessment and penetration testing changes

Immutable VM/Container Deployment


DOMAIN 8: VIRTUALIZATION AND CONTAINERS

Key Takeaways

• Tenant isolation

• “Secure by default” images

• Cloud-native patch management

• Orchestration tools


DOMAIN 9: INCIDENT RESPONSE

Key Takeaways

• Understand the IR lifecycle process

• Cloud providers have varying options supporting IR

• SLAs are an important area to understand ahead of time

• Cloud tools provide superior capabilities to orchestrate and automate IR


DOMAIN 10: APPLICATION SECURITY

Key Takeaways

• Leverage a recognized secure software development lifecycle, e.g. MS-SDLC, NIST 800-64, ISO/IEC 27034

• Understand new cloud app design trends

• Make sure you are addressing DevOps and Continuous Deployment

• Understand multi-tenant vulnerability assessment & pen testing considerations

Continuous Deployment Pipeline


DOMAIN 11: DATA SECURITY AND ENCRYPTION

Key Takeaways

• Understand provider data security controls, risk based approach to encryption (can’t encrypt everything)

• Customer-managed keys preferable where feasible

• CASB may help with encryption prioritization/decision support

• Granular access control & entitlements


DOMAIN 12: IDENTITY MANAGEMENT

Key Takeaways

• Extend strong internal identity federation

• Federation standards critical

• Multi-factor authentication needed (mandatory for privileged identities)

• Attribute-based preferred to role-based access control


DOMAIN 13: SECURITY AS A SERVICE

Key Takeaways

• Numerous benefits
  • Flexible deployment
  • Shared intelligence
  • Staffing expertise

• Vetting as you would any important cloud provider: certifications, portability, regulatory support

• Visibility into your data & logs critical


DOMAIN 14: RELATED TECHNOLOGIES

Key Takeaways

• Big Data

• Internet of Things

• Mobile computing

• Serverless cloud

• Discuss synergy and cloud leverage


CSA Code of Conduct for GDPR Compliance

• Released November 2017

• Provide CSPs a tool to achieve EU Data Protection

• Provide cloud customer with a tool to evaluate CSP Data Protection compliance

• Code of Conduct Self-Assessment and Certification added to CSA STAR in early 2018

• Working closely with supervisory authorities for approval

• https://gdpr.cloudsecurityalliance.org/


CSA Code of Conduct

• Structure of components
  • Part 1: CSA CoC objectives & scope
  • Part 2: Privacy Level Agreement Code of Practice
  • Part 3: CSA CoC Governance mechanisms

• Detailed list of GDPR requirements

• Strongly based on WP29 Opinions, ENISA Guidelines and ISO standards

• Considers differences between CSP-controller and CSP-processor


CSA Code of Conduct and CSA STAR

• CSA STAR: world’s largest registry of cloud security assertions

• Adding GDPR self-assessment January 2018

• Adding GDPR 3rd party certification H1 2018

• View specifications in Part 3 of Code of Conduct

CODE OF CONDUCT FOR GDPR COMPLIANCE

TECHNICAL COMPLIANCE

LEGAL COMPLIANCE


HTTPS://CLOUDSECURITYALLIANCE.ORG/

THANK YOU

Contact CSA

Email: [email protected]

Twitter: @Cloudsa

Site: www.cloudsecurityalliance.org

Learn: www.cloudsecurityalliance.org/research/cloudbytes

Download: www.cloudsecurityalliance.org/download

GDPR Resource center: https://gdpr.cloudsecurityalliance.org