10
Defined Categories of Security as a Service (Preview) - Continuous Monitoring as a Service SECURITY AS A SERVICE WORKING GROUP

SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

Page 1: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

Defined Categories of Security as a Service (Preview) - Continuous Monitoring as a Service

SECURITY AS A SERVICE WORKING GROUP

Page 2: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

© 2016 Cloud Security Alliance – All Rights Reserved

All rights reserved. You may download, store, display on your computer, view, print, and link to this document at

http://www.cloudsecurityalliance.org/download, subject to the following: (a) the Report may be used solely for

your personal, informational, non-commercial use; (b) the Report may not be modified or altered in any way; (c)

the Report may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You

may quote portions of the Report as permitted by the Fair Use provisions of the United States Copyright Act,

provided that you attribute the portions this document.

Page 3: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

©2016 Cloud Security Alliance - All Rights Reserved.3

ACKNOWLEDGMENTS

Initiative LeadBernd Jaeger

Key ContributorsRobert de MontsKevin FielderJens LaundrupTim OwenRoshan SequieraCameron SmithJohn Yeoh

©2016 Cloud Security Alliance - All Rights Reserved.

Page 4: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

©2016 Cloud Security Alliance - All Rights Reserved.4

TABLE OF CONTENTS

Acknowledgments ................................................................................................. 3

Executive Overview ............................................................................................... 5

Categories of Security as a Service ....................................................................... 6

Continuous Monitoring as a Service (CMaaS) ....................................................... 7

Category Description ............................................................................................. 7

Business Elements ................................................................................................ 7

Core Functionalities ........................................................................................ 7

Optional Features ............................................................................................ 7

Technical Elements ................................................................................................ 8

Disciplines ....................................................................................................... 8

Related Categories of Services ....................................................................... 8

Related Standards and Technologies .............................................................. 8

CSA Domains (v3.0) ........................................................................................ 8

Controls ........................................................................................................... 8

CCM v3.0.1 Mapping ...................................................................................... 8

Elements not mapped ..................................................................................... 8

Threats Addressed .......................................................................................... 9

Challenges ...................................................................................................... 9

Examples ........................................................................................................ 9

References ...................................................................................................... 9

©2016 Cloud Security Alliance - All Rights Reserved.

Page 5: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

©2016 Cloud Security Alliance - All Rights Reserved.

EXECUTIVE OVERVIEWNumerous security vendors are now leveraging cloud based models to deliver their security solutions known as Security as a Service (SecaaS). This shift has occurred for a variety of reasons including greater economies of scale and streamlined delivery mechanisms. However, these SecaaS offerings can take many forms causing market confusion and complicating the selection process. Customers are increasingly faced with evaluating security solutions, which do not run on premises. They need a better understanding of these offerings to assess the type of security risks they address and the need a better understanding of these offerings to evaluate the security risks and the shared responsibility over the security of systems for which they are accountable.

In order to improve the understanding of these services and accelerate their market acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create guidelines for implementing SecaaS offerings, facilitate the purchasing process for such solutions, and aid those tasked with implementing or auditing them.

The SecaaS Working Group will address these challenges by working with experienced knowledge leaders and intelligent market research in the industry to align with cloud governance best practices, document use cases, identify standards requirements, and create other innovative research artifacts. This overview document is the first in a series of business, technical, and implementation guidance documents for the following security service categories:

- Business Continuity and Disaster Recovery- Continuous Monitoring- Data Loss Prevention- Email Security- Encryption- Identity and Access Management (IAM)- Intrusion Management- Network Security- Security Assessments- Security Information and Event Management- Vulnerability Scanning- Web Security

For more information about CSA Security as a Service, visit: https://cloudsecurityalliance.org/security-as-a-service

©2016 Cloud Security Alliance - All Rights Reserved.5

Page 6: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

©2016 Cloud Security Alliance - All Rights Reserved.6

Network Security Network Security consists of security services that allocate network access, distribute, monitor, and protect network services

Vulnerability Scanning Vulnerability Scanning scans the target infrastructure or systems for security vulnerabilities via a public network.

Web Security Web Security offers real-time protection of public facing application services generally offered by proxying web traffic through the cloud service provider.

Email Security Email Security provides control over inbound and outbound email, protecting the organization from phishing, malicious attachments, and spam, and providing business continuity options.

Identity and Access Management (IAM)

Identity and Access Management (IAM) provides identity administration, governance and access controls. This includes authentication, identity assurance, access intelligence, and privileged user management.

Encryption Encryption is the process of obfuscating data using cryptographic and numerical ciphers. Transforming clear-text into cipher-text to make it unreadable

Intrusion Management Intrusion Management is the process of using pattern recognition to detect statistically unusual events, prevent or detect intrusion attempts, and manage the incidents.

Data Loss Prevention (DLP) Data Loss Prevention is the monitoring, protecting, and verifying the security of data at rest, in motion, and in use.

Security Information and Event Management (SIEM)

Security Incident and Event Management (SIEM) systems accept log and event information, correlation and incident data and provide real time analysis and correlation.

Business Continuity and Disaster Recovery (BCDR)

Business Continuity and Disaster Recovery is the implementation of measures designed to ensure operational resiliency in the event of any service interruptions.

Continuous Monitoring Continuous Monitoring performs the function of continuous risk management presenting the current security posture of the organization.

Security Assessments Security Assessments are third party audits of cloud services based on industry standards.

CATEGORIES OF SECURITY AS A SERVICE

Page 7: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

©2016 Cloud Security Alliance - All Rights Reserved.7

Continuous Monitoring performs the function of continuous risk management presenting the current security posture of the organization. Using industry approved risk management frameworks, Continuous Monitoring collects inventory of deployed organizational assets (including but not limited to current patch/version status, vulnerabilities, threats, and traffic) and generates ongoing risk scores across the enterprise. The intent of Continuous Monitoring is to reduce the time and effort required to identify security risks, assist in defining mitigation strategies, and implement any necessary controls reducing the security risk window.

BUSINESS ELEMENTS

Core Functionalities Asset Discovery & Management- Scan for assets, discover assets and create a continuously updated asset

inventory. Inventory based on the classification of assets by the organization- Collect traffic metrics and create baselines profiles. Baselines are created

based against industry accepted standards. - provide processes support via workflow integration

Collection and Data Evaluation- Ingest of data from other security functions (Automated collection and

manual inputs). Collect: - Configuration status- Patch status- Vulnerability scanning results- Pen-Testing findings- SIEM feeds

- Transformation of different input formats (format conversion, ormalization, de-duplication)

- Information Correlation

Risk & Compliance Assessment- Identification and/or definition of policies and standards to measure against- Assessment against policies, certification standards and other legal &

compliance requirements- Risk scoring

Reporting- Report current risk and compliance status

Continuous Mitigation Process/Cycle- Identify remediation and mitigation activities - Prioritize activities- Tack progress and effectiveness

CONTINUOUS MONITORING AS A SERVICE (CMAAS)

Page 8: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

©2016 Cloud Security Alliance - All Rights Reserved.8

TECHNICAL ELEMENTS

Supporting Core Functionalities Risk reporting, encryption, anonymization, logging, data categorization, data correlation, data integrity protection, threat intelligence management, patch management, creating policies, asset management, vulnerability management, configuration management, compliance monitoring/management

Related Categories of Services SIEM, Network Security, Security Assessments, Vulnerability Scanning, IAM, Intrusion Management

Related Technologies Cloud Access Security Broker (CASB)

Related Standards DFARS, FISMA, FISMA II, ISO/IEC 27001, NASA-FARS, NERC/FERC CIP, NIST Cybersecurity Framework, NIST IR 7800,NIST SP 800-137, NIST SP 800-53

CSA Domains (v3.0) Domain 2 Governance and Enterprise Risk Management, Domain 4: Compliance and Audit Management, Domain 9 Incident Response, Domain 14 SecaaS

Controls - Classification of information systems- Assessing technical and administrative security controls- Monitoring security controls (i.e. preventative, detective)- Indirectly during the mitigation or follow-up cycle:- Selecting security controls- Implementing security controls (i.e. process, technical, administrative)- Authorizing information systems

CCM v3.0.1 Mapping - Audit Assurance & Compliance AAC-01, AAC-02, AAC-03- Change Control & Configuration Management CCC-01, CCC-02, CCC-04, CCC-05- Data Security & Information Lifecycle Management DSI-01, DSI-02, DSI-03,

DSI-04, DSI-05- Datacenter Security DCS-01, DCS-03- Encryption & Key Management EKM-03- Governance & Risk Management GRM-01, GRM-02, GRM-04, GRM-06, GRM-08,

GRM-09, GRM-10, GRM-11- Human Resources HRS-05, HRS-08- Identity & Access Management IAM-01, IAM-03, IAM-04, IAM-05, IAM-07,

IAM-08, IAM-09, IAM-10- Infrastructure & Virtualization Security IVS-01, IVS-02, IVS-05, IVS-06, IVS-07, I

VS-11, IVS-12- Mobile Security MOS-02, MOS-03, MOS-09, MOS-10, MOS-12, MOS-15,

MOS-16, MOS-17,MOS-19- Threat & Vulnerability Management TVM-01, TVM-02

Page 9: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

9

Threats Addressed - Non-compliance and policy violations- Insecure configuration (changes)- Being vulnerable between point-in-time audits- APT (intrusion via Advanced Persistent Threats)

Challenges - full coverage of the infrastructure in scope- asset discovery blocked by firewalls/gateways- poor or no policies / processes defined to assess against- lack of stakeholder or Senior Management commitment- handling of offline or legacy devices- appropriate risk evaluation and prioritization- Sound processes for mitigation- dynamic topology changes, cloned devices/assets, offline copies in a Software

Defined/Driven ICT environment (i.e. SDN, NFV, cloud)

References http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdfhttp://www.gsa.gov/portal/getMediaData?mediaId=199735http://www.gsa.gov/portal/mediaId/199735/fileName/CDM_Product_Catalog.action

©2016 Cloud Security Alliance - All Rights Reserved.

Page 10: SECURITY AS A SERVICE WORKING GROUP …...acceptance, a clear categorization and definitions of Security as a Service is required. The research will allow the intended users to create

©2016 Cloud Security Alliance - All Rights Reserved.10

©2016 Cloud Security Alliance - All Rights Reserved.