Upload
phila-agcaoili
View
650
Download
0
Embed Size (px)
DESCRIPTION
Cloud Security Assurance for the International Association of Privacy Professionals
Citation preview
1IAPP Atlanta Chapter
Cloud Assurance Basics
February 22, 2013
Phil AgcaoiliCISO, Cox CommunicationsFounding Member, Cloud Security Alliance (CSA)Co-Founder and Co-Author, CSA Cloud Controls Matrix (CCM)Co-Founder Security, Trust, & Assurance Registry (STAR) and GRC Stack
2agenda
• Intro to cloud computing• Legal and privacy concerns to
consider• Latest developments of cloud
security and assurance standards
3
Intro to cloud computing
4What Is Cloud Computing?
• The “cloud” is a metaphor for the Internet– Leverages the connectivity of the Internet to optimize the utility of
computing
• It is not new!– Search is a cloud application (Google, Yahoo, Altavista)– Internet-based email services are cloud applications (Gmail, Yahoo!
Mail, Hotmail, AOL Mail)– Social networking sites are cloud applications (Facebook, MySpace,
Forums)– Similar to time-sharing and service bureau services from the mainframe
days, or ASP’s from the 90’s
• Accessible anywhere with Internet access– There are public, private, managed and hybrid clouds
5
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
...Everything is Cloud
The Consumer’s View of Cloud
6A
dopt
ion
Time1961
John McCarthy proposed 'computer time-sharing technology' to be sold through utility business model (like electricity) in a lecture at MIT
Mid 90’s
ASP (Application Service Provider) model with single tenant hosting of applications
Early 00’s
Software as a Service (SaaS) model with multi-tenant hosting of applications
Late 00’s
Cloud Computing with pay as you go model, leveraging virtualization for data center efficiencies and faster networks
Evolution Over The Years
7
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
The Technical View of Cloud
8
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Application(SaaS)
Platform as a Service
Infrastructure
as a Service
EnablingTechnology
Platform as a Service
Execution Platforms at Scale(Developers)
Infrastructure
as a Service
Infrastructure at Scale(System Administrators)
EnablingTechnology
Cloud Service Delivery at Scale(Public / Private Cloud
Providers)
Application(SaaS)
Applications at Scale(End users)
NIST Cloud Deployment Models
9Cloud Model :: Infrastructure as a Service (IaaS)
10Cloud Model :: Platform as a Service (PaaS)
11Cloud Model :: Software as a Service (SaaS)
12
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
… and one other
Public Cloud
Private Cloud
Virtual Private
Cloud
Hybrid Cloud
Community Cloud
Public Cloud
Cloud infrastructure made available to the general public.
Private Cloud
Cloud infrastructure operated solely for an organization.
Virtual Private
Cloud
Cloud services that simulate the private cloud experience in public
cloud infrastructure
Hybrid Cloud
Cloud infrastructure composed of two or more clouds that interoperate
or federate through technology
Community Cloud
Cloud infrastructure shared by several organizations and supporting
a specific community
NIST Cloud Deployment Models
13
© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Ownership
Control
Internal ResourcesAll cloud resources owned by or dedicated to enterprise
External ResourcesAll cloud resources owned by providers; used by many customers
Private Cloud
Cloud definition/governance controlled by enterprise
Public Cloud
Cloud definition/governance controlled by provider
Hybrid Cloud
Interoperability and portability among Public and/or Private Cloud systems
Enterprise Deployment ModelsDistinguishing Between Ownership and Control
14
Amazon EC2 - IaaS
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
Salesforce - SaaS
Google AppEngine - PaaS
What This Means To Security
15
Legal and privacy concerns to consider
16Be Prepared for Change
• Cloud industry is immature and growing rapidly
• New players will rapidly emerge to fill new market niches
• Consolidation of the industry at some point is inevitable– You may not be as comfortable with new entity
• Google, Amazon, IBM, Microsoft, Dell, HP, Cisco, CSC, and Verizon all active in this area
– Big players will create standards for security and governance
• Cloud computing is disruptive to existing business models and IT practices– Disruptive technologies attract players who may not be around
for the long term
17Types of Issues
• Location (where is your data; what law governs?)• Operational (including service levels and security)• Legislation/Regulatory (including privacy) • Third-party contractual limitations on use of cloud• Security• Investigative/Litigation (eDiscovery)• Risk allocation/risk mitigation/insurance
18Location Issues
• Where will your data be located?– The cloud may be the ultimate form of globalization
• What law governs?– You may or may not be able to control this by contract as the law
in some countries can trump contractual provisions– State law is becoming increasingly relevant– Complying with a patchwork of federal and state privacy laws
• Storing data in certain regions may not be acceptable to your customers, especially the government
19Operational Issues
• Vendor lock-in issues– Will you be bound to a certain application; platform; operating
system?– Some critics, such as Richard Stallman, have called it “a trap
aimed at forcing more people to buy into locked, proprietary systems that will cost them more and more over time”
• Can you transfer data and applications to and from the cloud?
20Operational Issues
• Backup/data restoration
• Disaster recovery
• Acceptable service levels
• What do you do if the Internet crashes?– How is that risk allocated by contract?
• Data retention issues– There many legal and tax reasons that company must retain
data longer than cloud vendor is prepared to do so
21Regulatory/Governance Issues
• The more of these issues you have, the slower you will move to cloud computing– Early growth in cloud computing will come from small and
medium sized businesses and give them a competitive advantage
– Portion of cost savings will have to be reinvested into increased scrutiny of security capabilities of cloud providers
• Some regions, such as the EU, have stringent rules concerning moving certain types of data across borders
• Cloud computing not regulated –yet
22Regulatory/Governance Issues
• Patriot Act/UK Regulation of Investigatory Powers Act• Stored Communications Act (part of ECPA)• National Security Letters (may not even know of investigation)• PCI (credit card information)• HIPAA (health-related information)• GLB (financial services industry)• FTC and state privacy laws• ITARS, EARS, other export or trade restrictions will impact
where data can be stored and who can store it• Video rental records• Fair Credit Reporting Act• Violence Against Women Act• Cable company customer records
23Contracts Will Be The KeyLegal Enforcement Mechanism
• Privileged user access– Who has access to data and their backgrounds
• Regulatory compliance– Vendor must be willing to undergo audits and security
certifications
• Data location– Can you control the physical location of your data?
• Security– Implementation is a technical matter; responsibility is a legal one
24Key Contractual Issues
• Data segregation– Use of encryption to protect data –a sometimes tricky issue
• Recovery– What happens to your data and apps in the event of a disaster?– You should have test procedures in place
• Long-term viability– What happens to data and apps if company goes out of
business?
• Investigative support– Will vendor investigate illegal or inappropriate activity?
• What happens in the event of a security breach?
25Security Issues
• Physical security– Physical location of data centers; protection of data centers
against disaster and intrusion
• Operational security– Who has access to facilities/applications/data?– Will you get a “private cloud” or a service delivered more on a
“utility” model?
• Programmatic security– Software controls that limit vendor and other access to data and
applications (firewalls; encryption; access and rights management)
– Encryption accidents can make data unusable
26Investigative/Litigation Issues
• Third party access– Subpoenas
• You may not even know about them if vendor gets the subpoena– Criminal/national security investigations– Search warrants; possible seizures
• eDiscovery– How are document holds enforced; metadata protected;
information searched for and retrieved?
• You must have clear understanding of what cloud provider will do in response to legal requests for information
27Intellectual Property Issues
• The big issue is trade secret protection– If third parties have access to trade secret information, that could
destroy the legal protection of trade secrets– This can be ameliorated by appropriate contractual non-
disclosure provisions
• Same concern for attorney-client privileged information
28Risk Allocation/Management
• No benchmarks today for service levels
• No cloud vendor can offer a 100% guarantee– The most trusted and reliable vendor can still fail– Should replicate data and application availability at multiple sites– Should you escrow data or application code?
• A premium will be charged based on the degree of accountability demanded
• Responsibility of customer to determine if it is comfortable with risk of putting service in the cloud
• Many publicly available cloud computing contracts limit liability of hosting provider to a level that is not in line with the potential risk
• Cloud computing contracts resemble typical software licenses, although potential risk is much higher
29Insurance
• Will business interruption insurance provide coverage if your business goes down because of problem at cloud vendor?
• Do Commercial General Liability (CGL) or other types of liability coverage handle claims that arise from privacy breaches or other events at the cloud level?
• Are you covered if your cloud vendor gets hacked?
30Checklist of Things to Consider
• Financial viability of cloud provider
• Plan for bankruptcy or unexpected termination of the relationship and orderly return of disposal of data/applications– Vendor will want right to dispose of your data if you don’t pay
• Contract should include agreement as to desired service level and ability to monitor it
• Negotiate restrictions on secondary uses of data and who at the vendor has access to sensitive data
• Understand cloud provider’s information security management systems
31Checklist of Things to Consider
• Negotiate roles for response to eDiscovery requests
• Ensure that you have ability to audit on demand and regulatory and business needs require– Companies subject to information security standards such as ISO
27001, must pass to subs same obligation
• Make sure that cloud provider policies and processes for data retention and destruction are acceptable
• Provide for regular backup and recovery tests
• Consider data portability application lock-in concerns
• Understand roles and notification responsibilities in event of a breach
32Checklist of Things to Consider
• Data encryption is very good for security, but potentially risky; make sure you understand it– Will you still be able to de-crypt data years later?
• Understand and negotiate where your data will be stored, what law controls and possible restrictions on cross-border transfers
• Third-party access issues
• Consider legal and practical liability for force majeure events– Must be part of disaster recovery and business continuity plan
• There is no substitute for careful due diligence
33
Latest developments in cloud security assuranceCSA Cloud Controls Matrix (CCM)AICPA SOC ReportsCSA Open Certification Framework (OCF)
34
35
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org
Our research includes fundamental projects needed to define and implement trust within the future of information technologyCSA continues to be aggressive in producing critical research, education and tools22 Active Work Groups and 10 in the pipeline
Copyright © 2012 Cloud Security Alliance
36
GRC Stack GRC Stack
Family of 4 research Family of 4 research projectsprojects
Cloud Controls Matrix (CCM)Cloud Controls Matrix (CCM)
Consensus Assessments Consensus Assessments Initiative (CAI)Initiative (CAI)
Cloud Audit Cloud Audit
Cloud Trust Protocol (CTP)Cloud Trust Protocol (CTP)
Control Requirements
Provider Assertions
Private, Community
& Public Clouds
37
• Controls derived from guidance
• Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, etc.
• Rated as applicable to S-P-I• Customer vs. Provider role• Help bridge the “cloud gap”
for IT & IT auditors
38
• Research tools and processes to perform shared assessments of cloud providers
• Integrated with Controls Matrix• Version 1 CAI Questionnaire
released Oct 2010, approximately 140 provider questions to identify presence of security controls or practices
• Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs
39
• CSA STAR (Security, Trust and Assurance Registry)
– Public Registry of Cloud Provider self assessments– Based on Consensus Assessments Initiative
Questionnaire• Provider may substitute documented Cloud Controls Matrix
compliance– Voluntary industry action promoting transparency– Free market competition to provide quality
assessments• Provider may elect to provide assessments from third
parties
40
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.
The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives.
The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.
~Jim Reavis & Daniele Catteddu; CSA~
Security Assurance - A Better WayCSA Open Certification Framework (OCF)
41
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
CSA STAR (Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative Questionnaire (CAIQ)Provider may substitute documented Cloud Controls Matrix compliance
Voluntary industry action promoting transparency
Free market competition to provide quality assessmentsProvider may elect to provide assessments from third parties
Available since October 2011
Security Assurance - A Better WayCSA Open Certification Framework (OCF)OCF Level 1: CSA STAR Registry
42
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
The open certification framework is structured on 3 LEVELs of TRUST, each one of them providing an incremental level of visibility and transparency into the operations of the Cloud Service Provider and a higher level of assurance to the Cloud consumer.
OCF: The structure
43
Service Organization Control Reports (SOC)
44AICPA SAS No. 70, Service Organizations
•A standard for reporting on a service organization’s controls affecting user entities' financial statements.
•Only for use by service organization management, existing user entities, and their auditors.
•Replaced by SSAE 16 SOC 1 in 2011
45SAS No. 70, Service Organizations
Misuse:•“SAS 70 Certified” or “SAS 70 Compliant”
•Controls related to subject matter other than internal control over financial reporting
•Made report public
46Other Service Organization Control Reports (SOC)
Marketplace demand for detailed report on controls on subject matter other than internal control over financial reporting include:
Security Availability Processing integrity Confidentiality Privacy
47How the AICPA Addressed Issues
48Service Organization Control (SOC) Reports
49SOC Report Logos
For CPAs who provide the services that result in a SOC 1, SOC 2 or SOC 3 report
For service organizations that had a SOC 1, SOC 2 or SOC 3 engagement within the past year
50New Standards and Names
Trust Services Principles and Criteria
51SOC 1 Report (restricted use)
• Report on controls at a service organization relevant to a user entity’s internal control over financial reporting
52SOC 2 Report (use determined by auditor)
• Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy
53SOC 2 Reports – Type 1 and Type 2
• Both report on management’s description of a service organization’s system, and… Type 1 also reports on suitability of design of
controls Type 2 also reports on suitability of design
and operating effectiveness of controls
54
Security Assurance - A Better WayAICPA SOC 2 Type 2 with the CSA CCM
•The SOC 2 Type 2 Attestation Standard (AT-101) allows for inclusion of other standards
•Use SOC 2 Report as the Assurance wrapper for any or all of the following:–Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)–ISO27001–PCI-DSS–HITECH–NIST/FedRamp
•One core set of audit work serves as the basis for multiple reports
Recommendation:The Cloud Security Alliance has determined that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services.
*This conclusion is supported by the AICPA Technical Practice Aid titled “TIS Section 9530: Service Organization Controls Reports” published in November 2011.
55
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
Global, not-for-profit organisationOver 40,000 individual members, more than 160 corporate members, over 60 chaptersBuilding best practices and a trusted cloud ecosystemAgile philosophy, rapid development of applied research
GRC: Balance compliance with risk managementReference models: build using existing standardsIdentity: a key foundation of a functioning cloud economyChampion interoperabilityEnable innovationAdvocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
About the Cloud Security Alliance
56Questions & Answers
Thank you. Phil [email protected] @hacksec
www.cloudsecurityalliance.org
http://www.aicpa.org
Promoting Privacy