Presentation to the CSA Norway Members on February 9th, 2011.
Governing in the Cloud
Rolf Frydenberg
Joymount AS, Senior Advisor
February 9, 2011
Cloud Security Alliance, Norway Chapter
Agenda
• Cloud Security Alliance – general and Norway
• CSA Cloud Security Guidance
• NIST Cloud Definition Framework
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Other CSA Domains – Operations
• Cloud Controls Matrix
• CSA GRC Stack
About the Cloud Security Alliance
• Global, not-for-profit organization
• Over 16,000 individual members, 80 corporate members
• Building best practices and a trusted cloud ecosystem
• Agile philosophy, rapid development of applied research
• GRC: Balance compliance with risk management
• Reference models: build using existing standards
• Identity: a key foundation of a functioning cloud economy
• Champion interoperability
• Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
What We Did in 2010
• Threat Research: Top Threats to Cloud Computing; announced at RSA 2010, shared technology vulnerabilities, data loss/leakage, malicious insiders, insecure APIs, etc.
• Certificate of Cloud Security Knowledge; released Sep 1 2010, web-based test for competency in CSA Guidance
• Trusted Cloud Initiative; Cloud security reference architecture, secure and interoperable identity in the cloud, responsibilities for identity providers
• Cloud Controls Matrix Tool; 98 controls derived from guidance, mapped to ISO 27001, COBIT, PCI DSS, HIPAA
• Consensus Assessment Initiative; research tool and processes to assess cloud providers, V 1 released Oct 2010 with 140 provider questions
• Cloud Audit; Open standard and API to automate provider audit assertions, uses CCM, www.cloudaudit.org
• CSA GRC Stack; suite of tools, best practices, enabling technology, simplify GRC in the cloud
Plans for 2011
• CSA Guidance Research; V3 target for Q3 2011; best practices
• CSA GRC Stack; Expand, pilot projects, embed in providers and products
• Trusted Cloud Initiative; Release reference architecture and certifications
• CloudCERT; Consensus research, best practices
• CCSK; Role-specific training, hands-on lab
• CCM; V 2 target 1H 2011; increase mappings, fine tune controls, ISO engagement
• Cloud Metrics Research; Metrics for each of the 98 controls in CCM; create baseline capability
• Security as a Service; Define it, solution categories, guidance, align with other CSA research
CSA Norway Chapter
• Established in October 2010
• 80 individual members (Feb 2011)
• Board of six directors elected Oct 2011:
  • Rolf Frydenberg, Joymount (president)
  • Geir-Arild Engh Hellesvik, KPMG (secretary)
  • Lars Egil Sætrang, Promon (treasurer)
  • Helge Skrivervik, Team Mellvik
  • Tor Andre Breivikås, Teleplan
  • Chunming Rong, University of Stavanger
• First Members’ Meeting in December 2010 (Private vs Public Cloud)
• Second Members’ Meeting in February 2011 (Compliance in the Cloud)
• Co-op seminar planned with Dataforeningen (Norwegian Computing Society)
CSA Guidance Research
CSA Guidance 2.1 > 100k downloads:
cloudsecurityalliance.org/guidance
Governing in the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
Operating in the Cloud:
• Security, Business Continuity, and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
• Cloud Architecture
Cloud Reference Architecture (According to NIST)
Governance and Enterprise Risk Management
• Develop robust information security guidance regardless of the service or delivery model
• Review information security governance structures and processes, as well as security controls; include the vendor’s complete supply chain!
• Collaborative governance and risk management as part of development, deployment and operation of services
• Methods and metrics for measuring performance and effectiveness of security management
• Determine risk exposure before detailed requirements
• Risk Management through valuation of assets, identification of threats and vulnerabilities; management acceptance of risk levels and options (control, avoid, transfer, accept)
• Cloud vendors should include measures and controls to assist customers in their Risk Management
Legal and Electronic Discovery
• Mutual understanding of each other’s roles and responsibilities related to e-discovery, litigation, searches, etc.
• Plan for both expected and unexpected termination of agreement
• Agreement must allow customer and/or third party to monitor service provider’s performance and test for vulnerabilities
• In many cases there is a requirement to know – down to physical disk – where data is stored
• Customer must ensure it retains ownership of all data it stores on behalf of its customers and employees
Compliance and Audit
• The provider’s standard terms and conditions may not address your compliance needs
• Make sure you have the right and access capabilities to perform audits
• Determine whether you are subject to compliance regulations with specific Cloud Computing requirements
• Analyze the impact of regulations regarding data security on use of Cloud Computing
• Require that the cloud provider has at least a roadmap for ISO/IEC 27001 compliance
• CSA has called for the whole industry to be ISO/IEC 27002 compliant
• When selecting an external auditor, ensure the auditor has Cloud Computing knowledge and experience
Information Lifecycle Management
• Understand how data integrity is maintained and how compromise of integrity is detected and communicated
• Ensure specific identification of all controls used during the lifecycle of the data
• Understand circumstances under which storage can be seized by a third party or government entity, and require advance notification of any such action
• Use a “Default Deny All” policy for all data, applied to all cloud provider personnel and subcontractors, as well as third parties; often preferable to use for your own employees as well
• Identify trust boundaries throughout the IT architecture and abstraction layers
• Understand how encryption and key management are handled on multi-tenant storage and other multi-tenant components of the service
Portability and Interoperability
• Substituting cloud providers is in virtually all cases a negative transaction for at least one party; plan for this from the outset
• Document the security architecture, configuration and controls
• IaaS: Understand how virtual machine images can be captured and ported; identify and eliminate provider-specific extensions to VM environment
• PaaS: Use platform components with standard syntax, open APIs and open standards; understand how tools and services like backup/restore, monitoring, logging and audit would transfer to a new vendor
• SaaS: Perform regular data extractions to a format that is usable without the current SaaS provider; understand any custom tools that are developed and configured specially
Other CSA Domains: Operations
• Security, Business Continuity, Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
Cloud Controls Matrix Tool
• Controls derived from guidance
• Rated as applicable to S-P-I
• Customer vs Provider role
• Mapped to ISO 27001, COBIT, PCI, HIPAA
• Help bridge the gap for IT & IT auditors
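To make the structure of the matrix concrete, here is an added example (not the CSA's own tool or data) of a small CCM-style control set: each control carries its S-P-I applicability, a customer/provider/shared role, and mappings to other standards, and two functions answer the audit questions the matrix is meant to support: which controls a given party must address for a given service model, and which of those lack a mapping to the standard the auditor is working against. All control IDs and mapping references are constructed placeholders.

```python
"""Constructed CCM-style control matrix; IDs and references are placeholders."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    control_id: str        # placeholder ID, not a real CCM control number
    title: str
    applies_to: frozenset  # subset of {"SaaS", "PaaS", "IaaS"} (the S-P-I rating)
    role: str              # "customer", "provider" or "shared"
    mappings: dict = field(default_factory=dict)  # standard -> placeholder reference


ALL = frozenset({"SaaS", "PaaS", "IaaS"})

# Constructed sample matrix: four controls with placeholder mappings.
MATRIX = [
    Control("CTRL-01", "Encryption of stored customer data", ALL, "provider",
            {"ISO27001": "ref-a", "PCI": "ref-b", "HIPAA": "ref-c"}),
    Control("CTRL-02", "Classification of data before upload", ALL, "customer",
            {"ISO27001": "ref-d", "COBIT": "ref-e"}),
    Control("CTRL-03", "Hardened virtual machine images", frozenset({"IaaS"}), "shared",
            {"ISO27001": "ref-f", "PCI": "ref-g"}),
    Control("CTRL-04", "Application vulnerability testing", frozenset({"SaaS", "PaaS"}),
            "shared", {"PCI": "ref-h"}),  # no ISO 27001 mapping: an audit gap
]


def applicable(matrix, service_model, role):
    """Controls the given party (customer or provider) owns for a service model.
    Shared controls apply to both parties."""
    return [c for c in matrix
            if service_model in c.applies_to and c.role in (role, "shared")]


def mapping_gaps(controls, standard):
    """IDs of controls that have no mapping to the standard being audited against."""
    return [c.control_id for c in controls if standard not in c.mappings]


def coverage_by_standard(controls):
    """How many of the selected controls map to each standard."""
    return Counter(std for c in controls for std in c.mappings)


if __name__ == "__main__":
    mine = applicable(MATRIX, "SaaS", "customer")
    print([c.control_id for c in mine])              # ['CTRL-02', 'CTRL-04']
    print(mapping_gaps(mine, "ISO27001"))             # ['CTRL-04']
    print(dict(coverage_by_standard(mine)))
```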
CSA GRC Stack
• Recent News: CSA GRC Stack – on your USB drive
• Suite of tools, best practices and enabling technology
• Consolidate industry research & simplify GRC in the cloud
• For cloud providers, enterprises, solution providers and audit/compliance
www.cloudsecurityalliance.org/grcstack
(Diagram: GRC Stack layers – Control Requirements, Provider Assertions, Private & Public Clouds)
Thanks for listening!
Rolf Frydenberg, rolff@joymount.no
CSA Norway & Joymount AS