
Cloud Security Framework (CSF)

Please send comments & suggestions to Suren Karavettil ([email protected])

December 09th, 2010

Contributors: Suren Karavettil, Bhumip KhasnabishNing So, Gene Golovinsky, and Meng Yu



IETF IPR and Copyright Statements

• This document (future Internet-Draft) is being prepared for IETF in full conformance with the provisions of BCP 78 and BCP 79

• Copyright Notice – Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

• This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info)


Outline

• Definition

• Security Components Relationships

• Few purposes of CSF

• Cloud Resources & their Usage

• Expected Coverage Areas by CSF

• Security Layers

• Security Layers & Security Control Requirement Areas (multiple slides on this topic)

• Represent Security requirements based on OSI layers

• Information Management requirements


A Definition

• Cloud Security Framework (CSF) establishes security standards, policies, procedures and guidelines for Cloud Service Providers (CSPs). The standards enable CSP organizations, and the development organizations using their services, to practice sound security techniques for their applications and for intra- and inter-CSP information exchange. The policies provide overarching guidance for CSPs on matters affecting the security of their customers' information. The procedures and guidelines document the best practices, methods and compliance requirements needed to ensure that the objectives of the standards and policies are met.



Security Components Relationships

Fundamental Security Principle, CIA triad – Confidentiality, Integrity, Availability

Asset x Agent Matrix = Access Control

Threat x Vulnerability Matrix = Risk


Few Purposes for Cloud Security Framework

• Multi-tenant isolation.

• Multi-Cloud Services integrated application at different CSPs.

• Backup & Recovery of information (import/export across CSPs).

• Business Continuity & Disaster Recovery.

• Inter-Cloud Information Exchange between CSPs.

• Load balancing multi-tenant users in cloud.

• Reduce human intervention in provisioning & management.


Cloud Resources & their Usage



Expected Coverage Areas by CSF

• CSF shall be applicable to both Cloud Applications (CloudApps) and Cloud Operations (CloudOps). Some of the intended areas of requirements that may be expected to be covered by CSF are:
– Guidelines
– Procedures
– Best Practices
– Policies
– Standards
– Governance & Audit
– Regulations & Compliance
– Configuration Management
– Incident Management & Information Reporting
– Risk Management


Security Layers

• Application & Services Security

• Data Security

• Systems Security

• Network Security

• Physical Security

• Operational & Environmental Security

• Information Management



Security Layers & Security Controls Requirements – Apps & Services

• Application & Services Security Requirements Areas
– User & Resource Identification
– Authentication
– Authorization (Privileges & Roles)
– Accountability
– Multi-tenant isolation

• Few Threats
– Session Hijacking
– Input Data Validation
– Cross-Site Scripting
– Access Control Hijacking
– Cross-Site Request Forgery
– Client-Side override hijacking
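The requirement areas on this slide (identification, authorization by privileges and roles, accountability, multi-tenant isolation) are easier to reason about when written down as a single authorization decision. The following is an added illustration, not code from the CSF deck or its authors: the principals, roles, resources and policy table are constructed for the example. It shows the order of checks a practitioner would want: tenant isolation is enforced first and independently of role, so that a privileged role in one tenant can never reach another tenant's resource, and every decision, allowed or denied, is written to an audit record for accountability.

```python
"""Tenant-scoped, role-based authorization with an audit trail.

Added example for the Application & Services requirement areas.
All identities, roles, resources and the permission table are
constructed for illustration; nothing here is from the CSF deck.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Role -> permitted actions (constructed policy table).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
    "admin": frozenset({"read", "write", "delete"}),
}


@dataclass(frozen=True)
class Principal:
    """An already-authenticated identity: who, which tenant, which role."""
    user_id: str
    tenant_id: str
    role: str


@dataclass(frozen=True)
class Resource:
    """A cloud resource owned by exactly one tenant."""
    resource_id: str
    tenant_id: str


@dataclass
class AuditLog:
    """Accountability: every decision is recorded, including denials."""
    entries: List[Tuple[str, str, str, str, str]] = field(default_factory=list)

    def record(self, principal: Principal, resource: Resource,
               action: str, decision: str, reason: str) -> None:
        self.entries.append(
            (principal.user_id, resource.resource_id, action, decision, reason))


def authorize(principal: Principal, resource: Resource,
              action: str, audit: AuditLog) -> bool:
    """Allow only if the tenant matches AND the role permits the action.

    The tenant check comes first and does not depend on the role, so an
    admin of tenant A is still denied on tenant B's resources.
    """
    if principal.tenant_id != resource.tenant_id:
        audit.record(principal, resource, action, "DENY", "cross-tenant access")
        return False
    allowed = ROLE_PERMISSIONS.get(principal.role, frozenset())
    if action not in allowed:
        audit.record(principal, resource, action, "DENY",
                     f"role {principal.role} lacks {action}")
        return False
    audit.record(principal, resource, action, "ALLOW",
                 "tenant and role checks passed")
    return True


def demo() -> dict:
    """Run a few decisions on constructed data and return them for checking."""
    audit = AuditLog()
    alice = Principal("alice", "tenant-a", "admin")   # constructed
    bob = Principal("bob", "tenant-b", "viewer")      # constructed
    doc_a = Resource("doc-1", "tenant-a")             # constructed
    doc_b = Resource("doc-2", "tenant-b")             # constructed
    return {
        "alice_delete_own": authorize(alice, doc_a, "delete", audit),
        "alice_read_other_tenant": authorize(alice, doc_b, "read", audit),
        "bob_read_own": authorize(bob, doc_b, "read", audit),
        "bob_write_own": authorize(bob, doc_b, "write", audit),
        "audit_entries": len(audit.entries),
        "denied_cross_tenant": sum(
            1 for e in audit.entries if e[4] == "cross-tenant access"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keeping the tenant comparison outside the role lookup is that a misconfigured or over-broad role can never widen access across tenants; the audit entries are what an incident responder would later use to reconstruct who attempted what, whether or not it succeeded.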


Security Layers & Security Controls Requirements - Data

• Data Security Requirements Areas
– Data Integrity
– Privacy
– Multi-tenant isolation
– Cryptography
– Data Transformation (OR Mapping)

• Few Threats
– Input Data Validation
– SQL & XML Injection
– Buffer Overflow


Security Layers & Security Controls Requirements – Systems

• Systems Security Requirements Areas
– Host Intrusion (Detection)
– Servers (Web Servers, Application Servers, Database Servers)
– Directory Services
– Domain Services
– PKI
– Role Based Access
– Multi-tenant isolation
– Load balancing (Sticky)
– Cryptography
– Transport Level Security (e.g. HTTPS)

• Few Threats
– Denial of Service
– LDAP injection
– Lack of sufficient Auditing
– Parameter Tampering


Security Layers & Security Controls Requirements – Network

• Network Security Requirements Areas
– VPN
– Virus Scanning
– Load balancing (Sticky)
– DMZ
– VLAN
– Bandwidth Management
– Firewalls
– System Access logs (syslog)
– Network Intrusion (Detection & Prevention)
– Multi-tenant isolation

• Few Threats
– Man-in-the-middle attack (Lack of Transport Level Security)
– Spoofing attack
– Risk due to lack of Separation of data (logs, load, configuration, etc.)
– Risk due to lack of Separation of duties
– VLAN configuration & bandwidth management across orgs and media data (video, voice, data).


Security Layers & Security Controls Requirements – Physical

• Physical Security Requirements Areas
– Access Control Card Readers
– Wired Cables
– Communication Rooms
– Wireless Networks
– Network Elements
– Power Supply
– HVAC, Fire & Cameras, Sensors

• Few Threats
– Access Control
– Risk due to lack of Separation of duties
– Risk to Business Continuity


Security Layers & Security Controls Requirements – Ops & Environment

• Operational & Environmental Security Requirements Areas
– Asset Management
– Personnel Management
– Operational Procedures
– Business Hours & Resource Access Privileges

• Few Risks
– Asset tracking, isolation
– Personnel tracking, isolation and knowledge


Security Layers & Security Controls Requirements – Management

• Information Management Requirements Areas
– Alarms & Alerts based Incident Management
– Configuration Management
  • Change Management (Virus DAT or Windows updates, software releases), Testing & Assurance, COTS Product Evaluation, etc.
– Business Continuity & Disaster Recovery
  • Backup & Recovery
  • Service Level Agreements
– Governance, Audit & Risk Management
  • Policies
    – Password Management, etc.
  • Access Governance
  • Logging & Auditing data
– Legal, Investigation, Regulations & Compliance
  • PCI, HIPAA, SOX
  • Privacy
  • Forensics investigation

• Few Risks
– Time sensitive alerts to management and businesses on incidents
– Lack of controls
– Security breaches
– Lack of Certifications
– Compliance
– Forensics data availability
– Intellectual Property Rights


Represent Security Requirements based on OSI Layer Mapping

coming soon…



Q&A Discussion

• Framework

• Requirements

• Next Steps

--------------------------

• Thoughts

• Questions

• Suggestions



Client-Side Security Requirements

coming soon…



Server (CloudCenter/DataCenter)-Side Security Requirements

coming soon…



Cloud Service Session Bundling Security Requirements

coming soon…



Data Duplication API Authentication & Security Requirements

coming soon…



Data De-Duplication API Authentication & Security Requirements

coming soon…



Layer-2 Virtualization & Load Balancing Security Requirements

coming soon…



Layer-3 Virtualization & Load Balancing Security Requirements

coming soon…



Information Management Requirements

coming soon…
