© 2011 Cloud Security Alliance, Inc. All rights reserved.
THE GRC STACK (V2.0)
Understanding and applying the CSA GRC stack for payoffs and protection
A learning workshop from the CSA
CSA Organization & Operation
Where does the GRC Stack fit in?
• Board
• Steering Committee
• Executive Director
• Membership: Corporate, Individual, Affiliate, Chapters
• Education
• Research (Research Director)
• Working Groups (special competencies …):
– Security Guidance for Critical Areas of Cloud Computing
– Cloud Controls Matrix (CCM)
– Consensus Assessments Initiative Questionnaire (CAIQ)
– GRC Stack (CCM, CAIQ, CloudAudit, CTP)
– CSA Security, Trust, & Assurance Registry (STAR)
– Trusted Cloud Initiative
– CCSK
– PCI
We are here today … the GRC Stack
Course Syllabus
Session / Schedule / Speaker

AM Session
Welcome and session orientation – 15 minutes – Ron Knode
1. Introduction to the CSA GRC stack
• The need for a full cloud GRC capability
• The CSA GRC Value Equation
15 minutes – Ron Knode
2. CSA GRC Stack Overview (the “stack packs”)
• Combining the Cloud Controls Matrix (CCM), the Consensus Assessments Initiative Questionnaire (CAIQ), CloudAudit, and the CloudTrust Protocol (CTP)
• Service roles and boundaries
• Complements and supplements
30 minutes – Ron Knode
3. Component Descriptions
a) CCM
b) CAIQ
c) CloudAudit
d) CTP
30 minutes each (2 hours) – Becky Swain (a/b), Marlin Pohlman (c), Ron Knode (d)
4. Where (and How) to Begin
• Stack Pack combinations that make sense
• Deployment techniques and architectures …
• Connections to other CSA initiatives (explored more fully in afternoon session) … and some references
30 minutes – Ron Knode, Marlin Pohlman
5. GRC Stack evolution and administration (+ “open mic” time with Q&A) – 30 minutes – Ron Knode

PM Session
6. GRC stack connections and application in other initiatives – Becky Swain
SESSION 1 // Why a cloud GRC stack? The GRC stack value equation
The “big rocks” of cloud security, trust, and control
Take care of the big rocks first …
Key Cloud Security Problems
From CSA Top Threats Research:
– Trust: lack of provider transparency impacts governance, risk management, compliance, and the capture of real value
– Data: leakage, loss, or storage in unfriendly geography
– Insecure cloud software
– Malicious use of cloud services
– Account/service hijacking
– Malicious insiders
– Cloud-specific attacks
Cloud Adoption Obstacles
Planning often neglects Information Risk Management Transition & Transformation

Traditional
• Enterprise strategy
• Business function (workload) adaptation to cloud delivery
• Technical architecture
• Network connections
• Application standards
• Interoperability
• “Buying time” for current compliance programs
• …
• Concept of Operations

Neglected but Necessary
• IT and IT risk governance
– Traditional sourcing? Cloud?
– Private? Community? Public? Hybrid?
– Traditional + cloud? How measured?
• Security policy
– Uniform across all delivery methods? Cloud adjusted?
– Private? Community? Public? Hybrid?
• Risk/compliance management standards/benchmarks
– Cloud adjusted?
– Private? Community? Public? Hybrid?
The Value Equation in the Cloud
Security Service + Transparency Service = Compliance & Trust VALUE Captured
… delivering evidence-based confidence …
… with compliance-supporting data & artifacts …
… using the best virtualization and cloud technologies …
… within quality processes …
… operated by trained and certified staff and partners …
The Roots of the Value Equation in the Cloud
Standards, Portability, Transparency
Impact
• The “Rebound Effect” between security & interoperability
• Information risk management transition & transformation planning
• Policy
• Governance
• Compliance & Risk Management Thresholds
• Business model
• Downstream application of reclaimed transparency
The GRC Stack
Solving the Value Equation in the Cloud
Security Requirements and Capabilities + Security Transparency and Visibility = Compliance and Trust
GRC Stack Payoffs
VALUE Captured: delivering evidence-based confidence … with compliance-supporting data & artifacts.
SESSION 2 // GRC Stack Overview: “The Stack Packs”
The CSA GRC Stack
A suite of four integrated and reinforcing CSA initiatives (the “stack packages”) – The Stack Packs:
• Cloud Controls Matrix
• Consensus Assessments Initiative
• CloudAudit
• CloudTrust Protocol
Designed to support cloud consumers and cloud providers
Prepared to capture value from the cloud as well as support compliance and control within the cloud
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
Delivering / Stack Pack / Description
• Continuous monitoring … with a purpose / CloudTrust Protocol (CTP) / Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
• Claims, offers, and the basis for auditing service delivery / CloudAudit / Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
• Pre-audit checklists and questionnaires to inventory controls / Consensus Assessments Initiative Questionnaire (CAIQ) / Industry-accepted ways to document what security controls exist
• The recommended foundations for controls / Cloud Controls Matrix (CCM) / Fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider
CSA GRC Value Equation Contributions for Consumers and Providers
• What control requirements should I have as a cloud consumer or cloud provider? (CCM)
• How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)? (CAIQ)
• How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations? (CloudAudit)
• How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)? (CTP)
Individually useful; collectively powerful; a productive way to reclaim end-to-end information risk management capability
Static claims & assurances
Dynamic (continuous) monitoring and transparency
A Headstart for Control and Compliance
Forged by the Global Marketplace; Ready for All
Deliver “continuous monitoring” required by A&A methodologies
Stack Pack / Government / Commercial / Professional
• Continuous monitoring … with a purpose: common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers
• Claims, offers, and the basis for auditing service delivery: common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
• Pre-audit checklists and questionnaires to inventory controls: industry-accepted ways to document what security controls exist
• A recommended foundation for controls: fundamental security principles in assessing the overall security risk of a cloud provider
Government: FedRAMP, DIACAP, other C&A standards
Commercial: NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …
Professional: SSAE SOC2 control assessment criteria
Legend: In place / Offered
CSA Guidance Research
Popular best practices for securing cloud computing
13 Domains of concern – governing & operating groupings
Guidance > 100k downloads: cloudsecurityalliance.org/guidance
Cloud Architecture
Governing the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
Operating in the Cloud:
• Security, Bus. Cont., and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
CSA Guidance Research (cont.)
Popular best practices for securing cloud computing: 13 domains of concern (governing & operating groupings, as listed above)
14? Transparency
Accepting the GRC Value Solution … Reference Model Readiness??
Source: NIST SP500-291-v1.0, p. 42, Figure 12
Enough???
“Just not enough, baby …” (Barry White – “Can’t Get Enough of Your Love, Babe”)
Source: NIST SP500-291-v1.0, p. 42, Figure 12
+ Transparency
Now it’s enough!
SESSION 3 // Component Descriptions
THE CLOUD CONTROLS MATRIX
Cloud Controls Matrix (CCM)
Leadership Team: Becky Swain – EKKO Consulting; Philip Agcaoili – Cox Communications; Marlin Pohlman – EMC, RSA; Kip Boyle – CSA
V1.0 (Apr 2010), V1.1 (Dec 2010), V1.2 (Aug 2011), V2.0 (2012)
Controls baselined and mapped to: COBIT, BITS Shared Assessments, HIPAA/HITECH Act, Jericho Forum, ISO/IEC 27001-2005, NERC CIP, NIST SP800-53, FedRAMP, PCI DSS v2.0
What is the CCM?
First-ever baseline control framework specifically designed for managing risk in the cloud supply chain:
– Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
– Providing an anchor point and common language for balanced measurement of security and compliance postures.
– Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.
Serves as the basis for new industry standards and certifications.
Optimal & Holistic Compliance
CCM v1.1 Industry Participation
This grass-roots movement continues to grow, with over 100 volunteer industry experts in the recent release of v1.2!
CCM – 11 Domains
CCM – 98 Controls
CCM – 98 Controls (cont.)
CCM – 98 Controls (cont.)
CCM – 98 Controls (cont.)
Control Matrix >> Guidance >> ISO
Cloud Supply Chain – Information Security Risks
You can outsource business capability or function, but you cannot outsource accountability for information security; do your due diligence to identify and address …
– Control Gaps (Shared Control)
• Information Security (Access Controls, Vulnerability & Patch Management)
• Security Architecture
• Data Governance (Lifecycle Management)
• Release Management (Change Control)
• Facility Security
– Control Dependencies
• Corporate Governance
• Incident Response
• Resiliency (BCM & DR)
• Risk & Compliance Management
THE CONSENSUS ASSESSMENT INITIATIVE
Consensus Assessments Initiative Questionnaire (CAIQ)
Consensus Assessment Initiative
A cloud supply chain risk management and due diligence questionnaire
• ~200 yes/no questions that map directly to the CCM and thus, in turn, to many industry standards
• Can be used by CSPs for self-assessment or by potential customers for the following purposes:
– to identify the presence of security controls and practices for cloud offerings
– procurement negotiation
– contract inclusion
– to quantify SLAs
• For potential customers, the CAIQ is intended to be part of an initial assessment, followed by further clarifying questions of the provider as applicable to their particular needs
• v1.1 available as of Sept 2011; v1.2 underway to map to CCM v1.2
CAIQ Guiding Principles
The following are the principles that the working group used as guidance when developing the CAIQ:
• The questionnaire is organized using the CSA 13 governing & operating domains, divided into “control areas” within CSA’s Control Matrix structure
• Questions are to assist both cloud providers in general principles of cloud security and clients in vetting cloud providers on the security of their offering and company security profile
• The CAIQ is not intended to duplicate or replace existing industry security assessments but to contain questions unique or critical to the cloud computing model in each control area
• Each question should be able to be answered yes or no
• If a question could not be answered yes or no, it was separated into two or more questions to allow yes or no answers
• Questions are intended to foster further detailed questions to the provider by the client, specific to the client’s cloud security needs. This was done to limit the number of questions to make the assessment feasible, and because each client may have unique follow-on questions or may not be concerned with all “follow-on questions”
The CAIQ Questionnaire
CAIQ Questionnaire
• Control Group, Control Group ID (CGID) and Control Identifier (CID) all map the CAIQ question being asked directly to the CCM control that is being addressed.
• Relevant compliance and standards are mapped line by line to the CAIQ, which, in turn, also maps to the CCM. The CAIQ v1.1 maps to the following compliance areas: HIPAA, ISO 27001, COBIT, SP800_53, FedRAMP, PCI_DSS, BITS and GAPP. V1.2 will additionally include mappings to Jericho Forum and NERC CIP.
• Each question can be answered by a provider with a yes or no answer.
Sample Questions to Vendors

Compliance - Independent Audits (CO-02)
• CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
• CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
• CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
• CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
• CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
• CO-02f - Are the results of the network penetration tests available to tenants at their request?
• CO-02g - Are the results of internal and external audits available to tenants at their request?

Data Governance - Classification (DG-02)
• DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
• DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?
• DG-02c - Do you have a capability to use system geographic location as an authentication factor?
• DG-02d - Can you provide the physical location/geography of storage of a tenant’s data upon request?
• DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
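As an added example (not part of the CSA deck or the CAIQ itself), the script below parses question lines in the CAIQ layout shown above (control group heading, bare CGID, then "CID - question") and scores a provider's answers per CCM control group, treating anything other than a plain yes/no as unanswered, which is the questionnaire's stated design rule. The question text is copied from the deck; the provider answers are constructed.

```python
"""Added example, not from the CSA deck: parse CAIQ-style question lines
(CGID + letter suffix = CID, then the yes/no question) and score a
provider's answers per CCM control group.  The question text below is
copied from the deck's two sample blocks; the provider answers are
constructed for the demo."""
import re
from collections import defaultdict

# Constructed CAIQ fragment in the deck's layout: a "Control Group - Area"
# heading, a bare CGID line, then one question per line.
SAMPLE_CAIQ = """\
Compliance - Independent Audits
CO-02
CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
CO-02f - Are the results of the network penetration tests available to tenants at their request?
Data Governance - Classification
DG-02
DG-02d - Can you provide the physical location/geography of storage of a tenant's data upon request?
DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
"""

CID_RE = re.compile(r"^([A-Z]{2}-\d{2})([a-z]) - (.+)$")   # e.g. "CO-02a - Do you ..."
CGID_RE = re.compile(r"^[A-Z]{2}-\d{2}$")                   # bare "CO-02" line


def parse_caiq(text):
    """Return one dict per question: control_group, cgid, cid, question."""
    records, group = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or CGID_RE.match(line):
            continue                      # blank line or bare CGID header
        m = CID_RE.match(line)
        if m:
            records.append({"control_group": group, "cgid": m.group(1),
                            "cid": m.group(1) + m.group(2), "question": m.group(3)})
        else:
            group = line                  # e.g. "Compliance - Independent Audits"
    return records


def assess(records, answers):
    """answers maps CID -> provider text.  Per the CAIQ principle that every
    question is answerable yes/no, anything else is treated as unanswered."""
    summary = defaultdict(lambda: {"yes": 0, "no": [], "unanswered": []})
    for r in records:
        a = answers.get(r["cid"], "").strip().lower()
        if a == "yes":
            summary[r["cgid"]]["yes"] += 1
        elif a == "no":
            summary[r["cgid"]]["no"].append(r["cid"])
        else:
            summary[r["cgid"]]["unanswered"].append(r["cid"])
    return dict(summary)


def follow_ups(records, answers):
    """CIDs the reviewer should take back to the provider: every 'no' and
    every question not answered with a plain yes/no."""
    s = assess(records, answers)
    flagged = {cid for v in s.values() for cid in v["no"] + v["unanswered"]}
    return [(r["cid"], r["question"]) for r in records if r["cid"] in flagged]


# Constructed provider answers: one 'no' and one answer that is not yes/no.
SAMPLE_ANSWERS = {"CO-02a": "Yes", "CO-02b": "yes", "CO-02f": "no",
                  "DG-02d": "yes", "DG-02e": "partially"}

if __name__ == "__main__":
    recs = parse_caiq(SAMPLE_CAIQ)
    for cgid, v in assess(recs, SAMPLE_ANSWERS).items():
        print(cgid, v)
    for cid, q in follow_ups(recs, SAMPLE_ANSWERS):
        print("follow up:", cid, q)
```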
CLOUDAUDIT
CloudAudit Objectives
• Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
• Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology
What CloudAudit Does
Provide a structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
– Define a namespace that can support diverse frameworks
– Express compliance frameworks in that namespace
– Define the mechanisms for requesting and responding to queries relating to specific controls
– Integrate with portals and AAA systems
How CloudAudit Works
• Utilize security automation capabilities with existing tools/protocols/frameworks via a standard, open and extensible set of interfaces
• Keep it simple, lightweight and easy to implement; offer primitive definitions & language structure using HTTP(S) first at a very basic level
• Allow for extension and elaboration by providers and choice of trusted assertion validation sources, checklist definitions, etc.
Context for CloudAudit
• CloudAudit is not designed to validate or attest “compliance”
• It automates collection and presentation of data supporting queries, using a common set of namespaces aligned to the CSA Cloud Controls Matrix
• Artifacts are accessible by a human operating a web browser or a tool capable of utilizing CloudAudit over HTTP(S)
• The consumers of this information are internal & external auditors, compliance teams, risk managers, security teams, etc. and, in the longer term, brokers
Aligned to CSA Control Matrix
• Officially folded CloudAudit under the Cloud Security Alliance in October 2010
• First efforts aligned to compliance frameworks as established by the CSA Control Matrix:
– PCI DSS
– NIST 800-53
– HIPAA
– COBIT
– ISO 27002
• Incorporate CSA’s CAI and additional CompliancePacks
• Expand alignment to “infrastructure”- and “operations”-centric views also
What Was Delivered in v1.0
• The first release of CloudAudit provides the scoped capability for providers to store evidentiary data in well-defined namespaces aligned to the 5 CSA Control Matrix mappings (PCI, HIPAA, NIST 800-53, ISO 27002, COBIT)*
• The data in these namespaces is arbitrary and can be named and file-typed as such, so we need a way of dealing with what can be one to hundreds of supporting files, the contents of some of which are actually URIs to other locations
* Update v1.1 packaging available to include CSA CCM updates
Current Discussions*
• Stack providers with whom we have discussed CloudAudit: VMware, Citrix, Microsoft, OpenStack
• Cloud service providers with whom we have discussed CloudAudit: AWS, Google, Microsoft, Terremark, Savvis, Rackspace
• Tool (GRC) solution providers with whom we are discussing CloudAudit implementation: Agiliance, RSA
• Audit/standards associations with whom we are discussing CloudAudit: ISACA, ODCA, BITS, ISO, Open Group, DMTF, IETF
* NOTE: Discussions do not imply commitment to proceed or intent to support
What’s On The 6 Month Roadmap
• Extend ATOM in manifest.xml to provide for timestamps, signatures and version control [need XML/ATOM expertise]
• Version control and change notification in conjunction with ……
• Architecture for registry services [cloudaudit.net] and extensions of such (public and/or private)
• Implementation architecture for “atomic queries” (e.g. “PCI Compliant” or “SAS-70 Certified”)
• Expand on specific CloudAudit use cases:
– CloudAudit for Federal Government
– CloudAudit for Cloud Providers
– CloudAudit for Auditors/Assessors
• Intensify and clarify connection between CloudAudit and the CTP
CloudAudit – How it Works
Manifest.xml
• Structured listing of control contents
• Can be extended to provide contextual information
• Primarily aimed at tool consumption
• In Atom format
CloudAudit – Manifest.xml Example
index.html/default.jsp/etc.
• index.html is for dumb browser consumption – typically, the direct human user use case
• It can be omitted if directory browsing is enabled (not recommended)
• It contains JavaScript to look for the manifest.xml file, parse it, and render it as HTML
• If no manifest.xml exists, it should list the directory contents relevant to the control in question
Atom Specification (RFC 4287)
http://www.ietf.org/rfc/rfc4287.txt
Atom is an XML-based document format that describes lists of related information known as "feeds". Feeds are composed of a number of items, known as "entries", each with an extensible set of attached metadata. For example, each entry has a title. The primary use case that Atom addresses is the syndication of Web content such as weblogs and news headlines to Web sites as well as directly to user agents.
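The following is an added example (not CloudAudit project code) of what the manifest.xml and index.html slides describe: a CloudAudit-style control manifest written as an Atom feed, parsed with the Python standard library, with the documented fallback to a plain directory listing when no manifest.xml exists, and a flag for entries whose href is a URI to another location. The namespace id, artifact names and the link to a remote location are constructed for the demo.

```python
"""Added example, not from the CloudAudit project: a control-directory
manifest.xml expressed as an Atom feed (RFC 4287), parsed with the
standard library, plus the index.html fallback the deck describes
(no manifest.xml -> list the directory).  Ids, file names and the
remote URL below are constructed for the demo."""
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed manifest for one control directory.  A real CloudAudit
# namespace follows the CSA CCM mapping; this id is illustrative only.
MANIFEST_XML = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Evidence for control CO-02 (Independent Audits)</title>
  <id>urn:example:cloudaudit:ccm:co-02</id>
  <updated>2011-09-01T00:00:00Z</updated>
  <entry>
    <title>Third-party audit report summary</title>
    <id>urn:example:cloudaudit:ccm:co-02:audit-summary</id>
    <updated>2011-08-15T00:00:00Z</updated>
    <link rel="alternate" type="application/pdf" href="audit-summary.pdf"/>
    <summary>Summary of the most recent external audit.</summary>
  </entry>
  <entry>
    <title>Penetration test attestation letter</title>
    <id>urn:example:cloudaudit:ccm:co-02:pentest-letter</id>
    <updated>2011-08-20T00:00:00Z</updated>
    <link rel="alternate" type="text/html" href="https://example.invalid/attest/co-02"/>
    <summary>Attestation that network penetration tests are conducted regularly.</summary>
  </entry>
</feed>
"""


def parse_manifest(xml_text):
    """Return (feed_title, entries).  Each entry keeps what a tool needs to
    fetch the artifact and flags hrefs that point outside the directory,
    since the deck notes some manifest contents are URIs to other locations."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}feed" % ATOM_NS:
        raise ValueError("manifest.xml is not an Atom feed")
    ns = {"a": ATOM_NS}
    entries = []
    for e in root.findall("a:entry", ns):
        link = e.find("a:link", ns)
        href = link.get("href", "") if link is not None else ""
        entries.append({
            "title": e.findtext("a:title", default="", namespaces=ns),
            "id": e.findtext("a:id", default="", namespaces=ns),
            "updated": e.findtext("a:updated", default="", namespaces=ns),
            "href": href,
            "type": link.get("type", "") if link is not None else "",
            "remote": href.startswith(("http://", "https://")),
        })
    return root.findtext("a:title", default="", namespaces=ns), entries


def list_control_artifacts(directory):
    """Mirror the index.html behaviour: prefer manifest.xml, otherwise fall
    back to listing the directory.  `directory` is {filename: content}."""
    if "manifest.xml" in directory:
        title, entries = parse_manifest(directory["manifest.xml"])
        return {"source": "manifest", "title": title,
                "artifacts": [e["href"] for e in entries]}
    return {"source": "listing", "title": None,
            "artifacts": sorted(directory)}


if __name__ == "__main__":
    title, entries = parse_manifest(MANIFEST_XML)
    print(title)
    for e in entries:
        print(" ", e["updated"], e["href"], "(remote)" if e["remote"] else "")
    print(list_control_artifacts({"audit-summary.pdf": b"", "notes.txt": b""}))
```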
Sample Implementation – CSA Compliance Pack
CLOUD TRUST PROTOCOL
Why a CloudTrust Protocol?
Information Assurance is Cloud-Complicated … “Clouds are cloudy”
(Diagram: Requirements, Services, Amazon, Microsoft)
As visibility is lost …
• Where is the data?
• Who can see the data?
• Who has seen the data?
• Is data untampered?
• Where is processing performed?
• How is processing configured?
• Does backup happen? How? Where?
… Security, compliance, and value are lost as well
Cloud Processing
Three Big Obstacles to Value Capture
• Lack of standards
• Lack of portability
• Lack of transparency
… controls …, compliance …, sustained payoff …, reliability …, liability …, confidentiality …, privacy …
Compliance issues
• PCI DSS
• HIPAA
• ITAR
• ISO27001
• HITECH in ARRA 2009
• DIACAP
• HMG Infosec Standard 2
• GLBA
• NIST 800-53 and FISMA and FedRAMP
• U.K. Manual of Protective Security
• FRCP
• SAS70
• SSAE16
Absent Transparency … Some Big Problems
For example, … without transparency …
• No confirmed chain of custody for information
• No way to conduct investigative forensics
• Little confidence in the ability to detect attempts or occurrences of illegal disclosure
• Little capability to discover or enforce configurations
• No ability to monitor operational access or service management actions (e.g., change management, patch management, vulnerability management, …)
Relationship between Transparency and Elastic Payoff Potential based on Deployment Model
(Figure: x-axis Cloud Deployment Model – Private, Community, Hybrid, Public; y-axes Potential Elastic Benefit and Transparency in Deployment)
Seeking the best (realistic) enterprise cloud strategy on this risk/reward axis
Transparency Restores Information Assurance
Working with a “glass cloud” delivers the elastic benefits of the cloud
(Diagram: Requirements, Services, Amazon, Microsoft)
As visibility is gained …
• Configurations are known and verified
• Data exposure and use is collected and reported
• Access permissions are discovered and validated
• Processing and data locations are exposed
• Compliance evidence can be gathered and analyzed
• Processing risks and readiness become known
… Security, compliance, and value are captured as well
Thoughtful progression … inevitable conclusion
Reclaim transparency → Continuous monitoring (with a purpose) → Simple, dynamic information request and response → CloudTrust Protocol
CloudTrust Protocol (CTP) to deliver Transparency-as-a-Service (TaaS)
The CTP Today (V2.0)
Elements of Transparency in the CTP v2.0
Only 23 in total in the entire protocol!
• 6 Types
– Initiation
– Policy Introduction
– Provider assertions
– Provider notifications
– Evidence requests
– Client extensions
• Families
– Configuration
– Vulnerabilities
– Anchoring
– Audit log
– Service Management
– Service Statistics
• Elements
– Geographic
– Platform
– Process
CloudTrust Protocol Pathways
Mapping the Elements of Transparency in Deployment
(Diagram columns: Admin and Ops Specs; Transparency Requests; Extensions; Assertions; Evidence; Affirmations)
• Configuration definition: 20
• Security capabilities and operations: 17
• Configuration and vulnerabilities: 3, 4, 5, 6, 7
• Anchoring: 8, 9, 10 (geographic, platform, process)
• Session start: 1; Session end: 2; Alerts: 18
• Users: 19; Anchors: 21; Quotas: 22; Alert conditions: 23
• Violation: 11; Audit: 12; Access: 13; Incident log: 14; Config./control: 15; Stats: 16
• Consumer/provider negotiated: 24
(Related: CloudAudit.org, SCAP, Sign/sealing)
CloudTrust Protocol (CTP) Sample
CloudTrust Protocol V2.0
• Syntax based on XML
• Traditional RESTful web service over HTTP
• SCAP / XCCDF query & response structure
Legend: New in V2.0
Elastic Characteristics of the CTP
Multiple Styles of Implementation
The CTP is machine and human readable
Scope of a TaaS Implementation of CTP
Enterprise or Client-specific
CTP Transaction Response Codes
HTTP Response Code – Meaning
• 200 – ‘OK’ (with data) or ‘YES’
• 204 – Request received, but cloud vendor chooses not to respond
• 401 – Unauthorized request
• 404 – ‘NO’
Example XML Document Types
Mimetype – Description
• ctp/resources+xml – A list of all IT resources
• ctp/resource+xml – Details of one resource
• ctp/resourcecount+xml – Count of all resources to date
• ctp/update+xml – When the resources were last updated
• ctp/tags+xml – A list of all tags
• ctp/tag+xml – Details of one tag
Current Configuration Discovery/Reporting (EoT 3)
Description: Poll the cloud provider for details of current configuration data, within the provider’s inventory of technology (real and virtual) being used on behalf of the cloud consumer. Resource configuration information is returned using the Extensible Configuration Checklist Description Format (XCCDF) and the Open Vulnerability and Assessment Language (OVAL), within the Common Configuration Enumeration (CCE) specifications.
Method: GET
URL: https://cloudtrust.csc.com/ctp/[custID]/resources/cce/[platformID]
Querystring:
• tag= Filter by tag
• OS= Filter by operating system
• loc= Filter by location
• start= The number of the first resource to return
• end= The number of the last resource to return
Returns:
• 200 OK and XML data
• 204 Decline to respond
• 401 Unauthorized
• 404 Not Found
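The following is an added example (not from the CTP specification or the deck) of a consumer-side client for the EoT 3 request above: it builds the GET URL from the documented template and querystring keys, maps the documented response codes (200 with data, 200 as a bare ‘YES’, 204 declined, 401, 404 as ‘NO’) to an outcome, and parses a resource list. The transport is stubbed with a constructed reply so it runs offline, and the XML body layout and the CCE id are assumptions, since the deck only names the mimetype ctp/resources+xml.

```python
"""Added example, not CTP specification code: build the EoT 3 request
from the documented URL template and querystring keys, map the documented
CTP response codes to an outcome, and parse a ctp/resources+xml body.
The transport is stubbed with a constructed reply (no network); the XML
layout and the CCE identifier are assumptions for the demo."""
from urllib.parse import quote, urlencode
import xml.etree.ElementTree as ET

CTP_BASE = "https://cloudtrust.csc.com/ctp"      # from the deck's URL template
RESOURCES_MIME = "ctp/resources+xml"             # 'A list of all IT resources'

# Response codes as documented for CTP transactions.
CTP_STATUS = {
    200: "ok",            # 'OK' (with data) or 'YES'
    204: "declined",      # request received, provider chooses not to respond
    401: "unauthorized",
    404: "no",            # 'NO' / not found
}

# Querystring keys from the EoT 3 table, in the deck's order.
ALLOWED_FILTERS = ("tag", "OS", "loc", "start", "end")


def build_resources_url(cust_id, platform_id, **filters):
    """GET /ctp/[custID]/resources/cce/[platformID]?tag=&OS=&loc=&start=&end="""
    unknown = set(filters) - set(ALLOWED_FILTERS)
    if unknown:
        raise ValueError("unsupported querystring keys: %s" % sorted(unknown))
    url = "%s/%s/resources/cce/%s" % (
        CTP_BASE, quote(cust_id, safe=""), quote(platform_id, safe=""))
    # Emit keys in the documented order so logged URLs are stable.
    ordered = [(k, filters[k]) for k in ALLOWED_FILTERS if k in filters]
    return url + ("?" + urlencode(ordered) if ordered else "")


def parse_resources(xml_text):
    """Assumed layout: <resources><resource id os loc><cce id/>...</resource></resources>"""
    root = ET.fromstring(xml_text)
    return [{"id": r.get("id"), "os": r.get("os"), "loc": r.get("loc"),
             "cce": [c.get("id") for c in r.findall("cce")]}
            for r in root.findall("resource")]


def interpret(status, body=None, mimetype=None):
    """Map an HTTP reply to a CTP outcome.  A 200 without a body is the bare
    'YES'; data is only trusted when the mimetype is the documented one."""
    outcome = CTP_STATUS.get(status, "unexpected")
    if outcome != "ok":
        return {"outcome": outcome, "resources": []}
    if body is None:
        return {"outcome": "yes", "resources": []}
    if mimetype != RESOURCES_MIME:
        return {"outcome": "unexpected", "resources": []}
    return {"outcome": "ok", "resources": parse_resources(body)}


# Constructed provider reply used by the stub transport (ids are made up).
SAMPLE_REPLY = (200, RESOURCES_MIME, """<resources>
  <resource id="vm-001" os="linux" loc="us-east"><cce id="CCE-EXAMPLE-1"/></resource>
  <resource id="vm-002" os="windows" loc="eu-west"/>
</resources>""")


def fake_transport(url):
    """Stand-in for the HTTPS GET; returns (status, mimetype, body)."""
    return SAMPLE_REPLY if "/resources/cce/" in url else (404, None, None)


def discover_configuration(cust_id, platform_id, transport=fake_transport, **filters):
    url = build_resources_url(cust_id, platform_id, **filters)
    status, mimetype, body = transport(url)
    result = interpret(status, body, mimetype)
    result["url"] = url
    return result


if __name__ == "__main__":
    r = discover_configuration("cust42", "plat-7", loc="us-east")
    print(r["url"], r["outcome"])
    for res in r["resources"]:
        print(" ", res)
```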
CTP Implementation Architecture
Configuration Item Relationships
(Diagram: Cloud Consumer; TaaS (CTP) U/I and service director; CloudTrust Management Base (CTMB), automated and manual; CTP request & response stack; Cloud Providers each with a CTP Response Engine (RE): IBM, Amazon, CSC, Salesforce, Google, Microsoft, Savvis, Others …)
Functions along the request & response path:
• Identification, authorization, accounting, flow control, CTMB interface, response and reporting
• CTP request/response translation, packaging, and brokering
• CTP request queuing and execution in a conforming cloud
CloudTrust Management Base (CTMB): the storage of user authorizations and credentials, request status, result histories, specifications, and commentary; management of the CTMB
(RE) CTP Response Engine: cloud that acknowledges CTP (CTP conforming)
Legend: cloud consumer or service broker; cloud provider
Transparency-as-a-Service (TaaS)
Turn on the lights you need … when you need them
(Diagram: Authorized TaaS Users; CTUI; TaaS host (cloud); CTP to Salesforce, Microsoft, Amazon, Others …)
CloudTrust Protocol (CTP) Elements of Transparency 1 … 23
• What does my cloud computing configuration look like right now?
• Where are my data and processing being performed?
• Who has access to my data now?
• What vulnerabilities exist in my cloud configuration?
• What audit events have occurred in my cloud configuration?
• Who has had access to my data?
• . . .
The CSA CTP Working Group Agenda
Moving toward CTP V3.0
• CTMB structure/schema
• Trust package correlation with all contributing (traditional) security services
• EoT extension technique
– Characteristics of specification
– Degree of automation
– API
• Priority/relative value of each Element of Transparency
• SLA foundation
• Transparency operator training and operations monitoring
• Degree of automatic correlation with other elements of GRC stack
• Final namespace
• Identity store for transparency service authorizations; IAM for federated or “chained” identity needs across multiple cloud service providers
• Evidence Request category “integrity and liability verification technique”
– Attest to the content, provenance, and imputability of the response (with legal import)
– Transmission integrity not sufficient; storage integrity not sufficient; require legal liability of intent to provide response as delivered
– e.g., Surety AbsoluteProof, (Kinamik Secure Audit Vault)
• Look for opportunities to join the working group!
• Ask CSA for help in pilot implementations!
• Get started now!
SESSION 4 // Where and How to Begin: Connections to Other CSA Initiatives
Using the GRC Stack
Making the Stack Pack Approach Work for You
• Easy to get started
• Many successful combinations
• Benefits accrue with each stack pack addition
• Multiple alternatives to application and deployment
• Mapped across multiple compliance mandates
GRC Stack Pack Combinations that Deliver a Payoff
[Table: columns “GRC Stack”, “Payoff Combinations”, “Other CSA Related”; cell contents not recovered]
Security, Trust, and Assurance Registry (CSA STAR)
• CSA STAR (Security, Trust and Assurance Registry)
• Public Registry of Cloud Provider self assessments
• Leverages GRC Stack Projects
  – Consensus Assessments Initiative Questionnaire
  – Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Free market competition to provide quality assessments
• Available October 2011
Security, Trust, and Assurance Registry (CSA STAR)
• Encourage transparency of security practices within cloud providers
• Documents the security controls provided by various cloud computing offerings
• Free and open to all cloud providers
• Option to use data/report based on CCM or the CAIQ
[Diagram: GRC Stack; providers expose control claims and compete to improve GRC capabilities]
STAR Listing Process
• Provider fills out CAIQ or customizes CCM
• Uploads document at /star
• CSA performs basic verification
  • Authorized listing from provider
  • Delete SPAM, “poisoned” listing
  • Basic content accuracy check
• CSA digitally signs and posts at /star
FAQ
• Where? www.cloudsecurityalliance.org/star/
• Help? Special LinkedIn support group and private mailbox moderated by CSA volunteers, online next week
• Costs? Free to post, free to use
• Is this a new hacker threat vector? No, it is responsible disclosure of security practices
• Will CSA police STAR? Initial verification and maintenance of “Abuse” mailbox
• Do listings expire? Yes, 1 year limit
• Full FAQ to be posted at /star next week
Why not certification or 3rd party assessment?
• Complex to do certification right
  – Many uses of cloud, many customer needs
  – Different risk profiles for each
• CSA supporting broad industry consortia and standards bodies
  – ISO, ITU-T
  – Common Assurance Maturity Model (CAMM – 3rd Party assessment)
  – GRC Stack aligns with common requirements (e.g. PCI/DSS, HIPAA, FedRAMP, 27001, CoBIT, etc)
• Self assessment & transparency complements all
  – STAR could be part of SSAE 16 SOC II report (SAS 70 replacement)
Is CSA STAR temporary or the ultimate assurance solution?
• Neither
• Permanent effort to drive transparency, competition, innovation and self regulation with agility – crowdsourcing cloud security
• Does not provide automation, 3rd party assessment, relative/absolute scoring, real-time controls monitoring, etc
• Ultimate assurance is real time GRC (enabled by CloudAudit) complemented by CSA STAR and 3rd party attestation. Will look to solution providers to deliver this integration
Trusted Cloud Initiative (TCI)
• CSA certification criteria and seal program for cloud providers
• Initial focus on secure & interoperable identity in the cloud, and its alignment with data encryption
• Assemble with existing standards
• Reference models & Proof of concept
• Outline responsibilities for Identity Providers, Enterprises, Cloud Providers, Consumers
www.cloudsecurityalliance.org/trustedcloud.html
TCI Mission
“To create a Trusted Cloud reference architecture for cloud use cases that leverage cloud delivery models (SaaS, PaaS, IaaS) in the context of operational models (Public, Private, Hybrid) to deliver a secure and trusted cloud service.”
Holistic approach around controls…
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
… and Architecture best practices
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
Reference model structure
How to use the architecture?
Use Cases and Patterns
Trusted Cloud Initiative
CAMM
The Common Assurance Maturity Model (CAMM) is designed to provide trustworthiness (safety, security and reliability) of the supply chain working within and across the Internet in the new information world. It offers the following benefits to customer and service provider organizations:
CAMM Objectives
Purpose
– Provide a framework to provide the necessary transparency in attesting the Information Assurance Maturity of a third party (e.g. Cloud provider).
– Allow the publication of results to be performed in an open and transparent manner, without the mandatory need for third party audit functions.
– Allow data processors to demonstrably publicise their attention to Information Assurance over other suppliers that may not take it as seriously.
– Avoid the subjective and bespoke arrangements that customers of such services are currently faced with.
Method
– Utilise existing standards such as ISO 27001, BS 25999, NIST SP 800-53, etc to develop a series of control questions specific to the organisation.
– Responses to such questions (and the subsequent detail) to be published and available.
– Output to also include a score that details the provider’s Common Assurance Maturity score
CAMM: New business assurance barometer
Business Assurance
• Provides a genuine USP to organisations that have higher levels of information risk maturity
• Risk management maturity is open for stakeholders to view, using appropriate language and detail.
• CAMM is built on existing standards, so no need for massive re-investment.
• Measures maturity against defined controls areas, with particular focus on key controls.
• A business benefit that creates consumer trust that is both meaningful and understandable
How it Works: A Simplified View
[Diagram: a Third Party Assurance Centre holds the Maturity of a third party requesting access, a cloud provider and an internal hosting provider; the business sets its Risk Appetite]
1. Business sets level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.
2. Level of risk management maturity is communicated to business partners (and possible partners)
3. Evidence of compliance may be uploaded to central repository that can be used by numerous customers.
4. Leverage existing expenditure and remove need for duplicate verification (note: May remove audit requirement altogether)
SESSION 5 // GRC Stack Evolution and Administration: How to Learn More; Open Mic for Q&A
GRC Stack Planned Evolutions
[Diagram: the CSA organization chart from the introduction (Board, Steering Committee, Executive Director, Membership, Working Groups, Research Director, Security Guidance, CCM, CAIQ, GRC Stack, STAR, Trusted Cloud Initiative, CCSK, PCI), here annotated “Legal perspectives and alterations …”]
The GRC Stack Evolution Plan
What is the current expansion/evolution plan for the GRC stack?
[Table: rows starting with “Evolution 1”; columns “Content”, “Timeframe”; cell contents not recovered]
What’s Happening Now? A great time to move the security ecosystem forward in the cloud
Research Work Groups Underway
• CCM update
• CAIQ update
• CloudAudit update
• CloudTrust Protocol update and integration into CSA GRC stack
• Trusted Cloud Initiative
• CloudSIRT
• Cloud data governance
• Cloud metrics
• Security as a service (SecaaS)
Education
• CCSK update
• GRC stack training
• PCI compliance in the cloud
Legend: current planned sources of evolution for the GRC stack
of AM presentation
questions & dialogue
Cloud Security Alliance: Industry Efforts to Secure Cloud Computing
A Workshop on the CSA Governance, Risk, and Compliance (GRC) Stack
Jim Reavis, CSA Executive Director
Ron Knode (CSC), Marlin Pohlman (EMC), Kip Boyle (…), Becky Swain (…), John Yeoh (CSA)
October 2011
PM SESSIONS
SESSION 9 // Connections and applications of GRC stack components in other initiatives (inside and outside the CSA)
THANK YOU