

Page 1: Using the CSA Control Matrix and ISO 27017 controls to ...docbox.etsi.org/Workshop/2012/201201_SECURITYWORKSHOP/3... · Using the CSA Control Matrix and ISO 27017 controls to facilitate

Using the CSA Control Matrix and ISO 27017 controls to facilitate regulatory compliance in the cloud

Marlin Pohlman Ph.D., CISA, CISM, CGEIT, CISSP, PE, HITRUST CSV

Co-Chair: CSA CCM, CSA CAIQ, CSA Cloud Audit

Co-Editor: ISO 27017 & ITU-T FG Cloud X.srfctse

Co-Chair/Founder, CSA GRC Stack

Chief Governance Officer, EMC CTO Office

www.cloudsecurityalliance.org

Copyright © 2010 Cloud Security Alliance

Page 2

Cloud adds the concept of Supply Chain

Each member does what they do best: Harmony in Specialization.

Page 3

Chains are only as strong as the weakest link

GRC ensures the integrity of the chain.

Page 4

CSA GRC Stack

Family of 4 research projects:

• Cloud Controls Matrix (CCM)

• Consensus Assessments Initiative Questionnaire (CAIQ)

• Cloud Trust Protocol (CTP)

• Cloud Audit

Tools for governance, risk and compliance management.

Enabling automation and continuous monitoring of GRC.


Page 5

Cloud Controls Matrix (CCM)


Page 6

What is the CCM?

• First ever baseline control framework specifically designed for managing risk in the Cloud Supply Chain:

– Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.

– Providing an anchor point and common language for balanced measurement of security and compliance postures.

– Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.

• Serves as the basis for new industry standards and certifications.


Page 7

CCM – 11 Domains


Page 8

CCM – 98 Controls


Page 9

CCM – 98 Controls (cont.)


Page 10

CCM – 98 Controls (cont.)


Page 11

CCM – 98 Controls (cont.)


Page 12

A Unified Compliance Approach

Bridging Regulatory Governance And Practical Compliance


Page 13

Consensus Assessments Initiative Questionnaire (CAIQ)


Page 14

What is the CAIQ?

• Cloud Supply Chain risk management and due diligence questionnaire (148 questions)

– Enables 1 or more Cloud service providers to demonstrate compliance with the CSA CCM.

– Forms the basis for establishing Cloud specific Service Level Objectives that can be incorporated into supplier agreements.

• AICPA SSAE 16 SOC 2 Normative Qualification Questionnaire.


Page 15

CloudAudit Protocol

• Provides an open, extensible and secure interface for automation of Audit, Assertion, Assessment, and Assurance (A6) of cloud computing environments.

• A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.

– Defines a namespace that can support diverse frameworks.

– Expressed in the namespace: CSA CCM, ISO/IEC 27001, COBIT, HIPAA, NIST SP 800-53, PCI DSS.

– Defines the mechanisms for requesting and responding to queries relating to specific controls.

– Integrates with portals and AAA systems.


Page 16

Sample Implementation – CSA Compliance Pack


Page 17

Sample Implementation – CSA Compliance Pack (cont.)


Page 18

CloudAudit – How it Works


Page 19

CloudAudit – Manifest.xml Example


Page 20

DMTF – CADF (Cloud Audit Data Federation): Cloud Audit Data Federation Resource Model

[Figure: resource taxonomy tree. Resource has the subtypes Compute, Network, Storage, Data and Service (is-a relationship); the example instances shown are NetworkNode, Router, Repository, Machine, ProcessingNode, ConfigurationRepository, User, PrivilegedUser, Application, Workload, CRMService and BSSService. Initiator is drawn as a separate taxonomy.]

Node – Description

Network – Represents the logical resources that interconnect computer systems, terminals, and other equipment allowing information to be exchanged (general, compiled definition). A realized entity that is capable of providing Network Addresses, routing rules, mapping tables, and network access limits (as defined by CMWG).

Compute – Represents the logical resources that are used to perform logical operations or calculations on data.

Storage – Represents the logical constructs that represent storage containers.

Service – Represents the logical sets of functions, packaged into a single entity, that provide access to and add value to cloud resources.

Data – Represents the logical named sets of information that are referenced and managed by services.

Initiator – Separate taxonomy. Classifies the initiators (human or non-human entities) of event actions.

Page 21

Elements of Transparency in the CTP (CloudTrust Protocol Orientation)

[Figure: the elements of transparency, only 23 in the entire protocol, grouped by type and by evidence-request family.]

6 TYPES: Initiation; Policy introduction; Evidence requests; Provider assertions; Provider notifications; Client extensions.

EVIDENCE REQUEST FAMILIES: Configuration; Vulnerabilities; Anchoring (Geographic, Platform, Process); Audit log; Service Management; Service Statistics.

Page 22

CloudTrust Protocol Pathways: Mapping the Elements of Transparency in Deployment (CloudTrust Protocol Orientation)

[Figure: matrix with the columns Admin & Ops, Specs, Transparency Requests and Extensions, and the rows Assertions, Evidence and Affirmations; the numbered elements of transparency are placed in it as follows.]

Session start: 1
Session end: 2
Configuration & vulnerabilities: 3, 4, 5, 6, 7
Anchoring (geographic, platform, process): 8, 9, 10
Violation: 11
Audit: 12
Access: 13
Incident log: 14
Config/control: 15
Stats: 16
Security capabilities and operations: 17
Alerts: 18
Users: 19
Configuration definition: 20
Anchors: 21
Quotas: 22
Alert conditions: 23
Consumer/provider negotiated: 24

Related: CloudAudit.org; SCAP; Sign / sealing

Page 23

CloudTrust Protocol V2.0 Syntax (CloudTrust Protocol Orientation)

• Based on XML

• Traditional RESTful web service over HTTP

Page 24

Multiple Styles of Implementation: The CTP is machine and human readable

[Figure: two deployment diagrams. OUT-OF-BAND: the Cloud Consumer exchanges trust evidence (elements of transparency) with a separate CloudTrust Protocol Service, exposed as a RESTful Web Service, which in turn obtains the evidence from the Cloud Provider. IN-BAND: the CloudTrust Protocol Service is hosted within the Cloud Provider's own service, and the Cloud Consumer obtains trust evidence (elements of transparency) from it directly over a RESTful Web Service.]

Page 25

Legal and Electronic Discovery

The highest risks of conducting e-discovery in the cloud are:

• The loss/alteration of data and associated metadata

• The potential violation of international data privacy laws by illegally disclosing data in the jurisdiction in which the cloud is located

• The unintentional waiver of the attorney-client privilege by co-mingling data or disclosing attorney-client communications to third parties

• The failure to properly and timely implement and monitor litigation holds

Companies can manage the risk of altering metadata and the risk of violating international data privacy laws by insisting that the service agreement with their cloud provider require that:

• None of the company's data may be stored outside the United States

• The provider supplies a detailed mechanism for how the cloud will implement litigation holds

• The agreement addresses how metadata will be created and stored in the cloud environment

Page 26

Obligatory Predicates & SLA Supply Chain

OBLIGATION: The requirement to do what is imposed by law, promise, or contract; a duty.

In its general and most extensive sense, obligation is synonymous with duty. In a more technical meaning, it is a tie which binds us to pay or to do something agreeably to the laws and customs of the country in which the obligation is made. The term obligation also signifies the instrument or writing by which the contract is witnessed. And in another sense, an obligation still subsists, although the civil obligation is said to be a bond containing a penalty.

Page 27

Obligatory Predicates can also address Jurisdictional issues in the cloud

<?xml version="1.0"?>
<!DOCTYPE rdf:RDF [ <!ENTITY xsd "http://www.w3.org/2001/XMLSchema#"> ]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
         xml:base="http://example.org/obligation">
  <!-- xml:base and the #fragment form of the class references are assumed;
       the slide gives only the property declarations -->

  <!-- numeric value attached to an asset -->
  <rdf:Property rdf:ID="value">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="&xsd;integer"/>
  </rdf:Property>

  <!-- asset-to-asset structure of the supply chain -->
  <rdf:Property rdf:ID="depends">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Asset"/>
  </rdf:Property>
  <rdf:Property rdf:ID="contains">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Asset"/>
  </rdf:Property>

  <!-- links an asset to the obligations, predicates, constraints and
       supporting case law that bind it -->
  <rdf:Property rdf:ID="subjecttoObligation">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Obligation"/>
  </rdf:Property>
  <rdf:Property rdf:ID="Predicate">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Resource"/>
  </rdf:Property>
  <rdf:Property rdf:ID="Constraint">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Value"/>
  </rdf:Property>
  <rdf:Property rdf:ID="supportUsage">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#CaseLaw"/>
  </rdf:Property>
</rdf:RDF>
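As an added example (not from the slides or from the CSA), the predicates above modelled as plain triples in Python: an obligation bound to one asset is propagated through the contains and depends relationships to every asset in the supply chain that stores or serves it, and each bound asset's geographic anchor is then checked against the jurisdiction the obligation requires, in the spirit of the "no data outside the United States" clause on the Legal and Electronic Discovery slide. The asset names, the obligation, the jurisdiction table and the reading of Constraint as a "jurisdiction=XX" value are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample triples (subject, predicate, object) using the property
# names declared on the slide; the assets, obligation and values are made up.
TRIPLES = [
    ("CRMDatabase", "subjecttoObligation", "US-ONLY-STORAGE"),
    ("US-ONLY-STORAGE", "Constraint", "jurisdiction=US"),  # assumed reading
    ("VolumeA", "contains", "CRMDatabase"),
    ("VM-7", "contains", "VolumeA"),
    ("VM-7", "depends", "StorageCluster-EU"),
    ("VM-7", "depends", "Hypervisor-US"),
    ("VolumeA", "depends", "BackupTarget"),
    ("VM-9", "depends", "StorageCluster-EU"),  # unrelated workload, never bound
]
# Constructed geographic anchors, i.e. what the CTP "anchoring: geographic"
# element would report; BackupTarget deliberately has no anchor on record.
ASSET_JURISDICTION = {"CRMDatabase": "US", "VolumeA": "US", "VM-7": "US",
                      "StorageCluster-EU": "EU", "Hypervisor-US": "US", "VM-9": "EU"}

def by_predicate(triples):
    """Index (subject, object) pairs by predicate name."""
    idx = defaultdict(list)
    for s, p, o in triples:
        idx[p].append((s, o))
    return idx

def bound_assets(triples, obligation):
    """Assets bound by `obligation`: a container inherits its contents'
    obligations and a dependency inherits those of whatever depends on it.
    Iterates to a fixpoint so chains of any length are covered."""
    idx = by_predicate(triples)
    bound = {s for s, o in idx["subjecttoObligation"] if o == obligation}
    while True:
        grown = (bound | {s for s, o in idx["contains"] if o in bound}
                 | {o for s, o in idx["depends"] if s in bound})
        if grown == bound:
            return bound
        bound = grown

def jurisdiction_violations(triples, locations):
    """(asset, obligation, actual) for every bound asset whose geographic
    anchor is missing (None) or outside the jurisdiction named by the
    obligation's Constraint."""
    idx = by_predicate(triples)
    required = {s: o.split("=", 1)[1] for s, o in idx["Constraint"]
                if o.startswith("jurisdiction=")}
    found = []
    for ob in sorted(required):
        for asset in sorted(bound_assets(triples, ob)):
            if locations.get(asset) != required[ob]:
                found.append((asset, ob, locations.get(asset)))
    return found
```

Calling jurisdiction_violations(TRIPLES, ASSET_JURISDICTION) reports StorageCluster-EU (anchored in the EU) and BackupTarget (no anchor on record) as violations of US-ONLY-STORAGE, while VM-9 stays out of scope because nothing it depends on is bound.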

Page 28

ISO 27017 Coordinated Editorial Activity

[Figure: the coordinated documents. ISO 27017 – Control Standard. ITU-T X.srfctse – Standard: "Security requirements and framework of cloud based telecommunication service environment". ITU-T FG SG17 Cloud-I-0465 – Requirement Document. FedRAMP 2012 – Controls.]

Page 29

ISO 27017 Work In Progress


Page 30

ISO 27017 Example: Obligatory Predicates

CSA Control Matrix RS-08

ISO 27017: 11.7.2

ITU-T FG SG17 Cloud-I-0465 Requirement Document, Req 8.12 – Agreements on information transfer and forensic traceability

Page 31

ISO 27017 Example: Virtualization Security

CSA Control Matrix IS-34

FedRAMP SC-30

X.srfctse (Security requirements and framework of cloud based telecommunication service environment): 7.1 Security Vulnerabilities in Virtualization

ISO 27017 A.13.6.4 – Secure Virtual Machine

Page 32

27017 Appendix B: Minimum Baseline

SECURITY CONTROL SELECTION: Organizations (CSU, CSP IaaS, PaaS, SaaS) must meet the minimum security requirements in this standard by selecting the appropriate security controls and assurance requirements.

Page 33

Thank you for your Time and Attention

Questions ?

Marlin Pohlman

[email protected]

[email protected]

+1.503.662.2245
