Schneider Electric 2 – Digital Services Transformation – Matthew Theobald – January 2015
Agenda
1. Introduction
2. Cloud Security Standards
3. Trust in the Cloud
4. Privacy in the Cloud
5. Exercise – Assessing Security of a Cloud SaaS Solution
INTRODUCTION
Control System Data in the Cloud
● ICS vendors are beginning to develop cloud SaaS (Software as a Service) solutions to store and analyze control system data
● Driven by the need to collect, cleanse, store, analyze and report on large volumes of data from multiple sources, in a cost-effective manner
● Through analysis, this data can be turned into information to quantify, improve and optimize business processes
● Examples:
  ● Cloud Historian
  ● Remote Monitoring
  ● Asset Management
  ● Smart Buildings
Difficulty Assessing Cloud SaaS Solutions
● The Cloud Provider’s security controls must be assessed at multiple layers:
  ● Facilities (physical security)
  ● Network infrastructure (network security)
  ● IT systems (system security)
  ● Information and applications (application security)
  ● People (for example, separation of duties between development and production)
  ● Process (for example, change management and incident response)
● The biggest obstacle to assessing the security of a Cloud SaaS solution is a lack of transparency on the part of the Cloud Provider
Definitions
Cloud Provider: An organization or entity responsible for making a service available to interested parties – for example, an ICS vendor providing a Cloud Historian service
Cloud Consumer: An organization that maintains a business relationship with, and uses services from, a Cloud Provider – for example, an asset owner that has subscribed to and uses an ICS vendor’s Cloud Historian service
CLOUD SECURITY STANDARDS
ISO/IEC
ISO/IEC 27001 Information technology -- Security techniques -- Information security management systems -- Requirements
● Provides requirements for an information security management system (ISMS), a systematic approach to keeping information assets secure
● Auditable (an organization can be certified against it)
ISO/IEC 27002 Information technology -- Security techniques -- Code of practice for information security controls
● Provides best-practice recommendations for those responsible for initiating, implementing or maintaining an ISMS
● Not itself auditable; it supports the control selection required by 27001
Cloud Security Alliance
CSA Cloud Controls Matrix
● First baseline control framework specifically designed for Cloud supply chain risk management
● Backbone of CSA’s Cloud Certification framework (more later)
● 16 control areas, 133 controls
● Controls mapped to 32 other security standards, regulations and control frameworks, including ISO 27001 and 27002, ISACA COBIT, FedRAMP, NERC CIP, NIST SP 800-53, Directive 95/46/EC, HIPAA and PCI DSS
NIST
NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-161 (Draft) Supply Chain Risk Management Practices for Federal Information Systems and Organizations
TRUST IN THE CLOUD
Trust
● Lack of Cloud Provider transparency inhibits Governance, Risk Management and Compliance (GRC)
  ● Difficult to monitor and audit the supply chains necessary for the company’s consistent performance and growth
  ● Difficult to identify and understand exposure to risk and the capability to manage risk
  ● Challenge for a Cloud Consumer to show auditors that the organization is in compliance with industry security / privacy standards and regulations
The higher up the Service Model stack, the more security the Cloud Provider is responsible for implementing and managing
[Figure: two ways for the Cloud Consumer to obtain security from the Cloud Provider, labelled “Build It In” and “RFP / Contract It In”]
General Approach
● Network segmentation and segregation
● Boundary protection
● Firewall policy
● Defense in depth
● Authentication and authorization
● Monitoring and auditing
● etc.
Reference standards: NIST SP 800-82, IEC 62443, NIST SP 800-53
Cloud Certifications
● Provide transparency and visibility to cloud customers
● Deliver compliance-supporting data and artifacts
● ISO/IEC 27001
● CSA STAR
● SSAE-16 SOC 2
SSAE-16 SOC 2 Report
● Reports on a service organization’s controls as they relate to the security, availability, processing integrity, confidentiality and privacy of a system
  ● Type I: suitability of the design of the controls at a point in time
  ● Type II: design and operating effectiveness of the controls over a review period (the report to ask a Cloud Provider for)
CSA STAR (Security, Trust & Assurance Registry)
● Goal is to improve transparency and assurance in the cloud
● Searchable, publicly accessible registry that allows cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher-quality procurement experiences
● Helps customers to assess the security of Cloud Providers
● Based on a multilayered structure defined by the Open Certification Framework Working Group
CSA STAR Self-Assessment
● Voluntary
● Based on:
  ● Cloud Controls Matrix
  ● Consensus Assessments Initiative Questionnaire
CSA STAR Certification
● Rigorous third-party independent assessment of a cloud provider’s security
● Measures the cloud provider’s capability level:
  ● No formal approach
  ● Reactive approach
  ● Proactive approach
  ● Improvement-based approach
  ● Optimising approach
CSA STAR Certification
● Leverages the requirements of:
  ● ISO 27001:2013
  ● CSA Cloud Controls Matrix
● Ensures the scope, processes and objectives are “fit for purpose”
CSA STAR Attestation
● Provides a framework for performing assessments of cloud service providers using SOC 2 engagements supplemented by criteria in the CSA Cloud Controls Matrix
● Typically, Cloud Providers obtain a CSA STAR Attestation, ISO/IEC 27001 certification and a SOC 2 Type II report at the same time, since so many of the criteria are common to the three
CSA CAI Questionnaire
● Consensus Assessments Initiative Questionnaire
● Provides a set of questions a cloud consumer can ask of a cloud provider about their security controls
● Questions can be tailored to suit each cloud consumer’s unique evidentiary requirements
● Questions mapped to the compliance requirements in the Cloud Controls Matrix
PRIVACY IN THE CLOUD
PII and Personal Information
● PII (Personally Identifiable Information)
  ● Information that can identify an individual (name, date of birth, etc.)
● Personal information
  ● Information that does not directly identify an individual, but is deemed sensitive by social mores – race, religion, shopping habits
Privacy vs Security
● Privacy governs how PII should be used, shared and retained
● Security restricts access to the sensitive data and protects confidentiality/integrity during collection, storage and transmission
Privacy in ICS
● Information is primarily Business Sensitive / Confidential
● Biggest privacy impact is Identity / Account stores
  ● Full name
  ● Email address
  ● Etc.
Privacy Standards and Regulations
● FTC Consent Decrees
  ● Designate individuals to be accountable for the information security program
  ● Identify risks to personal information
  ● Design, implement and test reasonable safeguards to control risk
● EU Data Protection Directive (95/46/EC)
  ● Data controller (cloud customer) “must implement appropriate technical and organizational measures to protect personal data against …. all unlawful forms of processing…”
  ● Processing of data by a data processor (cloud provider) must be governed by a contract or legal act binding the processor to the controller
  ● Cross-border data transfer out of the EEA is prohibited unless the third country in question ensures an adequate level of protection
  ● (Note: Directive 95/46/EC was repealed by the General Data Protection Regulation (EU) 2016/679, which applies from 25 May 2018 and keeps the controller/processor contract and transfer-adequacy requirements.)
Privacy Standards and Regulations
● US/EU Safe Harbor
  ● Allows US companies to register their certification that they meet the EU Data Protection requirements
  ● Take reasonable precautions to protect personal information
  ● Onward Transfer Principle
  ● (Note: the Safe Harbor decision was invalidated by the Court of Justice of the European Union in October 2015, after this presentation was given.)
● PIPEDA (Personal Information Protection and Electronic Documents Act, Canada)
  ● An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party (cloud provider) for processing
Privacy Standards and Regulations
● NIST SP 800-53 Rev. 4 Appendix J “Privacy Control Catalog”
● ISO/IEC 27018 Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
● HIPAA Health Insurance Portability and Accountability Act
● PCI DSS Payment Card Industry Data Security Standard
Privacy Policy
● The Cloud Provider should have a strong Privacy Policy that specifies the following for personal information:
  ● Collection
  ● Usage
  ● Storage
  ● Release
  ● Retention
  ● Deletion
● The Cloud Provider should provide a Privacy Notice to the Cloud Consumer on demand
EXERCISE Assessing the Security of a Cloud SaaS Solution
Network Segmentation and Zoning
IEC 62443-3-3 requirement and its impact on the Cloud SaaS solution:
SR 5.1 – Network segmentation: The network with access to the Cloud Provider’s application should be logically or physically segmented from the (critical) control system network
SR 5.2 – Zone boundary protection: Access to the Cloud Provider’s application must take place via a zone and conduit designed for this purpose
SR 5.2 – Zone boundary protection: The Cloud Provider’s security and access controls must fulfill the requirements of the asset owner’s zone and conduit security policy designed to meet the target Security Level
Data Integrity and Confidentiality
IEC 62443-3-3 requirement and its impact on the Cloud SaaS solution:
SR 3.1 – Communication integrity; SR 4.1 – Information confidentiality: The confidentiality and integrity of all network communication between the asset owner’s system and the Cloud Provider’s system must be protected via cryptographic means
SR 3.4 – Software and information integrity; SR 4.1 – Information confidentiality: The confidentiality and integrity of data at rest must be protected by the Cloud Provider using strong access and/or cryptographic controls
Data Integrity and Confidentiality
Consensus Assessment Questions by control group:
Interoperability & Portability – Standardized Network Protocols: Can data import, data export and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols? Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved?
Application & Interface Security – Data Integrity: Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Multi-Tenancy
● Definition
  ● Resources and services used by multiple cloud consumers are physically collocated but logically separated – for example, data from multiple cloud consumers is stored in the same database, or on the same server, and security controls keep the data logically separated
● To Cloud Providers
  ● Enables economies of scale, availability, management, segmentation, isolation and operational efficiency
● To Cloud Consumers
  ● Implies a need for security controls, at different layers, to ensure logical separation
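How the logical separation that multi-tenancy relies on is enforced, and how it fails, is easier to see in code. The following is an added example written for this page, not code from the presentation or from any Schneider Electric product: one in-memory "table" holds rows for two tenants, one accessor looks rows up by ID alone, and the other makes the tenant scope a mandatory parameter. The `Store`, `HistorianPoint` and `TenantID` names, the row IDs and the tenants `plant-a` and `plant-b` are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// TenantID is a distinct type so a tenant scope cannot be confused with an
// ordinary string such as a row ID.
type TenantID string

// HistorianPoint is one row of a shared historian table. The field names are
// this example's own, not any product's schema.
type HistorianPoint struct {
	Tenant TenantID
	ID     string
	Tag    string
	Value  float64
}

// Store models one database table holding every tenant's rows, which is the
// multi-tenancy definition on the slide.
type Store struct {
	rows map[string]HistorianPoint // keyed by row ID only
}

var ErrNotFound = errors.New("not found")

// NewStore loads constructed sample rows for two tenants.
func NewStore() *Store {
	s := &Store{rows: map[string]HistorianPoint{}}
	for _, r := range []HistorianPoint{
		{Tenant: "plant-a", ID: "p-100", Tag: "PUMP1.FLOW", Value: 12.5},
		{Tenant: "plant-a", ID: "p-101", Tag: "PUMP1.PRESS", Value: 3.2},
		{Tenant: "plant-b", ID: "p-200", Tag: "TURBINE.RPM", Value: 1480},
	} {
		s.rows[r.ID] = r
	}
	return s
}

// GetUnscoped is the weak pattern: lookup by row ID alone. Any tenant that
// guesses or enumerates an ID reads another tenant's data.
func (s *Store) GetUnscoped(id string) (HistorianPoint, error) {
	r, ok := s.rows[id]
	if !ok {
		return HistorianPoint{}, ErrNotFound
	}
	return r, nil
}

// Get is the hardened pattern: the tenant scope is mandatory and ownership is
// checked on every read. A row owned by another tenant is reported exactly
// like a missing row, so the response does not confirm the foreign ID exists.
func (s *Store) Get(t TenantID, id string) (HistorianPoint, error) {
	r, ok := s.rows[id]
	if !ok || r.Tenant != t {
		return HistorianPoint{}, ErrNotFound
	}
	return r, nil
}

// Export returns every row of one tenant and nothing else, the capability the
// CAIQ asks about ("produced for a single tenant only").
func (s *Store) Export(t TenantID) []HistorianPoint {
	var out []HistorianPoint
	for _, r := range s.rows {
		if r.Tenant == t {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	s := NewStore()
	leaked, _ := s.GetUnscoped("p-100") // plant-b asking for a plant-a row
	fmt.Printf("unscoped read returned %s owned by %s\n", leaked.Tag, leaked.Tenant)
	_, err := s.Get("plant-b", "p-100")
	fmt.Println("scoped read by plant-b:", err)
	fmt.Println("rows in plant-a export:", len(s.Export("plant-a")))
}
```

The point of `Get` is that the tenant scope is part of the signature rather than an optional filter a handler can forget; `GetUnscoped` is the cross-tenant read an assessor looks for by enumerating IDs with one tenant's credentials.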
Encrypting Data At Rest in Cloud SaaS
● Typical cloud guidance
  ● The Cloud Consumer (tenant) generates the encryption key, and encrypts and decrypts data en route to/from the Cloud SaaS Provider
● Cloud SaaS encryption hurdles
  ● SaaS is not just storage – the provider needs to validate, estimate, aggregate, search, sort and analyze the data
● The Cloud Consumer (tenant) should control their own encryption keys
● Encryption keys should never be stored alongside the encrypted data
● It is extremely important to manage encryption keys securely
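The “typical cloud guidance” above, together with the hurdle it creates, as an added example written for this page (not the presentation’s or any product’s code): the tenant holds two keys, encrypts each value with AES-256-GCM before it leaves the site, and sends the provider only the ciphertext plus an HMAC “blind index” of the tag name. The type and function names, the tag names and the sample values are constructed for the example; the keys are generated locally so the block runs stand-alone, whereas in practice they come from the consumer’s key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// TenantKeys stay on the asset owner's side; nothing here is ever sent to or stored by the provider.
type TenantKeys struct {
	DataKey  []byte // 32 bytes: AES-256-GCM key for the values
	IndexKey []byte // 32 bytes: HMAC key for the searchable blind index
}

// StoredRecord is what the provider holds: ciphertext plus a keyed hash of the tag name, no key material.
type StoredRecord struct {
	Nonce      []byte
	Ciphertext []byte
	TagIndex   string // hex(HMAC-SHA256(IndexKey, tag name))
}

// NewTenantKeys draws both keys from the OS CSPRNG.
func NewTenantKeys() (*TenantKeys, error) {
	k := &TenantKeys{DataKey: make([]byte, 32), IndexKey: make([]byte, 32)}
	if _, err := rand.Read(k.DataKey); err != nil {
		return nil, err
	}
	_, err := rand.Read(k.IndexKey)
	return k, err
}

func (k *TenantKeys) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.DataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// blindIndex lets the provider match a tag by equality without learning its name;
// equal tags give equal indices, so the provider still sees how often each tag occurs.
func (k *TenantKeys) blindIndex(tag string) string {
	m := hmac.New(sha256.New, k.IndexKey)
	m.Write([]byte(tag))
	return hex.EncodeToString(m.Sum(nil))
}

// Seal encrypts one value en route to the provider; the blind index is bound as
// additional authenticated data, so a stored record cannot be re-labelled later.
func (k *TenantKeys) Seal(tag, value string) (StoredRecord, error) {
	g, err := k.aead()
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	idx := k.blindIndex(tag)
	ct := g.Seal(nil, nonce, []byte(value), []byte(idx))
	return StoredRecord{Nonce: nonce, Ciphertext: ct, TagIndex: idx}, nil
}

// Open decrypts on the way back; any change to nonce, ciphertext or index fails.
func (k *TenantKeys) Open(r StoredRecord) (string, error) {
	g, err := k.aead()
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, r.Nonce, r.Ciphertext, []byte(r.TagIndex))
	if err != nil {
		return "", fmt.Errorf("integrity check failed: %w", err)
	}
	return string(pt), nil
}

// ProviderSearch is all the SaaS side can do with these records: equality match
// on the blind index. It cannot sort, range-filter, aggregate or validate values.
func ProviderSearch(records []StoredRecord, idx string) []StoredRecord {
	var out []StoredRecord
	for _, r := range records {
		if hmac.Equal([]byte(r.TagIndex), []byte(idx)) {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	k, _ := NewTenantKeys()
	a, _ := k.Seal("PUMP1.FLOW", "12.5")
	b, _ := k.Seal("TURBINE.RPM", "1480")
	hits := ProviderSearch([]StoredRecord{a, b}, k.blindIndex("PUMP1.FLOW")) // provider-side equality search
	v, _ := k.Open(hits[0])                                                 // decryption happens tenant-side
	fmt.Println(len(hits), "record matched; it decrypts to", v)
}
```

The trade-off is visible in `ProviderSearch`: the blind index buys equality search at the price of revealing which records share a tag, and every sort, range query or aggregation over the values has to happen after decryption on the tenant’s side. Random 96-bit GCM nonces also cap the number of records that may safely be sealed under one `DataKey`, which is one more reason key rotation belongs in the consumer’s key-management process.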
Data Integrity and Confidentiality
Consensus Assessment Questions by control group:
Audit Assurance & Compliance – Information System Regulatory Mapping: Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data? Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
Encryption & Key Management – Encryption: Do you encrypt tenant data at rest (on disk/storage) within your environment? Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption)? Do you have documentation establishing and defining your encryption management policies, procedures and guidelines?
Data Integrity and Confidentiality
Consensus Assessment Questions by control group:
Encryption & Key Management – Storage and Access: Are your encryption keys maintained by the cloud consumer or a trusted key management provider? Do you store encryption keys in the cloud? Do you have separate key management and key usage duties?
Supply Chain Management, Transparency and Accountability – Data Quality and Integrity: Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them? Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?
Identity and Account Management
IEC 62443-3-3 requirement and its impact on the Cloud SaaS solution:
SR 1.3 – Account management: Ideally the asset owner should manage accounts centrally and the Cloud Provider should federate against the asset owner’s identity store; alternatively the Cloud Provider can provide an application account store
SR 1.5 – Authenticator management; SR 1.7 – Strength of password-based authentication; SR 1.11 – Unsuccessful login attempts: The asset owner must be able to customize account and password policies when managing accounts in the Cloud Provider’s application account store
Identity and Account Management
Consensus Assessment Questions by control group:
Identity & Access Management – User ID Credentials: Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service? Do you use open standards to delegate authentication capabilities to your tenants? Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users? Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biometrics, etc.) for user access? Do you allow tenants to use third-party identity assurance services?
Identity and Account Management
Consensus Assessment Questions by control group:
Identity & Access Management – User ID Credentials: Do you support the ability to force password changes upon first logon? Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement? Do you allow tenants/customers to define password and account lockout policies for their accounts? Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
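A per-tenant password and lockout policy of the kind the SR 1.7 / SR 1.11 impact statement and the CAIQ questions above describe (tenant-defined minimum length and complexity, lockout threshold and duration, forced change on first logon), as an added example written for this page and not taken from the presentation or any product. The policy field names, the error values, the tenant `plant-a` and the user `operator` are constructed; the account keeps its secret in plaintext only so the block stays self-contained, where a real store keeps a password-hashing KDF output.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// TenantPolicy holds the tenant-configurable settings the CAIQ questions ask about
// (field names are this example's own).
type TenantPolicy struct {
	MinLength        int
	Complexity       bool          // require upper case, lower case and a digit
	LockoutThreshold int           // failed attempts before lockout (0 = never lock)
	LockoutDuration  time.Duration // how long the account stays locked
}

type account struct {
	secret      string // plaintext only to keep the sample self-contained; a real store keeps a KDF hash
	failures    int
	lockedUntil time.Time
	mustChange  bool // force a change on first logon
}

// AccountStore is the provider's application account store, with one policy per tenant.
type AccountStore struct {
	policies map[string]TenantPolicy
	accounts map[string]*account // key "tenant/user"
}

var (
	ErrBadCredentials = errors.New("invalid credentials")
	ErrLocked         = errors.New("account locked")
	ErrWeakPassword   = errors.New("password violates tenant policy")
	ErrMustChange     = errors.New("password change required")
)

func NewAccountStore() *AccountStore {
	return &AccountStore{policies: map[string]TenantPolicy{}, accounts: map[string]*account{}}
}

func (s *AccountStore) SetTenantPolicy(tenant string, p TenantPolicy) { s.policies[tenant] = p }

// CheckPassword enforces the tenant's own password rules (SR 1.7).
func (s *AccountStore) CheckPassword(tenant, pw string) error {
	p := s.policies[tenant]
	var up, low, dig bool
	for _, r := range pw {
		up, low, dig = up || unicode.IsUpper(r), low || unicode.IsLower(r), dig || unicode.IsDigit(r)
	}
	if len([]rune(pw)) < p.MinLength || (p.Complexity && !(up && low && dig)) {
		return ErrWeakPassword
	}
	return nil
}

// Provision creates an account whose first logon must change the password.
func (s *AccountStore) Provision(tenant, user, initial string) error {
	if err := s.CheckPassword(tenant, initial); err != nil {
		return err
	}
	s.accounts[tenant+"/"+user] = &account{secret: initial, mustChange: true}
	return nil
}

// Login applies the tenant's lockout policy (SR 1.11). Unknown users and wrong
// passwords get the same answer, so accounts cannot be enumerated.
func (s *AccountStore) Login(tenant, user, pw string, now time.Time) error {
	a, ok := s.accounts[tenant+"/"+user]
	if !ok {
		return ErrBadCredentials
	}
	if now.Before(a.lockedUntil) {
		return ErrLocked // a locked account is not even checked
	}
	if subtle.ConstantTimeCompare([]byte(a.secret), []byte(pw)) != 1 {
		a.failures++
		if p := s.policies[tenant]; p.LockoutThreshold > 0 && a.failures >= p.LockoutThreshold {
			a.lockedUntil, a.failures = now.Add(p.LockoutDuration), 0
		}
		return ErrBadCredentials
	}
	a.failures = 0
	if a.mustChange {
		return ErrMustChange
	}
	return nil
}

func main() {
	s := NewAccountStore()
	s.SetTenantPolicy("plant-a", TenantPolicy{MinLength: 12, Complexity: true, LockoutThreshold: 3, LockoutDuration: 15 * time.Minute})
	_ = s.Provision("plant-a", "operator", "Initial-Passw0rd")
	now := time.Date(2015, 1, 20, 9, 0, 0, 0, time.UTC)
	for i := 0; i < 3; i++ {
		fmt.Println("wrong password:", s.Login("plant-a", "operator", "guess", now))
	}
	fmt.Println("right password, but locked:", s.Login("plant-a", "operator", "Initial-Passw0rd", now))
}
```

Two details matter when reviewing a provider’s implementation of this: the lockout check runs before the credential check, so a locked account cannot be probed, and the lockout is time-bound from the policy rather than permanent, which is what the CAIQ’s unlock-mechanism question is getting at.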
Auditing and Monitoring
IEC 62443-3-3 requirement and its impact on the Cloud SaaS solution:
SR 6.2 – Continuous monitoring: The Cloud Provider must continuously monitor their system and use common security industry practices and tools (a SIEM, for example) to detect and respond to security breaches in a timely manner
SR 6.1 – Audit log accessibility: The Cloud Provider must provide the capability for an asset owner to access tenant-specific audit log reports
SR 2.8 – Auditable events: It should be possible to export tenant-specific audit logs from the Cloud Provider into a centrally managed audit trail on the asset owner's system, where they can be further analyzed by standard log analysis tools such as a SIEM
Auditing and Monitoring
Consensus Assessment Questions by control group:
Security Incident Management, E-Discovery & Cloud Forensics – Incident Management: Do you have a documented security incident response plan? Do you integrate customized tenant requirements into your security incident response plans? Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents? Have you tested your security incident response plans in the last year?
Security Incident Management, E-Discovery & Cloud Forensics – Incident Reporting: Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting? Does your logging and monitoring framework allow isolation of an incident to specific tenants?
Auditing and Monitoring
Consensus Assessment Questions by control group:
Security Incident Management, E-Discovery & Cloud Forensics – Incident Response Legal Preparation: Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls? Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques? Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data? Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
Auditing and Monitoring
Custom questions (not in the CAIQ): Do you provide the capability for a customer (tenant) to access their audit logs via a visual or programmatic interface? Do you provide the capability for a customer (tenant) to export their audit logs in an industry standard format such that the logs may be analyzed by the customer’s organization using industry standard log analysis tools such as a SIEM?
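What the asset owner does with a tenant-specific log export once the provider supplies one (the SR 2.8 impact statement and the custom questions above), as an added example written for this page and not the presentation’s or any product’s code: parse the export, refuse it if it contains another tenant’s records, convert it to CEF for the asset owner’s SIEM, and run one simple detection over it. The JSON field names, the two sample exports and the vendor/product strings in the CEF header are constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuditEvent is the record layout assumed for the provider's JSON-lines export; real products differ.
type AuditEvent struct {
	Time    string `json:"time"`
	Tenant  string `json:"tenant"`
	User    string `json:"user"`
	Action  string `json:"action"`
	Outcome string `json:"outcome"`
	Source  string `json:"src_ip"`
}

// cleanExport is a constructed export for tenant plant-a; leakyExport appends one record owned by plant-b.
const cleanExport = `{"time":"2015-01-20T09:00:01Z","tenant":"plant-a","user":"operator","action":"login","outcome":"failure","src_ip":"203.0.113.7"}
{"time":"2015-01-20T09:00:05Z","tenant":"plant-a","user":"operator","action":"login","outcome":"failure","src_ip":"203.0.113.7"}
{"time":"2015-01-20T09:00:09Z","tenant":"plant-a","user":"operator","action":"login","outcome":"failure","src_ip":"203.0.113.7"}
{"time":"2015-01-20T09:01:00Z","tenant":"plant-a","user":"engineer","action":"export_data","outcome":"success","src_ip":"198.51.100.4"}
`
const leakyExport = cleanExport + `{"time":"2015-01-20T09:02:00Z","tenant":"plant-b","user":"admin","action":"login","outcome":"success","src_ip":"192.0.2.9"}
`

// ParseExport reads the export and refuses the whole batch if any record belongs to another
// tenant: that means the provider's isolation failed, which is an incident, not a line to drop.
func ParseExport(raw, tenant string) ([]AuditEvent, error) {
	var events []AuditEvent
	sc := bufio.NewScanner(strings.NewReader(raw))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		if ev.Tenant != tenant {
			return nil, fmt.Errorf("line %d: record for tenant %q in export for %q", n, ev.Tenant, tenant)
		}
		events = append(events, ev)
	}
	return events, sc.Err()
}

// cefEscape handles the characters CEF reserves inside extension values.
func cefEscape(s string) string {
	return strings.NewReplacer(`\`, `\\`, "=", `\=`, "\n", `\n`).Replace(s)
}

// ToCEF renders one event as an ArcSight CEF line, which most SIEMs ingest; vendor/product are placeholders.
func ToCEF(ev AuditEvent) (string, error) {
	ts, err := time.Parse(time.RFC3339, ev.Time)
	if err != nil {
		return "", err
	}
	sev := 3
	if ev.Outcome == "failure" {
		sev = 5
	}
	hdr := strings.NewReplacer(`\`, `\\`, "|", `\|`).Replace(ev.Action) // header fields escape '|' differently
	return fmt.Sprintf("CEF:0|ExampleVendor|CloudHistorian|1.0|%s|%s|%d|rt=%d suser=%s src=%s outcome=%s",
		hdr, hdr, sev, ts.UnixNano()/1e6, cefEscape(ev.User), ev.Source, ev.Outcome), nil
}

// FailedLoginSources returns sources with at least threshold failed logins: a rule the asset owner's SIEM would run.
func FailedLoginSources(events []AuditEvent, threshold int) []string {
	counts := map[string]int{}
	for _, ev := range events {
		if ev.Action == "login" && ev.Outcome == "failure" {
			counts[ev.Source]++
		}
	}
	var hits []string
	for src, c := range counts {
		if c >= threshold {
			hits = append(hits, src)
		}
	}
	return hits
}

func main() {
	events, err := ParseExport(cleanExport, "plant-a")
	if err != nil {
		panic(err)
	}
	line, _ := ToCEF(events[0])
	fmt.Println(line)
	fmt.Println("brute-force sources:", FailedLoginSources(events, 3))
	_, err = ParseExport(leakyExport, "plant-a")
	fmt.Println("leaky export rejected:", err)
}
```

Rejecting the whole batch on a foreign record, rather than filtering it out, is deliberate: the export path is itself evidence for the CAIQ question about isolating incidents to specific tenants, and a record from another tenant is the finding, not noise.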
Legal Compliance
Consensus Assessment Questions by control group:
Audit Assurance & Compliance – Information System Regulatory Mapping: Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?
Data Security & Information Lifecycle Management – Data Inventory / Flows: Can you ensure that data does not migrate beyond a defined geographical residency?
Datacenter Security – Secure Area Authorization: Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
Summary
● Assessing the security of a Cloud SaaS solution can be daunting
● Certifications provide transparency and visibility into the Cloud Provider’s security controls
  ● They deliver evidence-based confidence and compliance-supporting data and artifacts
● Cloud Providers that are not certified can be assessed using the Consensus Assessments Initiative Questionnaire
TRUST