www.cloudsecurityalliance.org  Copyright © 2013 Cloud Security Alliance
CSA Cloud Trust Protocol and A4Cloud:
Enforcing cloud accountability through security continuous monitoring
November 2013, Research Council of Norway
Daniele Catteddu, CSA Managing Director EMEA and OCF Project Director
www.cloudsecurityalliance.org  Copyright © 2011 Cloud Security Alliance  /  Copyright © 2013 Cloud Security Alliance
About the Cloud Security Alliance
Global, not-for-profit organisation
Over 48,000 individual members, more than 180 corporate members, and 65 chapters
Building best practices and a trusted cloud ecosystem
Agile philosophy, rapid development of applied research
GRC: Balance compliance with risk management
Reference models: build using existing standards
Identity: a key foundation of a functioning cloud economy
Champion interoperability
Enable innovation
Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
Security Benefits
Economy of Scale
RISKS
OPENNESS & TRANSPARENCY
NEW GOVERNANCE MODELS
ACCOUNTABILITY
This project is partly funded from the European Commission’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no: 317550 (A4CLOUD).
Cloud Accountability Project
The project focuses on accountability as the most critical prerequisite for effective governance and control of corporate and private data processed by cloud-based IT services.
It aims to assist cloud service providers with:
• Techniques to make services more trustworthy
• Ways to satisfy business policies and demonstrate compliance
• Allowing differentiation
A4Cloud Members
Industry
Community
Research
Drivers for accountability
Globalisation and new technologies
• Cloud computing presents a paradigm shift in how IT is deployed and consumed
Uncertainty and lack of visibility (for consumers, clients and regulators)
• Privacy and trust come from sound stewardship of information by service providers, for which we need to hold them accountable
Regulatory complexity in global business environments, especially for cloud
• Accountability addresses global interoperability
• Clear and consistent framework of data protection rules
• Allows avoidance of a complex matrix of national laws and reduces unnecessary layers of complexity for cloud providers
• New technologies like cloud are straining traditional privacy frameworks
Context (diagram)
Principles, regulations and societal norms: what is the right thing?
Design: how to do the right thing
Accountability: trying to get organisations to do the right thing; holding them to account if they don't; facilitating redress
Accountability supports and complements design and principles:
Control over practical aspects of compliance
Obligation to prove that principles are put into effect
Cloud ecosystem
Model of Accountability
Conceptual model of accountability (diagram)
Accountability: attributes (What?), practices (How?), mechanisms (With what?)
Levels: conceptual, organisational, operational; ranging from abstract to concrete
Defining accountability
Accountability consists of defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly.
Accountability attributes
• Observability
• Verifiability
• Attributability
• Transparency
• Responsibility
• Liability
• Remediation
Accountability practices
• Define governance
• Ensure implementation
• Explain & justify actions
• Remedy failures
Accountability mechanisms contain:
• Business processes (auditing, risk assessment, etc.)
• Non-technical instruments (contracts, legal means, etc.)
• Technical tools (tracking and transparency tools, notification of policy violation, etc.)
What is needed
• Accountability framework
• Accountability metrics
• Accountability evidence mechanisms and tools
• Auditing mechanisms and tools
• Policy compliance mechanisms and tools
• Reference architecture for accountability
• Interoperable mechanisms and tools

A4Cloud project
Work areas: trustworthy architecture; privacy assurance; trust assurance; governance; security and trust economics; policies; transparent security
• Risk and trust models for accountability
• Accountability policy language
• Enforcement mechanisms for accountability
• User-centric accountability tools
A4Cloud & CSA
A4Cloud results are relevant to a number of CSA research and educational activities, as well as in the context of the Open Certification Framework.
The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service clients can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.
An idea for a consumer/provider protocol (diagram)
CTP between consumer and provider: commitments, reports and alerts
Example attributes: confidentiality level, uptime, …
Transparency and trust
OCF level 1: Cloud self-certification
OCF level 2: Third-party cloud certification
OCF level 3: Cloud monitoring based certification
Goal: Transparency and trust
What we have today…
1. API & data model: REST + XML. What is… a report, a commitment, an alert? A security attribute? A resource, a service?
2. Security attribute catalogue: “Availability”, “timely incident reporting”, “confidentiality level”…
3. A prototype
Challenge 1:
Standardizing cloud security attributes
(Figure: electricity consumption, 0.06 kWh = 0.06 kWh = 0.06 kWh, set against cloud availability, 99.95% = 99.95% = 99.95%)
Challenge 2:
Finding good security attributes
Is “1 vulnerability found” better or worse than “5 vulnerabilities found”?
Compare: 100 vulnerabilities published in 2013 (NVD); 9 relevant to our platform; 8 tested; 1 found exploitable (severity = 6.0); time between discovery and fix = 5 days.
Challenge 3:
Fitting CTP in OCF level 3
The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.
Challenge 4:
Integrating CTP in A4Cloud
Lessons already learned
Good attributes need to be:
Well defined, consistently measured
Cheap to evaluate, automated
Correlated to consumer utility
Some interesting but tricky areas:
Vulnerability management, data location, staff data access, incident response….
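As an added illustration of the consumer/provider exchange sketched on the earlier CTP slide (commitments, reports, alerts) and of the "good attribute" criteria on this one, the following Python model is not CSA or A4Cloud code and does not implement the real CTP API (REST + XML). The attribute names, the comparison operators and all sample data are constructed for the example; the two measurement functions show what "cheap to evaluate, automated" can look like, and the vulnerability attribute is a discovery-to-fix gap rather than a raw count, following the point of Challenge 2.

```python
"""Toy model of a CTP-style exchange (added example, not CSA/A4Cloud code).

A provider publishes commitments on security attributes, a consumer asks
for reports on those attributes, and an alert is produced whenever a report
does not satisfy the corresponding commitment. All names and data below
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Union

Value = Union[float, int, str]


@dataclass(frozen=True)
class Commitment:
    attribute: str   # assumed catalogue name, e.g. "availability"
    operator: str    # ">=", "<=" or "=="
    value: Value


@dataclass(frozen=True)
class Report:
    attribute: str
    value: Optional[Value]
    period: str      # reporting window, free text here


@dataclass(frozen=True)
class Alert:
    attribute: str
    committed: Value
    observed: Value


def commitment_holds(c: Commitment, observed: Value) -> bool:
    """Check one observed value against a commitment."""
    if c.operator == ">=":
        return observed >= c.value
    if c.operator == "<=":
        return observed <= c.value
    if c.operator == "==":
        return observed == c.value
    raise ValueError(f"unknown operator {c.operator!r}")


# --- measurements: simple, automatable computations over raw evidence ---

def availability_percent(minutes_in_period: int, outage_minutes: int) -> float:
    """Uptime as a percentage of the period, rounded to 3 decimals."""
    return round(100.0 * (minutes_in_period - outage_minutes) / minutes_in_period, 3)


def max_days_to_fix(vulns: List[dict]) -> Optional[int]:
    """Longest discovery-to-fix gap among vulnerabilities found exploitable.

    A raw count of vulnerabilities says little on its own (Challenge 2);
    how long an exploitable one stayed open is closer to consumer utility.
    """
    gaps = [(v["fixed"] - v["discovered"]).days for v in vulns if v["exploitable"]]
    return max(gaps) if gaps else None


class Provider:
    """Provider side: answers requests for commitments and reports."""

    def __init__(self, commitments: List[Commitment], reports: Dict[str, Report]):
        self._commitments = commitments
        self._reports = reports

    def get_commitments(self) -> List[Commitment]:
        return list(self._commitments)

    def get_report(self, attribute: str) -> Optional[Report]:
        return self._reports.get(attribute)


def consumer_check(provider: Provider) -> List[Alert]:
    """Consumer side: fetch a report per commitment and alert on breaches.

    A missing report is itself a finding, so it is reported as an alert.
    """
    alerts: List[Alert] = []
    for c in provider.get_commitments():
        r = provider.get_report(c.attribute)
        if r is None or r.value is None:
            alerts.append(Alert(c.attribute, c.value, "no report"))
            continue
        if not commitment_holds(c, r.value):
            alerts.append(Alert(c.attribute, c.value, r.value))
    return alerts


# --- constructed sample data (not real vulnerabilities or provider figures) ---
SAMPLE_VULNS = [
    {"id": "VULN-A", "exploitable": True, "discovered": date(2013, 3, 1), "fixed": date(2013, 3, 6)},
    {"id": "VULN-B", "exploitable": False, "discovered": date(2013, 4, 2), "fixed": date(2013, 4, 20)},
    {"id": "VULN-C", "exploitable": True, "discovered": date(2013, 5, 10), "fixed": date(2013, 5, 19)},
]


def build_sample_provider() -> Provider:
    """Provider with three assumed commitments and one month of sample evidence."""
    commitments = [
        Commitment("availability", ">=", 99.95),
        Commitment("confidentiality_level", "==", "encrypted_at_rest"),
        Commitment("max_days_to_fix_exploitable", "<=", 7),
    ]
    reports = {
        "availability": Report("availability", availability_percent(43200, 10), "2013-10"),
        "confidentiality_level": Report("confidentiality_level", "encrypted_at_rest", "2013-10"),
        "max_days_to_fix_exploitable": Report("max_days_to_fix_exploitable", max_days_to_fix(SAMPLE_VULNS), "2013"),
    }
    return Provider(commitments, reports)


if __name__ == "__main__":
    for a in consumer_check(build_sample_provider()):
        print(f"ALERT {a.attribute}: committed {a.committed}, observed {a.observed}")
```

Running the block yields a single alert: the sample provider meets its availability and confidentiality commitments, but one exploitable vulnerability took 9 days to fix against a 7-day commitment. The same loop works for any attribute that can be reduced to a value and an operator, which is exactly what a well-defined, consistently measured attribute has to allow.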
Now it’s your turn!
The CTP working group
CSA launches the CTP working group:
Objective 1: Define CTP vision, goals, design principles.
Objective 2: Define CTP data model.
Objective 3: Specify the CTP API.
Objective 4: Specify CTP core security attributes.
Objective 5: Implement a CTP pilot.
Objective 6: Support OCF monitoring based certification.
Help Us Secure Cloud Computing
www.cloudsecurityalliance.org
www.linkedin.com/groups?gid=1864210
www.a4cloud.eu