Keynote address: Securing the cloud
July 28, 2011

Phil Agcaoili
Cloud Security Alliance, Co-founding member
CSA Cloud Controls Matrix (CCM), Inventor and co-author
CSA GRC Stack, Co-founder and committee co-chair
CSA Atlanta Chapter, Founder and Chapter Officer

Secure Computing Magazine - SC World Congress 2/7 eConference - Keynote: Securing the cloud


Enterprise end-users are becoming more reliant on cloud computing applications and virtualized environments, in general, to enable the sharing of information with one another more quickly. And while some companies are being cautious with their moves to the cloud, limiting the kinds of information stored and exchanged there, others are taking some risks. What can executives do to better plan and implement security best practices in the cloud? We speak with some experts.


Page 2

Customers of Cloud
• Enterprises – large scale services
  – Outsource whole-sale IT services such as payroll, HR/benefits, CRM, help desk/service desk, etc.
• Startups — developers using Web at scale
  – Web-based business, SaaS, collaboration services, widget providers, mobile services, and social networking
• Small businesses — using SaaS
  – Online businesses, online presence, collaboration, and enterprise integration
• Enterprises — developers and one-off projects
  – R&D projects, quick promotions, widgets, online collaboration, partner integration, social networking, and new business ventures
• Firms — with compute intensive tasks
  – Overnight ad placement or transportation calculations

“If you move your data centre to a cloud provider, it will cost a tenth of the cost.” – Brian Gammage, Gartner Fellow

“Using cloud infrastructures saves 18% to 29% before considering that you no longer need to buy for peak capacity” – George Reese, founder Valtira and enStratus

“Web service providers offer APIs that enable developers to exploit functionality over the Internet, rather than delivering full-blown applications.” – Infoworld

Page 3

“In the Cloud, step one is trusting, and that's not security — that's hope.”
– Andrew Walls, Gartner Group

You cannot outsource responsibility.

Page 4

Top Threats of Cloud Computing

CSA Research Study Findings:
• Shared Technology Vulnerabilities
• Data Loss/Data Leakage
• Malicious Insiders
• Interception or Hijacking of Traffic
• Insecure APIs
• Account/Service Hijacking
• Nefarious Use of Service

HTTP://CLOUDSECURITYALLIANCE.ORG/TOPTHREATS

Page 5

Cloud Security = Loss of Control
• Loss of direct access – in the Cloud you are at least one step removed
• Multi-tenancy – not an issue in private computing, where there are no shared devices or services
• Commingling – will your data be mixed in with other clients' data? How will it be segregated?
• Resource pooling – how will resource conflicts be resolved? Who gets first response?
• Ineffective data deletion – if you change providers, does your data get destroyed? Unintentional destruction?
• Legal snafus/data exhaust – if Company A has their data subpoenaed and your data is also on the same device, what happens to your data?

[Figure: Traditional Security Model vs. New Security Model. Traditional model – control rests on my hardware (root), my software, and my people. New model – control rests on encryption and signatures, service level agreements, and auditable security standards.]

Page 6

Moving to the Cloud
• Assess the business
• Assess the culture
• Assess the value
• Understand your data
• Understand your services
• Understand your processes
• Understand the cloud resources
• Identify candidate data
• Identify candidate services
• Identify candidate processes
• Create a governance strategy
• Bind candidate services to data and processes
• Relocate services, processes, and information
• Implement security
• Implement governance
• Implement operations
• Create a security strategy

Page 7

Secure Adoption of the Cloud
• Understand the threats and the risks
• CSA Guidance
  – Identify the asset for the cloud deployment
  – Evaluate the asset
  – Map the asset to potential cloud deployment models
  – Evaluate potential cloud service models and providers
  – Sketch the potential data flow
  https://wiki.cloudsecurityalliance.org/guidance
• Mitigating the risks
  – Legal contracts and SLAs with Cloud Service Providers (CSPs)
    • CSA Atlanta Chapter Project 2 – Contractual Guidance (coming soon)
  – Audits, Attestations, and Certifications for Cloud Trust and Assurance
    • ISO 27001 Certification
      – Amazon
        » ISO 27001
        » SAS 70 Type II
        » FISMA moderate Authority to Operate
        » HIPAA – current customer deployments
        Whitepaper describes the specifics: http://aws.amazon.com/security
    • AICPA SSAE 16 (SOC 1, 2, and 3) / ISAE 3402
      – Replaced SAS 70 as of June 2011
    • CSA STAR (coming soon) and CSA GRC Stack standards usage
      Microsoft Office 365 (formerly BPOS) ISO27K to CSA CCM Mapping: http://www.microsoft.com/download/en/details.aspx?id=26647
      – CloudAudit
      – Cloud Controls Matrix (CCM)
      – Consensus Assessments Initiative Questionnaire (CAIQ)
      – Cloud Trust Protocol (CTP)

Page 8

CSA Governance, Risk, and Compliance (CSA GRC) Stack
• Suite of tools, best practices and enabling technology
• Consolidate industry research & simplify GRC in the cloud
• For cloud providers, enterprises, solution providers and audit/compliance
• Controls Framework, Questionnaire and Continuous Controls Monitoring Automation
• Simplifies customer and cloud provider attestation to accelerate cloud adoption

https://cloudsecurityalliance.org/grc-stack

[Figure: CSA GRC Stack – control requirements and provider assertions, applied across private and public clouds.]

Page 9

CSA GRC Stack – Industry Collaboration & Support
• International Organization for Standards (ISO)
  – ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy
• European Network and Information Security Agency (ENISA)
  – Common Assurance Maturity Model (CAMM)
• American Institute of Certified Public Accountants (AICPA)
  – Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
  – Next generation SAS 70 Type I and II attestation
• National Institute of Standards and Technology (NIST)
  – Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)
• Inverse Control Framework Mappings
  – Unified Compliance Framework (UCF)
  – Payment Card Industry (PCI) DSS
  – Health Information Trust Alliance (HITRUST)
  – Information Systems Audit and Control Association (ISACA) COBIT
  – BITS Shared Assessments SIG/AUP + TG Participation
  – Information Security Forum (ISF)

Page 10

Challenges for the CAIQ
• Due diligence and contracting represent major obstacles to cloud adoption, with vendors forced to respond to a multitude of similar customer concerns, expressed differently by each prospective customer.
• The CAIQ was identified by the CSA Atlanta Chapter legal support group as the best beginning for a standardized due diligence tool, but the CAIQ is not yet widely used in the due diligence prior to cloud contracting.
• The CAIQ is constructed as a series of yes/no questions, useful for high-level comparisons between vendors.
  – A "yes" or "no" response to any of the CAIQ's terse, broad questions may have little value or even mislead, however, without narrative describing the basis for that response.
• The CAIQ has not received legal review, and does not address some important legal issues.

Page 11

The CSA Atlanta Chapter Project and Its Value
• Fill the CAIQ out so that it effectively addresses all general legal and risk management issues (i.e., issues not limited to a specific business sector or region) that should arise in the due diligence process.
• Provide for supporting narrative complementing the yes/no answers to all questions.
  – The value to vendors is that they can write only once (and then update) a single, comprehensive set of answers to due diligence questions.
  – Prospective customers can use the yes/no answers to make instantaneous vendor comparisons, and then drill deeper into the related narratives.

Page 12

Legal and Contract Issues with Cloud

“Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach. The starting point contractually often favors the vendor, resulting in a potential misalignment with user requirements.” – Gartner

9 Security Areas to Include in a CSP-related Contract:
• Security
• Data privacy conditions
• Uptime guarantees
• Service-level agreement (SLA) penalties
• SLA penalty exclusions
• Business continuity and disaster recovery
• Suspension of service
• Termination
• Liability

Page 13

philA’s Approach to Using the CSA GRC Stack
1. Pre-sales – Use the CAI Questionnaire (CAIQ)
2. Contracts (MSA) – Attach CAIQ + CCM
3. Post-sales assurance and continuous compliance – Use CloudAudit to verify contract and pre-sales assertions

*CSA STAR will support this approach in an official manner.

Page 14

Cloud Back Out Plan Considerations
• Include provisions for transition assistance requiring the vendor to assist you with transition to a new vendor.
• Require the return or secure destruction of all data held by the vendor.
• Have the right to verify compliance.
• The transition period may last from 30 days to 6 months.

Page 15

Summary
• Adopt Cloud that works for you
• Understand the risks
• Know your limits
• Conduct due diligence
  – Use available Cloud Trust and Assurance tools
• Work with your Legal and Procurement teams to ensure contractual obligations exist and are met

Page 16

About the Cloud Security Alliance
• Global, not-for-profit organization
• Over 22,000 individual members, 100 corporate members
• Building good practices and a trusted cloud ecosystem
• Agile philosophy, rapid development of applied research
  – GRC: Balance compliance with risk management
  – Reference models: build using existing standards
  – Identity: a key foundation of a functioning cloud economy
  – Champion interoperability
  – Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 17

Questions and Answers…

HTTP://CLOUDSECURITYALLIANCE.ORG
http://cloudsecurityalliance.org/cm
http://cloudsecurityalliance.org/grc-stack
https://wiki.cloudsecurityalliance.org/guidance
http://cloudsecurityalliance.org/topthreats
http://AICPA.ORG/SOC/
http://www.opencloudmanifesto.org
http://www.opengroup.org/jericho
http://www.nist.gov/itl/cloud/index.cfm
http://www.microsoft.com/download/en/details.aspx?id=26647
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

CSA LinkedIn: www.linkedin.com/groups?gid=1864210

Many thanks to:
Jon Neiditz, Nelson Mullins Riley & Scarborough, for leading the development of the CSA Atlanta Chapter Project 2 (Contractual Guidance) and for some of the material used in today’s presentation.
David Barton, UHY LLP, for some of the material used in today’s presentation.

Phil Agcaoili
Twitter: hacksec