© 2011 Cloud Security Alliance, Inc. All rights reserved.
Cloud Security Alliance & GRC Stack
Materials by Cloud Security Alliance.org
  1. Cloud Security Alliance & GRC Stack
     Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance, & Prof. Kai Hwang, University of Southern California
     Presented to Triad ISSA, NC, January 26, 2012
     Valdez Ladd, ISSA Raleigh, NC, 2012
  2. About the Cloud Security Alliance
     – Global, not-for-profit organization
     – Building best practices and a trusted cloud ecosystem
     – Comprehensive research and tools
     – Certificate of Cloud Security Knowledge (CCSK)
     – www.cloudsecurityalliance.org
  3. Presentation Outline
     – Introduction: what this class is about, prerequisites, how to benefit
     – Cloud basics
     – PCI DSS + cloud scenario for example
     – Cloud Security Alliance toolsets: Control Matrix, Consensus Assessments, etc.
     – Conclusions and action items
  4. Cloud?
  5. NIST Definition of Cloud Computing
     “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
  6. 5 Essential Cloud Characteristics
     1. On-demand self-service
     2. Broad network access
     3. Resource pooling – location independence
     4. Rapid elasticity
     5. Measured service
  7. 3 Cloud Service Models
     1. Cloud Software as a Service (SaaS) – use provider’s applications over a network
     2. Cloud Platform as a Service (PaaS) – deploy customer-created applications to a cloud
     3. Cloud Infrastructure as a Service (IaaS) – rent processing, storage, network capacity, and other fundamental computing resources
     To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics.
  8. 4 Cloud Deployment Models
     – Private cloud: enterprise owned or leased
     – Community cloud: shared infrastructure for a specific community
     – Public cloud (our focus in this class!): sold to the public, mega-scale infrastructure
     – Hybrid cloud: composition of two or more clouds
  9. (image slide, no text)
  10. 7 Common Cloud Characteristics
     1. Massive scale
     2. Homogeneity
     3. Virtualization
     4. Resilient computing
     5. Low cost software
     6. Geographic distribution
     7. Service orientation
  11. All of this TOGETHER: The Cloud (diagram)
     – Deployment Models: Community Cloud, Private Cloud, Public Cloud, Hybrid Clouds
     – Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
     – Essential Characteristics: Resource Pooling, Broad Network Access, Rapid Elasticity, Measured Service, On Demand Self-Service
     – Common Characteristics: Low Cost Software, Virtualization, Service Orientation, Advanced Security, Homogeneity, Massive Scale, Resilient Computing, Geographic Distribution
  12. Example IaaS // Amazon Cloud
     Amazon cloud components:
     – Elastic Compute Cloud (EC2)
       • Run your own or Amazon’s OS “instances”
     – Simple Storage Service (S3)
     – SimpleDB
     – Other services
  13. Example PaaS // Google App Engine
     – Create, deploy and run applications
     – NO control (or, in fact, even visibility) of the OS
     – Use the SDK to develop the applications
     – Run “natively” in the cloud
  14. Example SaaS // Salesforce
     – Well-known SaaS CRM application
     – Cloud CRM + a lot more applications
  15. Example P/IaaS // Azure
     Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
  16. Service Model Architectures (diagram)
     – Infrastructure as a Service (IaaS) Architectures: IaaS on Cloud Infrastructure
     – Platform as a Service (PaaS) Architectures: PaaS on Cloud Infrastructure, or PaaS on IaaS on Cloud Infrastructure
     – Software as a Service (SaaS) Architectures: SaaS on Cloud Infrastructure, or SaaS on PaaS on Cloud Infrastructure, or SaaS on PaaS on IaaS on Cloud Infrastructure
  17. Security: Barrier to Adoption?
  18. What is Different about Cloud?
  19. Security Relevant Cloud Components
     – Cloud Provisioning Services
     – Cloud Data Storage Services
     – Cloud Processing Infrastructure
     – Cloud Support Services
     – Cloud Network and Perimeter Security
     – Elastic Elements: Storage, Processing, and Virtual Networks
  20. What is Different about Cloud? (who owns each layer, by service model)
     SERVICE OWNER   SaaS       PaaS       IaaS
     Data            Joint      Tenant     Tenant
     Application     Joint      Joint      Tenant
     Compute         Provider   Joint      Tenant
     Storage         Provider   Provider   Joint
     Network         Provider   Provider   Joint
     Physical        Provider   Provider   Provider
  21. What is Different about Cloud?
  22. What is Different about Cloud?
  23. CSA Cloud “Threats”
     1. Abuse & Nefarious Use of Cloud Computing
     2. Insecure Interfaces & APIs
     3. Malicious Insiders
     4. Shared Technology Issues
     5. Data Loss or Leakage
     6. Account or Service Hijacking
     7. Unknown Risk Profile
  24. ENISA Cloud Computing Risk Assessment
     http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
     1. Loss of governance
     2. Lock-in
     3. Isolation failure
     4. Compliance risks
     5. Management interface compromise
     6. Data protection
     7. Insecure or incomplete data deletion
     8. Malicious insider
  25. Cloud “Threats” – Top 3
     1. Authentication abuse
     2. Operations breakdown
     3. Misuse of cloud-specific technology
  26. FBI Takes Cloud Away
  27. While we are “in the cloud”
     Here are some additional CSA/cloud security resources…
  28. CSA GRC Stack
     Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.
     (diagram labels: Control Requirements, Provider Assertions, Private, Community & Public Clouds)
  29. CSA CloudAudit
     – Open standard and API to automate provider audit assertions
     – Change audit from data gathering to data analysis
     – Necessary to provide audit & assurance at the scale demanded by cloud providers
     – Uses the Cloud Controls Matrix as the controls namespace
     – Use to instrument the cloud for continuous controls monitoring
  30. CSA Cloud Controls Matrix
     – Controls derived from guidance
     – Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
     – Rated as applicable to SaaS/PaaS/IaaS
     – Customer vs Provider role
     – Help bridge the “cloud gap” for IT & IT auditors
     https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
  31. Next?
  32. Thanks for Your Review!
     Acknowledgement to Dr. Anton Chuvakin, SecurityWarrior LLC for Cloud Security Alliance, Cloud Security Alliance.org
     Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by for Triad ISSA, NC, January 26, 2012
     Valdez Ladd, ISSA Raleigh, NC, 2011
  33. (closing slide, no text)