Governing in the Cloud
Presentation to the CSA Norway Members on February 9th, 2011.
    Governing in the Cloud: Presentation Transcript

    • Governing in the Cloud
      Rolf Frydenberg
      Joymount AS, Senior Advisor
      February 9, 2011
    • Agenda
      Cloud Security Alliance – general and Norway
      CSA Cloud Security Guidance
      NIST Cloud Definition Framework
      Governance and Enterprise Risk Management
      Legal and Electronic Discovery
      Compliance and Audit
      Information Lifecycle Management
      Portability and Interoperability
      Other CSA Domains – Operations
      Cloud Controls Matrix
      CSA GRC Stack
    • About the Cloud Security Alliance
      Global, not-for-profit organization
      Over 16,000 individual members, 80 corporate members
      Building best practices and a trusted cloud ecosystem
      Agile philosophy, rapid development of applied research
      GRC: Balance compliance with risk management
      Reference models: build using existing standards
      Identity: a key foundation of a functioning cloud economy
      Champion interoperability
      Advocacy of prudent public policy
      “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
    • What We Did in 2010
      Threat Research: Top Threats to Cloud Computing; announced at RSA 2010, shared technology vulnerabilities, data loss/leakage, malicious insiders, insecure APIs, etc.
      Certificate of Cloud Security Knowledge; released Sep 1 2010, web-based test for competency in CSA Guidance
      Trusted Cloud Initiative; Cloud security reference architecture, secure and interoperable identity in the cloud, responsibilities for identity providers
      Cloud Controls Matrix Tool; 98 controls derived from guidance, mapped to ISO 27001, COBIT, PCI DSS, HIPAA
      Consensus Assessment Initiative; research tool and processes to assess cloud providers, V 1 released Oct 2010 with 140 provider questions
      Cloud Audit; Open standard and API to automate provider audit assertions, uses CCM, www.cloudaudit.org
      CSA GRC Stack; suite of tools, best practices, enabling technology, simplify GRC in the cloud
    • Plans for 2011
      CSA Guidance Research; V3 target for Q3 2011; best practices
      CSA GRC Stack; Expand, pilot projects, embed in providers and products
      Trusted Cloud Initiative; Release reference architecture and certifications
      CloudCERT; Consensus research, best practices
      CCSK; Role-specific training, hands-on lab
      CCM; V 2 target 1H 2011; increase mappings, fine tune controls, ISO engagement
      Cloud Metrics Research; Metrics for each of the 98 controls in CCM; create baseline capability
      Security as a Service; Define it, solution categories, guidance, align with other CSA research
    • CSA Norway Chapter
      Established in October 2010
      80 individual members (Feb 2011)
      Board of six directors elected Oct 2011:
      Rolf Frydenberg, Joymount (president)
      Geir-Arild Engh-Hellesvik, KPMG (secretary)
      Lars Egil Sætrang, Promon (treasurer)
      Helge Skrivervik, Team Mellvik
      Tor Andre Breivikås, Teleplan
      Chunming Rong, University of Stavanger
      First Members’ Meeting in December 2010 (Private vs Public Cloud)
      Second Members’ Meeting in February 2011 (Compliance in the Cloud)
      Co-op seminar planned with Dataforeningen (Norwegian Computing Society)
    • CSA Guidance Research
      CSA Guidance 2.1: > 100k downloads
      Cloud Architecture
      Governing the Cloud:
      Governance and Enterprise Risk Management
      Legal and Electronic Discovery
      Compliance and Audit
      Information Lifecycle Management
      Portability and Interoperability
      Operating in the Cloud:
      Security, Business Continuity, and Disaster Recovery
      Data Center Operations
      Incident Response, Notification, Remediation
      Application Security
      Encryption and Key Management
      Identity and Access Management
    • Cloud Reference Architecture (According to NIST)
    • Governance and Enterprise Risk Management
      Develop robust information security guidance regardless of the service or delivery model
      Review information security governance structures and processes, as well as security controls; include the vendor’s complete supply chain!
      Collaborative governance and risk management as part of development, deployment and operation of services
      Methods and metrics for measuring performance and effectiveness of security management
      Determine risk exposure before detailed requirements
      Risk Management through valuation of assets, identification of threats and vulnerabilities; management acceptance of risk levels and options (control, avoid, transfer, accept)
      Cloud vendors should include measures and controls to assist customers in their Risk Management
    • Legal and Electronic Discovery
      Mutual understanding of each other’s roles and responsibilities related to e-discovery, litigation, searches, etc.
      Plan for both expected and unexpected termination of agreement
      Agreement must allow customer and/or third party to monitor service provider’s performance and test for vulnerabilities
      In many cases there is a requirement to know – down to physical disk – where data is stored
      Customer must ensure it retains ownership of all data it stores on behalf of its customers and employees
    • Compliance and Audit
      The provider’s standard terms and conditions may not address your compliance needs
      Make sure you have the right and access capabilities to perform audits
      Determine whether you are subject to compliance regulations with specific Cloud Computing requirements
      Analyze the impact of regulations regarding data security on use of Cloud Computing
      Require that the cloud provider has at least a roadmap for ISO/IEC 27001 compliance
      CSA has called for the whole industry to be ISO/IEC 27002 compliant
      When selecting an external auditor, ensure the auditor has Cloud Computing knowledge and experience
    • Information Lifecycle Management
      Understand how data integrity is maintained and how compromise of integrity is detected and communicated
      Ensure specific identification of all controls used during the lifecycle of the data
      Understand circumstances under which storage can be seized by a third party or government entity, and require advance notification of any such action
      Use a “Default Deny All” policy for all data, applied to all cloud provider personnel and subcontractors, as well as third parties; it is often preferable to apply it to your own employees as well
      Identify trust boundaries throughout the IT architecture and abstraction layers
      Understand how encryption and key management are handled on multi-tenant storage and other multi-tenant components of the service
    • Portability and Interoperability
      Substituting cloud providers is in virtually all cases a negative transaction for at least one party; plan for this from the outset
      Document the security architecture, configuration and controls
      IaaS: Understand how virtual machine images can be captured and ported; identify and eliminate provider-specific extensions to VM environment
      PaaS: Use platform components with standard syntax, open APIs and open standards; understand how tools and services like backup/restore, monitoring, logging and audit would transfer to a new vendor
      SaaS: Perform regular data extractions to a format that is usable without the current SaaS provider; Understand any custom tools that are developed and configured specially
    • Other CSA Domains: Operations
      Security, Business Continuity, Disaster Recovery
      Data Center Operations
      Incident Response, Notification, Remediation
      Application Security
      Encryption and Key Management
      Identity and Access Management
    • Cloud Controls Matrix Tool
      Controls derived from guidance
      Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
      Customer vs Provider role
      Mapped to ISO 27001, COBIT, PCI, HIPAA
      Help bridge the gap for IT & IT auditors
    • CSA GRC Stack
      Recent News: CSA GRC Stack – on your USB drive
      Suite of tools, best practices and enabling technology
      Consolidate industry research & simplify GRC in the cloud
      For cloud providers, enterprises, solution providers and audit/compliance
      Provider Assertions
      Private & Public Clouds
      Control Requirements
    • Thanks for listening!
      Rolf Frydenberg, rolff@joymount.no
      CSA Norway & Joymount AS