Governing in the Cloud

Presentation to the CSA Norway Members on February 9th, 2011.

Published in: Technology

Transcript

  1. Governing in the Cloud
     Rolf Frydenberg, Joymount AS, Senior Advisor
     February 9, 2011

  2. Agenda
     • Cloud Security Alliance – general and Norway
     • CSA Cloud Security Guidance
     • NIST Cloud Definition Framework
     • Governance and Enterprise Risk Management
     • Legal and Electronic Discovery
     • Compliance and Audit
     • Information Lifecycle Management
     • Portability and Interoperability
     • Other CSA Domains – Operations
     • Cloud Controls Matrix
     • CSA GRC Stack

  3. About the Cloud Security Alliance
     • Global, not-for-profit organization
     • Over 16,000 individual members, 80 corporate members
     • Building best practices and a trusted cloud ecosystem
     • Agile philosophy, rapid development of applied research
     • GRC: balance compliance with risk management
     • Reference models: build using existing standards
     • Identity: a key foundation of a functioning cloud economy
     • Champion interoperability
     • Advocacy of prudent public policy
     “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

  4. What We Did in 2010
     • Threat Research: Top Threats to Cloud Computing; announced at RSA 2010; shared technology vulnerabilities, data loss/leakage, malicious insiders, insecure APIs, etc.
     • Certificate of Cloud Security Knowledge; released Sep 1 2010; web-based test for competency in CSA Guidance
     • Trusted Cloud Initiative; cloud security reference architecture, secure and interoperable identity in the cloud, responsibilities for identity providers
     • Cloud Controls Matrix Tool; 98 controls derived from guidance, mapped to ISO 27001, COBIT, PCI DSS, HIPAA
     • Consensus Assessment Initiative; research tool and processes to assess cloud providers; V1 released Oct 2010 with 140 provider questions
     • Cloud Audit; open standard and API to automate provider audit assertions; uses CCM; www.cloudaudit.org
     • CSA GRC Stack; suite of tools, best practices and enabling technology to simplify GRC in the cloud

  5. Plans for 2011
     • CSA Guidance Research; V3 target for Q3 2011; best practices
     • CSA GRC Stack; expand, pilot projects, embed in providers and products
     • Trusted Cloud Initiative; release reference architecture and certifications
     • CloudCERT; consensus research, best practices
     • CCSK; role-specific training, hands-on lab
     • CCM; V2 target 1H 2011; increase mappings, fine-tune controls, ISO engagement
     • Cloud Metrics Research; metrics for each of the 98 controls in CCM; create baseline capability
     • Security as a Service; define it, solution categories, guidance, align with other CSA research

  6. CSA Norway Chapter
     • Established in October 2010
     • 80 individual members (Feb 2011)
     • Board of six directors elected Oct 2011:
       – Rolf Frydenberg, Joymount (president)
       – Geir-Arild Engh-Hellesvik, KPMG (secretary)
       – Lars Egil Sætrang, Promon (treasurer)
       – Helge Skrivervik, Team Mellvik
       – Tor Andre Breivikås, Teleplan
       – Chunming Rong, University of Stavanger
     • First Members’ Meeting in December 2010 (Private vs Public Cloud)
     • Second Members’ Meeting in February 2011 (Compliance in the Cloud)
     • Co-op seminar planned with Dataforeningen (Norwegian Computing Society)

  7. CSA Guidance Research
     • Cloud Architecture
     • Governing the Cloud:
       – Governance and Enterprise Risk Management
       – Legal and Electronic Discovery
       – Compliance and Audit
       – Information Lifecycle Management
       – Portability and Interoperability
     • Operating in the Cloud:
       – Security, Bus. Cont., and Disaster Recovery
       – Data Center Operations
       – Incident Response, Notification, Remediation
       – Application Security
       – Encryption and Key Management
       – Identity and Access Management
       – Virtualization
     CSA Guidance 2.1 > 100k downloads: cloudsecurityalliance.org/guidance

  8. Cloud Reference Architecture (According to NIST)

  9. Governance and Enterprise Risk Management
     • Develop robust information security guidance regardless of the service or delivery model
     • Review information security governance structures and processes, as well as security controls; include the vendor’s complete supply chain!
     • Collaborative governance and risk management as part of development, deployment and operation of services
     • Methods and metrics for measuring performance and effectiveness of security management
     • Determine risk exposure before detailed requirements
     • Risk management through valuation of assets and identification of threats and vulnerabilities; management acceptance of risk levels and options (control, avoid, transfer, accept)
     • Cloud vendors should include measures and controls to assist customers in their risk management

  10. Legal and Electronic Discovery
     • Mutual understanding of each other’s roles and responsibilities related to e-discovery, litigation, searches, etc.
     • Plan for both expected and unexpected termination of the agreement
     • The agreement must allow the customer and/or a third party to monitor the service provider’s performance and test for vulnerabilities
     • In many cases there is a requirement to know – down to the physical disk – where data is stored
     • The customer must ensure it retains ownership of all data it stores on behalf of its customers and employees

  11. Compliance and Audit
     • The provider’s standard terms and conditions may not address your compliance needs
     • Make sure you have the right and the access capabilities to perform audits
     • Determine whether you are subject to compliance regulations with specific Cloud Computing requirements
     • Analyze the impact of regulations regarding data security on use of Cloud Computing
     • Require that the cloud provider has at least a roadmap for ISO/IEC 27001 compliance
     • CSA has called for the whole industry to be ISO/IEC 27002 compliant
     • When selecting an external auditor, ensure they have Cloud Computing knowledge and experience

  12. Information Lifecycle Management
     • Understand how data integrity is maintained and how compromise of integrity is detected and communicated
     • Ensure specific identification of all controls used during the lifecycle of the data
     • Understand the circumstances under which storage can be seized by a third party or government entity, and require advance notification of any such action
     • Use a “Default Deny All” policy for all data, applied to all cloud provider personnel and subcontractors as well as third parties; often preferable for your own employees as well
     • Identify trust boundaries throughout the IT architecture and abstraction layers
     • Understand how encryption and key management are handled on multi-tenant storage and other multi-tenant components of the service

  13. Portability and Interoperability
     • Substituting cloud providers is in virtually all cases a negative transaction for at least one party; plan for this from the outset
     • Document the security architecture, configuration and controls
     • IaaS: understand how virtual machine images can be captured and ported; identify and eliminate provider-specific extensions to the VM environment
     • PaaS: use platform components with standard syntax, open APIs and open standards; understand how tools and services like backup/restore, monitoring, logging and audit would transfer to a new vendor
     • SaaS: perform regular data extractions to a format that is usable without the current SaaS provider; understand any custom tools that are developed and configured specially

  14. Other CSA Domains: Operations
     • Security, Business Continuity, Disaster Recovery
     • Data Center Operations
     • Incident Response, Notification, Remediation
     • Application Security
     • Encryption and Key Management
     • Identity and Access Management
     • Virtualization

  15. Cloud Controls Matrix Tool
     • Controls derived from guidance
     • Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
     • Customer vs provider role
     • Mapped to ISO 27001, COBIT, PCI, HIPAA
     • Helps bridge the gap for IT and IT auditors

  16. CSA GRC Stack
     • Recent news: CSA GRC Stack – on your USB drive
     • Suite of tools, best practices and enabling technology
     • Consolidate industry research and simplify GRC in the cloud
     • For cloud providers, enterprises, solution providers and audit/compliance
     • www.cloudsecurityalliance.org/grcstack
     Diagram labels: Provider Assertions; Private & Public Clouds; Control Requirements

  17. Thanks for listening!
     Rolf Frydenberg, rolff@joymount.no
     CSA Norway & Joymount AS