Governing in the Cloud


Presentation to the CSA Norway Members on February 9th, 2011.

Published in: Technology

  • 1. Governing in the Cloud
    Rolf Frydenberg
    Joymount AS, Senior Advisor
    February 9, 2011
  • 2. Agenda
    Cloud Security Alliance – general and Norway
    CSA Cloud Security Guidance
    NIST Cloud Definition Framework
    Governance and Enterprise Risk Management
    Legal and Electronic Discovery
    Compliance and Audit
    Information Lifecycle Management
    Portability and Interoperability
    Other CSA Domains – Operations
    Cloud Controls Matrix
    CSA GRC Stack
  • 3. About the Cloud Security Alliance
    Global, not-for-profit organization
    Over 16,000 individual members, 80 corporate members
    Building best practices and a trusted cloud ecosystem
    Agile philosophy, rapid development of applied research
    GRC: Balance compliance with risk management
    Reference models: build using existing standards
    Identity: a key foundation of a functioning cloud economy
    Champion interoperability
    Advocacy of prudent public policy
    “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
  • 4. What We Did in 2010
    Threat Research: Top Threats to Cloud Computing; announced at RSA 2010, shared technology vulnerabilities, data loss/leakage, malicious insiders, insecure APIs, etc.
    Certificate of Cloud Security Knowledge; released Sep 1 2010, web-based test for competency in CSA Guidance
    Trusted Cloud Initiative; Cloud security reference architecture, secure and interoperable identity in the cloud, responsibilities for identity providers
    Cloud Controls Matrix Tool; 98 controls derived from guidance, mapped to ISO 27001, COBIT, PCI DSS, HIPAA
    Consensus Assessment Initiative; research tool and processes to assess cloud providers, V 1 released Oct 2010 with 140 provider questions
    Cloud Audit; Open standard and API to automate provider audit assertions, uses CCM
    CSA GRC Stack; suite of tools, best practices, enabling technology, simplify GRC in the cloud
  • 5. Plans for 2011
    CSA Guidance Research; V3 target for Q3 2011; best practices
    CSA GRC Stack; Expand, pilot projects, embed in providers and products
    Trusted Cloud Initiative; Release reference architecture and certifications
    CloudCERT; Consensus research, best practices
    CCSK; Role-specific training, hands-on lab
    CCM; V 2 target 1H 2011; increase mappings, fine tune controls, ISO engagement
    Cloud Metrics Research; Metrics for each of the 98 controls in CCM; create baseline capability
    Security as a Service; Define it, solution categories, guidance, align with other CSA research
  • 6. CSA Norway Chapter
    Established in October 2010
    80 individual members (Feb 2011)
    Board of six directors elected Oct 2011:
    Rolf Frydenberg, Joymount (president)
    Geir-Arild Engh-Hellesvik, KPMG (secretary)
    Lars Egil Sætrang, Promon (treasurer)
    Helge Skrivervik, Team Mellvik
    Tor Andre Breivikås, Teleplan
    Chunming Rong, University of Stavanger
    First Members’ Meeting in December 2010 (Private vs Public Cloud)
    Second Members’ Meeting in February 2011 (Compliance in the Cloud)
    Co-op seminar planned with Dataforeningen (Norwegian Computing Society)
  • 7. CSA Guidance Research
    CSA Guidance 2.1 > 100k downloads:
    Cloud Architecture
    Governing the Cloud:
    Governance and Enterprise Risk Management
    Legal and Electronic Discovery
    Compliance and Audit
    Information Lifecycle Management
    Portability and Interoperability
    Operating in the Cloud:
    Security, Business Continuity, and Disaster Recovery
    Data Center Operations
    Incident Response, Notification, Remediation
    Application Security
    Encryption and Key Management
    Identity and Access Management
  • 8. Cloud Reference Architecture (According to NIST)
  • 9. Governance and Enterprise Risk Management
    Develop robust information security guidance regardless of the service or delivery model
    Review information security governance structures and processes, as well as security controls; include the vendor’s complete supply chain!
    Collaborative governance and risk management as part of development, deployment and operation of services
    Methods and metrics for measuring performance and effectiveness of security management
    Determine risk exposure before detailed requirements
    Risk Management through valuation of assets, identification of threats and vulnerabilities; management acceptance of risk levels and options (control, avoid, transfer, accept)
    Cloud vendors should include measures and controls to assist customers in their Risk Management
  • 10. Legal and Electronic Discovery
    Mutual understanding of each other’s roles and responsibilities related to e-discovery, litigation, searches, etc.
    Plan for both expected and unexpected termination of agreement
    Agreement must allow customer and/or third party to monitor service provider’s performance and test for vulnerabilities
    In many cases there is a requirement to know – down to physical disk – where data is stored
    Customer must ensure it retains ownership of all data it stores on behalf of its customers and employees
  • 11. Compliance and Audit
    The provider’s standard terms and conditions may not address your compliance needs
    Make sure you have the right and access capabilities to perform audits
    Determine whether you are subject to compliance regulations with specific Cloud Computing requirements
    Analyze the impact of regulations regarding data security on use of Cloud Computing
    Require that the cloud provider has at least a roadmap for ISO/IEC 27001 compliance
    CSA has called for the whole industry to be ISO/IEC 27002 compliant
    When selecting an external auditor, ensure he has Cloud Computing knowledge and experience
  • 12. Information Lifecycle Management
    Understand how data integrity is maintained and how compromise of integrity is detected and communicated
    Ensure specific identification of all controls used during the lifecycle of the data
    Understand circumstances under which storage can be seized by a third party or government entity, and require advance notification of any such action
    Use a “Default Deny All” policy for all data, applied to all cloud provider personnel and subcontractors, as well as third parties; often preferable for your own employees as well
    Identify trust boundaries throughout the IT architecture and abstraction layers
    Understand how encryption and key management are handled on multi-tenant storage and other multi-tenant components of the service
  • 13. Portability and Interoperability
    Substituting cloud providers is in virtually all cases a negative transaction for at least one party; plan for this from the outset
    Document the security architecture, configuration and controls
    IaaS: Understand how virtual machine images can be captured and ported; identify and eliminate provider-specific extensions to VM environment
    PaaS: Use platform components with standard syntax, open APIs and open standards; understand how tools and services like backup/restore, monitoring, logging and audit would transfer to a new vendor
    SaaS: Perform regular data extractions to a format that is usable without the current SaaS provider; Understand any custom tools that are developed and configured specially
  • 14. Other CSA Domains: Operations
    Security, Business Continuity, Disaster Recovery
    Data Center Operations
    Incident Response, Notification, Remediation
    Application Security
    Encryption and Key Management
    Identity and Access Management
  • 15. Cloud Controls Matrix Tool
    Controls derived from guidance
    Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
    Customer vs Provider role
    Mapped to ISO 27001, COBIT, PCI, HIPAA
    Help bridge the gap for IT & IT auditors
  • 16. CSA GRC Stack
    Recent News: CSA GRC Stack – on your USB drive
    Suite of tools, best practices and enabling technology
    Consolidate industry research & simplify GRC in the cloud
    For cloud providers, enterprises, solution providers and audit/compliance
    Provider Assertions
    Private & Public Clouds
    Control Requirements
  • 17. Thanks for listening!
    Rolf Frydenberg,
    CSA Norway & Joymount AS