Your clouds must be transparent - an intro to Cloud Security Alliance
All your clouds must be transparent
The inconvenient truth for SaaS and PaaS security credibility
David Jones – CTO/Founder ThreatMetrix
CLOUDCAMP SYDNEY AUG 09. TMX: real-time SaaS-based fraud protection for eCommerce payments, dating/social, classifieds, money transfer, virtual goods
Anyone spent 10 minutes with a security guy?
Anyone told Sales “it’s not ready to sell”?
Compromise: We’ll fix it later
Why put off until tomorrow that you can do the day after?
Credit Card Breaches (payments gateways are one of the oldest SaaS services)
TJMAX – 475 million stolen cards
Heartland – 130 million stolen cards
DDOS
Aug 2009: Twitter/Facebook DDOS
BUT there were 770 other DDOS attacks on the same day (source: Arbor Networks)
30Gbit/sec attack on a 3G provider
Phish, Spearphish and Keylogger (identity theft driven fraud)
I’ve lost track…
Twitter public document leak (password exploit)
And then there are outages
Gartner (July 2008): “Cloud computing is the least transparent externally sourced delivery method.” “[Cloud] not only introduces the same risks as any externally provided service, it also includes some unique risk challenges”: reduced visibility, the complication of compliance, and the loss of control over the location of the data. Reliability and recoverability become a concern when outsourcing to a commodity provider, as does the viability of that supplier. “Assess the risks of using any cloud computing provider, and to demand greater transparency than many are currently willing to offer.”
Cloud Security Alliance – www.cloudsecurityalliance.org (I don’t speak for them, just talkin’ about them)
3,512 individual members as of August 3rd
Broad Geographical Distribution
Board of Directors include: ING, eBay execs
CSA challenges/position
We aren’t moving to the cloud We are reinventing in the cloud
Accelerated pace of change
Globalization
Massive multi-tenancy
Pressure on traditional organizational boundaries
Challenges traditional thinking
How do we build standards?
How do we create architectures?
What is the ecosystem required to manage, operate, assess and audit cloud systems?
Activities
New Working Groups
Healthcare
Cloud Threat Analysis
US Federal Government
Financial Services
What is in the Guide? (April 2009 edition is 80+ pages)
It is a working document that defines the basis on which vendors and customers can NEGOTIATE an understood service engagement (for IaaS, PaaS, SaaS)
Many enterprises are clueless about security anyway – so the document EDUCATES on the current landscape of concerns/issues
What is in the Guide? (cont’d)
Section I Cloud Architecture
Domain 1: Cloud Computing Architectural Framework
Section II Governing in the Cloud
Domain 2: Governance and Enterprise Risk Management
Domain 3: Legal
Domain 4: Electronic Discovery
Domain 5: Compliance and Audit
Domain 6: Information Lifecycle Management
Domain 7: Portability and Interoperability
Section III Operating in the Cloud
Domain 8: Traditional Security, Business Continuity and Disaster Recovery
Domain 9: Data Center Operations
Domain 10: Incident Response, Notification and Remediation
Domain 11: Application Security
Domain 12: Encryption and Key Management
Domain 13: Identity and Access Management
Domain 14: Storage
Domain 15: Virtualization
So is CSA a good or bad thing?
“Yes” if you don’t like being pwned
“Yes” if cloud is to be long-term credible
Can create a perception of “one size fits all”
Is this Sarbanes-Oxley for service providers?
“No” if it only benefits big/incumbent vendors
A compliance comparison… Credit: Sense of Security and aisa.org.au
Heartland was PCI Compliant
So…compliance does not always deliver what is needed but…
CSA: Call to Action
Discussions & announcements on LinkedIn & GoogleGroups
Hold regional CSA meetups
Volunteer for existing research
Brainstorm new research initiatives
Contact:
www.cloudsecurityalliance.org
[email_address]
Twitter: @cloudsa, #csaguide
LinkedIn: www.linkedin.com/groups?gid=1864210
All your clouds must be transparent thanks! david DOT jones AT gmail DOT com @djinoz