CSA Introduction 2013 David Ross
Published in: Technology, Business
  • Cloud Security Alliance (CSA) value proposition to attendees of recent Trend Micro sponsored EVOLVE Security Conference in Sydney and Melbourne. Approx 100 attendees in this stream, and many questions asked.

  1. Compliance in the Public Cloud and the Cloud Security Alliance’s Open Certification Framework
     Dr David Ross, CISO, Bridge Point Communications
     Founding Director, Cloud Security Alliance Australia Chapter
  2. • Security issues encountered with cloud services
     • Trust Issues
     • Governance, Compliance, Control, Assurance and Certification
     • Open Certification Framework
       – STAR Certification
       – STAR Attestation
     A collaboration of a number of security experts from the Cloud Security Alliance in Australia
  3. Security issues encountered with cloud services
     • #1 The Cloud Consumer assumes the Cloud Service is “secure” without understanding the contract.
       – Real Example: Cloud Service includes “automatic backup service that copies customer data to an external backup service, providing a further level of security to customer data … stored for 3 months after being made … can be extended to up to 7 years if required”
     • Perfectly legitimate, but there are 2 meanings for “secure” here
       – By default, the backup is overwritten after 3 months … no restores over 3 months old!
       – The backups go to a third party … with whom you have no contract for handling your data!
       – The backups are … NOT encrypted!
     Copyright © 2013 Bridge Point Communications
  4. Security issues encountered with cloud services
     • #2 Insecure management or administration interfaces
       – Real Example: Cloud Service uses insecure, clear-text protocol (HTTP) for remote administration logins.
       – The username and password are transmitted in clear-text and may be intercepted by a network sniffer, relay, server logs, proxy or firewall logs, or a man-in-the-middle attack to provide credentials for a subsequent attack.
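A consumer-side check for the #2 issue above, written as an added example that is not part of the original deck: it walks an inventory of a provider's administration endpoints and flags the ones whose login would send credentials in clear text. The inventory URLs, the response headers and the `MIN_HSTS_AGE` threshold are constructed assumptions; in a real review they would come from an asset register and a probe of each URL.

```python
"""Flag administration endpoints whose login would send credentials in clear
text, the scenario in slide #2. Added example, not from the original deck.

The inventory and the response headers are constructed for illustration; in a
real audit they would come from an asset register and a probe of each URL.
"""
from urllib.parse import urlparse

# Constructed inventory: (endpoint URL, headers returned when probing it).
INVENTORY = [
    ("http://admin.example.test/login", {"Content-Type": "text/html"}),
    ("http://console.example.test/", {"Location": "https://console.example.test/"}),
    ("https://portal.example.test/login", {"Content-Type": "text/html"}),
    ("https://ops.example.test/login",
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

MIN_HSTS_AGE = 180 * 24 * 3600  # assumed threshold: six months; shorter is treated as weak


def hsts_max_age(value):
    """Parse the max-age directive of a Strict-Transport-Security header.
    Returns None when the header is missing or has no parseable max-age."""
    if not value:
        return None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if name.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def assess_endpoint(url, headers):
    """Return (severity, reason) for one administration endpoint."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "http":
        if headers.get("Location", "").lower().startswith("https://"):
            # A redirect protects browsers that follow it, but the first
            # request, and any form posted before the redirect, is still clear.
            return ("medium", "HTTP redirecting to HTTPS; first request still clear-text")
        return ("high", "plain HTTP: username and password sent in clear text")
    if scheme == "https":
        age = hsts_max_age(headers.get("Strict-Transport-Security"))
        if age is None:
            return ("low", "HTTPS without Strict-Transport-Security; downgrade possible")
        if age < MIN_HSTS_AGE:
            return ("low", f"HSTS max-age {age}s is shorter than {MIN_HSTS_AGE}s")
        return ("ok", "HTTPS with HSTS")
    return ("high", f"unexpected scheme {scheme!r}")


def audit(inventory):
    """Map each endpoint URL to its (severity, reason)."""
    return {url: assess_endpoint(url, headers) for url, headers in inventory}


if __name__ == "__main__":
    for url, (severity, reason) in audit(INVENTORY).items():
        print(f"{severity:<6} {url}  {reason}")
```

The point of the graded result is that an HTTP-to-HTTPS redirect is not a fix: the first request still leaves the client in clear, so the endpoint stays on the findings list until the plain HTTP listener is gone or HSTS is in place for the whole domain.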
  5. Security issues encountered with cloud services
     • #3 No separation of duties, detection of abuse, or escalation of privilege
       – Real Example: Cloud Service Systems Administrator has access to all layers, from Application down to Physical hardware.
       – The entire security of the Cloud Consumers’ data relies on the integrity and expertise of a single person with no checks or balances to prevent malicious or accidental compromise of security controls. The Systems Administrator can do anything with the hosts, networks, and storage … including the audit trails that detail just what has been done.
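The #3 issue is one that an access review can test for mechanically. The following is an added example, not code from the deck or from the CSA: it runs a separation-of-duties check over a role-to-rights matrix and reports any principal who both administers a layer and can alter the audit trail, or who administers every layer, and lists who is left to review the trail independently. The layer names, the principals and their grants are constructed.

```python
"""Separation-of-duties check over an access matrix, for the scenario in
slide #3: one administrator holding rights on every layer, audit trail
included. Added example, not from the original deck; the layers, principals
and grants below are constructed.
"""

# Layers a cloud provider's staff can administer, top to bottom (constructed).
LAYERS = ("application", "platform", "hypervisor", "network", "storage", "physical")
AUDIT = "audit_log"

# Constructed access matrix: principal -> {resource: set of rights}.
ACCESS = {
    "alice": {**{layer: {"admin"} for layer in LAYERS}, AUDIT: {"read", "write", "delete"}},
    "bob":   {"application": {"admin"}, "platform": {"admin"}, AUDIT: {"read"}},
    "carol": {AUDIT: {"read", "write", "delete"}},
    "dave":  {"network": {"admin"}, "storage": {"admin"}},
    "erin":  {AUDIT: {"read"}},
}


def administered_layers(grants, layers=LAYERS):
    """Layers on which a principal holds the admin right."""
    return {layer for layer in layers if "admin" in grants.get(layer, set())}


def sod_violations(access, layers=LAYERS):
    """Return (principal, finding) pairs for toxic combinations of rights."""
    findings = []
    for who, grants in access.items():
        admin_on = administered_layers(grants, layers)
        audit_rights = grants.get(AUDIT, set())
        # An administrator who can rewrite or delete the record of their own
        # actions is exactly the "no checks or balances" case in the slide.
        if admin_on and audit_rights & {"write", "delete"}:
            findings.append((who, "administers " + ", ".join(sorted(admin_on))
                             + " and can alter the audit trail"))
        # Admin on every layer means no second person is ever needed.
        if admin_on == set(layers):
            findings.append((who, "administers every layer; no separation of duties"))
    return findings


def independent_reviewers(access, layers=LAYERS):
    """Principals who can read the audit trail but administer no layer and
    cannot modify the trail: the people able to detect abuse by the others."""
    return sorted(
        who for who, grants in access.items()
        if "read" in grants.get(AUDIT, set())
        and not grants.get(AUDIT, set()) & {"write", "delete"}
        and not administered_layers(grants, layers)
    )


if __name__ == "__main__":
    for who, finding in sod_violations(ACCESS):
        print(f"VIOLATION {who}: {finding}")
    print("independent reviewers:", independent_reviewers(ACCESS) or "none")
```

With the constructed matrix only `alice` is reported, twice; `erin` is the only independent reviewer because `carol`, despite holding no layer, can delete the trail and so cannot vouch for it.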
  6. Issues particular to cloud services in the GRC space
     • #4 Weak, vague, or one-sided SLAs and contracts
       – Real Example: “The following list presents an overview of some of the audits and assessments that the” Cloud Service “undergoes on a regular basis”...
       – The Cloud Service did indeed undergo regular audits … but only held certifications for two of the five in their list in that year.
       – Difference between ‘undergo audits’ and ‘meet requirements’.
       – Require certification
  7. Impacts on the typical IT governance model
     • Require a trust relationship with the Cloud Service Provider
     • Require indirect administrative and contractual controls over the CSP in place of the direct controls over in-house infrastructure and personnel
     • Require transparency and assurance of the CSP operations
     • Therefore -> Require independent verification of CSP assertions
  8. What are the Trust Issues?
     ( I just ordered this from zazzle.com.au )
  9. What are the Trust Issues?
     • Will the CSP be transparent about governance and operational issues?
     • Will the user be considered compliant?
     • Does the user know what legislation applies?
     • Will a lack of standards drive unexpected obsolescence?
     • Is cloud really better at security than a traditional IT solution?
     Copyright © 2013 Cloud Security Alliance
  10. A new Governance Model
     • Users need to understand the shift in the balance of responsibility and accountability for key functions such as governance and control over data and IT operations, ensuring compliance with laws and regulations.
     • Cloud computing requires a new model for assessing organisational risks related to security and resilience.
  11. Assurance
     • Consumers do not have simple, cost effective ways to evaluate and compare their providers’ resilience, data protection capabilities and service portability.
  12. Certification Challenges
     • Provide a globally relevant certification to reduce duplication of efforts
     • Address localised, national-state and regional compliance needs
     • Address industry specific requirements
     • Address different assurance requirements
     • Address “certification staleness”
       – assure provider is still secure after “point in time” certification
     • Do all of the above while recognising the dynamic and fast changing world that is cloud
  13. Certification Challenges
     This gap of trust mainly lies in the difficulties cloud users face in addressing fundamental assurance issues with cloud providers, such as:
     • Understanding legal compliance and contractual liabilities
     • Defining and allocating responsibilities
     • Enforcing accountability
     • Translating requirements into cloud language/controls/checks
     • Identifying means for an ex-ante assessment of cloud services and for continuous monitoring of cloud service contract execution
  14. How do we build Trust and Transparency?
     • The Cloud Security Alliance’s Open Certification Framework for cloud services
  15. The Cloud Security Alliance’s Open Certification Framework
     • Daniele Catteddu, CSA Managing Director EMEA
     • Open Certification Framework for cloud services
     • Announced 9 May 2012, Frankfurt (DE); detail 20 Aug 2012, Edinburgh (UK)
  16. The Cloud Security Alliance (CSA)
     • Global, not-for-profit organisation
     • Over 40,000 individual members, more than 160 corporate members, over 60 chapters
     • Building best practices and a trusted cloud ecosystem
     • Agile philosophy, rapid development of applied research
     The Cloud Security Alliance – not-for-profit organisation with a mission… “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
  17. Open Certification Framework Vision Statement
     • The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.
     • The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives.
     • The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.
     ~Jim Reavis & Daniele Catteddu; CSA~
  18. OCF: The structure
     • The open certification framework is structured on 3 LEVELs of TRUST, each one of them providing an incremental level of visibility and transparency into the operations of the Cloud Service Provider and a higher level of assurance to the Cloud consumer.
  19. OCF Governance
  20. OCF Level 1: CSA STAR Registry
     • CSA STAR (Security, Trust and Assurance Registry)
     • Public Registry of Cloud Provider self assessments
     • Based on Consensus Assessments Initiative Questionnaire
     • Provider may substitute documented Cloud Controls Matrix compliance
     • Voluntary industry action promoting transparency
     • Free market competition to provide quality assessments
     • Provider may elect to provide assessments from third parties
     • Available since October 2011
  21. OCF Level 2: Certification
  22. What is STAR Certification?
     • Continuous monitoring of cloud service contract execution
     • STAR CERTIFICATION evaluates the efficiency of an organization’s ISMS and ensures the scope, processes and objectives are “Fit for Purpose.”
     • Help organizations prioritize areas for improvement and lead them towards business excellence.
     • Enables effective comparison across other organizations in the applicable sector.
     • Focused on the strategic & operational business benefits as well as effective partnership relationships.
     • Based upon the Plan, Do, Check, Act (PDCA) approach and the controls outlined in the Cloud Controls Matrix (CCM)
     • Enables the auditor to assess a company’s performance, on long-term sustainability and risks, in addition to ensuring they are SLA driven, allowing senior management to quantify and measure improvement year on year.
  23. The Cloud Security Alliance’s STAR Certification
     • The concept of the scheme is to use the ISO/IEC 27001:2005 certification integrated with the CSA Cloud Control Matrix (CCM) as additional or compensating controls as applicable and the organisation’s own internal requirements or specifications to assess how advanced their systems are.
     • The scheme will be compliant with ISO 17021 and ISO 27006.
     • Will be open to all 3rd party Certified Bodies (CB)
     • Will be an additional scheme to the CB organisations’ internal ISO 27001 scheme requirements. It is not meant to be a replacement.
  24. PDCA Model for an ISMS
  25. STAR Certification
  26. STAR Certification: the role of CCM
     • The CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
     • The Cloud Controls Matrix is meant to be integrated into the assessment by the auditor, referencing the applicable CCM control to the associated ISO 27001 controls (SOA). The output will be the result of the overall performance of the organization within the scope of certification.
  27. Benefits of STAR Certification
     Sales and Marketing Benefits:
     • Added to the current management system.
     • An ISO 27001 certification plus a STAR certificate as evidence of both compliance and performance to suppliers, customers and other interested parties.
     • The ability to benchmark your organization’s performance and gauge your improvement from year to year.
     • An independently validated report from an external Certified Body (CB) which can be used to demonstrate an organisation’s progress & performance levels.
     • Exclusive to the STAR Registry.
  28. Benefits of STAR Certification
     Strategic Benefits:
     • A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organisation.
     • A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the results and measurements of assessments are both relevant and necessary in helping organisations manage their business.
     • A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organisation’s performance, enabling senior management to identify the action areas needed.
     • A set of improvement targets to encourage an organisation to move beyond compliance toward continued improvement.
  29. Benefits of STAR Certification
     Operational Benefits:
     • Scalable to organisations of all sizes. Provides information that allows them to know where they are now and measure any improvements, internally benchmark their sites and potentially externally benchmark their supply chain to stimulate healthy competition.
     • A visual representation of the status of a business that instantly highlights where the strengths and weaknesses lie, allowing clients to maximize resources, improve operational efficiencies and reduce costs
     • Independent reassurance to prove to senior management where the risks, threats and opportunities lie within a business
  30. OCF Level 2: Attestation
  31. What is STAR Attestation?
     STAR Attestation (through the type 2 SOC attestation examination) helps companies meet the assessment and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix (CCM). This assessment:
     • Is based on a mature attest standard
     • Allows for immediate adoption of the CCM as additional criteria and the flexibility to update the criteria as technology and market requirements change
     • Does not require the use of any criteria that were not designed for, or readily accepted by cloud providers
     • Provides for robust reporting on the service provider’s description of its system, and on the service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance
  32. AICPA SOC Reporting Options
  33. STAR Attestation
     • SOC 2℠ Report
     • If the report will be used by customers and/or stakeholders to gain confidence and place trust in a service organisation’s system:
     • Need to understand the details of processing and controls at your organisation, the tests performed & results of those tests?
  34. SOC 2 (AT 101): Key strengths
     • AT 101 is a mature attest standard (it serves as the standard for SOC 2 and SOC 3 reporting)
     • Provides for robust reporting on the service provider’s description of its system, and on the service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance
     • Evaluation over a period of time rather than a point in time
     • Recognition with an AICPA Logo
  35. Contact
     Help Us Secure Cloud Computing:
     • www.cloudsecurityalliance.org
     • https://chapters.cloudsecurityalliance.org/australia/
     • http://www.linkedin.com/groups?gid=3966724
     • Archie Reed archer@hp.com
     • David Ross David_Ross@bridgepoint.com.au
  36. Thank You