I gave a presentation about recent cloud security developments and how to risk assess a cloud provider at ISACA Scandinavian Conference yesterday. Thanks to Cloud Security Alliance for a lot of input.

  1. Recent Cloud Security Developments. By Lars Neupart, founder of Neupart – The ERP of Security
  2. Program
     - Security Guidance: the new Security Guidance for Critical Areas of Focus in Cloud Computing?
     - GRC Stack: GRC Stack from Cloud Security Alliance - what it is, and how you can benefit from it.
     - Cloud Vendor Risk Assessments: how to perform cloud vendor assessments
     - CCSK: an individual certification: Certificate of Cloud Security Knowledge
  3. CSA Security Guidance
     - CSA = Cloud Security Alliance
     - Version 3 has been released
     - Provides practical direction for adopting the cloud paradigm safely and securely.
     - Extends with use cases
     - 14 domains emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment.
  4. CSA Guidance
     - Section I: Cloud Architecture
     - Section II: Governing in the Cloud
     - Section III: Operating in the Cloud
  5. Section I. Cloud Architecture
     - Domain 1: Cloud Computing Architectural Framework
  6. S-P-I Framework (diagram): in SaaS (Software as a Service) you "RFP" security in; in PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) you build security in.
  7. Section II. Governing in the Cloud
     - Domain 2: Governance and Enterprise Risk Management
     - Domain 3: Legal Issues: Contracts and Electronic Discovery
     - Domain 4: Compliance and Audit Management
     - Domain 5: Information Management and Data Security
     - Domain 6: Interoperability and Portability
  8. Section III. Operating in the Cloud
     - Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
     - Domain 8: Data Center Operations
     - Domain 9: Incident Response
     - Domain 10: Application Security
     - Domain 11: Encryption and Key Management
     - Domain 12: Identity, Entitlement, and Access Management
     - Domain 13: Virtualization
     - Domain 14: Security as a Service
  9. CSA Guidance: Risk Based
     - CSA Guidance recommends a risk-based approach to control selection.
     - Also offers a simple model
  10. Visit the V.3 website at: security-guidance/
  11. ISO 27017
     - Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
     - Draft
  12. GRC Stack from CSA
     - Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data.
     - The shift to compute as a service presents new challenges across the spectrum of GRC requirements.
     - To instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.
     - A toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders
  13. A look into the CSA Control Matrix
     - grc-stack/
  14. Cloud Vendor Risk Assessments – how to do it
  15. Classic Risk Assessments – Asset Hierarchy (diagram). Business impact values are inherited downward through the hierarchy; vulnerability values are inherited upward. Example nodes, from business process down to data center: Finance, ERP, Finance DB, Dynamics AOS, SQL 01, Server 01, Server 02 (HP DL380, serial abc0987654321), HP DL380 (serial xyz1234567890), Data Center A.
  16. Business Processes & IT Services (diagram). Business Process 1 and Business Process 2 sit on top of IT services, either on premise or from a vendor, e.g. cloud. Business impact scores inherit downwards; vulnerability scores inherit upwards.
  17. The good news:
     - You can use well known risk management best practices (e.g. ISO 27001 & ISO 27005) also when assessing cloud applications
     - ... with a few notable differences
  18. Difference #1: CAI
     - Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.
     - Industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency.
     - Part of GRC Stack
  19. Link
     - cai/
  20. Difference #2: STAR
     - CSA Security, Trust & Assurance Registry (STAR)
     - Free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
     - Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices, the CAIQ or the CCM.
  21. STAR Links
     - Visit the CSA STAR website at:
     - CSA STAR FAQ:
     - Ask STAR related questions at our CSA STAR Support Forum: home=&gid=4066598
     - Watch the STAR briefing online: learning/star-registry-briefing
  22. ISO 27005 = Threat-Based Risk Management
  23. Example Threat Catalogue (screen from SecureAware Risk TNG)
  24. Not all assets burn
     - Recommendation: the threats you'll be assessing should depend on the type of asset.
     - Using cloud service providers gives you other threats than running your own IT operations
  25. Business Impact Assessments (screen from SecureAware Risk TNG)
  26. Vulnerability Assessments (screen from SecureAware Risk TNG)
  27. Shortcut: Probability Assessment
  28. In the cloud or on the ground:
     - SecureAware assesses risks to your business, from own IT or from vendors – also in the cloud
     - SecureAware is delivered as on-premise software or SaaS
  29. What is the CCSK? CCSK – the Certificate of Cloud Security Knowledge
     - Industry's first user certification program for secure cloud
     - Based on CSA's body of knowledge
     - Complementary to popular IT Security & Audit user accreditations and user certifications
     - Suitable for a wide variety of professions that must be concerned with cloud
     - Self study or classroom instruction
     - Online, web-based examination
     - Show your knowledge of the next generation of information technology!
     Copyright © 2012 Cloud Security Alliance
  30. What is the CCSK Body of Knowledge? Based upon two industry leading whitepapers
     - Security Guidance for Areas of Focus in Cloud
       - Current test based upon Version 2.1 of Guidance
       - http://
       - 70% of test questions based upon this document
     - ENISA's report "Cloud Benefits, Risks and Recommendations for Information Security"
       - http://-risk-assessment
       - 20% of test questions based upon this document
     - Final 10% of test questions are applied knowledge based upon both documents above
     - Preparation guide available
       - https://-prep.pdf
  31. Taking the CCSK Examination. CCSK – on demand, 24 hours a day
     - Online web-based examination, no appointment necessary
     - 50 questions in the examination
     - 60 minutes to complete the examination
     - 80% correct answers required to successfully complete the test
     - Two chances with a test token
     - Test available at https://
     - FAQ at https://-of-cloud-security-knowledge/ccsk-faq/
  32. Preparing for the CCSK. CCSK Self Study
     - Review the body of knowledge after the preparation guide
       - https://-prep.pdf
     - Study with a colleague
     - Form study groups in a CSA chapter
       - https://
     CCSK Classroom Instruction
     - Classes offered worldwide through training partners
     - CCSK Basic 1 day course covers everything needed to pass CCSK
     - CCSK Plus includes Basic plus additional 1 day lab exercises
     - Find training partners and training schedule here: https://
  33. CCSK – Set yourself apart. Become an early adopter of the future of IT Security
     - For cloud service providers, information security experts, IT professionals, IT audit & governance – everyone!
     - Enhance your with proven knowledge from the broadest best practices developed in the industry
     - Differentiate your resume from the crowd
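An added example, not from the slides, CSA or SecureAware, that models the asset hierarchy of slides 15 and 16 (business impact inherited downward, vulnerability inherited upward) together with the asset-type-dependent threat catalogue of slide 24, so a cloud vendor node is scored against its own threats rather than those of an on-premise server. All nodes, scores and threats are constructed; the 1-3 scales and the impact x vulnerability x likelihood product are assumptions, not the SecureAware method.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str                  # "process", "service", "server" or "cloud_vendor"
    impact: int = 0            # 1-3, set on business processes, inherited downward
    vulnerability: int = 0     # 1-3, set on leaf assets, inherited upward
    children: list = field(default_factory=list)

# Constructed threat catalogue keyed by asset kind (likelihood 1-3): a cloud vendor faces other threats than your own server.
THREATS = {
    "server": {"fire": 1, "hardware failure": 2, "malware": 3},
    "cloud_vendor": {"provider outage": 2, "data breach at provider": 2, "vendor lock-in": 1},
}

def propagate_impact(node, inherited=0):
    """Business impact inherits downward: an asset is as critical as what it supports."""
    node.impact = max(node.impact, inherited)
    for child in node.children:
        propagate_impact(child, node.impact)

def propagate_vulnerability(node):
    """Vulnerability inherits upward: a process is as exposed as its weakest asset."""
    for child in node.children:
        node.vulnerability = max(node.vulnerability, propagate_vulnerability(child))
    return node.vulnerability

def risk_register(node, out=None):
    """Risk per (asset, threat) = impact x vulnerability x likelihood, highest first."""
    out = [] if out is None else out
    for threat, likelihood in THREATS.get(node.kind, {}).items():
        out.append((node.name, threat, node.impact * node.vulnerability * likelihood))
    for child in node.children:
        risk_register(child, out)
    return sorted(out, key=lambda row: row[2], reverse=True)

def build_example():
    # Constructed hierarchy: Finance process -> ERP service -> own DB server + payroll SaaS vendor.
    db = Asset("Finance DB / SQL 01", "server", vulnerability=2)
    saas = Asset("Payroll SaaS vendor", "cloud_vendor", vulnerability=3)
    finance = Asset("Finance", "process", impact=3,
                    children=[Asset("ERP", "service", children=[db, saas])])
    propagate_impact(finance)
    propagate_vulnerability(finance)
    return finance

if __name__ == "__main__":
    for name, threat, score in risk_register(build_example()):
        print(f"{score:2d}  {name}: {threat}")
```

The Finance process ends up with vulnerability 3 because the SaaS vendor, its weakest leaf, carries 3; the register shows the vendor's threats ranking alongside malware on the in-house database.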
