RSA CSA GRC Stack Update for the Atlanta CSA Chapter by Phil Agcaoili
RSA: Cloud Security Alliance GRC Stack Update
Cloud Security Alliance, Atlanta Chapter
Phil Agcaoili, Cox Communications
Dennis Hurst, HP
March 2011
Cloud Computing: NIST Definition
UPDATED (Jan 2011) – National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft)
- Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
- Rapidly provisioned and released with minimal management effort or service provider interaction
- Composed of 5 essential characteristics, 3 service models, and 4 deployment models
Source: http://www.nist.gov/itl/csd/cloud-020111.cfm
Cloud Computing: 5 Essential Characteristics
- On-demand self-service: tenant provisions computing capabilities (server time, network storage, etc.) without provider interaction
- Broad network access: capabilities are available over the network through standard mechanisms and mobile platforms
- Resource pooling: dynamically assigned physical and virtual capabilities delivered in a multi-tenant, location-independent model
- Rapid elasticity: provisioned resources are adjusted automatically or manually in line with service level flexibility and needs
- Measured service: resource use is monitored, controlled and reported transparently
Cloud Computing: 3 Service Models
Software as a Service (SaaS): Capability made available to the tenant (or consumer) to use the provider's applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces. Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx
Platform as a Service (PaaS): Capability made available to the tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by the provider. Examples: Microsoft Azure, Amazon Web Services, Bungee Connect
Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS): Capability made available to the tenant to provision processing, storage, networks or other fundamental computing resources to host and run the tenant's applications. Examples: Rackspace, Terremark (Verizon), Savvis, AT&T
Proposal for Atlanta Chapter
Objective #1: Cloud Security Contract Template
Vendor and Customer Needs: A simple, but uniform, security contract and questionnaire/checklist
Benefits:
- Standard/uniform customer response
- Minimizes unique customer requests
- Provides basic security attestation and assurance
V1.1 released Dec 2010
Each control rated as applicable to S-P-I (SaaS, PaaS, IaaS), with Cloud Provider / Tenant delineation
Controls baselined and mapped to: COBIT; HIPAA / HITECH Act; ISO/IEC 27001:2005; NIST SP 800-53; FedRAMP; PCI DSS v2.0; BITS Shared Assessments; GAPP
Cloud Controls Matrix: Global Industry Contribution
Adalberto Afonso A Navarro F do Valle – Deloitte LLP
Consensus Assessments Initiative
- Research tools and processes to perform shared assessments of cloud providers
- Lightweight "common assessment criteria" concept
- Integrated with the Cloud Controls Matrix
- Version 1 CAI Questionnaire released Oct 2010: approx. 140 provider questions to identify the presence of security controls or practices
CloudAudit
Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments, and allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.
CloudAudit: Objective
A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks, in a way that simplifies discovery by humans and tools.
- Define a namespace that can support diverse frameworks
- Express five critical compliance frameworks in that namespace
- Define the mechanisms for requesting and responding to queries relating to specific controls
- Integrate with portals and AAA systems
CloudAudit: Aligned to Cloud Controls Matrix
First efforts aligned to the compliance frameworks established by the CSA Cloud Controls Matrix: PCI DSS, HIPAA, COBIT, ISO/IEC 27001:2005, NIST SP 800-53
- Incorporate CSA's CAI and additional CompliancePacks
- Expand alignment to "infrastructure"- and "operations"-centric views as well
CloudAudit: Release Deliverables
- Contains all CompliancePacks, documentation and scripts needed to begin implementation of CloudAudit
- Working with service providers and tool vendors for adoption
- CloudAudit officially folded under the Cloud Security Alliance in October 2010
http://www.cloudaudit.org/CloudAudit_Distribution_20100815.zip
CloudAudit: Release Deliverables (cont.)
Request Flow for Users & Tools
CloudAudit: Release Deliverables (cont.)
manifest.xml
- Structured listing of control endpoint contents
- Can be extended to provide contextual information
- Primarily aimed at tool consumption
- In Atom format
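The slide describes manifest.xml as an Atom feed of control endpoints meant for tools to consume. The following is an added example, not CloudAudit's own code or distribution: it builds a small constructed Atom manifest (the control names, URNs and URL paths in it are placeholders, not the real CloudAudit namespace), parses the entries with Python's standard library, and applies two checks a consuming tool should make before acting on a manifest: that entry ids are unique, as Atom requires, and that every linked endpoint actually sits on the provider's own host rather than pointing somewhere else.

```python
"""Parse a CloudAudit-style manifest.xml written as an Atom feed.

Added example, not part of the CloudAudit distribution. The feed below is
constructed for illustration; its control names, ids and paths are
placeholders, not the real CloudAudit namespace.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

ATOM_NS = "http://www.w3.org/2005/Atom"


def atom(tag):
    """Clark-notation name for an Atom element, e.g. {…Atom}entry."""
    return "{%s}%s" % (ATOM_NS, tag)


# Constructed sample manifest: one Atom <entry> per control endpoint.
SAMPLE_MANIFEST = """
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example provider manifest (constructed)</title>
  <id>urn:example:manifest</id>
  <updated>2011-03-01T00:00:00Z</updated>
  <entry>
    <title>PLACEHOLDER-CONTROL-1</title>
    <id>urn:example:control:1</id>
    <updated>2011-03-01T00:00:00Z</updated>
    <link rel="alternate" href="https://provider.example/cloudaudit/control-1/"/>
  </entry>
  <entry>
    <title>PLACEHOLDER-CONTROL-2</title>
    <id>urn:example:control:2</id>
    <updated>2011-03-01T00:00:00Z</updated>
    <link rel="alternate" href="https://provider.example/cloudaudit/control-2/"/>
    <link rel="enclosure" type="application/pdf"
          href="https://other.example/evidence.pdf"/>
  </entry>
</feed>
"""


def parse_manifest(xml_text):
    """Return one dict per <entry>: title, id and a list of (rel, href) links.

    xml.etree does not fetch external entities, but a manifest from an
    untrusted provider is still best parsed with defusedxml (assumption:
    that package is available; the standard parser is used here).
    """
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall(atom("entry")):
        links = [(link.get("rel", "alternate"), link.get("href", ""))
                 for link in entry.findall(atom("link"))]
        entries.append({
            "title": entry.findtext(atom("title"), default=""),
            "id": entry.findtext(atom("id"), default=""),
            "links": links,
        })
    return entries


def duplicate_ids(entries):
    """Atom requires a unique <id> per entry; report any that repeat."""
    counts = Counter(e["id"] for e in entries)
    return sorted(i for i, n in counts.items() if n > 1)


def off_host_links(entries, trusted_host):
    """Return (entry id, href) for links whose host is not the provider's.

    A tool walking the manifest should flag these for review instead of
    fetching them as if they were the provider's own control evidence.
    """
    flagged = []
    for entry in entries:
        for _rel, href in entry["links"]:
            if urlparse(href).hostname != trusted_host:
                flagged.append((entry["id"], href))
    return flagged


if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE_MANIFEST)
    for entry in manifest:
        print(entry["id"], entry["title"], entry["links"])
    print("duplicate ids:", duplicate_ids(manifest))
    print("off-host links:", off_host_links(manifest, "provider.example"))
```

Running the block lists the two constructed control entries and flags the PDF enclosure on other.example as an off-host link, which is the kind of entry an auditor's tool should surface rather than follow silently.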
CSA GRC Stack
Bringing it all together to peel back the layers of control ownership and address concerns for trusted cloud adoption.
Diagram labels: Provider Assertions; Private, Community & Public Clouds; Control Requirements
Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of Governance, Risk Management and Compliance (GRC) requirements – success depends upon relevant control objectives and timely access to the necessary supporting data.
CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.
Integrated suite of 3 CSA initiatives: CloudAudit, Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).
Available now for free download at: www.cloudsecurityalliance.org/grcstack.zip
CSA GRC Stack: Bringing it all together…
CSA GRC Stack: Industry Collaboration & Support
International Organization for Standardization (ISO)
ISO/IEC JTC 1/SC 27 ("SC 27") WG 1, 4 and 5 are in a Study Period in the area of Cloud Computing Security and Privacy, with active CSA representation
European Network and Information Security Agency (ENISA)
About the Cloud Security Alliance
- Global, not-for-profit organization
- Almost 18,000 individual members, 80 corporate members
- Building best practices and a trusted cloud ecosystem
- Agile philosophy, rapid development of applied research
- GRC: balance compliance with risk management
- Reference models: build using existing standards
- Identity: a key foundation of a functioning cloud economy
- Champion interoperability
- Advocacy of prudent public policy
"To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
Contact
Help us secure cloud computing
www.cloudsecurityalliance.org
firstname.lastname@example.org
LinkedIn: www.linkedin.com/groups?gid=1864210
Twitter: @cloudsa