RSA: CSA GRC Stack Update for the CSA Atlanta Chapter

RSA CSA GRC Stack Update for the Atlanta CSA Chapter by Phil Agcaoili

  • Essential characteristics (NIST):
    • On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
    • Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
    • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
    • Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
    • Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
  • Service models (NIST):
    • Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
    • Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations, typically through a pay-per-use business model.
    • Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
  • Deployment models (NIST):
    • Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
    • Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
    • Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
    • Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
  • The NIST Security Content Automation Protocol (SCAP) Validation Program is designed to test the ability of products to use the features and functionality available through SCAP and its component standards.
  • XBRL (eXtensible Business Reporting Language) is a freely available, standards-based way to communicate and exchange business information between business systems.
  • Do visit the website.
  • Do join the LinkedIn groups; you will receive regular email updates.
  • Transcript

    • RSA: Cloud Security Alliance GRC Stack Update
      Cloud Security Alliance, Atlanta Chapter
      Phil Agcaoili, Cox Communications
      Dennis Hurst, HP
      March 2011
    • Cloud Computing: NIST Definition
      UPDATED (Jan 2011) – National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft)
      Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
      Rapidly provisioned and released with minimal management effort or service provider interaction
      Composed of 5 essential characteristics, 3 service models, and 4 deployment models.
      Source: http://www.nist.gov/itl/csd/cloud-020111.cfm
    • Cloud Computing: 5 Essential Characteristics
      On-demand tenant self-service model for provisioning computing capabilities (server time, network storage, etc.)
      Broad network access with capabilities over the network accessible by standard mechanisms and mobile platforms
      Resource pooling through dynamically assigned physical and virtual capabilities delivered in a multi-tenant model and location independent
      Rapid elasticity of provisioned resources automatically or manually adjusted, aligned with service level flexibility and needs
      Measured service to monitor, control and report on transparent resource optimization
    • Cloud Computing: 3 Service Models
      Software as a Service (SaaS)
      Capability made available to tenant (or consumer) to use provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces.
      Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx
      Platform as a Service (PaaS)
      Capability made available to tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by provider.
      Examples: Microsoft Azure, Amazon Web Services, Bungee Connect
      Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)
      Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant’s applications.
      Examples: Rackspace, Terremark (Verizon), Savvis, AT&T
    • Cloud Computing: 4 Deployment Models
      (4) Hybrid
      • Composition of 2 or more deployment models that remain unique entities
      • Bound together by standardized or proprietary technology enabling data and application portability
    • Cloud Computing Security: Largest Barrier to Adoption
    • What is Different about Cloud?
    • What is Different about Cloud?
    • What is Different about Cloud?
    • Proposal for Atlanta Chapter Objective #1: Cloud Security Contract Template
      Vendor and Customer Needs:
      A simple, but uniform security contract and questionnaire/checklist
      Benefits:
      Standard/uniform customer response
      Minimizes unique customer requests
      Provides basic security attestation and assurance
    • What is Different about Cloud?
    • What is Different about Cloud?
    • Cloud Controls Matrix
    • Cloud Controls Matrix
      Leadership Team
      • Becky Swain – Cisco Systems, Inc.
      • Philip Agcaoili – Cox Communications
      • Marlin Pohlman – EMC, RSA
      • Kip Boyle – CSA
      V1.1 Released Dec 2010
      Rated as applicable to S-P-I (SaaS / PaaS / IaaS) with Cloud Provider / Tenant Delineation
      Controls baselined and mapped to:
      COBIT
      HIPAA / HITECH Act
      ISO/IEC 27001-2005
      NIST SP 800-53
      FedRAMP
      PCI DSS v2.0
      BITS Shared Assessments
      GAPP
    • Cloud Controls Matrix: Global Industry Contribution
      • Adalberto Afonso A Navarro F do Valle – Deloitte LLP
      • Addison Lawrence – Dell
      • Akira Shibata – NTT DATA Corp
      • Andy Dancer
      • Anna Tang – Cisco Systems, Inc.
      • April Battle – MITRE
      • Chandrasekar Umpathy
      • Chris Brenton – Dell
      • Dale Pound – SAIC
      • Daniel Philpott – Tantus Technologies
      • Dr. Anton Chuvakin – Security Warrior Consulting
      • Elizabeth Ann Wickham – L47 Consulting Limited
      • Gary Sheehan – Advanced Server Mgmt Group, Inc.
      • Georg Heß
      • Georges Ataya – Solvay Brussels School of Economics & Mgmt
      • Glen Jones – Cisco Systems, Inc.
      • Greg Zimmerman – Jefferson Wells
      • Guy Bejerano – LivePerson
      • Henry Ojo – Kamhen Services Ltd
      • Jakob Holm Hansen – Neupart A/S
      • Joel Cort – Xerox Corporation
      • John DiMaria – HISPI
      • John Sapp – McKesson Healthcare, HISPI
      • Joshua Schmidt – Vertafore, Inc.
      • Karthik Amrutesh – Ernst and Young LLP
      • Kelvin Arcelay – Arcelay & Associates
      • Kyle Lai – KLC Consulting, Inc.
      • Larry Harvey – Cisco Systems, Inc.
      • Laura Kuiper – Cisco Systems, Inc.
      • Lisa Peterson – Progressive Insurance
      • Lloyd Wilkerson – Robert Half International
      • Marcelo Gonzalez – Banco Central Republica Argentina
      • Mark Lobel – PricewaterhouseCoopers LLP
      • Meenu Gupta – Mittal Technologies
      • Mike Craigue, Ph.D. – Dell
      • MS Prasad – Exec Dir CSA India
      • Niall Browne – LiveOps
      • Patrick Sullivan
      • Patty Williams – Symetra Financial
      • Paul Stephen – Ernst and Young LLP
      • Phil Genever-Watling – Dell
      • Philip Richardson – Logicalis UK Ltd
      • Pritam Bankar – Infosys Technologies Ltd.
      • Ramesan Ramani – Paramount Computer Systems
      • Steve Primost
      • Taiye Lambo – eFortresses, Inc.
      • Tajeshwar Singh
      • Thej Mehta – KPMG LLP
      • Thomas Loczewski – Ernst and Young GmbH, Germany
      • Vincent Samuel – KPMG LLP
      • Yves Le Roux – CA Technologies
      • HISPI membership (Release ISO Review Body)
    • Cloud Controls Matrix: Characteristics
      • Objective measure to monitor activities and then take corrective action to accomplish organizational goals.
      • Comprised of a set of policies and processes (internal controls) affecting the way Cloud services are directed, administered or controlled.
      • Aligned to Information Security regulatory rules and industry accepted guidance.
      • Controls reflect the intent of the CSA Guidance as applied to existing patterns of Cloud execution.
    • Cloud Controls Matrix: Optimal & Holistic Compliance
      Bridging Regulatory Governance And Practical Compliance
    • Cloud Controls Matrix: 11 Domains
      1. Compliance (CO)
      2. Data Governance (DG)
      3. Facility Security (FS)
      4. Human Resources (HR)
      5. Information Security (IS)
      6. Legal (LG)
      7. Operations Management (OM)
      8. Risk Management (RI)
      9. Release Management (RM)
      10. Resiliency (RS)
      11. Security Architecture (SA)
    • Cloud Controls Matrix: 98 Controls
      Compliance
      • CO01 – Audit Planning
      • CO02 – Independent Audits
      • CO03 – Third Party Audits
      • CO04 – Contact / Authority Maintenance
      • CO05 – Information System Regulatory Mapping
      • CO06 – Intellectual Property
      Legal
      • LG01 – Non-Disclosure Agreements
      • LG02 – Third Party Agreements
      Data Governance
      • DG01 – Ownership / Stewardship
      • DG02 – Classification
      • DG03 – Handling / Labeling / Security Policy
      • DG04 – Retention Policy
      • DG05 – Secure Disposal
      • DG06 – Non-Production Data
      • DG07 – Information Leakage
      • DG08 – Risk Assessments
      Risk Management
      • RI01 – Program
      • RI02 – Assessments
      • RI03 – Mitigation / Acceptance
      • RI04 – Business / Policy Change Impacts
      • RI05 – Third Party Access
    • Cloud Controls Matrix: 98 Controls (cont.)
      Resiliency
      • RS01 – Management Program
      • RS02 – Impact Analysis
      • RS03 – Business Continuity Planning
      • RS04 – Business Continuity Testing
      • RS05 – Environmental Risks
      • RS06 – Equipment Location
      • RS07 – Equipment Power Failures
      • RS08 – Power / Telecommunications
      Human Resources
      • HR01 – Background Screening
      • HR02 – Employment Agreements
      • HR03 – Employment Termination
      Release Management
      • RM01 – New Development / Acquisition
      • RM02 – Production Changes
      • RM03 – Quality Testing
      • RM04 – Outsourced Development
      • RM05 – Unauthorized Software Installations
      Operational Management
      • OP01 – Policy
      • OP02 – Documentation
      • OP03 – Capacity / Resource Planning
      • OP04 – Equipment Maintenance
    • Cloud Controls Matrix: 98 Controls (cont.)
      Security Architecture
      • SA01 – Customer Access Requirements
      • SA02 – User ID Credentials
      • SA03 – Data Security / Integrity
      • SA04 – Application Security
      • SA05 – Data Integrity
      • SA06 – Production / Non-Production Environments
      • SA07 – Remote User Multi-Factor Authentication
      • SA08 – Network Security
      • SA09 – Segmentation
      • SA10 – Wireless Security
      • SA11 – Shared Networks
      • SA12 – Clock Synchronization
      • SA13 – Equipment Identification
      • SA14 – Audit Logging / Intrusion Detection
      • SA15 – Mobile Code
      Facility Security
      • FS01 – Policy
      • FS02 – User Access
      • FS03 – Controlled Access Points
      • FS04 – Secure Area Authorization
      • FS05 – Unauthorized Persons Entry
      • FS06 – Off-Site Authorization
      • FS07 – Off-Site Equipment
      • FS08 – Asset Management
    • Cloud Controls Matrix: 98 Controls (cont.)
      Information Security
      • IS01 – Management Program
      • IS02 – Management Support / Involvement
      • IS03 – Policy
      • IS04 – Baseline Requirements
      • IS05 – Policy Reviews
      • IS06 – Policy Enforcement
      • IS07 – User Access Policy
      • IS08 – User Access Restriction / Authorization
      • IS09 – User Access Revocation
      • IS10 – User Access Reviews
      • IS11 – Training / Awareness
      • IS12 – Industry Knowledge / Benchmarking
      • IS13 – Roles / Responsibilities
      • IS14 – Management Oversight
      • IS15 – Segregation of Duties
      • IS16 – User Responsibility
      • IS17 – Workspace
      • IS18 – Encryption
      • IS19 – Encryption Key Management
      • IS20 – Vulnerability / Patch Management
      • IS21 – Anti-Virus / Malicious Software
      • IS22 – Incident Management
      • IS23 – Incident Reporting
      • IS24 – Incident Response Legal Preparation
      • IS25 – Incident Response Metrics
      • IS26 – Acceptable Use
      • IS27 – Asset Returns
      • IS28 – eCommerce Transactions
      • IS29 – Audit Tools Access
      • IS30 – Diagnostic / Configuration Ports Access
      • IS31 – Network Services
      • IS32 – Portable / Mobile Devices
      • IS33 – Source Code Access Restriction
      • IS34 – Utility Programs Access
    • Consensus Assessment Initiative
    • Consensus Assessment Initiative
      Research tools and processes to perform shared assessments of cloud providers
      Lightweight “common assessment criteria” concept
      Integrated with Controls Matrix
      Ver 1 CAI Questionnaire released Oct 2010, approx. 140 provider questions to identify presence of security controls or practices
    • Consensus Assessment Initiative: Team
      Contributors
      • Matthew Becker – Bank of America
      • Aaron Benson – Novell
      • Ken Biery – Verizon Business
      • Kristopher Fador – Bank of America
      • David Gochenaur – Aon Corporation
      • Jesus Molina – Fujitsu
      • John Nootens – AMA Association
      • Hemma Prafullchandra – Hytrust
      • Gorka Sadowski – Log Logic
      • Richard Schimmel – Bank of America
      • Patrick Vowles – RSA
      • Kenneth Zoline – IBM
      Leaders
      • Laura Posey – Microsoft
      • Jason Witty – Bank of America
      • Marlin Pohlman – EMC, RSA
      • Earle Humphreys – ITEEx
      Editor
      • Christofer Hoff – Cisco
    • Consensus Assessment Initiative: Approach
      • Build “cloud-specific” question-set
      • CSA guidance
      • Industry experts
      • Align questions with the CSA Cloud Controls Matrix
      • Release 1.0 question-set publicly
      • Integrate into CloudAudit.org framework
      • Post to CloudSecurityAlliance.org
    • Consensus Assessment Initiative Questionnaire (CAIQ) – 148 Qs
    • CloudAudit
    • CloudAudit
      Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments
      Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.
    • CloudAudit: Objective
      A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
      Define a namespace that can support diverse frameworks
      Express five critical compliance frameworks in that namespace
      Define the mechanisms for requesting and responding to queries relating to specific controls
      Integrate with portals and AAA systems
    • CloudAudit: Aligned to Cloud Controls Matrix
      First efforts aligned to compliance frameworks as established by CSA Control Matrix:
      PCI DSS
      HIPAA
      COBIT
      ISO/IEC 27001-2005
      NIST SP 800-53
      Incorporate CSA’s CAI and additional CompliancePacks
      Expand alignment to “infrastructure”- and “operations”-centric views also
    • CloudAudit: Sample Implementation
      CSA Compliance Pack
    • CloudAudit: Sample Implementation (cont.)
      CSA Compliance Pack
    • CloudAudit: Sample Implementation (cont.)
      CSA Compliance Pack
    • CloudAudit: Release Deliverables
      Contains all Compliance Packs, documentation and scripts needed to begin implementation of CloudAudit
      Working with Service Providers and Tool Vendors for Adoption
      Officially folded CloudAudit under the Cloud Security Alliance in October, 2010
      http://www.cloudaudit.org/CloudAudit_Distribution_20100815.zip
    • CloudAudit: Release Deliverables (cont.)
      Request Flow for Users & Tools
    • CloudAudit: Release Deliverables (cont.)
      index.html / default.jsp / etc.
      index.html is for dumb browser consumption
      Typically, the direct human user use case
      It can be omitted if directory browsing is enabled
      It contains JavaScript to look for the manifest.xml file, parse it, and display it as HTML.
      If no manifest.xml exists, it should list the directory contents relevant to the control in question
    • CloudAudit: Release Deliverables (cont.)
      manifest.xml
      Structured listing of control endpoint contents
      Can be extended to provide contextual information
      Primarily aimed at tool consumption
      In Atom format
    • CSA GRC Stack
    • CSA GRC Stack
      Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.
      Provider Assertions
      Private, Community & Public Clouds
      Control Requirements
    • CSA GRC Stack
      • Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of Governance, Risk Management and Compliance (GRC) requirements – success dependent upon:
      • Appropriate assessment criteria; and
      • Relevant control objectives and timely access to necessary supporting data.
      • CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.
      • Integrated suite of 3 CSA initiatives: CloudAudit, Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).
      • Available now for free download at: www.cloudsecurityalliance.org/grcstack.zip
    • CSA GRC Stack: Bringing it all together…
    • CSA GRC Stack: Industry Collaboration & Support
      • International Organization for Standards (ISO)
      • ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy with active CSA representation
      • European Network and Information Security Agency (ENISA)
      • Common Assurance Maturity Model (CAMM)
      • American Institute of Certified Public Accountants (AICPA)
      • Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
      • National Institute of Standards and Technology (NIST)
      • Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)
    • CSA GRC Stack: Industry Collaboration & Support (cont.)
      • Inverse Control Framework Mappings
      • Health Information Trust Alliance (HITRUST)
      • Unified Compliance Framework (UCF)
      • Information Systems Audit and Control Association (ISACA)
      • BITS Shared Assessments SIG/AUP + TG Participation
      • Information Security Forum (ISF)
    • About the Cloud Security Alliance
    • About the Cloud Security Alliance
      Global, not-for-profit organization
      Almost 18,000 individual members, 80 corporate members
      Building best practices and a trusted cloud ecosystem
      Agile philosophy, rapid development of applied research
      GRC: Balance compliance with risk management
      Reference models: build using existing standards
      Identity: a key foundation of a functioning cloud economy
      Champion interoperability
      Advocacy of prudent public policy
      “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
    • Contact
      Help us secure cloud computing
      www.cloudsecurityalliance.org
      info@cloudsecurityalliance.org
      LinkedIn: www.linkedin.com/groups?gid=1864210
      Twitter: @cloudsa
    • Thank You
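The index.html / manifest.xml mechanism from the CloudAudit release deliverables slides above, as an added Python example (not code from the CloudAudit distribution or the slides): it parses a constructed Atom manifest for one control endpoint, renders the entries as an HTML evidence list with every manifest-supplied string escaped and off-endpoint links rejected (the listing is rendered in the consumer's browser from provider-supplied data), and falls back to a directory listing when no manifest.xml exists. The Atom fields used are assumptions, since the slides do not show the CloudAudit manifest schema.

```python
"""Render a CloudAudit-style control endpoint for 'dumb browser' consumption.

Added example, not code from the CloudAudit distribution. It assumes the
manifest.xml is a plain Atom feed (RFC 4287) whose entries point at the
evidence files for one control; the real CloudAudit manifest schema is not
shown on the slides, so the fields used here are assumptions.
"""
import html
import os
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample manifest for one control endpoint (CCM control IS18).
# The second entry title carries markup to show why escaping on render matters.
SAMPLE_MANIFEST = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Control evidence: IS18 Encryption</title>
  <updated>2011-03-01T00:00:00Z</updated>
  <entry>
    <title>Encryption policy (PDF)</title>
    <link rel="alternate" href="encryption-policy.pdf"/>
    <updated>2011-02-15T00:00:00Z</updated>
  </entry>
  <entry>
    <title>Key management procedure &lt;script&gt;alert(1)&lt;/script&gt;</title>
    <link rel="alternate" href="key-mgmt.html"/>
    <updated>2011-02-20T00:00:00Z</updated>
  </entry>
</feed>
"""


def parse_manifest(xml_text):
    """Return (feed_title, [(entry_title, href, updated), ...]) from Atom XML."""
    root = ET.fromstring(xml_text)
    feed_title = root.findtext(ATOM_NS + "title", default="")
    entries = []
    for entry in root.findall(ATOM_NS + "entry"):
        title = entry.findtext(ATOM_NS + "title", default="")
        link = entry.find(ATOM_NS + "link")
        href = link.get("href", "") if link is not None else ""
        updated = entry.findtext(ATOM_NS + "updated", default="")
        entries.append((title, href, updated))
    return feed_title, entries


def is_safe_href(href):
    """Allow only relative links inside this control endpoint: no scheme
    (blocks javascript:/http:), no absolute or protocol-relative path,
    no parent-directory traversal."""
    if not href or ":" in href or "\\" in href or href.startswith("/"):
        return False
    return ".." not in href.split("/")


def render_html(feed_title, entries):
    """Render the evidence list; every manifest-supplied string is escaped."""
    parts = ["<h1>%s</h1>" % html.escape(feed_title), "<ul>"]
    for title, href, updated in entries:
        safe_title = html.escape(title)
        if is_safe_href(href):
            parts.append('<li><a href="%s">%s</a> (updated %s)</li>'
                         % (html.escape(href, quote=True), safe_title,
                            html.escape(updated)))
        else:
            parts.append("<li>%s (link omitted: unsafe href)</li>" % safe_title)
    parts.append("</ul>")
    return "\n".join(parts)


def render_directory(path):
    """Fallback when manifest.xml is absent: list the endpoint's directory."""
    items = "\n".join("<li>%s</li>" % html.escape(n)
                      for n in sorted(os.listdir(path)))
    return "<ul>\n" + items + "\n</ul>"


def render_endpoint(path):
    """What index.html does: look for manifest.xml, else list the directory."""
    manifest = os.path.join(path, "manifest.xml")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as f:
            return render_html(*parse_manifest(f.read()))
    return render_directory(path)
```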