Secure Computing Magazine - SC World Congress 2/7 eConference - Keynote: Securing the cloud


Enterprise end-users are becoming more reliant on cloud computing applications and virtualized environments, in general, to enable the sharing of information with one another more quickly. And while some companies are being cautious with their moves to the cloud, limiting the kinds of information stored and exchanged there, others are taking some risks. What can executives do to better plan and implement security best practices in the cloud? We speak with some experts.


Transcript

  • 1. Keynote address: Securing the cloud
    July 28, 2011
    Phil Agcaoili
    Cloud Security Alliance, Co-founding member
    CSA Cloud Controls Matrix (CCM), Inventor and co-author
    CSA GRC Stack , Co-founder and committee co-chair
    CSA Atlanta Chapter, Founder and Chapter Officer
  • 2. Customers of Cloud
    Enterprises (large-scale services): outsource whole-sale IT services such as payroll, HR/benefits, CRM, help desk/service desk, etc.
    Startups (developers using the Web at scale): Web-based business, SaaS, collaboration services, widget providers, mobile services, and social networking
    Small businesses (using SaaS): online businesses, online presence, collaboration, and enterprise integration
    Enterprises (developers and one-off projects): R&D projects, quick promotions, widgets, online collaboration, partner integration, social networking, and new business ventures
    Firms with compute-intensive tasks: overnight ad placement or transportation calculations
    “If you move your data centre to a cloud provider, it will cost a tenth of the cost.” – Brian Gammage, Gartner Fellow
    “Using cloud infrastructures saves 18% to 29% before considering that you no longer need to buy for peak capacity” - George Reese, founder Valtira and enStratus
    “Web service providers offer APIs that enable developers to exploit functionality over the Internet, rather than delivering full-blown applications.” - Infoworld
  • 3. “In the Cloud, step one is trusting, and that's not security — that's hope.”
    - Andrew Walls, Gartner Group
    You cannot outsource responsibility.
  • 4. Top Threats of Cloud Computing
    CSA Research Study Findings:
    Shared Technology Vulnerabilities
    Data Loss/Data Leakage
    Malicious Insiders
    Interception or Hijacking of Traffic
    Insecure APIs
    Account/Service Hijacking
    Nefarious Use of Service
    HTTP://CLOUDSECURITYALLIANCE.ORG/TOPTHREATS
  • 5. Cloud Security = Loss of Control
    Loss of direct access – in the Cloud you are at least one step removed
    Multi-tenancy – not an issue in private computing, no shared devices or services
    Commingling – will your data be mixed in with other clients? How will it be segregated?
    Resource Pooling – how will resource conflicts be resolved? Who gets first response?
    Ineffective data deletion – if you change providers does your data get destroyed? Unintentional destruction?
    Legal snafus/data exhaust – if Company A has their data subpoenaed and your data is also on the same device, what happens to your data?
    [Diagram: Traditional Security Model vs. New Security Model]
  • 6. Moving to the Cloud
    Assess the business
    Assess the culture
    Assess the value
    Understand your data
    Understand your services
    Understand your processes
    Understand the cloud resources
    Identify candidate data
    Identify candidate services
    Identify candidate processes
    Create a governance strategy
    Bind candidate services to data and processes
    Relocate services, processes, and information
    Implement security
    Implement governance
    Implement operations
    Create a security strategy
  • 7. Secure Adoption of the Cloud
    Understand the threats and the risks
    CSA Guidance
    Identify the asset for the cloud deployment
    Evaluate the asset
    Map the asset to potential cloud deployment models
    Evaluate potential cloud service models and providers
    Sketch the potential data flow
    https://wiki.cloudsecurityalliance.org/guidance
    Mitigating the risks
    Legal contracts and SLAs with Cloud Service Providers (CSPs)
    CSA Atlanta Chapter Project 2 – Contractual Guidance (coming soon)
    Audits, Attestations, and Certifications for Cloud Trust and Assurance
    ISO 27001 Certification
    Amazon
    ISO 27001
    SAS 70 Type II
    FISMA moderate Authority to Operate
    HIPAA - Current customer deployments
    Whitepaper describes the specifics
    http://aws.amazon.com/security
    AICPA SSAE 16 (SOC 1, 2, and 3) / ISAE 3402
    Replaced SAS 70 as of June 2011
    CSA STAR (coming soon) and CSA GRC Stack standards usage
    Microsoft Office 365 (formerly BPOS) ISO27K to CSA CCM Mapping
    http://www.microsoft.com/download/en/details.aspx?id=26647
    CloudAudit
    Cloud Controls Matrix (CCM)
    Consensus Assessments Initiative Questionnaire (CAIQ)
    Cloud Trust Protocol (CTP)
  • 8. CSA Governance, Risk, and Compliance (CSA GRC) Stack
    Suite of tools, best practices and enabling technology
    Consolidate industry research & simplify GRC in the cloud
    For cloud providers, enterprises, solution providers and audit/compliance
    Controls Framework, Questionnaire and Continuous Controls Monitoring Automation
    Simplifies customer and cloud provider attestation to accelerate cloud adoption
    https://cloudsecurityalliance.org/grc-stack
    [Diagram labels: Provider Assertions; Private & Public Clouds; Control Requirements]
  • 9. CSA GRC Stack: Industry Collaboration & Support
    • International Organization for Standards (ISO)
      • ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy
    • European Network and Information Security Agency (ENISA)
      • Common Assurance Maturity Model (CAMM)
    • American Institute of Certified Public Accountants (AICPA)
      • Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
      • Next generation SAS 70 Type I and II attestation
    • National Institute of Standards and Technology (NIST)
      • Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)
    • Inverse Control Framework Mappings
      • Unified Compliance Framework (UCF)
      • Payment Card Industry (PCI) DSS
      • Health Information Trust Alliance (HITRUST)
      • Information Systems Audit and Control Association (ISACA) COBIT
      • BITS Shared Assessments SIG/AUP + TG Participation
      • Information Security Forum (ISF)
  • 10. Challenges for the CAIQ
    Due diligence and contracting represent major obstacles to cloud adoption, with vendors forced to respond to a multitude of similar customer concerns, expressed differently by each prospective customer.
    The CSA Atlanta Chapter legal support group identified the CAIQ as the best starting point for a standardized due diligence tool, but the CAIQ is not yet widely used in due diligence prior to cloud contracting.
    The CAIQ is constructed as a series of yes/no questions, useful for high-level comparisons between vendors.
    Without narrative describing the basis for the response, however, a "yes" or "no" answer to any of the CAIQ's terse, broad questions may have little value or even mislead.
    The CAIQ has not received legal review, and does not address some important legal issues.
  • 11. The CSA Atlanta Chapter Project and Its Value
    Fill out the CAIQ so that it effectively addresses all general legal and risk management issues (i.e., issues not limited to a specific business sector or region) that should arise in the due diligence process.
    Provide supporting narrative complementing the yes/no answers to all questions.
    The value to vendors is that they write a single, comprehensive set of answers to due diligence questions only once (and then keep it updated).
    Prospective customers can use the yes/no answers to make instantaneous vendor comparisons, and then drill deeper into the related narratives.
  • 12. Legal and Contract Issues with Cloud
    “Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach.
    The starting point contractually often favors the vendor, resulting in a potential misalignment with user requirements.” - Gartner
    9 Security Areas to Include in a CSP-related Contract:
    Security
    Data privacy conditions
    Uptime guarantees
    Service-level agreement (SLA) penalties
    SLA penalty exclusions
    Business continuity and disaster recovery
    Suspension of service
    Termination
    Liability
  • 13. philA’s Approach to Using the CSA GRC Stack
    Pre-sales – use the Consensus Assessments Initiative Questionnaire (CAIQ)
    Contracts (MSA) – attach the CAIQ + CCM
    Post-sales assurance and continuous compliance – use CloudAudit to verify contract and pre-sales assertions
    *CSA STAR will support this approach in an official manner.
  • 14. Cloud Back-Out Plan Considerations
    Include provisions for transition assistance, requiring the vendor to assist you with the transition to a new vendor.
    Require the return or secure destruction of all data held by the vendor.
    Retain the right to verify compliance.
    The transition period may last from 30 days to 6 months.
  • 15. Summary
    Adopt Cloud that works for you
    Understand the risks
    Know your limits
    Conduct due diligence
    Use available Cloud Trust and Assurance tools
    Work with your Legal and Procurement teams to ensure contractual obligations exist and are met
  • 16. About the Cloud Security Alliance
    Global, not-for-profit organization
    Over 22,000 individual members, 100 corporate members
    Building good practices and a trusted cloud ecosystem
    Agile philosophy, rapid development of applied research
    GRC: Balance compliance with risk management
    Reference models: build using existing standards
    Identity: a key foundation of a functioning cloud economy
    Champion interoperability
    Advocacy of prudent public policy
    “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
  • 17. Questions and Answers…
    HTTP://CLOUDSECURITYALLIANCE.ORG
    http://cloudsecurityalliance.org/cm
    http://cloudsecurityalliance.org/grc-stack
    https://wiki.cloudsecurityalliance.org/guidance
    http://cloudsecurityalliance.org/topthreats
    http://AICPA.ORG/SOC/
    http://www.opencloudmanifesto.org
    http://www.opengroup.org/jericho
    http://www.nist.gov/itl/cloud/index.cfm
    http://www.microsoft.com/download/en/details.aspx?id=26647
    http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
    CSA LinkedIn: www.linkedin.com/groups?gid=1864210
    Many thanks to:
    Jon Neiditz, Nelson Mullins Riley & Scarborough, for leading the development of the CSA Atlanta Chapter Project 2 (Contractual Guidance) and for some of the material used in today’s presentation.
    David Barton, UHY LLP, for some of the material used in today’s presentation.
    Phil Agcaoili
    Twitter: hacksec