Secure Computing Magazine - SC World Congress 2/7 eConference - Keynote: Securing the cloud

Keynote address: Securing the cloudJuly 28, 2011
Phil Agcaoili
Cloud Security Alliance, Co-founding member
CSA Cloud Controls Matrix (CCM), Inventor and co-author
CSA GRC Stack , Co-founder and committee co-chair
CSA Atlanta Chapter, Founder and Chapter Officer

2
Customers of Cloud
Enterprises – large scale services
Outsource whole-sale IT services such as payroll, HR/benefits, CRM, help desk/service desk, etc.
Startups — developers using Web at scale
Web-based business, SaaS, collaboration services, widget providers, mobile services, and social networking
Small businesses — using SaaS
Online businesses, online presence, collaboration, and enterprise integration
Enterprises — developers and one-off projects
R&D projects, quick promotions, widgets, online collaboration, partner integration, social networking, and new business ventures
Firms — with compute intensive tasks
Overnight ad placement or transportation calculations
“If you move your data centre to a cloud provider, it will cost a tenth of the cost.” – Brian Gammage, Gartner Fellow
“Using cloud infrastructures saves 18% to 29% before considering that you no longer need to buy for peak capacity” - George Reese, founder Valtira and enStratus
“Web service providers offer APIs that enable developers to exploit functionality over the Internet, rather than delivering full-blown applications.” - Infoworld

3
“In the Cloud, step one is trusting, and that's not security — that's hope.”
- Andrew Walls, Gartner Group
You cannot outsource responsibility.

4
Top Threats of Cloud Computing
CSA Research Study Findings:
Shared Technology Vulnerabilities
Data Loss/Data Leakage
Malicious Insiders
Interception or Hijacking of Traffic
Insecure APIs
Account/Service Hijacking
Nefarious Use of Service
HTTP://CLOUDSECURITYALLIANCE.ORG/TOPTHREATS

5
Cloud Security = Loss of Control
Loss of Direct access - In the Cloud you are at least one step removed
Multi-tenancy – not an issue in private computing, no shared devices or services
Commingling – will your data be mixed in with other clients? How will it be segregated?
Resource Pooling – how will resource conflicts be resolved? Who gets first response?
Ineffective data deletion – if you change providers does your data get destroyed? Unintentional destruction?
Legal snafus/data exhaust – if Company A has their data subpoenaed and your data is also on the same device, what happens to your data?
Traditional Security ModelNew Security Model

6
Moving to the Cloud
Assess the business
Assess the culture
Assess the value
Understand your data
Understand your services
Understand your processes
Understand the cloud resources
Identify candidate data
Identify candidate services
Identify candidate processes
Create a governance strategy
Bind candidate services to data and processes
Relocate services, processes, and information
Implement security
Implement governance
Implement operations
Create a security strategy

7
Secure Adoption of the Cloud
Understand the threats and the risks
CSA Guidance
Identify the asset for the cloud deployment
Evaluate the asset
Map the asset to potential cloud deployment models
Evaluate potential cloud service models and providers
Sketch the potential data flow
https://wiki.cloudsecurityalliance.org/guidance
Mitigating the risks
Legal contracts and SLAs with Cloud Service Providers (CSPs)
CSA Atlanta Chapter Project 2 – Contractual Guidance (coming soon)
Audits, Attestations, and Certifications for Cloud Trust and Assurance
ISO 27001 Certification
Amazon
ISO 27001
SAS 70 Type II
FISMA moderate Authority to Operate
HIPAA - Current customer deployments
Whitepaper describes the specifics
http://aws.amazon.com/security
AICPA SSAE 16 (SOC 1, 2, and 3) / ISAE 3402
Replaced SAS 70 as of June 2011
CSA STAR (coming soon) and CSA GRC Stack standards usage
Microsoft Office 365 (formerly BPOS) ISO27K to CSA CCM Mapping
http://www.microsoft.com/download/en/details.aspx?id=26647
CloudAudit
Cloud Controls Matrix (CCM)
Consensus Assessments Initiative Questionnaire (CAIQ)
Cloud Trust Protocol (CTP)

CSA Governance, Risk, and Compliance (CSA GRC) Stack
Provider Assertions
Suite of tools, best practices and enabling technology
Consolidate industry research & simplify GRC in the cloud
For cloud providers, enterprises, solution providers and audit/compliance
Controls Framework, Questionnaire and Continuous Controls Monitoring Automation
Simplifies customer and cloud provider attestation to accelerate cloud adoption
https://cloudsecurityalliance.org/grc-stack
Private & Public Clouds
Control Requirements

CSA GRC StackIndustry Collaboration & Support
International Organization for Standards (ISO)
ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy
European Network and Information Security Agency (ENISA)
Common Assurance Maturity Model (CAMM)
American Institute of Certified Public Accountants (AICPA)
Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
Next generation SAS 70 Type I and II attestation
National Institute of Standards and Technology (NIST)
Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)
Inverse Control Framework Mappings
Unified Compliance Framework (UCF)
Payment Card Industry (PCI) DSS
Health Information Trust Alliance (HITRUST)
Information Systems Audit and Control Association (ISACA) COBIT
BITS Shared Assessments SIG/AUP + TG Participation
Information Security Forum (ISF)

Challenges for the CAIQ
Due Diligence and contracting represent major obstacles to cloud adoption, with vendors forced to respond to a multitude of similar customer concerns, expressed differently by each prospective customer.
The CAIQ was identified by the CSA Atlanta Chapter legal support group as the best beginning for a standardized due diligence tool but the CAIQ is not widely used in the due diligence prior to cloud contracting yet.
The CAIQ is constructed as a series of yes/no questions, useful for high-level comparisons between vendors.
A "yes" or "no" response to any of the CAIQ's terse, broad questions may have little value or even mislead, however, without narrative describing the basis for that response.
The CAIQ has not received legal review, and does not address some important legal issues.

The CSA Atlanta Chapter Project and Its Value
Fill the CAIQ out so that it addresses effectively all general legal and risk management issues (i.e., issues not limited to a specific business sector or region) that should arise in the due diligence process.
Provide for supporting narrative complementing the yes/no answers to all questions.
The value to vendors is that they can write only once (and then update) a single, comprehensive set of answers to due diligence questions.
Prospective customers can use the yes/no answers to make instantaneous vendor comparisons, and then drill deeper into the related narratives.

12
Legal and Contract Issues with Cloud
“Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach.
The starting point contractually often favors the vendor, resulting in a potential misalignment with user requirements.” Gartner
9 Security Areas to Include in CSP-related Contract:
Security
Data privacy conditions
Uptime guarantees
Service-level agreement (SLA) penalties
SLA penalty exclusions
Business continuity and disaster recovery
Suspension of service
Termination
Liability

philA’s Approach to Using the CSA GRC Stack
Pre-sales - Use CAI Questionnaire
Contracts (MSA) – Attach CAIQ + CCM
Post Sales Assurance and Continuous Compliance – Use CloudAudit to verify contract and pre-sales assertions
*CSA STAR will support this approach in an official manner.

14
Cloud Back Out Plan Considerations
Include provisions for transition assistance requiring the vendor to assist you with transition to a new vendor.
Require the return or secure destruction of all data held by vendor.
Have right to verify compliance.
Transition period may last from 30 days to 6 months.

15
Summary
Adopt Cloud that works for you
Understand the risks
Know your limits
Conduct due diligence
Use available Cloud Trust and Assurance tools
Work with your Legal and Procurement teams to ensure contractual obligations exist and are met

16
About the Cloud Security Alliance
Global, not-for-profit organization
Over 22,000 individual members, 100 corporate members
Building good practices and a trusted cloud ecosystem
Agile philosophy, rapid development of applied research
GRC: Balance compliance with risk management
Reference models: build using existing standards
Identity: a key foundation of a functioning cloud economy
Champion interoperability
Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

17
Questions and Answers…
HTTP://CLOUDSECURITYALLIANCE.ORGhttp://cloudsecurityalliance.org/cmhttp://cloudsecurityalliance.org/grc-stackhttps://wiki.cloudsecurityalliance.org/guidancehttp://cloudsecurityalliance.org/topthreatshttp://AICPA.ORG/SOC/http://www.opencloudmanifesto.org
http://www.opengroup.org/jericho
http://www.nist.gov/itl/cloud/index.cfm
http://www.microsoft.com/download/en/details.aspx?id=26647http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
CSA LinkedIn: www.linkedin.com/groups?gid=1864210
Many thanks to:
Jon Neiditz, Nelson Mullins Riley & Scarborough, for leading the development of the CSA Atlanta Chapter Project 2 (Contractual Guidance) and for some of the material used in today’s presentation.
David Barton, UHY LLP, for some of the material used in today’s presentation.
Phil Agcaoili
Twitter: hacksec

Secure Computing Magazine - SC World Congress 2/7 eConference - Keynote: Securing the cloud

by philA Agcaoili on Jul 29, 2011

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 6

Statistics

Secure Computing Magazine - SC World Congress 2/7 eConference - Keynote: Securing the cloud Presentation Transcript

http://www.linkedin.com	3
http://www.techgig.com	2
http://www.techgig.timesjobs.com	1