Governing in the Cloud


Presentation to the CSA Norway Members on February 9th, 2011.


  1. Governing in the Cloud
     - Rolf Frydenberg
     - Joymount AS, Senior Advisor
     - February 9, 2011

  2. Agenda
     - Cloud Security Alliance – general and Norway
     - CSA Cloud Security Guidance
     - NIST Cloud Definition Framework
     - Governance and Enterprise Risk Management
     - Legal and Electronic Discovery
     - Compliance and Audit
     - Information Lifecycle Management
     - Portability and Interoperability
     - Other CSA Domains – Operations
     - Cloud Controls Matrix
     - CSA GRC Stack

  3. About the Cloud Security Alliance
     - Global, not-for-profit organization
     - Over 16,000 individual members, 80 corporate members
     - Building best practices and a trusted cloud ecosystem
     - Agile philosophy, rapid development of applied research
     - GRC: balance compliance with risk management
     - Reference models: build using existing standards
     - Identity: a key foundation of a functioning cloud economy
     - Champion interoperability
     - Advocacy of prudent public policy
     - Mission: “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

  4. What We Did in 2010
     - Threat Research: Top Threats to Cloud Computing; announced at RSA 2010; shared technology vulnerabilities, data loss/leakage, malicious insiders, insecure APIs, etc.
     - Certificate of Cloud Security Knowledge (CCSK): released Sep 1 2010; web-based test for competency in CSA Guidance
     - Trusted Cloud Initiative: cloud security reference architecture, secure and interoperable identity in the cloud, responsibilities for identity providers
     - Cloud Controls Matrix (CCM) Tool: 98 controls derived from guidance, mapped to ISO 27001, COBIT, PCI DSS, HIPAA
     - Consensus Assessment Initiative: research tool and processes to assess cloud providers; V1 released Oct 2010 with 140 provider questions
     - Cloud Audit: open standard and API to automate provider audit assertions; uses CCM
     - CSA GRC Stack: suite of tools, best practices and enabling technology to simplify GRC in the cloud

  5. Plans for 2011
     - CSA Guidance Research: V3 target for Q3 2011; best practices
     - CSA GRC Stack: expand, pilot projects, embed in providers and products
     - Trusted Cloud Initiative: release reference architecture and certifications
     - CloudCERT: consensus research, best practices
     - CCSK: role-specific training, hands-on lab
     - CCM: V2 target 1H 2011; increase mappings, fine-tune controls, ISO engagement
     - Cloud Metrics Research: metrics for each of the 98 controls in CCM; create baseline capability
     - Security as a Service: define it, solution categories, guidance, align with other CSA research

  6. CSA Norway Chapter
     - Established in October 2010
     - 80 individual members (Feb 2011)
     - Board of six directors elected Oct 2011:
       - Rolf Frydenberg, Joymount (president)
       - Geir-Arild Engh-Hellesvik, KPMG (secretary)
       - Lars Egil Sætrang, Promon (treasurer)
       - Helge Skrivervik, Team Mellvik
       - Tor Andre Breivikås, Teleplan
       - Chunming Rong, University of Stavanger
     - First Members’ Meeting in December 2010 (Private vs Public Cloud)
     - Second Members’ Meeting in February 2011 (Compliance in the Cloud)
     - Co-op seminar planned with Dataforeningen (Norwegian Computing Society)
  7. CSA Guidance Research (CSA Guidance 2.1: > 100k downloads)
     - Cloud Architecture
     - Governing the Cloud:
       - Governance and Enterprise Risk Management
       - Legal and Electronic Discovery
       - Compliance and Audit
       - Information Lifecycle Management
       - Portability and Interoperability
     - Operating in the Cloud:
       - Security, Business Continuity, and Disaster Recovery
       - Data Center Operations
       - Incident Response, Notification, Remediation
       - Application Security
       - Encryption and Key Management
       - Identity and Access Management
       - Virtualization

  8. Cloud Reference Architecture (According to NIST)
  9. Governance and Enterprise Risk Management
     - Develop robust information security guidance regardless of the service or delivery model
     - Review information security governance structures and processes, as well as security controls; include the vendor’s complete supply chain!
     - Collaborative governance and risk management as part of development, deployment and operation of services
     - Methods and metrics for measuring performance and effectiveness of security management
     - Determine risk exposure before detailed requirements
     - Risk management through valuation of assets, identification of threats and vulnerabilities; management acceptance of risk levels and options (control, avoid, transfer, accept)
     - Cloud vendors should include measures and controls to assist customers in their risk management

  10. Legal and Electronic Discovery
     - Mutual understanding of each other’s roles and responsibilities related to e-discovery, litigation, searches, etc.
     - Plan for both expected and unexpected termination of agreement
     - Agreement must allow customer and/or third party to monitor service provider’s performance and test for vulnerabilities
     - In many cases there is a requirement to know – down to physical disk – where data is stored
     - Customer must ensure it retains ownership of all data it stores on behalf of its customers and employees
  11. Compliance and Audit
     - The provider’s standard terms and conditions may not address your compliance needs
     - Make sure you have the right and access capabilities to perform audits
     - Determine whether you are subject to compliance regulations with specific Cloud Computing requirements
     - Analyze the impact of regulations regarding data security on use of Cloud Computing
     - Require that the cloud provider has at least a roadmap for ISO/IEC 27001 compliance
     - CSA has called for the whole industry to be ISO/IEC 27002 compliant
     - When selecting an external auditor, ensure they have Cloud Computing knowledge and experience

  12. Information Lifecycle Management
     - Understand how data integrity is maintained and how compromise of integrity is detected and communicated
     - Ensure specific identification of all controls used during the lifecycle of the data
     - Understand circumstances under which storage can be seized by a third party or government entity, and require advance notification of any such action
     - Use a “Default Deny All” policy for all data, applied to all cloud provider personnel and subcontractors, as well as third parties; often preferable to use for your own employees as well
     - Identify trust boundaries throughout the IT architecture and abstraction layers
     - Understand how encryption and key management are handled on multi-tenant storage and other multi-tenant components of the service
  13. Portability and Interoperability
     - Substituting cloud providers is in virtually all cases a negative transaction for at least one party; plan for this from the outset
     - Document the security architecture, configuration and controls
     - IaaS: understand how virtual machine images can be captured and ported; identify and eliminate provider-specific extensions to the VM environment
     - PaaS: use platform components with standard syntax, open APIs and open standards; understand how tools and services like backup/restore, monitoring, logging and audit would transfer to a new vendor
     - SaaS: perform regular data extractions to a format that is usable without the current SaaS provider; understand any custom tools that are developed and configured specially

  14. Other CSA Domains: Operations
     - Security, Business Continuity, Disaster Recovery
     - Data Center Operations
     - Incident Response, Notification, Remediation
     - Application Security
     - Encryption and Key Management
     - Identity and Access Management
     - Virtualization

  15. Cloud Controls Matrix Tool
     - Controls derived from guidance
     - Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
     - Customer vs provider role
     - Mapped to ISO 27001, COBIT, PCI, HIPAA
     - Help bridge the gap for IT & IT auditors

  16. CSA GRC Stack
     - Recent news: CSA GRC Stack – on your USB drive
     - Suite of tools, best practices and enabling technology
     - Consolidate industry research & simplify GRC in the cloud
     - For cloud providers, enterprises, solution providers and audit/compliance
     - Covers: provider assertions; private & public clouds; control requirements

  17. Thanks for listening!
     - Rolf Frydenberg
     - CSA Norway & Joymount AS