Taiye Lambo - Auditing the cloud


  1. Kuwait Info Security Conference: Auditing the Cloud
  2. About Me
     Taiye Lambo, CISSP, CISA, CISM, HISP, ISO 27001 Auditor
     • President & Founder, eFortresses, Inc.
     • Author, Holistic Information Security Practitioner (HISP) Certification Course
     • Founder, Holistic Information Security Practitioner (HISP) Institute – www.hispi.org
     • Founder, UK Honeynet Project – www.honeynet.org.uk
     • Hybrid technical and business information security practitioner, with 14 years Information Security experience, including:
       – Delivered critical BS 7799, ISO 17799, ISO 27002 & ISO 27001 consulting engagements to various clients in the Manufacturing, Government, Financial Services and Healthcare sectors in the UK and US.
       – Presented at security events including conferences organized by ISSA, InfraGard, ISACA, CPM, HITRUST and SOFE.
  3. Caveats and Disclaimers
     • This presentation provides education on cloud technology and its benefits to set up a discussion of cloud security
     • It is NOT intended to provide official eFortresses and/or NIST guidance, and NIST does not make policy
     • Any mention of a vendor or product is NOT an endorsement or recommendation
     Citation Note: Most sources for the material in this presentation are included within the PowerPoint slides
  4. Cloud Computing Quotes from Vivek Kundra (Federal CIO)
     "The cloud will do for government what the Internet did in the 90s," he said. "We're interested in consumer technology for the enterprise," Kundra added. "It's a fundamental change to the way our government operates by moving to the cloud. Rather than owning the infrastructure, we can save millions."
     http://www.nextgov.com/nextgov/ng_20081126_1117.php
  5. Agenda
     Part I: Effective and Secure Use
     • Understanding Cloud Computing
     • Cloud Computing Case Studies
     Part II: Cloud Auditing Best Practices
     • ENISA
     • CSA
     • Microsoft
     • CloudeAssurance
  6. Part I: Effective and Secure Use
  7. Understanding Cloud Computing
     Origin of the term "Cloud Computing"
     • "Comes from the early days of the Internet where we drew the network as a cloud… we didn't care where the messages went… the cloud hid it from us" – Kevin Marks, Google
     • First cloud around networking (TCP/IP abstraction)
     • Second cloud around documents (WWW data abstraction)
     • The emerging cloud abstracts infrastructure complexities of servers, applications, data, and heterogeneous platforms ("muck", as Amazon's CEO Jeff Bezos calls it)
     Jeff Bezos' quote: http://news.cnet.com/8301-13953_3-9977100-80.html?tag=mncol
     Kevin Marks quote: http://news.cnet.com/8301-13953_3-9938949-80.html?tag=mncol (video interview)
  8. A Working Definition of Cloud Computing
     • Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
     • This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
  9. Five Essential Cloud Characteristics (diagram)
  10. Three Cloud Service Models
      • Cloud Software as a Service (SaaS) – Use provider's applications over a network
      • Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud
      • Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources
      • To be considered "cloud" they must be deployed on top of cloud infrastructure that has the key characteristics
  11. Service Model Architectures (diagram)
      • Software as a Service (SaaS) architectures: SaaS built on PaaS and IaaS layers over cloud infrastructure
      • Platform as a Service (PaaS) architectures: PaaS built on an IaaS layer over cloud infrastructure
      • Infrastructure as a Service (IaaS) architectures: IaaS directly over cloud infrastructure
  12. NIST Four Cloud Deployment Models
      • Private cloud – enterprise owned or leased
      • Community cloud – shared infrastructure for specific community
      • Public cloud – sold to the public, mega-scale infrastructure
      • Hybrid cloud – composition of two or more clouds
  13. The NIST Cloud Definition Framework (diagram)
      • Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
      • Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
      • Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
      • Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
  14. Jericho Forum's Cloud Cube Deployment Model (diagram)
  15. General Security Advantages
      • Shifting public data to an external cloud reduces the exposure of the internal sensitive data
      • Cloud homogeneity makes security auditing/testing simpler
      • Clouds enable automated security management
      • Redundancy / Disaster Recovery
  16. Cloud Computing Case Studies and Security Models
  17. Google Cloud User: City of Washington D.C.
      • Vivek Kundra, former CTO for DC (now Federal CIO)
      • Migrating 38,000 employees to Google Apps
      • Replace office software
        – Gmail
        – Google Docs (word processing and spreadsheets)
        – Google video for business
        – Google sites (intranet sites and wikis)
      • "It's a fundamental change to the way our government operates by moving to the cloud. Rather than owning the infrastructure, we can save millions." – Mr. Kundra
      • 500,000+ organizations use Google Apps
  18. Case Study: Facebook's Use of Open Source and Commodity Hardware (8/08)
      • Jonathan Heiliger, Facebook's vice president of technical operations
      • 80 million users + 250,000 new users per day
      • 50,000 transactions per second, 10,000+ servers
      • Built on open source software
        – Web and App tier: Apache, PHP, AJAX
        – Middleware tier: Memcached (open source caching)
        – Data tier: MySQL (open source DB)
      • Thousands of DB instances store data in distributed fashion (avoids collisions of many users accessing the same DB)
      • "We don't need fancy graphics chips and PCI cards," he said. "We need one USB port and optimized power and airflow. Give me one CPU, a little memory and one power supply. If it fails, I don't care. We are solving the redundancy problem in software."
      Data taken from CNET news article and interview 8/18/08: http://news.cnet.com/8301-13953_3-10027064-80.html?tag=mncol
  19. Amazon Cloud Users: New York Times and Nasdaq (4/08)
      • Both companies used Amazon's cloud offering
      • New York Times
        – Didn't coordinate with Amazon, used a credit card!
        – Used EC2 and S3 to convert 15 million scanned news articles to PDF (4TB data)
        – Took 100 Linux computers 24 hours (would have taken months on NYT computers)
        – "It was cheap experimentation, and the learning curve isn't steep." – Derrick Gottfrid, New York Times
      • Nasdaq
        – Uses S3 to deliver historic stock and fund information
        – Millions of files showing price changes of entities over 10 minute segments
        – "The expenses of keeping all that data online [in Nasdaq servers] was too high." – Claude Courbois, Nasdaq VP
        – Created lightweight Adobe AIR application to let users view data
      Source: Infoworld article (availability zones and elastic IP), http://www.infoworld.com/article/08/03/27/Amazon-adds-resilience-to-cloud-computing_1.html
  20. Case Study: Salesforce.com in Government
      • 5,000+ Public Sector and Nonprofit Customers use Salesforce Cloud Computing Solutions
      • President Obama's Citizen's Briefing Book, based on the Salesforce.com Ideas application
        – Concept to live in three weeks
        – 134,077 registered users
        – 1.4 M votes
        – 52,015 ideas
        – Peak traffic of 149 hits per second
      • US Census Bureau uses Salesforce.com cloud application
        – Project implemented in under 12 weeks
        – 2,500+ partnership agents use Salesforce.com for 2010 decennial census
        – Allows projects to scale from 200 to 2,000 users overnight to meet peak periods with no capital expenditure
      Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop-microsoft-for-web-apps.ars
      Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php
  21. Case Study: Salesforce.com in Government
      • New Jersey Transit wins InfoWorld 100 Award for its Cloud Computing Project
        – Uses Salesforce.com to run their call center, incident management, complaint tracking, and service portal
        – 600% more inquiries handled
        – 0 new agents required
        – 36% improved response time
      • U.S. Army uses Salesforce CRM for cloud-based recruiting
        – U.S. Army needed a new tool to track potential recruits who visited its Army Experience Center.
        – Uses Salesforce.com to track all core recruitment functions, which allows the Army to save time and resources.
      Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop-microsoft-for-web-apps.ars
      Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php
  22. Part II: Cloud Audit Best Practices
  23. ENISA
  24. ENISA – Information Assurance Requirements: Personnel Security
      The majority of questions relating to personnel will be similar to those you would ask your own IT personnel or other personnel who are dealing with your IT. As with most assessments, there is a balance between the risks and the cost.
      • What policies and procedures do you have in place when hiring your IT administrators or others with system access? These should include:
        o pre-employment checks (identity, nationality or status, employment history and references, criminal convictions, and vetting (for senior personnel in high privilege roles)).
      • Are there different policies depending on where the data is stored or applications are run?
        o For example, hiring policies in one region may be different from those in another.
        o Practices need to be consistent across regions.
        o It may be that sensitive data is stored in one particular region with appropriate personnel.
      • What security education program do you run for all staff?
      • Is there a process of continuous evaluation?
        o How often does this occur?
        o Further interviews
        o Security access and privilege reviews
        o Policy and procedure reviews.
  25. ENISA – Supply-Chain Assurance
      The following questions apply where the cloud provider subcontracts some operations that are key to the security of the operation to third parties (e.g., a SaaS provider outsourcing the underlying platform to a third party provider, a cloud provider outsourcing the security services to a managed security services provider, use of an external provider for identity management of operating systems, etc). It also includes third parties with physical or remote access to the cloud provider infrastructure. It is assumed that this entire questionnaire may be applied recursively to third (or nth) party cloud service providers.
      • Define those services that are outsourced or subcontracted in your service delivery supply chain which are key to the security (including availability) of your operations.
      • Detail the procedures used to assure third parties accessing your infrastructure (physical and/or logical).
        o Do you audit your outsourcers and subcontractors, and how often?
      • Are any SLA provisions guaranteed by outsourcers lower than the SLAs you offer to your customers? If not, do you have supplier redundancy in place?
      • What measures are taken to ensure third party service levels are met and maintained?
      • Can the cloud provider confirm that security policy and controls are applied (contractually) to their third party providers?
  26. ENISA – Operational Security
      It is expected that any commercial agreement with external providers will include service levels for all network services. However, in addition to the defined agreements, the end customer should still ensure that the provider employs appropriate controls to mitigate unauthorized disclosure.
      • Detail your change control procedure and policy. This should also include the process used to re-assess risks as a result of changes and clarify whether the outputs are available to end customers.
      • Define the remote access policy.
      • Does the provider maintain documented operating procedures for information systems?
      • Is there a staged environment to reduce risk, e.g., development, test and operational environments, and are they separated?
      • Define the host and network controls employed to protect the systems hosting the applications and information for the end customer. These should include details of certification against external standards (e.g., ISO 27001/2).
      • Specify the controls used to protect against malicious code.
      • Are secure configurations deployed to only allow the execution of authorized mobile code and authorized functionality (e.g., only execute specific commands)?
      • Detail policies and procedures for backup. This should include procedures for the management of removable media and methods for securely destroying media no longer required. (Depending on his business requirements, the customer may wish to put in place an independent backup strategy. This is particularly relevant where time-critical access to back-up is required.)
  27. ENISA – Operational Security
      Audit logs are used in the event of an incident requiring investigation; they can also be used for troubleshooting. For these purposes, the end customer will need assurance that such information is available:
      • Can the provider detail what information is recorded within audit logs?
        o For what period is this data retained?
        o Is it possible to segment data within audit logs so they can be made available to the end customer and/or law enforcement without compromising other customers and still be admissible in court?
        o What controls are employed to protect logs from unauthorized access or tampering?
        o What method is used to check and protect the integrity of audit logs?
      • How are audit logs reviewed?
      • What recorded events result in action being taken?
      • What time source is used to synchronize systems and provide accurate audit log time stamping?
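One way a provider can answer the segmentation and integrity questions above, as an added example that is not code from the slides or from ENISA: each tenant's records form their own HMAC chain, so one customer's log can be exported on its own and any edit, removal or truncation shows up on re-verification. The log key, tenant names and events are constructed placeholders.

```python
"""Tenant-segmented, hash-chained audit log (added example; this is not code
from the slides or from ENISA). Each tenant's records form their own HMAC
chain, so one customer's log can be exported for that customer or for law
enforcement without exposing other tenants, and any edit, removal or
reordering of records is detectable when the chain is re-verified."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: in a real deployment this key lives in an HSM or a separate
# system, as slide 35 asks. The constant is a constructed placeholder.
LOG_KEY = b"constructed-example-key-do-not-reuse"


class TenantAuditLog:
    """Append-only log; each tenant's records are an independent HMAC chain."""

    def __init__(self, key: bytes = LOG_KEY) -> None:
        self._key = key
        self._chains: Dict[str, List[dict]] = {}

    @staticmethod
    def _canonical(record: dict) -> bytes:
        # Sorted keys and fixed separators give a stable byte form to MAC.
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, record: dict, prev_tag: str) -> str:
        # The tag covers the previous tag, which links the records together.
        payload = prev_tag.encode() + b"|" + self._canonical(record)
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, tenant: str, actor: str, action: str, target: str,
               when: Optional[datetime] = None) -> dict:
        chain = self._chains.setdefault(tenant, [])
        prev_tag = chain[-1]["tag"] if chain else "GENESIS"
        # Timestamps are normalised to UTC; the clock itself should come from
        # the synchronised time source the slide asks the provider about.
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
        record = {
            "seq": len(chain),
            "ts": ts.isoformat(timespec="seconds"),
            "tenant": tenant,
            "actor": actor,
            "action": action,
            "target": target,
        }
        entry = {**record, "tag": self._tag(record, prev_tag)}
        chain.append(entry)
        return entry

    def head(self, tenant: str) -> Optional[str]:
        """Latest tag; publish or escrow it so silent truncation is visible."""
        chain = self._chains.get(tenant, [])
        return chain[-1]["tag"] if chain else None

    def export(self, tenant: str) -> List[dict]:
        """Segmented export: only this tenant's records, verifiable alone."""
        return [dict(e) for e in self._chains.get(tenant, [])]

    def verify(self, entries: List[dict], head: Optional[str] = None) -> Tuple[bool, int]:
        """Recompute the chain. Returns (ok, index of the first bad record or -1)."""
        prev_tag = "GENESIS"
        for i, entry in enumerate(entries):
            record = {k: v for k, v in entry.items() if k != "tag"}
            if record.get("seq") != i:
                return False, i  # a record was removed or reordered
            if not hmac.compare_digest(self._tag(record, prev_tag), entry.get("tag", "")):
                return False, i  # content or link tampered with
            prev_tag = entry["tag"]
        if head is not None and prev_tag != head:
            return False, len(entries)  # trailing records were dropped
        return True, -1


def demo() -> dict:
    """Constructed scenario: two tenants, then an edit and a truncation."""
    log = TenantAuditLog()
    t0 = datetime(2011, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.append("tenant-a", "alice", "vm.start", "vm-17", t0)
    log.append("tenant-b", "bob", "key.rotate", "key-3", t0)
    log.append("tenant-a", "alice", "vm.delete", "vm-17", t0)
    head = log.head("tenant-a")
    clean = log.export("tenant-a")
    edited = log.export("tenant-a")
    edited[1]["action"] = "vm.stop"            # record content altered
    truncated = log.export("tenant-a")[:1]     # the deletion record dropped
    return {
        "segmented": all(e["tenant"] == "tenant-a" for e in clean),
        "clean": log.verify(clean, head),
        "edited": log.verify(edited, head),
        "truncated": log.verify(truncated, head),
    }
```

Without the escrowed head tag, a chain that has simply lost its last records still verifies, which is why the head must be stored somewhere the log writer cannot alter.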
  28. ENISA – Software Assurance
      • Define controls used to protect the integrity of the operating system and applications software used. Include any standards that are followed, e.g., OWASP (46), SANS Checklist (47), SAFECode (48).
      • How do you validate that new releases are fit-for-purpose or do not have risks (backdoors, Trojans, etc)? Are these reviewed before use?
      • What practices are followed to keep the applications safe?
      • Is a software release penetration tested to ensure it does not contain vulnerabilities? If vulnerabilities are discovered, what is the process for remedying these?
      Patch Management
      • Provide details of the patch management procedure followed.
      • Can you ensure that the patch management process covers all layers of the cloud delivery technologies – i.e., network (infrastructure components, routers and switches, etc), server operating systems, virtualization software, applications and security subsystems (firewalls, antivirus gateways, intrusion detection systems, etc)?
  29. ENISA – Network Architecture Controls
      • Define the controls used to mitigate DDoS (distributed denial-of-service) attacks.
        o Defense in depth (deep packet analysis, traffic throttling, packet black-holing, etc)
        o Do you have defenses against 'internal' (originating from the cloud provider's networks) attacks as well as external (originating from the Internet or customer networks) attacks?
      • What levels of isolation are used?
        o for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.
      • Does the architecture support continued operation from the cloud when the company is separated from the service provider and vice versa (e.g., is there a critical dependency on the customer LDAP system)?
      • Is the virtual network infrastructure used by cloud providers (in PVLANs and VLAN tagging 802.1q (49) architecture) secured to vendor and/or best practice specific standards (e.g., are MAC spoofing, ARP poisoning attacks, etc, prevented via a specific security configuration)?
  30. ENISA – Host Architecture
      • Does the provider ensure virtual images are hardened by default?
      • Is the hardened virtual image protected from unauthorized access?
      • Can the provider confirm that the virtualized image does not contain the authentication credentials?
      • Is the host firewall run with only the minimum ports necessary to support the services within the virtual instance?
      • Can a host-based intrusion prevention service (IPS) be run in the virtual instance?
  31. ENISA – PaaS – Application Security
      Generally speaking, PaaS service providers are responsible for the security of the platform software stack, and the recommendations throughout this document are a good foundation for ensuring a PaaS provider has considered security principles when designing and managing their PaaS platform. It is often difficult to obtain detailed information from PaaS providers on exactly how they secure their platforms – however the following questions, along with other sections within this document, should be of assistance in assessing their offerings.
      • Request information on how multi-tenanted applications are isolated from each other – a high level description of containment and isolation measures is required.
      • What assurance can the PaaS provider give that access to your data is restricted to your enterprise users and to the applications you own?
      • The platform architecture should be classic 'sandbox' – does the provider ensure that the PaaS platform sandbox is monitored for new bugs and vulnerabilities?
      • PaaS providers should be able to offer a set of security features (re-useable amongst their clients) – do these include user authentication, single sign on, authorization (privilege management), and SSL/TLS (made available via an API)?
  32. ENISA – SaaS – Application Security
      The SaaS model dictates that the provider manages the entire suite of applications delivered to end-users. Therefore SaaS providers are mainly responsible for securing these applications. Customers are normally responsible for operational security processes (user and access management). However the following questions, along with other sections within this document, should assist in assessing their offerings:
      • What administration controls are provided and can these be used to assign read and write privileges to other users?
      • Is the SaaS access control fine grained and can it be customized to your organization's policy?
      Resource Provisioning
      • In the event of resource overload (processing, memory, storage, network)?
        o What information is given about the relative priority assigned to my request in the event of a failure in provisioning?
        o Is there a lead time on service levels and changes in requirements?
      • How much can you scale up? Does the provider offer guarantees on maximum available resources within a minimum period?
      • How fast can you scale up? Does the provider offer guarantees on the availability of supplementary resources within a minimum period?
      • What processes are in place for handling large-scale trends in resource usage (e.g., seasonal effects)?
  33. ENISA – Identity and Access Management
      The following controls apply to the cloud provider's identity and access management systems (those under their control):
      Authorization
      • Do any accounts have system-wide privileges for the entire cloud system and, if so, for what operations (read/write/delete)?
      • How are the accounts with the highest level of privilege authenticated and managed?
      • How are the most critical decisions (e.g., simultaneous de-provisioning of large resource blocks) authorized (single or dual, and by which roles within the organization)?
      • Are any high-privilege roles allocated to the same person? Does this allocation break the segregation of duties or least privilege rules?
      • Do you use role-based access control (RBAC)? Is the principle of least privilege followed?
      • What changes, if any, are made to administrator privileges and roles to allow for extraordinary access in the event of an emergency?
      • Is there an 'administrator' role for the customer? For example, does the customer administrator have a role in adding new users (but without allowing him to change the underlying storage!)?
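The authorization questions above can be checked mechanically against a role table. This added example (not code from the slides or ENISA; the roles, conflict pairs and people are constructed) shows an RBAC decision point that enforces least privilege, reports segregation-of-duties violations for an auditor, and requires a second person with an approving role before a large de-provisioning goes ahead.

```python
"""RBAC decision point with least privilege, segregation of duties (SoD) and
dual authorization for critical operations (added example; the roles, rule
tables and people below are constructed, not from the slides or ENISA)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Role -> operations it may perform. No single role spans customer-user
# administration and storage administration, which is the least-privilege
# split slide 33 asks about.
ROLES: Dict[str, Set[str]] = {
    "tenant-admin": {"user.add", "user.remove"},
    "storage-admin": {"volume.resize", "volume.delete"},
    "capacity-admin": {"deprovision.block"},
    "approver": {"approve.deprovision"},
    "auditor": {"log.read"},
}

# Role pairs that must never be held by the same person (segregation of duties).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"capacity-admin", "approver"}),     # cannot request and approve
    frozenset({"tenant-admin", "storage-admin"}),  # customer admin must not touch storage
}

# Critical operations and the role a second, different person must hold.
DUAL_CONTROL: Dict[str, str] = {"deprovision.block": "approver"}


@dataclass
class Request:
    actor: str
    operation: str
    approver: Optional[str] = None


class AccessPolicy:
    def __init__(self, assignments: Dict[str, Set[str]]) -> None:
        self.assignments = assignments  # person -> roles held

    def sod_violations(self) -> List[Tuple[str, FrozenSet[str]]]:
        """Who holds a conflicting pair of roles; an auditor reviews this list."""
        return [(person, pair) for person, roles in self.assignments.items()
                for pair in SOD_CONFLICTS if pair <= roles]

    def permitted_ops(self, person: str) -> Set[str]:
        ops: Set[str] = set()
        for role in self.assignments.get(person, set()):
            ops |= ROLES.get(role, set())
        return ops

    def decide(self, req: Request) -> Tuple[bool, str]:
        if req.operation not in self.permitted_ops(req.actor):
            return False, "denied: actor holds no role permitting this operation"
        needed = DUAL_CONTROL.get(req.operation)
        if needed is None:
            return True, "allowed"
        if req.approver is None:
            return False, "denied: dual control requires an approver"
        if req.approver == req.actor:
            return False, "denied: approver must be a different person"
        if needed not in self.assignments.get(req.approver, set()):
            return False, f"denied: approver lacks the {needed} role"
        return True, "allowed with dual authorization"


def demo() -> dict:
    """Constructed assignments, including two that break segregation of duties."""
    policy = AccessPolicy({
        "alice": {"capacity-admin"},
        "bob": {"approver"},
        "carol": {"tenant-admin"},
        "dave": {"tenant-admin", "storage-admin"},   # SoD violation
        "eve": {"capacity-admin", "approver"},       # could self-approve: violation
    })
    return {
        "sod": sorted(p for p, _ in policy.sod_violations()),
        "no_approver": policy.decide(Request("alice", "deprovision.block"))[0],
        "self_approve": policy.decide(Request("alice", "deprovision.block", "alice"))[0],
        "wrong_approver": policy.decide(Request("alice", "deprovision.block", "carol"))[0],
        "dual_ok": policy.decide(Request("alice", "deprovision.block", "bob"))[0],
        "carol_storage": policy.decide(Request("carol", "volume.delete"))[0],
        "carol_users": policy.decide(Request("carol", "user.add"))[0],
    }
```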
  34. ENISA – Identity Provisioning
      • What checks are made on the identity of user accounts at registration? Are any standards followed? For example, the e-Government Interoperability Framework?
      • Are there different levels of identity checks based on the resources required?
      • What processes are in place for de-provisioning credentials?
      • Are credentials provisioned and de-provisioned simultaneously throughout the cloud system, or are there any risks in de-provisioning them across multiple geographically distributed locations?
      Management of Personal Data
      • What data storage and protection controls apply to the user directory (e.g., AD, LDAP) and access to it?
      • Is user directory data exportable in an interoperable format?
      • Is need-to-know the basis for access to customer data within the cloud provider?
  35. ENISA – Key Management
      For keys under the control of the cloud provider:
      • Are security controls in place for reading and writing those keys? For example, strong password policies, keys stored in a separate system, hardware security modules (HSM) for root certificate keys, smart card based authentication, direct shielded access to storage, short key lifetime, etc.
      • Are security controls in place for using those keys to sign and encrypt data?
      • Are procedures in place in the event of a key compromise? For example, key revocation lists. Is key revocation able to deal with simultaneity issues for multiple sites?
      • Are customer system images protected or encrypted?
      Encryption
      • Encryption can be used in multiple places – where is it used?
        o data in transit
        o data at rest
        o data in processor or memory?
        o usernames and passwords?
      • Is there a well-defined policy for what should be encrypted and what should not be encrypted?
      • Who holds the access keys? How are the keys protected?
  36. ENISA – Authentication
      • What forms of authentication are used for operations requiring high assurance? This may include login to management interfaces, key creation, access to multiple-user accounts, firewall configuration, remote access, etc.
      • Is two-factor authentication used to manage critical components within the infrastructure, such as firewalls, etc?
      Credential Compromise or Theft
      • Do you provide anomaly detection (the ability to spot unusual and potentially malicious IP traffic and user or support team behavior)? For example, analysis of failed and successful logins, unusual time of day, and multiple logins, etc.
      • What provisions exist in the event of the theft of a customer's credentials (detection, revocation, evidence for actions)?
      Identity and Access Management Systems Offered to the Cloud Customer
      The following questions apply to the identity and access management systems which are offered by the cloud provider for use and control by the cloud customer:
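The anomaly-detection question above names three signals: failed-then-successful logins, unusual time of day, and multiple logins. This added example (not code from the slides or ENISA) runs those three checks over constructed login records; the line format, thresholds, office-hours baseline and the RFC 5737 test addresses are all assumptions for the example.

```python
"""Credential-compromise anomaly detection over login events (added example;
the log format, thresholds and sample lines are constructed, not from the
slides or ENISA). It flags the three patterns slide 36 names: a burst of
failed logins followed by a success, a login at an unusual time of day, and
multiple logins for one account from different sources in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed line format: ISO-8601 UTC time, user, source IP, result.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "ok": m["result"] == "OK"}


def detect(lines: List[str], usual_hours: Dict[str, Set[int]],
           fail_threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Return one alert dict per anomaly; each successful login is judged
    against the same user's events in the preceding window."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted((parse(l) for l in lines), key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)
    alerts: List[dict] = []
    for user, events in by_user.items():
        for i, e in enumerate(events):
            if not e["ok"]:
                continue  # only successes are scored; failures are context
            recent = [x for x in events[:i] if e["ts"] - x["ts"] <= window]
            fails = sum(1 for x in recent if not x["ok"])
            if fails >= fail_threshold:
                alerts.append({"user": user, "kind": "failures-then-success",
                               "ts": e["ts"], "detail": f"{fails} failures before success"})
            hours = usual_hours.get(user)
            if hours is not None and e["ts"].hour not in hours:
                alerts.append({"user": user, "kind": "unusual-hour",
                               "ts": e["ts"], "detail": f"login at {e['ts'].hour:02d}:00 UTC"})
            sources = {x["ip"] for x in recent if x["ok"]} | {e["ip"]}
            if len(sources) > 1:
                alerts.append({"user": user, "kind": "multiple-source-logins",
                               "ts": e["ts"], "detail": ", ".join(sorted(sources))})
    return alerts


# Constructed sample: alice's account sees six failures and then a success at
# 02:10 UTC; bob's account is used from two addresses three minutes apart;
# carol is normal. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LINES = [
    f"2011-03-01T02:10:{s:02d}Z user=alice ip=203.0.113.5 result=FAIL" for s in range(0, 60, 10)
] + [
    "2011-03-01T02:11:00Z user=alice ip=203.0.113.5 result=OK",
    "2011-03-01T09:00:00Z user=bob ip=198.51.100.7 result=OK",
    "2011-03-01T09:03:00Z user=bob ip=203.0.113.9 result=OK",
    "2011-03-01T10:00:00Z user=carol ip=198.51.100.20 result=OK",
]
OFFICE_HOURS = {u: set(range(8, 18)) for u in ("alice", "bob", "carol")}


def demo() -> Dict[str, List[str]]:
    """Alert kinds per user for the constructed sample."""
    out: Dict[str, List[str]] = defaultdict(list)
    for a in detect(SAMPLE_LINES, OFFICE_HOURS):
        out[a["user"]].append(a["kind"])
    return {u: sorted(k) for u, k in out.items()}
```

The per-user baseline (office hours here) is what makes the time-of-day check meaningful; a provider that cannot describe where such a baseline comes from is unlikely to be able to answer the question on the slide.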
  37. ENISA – Identity Management Frameworks
      • Does the system allow for a federated IDM infrastructure which is interoperable both for high assurance (OTP systems, where required) and low assurance (e.g., username and password)?
      • Is the cloud provider interoperable with third party identity providers?
      • Is there the ability to incorporate single sign-on?
      Access Control
      • Does the client credential system allow for the separation of roles and responsibilities and for multiple domains (or a single key for multiple domains, roles and responsibilities)?
      • How do you manage access to customer system images – and ensure that the authentication and cryptographic keys are not contained within them?
      Authentication
      • How does the cloud provider identify itself to the customer (i.e., is there mutual authentication)?
        o when the customer sends API commands?
        o when the customer logs into the management interface?
      • Do you support a federated mechanism for authentication?
  38. ENISA – Asset Management
      It is important to ensure the provider maintains a current list of hardware and software (applications) assets under the cloud provider's control. This enables checks that all systems have appropriate controls employed, and that systems cannot be used as a backdoor into the infrastructure.
      • Does the provider have an automated means to inventory all assets, which facilitates their appropriate management?
      • Is there a list of assets that the customer has used over a specific period of time?
      The following questions are to be used where the end customer is deploying data that would require additional protection (i.e., deemed as sensitive).
      • Are assets classified in terms of sensitivity and criticality?
        o If so, does the provider employ appropriate segregation between systems with different classifications and for a single customer who has systems with different security classifications?
  39. ENISA – Data and Services Portability
      This set of questions should be considered in order to understand the risks related to vendor lock-in.
      • Are there documented procedures and APIs for exporting data from the cloud?
      • Does the vendor provide interoperable export formats for all data stored within the cloud?
      • In the case of SaaS, are the API interfaces used standardized?
      • Are there any provisions for exporting user-created applications in a standard format?
      • Are there processes for testing that data can be exported to another cloud provider – should the client wish to change provider, for example?
      • Can the client perform their own data extraction to verify that the format is universal and is capable of being migrated to another cloud provider?
  40. ENISA – Business Continuity Management
      Providing continuity is important to an organization. Although it is possible to set service level agreements detailing the minimum amount of time systems are available, there remain a number of additional considerations.
      • Does the provider maintain a documented method that details the impact of a disruption?
        o What are the RPO (recovery point objective) and RTO (recovery time objective) for services? Detail according to the criticality of the service.
        o Are information security activities appropriately addressed in the restoration process?
        o What are the lines of communication to end customers in the event of a disruption?
        o Are the roles and responsibilities of teams clearly identified when dealing with a disruption?
      • Has the provider categorized the priority for recovery, and what would be our relative priority (the end customer) to be restored? Note: this may be a category (HIGH/MED/LOW).
      • What dependencies relevant to the restoration process exist? Include suppliers and outsource partners.
      • In the event of the primary site being made unavailable, what is the minimum separation for the location of the secondary site?
  41. ENISA – Incident Management and Response
      Incident management and response is a part of business continuity management. The goal of this process is to contain the impact of unexpected and potentially disrupting events to an acceptable level for an organization.
      To evaluate the capacity of an organization to minimize the probability of occurrence or reduce the negative impact of an information security incident, the following questions should be asked to a cloud provider:
      • Does the provider have a formal process in place for detecting, identifying, analyzing and responding to incidents?
      • Is this process rehearsed to check that incident handling processes are effective? Does the provider also ensure, during the rehearsal, that everyone within the cloud provider's support organization is aware of the processes and of their roles during incident handling (both during the incident and post analysis)?
      • How are the detection capabilities structured?
        o How can the cloud customer report anomalies and security events to the provider?
        o What facilities does the provider allow for customer-selected third party RTSM services to intervene in their systems (where appropriate) or to co-ordinate incident response capabilities with the cloud provider?
        o Is there a real time security monitoring (RTSM) service in place? Is the service outsourced? What kind of parameters and services are monitored?
        o Do you provide (upon request) a periodical report on security incidents (e.g., according to the ITIL definition)?
        o For how long are the security logs retained? Are those logs securely stored? Who has access to the logs?
        o Is it possible for the customer to build a HIPS/HIDS in the virtual machine image? Is it possible to integrate the information collected by the intrusion detection and prevention systems of the customer into the RTSM service of the cloud provider or that of a third party?
  42. ENISA – Incident Management and Response
      • How are severity levels defined? How are escalation procedures defined? When (if ever) is the cloud customer involved?
      • How are incidents documented and evidence collected?
      • Besides authentication, accounting and audit, what other controls are in place to prevent (or minimize the impact of) malicious activities by insiders?
      • Does the provider offer the customer (upon request) a forensic image of the virtual machine?
      • Does the provider collect incident metrics and indicators (i.e., number of detected or reported incidents per month, number of incidents caused by the cloud provider's subcontractors and the total number of such incidents, average time to respond and to resolve, etc)?
        o Which of these does the provider make publicly available (NB not all incident reporting data can be made public since it may compromise customer confidentiality and reveal security critical information)?
      • How often does the provider test disaster recovery and business continuity plans?
      • Does the provider collect data on the levels of satisfaction with SLAs?
      • Does the provider carry out help desk tests? For example:
        o Impersonation tests (is the person at the end of the phone requesting a password reset really who they say they are?) or so called 'social engineering' attacks.
  43. ENISA – Incident Management and Response
      • Does the provider carry out penetration testing? How often?
      • What is actually tested during the penetration test – for example, do they test the security isolation of each image to ensure it is not possible to 'break out' of one image into another and also gain access to the host infrastructure? The tests should also check to see if it is possible to gain access, via the virtual image, to the cloud provider's management and support systems (e.g., the provisioning and admin access control systems).
      • Does the provider carry out vulnerability testing? How often?
      • What is the process for rectifying vulnerabilities (hot fixes, re-configuration, uplift to later versions of software, etc)?
44. 44. ENISA: PHYSICAL SECURITY
As with personnel security, many of the potential issues arise because the IT infrastructure is under the control of a third party. As with traditional outsourcing, a physical security breach can have an impact on multiple customers (organizations).
• What assurance can you provide to the customer regarding the physical security of the location? Please provide examples, and any standards that are adhered to, e.g., Section 9 of ISO 27001/2.
 o Who, other than authorized IT personnel, has unescorted (physical) access to IT infrastructure? For example, cleaners, managers, 'physical security' staff, contractors, consultants, physical security vendors, etc.
 o How often are access rights reviewed? How quickly can access rights be revoked?
 o Do you assess security risks and evaluate perimeters on a regular basis? How frequently?
45. 45. ENISA: PHYSICAL SECURITY
 o Do you carry out regular risk assessments which include things such as neighboring buildings?
 o Do you control or monitor personnel (including third parties) who access secure areas?
 o What policies or procedures do you have for loading, unloading and installing equipment?
 o Are deliveries inspected for risks before installation?
 o Is there an up-to-date physical inventory of items in the data centre?
 o Do network cables run through public access areas? Do you use armored cabling or conduits?
 o Do you regularly survey premises to look for unauthorized equipment?
 o Is there any off-site equipment? How is this protected?
46. 46. ENISA: PHYSICAL SECURITY
 o Do your personnel use portable equipment (e.g., laptops, smart phones) which can give access to the data centre? How are these protected?
 o What measures are in place to control access cards?
 o What processes or procedures are in place to destroy old media or systems when required to do so? Is data overwritten? Is there physical destruction?
 o What authorization processes are in place for the movement of equipment from one site to another? How do you identify staff (or contractors) who are authorized to do this?
 o How often are equipment audits carried out to monitor for unauthorized equipment removal?
 o How often are checks made to ensure that the environment complies with the appropriate legal and regulatory requirements?
47. 47. ENISA: ENVIRONMENTAL CONTROLS
• What procedures or policies are in place to ensure that environmental issues do not cause an interruption to service?
• What methods do you use to prevent damage from a fire, flood, earthquake, etc?
 o In the event of a disaster, what additional security measures are put in place to protect physical access?
 o Both at the primary as well as at the secondary sites?
• Do you monitor the temperature and humidity in the data centre?
 o Air-conditioning considerations or monitoring?
• Do you protect your buildings from lightning strikes?
 o Including electrical and communication lines?
• Do you have stand-alone generators in the event of a power failure?
 o For how long can they run?
 o Are there adequate fuel supplies?
 o Are there failover generators?
 o How often do you check UPS equipment?
 o How often do you check your generators?
 o Do you have multiple power suppliers?
48. 48. ENISA: ENVIRONMENTAL CONTROLS
• Are all utilities (electricity, water, etc) capable of supporting your environment? How often is this re-evaluated and tested?
• Is your air-conditioning capable of supporting your environment?
 o How often is it tested?
• Do you follow manufacturers' recommended maintenance schedules?
• Do you only allow authorized maintenance or repair staff onto the site?
 o How do you check their identity?
• When equipment is sent away for repair, is the data cleaned from it first?
 o How is this done?
49. 49. ENISA: LEGAL REQUIREMENTS
Customers and potential customers of cloud provider services should have regard to their respective national and supra-national obligations for compliance with regulatory frameworks and ensure that any such obligations are appropriately complied with.
The key legal questions the customer should ask the cloud provider are:
• In what country is the cloud provider located?
• Is the cloud provider's infrastructure located in the same country or in different countries?
• Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider?
• Where will the data be physically located?
• Will jurisdiction over the contract terms and over the data be divided?
• Will any of the cloud provider's services be subcontracted out?
• Will any of the cloud provider's services be outsourced?
• How will the data provided by the customer and the customer's customers be collected, processed and transferred?
• What happens to the data sent to the cloud provider upon termination of the contract?
50. 50. Cloud Security Alliance (CSA)
51. 51. Cloud Security Alliance (CSA) Taxonomy
52. 52. Cloud Security Alliance (CSA) Mapping
53. 53. Cloud Security Alliance (CSA)
Domain 4: Compliance and Audit
With Cloud Computing developing as a viable and cost effective means to outsource entire systems or even entire business processes, maintaining compliance with your security policy and the various regulatory and legislative requirements to which your organization is subject can become more difficult to achieve and even harder to demonstrate to auditors and assessors. Of the many regulations touching upon information technology with which organizations must comply, few were written with Cloud Computing in mind. Auditors and assessors may not be familiar with Cloud Computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to understand:
• Regulatory applicability for the use of a given cloud service
• Division of compliance responsibilities between cloud provider and cloud customer
• Cloud provider's ability to produce evidence needed for compliance
• Cloud customer's role in bridging the gap between cloud provider and auditor/assessor
54. 54. Cloud Security Alliance (CSA)
Recommendations
√ Involve Legal and Contracts Teams. The cloud provider's standard terms of service may not address your compliance needs; therefore it is beneficial to have both legal and contracts personnel involved early to ensure that cloud services contract provisions are adequate for compliance and audit obligations.
√ Right to Audit Clause. Customers will often need the ability to audit the cloud provider, given the dynamic natures of both the cloud and the regulatory environment. A right to audit contract clause should be obtained whenever possible, particularly when using the cloud provider for a service for which the customer has regulatory compliance responsibilities. Over time, the need for this right should be reduced and in many cases replaced by appropriate cloud provider certifications, related to our recommendation for ISO/IEC 27001 certification scoping later in this section.
√ Analyze Compliance Scope. Determining whether the compliance regulations which the organization is subject to will be impacted by the use of cloud services, for a given set of applications and data.
55. 55. Cloud Security Alliance (CSA)
Recommendations
√ Analyze Impact of Regulations on Data Security. Potential end users of Cloud Computing services should consider which applications and data they are considering moving to cloud services, and the extent to which they are subject to compliance regulations.
√ Review Relevant Partners and Services Providers. This is general guidance for ensuring that service provider relationships do not negatively impact compliance. Assessing which service providers are processing data that is subject to compliance regulations, and then assessing the security controls provided by those service providers, is fundamental. Several compliance regulations have specific language about assessing and managing third party vendor risk. As with non-cloud IT and business services, organizations need to understand which of their cloud business partners are processing data subject to compliance regulations.
56. 56. Cloud Security Alliance (CSA)
Recommendations
√ Understand Contractual Data Protection Responsibilities and Related Contracts. The cloud service model to an extent dictates whether the customer or the cloud service provider is responsible for deploying security controls. In an IaaS deployment scenario, the customer has a greater degree of control and responsibility than in a SaaS scenario. From a security control standpoint, this means that IaaS customers will have to deploy many of the security controls for regulatory compliance. In a SaaS scenario, the cloud service provider must provide the necessary controls. From a contractual perspective, understanding the specific requirements, and ensuring that the cloud services contract and service level agreements adequately address them, are key.
√ Analyze Impact of Regulations on Provider Infrastructure. In the area of infrastructure, moving to cloud services requires careful analysis as well. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud service types.
57. 57. Cloud Security Alliance (CSA)
√ Analyze Impact of Regulations on Policies and Procedures. Moving data and applications to cloud services will likely have an impact on policies and procedures. Customers should assess which policies and procedures related to regulations will have to change. Examples of impacted policies and procedures include activity reporting, logging, data retention, incident response, controls testing, and privacy policies.
√ Prepare Evidence of How Each Requirement Is Being Met. Collecting evidence of compliance across the multitude of compliance regulations and requirements is a challenge. Customers of cloud services should develop processes to collect and store compliance evidence including audit logs and activity reports, copies of system configurations, change management reports, and other test procedure output. Depending on the cloud service model, the cloud provider may need to provide much of this information.
√ Auditor Qualification and Selection. In many cases the organization has no say in selecting auditors or security assessors. If an organization does have selection input, it is highly advisable to pick a "cloud aware" auditor since many might not be familiar with cloud and virtualization challenges. Asking their familiarity with the IaaS, PaaS, and SaaS nomenclature is a good starting point.
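Evidence that is merely "collected and stored" is of limited value to an auditor if nobody can show it was not edited or thinned out between collection and the audit. The following is an added example, not CSA guidance or code from these slides: it records each evidence item (log extract, configuration copy, change record) against the requirement it supports, with a SHA-256 per item and a hash chain across items, so that any later change, removal or reordering is detectable. The requirement IDs and evidence contents are constructed placeholders, not identifiers from any regulation.

```python
"""Tamper-evident manifest for collected compliance evidence.

Added example, not CSA guidance or code from these slides. It shows one way to
store the evidence the recommendation names (audit logs, configuration copies,
change records) so that an auditor can check nothing was altered or dropped
after collection. The requirement IDs and evidence contents are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed evidence items: (requirement id, evidence name, content).
# The requirement IDs are placeholders, not identifiers from any regulation.
EVIDENCE = [
    ("LOG-1", "auth.log-2010-03",
     b"2010-03-15T14:20:05Z sshd[4121]: Accepted publickey for admin from 10.0.2.15\n"),
    ("CFG-1", "sshd_config",
     b"PermitRootLogin no\nPasswordAuthentication no\n"),
    ("CHG-1", "change-2010-031.txt",
     b"CR-2010-031: OpenSSL patched on web tier; approved by CAB 2010-03-12\n"),
]


def build_manifest(items, collected_at):
    """Return a manifest with a per-item SHA-256 and a hash chain across items.

    chain[i] = SHA-256(chain[i-1] || sha256[i]); changing, removing or
    reordering any item changes every chain value after it and the head."""
    entries, prev = [], "0" * 64
    for requirement, name, content in items:
        digest = sha256_hex(content)
        link = sha256_hex((prev + digest).encode("ascii"))
        entries.append({"requirement": requirement, "evidence": name,
                        "size": len(content), "sha256": digest, "chain": link})
        prev = link
    return {"collected_at": collected_at, "entries": entries, "head": prev}


def verify_manifest(manifest, contents):
    """Check the evidence presented (name -> bytes) against the manifest.

    Returns a list of problems; an empty list means every item is present,
    unchanged and in the recorded order."""
    problems, prev = [], "0" * 64
    for entry in manifest["entries"]:
        data = contents.get(entry["evidence"])
        if data is None:
            problems.append(f"missing evidence: {entry['evidence']}")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"content changed: {entry['evidence']}")
        if sha256_hex((prev + entry["sha256"]).encode("ascii")) != entry["chain"]:
            problems.append(f"chain broken at: {entry['evidence']}")
        prev = entry["chain"]
    if prev != manifest["head"]:
        problems.append("head mismatch")
    return problems


def manifest_json(manifest):
    return json.dumps(manifest, indent=2, sort_keys=True)


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    manifest = build_manifest(EVIDENCE, now)
    print(manifest_json(manifest))
    print("problems:", verify_manifest(manifest, {n: c for _, n, c in EVIDENCE}))
```

The chain only helps if the `head` value is recorded somewhere the evidence custodian cannot quietly rewrite (a ticket, a signed message to the auditor, a timestamping service); otherwise whoever controls the evidence can simply regenerate the manifest. Where the cloud provider supplies the evidence, ask for the manifest and head from them at hand-over so the same check works on their side of the boundary.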
58. 58. Cloud Security Alliance (CSA)
√ Cloud Provider's SAS 70 Type II. Providers should have this audit statement at a minimum, as it will provide a recognizable point of reference for auditors and assessors. Since a SAS 70 Type II audit only assures that controls are implemented as documented, it is equally important to understand the scope of the SAS 70 audit, and whether these controls meet your requirements.
√ Cloud Provider's ISO/IEC 27001/27002 Roadmap. Cloud providers seeking to provide mission critical services should embrace the ISO/IEC 27001 standard for information security management systems. If the provider has not achieved ISO/IEC 27001 certification, they should demonstrate alignment with ISO 27002 practices.
√ ISO/IEC 27001/27002 Scoping. The Cloud Security Alliance is issuing an industry call to action to align cloud providers behind the ISO/IEC 27001 certification, to assure that scoping does not omit critical certification criteria.
Contributors: Nadeem Bukhari, Anton Chuvakin, Peter Gregory, Jim Hietala, Greg Kane, Patrick Sullivan
59. 59. MICROSOFT
60. 60. Microsoft Azure Services
Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
61. 61. Windows Azure Applications, Storage and Roles
(Diagram: n Web Role instances and m Worker Role instances behind a load balancer (LB), with Cloud Storage (blob, table, queue).)
Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
62. 62. MICROSOFT
Microsoft provides a trustworthy cloud through focus on three areas:
• Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business
• Maintaining and updating a detailed set of security controls that mitigate risk
• Operating a compliance framework that ensures controls are designed appropriately and are operating effectively
Microsoft is able to obtain key certifications such as ISO/IEC 27001:2005 (International Organization for Standardization / International Electrotechnical Commission) and Statement on Auditing Standards No. 70 (SAS 70) Type I and Type II attestations, and to more efficiently pass regular audits from independent third parties.
63. 63. MICROSOFT
64. 64. MICROSOFT
65. 65. MICROSOFT
66. 66. MICROSOFT
67. 67. MICROSOFT
68. 68. MICROSOFT
Microsoft Trustworthy Computing, home page: http://www.microsoft.com/twc
Microsoft Online Privacy Notice Highlights: http://www.microsoft.com/privacy
The ISO 27001:2005 certificate for the Global Foundation Services group at Microsoft: http://www.bsi-global.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+533913&searchkey=companyXeqXmicrosoft
Microsoft Global Foundation Services, home page: http://www.globalfoundationservices.com
The Microsoft Security Development Lifecycle (SDL): http://msdn.microsoft.com/en-us/security/cc448177.aspx
Microsoft Security Development Lifecycle (SDL), version 3.2, process guidance: http://msdn.microsoft.com/en-us/library/cc307748.aspx
Microsoft Security Response Center: http://www.microsoft.com/security/msrc
The Microsoft SDL Threat Modeling Tool: http://msdn.microsoft.com/en-us/security/dd206731.aspx
Microsoft Online Services: http://www.microsoft.com/online
69. 69. CloudeAssurance.com
70. 70. CloudeAssurance.com
71. 71. CloudeAssurance.com
72. 72. CloudeAssurance.com
73. 73. CloudeAssurance.com
74. 74. CloudeAssurance.com
75. 75. Questions?
• Thank you! Email questions to tlambo@eFortresses.com
• Requests for materials, slides, etc.
• Keep in touch