RSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA CSA GRC Stack Update for the Atlanta CSA Chapter by Phil Agcaoili

RSA: Cloud Security Alliance GRC Stack Update
Cloud Security Alliance, Atlanta Chapter
Phil Agcaoili, Cox Communications
Dennis Hurst, HP
March 2011

Cloud Computing: NIST Definition
Updated (Jan 2011) in National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft).
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Composed of 5 essential characteristics, 3 service models, and 4 deployment models.
Source: http://www.nist.gov/itl/csd/cloud-020111.cfm

Cloud Computing: 5 Essential Characteristics
- On-demand self-service: the tenant provisions computing capabilities (server time, network storage, etc.) without human interaction with the provider
- Broad network access: capabilities are available over the network through standard mechanisms, including mobile platforms
- Resource pooling: physical and virtual resources are dynamically assigned and reassigned in a multi-tenant, location-independent model
- Rapid elasticity: provisioned resources are scaled up or down, automatically or manually, to match service-level needs
- Measured service: resource usage is monitored, controlled and reported, giving transparency to both provider and tenant

Cloud Computing: 3 Service Models
Software as a Service (SaaS): capability made available to the tenant (or consumer) to use the provider's applications running on cloud infrastructure, accessible via web browser, mobile apps and system interfaces.
Examples: Salesforce.com, Dropbox, Box.net, Google Docs, WebEx
Platform as a Service (PaaS): capability made available to the tenant to deploy tenant-owned (created or acquired) applications using programming languages and tools supported by the provider.
Examples: Microsoft Azure, Amazon Web Services, Bungee Connect
Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS): capability made available to the tenant to provision processing, storage, networks or other fundamental computing resources to host and run the tenant's applications.
Examples: Rackspace, Terremark (Verizon), Savvis, AT&T

Cloud Computing: 4 Deployment Models
(4) Hybrid: a composition of two or more deployment models (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology enabling data and application portability.

Cloud Computing Security: Largest Barrier to Adoption

What is Different about Cloud?

Proposal for Atlanta Chapter Objective #1: Cloud Security Contract Template
Vendor and customer need: a simple but uniform security contract and questionnaire/checklist.
Benefits:
- Standard, uniform customer response
- Minimizes unique customer requests
- Provides basic security attestation and assurance

What is Different about Cloud?

Cloud Controls Matrix

Cloud Controls Matrix: Leadership Team
- Becky Swain – Cisco Systems, Inc.
- Philip Agcaoili – Cox Communications
- Marlin Pohlman – EMC, RSA
- Kip Boyle – CSA
V1.1 released Dec 2010.
Each control is rated as applicable to SaaS, PaaS and/or IaaS (S-P-I), with cloud provider / tenant responsibility delineated.
Controls baselined and mapped to:
- COBIT
- HIPAA / HITECH Act
- ISO/IEC 27001:2005
- NIST SP 800-53
- FedRAMP
- PCI DSS v2.0
- BITS Shared Assessments
- GAPP

Cloud Controls Matrix: Global Industry Contribution
- Adalberto Afonso A Navarro F do Valle – Deloitte LLP
- Addison Lawrence – Dell
- Akira Shibata – NTT DATA Corp
- Andy Dancer
- Anna Tang – Cisco Systems, Inc.
- April Battle – MITRE
- Chandrasekar Umpathy
- Chris Brenton – Dell
- Dale Pound – SAIC
- Daniel Philpott – Tantus Technologies
- Dr. Anton Chuvakin – Security Warrior Consulting
- Elizabeth Ann Wickham – L47 Consulting Limited
- Gary Sheehan – Advanced Server Mgmt Group, Inc.
- Georg Heß
- Georges Ataya – Solvay Brussels School of Economics & Mgmt
- Glen Jones – Cisco Systems, Inc.
- Greg Zimmerman – Jefferson Wells
- Guy Bejerano – LivePerson
- Henry Ojo – Kamhen Services Ltd
- Jakob Holm Hansen – Neupart A/S
- Joel Cort – Xerox Corporation
- John DiMaria – HISPI
- John Sapp – McKesson Healthcare, HISPI
- Joshua Schmidt – Vertafore, Inc.
- Karthik Amrutesh – Ernst and Young LLP
- Kelvin Arcelay – Arcelay & Associates
- Kyle Lai – KLC Consulting, Inc.
- Larry Harvey – Cisco Systems, Inc.
- Laura Kuiper – Cisco Systems, Inc.
- Lisa Peterson – Progressive Insurance
- Lloyd Wilkerson – Robert Half International
- Marcelo Gonzalez – Banco Central Republica Argentina
- Mark Lobel – PricewaterhouseCoopers LLP
- Meenu Gupta – Mittal Technologies
- Mike Craigue, Ph.D. – Dell
- MS Prasad – Executive Director, CSA India
- Niall Browne – LiveOps
- Patrick Sullivan
- Patty Williams – Symetra Financial
- Paul Stephen – Ernst and Young LLP
- Phil Genever-Watling – Dell
- Philip Richardson – Logicalis UK Ltd
- Pritam Bankar – Infosys Technologies Ltd.
- Ramesan Ramani – Paramount Computer Systems
- Steve Primost
- Taiye Lambo – eFortresses, Inc.
- Tajeshwar Singh
- Thej Mehta – KPMG LLP
- Thomas Loczewski – Ernst and Young GmbH, Germany
- Vincent Samuel – KPMG LLP
- Yves Le Roux – CA Technologies
- HISPI membership (Release ISO Review Body)

Cloud Controls Matrix: Characteristics
- An objective measure used to monitor activities and then take corrective action to accomplish organizational goals
- Comprised of a set of policies and processes (internal controls) affecting the way cloud services are directed, administered or controlled
- Aligned to information security regulatory rules and industry-accepted guidance
- Controls reflect the intent of the CSA Guidance as applied to existing patterns of cloud execution

Cloud Controls Matrix: Optimal & Holistic Compliance
Bridging regulatory governance and practical compliance.

Cloud Controls Matrix: 11 Domains
1. Compliance (CO)
2. Data Governance (DG)
3. Facility Security (FS)
4. Human Resources (HR)
5. Information Security (IS)
6. Legal (LG)
7. Operations Management (OP)
8. Risk Management (RI)
9. Release Management (RM)
10. Resiliency (RS)
11. Security Architecture (SA)

Cloud Controls Matrix: 98 Controls
Compliance
- CO01 – Audit Planning
- CO02 – Independent Audits
- CO03 – Third Party Audits
- CO04 – Contact / Authority Maintenance
- CO05 – Information System Regulatory Mapping
- CO06 – Intellectual Property
Legal
- LG01 – Non-Disclosure Agreements
- LG02 – Third Party Agreements
Data Governance
- DG01 – Ownership / Stewardship
- DG02 – Classification
- DG03 – Handling / Labeling / Security Policy
- DG04 – Retention Policy
- DG05 – Secure Disposal
- DG06 – Non-Production Data
- DG07 – Information Leakage
- DG08 – Risk Assessments
Risk Management
- RI01 – Program
- RI02 – Assessments
- RI03 – Mitigation / Acceptance
- RI04 – Business / Policy Change Impacts
- RI05 – Third Party Access
Resiliency
- RS01 – Management Program
- RS02 – Impact Analysis
- RS03 – Business Continuity Planning
- RS04 – Business Continuity Testing
- RS05 – Environmental Risks
- RS06 – Equipment Location
- RS07 – Equipment Power Failures
- RS08 – Power / Telecommunications
Human Resources
- HR01 – Background Screening
- HR02 – Employment Agreements
- HR03 – Employment Termination
Release Management
- RM01 – New Development / Acquisition
- RM02 – Production Changes
- RM03 – Quality Testing
- RM04 – Outsourced Development
- RM05 – Unauthorized Software Installations
Operations Management
- OP01 – Policy
- OP02 – Documentation
- OP03 – Capacity / Resource Planning
- OP04 – Equipment Maintenance
Security Architecture
- SA01 – Customer Access Requirements
- SA02 – User ID Credentials
- SA03 – Data Security / Integrity
- SA04 – Application Security
- SA05 – Data Integrity
- SA06 – Production / Non-Production Environments
- SA07 – Remote User Multi-Factor Authentication
- SA08 – Network Security
- SA09 – Segmentation
- SA10 – Wireless Security
- SA11 – Shared Networks
- SA12 – Clock Synchronization
- SA13 – Equipment Identification
- SA14 – Audit Logging / Intrusion Detection
- SA15 – Mobile Code
Facility Security
- FS01 – Policy
- FS02 – User Access
- FS03 – Controlled Access Points
- FS04 – Secure Area Authorization
- FS05 – Unauthorized Persons Entry
- FS06 – Off-Site Authorization
- FS07 – Off-Site Equipment
- FS08 – Asset Management
Information Security
- IS01 – Management Program
- IS02 – Management Support / Involvement
- IS03 – Policy
- IS04 – Baseline Requirements
- IS05 – Policy Reviews
- IS06 – Policy Enforcement
- IS07 – User Access Policy
- IS08 – User Access Restriction / Authorization
- IS09 – User Access Revocation
- IS10 – User Access Reviews
- IS11 – Training / Awareness
- IS12 – Industry Knowledge / Benchmarking
- IS13 – Roles / Responsibilities
- IS14 – Management Oversight
- IS15 – Segregation of Duties
- IS16 – User Responsibility
- IS17 – Workspace
- IS18 – Encryption
- IS19 – Encryption Key Management
- IS20 – Vulnerability / Patch Management
- IS21 – Anti-Virus / Malicious Software
- IS22 – Incident Management
- IS23 – Incident Reporting
- IS24 – Incident Response Legal Preparation
- IS25 – Incident Response Metrics
- IS26 – Acceptable Use
- IS27 – Asset Returns
- IS28 – eCommerce Transactions
- IS29 – Audit Tools Access
- IS30 – Diagnostic / Configuration Ports Access
- IS31 – Network Services
- IS32 – Portable / Mobile Devices
- IS33 – Source Code Access Restriction
- IS34 – Utility Programs Access

Consensus Assessment Initiative
- Research tools and processes to perform shared assessments of cloud providers
- Lightweight "common assessment criteria" concept
- Integrated with the Cloud Controls Matrix
- Version 1 CAI Questionnaire released Oct 2010: approximately 140 provider questions to identify the presence of security controls or practices

Consensus Assessment Initiative: Team
Contributors
- Matthew Becker – Bank of America
- Aaron Benson – Novell
- Ken Biery – Verizon Business
- Kristopher Fador – Bank of America
- David Gochenaur – Aon Corporation
- Jesus Molina – Fujitsu
- John Nootens – AMA Association
- Hemma Prafullchandra – HyTrust
- Gorka Sadowski – LogLogic
- Richard Schimmel – Bank of America
- Patrick Vowles – RSA
- Kenneth Zoline – IBM
Leaders
- Laura Posey – Microsoft
- Jason Witty – Bank of America
- Marlin Pohlman – EMC, RSA
- Earle Humphreys – ITEEx
Editor
- Christofer Hoff – Cisco

Consensus Assessment Initiative: Approach
- Build a "cloud-specific" question set from the CSA guidance and industry experts
- Align the questions with the CSA Cloud Controls Matrix
- Release the 1.0 question set publicly
- Integrate it into the CloudAudit.org framework
- Post it to CloudSecurityAlliance.org

Consensus Assessment Initiative Questionnaire (CAIQ) – 148 questions

CloudAudit
- Provide a common interface and namespace that allows cloud computing providers to automate the audit, assertion, assessment and assurance (A6: Automated Audit, Assertion, Assessment and Assurance API) of their environments
- Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology

CloudAudit: Objective
A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks, in a way that simplifies discovery by humans and tools.
- Define a namespace that can support diverse frameworks
- Express five critical compliance frameworks in that namespace
- Define the mechanisms for requesting and responding to queries relating to specific controls
- Integrate with portals and AAA systems

CloudAudit: Aligned to the Cloud Controls Matrix
First efforts aligned to the compliance frameworks established by the CSA Cloud Controls Matrix:
- PCI DSS
- HIPAA
- COBIT
- ISO/IEC 27001:2005
- NIST SP 800-53
Incorporate CSA's CAI and additional Compliance Packs.
Expand alignment to "infrastructure"- and "operations"-centric views as well.

CloudAudit: Sample Implementation
CSA Compliance Pack

CloudAudit: Release Deliverables
- Contains all Compliance Packs, documentation and scripts needed to begin implementation of CloudAudit
- Working with service providers and tool vendors for adoption
- CloudAudit was officially folded under the Cloud Security Alliance in October 2010
- http://www.cloudaudit.org/CloudAudit_Distribution_20100815.zip

CloudAudit: Release Deliverables (cont.)
Request flow for users and tools

index.html / default.jsp / etc.
- index.html is for plain browser consumption: typically the direct human-user use case
- It can be omitted if directory browsing is enabled
- It contains JavaScript that looks for the manifest.xml file, parses it, and displays it as HTML
- If no manifest.xml exists, it should list the directory contents relevant to the control in question

manifest.xml
- Structured listing of the control endpoint's contents
- Can be extended to provide contextual information
- Primarily aimed at tool consumption
- In Atom format
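The index.html / manifest.xml behaviour described above, as an added example in Python that is not part of the CloudAudit distribution or of this deck. It parses a constructed Atom manifest for one control endpoint, falls back to a directory listing when no manifest.xml exists, and adds the two checks a practitioner would want before rendering third-party evidence into a page: refuse a DOCTYPE (the entity-expansion vector) and reject link targets that are neither https nor a relative path inside the control directory (javascript: URLs, protocol-relative hosts, ../ escapes). The entry layout (one Atom entry per evidence item carrying a link href), the sample feed, the URLs and the file names are assumptions made for illustration, not the CloudAudit schema.

```python
"""Reader for a CloudAudit-style control endpoint: manifest.xml (Atom) with a
directory-listing fallback, mirroring the index.html behaviour in the deck.

Added example, not code from the CloudAudit distribution. Assumed for
illustration: one Atom <entry> per evidence item with an <atom:link href>;
the sample feed, hosts and file names below are constructed.
"""
import os
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATOM_NS = "http://www.w3.org/2005/Atom"
NS = {"atom": ATOM_NS}

# Constructed sample manifest for CCM control SA14 (Audit Logging / Intrusion Detection).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>CSA CCM v1.1 SA14 - Audit Logging / Intrusion Detection</title>
  <id>urn:example:cloudaudit:csa:ccm:1.1:SA14</id>
  <updated>2011-03-01T00:00:00Z</updated>
  <entry>
    <title>Log retention and review procedure</title>
    <id>urn:example:cloudaudit:csa:ccm:1.1:SA14:1</id>
    <link rel="alternate" type="application/pdf" href="log-retention-procedure.pdf"/>
    <summary>Central log retention, protection and review</summary>
  </entry>
  <entry>
    <title>Independent audit report excerpt</title>
    <id>urn:example:cloudaudit:csa:ccm:1.1:SA14:2</id>
    <link rel="alternate" type="application/pdf" href="https://evidence.example.net/SA14/audit.pdf"/>
  </entry>
  <entry>
    <title>Entry a hostile provider might plant</title>
    <id>urn:example:cloudaudit:csa:ccm:1.1:SA14:3</id>
    <link rel="alternate" href="javascript:alert(document.cookie)"/>
  </entry>
</feed>
"""


def is_safe_href(href: str) -> bool:
    """Accept only https URLs or relative paths that stay inside the control directory.

    The manifest is third-party input that index.html renders into HTML, so
    javascript:/data: schemes, foreign hosts and ../ escapes must not reach the page.
    """
    parts = urlsplit(href)
    if parts.scheme:
        return parts.scheme == "https" and bool(parts.netloc)
    if parts.netloc or href.startswith("/") or not parts.path:
        return False
    norm = posixpath.normpath(parts.path)
    return not (norm == ".." or norm.startswith("../"))


def parse_manifest(xml_text: str) -> dict:
    """Parse an Atom manifest into {"source", "control", "entries", "rejected"}."""
    # Reject DTDs outright: a provider-supplied DOCTYPE is the entity-expansion vector.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("manifest.xml carries a DOCTYPE; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{ATOM_NS}}}feed":
        raise ValueError("manifest.xml is not an Atom feed")
    result = {
        "source": "manifest",
        "control": root.findtext("atom:title", default="", namespaces=NS),
        "entries": [],
        "rejected": [],
    }
    for entry in root.findall("atom:entry", NS):
        link = entry.find("atom:link", NS)
        item = {
            "title": entry.findtext("atom:title", default="", namespaces=NS),
            "href": link.get("href", "") if link is not None else "",
            "type": link.get("type", "") if link is not None else "",
            "summary": entry.findtext("atom:summary", default="", namespaces=NS),
        }
        (result["entries"] if is_safe_href(item["href"]) else result["rejected"]).append(item)
    return result


def entries_from_listing(names) -> dict:
    """Fallback when no manifest.xml exists: the directory contents are the evidence list."""
    visible = sorted(n for n in names if not n.startswith(".") and n.lower() != "index.html")
    return {
        "source": "directory",
        "control": "",
        "entries": [{"title": n, "href": n, "type": "", "summary": ""} for n in visible],
        "rejected": [],
    }


def read_control_endpoint(control_dir: str) -> dict:
    """Mirror index.html: prefer manifest.xml, otherwise fall back to the listing."""
    manifest_path = os.path.join(control_dir, "manifest.xml")
    if os.path.isfile(manifest_path):
        with open(manifest_path, encoding="utf-8") as fh:
            result = parse_manifest(fh.read())
    else:
        result = entries_from_listing(os.listdir(control_dir))
    result["control"] = result["control"] or os.path.basename(control_dir)
    return result
```

When the same logic lives in index.html's JavaScript, render the title, summary and href values as text nodes and attribute values (never via innerHTML), and keep the href filter: the manifest is published by the party being assessed, so it is untrusted input to the assessor's browser.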
CSA GRC Stack
Bringing it all together to peel back the layers of control ownership and address the concerns that block trusted cloud adoption:
- Provider assertions
- Private, community and public clouds
- Control requirements

- Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of Governance, Risk Management and Compliance (GRC) requirements. Success depends on: appropriate assessment criteria; and relevant control objectives with timely access to the necessary supporting data.
- The CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry-established best practices, standards and critical compliance requirements.
- Integrated suite of 3 CSA initiatives: CloudAudit, Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).
- Available now for free download at: www.cloudsecurityalliance.org/grcstack.zip

CSA GRC Stack: Bringing it all together

CSA GRC Stack: Industry Collaboration & Support
- International Organization for Standardization (ISO): ISO/IEC JTC 1 SC 27 ("SC 27") WG 1, 4 and 5 in a study period on cloud computing security and privacy, with active CSA representation
- European Network and Information Security Agency (ENISA): Common Assurance Maturity Model (CAMM)
- American Institute of Certified Public Accountants (AICPA): Statement on Standards for Attestation Engagements (SSAE) No. 16; SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
- National Institute of Standards and Technology (NIST): consolidated feedback on the Federal Risk and Authorization Management Program (FedRAMP)
- Inverse control framework mappings: Health Information Trust Alliance (HITRUST); Unified Compliance Framework (UCF); Information Systems Audit and Control Association (ISACA); BITS Shared Assessments SIG/AUP + TG participation; Information Security Forum (ISF)

About the Cloud Security Alliance
- Global, not-for-profit organization
- Almost 18,000 individual members, 80 corporate members
- Building best practices and a trusted cloud ecosystem
- Agile philosophy, rapid development of applied research
- GRC: balance compliance with risk management
- Reference models: build using existing standards
- Identity: a key foundation of a functioning cloud economy
- Champion interoperability
- Advocacy of prudent public policy
"To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."

Contact
Help us secure cloud computing
www.cloudsecurityalliance.org
info@cloudsecurityalliance.org
LinkedIn: www.linkedin.com/groups?gid=1864210
Twitter: @cloudsa

Thank You
