Secure Computing Magazine - SC World Congress 2/7 eConference - Keynote: Securing the cloud
Enterprise end-users are becoming more reliant on cloud computing applications and, more generally, on virtualized environments to share information with one another more quickly. While some companies are being cautious with their moves to the cloud, limiting the kinds of information stored and exchanged there, others are taking on real risk. What can executives do to better plan and implement security best practices in the cloud? We speak with some experts.

  1. Keynote address: Securing the cloud
     July 28, 2011
     Phil Agcaoili
     Cloud Security Alliance, Co-founding member
     CSA Cloud Controls Matrix (CCM), Inventor and co-author
     CSA GRC Stack, Co-founder and committee co-chair
     CSA Atlanta Chapter, Founder and Chapter Officer
  2. Customers of Cloud
     Enterprises – large-scale services
       Outsource wholesale IT services such as payroll, HR/benefits, CRM, help desk/service desk, etc.
     Startups – developers using the Web at scale
       Web-based business, SaaS, collaboration services, widget providers, mobile services, and social networking
     Small businesses – using SaaS
       Online businesses, online presence, collaboration, and enterprise integration
     Enterprises – developers and one-off projects
       R&D projects, quick promotions, widgets, online collaboration, partner integration, social networking, and new business ventures
     Firms – with compute-intensive tasks
       Overnight ad placement or transportation calculations
     "If you move your data centre to a cloud provider, it will cost a tenth of the cost." – Brian Gammage, Gartner Fellow
     "Using cloud infrastructures saves 18% to 29% before considering that you no longer need to buy for peak capacity." – George Reese, founder, Valtira and enStratus
     "Web service providers offer APIs that enable developers to exploit functionality over the Internet, rather than delivering full-blown applications." – Infoworld
  3. "In the Cloud, step one is trusting, and that's not security — that's hope." – Andrew Walls, Gartner Group
     You cannot outsource responsibility.
  4. Top Threats of Cloud Computing
     CSA Research Study Findings:
       Shared Technology Vulnerabilities
       Data Loss/Data Leakage
       Malicious Insiders
       Interception or Hijacking of Traffic
       Insecure APIs
       Account/Service Hijacking
       Nefarious Use of Service
     HTTP://CLOUDSECURITYALLIANCE.ORG/TOPTHREATS
  5. Cloud Security = Loss of Control
     Loss of direct access – in the Cloud you are at least one step removed from your data and systems
     Multi-tenancy – not an issue in private computing, where no devices or services are shared; in the Cloud they are shared with other tenants
     Commingling – will your data be mixed in with other clients' data? How will it be segregated?
     Resource pooling – how will resource conflicts be resolved? Who gets first response?
     Ineffective data deletion – if you change providers, does your data get destroyed? What about unintentional destruction?
     Legal snafus / data exhaust – if Company A has its data subpoenaed and your data is also on the same device, what happens to your data?
     (Diagram: Traditional Security Model vs. New Security Model)
  6. Moving to the Cloud
     Assess the business
     Assess the culture
     Assess the value
     Understand your data
     Understand your services
     Understand your processes
     Understand the cloud resources
     Identify candidate data
     Identify candidate services
     Identify candidate processes
     Create a governance strategy
     Bind candidate services to data and processes
     Relocate services, processes, and information
     Implement security
     Implement governance
     Implement operations
     Create a security strategy
  7. Secure Adoption of the Cloud
     Understand the threats and the risks
       CSA Guidance:
         Identify the asset for the cloud deployment
         Evaluate the asset
         Map the asset to potential cloud deployment models
         Evaluate potential cloud service models and providers
         Sketch the potential data flow
     Mitigating the risks
       Legal contracts and SLAs with Cloud Service Providers (CSPs)
         CSA Atlanta Chapter Project 2 – Contractual Guidance (coming soon)
       Audits, attestations, and certifications for cloud trust and assurance
         ISO 27001 certification
         Amazon: ISO 27001, SAS 70 Type II, FISMA Moderate Authority to Operate, HIPAA (current customer deployments); whitepaper describes the specifics
         AICPA SSAE 16 (SOC 1, 2, and 3) / ISAE 3402 – replaced SAS 70 as of June 2011 (strictly, SSAE 16 governs SOC 1 reports; SOC 2 and SOC 3 reports are issued under AT Section 101, so ask a provider which report type it actually holds and what is in scope)
         CSA STAR (coming soon) and CSA GRC Stack standards usage
           Microsoft Office 365 (formerly BPOS) ISO 27K to CSA CCM mapping
           CloudAudit
           Cloud Controls Matrix (CCM)
           Consensus Assessments Initiative Questionnaire (CAIQ)
           Cloud Trust Protocol (CTP)
  8. CSA Governance, Risk, and Compliance (CSA GRC) Stack
     Provider assertions
     Suite of tools, best practices and enabling technology
     Consolidates industry research and simplifies GRC in the cloud
     For cloud providers, enterprises, solution providers and audit/compliance
     Controls framework, questionnaire and continuous controls monitoring automation
     Simplifies customer and cloud provider attestation to accelerate cloud adoption
     Private & public clouds
     Control requirements
  9. CSA GRC Stack: Industry Collaboration & Support
     - International Organization for Standardization (ISO)
       ISO/IEC JTC 1 SC 27 ("SC 27") WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy
     - European Network and Information Security Agency (ENISA)
       Common Assurance Maturity Model (CAMM)
     - American Institute of Certified Public Accountants (AICPA)
       Statement on Standards for Attestation Engagements (SSAE) No. 16 / SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
       Next generation SAS 70 Type I and II attestation
     - National Institute of Standards and Technology (NIST)
       Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)
     - Inverse control framework mappings
       Unified Compliance Framework (UCF)
       Payment Card Industry (PCI) DSS
       Health Information Trust Alliance (HITRUST)
       Information Systems Audit and Control Association (ISACA) COBIT
       BITS Shared Assessments SIG/AUP + TG participation
       Information Security Forum (ISF)
 24. Challenges for the CAIQ
     Due diligence and contracting represent major obstacles to cloud adoption, with vendors forced to respond to a multitude of similar customer concerns, expressed differently by each prospective customer.
     The CAIQ was identified by the CSA Atlanta Chapter legal support group as the best starting point for a standardized due diligence tool, but the CAIQ is not yet widely used in due diligence prior to cloud contracting.
     The CAIQ is constructed as a series of yes/no questions, useful for high-level comparisons between vendors.
     A "yes" or "no" response to any of the CAIQ's terse, broad questions may have little value, or even mislead, without a narrative describing the basis for that response.
     The CAIQ has not received legal review, and does not address some important legal issues.
 25. The CSA Atlanta Chapter Project and Its Value
     Fill the CAIQ out so that it effectively addresses all general legal and risk management issues (i.e., issues not limited to a specific business sector or region) that should arise in the due diligence process.
     Provide supporting narrative complementing the yes/no answers to all questions.
     The value to vendors is that they can write only once (and then update) a single, comprehensive set of answers to due diligence questions.
     Prospective customers can use the yes/no answers to make instantaneous vendor comparisons, and then drill deeper into the related narratives.
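The two slides above describe a workflow: compare vendors on their yes/no answers first, then drill into the narratives, because a bare "yes" with no narrative can mislead. The following script is an added example, not part of the presentation or any CSA tool, showing how a customer-side comparison can encode that caveat. It treats a "yes" without narrative as unverified and a "yes" without cited evidence as merely asserted, so the side-by-side comparison never rewards an empty checkbox. The question ids, question wording, vendor names and answers are all constructed placeholders, not real CAIQ control ids or real vendor responses.

```python
"""Added example: score and compare vendor answers to a CAIQ-style questionnaire.

Not from the presentation.  Question ids, wording and vendor data below are
constructed for illustration and are not CAIQ control ids or real responses.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Answer:
    answer: str          # "yes", "no" or "n/a"
    narrative: str = ""  # vendor's explanation of the basis for the answer
    evidence: str = ""   # report or artefact the narrative points to


# Constructed questionnaire: placeholder ids, not real CAIQ control ids.
QUESTIONS: Dict[str, str] = {
    "Q-01": "Is customer data logically segregated from other tenants' data?",
    "Q-02": "Is customer data returned or securely destroyed at termination, "
            "and can the customer verify this?",
    "Q-03": "Are independent audit reports (e.g. SOC 2, ISO 27001) available?",
    "Q-04": "Are all service APIs authenticated and protected in transit?",
}

# Confidence statuses, weakest first.  Anything in FOLLOWUP needs a drill-down.
STATUS_ORDER: Tuple[str, ...] = (
    "missing", "invalid", "gap", "unverified", "review", "asserted", "supported",
)
FOLLOWUP = frozenset(("missing", "invalid", "gap", "unverified", "review"))


def assess_answer(ans: Answer) -> Tuple[str, str]:
    """Map one answer to a (status, reason) pair; a bare 'yes' is not trusted."""
    a = ans.answer.strip().lower()
    if a not in ("yes", "no", "n/a"):
        return "invalid", f"unrecognised answer {ans.answer!r}"
    if a == "no":
        return "gap", "vendor answered no"
    if a == "n/a":
        return "review", "vendor claims not applicable; confirm the scoping"
    if not ans.narrative.strip():
        return "unverified", "bare yes with no supporting narrative"
    if not ans.evidence.strip():
        return "asserted", "narrative given but no evidence cited"
    return "supported", f"narrative backed by {ans.evidence.strip()}"


def compare_vendors(responses: Dict[str, Dict[str, Answer]]) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Build a question -> vendor -> (status, reason) matrix.

    Every question is scored for every vendor, so an unanswered question
    surfaces as "missing" instead of silently dropping out of the comparison.
    """
    matrix: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for qid in QUESTIONS:
        matrix[qid] = {}
        for vendor, answers in responses.items():
            ans = answers.get(qid)
            matrix[qid][vendor] = (
                ("missing", "question not answered") if ans is None
                else assess_answer(ans)
            )
    return matrix


def summarize(matrix: Dict[str, Dict[str, Tuple[str, str]]]) -> Dict[str, Dict[str, int]]:
    """Count statuses per vendor for the instant side-by-side view."""
    summary: Dict[str, Dict[str, int]] = {}
    for per_vendor in matrix.values():
        for vendor, (status, _) in per_vendor.items():
            counts = summary.setdefault(vendor, {s: 0 for s in STATUS_ORDER})
            counts[status] += 1
    return summary


def needs_followup(matrix: Dict[str, Dict[str, Tuple[str, str]]], vendor: str) -> List[str]:
    """Question ids a customer should drill into before contracting."""
    return sorted(qid for qid, pv in matrix.items() if pv[vendor][0] in FOLLOWUP)


# Constructed sample responses from two hypothetical vendors.
SAMPLE_RESPONSES: Dict[str, Dict[str, Answer]] = {
    "VendorA": {
        "Q-01": Answer("yes", "Per-tenant database schemas with row-level ACLs.",
                       "SOC 2 Type II report, section 4"),
        "Q-02": Answer("yes"),                                   # bare yes
        "Q-03": Answer("yes", "Reports are shared under NDA on request."),
        # Q-04 left unanswered on purpose
    },
    "VendorB": {
        "Q-01": Answer("yes", "Dedicated VLAN and storage volume per tenant.",
                       "ISO 27001 certificate and Statement of Applicability"),
        "Q-02": Answer("no"),
        "Q-03": Answer("Yes", "SOC 2 Type II report issued annually.",
                       "SOC 2 Type II report 2011"),
        "Q-04": Answer("yes", "TLS for all endpoints; API requests are signed.",
                       "API security guide v2"),
    },
}


if __name__ == "__main__":
    matrix = compare_vendors(SAMPLE_RESPONSES)
    for qid, per_vendor in matrix.items():
        print(qid, QUESTIONS[qid])
        for vendor, (status, reason) in per_vendor.items():
            print(f"    {vendor:8s} {status:10s} {reason}")
    for vendor, counts in summarize(matrix).items():
        print(vendor, "follow up on:", needs_followup(matrix, vendor), counts)
```

Run as-is to see the matrix for the two constructed vendors; in practice the `SAMPLE_RESPONSES` dictionary would be loaded from each vendor's completed questionnaire. The point of the status ladder is that the comparison view and the drill-down view agree: a vendor with three bare "yes" answers ranks below one with one cited "no", because the "no" is at least an honest, reviewable gap.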
 26. Legal and Contract Issues with Cloud
     "Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach. The starting point contractually often favors the vendor, resulting in a potential misalignment with user requirements." – Gartner
     9 security areas to include in a CSP-related contract:
       Security
       Data privacy conditions
       Uptime guarantees
       Service-level agreement (SLA) penalties
       SLA penalty exclusions
       Business continuity and disaster recovery
       Suspension of service
       Termination
       Liability
 27. philA's Approach to Using the CSA GRC Stack
     Pre-sales – use the CAI Questionnaire (CAIQ)
     Contracts (MSA) – attach CAIQ + CCM
     Post-sales assurance and continuous compliance – use CloudAudit to verify contract and pre-sales assertions
     *CSA STAR will support this approach in an official manner.
 28. Cloud Back-Out Plan Considerations
     Include provisions for transition assistance requiring the vendor to assist you with transition to a new vendor.
     Require the return or secure destruction of all data held by the vendor.
     Have the right to verify compliance.
     The transition period may last from 30 days to 6 months.
 29. Summary
     Adopt Cloud that works for you
     Understand the risks
     Know your limits
     Conduct due diligence
     Use available cloud trust and assurance tools
     Work with your Legal and Procurement teams to ensure contractual obligations exist and are met
 30. About the Cloud Security Alliance
     Global, not-for-profit organization
     Over 22,000 individual members, 100 corporate members
     Building good practices and a trusted cloud ecosystem
     Agile philosophy, rapid development of applied research
     GRC: balance compliance with risk management
     Reference models: build using existing standards
     Identity: a key foundation of a functioning cloud economy
     Champion interoperability
     Advocacy of prudent public policy
     "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
 31. Questions and Answers…
     HTTP://CLOUDSECURITYALLIANCE.ORG
     CSA LinkedIn:
     Many thanks to:
       Jon Neiditz, Nelson Mullins Riley & Scarborough, for leading the development of the CSA Atlanta Chapter Project 2 (Contractual Guidance) and for some of the material used in today's presentation.
       David Barton, UHY LLP, for some of the material used in today's presentation.
     Phil Agcaoili
     Twitter: hacksec