CSA & GRC Stack

© 2011 Cloud Security Alliance, Inc. All rights reserved.
Cloud Security
Alliance &
GRC Stack
Materials by Cloud Security Alliance.org ©
& PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance ,
& Prof. Kai Hwang, University of Southern California
Presented to Triad ISSA, NC January 26, 2012
Valdez Ladd, ISSA Raleigh, NC 2012
1

About the Cloud Security Alliance
Global, not-for-profit organization
Building best practices and a trusted cloud
ecosystem
Comprehensive research and tools
Certificate of Cloud Security Knowledge (CCSK)
www.cloudsecurityalliance.org
2

Presentation Outline
Introduction
What this class is about, prerequisites, how to benefit
Cloud basics
PCI DSS + cloud scenario for example
Cloud Security Alliance toolsets: Control Matrix,
Consensus Assessments, etc.,
Conclusions and action items
3

Cloud?
4

NIST Definition of Cloud Computing
“Cloud computing is a model for
enabling convenient, on-demand
network access to a shared pool of
configurable computing resources
that can be rapidly provisioned and
released with minimal management
effort or service provider interaction. “
55

5 Essential Cloud
Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling
– Location independence
4. Rapid elasticity
5. Measured service
66

3 Cloud Service Models
1. Cloud Software as a Service (SaaS)
– Use provider’s applications over a network
2. Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, and other
fundamental computing resources
To be considered “cloud” they must be deployed on
top of cloud infrastructure that has the essential
characteristics
7

4 Cloud Deployment Models
Private cloud
Enterprise owned or leased
Community cloud
Shared infrastructure for specific community
Public cloud <- our focus in this class!
Sold to the public, mega-scale infrastructure
Hybrid cloud
Composition of two or more clouds
88

7 Common Cloud
Characteristics
1. Massive scale
2. Homogeneity
3. Virtualization
4. Resilient computing
5. Low cost software
6. Geographic distribution
7. Service orientation
10

All of this TOGETHER: The Cloud
Community
Cloud
Private
Cloud
Public Cloud
Hybrid Clouds
Deployment
Models
Service
Models
Essential
Characteristics
Common
Characteristics
Software as a
Service (SaaS)
Platform as a
Service (PaaS)
Infrastructure as a
Service (IaaS)
Resource Pooling
Broad Network Access Rapid Elasticity
Measured Service
On Demand Self-Service
Low Cost Software
Virtualization Service Orientation
Advanced Security
Homogeneity
Massive Scale Resilient Computing
Geographic Distribution
1111

Example IaaS//
Amazon Cloud
Amazon cloud components
– Elastic Compute Cloud (EC2)
• Run your own or Amazon’s OS “instances”
– Simple Storage Service (S3)
– SimpleDB
– Other services
1212

Example PaaS//
Google App Engine
Create, deploy and run applications
NO control (or, in fact, even visibility) of OS
Use SDK to
develop the
applications
Run “natively”
in the cloud
13

Example SaaS//
Salesforce
Well-known SaaS CRM application
Cloud CRM + a lot more applications
1414

Example P/IaaS //
Azure
Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
1515

Service Model Architectures
Cloud Infrastructure
IaaS
PaaS
SaaS
Infrastructure as a Service (IaaS)
Architectures
Platform as a Service (PaaS)
Architectures
Software as a Service
(SaaS)
Architectures
SaaS
PaaS
SaaS
IaaS
PaaS
PaaS
IaaS
1616

18
Security: Barrier to Adoption?

19
What is Different about Cloud?

Security Relevant Cloud
Components
Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter Security
Elastic Elements: Storage, Processing, and
Virtual Networks
2020

21
SERVICE OWNER SaaS PaaS IaaS
Data Joint Tenant Tenant
Application Joint Joint Tenant
Compute Provider Joint Tenant
Storage Provider Provider Joint
Network Provider Provider Joint
Physical Provider Provider Provider

22

23

CSA Cloud “Threats”
1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile
24

ENISA Cloud Computing Risk
Assessment
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider
25

Cloud “Threats” – Top 3
1. Authentication abuse
2. Operations breakdown
3. Misuse of cloud-specific technology
26

FBI Takes Cloud Away
27

While we are “in the cloud”
Here are some additional
CSA/cloud security resources…
28

CSA GRC Stack
Bringing it all together to peel back the
layers of control ownership and
address concerns for trusted Cloud
adoption.
29
Control
Requirements
Provider
Assertions
Private,
Community &
Public Clouds

CSA CloudAudit
Open standard and API to automate
provider audit assertions
Change audit from data gathering to data analysis
Necessary to provide audit & assurance at the
scale demanded by cloud providers
Uses Cloud Controls Matrix as controls namespace
Use to instrument cloud for continuous controls
monitoring
30

CSA Cloud Controls Matrix
31
Controls derived from
guidance
Mapped to familiar
frameworks: ISO 27001,
COBIT, PCI, HIPAA
Rated as applicable to
SaaS/PaaS/IaaS
Customer vs Provider role
Help bridge the “cloud gap”
for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

32
Next?

Thanks for Your Review!
Acknowledgement to Dr. Anton Chuvakin,
SecurityWarrior LLC for Cloud Security Alliance, Cloud Security
Alliance.org,
Materials by Cloud Security Alliance.org ©
& PCI in the cloud training, created by
for Triad ISSA, NC
January 26, 2012
Valdez Ladd, ISSA Raleigh, NC 2011
33

34

CSA & GRC Stack

More Related Content

What's hot

Similar to CSA & GRC Stack

Recently uploaded

CSA & GRC Stack