What is needed to start trusting the security of your applications in the cloud?

Application Security Institute Standards, Security, and Audit
What is needed to start trusting the
security of your applications in the cloud?

Application Security Institute 2
What is needed to start trusting the security of your
applications in the cloud?
Synopsis
 Application security is not easy to achieve and it mainly deals
with how an application is developed and tested.
– But what about using it and operating it?
– Is it not at this point that we put into the application the
information that really needs to be protected?
 This presentation will show how ISO 27034 can help you apply
and verify the security of operational applications that you can
trust, whether they are hosted in your infrastructure, in a
provider’s, or somewhere in the cloud.

Application Security Institute
Luc Poulin Ph.D. CISSP-ISSMP CSSLP CISM CISA 27034CASLI 27034CASLA
CEO, Cogentas – Application Security Institute
ISO/IEC 27034 Project editor
Mr. Luc Poulin has more than thirty years' experience in IT where he is helping
governments and organizations to address application security issues.
Leading as project editor the ISO/IEC 27034: Application Security series of
International standards, which addresses the integration of security concerns in
the application life cycle.
Mr. Poulin is also participating in various projects in information security areas
such as e-voting, blockchain services, IoT, cloud, virtualization, and AGILE secure
development methods.
Contact Information
+1 418 473-4473
Luc.Poulin@Cogentas.org
www.Cogentas.org
ca.linkedin.com/in/LucPoulin
twitter.com/Cogentas.org

What is needed to start trusting the security of your
applications in the cloud?
Plan
1. Understand Application Scope vs Application Security Scope
2. Cloud application architecture in 3 layers
3. Understand Cloud Security vs Application Security
4. Cloud application architecture in 3 layers
5. Cloud application – Back office layer
6. What are the existing CSP security certifications
7. Improving CSP security certification with ISO/IEC 27034
8. Conclusion
Acronyms
CSP Cloud Service Provider
AS Application security
ASC Application Security Control

Understand Application Scope vs Application Security Scope
Understand the applications’ scope on the cloud
 We cannot protect something we don’t understand
– Before we can protect the information involved by an application,
we must understand and agree on
“What is the application we are talking about...”
 If someone asks you to protect a big application such as an
accounting system, an electronic voting system or Facebook
– What is he exactly talking about ?
 How to determine the scope of an application in the cloud to
protect the information involved by it?

Understand application scope
Stand alone application
Application’s scope
D
D
D
D
OS
A A
A
A
Data Data

D
D
D
D
OS
A A
A
A
Data Data

User / Admin
D
D
D
D
OS
A A
A
A
Data Data

Processes
Application scope
User / Admin
D
D
D
D
OS
A A
A
A
Data Data

Processes
Application scope
User / Admin
D
D
D
D
OS
A A
A
A
Data Data
AS scope to protect an application

Processes
Client-server application
Application scope
OS
D
D
D
D
A
User
Data
Data
A
A
A
D
D
D
D
DBMS
Admin
Data
Data
Data
OS
A
A
A
A
LAN / WAN

Processes
Internet application
Application scope
D
D
D
D
Admin
Data
Data
Data
DBMS
OS
A
A
A
A
User
Data
OS
D
D
D
D
A A
A
A
Data
Internet

Cloud application
Application hosted in the cloud
Processes
Cloud
Application scope
User
Data
Data
OS
D
D
D
D
A A
A
A
D
D
D
D
Admin
Data
Data
Data
DBMS
OS
A
A
A
A
Internet

Processes
Cloud
Mobile application (Tablet)
Application scope
Data
Data
User
OS
D
D
D
D
A A
A
A
D
D
D
D
Data
Data
Data
Admin
DBMS
OS
A
A
A
A
Internet

N-tier and Web application
Processes
Application scope
User
A
OS
DBMS
A
A
D
D
D
D Admin
A
User
D
A
OS
A
A
A
D
D
D
Admin
A
User
A
A
OS
A D
D
D
D
Admin
Admin
AD
D
D
A
OS
AD
A
User
Internet

Cloud “B”
Cloud “A”
N-tier / Web application in clouds
Processes
Application scope
User
Admin
OS
D
D
D
D
A
DBMS
OS
A
A
A
A
A
AA
A
A
A
OS
OS
A
A
A
A
D
D
D
D
D
D
D
D
D
D
D
D
User
Admin
A
User
Admin
User
Admin
Internet

Cloud application architecture in 3 layers
From client-server to N-Tier application architecture
 To make it simple, let’s define 3 architecture layers
Cloud
Application scope
Data
Data
OS
D
D
D
D
A A
A
A
D
D
D
D
Data
Data
Data
DBMS
OS
A
A
A
A
Internet
Client layer Back office layer
Communication
Layer

Cloud application – back office layer
Shared by CSA, NIST, ISACA, Gartner, etc.
 Cloud services provider’s view
 Examples
– NIST Special Publication 800-145: NIST Definition of Cloud
Computing
– NIST Special Publication 500-292: NIST Cloud Computing Reference
Architecture

 Cloud services provider’s view: SaaS
– Client owns and manages its
• Data
• Access to its data
– Cloud services provider (CSP)
manages its
• Software
• Platform
• IT Infrastructure
– CSP is accountable for service level
– Client is accountable for
data protection
The 3 models of cloud service
Software
as a Service
(SaaS)
Backofficelayer
Software
Platform
Infrastructure
Client’s responsibilitiesCSP’s responsibilities Client’s user responsibilities

 Provider’s view: back office side
– Client owns and manages its
• Data
• Access to its data
• Software
– CSP manages its
• Platform
– CSP is accountable for
service level
– Client is accountable for
data protection
Software
as a Service
(SaaS)
Platform
as a Service
(PaaS)
Backofficelayer

 Provider’s view: back office side
– Client owns and
manages its
• Data
• Access to its
Data
• Software
• Platform
– CSP manages its
Software
as a Service
(SaaS)
Platform
as a Service
(PaaS)
Infrastructure
as a Service
(IaaS)
Backofficelayer

 Client owns and manages everything
The 4th model of cloud service: CoS
Client-owned
service
(CoS)
Software
as a Service
(SaaS)
Platform
as a Service
(PaaS)
Infrastructure
as a Service
(IaaS)
Backofficelayer
SoftwarePlatformInfrastructure

CSP must comply with laws, but which ones?
 Whatever territory the device belongs to
– Laws and territorial regulations from the
provider’s localization apply
• Cities, provinces, states, countries, etc.
– The client, not the CSP is accountable
for the confidentiality and integrity
of data in the cloud
Backofficelayer
Cloud Provider’s
territory
Infrastructure
Platform
Software
(USA)
Regulatory
Context

What are the existing CSP security certifications
Some existing Cloud security certifications
 ISO/SC27
– ISO/IEC 27017 – Code of practice for information security controls
based on ISO/IEC 27002 for cloud services
 Cloud Security Alliance
– Cloud Controls Matrix (CCM v3.0.1 – from CSA and AICPA)
– Star Program Assessment and Certifications: Open Certification
Framework
 ISACA
– Security Considerations for Cloud Computing (toolkit included)
– IS Audit/Assurance Program for Cloud Computing

Improving CSP security certification with ISO/IEC 27034
Scope of popular CSP certifications
CSPlayer
Platform
Infrastructure
Admin
Software
Regulatory
Context

Application scope
AS scope to protect
an application
in the cloud
with ISO/IEC 27034
CSPlayer
Processes
Platform
Infrastructure
Client
Admin
User
Software
Regulatory
Context

Improving regulatory context scope
 Whatever territory the device belongs to
– Laws and
territorial
regulations
may apply Infrastructure
Platform
Software
Backofficelayer
Clientlayer
Cloud Provider’s
territory
Client’s
territory
Client’s User’s
territory
Infrastructure
Platform
Software
Infrastructure
Platform
Software
(France) (Canada) (USA)

What is missing
under ISO/IEC 27034
application security
scope?
 The ONF
– Technological
context
and
regulatory
context
are covered
at around 33%
– Security
conformance
process exists,
but subjective
Organization Normative Framework (ONF)
Business
context
Application specifications and
functionalities repository
Roles, responsibilities and
qualifications repository
ASC Library
Application Security
Tracability Matrix
Regulatory
context
Technological
context
Categorized information groups
repository
ASC
(Application Securty Controls)
Management processes related to
Application Normative
Frameworks (ANF)
Life Cycle Reference Model
Application
Security Life
Cycle Model
Application Security Risk Management
ONF Committee Management
ONF Management
Application Security Management
Application Security Conformance

What ISO/IEC 27034 can provide to trust Application Security
in the cloud?
 Elements to make cloud application security implementation,
validation, verification and audit
– Measurable
• Unambiguous result
• Minimize subjectivity
– Repeatable
• Audit scope and measurements are independent of the
auditee/verifier/auditor

Some ISO/IEC 27034
key elements
 The ONF
– ASC
– ASC Library
– ASLCRM
– AS Conformance
Organization Normative Framework (ONF)
Business
context
Application specifications and
functionalities repository
Roles, responsibilities and
qualifications repository
ASC Library
Tracability Matrix
Regulatory
context
Technological
context
Categorized information groups
repository
ASC
(Application Securty Controls)
Management processes related to
Application Normative
Frameworks (ANF)
Life Cycle Reference Model
Application
Security Life
Cycle Model
Application Security Risk Management
ONF Committee Management
ONF Management
Application Security Management
Application Security Conformance

The Application Security Control (ASC)
 Including implementation and verification activities
€/t
Application Target
Level of Trust
(why)
Security Requirements
· Application specifications,
· Compliance to regulations,
· Standards and best practices,
· Etc.
(why)
Application Security Life Cycle Reference Model
€/t
Verification Measurement
(what, how, where, who, when, how much)
Security Activity
(what, how, where, who, when, how much)

ASC graph relationship
 ASCs may have a
graph relationship
– Multi-layers
risks mitigation
– Hide complexity
– Ease measurability ASC
ASC ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
Business
Functional
Infrastructure
Users
ASC
Online Payment

ASC graph relationship
Facilitates
– Verification,
– Certification,
– Non-compliance
management,
– Etc ...
ASC
ASC ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
Business
Functional
Infrastructure
Users
ASC
Online Payment

Organization ASC Library
...0 1 32 9 10
Application’s levels of trust used
by the organizationASCs name & id
Security
requirements
CSACSA
Secure
authentication
Must provide...
CSACSA
Aeronautics
regulations
Must comply with...
CSA CSACSA
Online
payment
Must securely
provide...
CSAPCI-DSS StandardMust comply with... CSA
CSA CSACSAPrivacy Law (Canada)Must comply with...
CSA CSACSASSL tunnellingMust provide...
CSA CSACSA
Secure
destruction
Must provide...
3
The ASC Library

The Application Security Life Cycle Reference Model
Actors
Role 1 Role 2 Role 3 Role 4 Role n
Application Security Life Cycle Reference Model
Operation stages
Utilization and
maintenance
Archival DestructionDisposal
Provisioning stages
Preparation Realization Transition
Application
management
Application provisionning management Application operation management
Infrastructure
management
Application provisionning infrastructure management
Application operation
infrastructure management Disposal
Application
audit
Application provisioning audit Application operation audit
Layers
Application
provisionning
and operation
Preparation Utilization Archival Destruction
Outsourcing
Development
Acquisition
Transition

Level of Trust
 Target: List of ASCs that have been identified and
approved by the application owner
 Actual: List of ASCs that succeeded verification tests
 Application can be considered secure when
≥Actual
Level of Trust
Target
Level of Trust

Application security conformance
Defined in:
· ISO/IEC 27034-2, clause 6
· ISO/IEC 27034-3, clause 5 and 6
Introduced by:
· ISO/IEC 27034-2, clause 5.4.8
· ISO/IEC 27034-3, clause 6.5
Auditee
(entity to be audited)
Body certification processApplication security
audit scope
definition process
Application security validation process
Application security
implementation processes
Provide knowledge:
scope and criteria, alligned to
the certification scheme
Delivers
certificate
insurances
Ordering an audit / Hire
Perform an AS audit
(clause 5.5)
Provides
recommendations
Requests
an auditISO 27034-4
Verification
scope
(clause 6 & 7)
Manage an
AS audit programme
(clause 5.4)
ISO 27034-4
Certification
scheme
(clause 8)
Provides
training
Certifies
ISO 17021
ISO 19011
Is provided
to
AS authority
Accreditation authority
Implementer
Personnal
certification body
Training supplier
Auditor
Certification body
ISO 17024
Lead the implementation of
the AS framework or a AS verifcation scope
Accredit
ISO 27034-4
Certification
scheme
ISO 27034-4
AS verification
scope

 Provide elements to implement and enforce security conformance for
applications in the cloud
 Help you to build an application security strategy to
– Make security target flexible
– Respect organization maturity / risk tolerance / resources
– Provide a level of trust to manage “impacts vs security costs”
– Improve your RFPs for CSP selection that will include security
– Provide one simple security audit/verification/conformance process to
• Make security target measurable and verifiable
• Make repeatable results independent from the measurer/verifier
• Minimize subjectivity
• Minimize certification costs
Conclusion
ISO/IEC 27034 proposes frameworks that can

Conclusion
Example of an ISO/IEC 27034 implementation strategy
 To protect an application in the cloud
– Analyze and select existing certification standards that suit the
business, regulatory, and technological contexts for your
application, such as:
• Logical security controls / monitoring
• Data center physical security controls
• Incident management controls
• Change management controls
• Organization and administration controls
• System availability controls

Conclusion
Example of an ISO/IEC 27034 implementation strategy
 To protect an application in the cloud (cont.)
– Convert proposed controls in ASC format & structure
• Detailing the proposed controls with sub-controls if needed
• Adding a verification-measurement process to each one
– Develop new controls in ASC format & structure that may be
required to mitigate security risks, for instance:
• Secure development/deployment process
• Encryption and monitoring components
• Internal vulnerability testing
– Identify the ASC that will be inserted in RFPs to select CSPs that will
best suit your security requirements

Conclusion
Reutilization of approved controls is one of the keys
 Do not reinvent but improve the wheel
– ISO/IEC 27017 and the Cloud Controls Matrix (CCM v3)
• Propose high level security controls that can be detailed with CSA graphs
• Once implemented, some controls can be reused to be compliant with
several standards
– Ex. CCM v3 proposes 139 controls and maps them with other certification
standards
 As a CSP’s client, always remember…
– The CSP is not accountable for data confidentiality or data integrity
• SLAs often make CSPs accountable for data availability, but not always
• Contracts and SLAs of major CSPs are very detailed and must be studied
carefully
– The ultimate data responsibility/accountability remains to the CSP’s
client, even if the CSP provides insurance

THANK YOU
?
+1 418 473-4473
Luc.Poulin@Cogentas.org
www.Cogentas.org
ca.linkedin.com/in/LucPoulin
twitter.com/Cogentas.org

ISO/IEC 27034 Training Courses
 ISO/IEC 27034 Application Security Introduction
27034ASI – 1 Day Course
 ISO/IEC 27034 Application Security Foundation
27034ASF – 2 Days Course
 ISO/IEC 27034 Certified Lead Application Security Implementer
27034CASLI – 5 Days Course
 ISO/IEC 27034 Certified Lead Application Security Auditor
27034CASLA – 5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/iso-iec-27034-training-courses | www.pecb.com/events

What is needed to start trusting the security of your applications in the cloud?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to What is needed to start trusting the security of your applications in the cloud?

Similar to What is needed to start trusting the security of your applications in the cloud? (20)

More from PECB

More from PECB (20)

Recently uploaded

Recently uploaded (20)

What is needed to start trusting the security of your applications in the cloud?