
Cloud Security Alliance's GRC Stack Overview


Cloud Security Alliance's GRC Stack Overview presented at CloudCamp RTP August, 2011

Version 2, update January 2012.



  1. Cloud Security Alliance & GRC Stack. Materials by Cloud Security © & PCI in the Cloud training, created by SecurityWarrior LLC for Cloud Security Alliance, and Prof. Kai Hwang, University of Southern California. Presented to Triad ISSA, NC, January 26, 2012. Valdez Ladd, ISSA Raleigh, NC, 2012.
  2. About the Cloud Security Alliance
     - Global, not-for-profit organization
     - Building best practices and a trusted cloud ecosystem
     - Comprehensive research and tools
     - Certificate of Cloud Security Knowledge (CCSK)
  3. Presentation Outline
     - Introduction
       - What this class is about, prerequisites, how to benefit
     - Cloud basics
     - PCI DSS + cloud scenario as an example
     - Cloud Security Alliance toolsets: Controls Matrix, Consensus Assessments, etc.
     - Conclusions and action items
  4. Cloud?
  5. NIST Definition of Cloud Computing
     - “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
  6. 5 Essential Cloud Characteristics
     - On-demand self-service
     - Broad network access
     - Resource pooling
       - Location independence
     - Rapid elasticity
     - Measured service
  7. 3 Cloud Service Models
     - Cloud Software as a Service (SaaS)
       - Use the provider’s applications over a network
     - Cloud Platform as a Service (PaaS)
       - Deploy customer-created applications to a cloud
     - Cloud Infrastructure as a Service (IaaS)
       - Rent processing, storage, network capacity, and other fundamental computing resources
     - To be considered “cloud”, they must be deployed on top of cloud infrastructure that has the essential characteristics
  8. 4 Cloud Deployment Models
     - Private cloud
       - Enterprise owned or leased
     - Community cloud
       - Shared infrastructure for a specific community
     - Public cloud (our focus in this class!)
       - Sold to the public, mega-scale infrastructure
     - Hybrid cloud
       - Composition of two or more clouds
  9. 7 Common Cloud Characteristics
     - Massive scale
     - Homogeneity
     - Virtualization
     - Resilient computing
     - Low cost software
     - Geographic distribution
     - Service orientation
  10. All of this TOGETHER: The Cloud (diagram; labels recovered from the slide)
     - Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
     - Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
     - Essential Characteristics: On Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
     - Common Characteristics: Massive Scale, Homogeneity, Virtualization, Resilient Computing, Low Cost Software, Geographic Distribution, Service Orientation, Advanced Security
  11. Example IaaS // Amazon Cloud
     - Amazon cloud components
       - Elastic Compute Cloud (EC2)
         - Run your own or Amazon’s OS “instances”
       - Simple Storage Service (S3)
       - SimpleDB
       - Other services
  12. Example PaaS // Google App Engine
     - Create, deploy and run applications
     - NO control (or, in fact, even visibility) of the OS
     - Use the SDK to develop the applications
     - Run “natively” in the cloud
  13. Example SaaS // Salesforce
     - Well-known SaaS CRM application
     - Cloud CRM + a lot more applications
  14. Example P/IaaS // Azure. Source: Microsoft presentation, A Lap Around Windows Azure, Manuvir Das
  15. Service Model Architectures
  16. Foundational Elements of Cloud Computing (the slide groups these into Primary Technologies and Other Technologies)
     - Virtualization
     - Grid technology
     - Service Oriented Architectures
     - Distributed Computing
     - Broadband Networks
     - Browser as a platform
     - Free and Open Source Software
     - Autonomic Systems
     - Web 2.0
     - Web application frameworks
     - Service Level Agreements
  17. Security: Barrier to Adoption?
  18. What is Different about Cloud?
  19. Security Relevant Cloud Components
     - Cloud Provisioning Services
     - Cloud Data Storage Services
     - Cloud Processing Infrastructure
     - Cloud Support Services
     - Cloud Network and Perimeter Security
     - Elastic Elements: Storage, Processing, and Virtual Networks
  20. What is Different about Cloud?
  21. What is Different about Cloud?
  22. What is Different about Cloud?
  23. CSA Cloud “Threats”
     - Abuse & Nefarious Use of Cloud Computing
     - Insecure Interfaces & APIs
     - Malicious Insiders
     - Shared Technology Issues
     - Data Loss or Leakage
     - Account or Service Hijacking
     - Unknown Risk Profile
  24. ENISA Cloud Computing Risk Assessment
     - Loss of governance
     - Lock-in
     - Isolation failure
     - Compliance risks
     - Management interface compromise
     - Data protection
     - Insecure or incomplete data deletion
     - Malicious insider
  25. Cloud “Threats” – Top 3
     - Authentication abuse
     - Operations breakdown
     - Misuse of cloud-specific technology
  26. FBI Takes Cloud Away
  27. While we are “in the cloud”
     - Here are some additional CSA/cloud security resources…
  28. CSA GRC Stack
     - Bringing it all together to peel back the layers of control ownership and address concerns for trusted cloud adoption.
     - Diagram labels: Control Requirements; Provider Assertions; Private, Community & Public Clouds
  29. CSA CloudAudit
     - Open standard and API to automate provider audit assertions
     - Change audit from data gathering to data analysis
     - Necessary to provide audit & assurance at the scale demanded by cloud providers
     - Uses the Cloud Controls Matrix as the controls namespace
     - Use it to instrument the cloud for continuous controls monitoring
  30. CSA Cloud Controls Matrix
     - Controls derived from guidance
     - Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
     - Rated as applicable to SaaS/PaaS/IaaS
     - Customer vs. Provider role
     - Helps bridge the “cloud gap” for IT & IT auditors
  31. Next?
  32. Thanks for Your Review!
     - Acknowledgement to Dr. Anton Chuvakin, SecurityWarrior LLC, for Cloud Security Alliance, Cloud Security
     - Materials by Cloud Security © & PCI in the Cloud training, created by for Triad ISSA, NC, January 26, 2012. Valdez Ladd, ISSA Raleigh, NC, 2011