Post on 07-Mar-2018
Using the CSA Control Matrix and ISO 27017 controls to facilitate regulatory compliance in the cloud
Marlin Pohlman, Ph.D., CISA, CISM, CGEIT, CISSP, PE, HITRUST CSV
Co-Chair: CSA CCM, CSA CAIQ, CSA Cloud Audit
Co-Editor: ISO 27017 & ITU-T FG Cloud X.srfctse
Co-Chair/Founder, CSA GRC Stack
Chief Governance Officer, EMC CTO Office
www.cloudsecurityalliance.org
Copyright © 2010 Cloud Security Alliance
Cloud adds the concept of Supply Chain
Each member does what they do best.
Harmony in Specialization
Chains are only as strong as the weakest link.
GRC ensures the integrity of the chain.
CSA GRC Stack
Family of 4 research projects:
• Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative Questionnaire (CAIQ)
• Cloud Trust Protocol (CTP)
• Cloud Audit
Tools for governance, risk and compliance management.
Enabling automation and continuous monitoring of GRC.
Cloud Controls Matrix (CCM)
What is the CCM?
• First ever baseline control framework specifically designed for managing risk in the Cloud Supply Chain:
– Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
– Providing an anchor point and common language for balanced measurement of security and compliance postures.
– Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.
• Serves as the basis for new industry standards and certifications.
CCM – 11 Domains
CCM – 98 Controls
A Unified Compliance Approach
Bridging Regulatory Governance and Practical Compliance
Consensus Assessments Initiative Questionnaire (CAIQ)
What is the CAIQ?
• Cloud Supply Chain risk management and due diligence questionnaire (148 questions)
– Enables 1 or more Cloud service providers to demonstrate compliance with the CSA CCM.
– Forms the basis for establishing Cloud-specific Service Level Objectives that can be incorporated into supplier agreements.
• AICPA SSAE 16 SOC 2 Normative Qualification Questionnaire.
CloudAudit Protocol
• Provides an open, extensible and secure interface for automation of Audit, Assertion, Assessment, and Assurance (A6) of cloud computing environments.
• A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
– Defines a namespace that can support diverse frameworks.
– Frameworks expressed in the namespace: CSA CCM, ISO/IEC 27001, COBIT, HIPAA, NIST SP 800-53, PCI DSS.
– Defines the mechanisms for requesting and responding to queries relating to specific controls.
– Integrates with portals and AAA systems.
Sample Implementation – CSA Compliance Pack
CloudAudit – How it Works
CloudAudit – Manifest.xml Example
DMTF – CADF (Cloud Audit Data Federation): Resource Model
[Figure: CADF resource model. Top-level node Resource with the subtypes Compute, Network, Storage, Data and Service, plus a separate Initiator taxonomy. Example instances shown: NetworkNode, Router, Repository, ConfigurationRepository, Machine, ProcessingNode, User, PrivilegedUser, Application, Workload, CRMService, BSSService. Legend: example instance; is-a relationship.]
Node descriptions:
Network: Represents the logical resources that interconnect computer systems, terminals, and other equipment, allowing information to be exchanged (general, compiled definition). A realized entity that is capable of providing network addresses, routing rules, mapping tables, and network access limits (as defined by CMWG).
Compute: Represents the logical resources that are used to perform logical operations or calculations on data.
Storage: Represents the logical constructs that represent storage containers.
Service: Represents the logical sets of functions, packaged into a single entity, that provide access to and add value to cloud resources.
Data: Represents the logical named sets of information that are referenced and managed by services.
Initiator: Separate taxonomy. Classifies the initiator (human or non-human entity) of event actions.
Elements of Transparency in the CTP
[Figure: CloudTrust Protocol orientation. Labels on the slide: 6 TYPES, ELEMENTS, FAMILIES; Initiation; Policy introduction; Configuration; Vulnerabilities; EVIDENCE REQUESTS (Provider assertions, Provider notifications, Client extensions); ANCHORING (Geographic, Platform, Process); Audit log; Service Management; Service Statistics. Note on the slide: only 23 elements in the entire protocol.]
CloudTrust Protocol Pathways: Mapping the Elements of Transparency in Deployment
[Figure: CloudTrust Protocol orientation. Columns: Admin & Ops, Specs, Transparency Requests, Extensions; rows: Assertions, Evidence, Affirmations. Related labels: CloudAudit.org, SCAP, Sign / sealing.]
Numbered elements of transparency as placed on the slide:
1 Session start
2 Session end
3, 4, 5, 6, 7 Configuration & vulnerabilities
8, 9, 10 Anchoring (geographic, platform, process)
11 Violation
12 Audit
13 Access
14 Incident log
15 Config/control
16 Stats
17 Security capabilities and operations
18 Alerts
19 Users
20 Configuration definition
21 Anchors
22 Quotas
23 Alert conditions
24 Consumer/provider negotiated
CloudTrust Protocol V2.0 Syntax
• Based on XML
• Traditional RESTful web service over HTTP
Multiple Styles of Implementation: The CTP is machine and human readable
[Figure: out-of-band and in-band deployments. Actors: Cloud Provider, Cloud Consumer, RESTful Web Service(s), CloudTrust Protocol Service; flows labelled Trust and Evidence (elements of transparency).]
Legal and Electronic Discovery
The highest risks of conducting e-discovery in the cloud are:
• The loss or alteration of data and associated metadata
• The potential violation of international data privacy laws by illegally disclosing data in the jurisdiction in which the cloud is located
• The unintentional waiver of the attorney-client privilege by co-mingling data or disclosing attorney-client communications to third parties
• The failure to properly and timely implement and monitor litigation holds
Companies can manage the risk of altering metadata and the risk of violating international data privacy laws by insisting that the service agreement with their cloud provider:
• Require that none of the company’s data may be stored outside the United States
• Provide a detailed mechanism for how the cloud will implement litigation holds
• Address how metadata will be created and stored in the cloud environment
Obligatory Predicates & SLA Supply Chain
OBLIGATION: The requirement to do what is imposed by law, promise, or contract; a duty. In its general and most extensive sense, obligation is synonymous with duty. In a more technical meaning, it is a tie which binds us to pay or to do something agreeably to the laws and customs of the country in which the obligation is made. The term obligation also signifies the instrument or writing by which the contract is witnessed. And in another sense, an obligation still subsists, although the civil obligation is said to be a bond containing a penalty.
Obligatory Predicates can also address jurisdictional issues in the cloud.
<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
  <!-- value: an Asset carries an integer valuation -->
  <rdf:Property rdf:ID="value">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="http://www.w3.org/2001/XMLSchema#integer"/>
  </rdf:Property>
  <!-- depends, contains: Asset-to-Asset relations that form the supply chain -->
  <rdf:Property rdf:ID="depends">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Asset"/>
  </rdf:Property>
  <rdf:Property rdf:ID="contains">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Asset"/>
  </rdf:Property>
  <!-- subjecttoObligation: the obligatory predicate binding an Asset to an Obligation -->
  <rdf:Property rdf:ID="subjecttoObligation">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Obligation"/>
  </rdf:Property>
  <rdf:Property rdf:ID="Predicate">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Resource"/>
  </rdf:Property>
  <rdf:Property rdf:ID="Constraint">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Value"/>
  </rdf:Property>
  <!-- supportUsage: case law supporting how the Asset may be used -->
  <rdf:Property rdf:ID="supportUsage">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#CaseLaw"/>
  </rdf:Property>
</rdf:RDF>
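The schema above only declares which classes each predicate may connect. The following Python is an added example, not code from the slides or from CSA: it parses the RDF/XML property declarations with the standard library, checks a small asset graph against the declared domains and ranges, and then follows the depends/contains predicates to collect every obligation that reaches an asset through its supply chain. The asset and obligation names, the graph itself and the inheritance rule (an asset inherits the obligations of what it contains and what it depends on) are assumptions made for the example.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RDFS = "http://www.w3.org/2000/01/rdf-schema#"
XSD = "http://www.w3.org/2001/XMLSchema#"

# The property declarations from the slide, with the RDF/XML syntax corrected.
SCHEMA_XML = f"""<rdf:RDF xmlns:rdf="{RDF}" xmlns:rdfs="{RDFS}">
  <rdf:Property rdf:ID="value">
    <rdfs:domain rdf:resource="#Asset"/><rdfs:range rdf:resource="{XSD}integer"/>
  </rdf:Property>
  <rdf:Property rdf:ID="depends">
    <rdfs:domain rdf:resource="#Asset"/><rdfs:range rdf:resource="#Asset"/>
  </rdf:Property>
  <rdf:Property rdf:ID="contains">
    <rdfs:domain rdf:resource="#Asset"/><rdfs:range rdf:resource="#Asset"/>
  </rdf:Property>
  <rdf:Property rdf:ID="subjecttoObligation">
    <rdfs:domain rdf:resource="#Asset"/><rdfs:range rdf:resource="#Obligation"/>
  </rdf:Property>
  <rdf:Property rdf:ID="Predicate">
    <rdfs:domain rdf:resource="#Asset"/><rdfs:range rdf:resource="#Resource"/>
  </rdf:Property>
  <rdf:Property rdf:ID="Constraint">
    <rdfs:domain rdf:resource="#Asset"/><rdfs:range rdf:resource="#Value"/>
  </rdf:Property>
  <rdf:Property rdf:ID="supportUsage">
    <rdfs:domain rdf:resource="#Asset"/><rdfs:range rdf:resource="#CaseLaw"/>
  </rdf:Property>
</rdf:RDF>"""


def local(uri: str) -> str:
    """Local name of a reference: '#Asset' -> 'Asset', '...XMLSchema#integer' -> 'integer'."""
    return uri.rsplit("#", 1)[-1]


def parse_schema(xml_text: str) -> dict[str, tuple[str, str]]:
    """Map each rdf:Property ID to the local names of its (domain, range)."""
    root = ET.fromstring(xml_text)
    schema = {}
    for prop in root.iter(f"{{{RDF}}}Property"):
        dom = prop.find(f"{{{RDFS}}}domain").attrib[f"{{{RDF}}}resource"]
        rng = prop.find(f"{{{RDFS}}}range").attrib[f"{{{RDF}}}resource"]
        schema[prop.attrib[f"{{{RDF}}}ID"]] = (local(dom), local(rng))
    return schema


def node_class(nodes: dict[str, str], obj) -> str:
    """Class of a triple object: the xsd type for an int literal, else the declared node class."""
    return "integer" if isinstance(obj, int) else nodes.get(obj, "<unknown>")


def validate(schema, nodes, triples) -> list[str]:
    """Report every triple whose subject or object violates the predicate's domain/range."""
    errors = []
    for s, p, o in triples:
        if p not in schema:
            errors.append(f"{s} {p} {o}: undeclared predicate")
            continue
        dom, rng = schema[p]
        if nodes.get(s) != dom:
            errors.append(f"{s} {p} {o}: subject is {nodes.get(s)}, domain requires {dom}")
        if node_class(nodes, o) != rng:
            errors.append(f"{s} {p} {o}: object is {node_class(nodes, o)}, range requires {rng}")
    return errors


def obligations(triples, asset: str) -> set[str]:
    """Obligations binding an asset. Assumed rule for this example: an asset inherits the
    obligations of the assets it contains and depends on, so an obligation attached to a data
    set or to a supplier follows the supply chain upward. Cycle-safe via the seen set."""
    found, seen, stack = set(), set(), [asset]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for s, p, o in triples:
            if s == cur and p == "subjecttoObligation":
                found.add(o)
            elif s == cur and p in ("contains", "depends"):
                stack.append(o)
    return found


# Constructed sample graph (illustrative names, not real systems or contract terms).
NODES = {"billing-app": "Asset", "customer-db": "Asset", "storage-tier": "Asset",
         "us-only-storage": "Obligation", "litigation-hold": "Obligation"}
TRIPLES = [("customer-db", "subjecttoObligation", "us-only-storage"),
           ("storage-tier", "subjecttoObligation", "litigation-hold"),
           ("billing-app", "contains", "customer-db"),
           ("billing-app", "depends", "storage-tier"),
           ("billing-app", "value", 250000)]
BAD_TRIPLES = [("us-only-storage", "depends", "billing-app"),  # an Obligation is not an Asset
               ("customer-db", "value", "high")]               # range is xsd:integer

if __name__ == "__main__":
    schema = parse_schema(SCHEMA_XML)
    print(validate(schema, NODES, TRIPLES + BAD_TRIPLES))
    print(sorted(obligations(TRIPLES, "billing-app")))
```

Validation should run before inference: an obligation that sits on the wrong side of a predicate (the first bad triple) would otherwise be silently skipped by the traversal, and a graph that passes the domain/range check is exactly the one on which the supply-chain inheritance is meaningful.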
ISO 27017 Coordinated Editorial Activity
[Figure: coordinated editorial inputs. ISO 27017 (control standard); ITU-T X.srfctse (standard, ITU-T FG / SG17): Security requirements and framework of cloud based telecommunication service environment; Cloud-I-0465 (requirement document); FedRAMP 2012 (controls).]
ISO 27017 Work In Progress
ISO 27017 Example: Obligatory Predicates
• CSA Control Matrix RS-08
• ISO 27017: 11.7.2
• ITU-T FG SG17 Cloud-I-0465 Requirement Document, Req 8.12: Agreements on information transfer and forensic traceability
ISO 27017 Example: Virtualization Security
• CSA Control Matrix IS-34
• FedRAMP SC-30
• X.srfctse (Security requirements and framework of cloud based telecommunication service environment), 7.1 Security Vulnerabilities in Virtualization
• ISO 27017 A.13.6.4 Secure Virtual Machine
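The CloudAudit slide earlier (a namespace that holds assertions for controls from several frameworks, plus a mechanism for answering queries about a specific control) and the two ISO 27017 example slides (CCM RS-08 with ISO 27017 11.7.2 and Cloud-I-0465 Req 8.12; CCM IS-34 with FedRAMP SC-30, X.srfctse 7.1 and ISO 27017 A.13.6.4) describe one structure: assertions published once against a control and discovered from any framework that maps to it. The Python below is an added example, not CSA code and not the CloudAudit specification. The control identifiers and their pairings come from the slides; the `/.well-known/cloudaudit/...` path layout, the `Assertion` record, the evidence URIs and the placeholder control id `EXAMPLE-01` are assumptions made for the example.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlRef:
    """A control named by framework and control id, e.g. csa-ccm / IS-34."""
    framework: str
    control: str

    def namespace(self) -> str:
        # Path under which a provider would publish assertions for this control.
        # This layout is an assumption of the example, not text from the slides.
        return f"/.well-known/cloudaudit/{self.framework}/{self.control}"


@dataclass(frozen=True)
class Assertion:
    """A provider statement about one control plus the evidence URIs backing it."""
    control: ControlRef
    statement: str
    evidence: tuple[str, ...]


class AssertionNamespace:
    """Assertions indexed by control, joined by a cross-framework crosswalk."""

    def __init__(self) -> None:
        self._assertions: dict[ControlRef, list[Assertion]] = defaultdict(list)
        self._links: dict[ControlRef, set[ControlRef]] = {}

    def register(self, ref: ControlRef) -> None:
        # Known controls are tracked even when nothing asserts against them,
        # so that gap analysis can report them.
        self._links.setdefault(ref, set())

    def add_assertion(self, assertion: Assertion) -> None:
        self.register(assertion.control)
        self._assertions[assertion.control].append(assertion)

    def map_controls(self, a: ControlRef, b: ControlRef) -> None:
        """Record that two controls in different frameworks address the same requirement."""
        self.register(a)
        self.register(b)
        self._links[a].add(b)
        self._links[b].add(a)

    def equivalents(self, ref: ControlRef) -> set[ControlRef]:
        """Every control reachable through the crosswalk, including ref itself."""
        seen, queue = {ref}, deque([ref])
        while queue:
            for nxt in self._links.get(queue.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def query(self, ref: ControlRef) -> list[Assertion]:
        """Assertions supporting ref directly or via an equivalent control."""
        ordered = sorted(self.equivalents(ref), key=lambda c: (c.framework, c.control))
        return [a for ctl in ordered for a in self._assertions.get(ctl, [])]

    def gaps(self, framework: str) -> list[ControlRef]:
        """Controls of one framework that no assertion reaches, even through the crosswalk."""
        refs = [c for c in self._links if c.framework == framework]
        return sorted((c for c in refs if not self.query(c)), key=lambda c: c.control)


# Control identifiers and pairings as shown on the ISO 27017 example slides.
CCM_IS34 = ControlRef("csa-ccm", "IS-34")
CCM_RS08 = ControlRef("csa-ccm", "RS-08")
FEDRAMP_SC30 = ControlRef("fedramp", "SC-30")
ISO_A1364 = ControlRef("iso-27017", "A.13.6.4")
ISO_1172 = ControlRef("iso-27017", "11.7.2")
XSRF_71 = ControlRef("itu-t-x.srfctse", "7.1")
CLOUDI_812 = ControlRef("itu-t-cloud-i-0465", "Req 8.12")
CCM_PLACEHOLDER = ControlRef("csa-ccm", "EXAMPLE-01")  # placeholder id, not a real CCM control


def build_sample_namespace() -> AssertionNamespace:
    ns = AssertionNamespace()
    ns.map_controls(CCM_IS34, FEDRAMP_SC30)
    ns.map_controls(CCM_IS34, XSRF_71)
    ns.map_controls(CCM_IS34, ISO_A1364)
    ns.map_controls(CCM_RS08, ISO_1172)
    ns.map_controls(CCM_RS08, CLOUDI_812)
    ns.register(CCM_PLACEHOLDER)
    # Constructed provider assertions and evidence URIs (sample data, not real evidence).
    ns.add_assertion(Assertion(CCM_IS34, "Hypervisor hardening baseline applied to all hosts",
                               ("https://provider.example/evidence/hv-baseline.pdf",)))
    ns.add_assertion(Assertion(CCM_RS08, "Forensic log export available under contract",
                               ("https://provider.example/evidence/forensic-export.pdf",)))
    return ns


if __name__ == "__main__":
    ns = build_sample_namespace()
    for a in ns.query(FEDRAMP_SC30):
        print(a.control.namespace(), a.statement, a.evidence)
    print("unsupported CCM controls:", ns.gaps("csa-ccm"))
```

Asking for FedRAMP SC-30 returns the assertion that was published once under CCM IS-34, which is the point of the crosswalk: the provider answers each control once and every mapped framework discovers it. The gap report is the complementary check an auditor wants, since a control that no assertion reaches even through the mapping is one the CAIQ or SLA still has to cover.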
27017 Appendix B: Minimum Baseline
SECURITY CONTROL SELECTION
Organizations (CSU, CSP IaaS, PaaS, SaaS) must meet the minimum security requirements in this standard by selecting the appropriate security controls and assurance requirements.
Thank you for your Time and Attention
Questions ?
Marlin Pohlman
mpohlman@cloudsecurityalliance.org
Marlin.pohlman@emc.com
+1.503.662.2245