© 2011 Cloud Security Alliance, Inc. All rights reserved.
Vast Landscape of Cloud Standards Development Organizations (SDOs)
Mission Statement (Non-Profit)
Promote a common level of understanding
– Consumers and Providers
– Security Requirements
– Attestation of Assurance
Promote independent, agile research and development – incubator for standards development efforts
Address cloud security and assurance risks and guidance through collective expertise
Awareness campaigns and educational programs
– Cloud computing use cases
– Cloud security solutions
Standards Workgroup
Title Proposed: International Standardization Council
Formed at CSA Congress, Nov 2011 (Orlando)
Aloysius Cheang, CSA Singapore, appointed as Head of Standards Secretariat (Council Lead)
Council Charter, Appointment of Co-Chairs (In Progress)
Allows CSA Members to actively engage in the SDO process (contributions, comments, etc.)
International Standardization Council – Global Membership
Laura Kuiper (Cisco)
Becky Swain (EKKO Consulting)
Marlin Pohlman (EMC)
Crispen Maung (Salesforce.com)
Heather Ouellette (Salesforce.com)
Cameron Smith (Zscaler)
Aloysius Cheang (CSA Secretariat)
Laura Posey (Microsoft)
Andreas Fuchsberger (Microsoft)
Bernd Jäger (Colt Telecom)
Jason Creasy (ISF)
Said Tabet (EMC)
Xavier Guerin (France Telecom – Orange)
Security Guidance for Critical Areas of Focus in Cloud Computing
The Guidance Version 3.0 (Nov 2011)
– Seeks to establish a stable, secure baseline for cloud operations.
– Provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely.
– 14 Domains – rewritten to emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment.
Download @ …/research/initiatives/security-guidance/
Prior Releases:
– Version 1.2 (Dec 2009)
  • Incorporated into CCSK learning criteria
– Version 1.0 (April 2009)
  • CSA founding publication
Security Guidance for Critical Areas of Focus in Cloud Computing
Section I. Cloud Architecture
– Domain 1 Cloud Computing Architectural Framework
Section II. Governing in the Cloud
– Domain 2 Governance and Enterprise Risk Management
– Domain 3 Legal Issues: Contracts and Electronic Discovery
– Domain 4 Compliance and Audit Management
– Domain 5 Information Management and Data Security
– Domain 6 Interoperability and Portability
Section III. Operating in the Cloud
– Domain 7 Traditional Security, Business Continuity, and Disaster Recovery
– Domain 8 Data Center Operations
– Domain 9 Incident Response
– Domain 10 Application Security
– Domain 11 Encryption and Key Management
– Domain 12 Identity, Entitlement, and Access Management
– Domain 13 Virtualization
– Domain 14 Security as a Service
The CSA GRC Stack
A suite of four integrated and reinforcing CSA initiatives (the “stack packages”)
– The Stack Packs
  • Cloud Controls Matrix
  • Consensus Assessments Initiative
  • CloudAudit
  • CloudTrust Protocol
Designed to support cloud consumers and cloud providers
Prepared to capture value from the cloud as well as support compliance and control within the cloud
The CSA GRC Stack (start from the bottom, then work your way up…)
Delivering | Stack Pack | Description
Continuous monitoring … with a purpose | CloudTrust Protocol | Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
Claims, offers, and the basis for auditing service delivery | CloudAudit | Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
Pre-audit checklists and questionnaires to inventory controls | Consensus Assessments Initiative Questionnaire (CAIQ) | Industry-accepted ways to document what security controls exist
The recommended foundations for controls | Cloud Controls Matrix (CCM) | Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider
The GRC Stack: Solving the Value Equation in the Cloud
Delivering evidence-based confidence… with compliance-supporting data & artifacts.
(Figure: the GRC Stack builds from Security Requirements and Capabilities, through Security Transparency and Visibility, to Compliance and Trust)
CSA GRC Value Equation: Contributions for Consumers and Providers
– Cloud Controls Matrix: What control requirements should I have as a cloud consumer or cloud provider?
– Consensus Assessments Initiative Questionnaire: How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
– CloudAudit: How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
– CloudTrust Protocol: How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?
The first three packs deliver static claims & assurances; the CloudTrust Protocol adds dynamic (continuous) monitoring and transparency.
• Individually useful
• Collectively powerful
• Productive way to reclaim end-to-end information risk management capability
Security, Trust, and Assurance Registry (CSA STAR)
• Public registry of cloud provider self-assessments
• Leverages GRC Stack projects – Consensus Assessments Initiative Questionnaire
  – Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Free market competition to provide quality assessments
• Available October 2011
Security, Trust, and Assurance Registry (CSA STAR)
Encourages transparency of security practices within cloud providers
Documents the security controls provided by various cloud computing offerings
Free and open to all cloud providers
Option to use data/report based on the CCM or the CAIQ
Expose control claims
Compete to improve GRC capabilities
Trusted Cloud Initiative (TCI)
CSA certification criteria and seal program for cloud providers
Initial focus on secure & interoperable identity in the cloud, and its alignment with data encryption
Assemble with existing standards
Reference models & proof of concept
Outline responsibilities for Identity Providers, Enterprises, Cloud Providers, Consumers
Download @ …/trustedcloud.html
TCI Mission
“To create a Trusted Cloud reference architecture for cloud use cases that leverage cloud delivery models (SaaS, PaaS, IaaS) in the context of operational models (Public, Private, Hybrid) to deliver a secure and trusted cloud service.”
Holistic approach around controls… and Architecture best practices (figures)
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
NIST
National Institute of Standards and Technology (NIST) – Promotes the effective and secure use of the technology within the U.S. Federal Government and, therefore, leads a number of efforts to develop cloud standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders.
– Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC)
– Strategy to build a US Government (USG) Cloud Computing Technology Roadmap
Publications
– SP 800-144: DRAFT Guidelines on Security and Privacy in Public Cloud Computing (Jan 28, 2011)
– SP 800-145: The NIST Definition of Cloud Computing (Sept 2011)
– SP 800-146: DRAFT Cloud Computing Synopsis and Recommendations (May 12, 2011)
– SP 500-291: NIST Cloud Computing Standards Roadmap (August 10, 2011)
– SP 500-292: NIST Cloud Computing Reference Architecture (September 08, 2011)
NIST Definition of Cloud
The NIST definition of cloud computing (SP 800-145)
• 5 essential characteristics
• 3 service models
• 4 deployment models
Already widely adopted by the cloud computing industry, including ISO/IEC JTC 1/SC 38, and recognized in CSA Guidance.
NIST Cloud Computing Reference Model SP 500-292 (September 08, 2011) (figure)
The CSA GRC Stack Architecture Reference Model Readiness – Transparency (figure)
NIST FedRAMP
“Proposed Security Assessment & Authorization for U.S. Government Cloud Computing” DRAFT (FedRAMP) – Based on NIST SP 800-37 Rev 1 and SP 800-53 as a proposed Assessment and Authorization (A&A) approach for U.S. Government cloud computing.
– Chapter 1: Cloud Computing Security Requirement Baseline (SP 800-53)
– Chapter 2: Continuous Monitoring
– Chapter 3: Potential Assessment & Authorization Approach (SP 800-37 Rev 1)
CSA provided feedback on the FedRAMP DRAFT
CSA CCM v1.2 incorporates a mapping to SP 800-53 Rev 3 and the FedRAMP DRAFT
CSA CCM v1.3 to include a mapping to SP 800-53 Rev 4 and FedRAMP FINAL
NIST SCAP (Pronounced “S-Cap”) & XCCDF
The Security Content Automation Protocol (SCAP)
– Suite of specifications that standardize the format/nomenclature by which software flaw and security configuration information is communicated, both to machines and humans
– Multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement
– Promotes interoperability of security products, and fosters the use of standard expressions of security content
– Mandated by FedRAMP Continuous Monitoring
5 Specification Categories
– Languages: standard vocabularies/conventions for expressing security policy, technical check mechanisms, and assessment results – Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL®), and Open Checklist Interactive Language (OCIL™)
– Reporting Formats: provide the necessary constructs to express collected information in standardized formats – Asset Reporting Format (ARF) and Asset Identification
– Enumerations: define standard nomenclature and an official dictionary expressed using that nomenclature – Common Platform Enumeration (CPE™), Common Configuration Enumeration (CCE™), and Common Vulnerabilities and Exposures (CVE®)
– Measurement and scoring systems: evaluate specific characteristics of a security weakness (i.e., software vulnerabilities and security configuration issues) and, based on those characteristics, generate a score that reflects their relative severity – Common Vulnerability Scoring System (CVSS), Common Configuration Scoring System (CCSS)
– Integrity: preserve the integrity of SCAP content and results – Trust Model for Security Automation Data (TMSAD)
NIST SCAP (Pronounced “S-Cap”) & XCCDF
The Extensible Configuration Checklist Description Format (XCCDF)
– Specification language for writing security checklists, benchmarks, and related kinds of documents
– An XCCDF document represents a structured collection of security configuration rules for some set of target systems
– Designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring
– Defines a data model and format for storing the results of benchmark compliance testing
– The intent is to provide a uniform foundation for the expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.
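The results data model is the part of XCCDF a cloud consumer actually receives when a provider exposes continuous-monitoring output (the CloudTrust Protocol and FedRAMP both lean on SCAP for this). The Python below is an added example for this page, not code from the CSA slides or from NIST: it parses a constructed XCCDF 1.2 TestResult, tallies the rule results, recomputes the flat-model score (urn:xccdf:scoring:flat) from the rule-result elements, and compares it with the score the producer wrote. Element and attribute names follow XCCDF 1.2 (NIST IR 7275 Rev 4); the rule ids, target host and the sample document itself are invented, and the sample deliberately claims a perfect score that its own rule results do not support.

```python
"""Parse an XCCDF 1.2 TestResult and recompute its flat-model score.

Added example for this page; not code from the CSA slides or from NIST.
The sample document is constructed; element and attribute names follow
XCCDF 1.2 (NIST IR 7275 Rev 4), rule ids and the target host are invented.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample result. The <score> element deliberately claims a
# perfect score that the rule results do not support.
SAMPLE_RESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.example_testresult_demo"
            start-time="2011-11-01T10:00:00" end-time="2011-11-01T10:02:00">
  <benchmark href="xccdf_org.example_benchmark_demo.xml"/>
  <target>web01.example.internal</target>
  <rule-result idref="xccdf_org.example_rule_sshd_no_root_login" weight="2.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_password_max_age" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_auditd_enabled" weight="1.0">
    <result>fixed</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_selinux_enforcing" weight="1.0">
    <result>notapplicable</result>
  </rule-result>
  <score system="urn:xccdf:scoring:flat" maximum="4.0">4.0</score>
</TestResult>
"""

# Flat model (XCCDF 1.2, urn:xccdf:scoring:flat): a rule contributes its
# weight to the maximum when it was actually evaluated, and to the score
# when it passed. "fixed" is treated like "pass", as in the spec's models;
# notapplicable/notchecked/notselected/informational are left out entirely.
EVALUATED = {"pass", "fail", "error", "unknown", "fixed"}
PASSING = {"pass", "fixed"}
NEEDS_ATTENTION = {"fail", "error", "unknown"}


def _test_result(xml_text):
    """Locate the TestResult, whether it is the root or nested in a Benchmark."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{XCCDF_NS}}}TestResult":
        return root
    tr = root.find("x:TestResult", NS)
    if tr is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    return tr


def parse_rule_results(xml_text):
    """Return a list of (rule idref, result, weight) tuples."""
    rows = []
    for rr in _test_result(xml_text).findall("x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        weight = float(rr.get("weight", "1.0"))  # XCCDF default weight is 1.0
        rows.append((rr.get("idref", ""), result, weight))
    return rows


def flat_score(rows):
    """Recompute (score, maximum) under the flat model from the rule results."""
    score = sum(w for _, r, w in rows if r in PASSING)
    maximum = sum(w for _, r, w in rows if r in EVALUATED)
    return score, maximum


def reported_flat_score(xml_text):
    """Return the (score, maximum) the producer wrote, or None if absent."""
    for sc in _test_result(xml_text).findall("x:score", NS):
        if sc.get("system") == "urn:xccdf:scoring:flat":
            return float(sc.text), float(sc.get("maximum", "0"))
    return None


def summarize(xml_text):
    """Tally results, recompute the score and flag a mismatch with the claim."""
    rows = parse_rule_results(xml_text)
    score, maximum = flat_score(rows)
    reported = reported_flat_score(xml_text)
    consistent = reported is not None and reported == (score, maximum)
    return {
        "counts": dict(Counter(r for _, r, _ in rows)),
        "score": score,
        "maximum": maximum,
        "reported": reported,
        "consistent": consistent,
        "needs_attention": [i for i, r, _ in rows if r in NEEDS_ATTENTION],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULT)
    print(f"recomputed {s['score']}/{s['maximum']}, reported {s['reported']}, "
          f"consistent={s['consistent']}, needs attention: {s['needs_attention']}")
```

The point of recomputing is the same one the GRC Stack makes about evidence versus claims: the `<score>` element is an assertion by whoever produced the file, while the rule-result elements are the evidence. A consumer pulling these results through a transparency interface should derive its own number and treat a mismatch (as in the sample, 3.0/4.0 recomputed against a reported 4.0/4.0) as a finding in itself.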
NIST SCAP (Pronounced “S-Cap”) & XCCDF (figure; source: NIST SP 800-117)
NIST SCAP (Pronounced “S-Cap”) & XCCDF
Publications
– SP 800-117: FINAL Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1 (July 27, 2010)
– SP 800-126 Rev 2: DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP) (July 12, 2011)
– IR 7511: DRAFT Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (Feb 2009)
– SP 800-51 Rev 1: FINAL Guide to Using Vulnerability Naming Schemes (Feb 24, 2011)
– IR 7275 Rev 4: Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 (Sept 2011)
• Incorporated into the NIST SCAP Validation Program, which supports the United States Government Configuration Baseline (USGCB), an OMB-mandated security configuration for all Federal desktops
• Increasing interest in making it an international standard – ISO/IEC JTC 1, ITU-T SG17
• Other SDOs involved – IETF, DMTF
CloudTrust Protocol Pathways: Mapping the Elements of Transparency
(Figure: the numbered CTP elements of transparency laid out across the columns Deployment, Admin and Ops, Specs, Transparency Requests (Assertions, Evidence, Affirmations) and Extensions. Recoverable labels:)
– Session start: 1; Session end: 2
– Configuration and vulnerabilities: 3, 4, 5, 6, 7
– Anchoring (geographic, platform, process): 8, 9, 10
– Violation: 11; Audit: 12; Access: 13; Incident log: 14; Config./control: 15; Stats: 16
– Security capabilities and operations: 17
– Alerts: 18; Users: 19
– Configuration definition: 20
– Anchors: 21; Quotas: 22; Alert conditions: 23
– Consumer/provider negotiated: 24
– Underlying mechanisms shown: CloudAudit.org, SCAP, sign/sealing
CloudTrust Protocol V2.0
• Syntax
  – Based on XML
  – Traditional RESTful web service over HTTP
  – SCAP / XCCDF query & response structure
Legend: New in V2.0
CSA CloudSIRT
MISSION: Enhance the capability of the cloud community to prepare for and respond to vulnerabilities, threats, and incidents in order to preserve trust in cloud computing.
Community of organizations sharing threat identification, liaising with security organizations, providing incident response assistance and consultation, and collaborating on research, including education, training and awareness:
– Cloud service providers
– Telecommunications service providers
– Country CERT/CCs and ISACs
ENISA
European Network and Information Security Agency (ENISA) – the EU’s response to the cyber security issues of the European Union, described as the ‘pace-setter’ for information security in Europe, and a centre of expertise working for the EU institutions and Member States.
– “Cloud Computing: Benefits, risks and recommendations for information security” by ENISA uses a risk assessment approach to analyze the security issues raised by cloud services; incorporated into the CSA CCSK training criteria.
– “Security and Resilience in Governmental Clouds”, which provides a decision-making model that can be used by governments considering cloud computing to determine which architectural solution best suits the security requirements of their organization.
ISO/IEC JTC 1
ISO/IEC JTC 1 is Joint Technical Committee 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), with a mandate to develop, maintain, promote and facilitate IT standards required by global markets meeting business and user requirements concerning:
– the design and development of IT systems and tools
– the performance and quality of IT products and systems
– the security of IT systems and information
– the portability of application programs
– the interoperability of IT products and systems
– the unified tools and environments
– the harmonized IT vocabulary, and
– the user-friendly and ergonomically-designed user interfaces
Work is conducted by subcommittees (SCs) dealing with a particular field, and SCs may be comprised of several working groups (WGs).
ISO/IEC JTC 1 Development Process (figure)
ISO/IEC JTC 1/SC 27
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Joint Technical Committee 1/Subcommittee 27 (ISO/IEC JTC 1/SC 27) – Information Technology Security Techniques (2700x series of ISMS standards)
– Study period on Cloud Computing Security and Privacy to investigate the requirements for cloud computing and a feasible program of standards work to meet those requirements, involving 3 WGs:
  • WG 1 (Information Security Management) leading the coordinating efforts on this study period in conjunction with the following working groups:
  • WG 4 – Security Controls and Services
  • WG 5 – Identity Management, Privacy Technology and Biometrics
– Topics for consideration – information security management, risk management, application and network security, cybersecurity, business continuity, privacy and identity management, with contributions from CSA (CAIQ, CCM, Guidance, TCI Architecture), ITU-T, SC 38 and others.
ISO/IEC JTC 1/SC 27 Nairobi, Kenya Resolutions (Oct 2011)
WG 1: ISO/IEC 27017 – Output from Cloud Security & Privacy (CSP) Joint WG 1/4/5 Study Period
– 2nd WD – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 (Project Co-Editors: Satoru Yamasaki, JP & Marlin Pohlman, US/CSA)
WG 4: ISO/IEC 27036-X – Information technology – Security techniques – Information security for supplier relationships
– 2nd WD Part 1 – Overview and Concepts (Project Co-Editor: Becky Swain, US/CSA)
– 2nd WD Part 2 – Common Requirements (Project Co-Editor: Benoit Poletti, Luxembourg)
– 2nd WD Part 3 – Guidelines for ICT Supply Chain Security (Project Co-Editor: Nadya Bartol, US)
– Part 4 – Guidelines for Outsourcing (TBD)
– Part 5 – Cloud Computing (TBD)
– Part 6 – TBD
WG 5: NWIP – Output from CSP Joint WG 1/4/5 Study Period
– Information technology – Security techniques – Code of practice for data protection controls for public cloud computing services (Project Co-Editor: Chris Mitchell, UK)
Callout: CSA NWIP planned for the WG 4 CSP Study Period
ISO/IEC JTC 1/SC 38
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Joint Technical Committee 1/Subcommittee 38 (ISO/IEC JTC 1/SC 38) – Distributed Application Platforms & Services (DAPS), comprised of 2 WGs focused on SOA and Web Services, and a study group on cloud computing.
Established a Cloud Computing Study Group (SGCC) in order to provide candidate standardization issues on cloud computing to JTC 1 and to develop NPs (New Work Item Proposals) on cloud computing to be studied in JTC 1.
Working Group on Cloud (WG 3), 1st Delegation Meeting Feb 2012
– NWIP: Distributed Application Platforms and Services – Cloud Computing – Vocabulary
– NWIP: Distributed Application Platforms and Services – Cloud Computing – Reference Architecture
ITU-T
ITU Telecommunication Standardization Sector (ITU-T) – 1 of 3 sectors (divisions or units) of the International Telecommunication Union (ITU), coordinating standards for telecommunications.
– Mission is to ensure the efficient and timely production of standards covering all fields of telecommunications on a worldwide basis, as well as defining tariff and accounting principles for international telecommunication services; as part of the ITU (a UN specialized agency), its standards carry formal international weight.
– In addition to the ITU-T Recommendations, which have non-mandatory status until they are adopted in national laws, ITU-T is also the custodian of a binding international treaty, the International Telecommunication Regulations (ITRs).
– The technical work of ITU-T, the development of Recommendations, is managed by Study Groups (SGs).
ITU-T FG Cloud
ITU-T Focus Group on Cloud Computing (FG Cloud) – Established further to ITU-T TSAG (parent group) agreement at its meeting in Geneva, 8–11 February 2010, followed by ITU-T study group (SG17, SG13) and membership consultation.
– Contributes the telecommunication aspects in order to support services/applications of “cloud computing” making use of telecommunication networks.
– Collaborates with worldwide cloud computing communities (e.g., research institutes, forums, academia) including other SDOs and consortia.
– Workgroups:
  • WG1: Cloud computing benefits & requirements
  • WG2: Gap Analysis and Roadmap on Cloud Computing Standards development in ITU-T
– Focus Group output from Seoul, Korea, 26–30 September 2011 (Cloud-O-0072), Marlin Pohlman (CSA) co-authored with Koji Nakao (Vice-Chair, ITU-T SG 17)
– CSA Contributions: CAIQ, CCM, Guidance, TCI Architecture
ITU-T SG17
ITU-T Study Group 17 (SG17) – Designated Lead Study Group for “Telecommunication Security”, which includes developing and maintaining security outreach material; coordination of security-related work; and identification of needs and assignment and prioritization of work to encourage timely development of telecommunication security Recommendations.
For cloud computing, SG17 has been working on cloud computing security since April 2010, and the following three work items were recognized and are currently in progress:
– Security guideline for cloud computing in the telecommunication area (X.ccsec)
– Security requirements and framework of cloud-based telecommunication service environment (X.srfcts), Marlin Pohlman (CSA) co-authored with Koji Nakao (Vice-Chair, ITU-T SG 17)
– Security functional requirements for Software as a Service (SaaS) application environment (X.sfcse)
ITU-T SG17 collaborates closely with ISO/IEC JTC 1/SC 27 and SC 38
SDO Liaison Collaboration: International (figure)
SDO Liaison Collaboration: Supply Chain Risk Management (SCRM) for Information and Communication Technology (ICT) (figures)
ISF
Comments/Contributions for ISO/IEC 27036-X:
– Information security for external suppliers: A common baseline (Dec 2010)
– Common baseline information security arrangements
Standard of Good Practice on the roadmap for CSA CCM mapping
CSA Representative: Jason Creasy
– CSA GRC Stack Steering Committee
– Standards WG
ISACA
Comments/Contributions for the ISO/IEC JTC 1/SC 27 CSP Joint WG 1/4/5 Study Period:
– Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
– IT Control Objectives for Cloud Computing
– Cloud Computing Management Audit/Assurance Program
CSA CCM includes mapping to COBIT 5.0
CSA Representative: Ron Hale
– CSA GRC Stack Steering Committee
Cloud Controls Matrix (CCM)
Leadership Team
– Becky Swain – EKKO Consulting
– Philip Agcaoili – Cox Communications
– Marlin Pohlman – EMC, RSA
– Kip Boyle – CSA
Releases: v1.0 (Apr 2010), v1.1 (Dec 2010), v1.2 (Aug 2011), v1.3 (2012), v2.0 (2012)
Controls baselined and mapped to: COBIT, BITS Shared Assessments, HIPAA/HITECH Act, Jericho Forum, ISO/IEC 27001:2005, NERC CIP, NIST SP 800-53, FedRAMP, PCI DSS v2.0
What is the CCM?
First-ever baseline control framework specifically designed for managing risk in the cloud supply chain:
– Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
– Providing an anchor point and common language for balanced measurement of security and compliance postures.
– Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.
Serves as the basis for new industry standards and certifications.
CCM v1.1 Industry Participation
This grass-roots movement continues to grow, with over 100 volunteer industry experts in the recent release of v1.2!
Consensus Assessments Initiative Questionnaire (CAIQ)
Leaders
• Laura Posey – Microsoft
• Jason Witty – Bank of America
• Marlin Pohlman – EMC, RSA
• Earle Humphreys – ITEEx
Consensus Assessments Initiative
A cloud supply chain risk management and due diligence questionnaire
~200 yes/no questions that map directly to the CCM, and thus, in turn, to many industry standards.
Can be used by CSPs for self-assessment or by potential customers for the following purposes:
– to identify the presence of security controls and practices for cloud offerings
– procurement negotiation
– contract inclusion
– to quantify SLAs
For potential customers, the CAIQ is intended to be part of an initial assessment, followed by further clarifying questions to the provider as applicable to their particular needs.
v1.1 available as of Sept 2011; v1.2 underway to map to CCM v1.2
CAIQ Guiding Principles
The following are the principles that the working group used as guidance when developing the CAIQ:
– The questionnaire is organized using CSA’s 13 governing & operating domains, divided into “control areas” within CSA’s Controls Matrix structure
– Questions are to assist both cloud providers, in general principles of cloud security, and clients, in vetting cloud providers on the security of their offering and company security profile
– The CAIQ is not intended to duplicate or replace existing industry security assessments but to contain questions unique or critical to the cloud computing model in each control area
– Each question should be answerable yes or no
– If a question could not be answered yes or no, it was separated into two or more questions to allow yes or no answers
– Questions are intended to foster further detailed questions to the provider by the client, specific to the client’s cloud security needs. This was done to limit the number of questions to make the assessment feasible, and since each client may have unique follow-on questions or may not be concerned with all follow-on questions
CAIQ Questionnaire
Control Group, Control Group ID (CGID) and Control Identifier (CID) all map the CAIQ question being asked directly to the CCM control that is being addressed.
Relevant compliance and standards are mapped line by line to the CAIQ, which, in turn, also maps to the CCM. CAIQ v1.1 maps to the following compliance areas – HIPAA, ISO 27001, COBIT, SP 800-53, FedRAMP, PCI DSS, BITS and GAPP. V1.2 will additionally include mappings to Jericho Forum and NERC CIP.
Each question can be answered by a provider with a yes or no answer.
Sample Questions to Vendors
Compliance – Independent Audits (CO-02)
– CO-02a – Do you allow tenants to view your SAS 70 Type II / SSAE 16 SOC 2 / ISAE 3402 or similar third-party audit reports?
– CO-02b – Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
– CO-02c – Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
– CO-02d – Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
– CO-02e – Do you conduct external audits regularly as prescribed by industry best practices and guidance?
– CO-02f – Are the results of the network penetration tests available to tenants at their request?
– CO-02g – Are the results of internal and external audits available to tenants at their request?
Data Governance – Classification (DG-02)
– DG-02a – Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
– DG-02b – Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?
– DG-02c – Do you have a capability to use system geographic location as an authentication factor?
– DG-02d – Can you provide the physical location/geography of storage of a tenant’s data upon request?
– DG-02e – Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
CloudAudit (formerly A6)
Provides an open, extensible and secure interface for automation of Audit, Assertion, Assessment, and Assurance (A6) of cloud computing environments
A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
– Defines a namespace that can support diverse frameworks.
– Expressed in the namespace – CSA CCM, ISO/IEC 27001, COBIT, HIPAA, NIST SP 800-53, PCI DSS.
– Defines the mechanisms for requesting and responding to queries relating to specific controls.
– Integrates with portals and AAA systems.
Sample Implementation – CSA Compliance Pack (figures)
Why a CloudTrust Protocol? Information Assurance is Cloud-Complicated … “Clouds are cloudy”
(Figure: consumer Requirements flowing to provider Services, with Amazon and Microsoft as example providers)
As visibility is lost …
• Where is the data?
• Who can see the data?
• Who has seen the data?
• Is data untampered?
• Where is processing performed?
• How is processing configured?
• Does backup happen? How? Where?
… Security, compliance, and value are lost as well
Transparency Restores Information Assurance: Working with a “glass cloud” delivers the elastic benefits of the cloud
(Figure: the same Requirements/Services picture, with Amazon and Microsoft as example providers)
As visibility is gained …
• Configurations are known and verified
• Data exposure and use is collected and reported
• Access permissions are discovered and validated
• Processing and data locations are exposed
• Compliance evidence can be gathered and analyzed
• Processing risks and readiness become known
… Security, compliance, and value are captured as well