Assessing the Security of Cloud SaaS Solutions
Matthew Theobald, Cybersecurity Architect

Schneider Electric 2 – Digital Services Transformation – Matthew Theobald – January 2015

Agenda

1. Introduction
2. Cloud Security Standards
3. Trust in the Cloud
4. Privacy in the Cloud
5. Exercise – Assessing Security of a Cloud SaaS Solution


INTRODUCTION


Control System Data in the Cloud

● ICS vendors are beginning to develop cloud SaaS (Software as a Service) solutions to store and analyze control system data
● Driven by the need to collect, cleanse, store, analyze and report on large volumes of data from multiple sources, in a cost-effective manner
● Through analysis, this data can be turned into information to quantify, improve and optimize business processes
● Examples:
  ● Cloud Historian
  ● Remote Monitoring
  ● Asset Management
  ● Smart Buildings


Difficulty Assessing Cloud SaaS Solutions

● Cloud provider’s security controls must be assessed at multiple layers:
  ● Facilities (physical security)
  ● Network infrastructure (network security)
  ● IT systems (system security)
  ● Information and applications (application security)
  ● People (for example, separation of duties between development and production)
  ● Process (for example, change management and incident response)
● Biggest obstacle to assessing the security of a Cloud SaaS solution is a lack of transparency on the part of the Cloud Provider


Definitions

Cloud Provider: An organization or entity responsible for making a service available to interested parties – for example, an ICS vendor providing a Cloud Historian service

Cloud Consumer: An organization that maintains a business relationship with, and uses services from, a Cloud Provider – for example, an asset owner that has subscribed to and uses an ICS vendor’s Cloud Historian service


CLOUD SECURITY STANDARDS


ISO/IEC

ISO/IEC 27001 Information technology -- Security techniques -- Information security management systems -- Requirements
● Provides requirements for an information security management system (ISMS), a systematic approach to keeping information assets secure
● Auditable

ISO/IEC 27002 Information technology -- Security techniques -- Code of practice for information security controls
● Provides best practice recommendations for those responsible for initiating, implementing or maintaining an ISMS


Cloud Security Alliance CSA Cloud Controls Matrix

● First ever baseline control framework specifically designed for Cloud supply chain risk management
● Backbone of CSA’s Cloud Certification framework (more later)
● 16 control areas, 133 controls
● Controls mapped to 32 other security standards, regulations, and controls frameworks including ISO 27001 and 27002, ISACA COBIT, FedRAMP, NERC CIP, NIST SP800-53, 95/46/EC, HIPAA, PCI DSS


NIST

NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP 800-161 (Draft) Supply Chain Risk Management Practices for Federal Information Systems and Organizations


TRUST IN THE CLOUD


Trust

● Lack of Cloud Provider transparency inhibits Governance, Risk Management, and Compliance (GRC)
  ● Difficult to monitor and audit supply chains necessary for the company’s consistent performance and growth
  ● Difficult to identify and understand exposure to risk and the capability to manage risk
  ● Challenge for a Cloud Consumer to show auditors that the organization is in compliance with industry security / privacy standards and regulations


The higher up the Service Model stack, the more security the Cloud Provider is responsible for implementing and managing

[Figure: Service Model stack, with labels “Build It In” and “RFP / Contract”]


General Approach

•  Network segmentation and segregation
•  Boundary protection
•  Firewall policy
•  Defense in depth
•  Authentication and authorization
•  Monitoring and auditing
•  etc.

NIST 800-82 / IEC-62443 / NIST 800-53


Cloud Certifications

● Provide transparency and visibility to cloud customers
● Deliver compliance-supporting data and artifacts

ISO/IEC 27001

CSA STAR

SSAE-16 SOC 2


SSAE-16 SOC 2 Report

● Reports on the design (Type I) and operating effectiveness (Type II) of a service organization’s controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system


CSA STAR (Security, Trust & Assurance Registry)

● Goal is to improve transparency and assurance in the cloud

● Searchable, publicly accessible registry to allow cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences
● Helps customers to assess the security of Cloud Providers
● Based on a multilayered structure defined by the Open Certification Framework Working Group


CSA STAR Self-Assessment

● Voluntary
● Based on:
  ● Cloud Control Matrix
  ● Consensus Assessments Initiative Questionnaire


CSA STAR Certification

● Rigorous third party independent assessment of a cloud provider’s security
● Measures cloud provider’s capability levels:
  ● No formal approach
  ● Reactive approach
  ● Proactive approach
  ● Improvement based approach
  ● Optimising approach


CSA STAR Certification

● Leverages the requirements of:
  ● ISO 27001:2013
  ● CSA Cloud Control Matrix

● Ensures the scope, processes and objectives are “fit for purpose”


CSA STAR Attestation

● Provides a framework for performing assessments of cloud service providers using SOC 2 engagements supplemented by criteria in the CSA Cloud Control Matrix
● Typically, Cloud Providers acquire a CSA Attestation, 27001 certification, and SOC 2 Type II certification at the same time since so many of the criteria are common between the three


CSA CAI Questionnaire

● Consensus Assessments Initiative Questionnaire
● Provides a set of questions a cloud consumer can ask of a cloud provider about their security controls
● Questions can be tailored to suit each unique cloud consumer’s evidentiary requirements
● Questions mapped to the compliance requirements in the Cloud Control Matrix


PRIVACY IN THE CLOUD


PII and Personal Information

● PII (Personally Identifiable Information)
  ● Information that can identify an individual (name, date of birth, etc.)
● Personal information
  ● Information that does not directly identify an individual, but is deemed sensitive by social mores – race, religion, shopping habits


Privacy vs Security

● Privacy governs how PII should be used, shared, and retained
● Security restricts access to the sensitive data and protects confidentiality/integrity during collection, storage, and transmission

Privacy in ICS

● Information primarily Business Sensitive / Confidential
● Biggest privacy impact is Identity / Account stores
  ● Full name
  ● Email address
  ● Etc.


Privacy Standards and Regulations

● FTC Consent Decrees
  ● Designate individuals to be accountable for the information security program
  ● Identify risks to personal information
  ● Design, implement and test reasonable safeguards to control risk
● EU Data Protection Directive (95/46/EC)
  ● Data controller (cloud customer) “must implement appropriate technical and organizational measures to protect personal data against … all unlawful forms of processing…”
  ● Processing of data by a data processor (cloud provider) must be governed by a contract or legal act binding the processor to the controller
  ● Cross-border data transfer out of the EEA prohibited unless the third country in question ensures an adequate level of protection


Privacy Standards and Regulations

● US/EU Safe Harbor
  ● Allows US companies to register their certification that they meet the EU Data Protection requirements
  ● Take reasonable precautions to protect personal information
  ● Onward Transfer Principle
● PIPEDA Principles for the Protection of Personal Data (Canada)
  ● An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party (cloud provider) for processing


Privacy Standards and Regulations

● NIST SP800-53 Rev. 4 Appendix J “Privacy Control Catalog”
● ISO/IEC 27018 Information technology -- Security techniques -- Code of practice for PII protection in public cloud acting as PII processors
● HIPAA Health Insurance Portability and Accountability Act
● PCI DSS Payment Card Industry Data Security Standard


Privacy Policy

● Cloud Provider should have a strong Privacy Policy that specifies the following for personal information:
  ● Collection
  ● Usage
  ● Storage
  ● Release
  ● Retention
  ● Deletion
● Cloud Provider should provide Privacy Notice to Cloud Consumer upon demand


EXERCISE – Assessing the Security of a Cloud SaaS Solution


Network Segmentation and Zoning

IEC 62443-3-3 Requirement / Impact

SR 5.1 – Network Segmentation
  Impact: The network with access to the Cloud Provider’s application should be logically or physically segmented from the (critical) control system network

SR 5.2 – Zone boundary protection
  Impact: Access to the Cloud Provider’s application must take place via a zone and conduit designed for this purpose

SR 5.2 – Zone boundary protection
  Impact: The Cloud Provider’s security and access controls must fulfill the requirements of the asset owner’s zone and conduit security policy designed to meet the target Security Level


Data Integrity and Confidentiality

IEC 62443-3-3 Requirement / Impact

SR 3.1 – Communication integrity; SR 4.1 – Information confidentiality
  Impact: The confidentiality and integrity of all network communication between the asset owner’s system and the Cloud Provider’s system must be protected via cryptographic means

SR 3.4 – Software and information integrity; SR 4.1 – Information confidentiality
  Impact: The confidentiality and integrity of data at rest must be protected by the Cloud Provider using strong access and/or cryptographic controls


Data Integrity and Confidentiality

Control Group: Interoperability & Portability – Standardized Network Protocols
Consensus Assessment Question(s): Can data import, data export and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols? Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved?

Control Group: Application & Interface Security – Data Integrity
Consensus Assessment Question(s): Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?


Multi-Tenancy

● Def.
  ● Resources and services used by multiple cloud consumers are physically collocated, but logically separated – for example, data from multiple cloud consumers are stored in the same database, or on the same server, and security controls keep the data logically separated
● To Cloud Providers
  ● Enables economies of scale, availability, management, segmentation, isolation, and operational efficiency
● To Cloud Consumers
  ● Implies a need for security controls, at different layers, to ensure logical separation


Encrypting Data At Rest in Cloud SaaS

● Typical cloud guidance
  ● Cloud Consumer (tenant) generates the encryption key, and encrypts and decrypts data en route to/from the Cloud SaaS Provider
● Cloud SaaS encryption hurdles
  ● SaaS is not just storage – the provider needs to validate, estimate, aggregate, search, sort, and analyze the data
● Cloud Consumer (tenant) should control their own encryption keys
● Encryption keys should never be stored alongside the encrypted data
● Extremely important to manage encryption keys securely
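As an added example (not code from the slides), here is the tenant-side pattern the slide describes, in Go: the Cloud Consumer holds the key, each historian value is sealed before it reaches the provider, the provider stores ciphertext only, and the aggregation hurdle shows up as a per-tag total that can only be computed after decryption. `StoredSample`, `Seal`, `Open` and `TenantSum` are names chosen for this example, and the key is assumed to be 32 random bytes generated and kept on the tenant side, never alongside the stored records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
)

// StoredSample is all the Cloud SaaS Provider keeps per value: a nonce and
// AES-256-GCM ciphertext. The tenant's key is deliberately not part of it.
type StoredSample struct {
	Tag   string // historian tag name, in the clear so the provider can index it
	Nonce []byte
	Data  []byte // ciphertext of the 8-byte big-endian value, plus GCM auth tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key is the tenant-generated 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one value before it leaves the tenant; the tag name is bound as
// additional authenticated data so a record cannot be re-labelled unnoticed.
func Seal(key []byte, tag string, value uint64) (StoredSample, error) {
	aead, err := newGCM(key)
	if err != nil {
		return StoredSample{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredSample{}, err
	}
	plain := make([]byte, 8)
	binary.BigEndian.PutUint64(plain, value)
	return StoredSample{Tag: tag, Nonce: nonce, Data: aead.Seal(nil, nonce, plain, []byte(tag))}, nil
}

// Open decrypts and authenticates one record back on the tenant side; a wrong
// key, a swapped tag name or a modified ciphertext all fail here.
func Open(key []byte, s StoredSample) (uint64, error) {
	aead, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	plain, err := aead.Open(nil, s.Nonce, s.Data, []byte(s.Tag))
	if err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint64(plain), nil
}

// TenantSum is the aggregation hurdle from the slide: the provider holds only
// ciphertext, so a per-tag total has to be computed after decryption on the tenant side.
func TenantSum(key []byte, tag string, store []StoredSample) (uint64, error) {
	var total uint64
	for _, s := range store {
		if s.Tag != tag {
			continue
		}
		v, err := Open(key, s)
		if err != nil {
			return 0, err
		}
		total += v
	}
	return total, nil
}
```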


Data Integrity and Confidentiality

Control Group: Audit Assurance & Compliance – Information System Regulatory Mapping
Consensus Assessment Question(s): Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data? Do you have capability to recover data for a specific customer in the case of a failure or data loss?

Control Group: Encryption & Key Management – Encryption
Consensus Assessment Question(s): Do you encrypt tenant data at rest (on disk/storage) within your environment? Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption)? Do you have documentation establishing and defining your encryption management policies, procedures and guidelines?


Data Integrity and Confidentiality

Control Group: Encryption & Key Management – Storage and Access
Consensus Assessment Question(s): Are your encryption keys maintained by the cloud consumer or a trusted key management provider? Do you store encryption keys in the cloud? Do you have separate key management and key usage duties?

Control Group: Supply Chain Management, Transparency and Accountability – Data Quality and Integrity
Consensus Assessment Question(s): Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them? Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?


Identity and Account Management

IEC 62443-3-3 Requirement / Impact

SR 1.3 – Account management
  Impact: Ideally the asset owner should manage accounts centrally and the cloud provider should federate against the asset owner’s identity store, or the cloud provider can provide an application account store

SR 1.5 – Authenticator management; SR 1.7 – Strength of password-based authentication; SR 1.11 – Unsuccessful login attempts
  Impact: The asset owner must be able to customize account and password policies when managing accounts in the Cloud Provider’s application account store


Identity and Account Management

Control Group: Identity & Access Management – User ID Credentials
Consensus Assessment Question(s): Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service? Do you use open standards to delegate authentication capabilities to your tenants? Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users? Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biometrics, etc.) for user access? Do you allow tenants to use third-party identity assurance services?


Identity and Account Management

Control Group: Identity & Access Management – User ID Credentials
Consensus Assessment Question(s): Do you support the ability to force password changes upon first logon? Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement? Do you allow tenants/customers to define password and account lockout policies for their accounts? Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
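Added example (not the presentation's code): a tenant-defined account policy for the provider's application account store, in Go, covering the minimum length, password history and lockout threshold/duration that the SR 1.5/1.7/1.11 impact and the questions above ask for. `AccountPolicy`, `AccountState`, `ValidateNewPassword` and `RecordAttempt` are names chosen for this example, and the SHA-256 digest stands in for a proper salted, slow password hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AccountPolicy holds the values a tenant sets for its own accounts in the
// provider's application account store (field names are constructed here).
type AccountPolicy struct {
	MinLength        int
	HistoryDepth     int // reject reuse of the last N passwords
	LockoutThreshold int // consecutive failures that lock the account
	LockoutDuration  time.Duration
}

// AccountState is the per-account data the policy is evaluated against.
type AccountState struct {
	History     []string // digests of previous passwords, most recent first
	Failures    int
	LockedUntil time.Time
}

// digest stands in for a slow, salted password hash (bcrypt/argon2) in a real store.
func digest(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// ValidateNewPassword applies the tenant's length and history rules.
func ValidateNewPassword(p AccountPolicy, st AccountState, candidate string) error {
	if len([]rune(candidate)) < p.MinLength {
		return fmt.Errorf("shorter than %d characters", p.MinLength)
	}
	d := digest(candidate)
	for i, old := range st.History {
		if i >= p.HistoryDepth {
			break
		}
		if old == d {
			return fmt.Errorf("reuses one of the last %d passwords", p.HistoryDepth)
		}
	}
	return nil
}

// RecordAttempt updates lockout state for one login attempt and reports whether
// the account is locked afterwards; attempts during a lockout are not evaluated.
func RecordAttempt(p AccountPolicy, st *AccountState, success bool, now time.Time) bool {
	if now.Before(st.LockedUntil) {
		return true
	}
	if success {
		st.Failures = 0
		return false
	}
	st.Failures++
	if p.LockoutThreshold > 0 && st.Failures >= p.LockoutThreshold {
		st.LockedUntil = now.Add(p.LockoutDuration)
		st.Failures = 0 // the counting window restarts after the lockout expires
		return true
	}
	return false
}
```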


Auditing and Monitoring

IEC 62443-3-3 Requirement / Impact

SR 6.2 – Continuous monitoring
  Impact: The Cloud Provider must continuously monitor their system and use common security industry practices and tools (a SIEM, for example) to detect and respond to security breaches in a timely manner

SR 6.1 – Audit log accessibility
  Impact: The Cloud Provider must provide the capability for an asset owner to access tenant-specific audit log reports

SR 2.8 – Auditable events
  Impact: It should be possible to export tenant-specific audit logs from the Cloud Provider into a centrally managed audit trail on the asset owner's system where they can be further analyzed by standard log analysis tools such as a SIEM


Auditing and Monitoring

Control Group: Security Incident Management, E-Discovery & Cloud Forensics – Incident Management
Consensus Assessment Question(s): Do you have a documented security incident response plan? Do you integrate customized tenant requirements into your security incident response plans? Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents? Have you tested your security incident response plans in the last year?

Control Group: Security Incident Management, E-Discovery & Cloud Forensics – Incident Reporting
Consensus Assessment Question(s): Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting? Does your logging and monitoring framework allow isolation of an incident to specific tenants?


Auditing and Monitoring

Control Group: Security Incident Management, E-Discovery & Cloud Forensics – Incident Response Legal Preparation
Consensus Assessment Question(s): Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls? Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques? Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data? Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?


Auditing and Monitoring

Control Group: (Custom)
Consensus Assessment Question(s): Do you provide the capability for a customer (tenant) to access their audit logs via a visual or programmatic interface? Do you provide the capability for a customer (tenant) to export their audit logs in an industry standard format such that the logs may be analyzed by the customer’s organization using industry standard log analysis tools such as a SIEM?
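Added example, not from the slides: a tenant-scoped audit log export in Go that shows what the SR 2.8 impact and the custom question above ask a provider for. It parses a constructed provider log, keeps only the requesting tenant's records, counts and drops records with no tenant attribution rather than guessing at an owner, and renders the rest as CEF lines (a common SIEM input format). The log field names, the `ExampleCloud` / `Historian SaaS` vendor strings and the severity mapping are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type AuditEvent struct {
	Time   time.Time `json:"ts"`
	Tenant string    `json:"tenant"`
	User   string    `json:"user"`
	Src    string    `json:"src"`
	Action string    `json:"action"`
	Result string    `json:"result"`
}

// SampleLog is a constructed provider log: two tenants plus one record that
// carries no tenant attribution at all.
const SampleLog = `
{"ts":"2015-01-20T10:15:30Z","tenant":"asset-owner-a","user":"alice","src":"10.1.2.3","action":"login","result":"success"}
{"ts":"2015-01-20T10:16:00Z","tenant":"asset-owner-b","user":"bob","src":"10.9.9.9","action":"login","result":"failure"}
{"ts":"2015-01-20T10:17:45Z","tenant":"asset-owner-a","user":"cfg=bot","src":"10.1.2.4","action":"alarm-limit-change","result":"denied"}
{"ts":"2015-01-20T10:18:00Z","user":"operator","src":"10.0.0.1","action":"export","result":"success"}
`

// ParseAuditLog reads JSON lines; blank lines are skipped, malformed ones fail.
func ParseAuditLog(raw string) ([]AuditEvent, error) {
	var events []AuditEvent
	for n, line := range strings.Split(raw, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// CEF header fields escape \ and |; extension values escape \, = and newlines.
func cefHeader(s string) string { return strings.NewReplacer(`\`, `\\`, `|`, `\|`).Replace(s) }
func cefExt(s string) string {
	return strings.NewReplacer(`\`, `\\`, `=`, `\=`, "\n", `\n`, "\r", `\r`).Replace(s)
}

// ExportTenantCEF renders only the named tenant's events as CEF lines. Records
// without tenant attribution are counted and dropped, never guessed at, so one
// tenant's export can never contain another tenant's data.
func ExportTenantCEF(events []AuditEvent, tenant string) (lines []string, unattributed int) {
	for _, ev := range events {
		if ev.Tenant != tenant {
			if ev.Tenant == "" {
				unattributed++
			}
			continue
		}
		sev := 3
		if ev.Result != "success" {
			sev = 7 // failed or denied actions rank higher for the SIEM
		}
		lines = append(lines, fmt.Sprintf(
			"CEF:0|ExampleCloud|Historian SaaS|1.0|%s|%s|%d|rt=%d suser=%s src=%s act=%s outcome=%s cs1Label=tenant cs1=%s",
			cefHeader(ev.Action), cefHeader(ev.Action+" "+ev.Result), sev, ev.Time.Unix()*1000,
			cefExt(ev.User), cefExt(ev.Src), cefExt(ev.Action), cefExt(ev.Result), cefExt(ev.Tenant)))
	}
	return lines, unattributed
}
```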


Legal Compliance

Control Group: Audit Assurance & Compliance – Information System Regulatory Mapping
Consensus Assessment Question(s): Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?

Control Group: Data Security & Information Lifecycle Management – Data Inventory / Flows
Consensus Assessment Question(s): Can you ensure that data does not migrate beyond a defined geographical residency?

Control Group: Datacenter Security – Secure Area Authorization
Consensus Assessment Question(s): Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?


Summary

● Assessing the security of a Cloud SaaS solution can be daunting
● Certifications provide transparency and visibility into the Cloud Provider’s security controls
  ● Deliver evidence-based confidence and compliance-supporting data and artifacts
● Cloud Providers that are not certified can be assessed using the Consensus Assessments Initiative Questionnaire

TRUST

Questions