Cloud Security Alliance: Industry Efforts to Secure Cloud Computing

(1)

Cloud Security Alliance:

Industry Efforts to

Secure Cloud Computing

Jim Reavis, Executive Director

September, 2010

(2)

Cloud: Dawn of a New Age

•

Art Coviello - the most overhyped, underestimated phenomenon since the Internet

•

Compute as a utility: third major era of computing

•

Changes everything: business models, venture capital, R&D, ……

(3)

What is Cloud Computing?

•

Compute as a utility: third major era of computing • Mainframe

• PC Client/Server

• Cloud computing: On demand model for allocation and consumption of computing – Version 2 of Internet

•

Cloud enabled by

• Moore’s Law: Costs of compute & storage approaching zero

• Hyperconnectivity: Robust bandwidth from dotcom investments

• Service Oriented Architecture (SOA)

(4)

Defining Cloud

•

On demand provisioning

•

Elasticity

•

Multi-tenancy

•

Key types • Infrastructure as a Service (IaaS): basic O/S & storage

• Platform as a Service (PaaS): IaaS + rapid dev

• Software as a Service (SaaS): complete application

• Public, Private, Community & Hybrid Cloud deployments

(5)

How to think about Cloud

•

“Perfect storm” convergence of existing technologies in a new business model

•

The next platform for software applications – Disruption!

•

Not one “cloud” – many types and deployments of cloud

•

Aspects of our legacy we can learn from – but key

differences

•

Mainframes

•

Virtualization

•

Outsourcing

(6)

How will Cloud Computing play out?

• Much investment in private clouds for 3-5 years

• Compliance use cases being developed

• Cloud assurance ecosystem being built

• Virtual private clouds compromise between public

and private

• Long legacy of hybrid clouds

(7)

Key Cloud Security Problems

From CSA Top Threats Research:

•

Trust: Lack of Provider transparency, impacts Governance, Risk Management, Compliance

•

Data: Leakage, Loss or Storage in unfriendly geography

•

Insecure Cloud software

•

Malicious use of Cloud services

•

Account/Service Hijacking

•

Malicious Insiders

(8)

Cloud: Reset security industry

•

Critical mass of separation between data owners and data processors

•

Cloud customers retain governance responsibility

•

Physical controls must be replaced by virtual controls

•

Opportunity to make security better

•

Requires broad perspective

(9)

Cloud security ecosystem

•

Body of practices

•

Laws and regulations

•

Tools

•

Technology innovation

•

Audit/assurance

•

Education

•

Certification: individual & organizational

•

Shared responsibility, private/public partnerships on a global scale

(10)

About the Cloud Security Alliance

•

Global, not-for-profit organization

•

Over 11,000 individual members, 60 corporate members

•

Building best practices and a trusted cloud ecosystem • CSA Guidance V2.1 – Released Dec 2009

• CSA Top Threats Research – Released March 2010

• CSA Cloud Controls Matrix – Released April 2010

• CCSK Certification – Release Sept 2010

• Trusted Cloud Initiative – Release Q4 2010

• CSA Cloud Metrics Working Group

• Consensus Assessment Initiative – Release Q4 2010

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help

(11)

CSA viewpoint and philosophy

•

Enterprises more afraid of compliance issues than security issues

•

Agile development – produce guidance rapidly and fix later

•

Enable compliance ecosystem – create the tools, knowledge and processes for assurance

•

Champion interoperability of all cloud types – fundamental change in the balance of power

(12)

S

-

_-

P

_P

-

_-

I Framework

_{I Framework}

IaaS Infrastructure as a Service You build security in You “RFP” security in PaaS Platform as a Service SaaS Software as a Service

(13)

CSA Guidance Research

Guidance > 100k downloads: cloudsecurityalliance.org/guidance Governance and Enterprise Risk Management

Governance and Enterprise Risk Management

Legal and Electronic Discovery

Compliance and Audit

Information Lifecycle Management

Portability and Interoperability

Security, Bus. Cont,, and Disaster Recovery

Data Center Operations

Incident Response, Notification, Remediation

Application Security

Encryption and Key Management

Identity and Access Management

Virtualization Virtualization Cloud Architecture Cloud Architecture Ope rat in g in t h e Cloud Gove rnin g the Cloud

•

Popular best practices Popular best practices for securing cloud

for securing cloud

computing

•

13 Domains of concern 13 Domains of concern – – governing & operating

governing & operating

groupings

(14)

CSA Guidance Research

-

Status

Governance and Enterprise Risk Management

Legal and Electronic Discovery

Compliance and Audit

Information Lifecycle Management

Portability and Interoperability

Security, Bus. Cont,, and Disaster Recovery

Data Center Operations

Incident Response, Notification, Remediation

Application Security

Encryption and Key Management

Identity and Access Management

Virtualization Virtualization Cloud Architecture Cloud Architecture Ope rat in g in t h e Cloud Gove rnin g the Cloud

•

Ver 2.1 released Dec Ver 2.1 released Dec 2009

2009

•

Ver 3 midVer 3 mid--20112011

•

2010 focus2010 focus

• • Translations

Translations

• • Wiki format

Wiki format

• • Per domain whitepapers

Per domain whitepapers

(not official guidance)

(15)

Securing the Cloud

-

Governance

•

Best opportunity to secure cloud engagement is

before procurement – contracts, SLAs, architecture

•

Know provider’s third parties, BCM/DR, financial

viability, employee vetting

•

Identify data location when possible

•

Plan for provider termination & return of assets

•

Preserve right to audit

(16)

Securing the Cloud

-

Operating

•

Encrypt data when possible, segregate key mgt from cloud provider

•

Adapt secure software development lifecycle

•

Understand provider’s patching, provisioning,

protection

•

Logging, data exfiltration, granular customer segregation

•

Hardened VM images

(17)

Trusted Cloud Initiative

• CSA certification criteria and seal program for cloud providers

• Initial focus on secure & interoperable identity in the cloud, and its alignment with data encryption

• Assemble with existing standards

• Reference models & Proof of concept

• Outline responsibilities for Identity Providers, Enterprises, Cloud Providers, Consumers

(18)

TCI Mission

“To create a Trusted Cloud reference architecture for cloud use cases that leverage cloud delivery models (SaaS, PaaS, IaaS) in the context of operational models (Public, Private,

(19)

Background

• A new white paper, "CSA Domain 12 Guidance for Identity & Access Management" was published on April 27 by workgroup 5 led by Subra Kumaraswamy

• TCI initiative announced during Infosecurity Europe Conference. Led by Liam Lynch, Chief security strategist, eBay

• Three Sub-Groups:

 Architecture – Chaired by Jairo Orea, ING and Subra Kumaraswamy, eBay

 Implementation – Chaired by Scott Matsumoto, Cigital

 Certification - Chaired by Nico Popp, Verisign

• Alignment with Industry groups:

 CloudAudit.org - John Menerick, CISO for NetSuite, primary liaison

 OASIS ID Cloud - Liam Lynch, primary liaison

(20)

Principle

“Identity Providers have a responsibility to issue IDs that can be used holistically by the individual, and not just for the relationship with that provider. This includes

(21)

Principle

“Identity and access management must absolutely be applied to devices, data and applications as well as users.”

(22)

Principle

“Cloud service providers should by default NOT seek to be identity providers unless there is a compelling public interest being served and IDP is a core business.”

(23)

Principle

“Consumers should reward cloud service providers who offer their services as relying parties to well known and trusted identity providers and minimize their own

(24)

Principle

“Strong authentication should be ubiquitous, flexible and natively supported by the identity provider.”

(25)

Principle

“Individuals should have the tools to manage their own digital identity and be able to leverage claims-based identity principles to access cloud services.”

(26)

Principle

“Enterprises acting as identity providers solely for their own employees and partners need to embrace a

(27)

Principle

“Major cloud identity providers need to publicly commit to ‘network neutrality’ principles to provide no

competitive advantage to their own SaaS commercial applications over third party SaaS commercial

(28)

Cloud Controls Matrix Tool

• Controls derived from

guidance

• Rated as applicable to S-P-I

• Customer vs Provider role

• Mapped to ISO 27001,

COBIT, PCI, HIPAA

• Help bridge the gap for IT & IT

auditors

(29)

Cloud Controls Matrix Tool

-

_-

Status

_Status

• Version 1 tool released

April, 2010

• Version 2 kickoff late June,

2010

• Presented Nov 2010

(30)

Trusted Cloud Initiative

-

Status

• Initial Domain 12 IdM best practices whitepaper released

• Working Group structure established

• Subgroup Architecture

• Subgroup Certification

• Subgroup Implementation

• Seeking volunteers for working groups

• Ver 1 final criteria published Q4 2010

(31)

Consensus Assessments Initiative

-

Status

• Ver 1 deliverable: Assessment questionnaire for

October 2010 release

• To be presented at RSA Europe Oct 12-14

• Workstreams and leadership established

• Editorial drafts being completed

(32)

CCSK – Certificate of Cloud Security Knowledge

• Announced July 28

• User certification

• Web-based test for competency in CSA

guidance & ENISA research

• September 1 release

(33)

Cloud Metrics Research

• Identifying CSA guidance we can build

metrics for

• Developing metrics for all Controls Matrix

controls

• Survey industry on maturity

(34)

Third party: Common Assurance Maturity

Model (CAMM)

• CAMM is a methodology & solution for creating an independent maturity model-based measurement of a cloud provider’s security program and capabilities

• Potential to evolve into authoritative repository of provider security maturity

• ENISA driving force

(35)

Cloud Audit

• CloudAudit is an open

standard and interface to allow cloud providers to automate audit assertions

• Controls Matrix provides CloudAudit with its cloud controls namespace

• CloudAudit answers the

How? of audit assertions,

Controls Matrix answers

Provider Assertions

Providers Providers

(36)

ENISA

• Important globally recognized thought leader for cloud security research

• “Cloud Computing: Benefits, Risks and

Recommendations for Information Security” - whitepaper key part of CCSK

• “Security and Resilience in Government Clouds” – research in progress

• Driving force of CAMM

• SecureCloud Conference

(37)

Cloud Security Alliance Congress

• Presenting findings from above research

• Global multi-track cloud security conference

• Industry thought leaders

• Technical, compliance, government tracks

• Conference November 16-17, DisneyWorld in

Orlando, Florida

• Optional workshops November 15 & 18

(38)

Contact

•

Help us secure cloud computing

•

www.cloudsecurityalliance.org

•

[email protected]

•

LinkedIn: www.linkedin.com/groups?gid=1864210

(39)

Thank you!