Cloud Risk Management and Audit
Sukumar Nayak, CTO Cloud Services Integration & Automation Leader
Date Created: 01/27/2014
Date last updated: 03/15/2015
Scope:
• Cloud Fundamentals
• Cloud Models & Approaches
• Intro to OpenStack
• Reference Architecture & Framework
• Intro to CSA (1): Cloud Control Matrix (CCM)
  • 16 Domains & 133 Controls
• Intro to DMTF (2): Cloud Auditing Data Federation (CADF)
• Risk Management Challenges & Opportunities
• 10 Steps to Manage Cloud Security by CSCC (3)
• Q&A
Objective: Provide an overview of Cloud Risk Management and Audit
1. CSA: Cloud Security Alliance
2. DMTF: Distributed Management Task Force
3. CSCC: Cloud Standards Customers Council
Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customers Council
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
Cloud… where is the money?
Example recent news:
Deutsche Bank signs a 10-year, multibillion-dollar IT deal with HP in Feb 2015
Solution: HP Helion OpenStack based Cloud Services
HP will provide computing capacity and data storage to host Deutsche's operations.
Deutsche will retain activities such as IT architecture and information security.
Pareto Principle (figure): with traditional infrastructure/platform management (data center, server resources, OS platforms) the effort splits 80% infrastructure/platform management and 20% application management and business focus; with cloud resources it inverts to 20% infrastructure/platform management and 80% application management, business focus, innovation, creativity and agility.
Cloud computing basics
NIST Definition:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction. This cloud model is
composed of five essential characteristics, three service models, and four deployment
models.
Ref: NIST Cloud Computing Definition SP 800-145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
5 Essential Characteristics
• On-demand self-service
• Resource pooling
• Rapid elasticity
• Measured service
• Broad network access
3 Service Delivery Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
4 Deployment Models
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud
Service Delivery Models (figure): for each of Traditional (on premise), Infrastructure as a Service, Platform as a Service and Software as a Service, the stack of Storage, Servers, Networking, O/S, Middleware, Virtualization, Data, Applications and Runtime is marked as client managed, vendor managed or jointly managed.
Private vs. Public: Understanding the Trade-Offs
No Cloud (Enterprise IT)
• Each enterprise division manages its own data center (or a subdivision)
• Exclusive local control of resources
• Internally borne costs and burdens of management
• High-cost overcapacity, low resource utilization
Private Cloud
• Designated enterprise data center (or segment) managed centrally
• Data center resources shared by all divisions, protected by enterprise central controls
• Divisions of enterprise act as independent tenants
• Some elasticity of resources; good resource utilization; reduced cost of business
Virtual Private Cloud
• Third-party data center providers (public cloud characteristic)
• Data center sharing is restricted to only the divisions of this enterprise (private cloud characteristic)
• Divisions of enterprise act as independent tenants (private cloud characteristic)
• Some elasticity; good resource utilization; low cost of business
Community Cloud
• Consortium or a government scope data center (larger than private, but smaller than public)
• Members of the consortium or government agencies act as independent tenants
• Data center resources are shared by all members; consortium provides security, privacy and capacity
• Good elasticity of resources; high resource utilization; reduced cost of business
Public Cloud
• Third-party data center providers
• Computing resources shared by independent enterprises (tenants), protected by third parties in cloud
• Maximum elasticity; maximum resource utilization; low cost of business
(The figure arranges these options along an axis of decreasing autonomy, from No Cloud to Public Cloud.)
Workloads shifting to the Cloud (figure): workloads are placed along a Traditional IT / Private cloud / Public cloud axis, among them server capacity on demand, business apps (CRM, ERP), IT management, personal productivity apps, website creation & management, storage capacity on demand, app dev. & test, technical computing apps, data analysis and mining, custom apps, apps with sensitive data, IT help desk, collaborative apps, and data backup/archive services.
Enterprise Architecture and Cloud Architecture
Business Architecture (What, Who, Why):
• Mission
• Vision
• Stakeholders
• Operating Model & Processes
• Value Chain Models
• Metrics & Measures
• Align Business Strategy to IT Strategy
Information Architecture (What, How):
• Data Models
• Data Flows
• Interface, Integration & Interoperability
• Relevance to Business functions
Application Architecture (With what):
• Applications
• Tools
• Functions
• Capabilities
• Workflows
Technology & Infrastructure Architecture (With what):
• Servers
• Software
• Network
• Storage
• GRC, Legal, Security & Privacy
• Data Centers / Sites
Service Delivery (How & How much):
• Deployment
• Chargeback
• Break fix
• SLAs/SLOs
• Operations & Management
(In the original figure, brackets mark which layers are the Enterprise Architecture focus and which are the Cloud Architecture focus, IaaS & PaaS.)
Promise of Cloud Computing
Cloud will not necessarily help map IT to business but…
Cloud could enable:
• Economies of scale & improved resource utilization
• Reduced capital spending on technology infrastructure
• Lower barriers to entry for small businesses & lower start-up costs
• Usage based billing (pay as you go)
• Globalization of workforce
• Faster Deployment, Onboarding, Provisioning & De-provisioning
• Improved accessibility anytime & anywhere
• Improved transparency for Integration & flexibility
• Implementation of Chargebacks
• Improved Operations support & Provide SLAs / SLOs
• More predictable delivery of projects
• Reduced software licensing costs
Challenges & success factors…
• Legacy migration
• Integration & Interoperability
• Data & Applications Architecture
• Technology compatibility Issues
• Security & Privacy risks
• Legal & Regulatory Compliance
• Management of Change
Cloud simplifies IT services, but realize there is a lot behind this (figure): access devices consume cloud services (SaaS, PaaS, IaaS) running on a cloud platform; around them sit security management services, identity & access management services, IT management services with security impact and an IT management framework, spanning the demand and delivery sides.
And make sure you understand security (figure)
Security management services (across access devices, the cloud services SaaS / PaaS / IaaS and the cloud platform): malware protection, network security, client security, data protection, application security.
Application security on the cloud services: secure SDLC, instance security.
Identity & access management services (supply, delivery, demand): account management, access control management, authentication, key management, identity provisioning, federation, auditing.
IT management services with security impact: change management, patch management, configuration management, GRC, capacity management, availability management, incident management, virtualization management, vulnerability management, SIEM, compliance management.
Security service portal; IT management framework.
Cloud platform security (application security, data protection and availability): malware protection, network security, server security, client security, storage security, data protection, virtualization security, platform availability, security monitoring, physical security.
Secure Cloud Environment technologies & concepts
Segmentation and Isolation
Threat Detection and Mitigation
Security Information & Event Management (SIEM) / Log Management
Incident Response and Forensics
Identity & Access Management
Data Protection; Data & Information Security
Secure Software Development
Vulnerability Scanning and Patch Management
Physical & Personnel Security
Security Policy Management
Endpoint Management
OpenStack introduction
Key Components:
• Compute (Nova)
• Image Service (Glance)
• Networking (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Dashboard (Horizon)
• Identity Service (Keystone)
• Telemetry (Ceilometer)
• Orchestration (Heat)
• Database (Trove)
• Bare Metal Provisioning (Ironic)
• Multiple Tenant Cloud Messaging (Zaqar)
OpenStack Basic Deployment (figure): the components shown are Portal, Identity, Library / Images, Compute, Network, Block Storage, Object Storage, Database Services, Automation, Message Broker, Metering and a Config Database.
OpenStack Feature Releases (figure): a timeline of releases from Nov 2010, Feb 2011, Apr 2011, Sep 2011, Apr 2012, Sep 2012, Apr 2013, Oct 2013 and Apr 2014 to Nov 2014, marking when Compute, Object Storage, Library / Images, Portal, Identity, Network, Block Storage, Automation, Metering, Database Services and Hadoop Cluster were added.
Cloud Security Alliance TCI Reference Architecture
Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative; SRM: Security and Risk Management; ITOS: IT Operation & Support; BOSS: Business Operation Support Services
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards
ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management
BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation
Presentation Services:
• Presentation Modality
• Presentation Platform
Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction
Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage, Server, Network)
Information Services:
• User Directory Services
• Security Monitoring Data Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
CSA Cloud Control Matrix CCM v3.0.1: 16 Domains
Source: https://cloudsecurityalliance.org/research/ccm/
Legend: CSA: Cloud Security Alliance; CCM: Cloud Control Matrix
Number of controls for each Domain in parentheses (133 in total):
1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)
CSA Cloud Control Matrix CCM v3.0.1: 133 Controls
Application & Interface Security (AIS)
• AIS-01: Application Security
• AIS-02: Customer Access Requirements
• AIS-03: Data Integrity
• AIS-04: Data Security / Integrity
Audit Assurance & Compliance (AAC)
• AAC-01: Audit Planning
• AAC-02: Independent Audits
• AAC-03: Information System Regulatory Mapping
Business Continuity Management & Operational Resilience (BCR)
• BCR-01: Business Continuity Planning
• BCR-02: Business Continuity Testing
• BCR-03: Datacenter Utilities / Environmental Conditions
• BCR-04: Documentation
• BCR-05: Environmental Risks
• BCR-06: Equipment Location
• BCR-07: Equipment Maintenance
• BCR-08: Equipment Power Failures
• BCR-09: Impact Analysis
• BCR-10: Policy
• BCR-11: Retention Policy
Change Control & Configuration Management (CCC)
• CCC-01: New Development / Acquisition
• CCC-02: Outsourced Development
• CCC-03: Quality Testing
• CCC-04: Unauthorized Software Installations
• CCC-05: Production Changes
Data Security & Information Lifecycle Management (DSI)
• DSI-01: Classification
• DSI-02: Data Inventory / Flows
• DSI-03: eCommerce Transactions
• DSI-04: Handling / Labeling / Security Policy
• DSI-05: Non-Production Data
• DSI-06: Ownership / Stewardship
• DSI-07: Secure Disposal
Datacenter Security (DCS)
• DCS-01: Asset Management
• DCS-02: Controlled Access Points
• DCS-03: Equipment Identification
• DCS-04: Off-Site Authorization
• DCS-05: Off-Site Equipment
• DCS-06: Policy
• DCS-07: Secure Area Authorization
• DCS-08: Unauthorized Persons Entry
• DCS-09: User Access
Encryption & Key Management (EKM)
• EKM-01: Entitlement
• EKM-02: Key Generation
• EKM-03: Sensitive Data Protection
• EKM-04: Storage and Access
Governance and Risk Management (GRM)
• GRM-01: Baseline Requirements
• GRM-02: Data Focus Risk Assessments
• GRM-03: Management Oversight
• GRM-04: Management Program
• GRM-05: Management Support/Involvement
• GRM-06: Policy
• GRM-07: Policy Enforcement
• GRM-08: Policy Impact on Risk Assessments
• GRM-09: Policy Reviews
• GRM-10: Risk Assessments
• GRM-11: Risk Management Framework
Human Resources (HRS)
• HRS-01: Asset Returns
• HRS-02: Background Screening
• HRS-03: Employment Agreements
• HRS-04: Employment Termination
• HRS-05: Mobile Device Management
• HRS-06: Non-Disclosure Agreements
• HRS-07: Roles / Responsibilities
• HRS-08: Technology Acceptable Use
• HRS-09: Training / Awareness
• HRS-10: User Responsibility
• HRS-11: Workspace
Identity & Access Management (IAM)
• IAM-01: Audit Tools Access
• IAM-02: Credential Lifecycle / Provision Management
• IAM-03: Diagnostic / Configuration Ports Access
• IAM-04: Policies and Procedures
• IAM-05: Segregation of Duties
• IAM-06: Source Code Access Restriction
• IAM-07: Third Party Access
• IAM-08: Trusted Sources
• IAM-09: User Access Authorization
• IAM-10: User Access Reviews
• IAM-11: User Access Revocation
• IAM-12: User ID Credentials
• IAM-13: Utility Programs Access
Infrastructure & Virtualization Security (IVS)
• IVS-01: Audit Logging / Intrusion Detection
• IVS-02: Change Detection
• IVS-03: Clock Synchronization
• IVS-04: Information System Documentation
• IVS-05: Management - Vulnerability Management
• IVS-06: Network Security
• IVS-07: OS Hardening and Base Controls
• IVS-08: Production / Non-Production Environments
• IVS-09: Segmentation
• IVS-10: VM Security - vMotion Data Protection
• IVS-11: VMM Security - Hypervisor Hardening
• IVS-12: Wireless Security
• IVS-13: Network Architecture
Interoperability & Portability (IPY)
• IPY-01: APIs
• IPY-02: Data Request
• IPY-03: Policy & Legal
• IPY-04: Standardized Network Protocols
• IPY-05: Virtualization
Mobile Security (MOS)
• MOS-01: Anti-Malware
• MOS-02: Application Stores
• MOS-03: Approved Applications
• MOS-04: Approved Software for BYOD
• MOS-05: Awareness and Training
• MOS-06: Cloud Based Services
• MOS-07: Compatibility
• MOS-08: Device Eligibility
• MOS-09: Device Inventory
• MOS-10: Device Management
• MOS-11: Encryption
• MOS-12: Jailbreaking and Rooting
• MOS-13: Legal
• MOS-14: Lockout Screen
• MOS-15: Operating Systems
• MOS-16: Passwords
• MOS-17: Policy
• MOS-18: Remote Wipe
• MOS-19: Security Patches
• MOS-20: Users
Security Incident Management, E-Discovery & Cloud Forensics (SEF)
• SEF-01: Contact / Authority Maintenance
• SEF-02: Incident Management
• SEF-03: Incident Reporting
• SEF-04: Incident Response Legal Preparation
• SEF-05: Incident Response Metrics
Supply Chain Management, Transparency and Accountability (STA)
• STA-01: Data Quality and Integrity
• STA-02: Incident Reporting
• STA-03: Network / Infrastructure Services
• STA-04: Provider Internal Assessments
• STA-05: Supply Chain Agreements
• STA-06: Supply Chain Governance Reviews
• STA-07: Supply Chain Metrics
• STA-08: Third Party Assessment
• STA-09: Third Party Audits
Threat and Vulnerability Management (TVM)
• TVM-01: Anti-Virus / Malicious Software
• TVM-02: Vulnerability / Patch Management
• TVM-03: Mobile Code
DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF's Cloud Management Initiative.
Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / Reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Customer Benefits:
• Ability to self-manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / Partners
Cloud Auditing Data aggregated from multiple sources (figure)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Company A runs hybrid applications within its own OSS/BSS processes and at Cloud Providers P1 and P2. Each environment exposes standard APIs for requesting audit data and returns standard audit data (logs and reports); Company A's auditor aggregates the audit data from all the hybrid applications through those same standard APIs.
OSS: Operational Support Services; BSS: Business Support Services
CADF Taxonomy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Includes:
• Resources by the role played in the event, e.g. Initiator, Target, Observer.
• Actions used to classify the event by the activity that caused it to be generated.
• Outcomes used to describe the outcome of the attempted action of the event.
CADF Event Model: Basic and conditional model components (Model Component: CADF Definition)
• OBSERVER: The RESOURCE that generates the CADF Event Record based on its observation (directly or indirectly) of the Actual Event.
• INITIATOR: The RESOURCE that initiated, originated, or instigated the event's ACTION, according to the OBSERVER.
• ACTION: The operation or activity the INITIATOR has performed, attempted to perform or has pending against the event's TARGET, according to the OBSERVER.
• TARGET: The RESOURCE against which the ACTION of a CADF Event Record was performed, was attempted, or is pending, according to the OBSERVER. NOTE: A TARGET (in the CADF Event Model) can represent a plurality of target resources.
CADF 7 essential W's of auditing and monitoring
Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
CADF Event Model and its components:
• Work for any Activity, Monitoring or Control event
• Provide guidance on how to record Basic, Detailed or Precise information for each component
1. What: What activity occurred? What was the result? event.action, event.outcome, event.type (activity, monitoring, control), event.reason (ex: security, reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take? ISO 8601 transaction timestamps: event.eventTime, reporter.timestamp, event.duration
3. Who: Who (user/service) initiated the Action? initiator.id; initiator.type; initiator.id (id, name); initiator.credential; initiator.credential.assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded? observer.id, observer.type, reporterstep.role, reporterstep.reporterTime
5. On What: On what resource did the Activity target? target.id
6. From Where: From where was the Action initiated? May include logical/physical addresses and ISO 6709:2008 precise geolocations. initiator.addresses, initiator.host, initiator.geolocation
7. To Where: To where was the Action targeted? Can be as simple as an IP address or server name. target.addresses, target.host, target.geolocation
Legend: optional properties were shown in italics on the original slide.
CADF Resource Top-level Taxonomy hierarchy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
storage Logical resources that represent storage containers.
compute Logical resources that are used to perform logical operations or calculations on data.
network Logical resources that interconnect computer systems, terminals, and other equipment allowing information to be exchanged.
data Logical named sets of information (objectified data) that are referenced and managed by services.
service Logical set of operations, packaged into a single entity, that provides access to and management of cloud resources (for a given domain).
system Logical resources that are a combination of several other [cloud] resources that operate as a functional whole, this combination being manageable (created, operated, audited, etc.) as a unit, i.e., offering some operations that could activate lower-level operations over each of the subresources.
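As an added illustration (not text from the DMTF specification and not OpenStack's pycadf library), the Python below builds one CADF-style event record for a failed login, checks it against the vocabulary in the tables above (event type, outcome, reporter roles, top-level resource taxonomy, ISO 8601 times) and answers the 7 W's from its fields. The typeURI subtypes under the top-level resource names, the reason structure and all sample identifiers are assumptions made for the example.

```python
"""CADF-style audit event: build, check, and answer the 7 W's (added example)."""
import re
import uuid
from datetime import datetime, timezone

# Vocabulary from the page's CADF tables. The spec spells the second event
# type "monitor"; subtypes such as "service/identity" are constructed here.
TOP_LEVEL_RESOURCES = {"storage", "compute", "network", "data", "service", "system"}
EVENT_TYPES = {"activity", "monitor", "control"}
OUTCOMES = {"success", "failure", "pending", "unknown"}
REPORTER_ROLES = {"observer", "modifier", "relay"}
REQUIRED = ("typeURI", "id", "eventType", "eventTime", "action",
            "outcome", "initiator", "target", "observer", "reporterchain")
ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def resource(res_id, type_uri, **attrs):
    """A CADF resource: id plus taxonomy typeURI, with optional host/addresses."""
    return {"id": res_id, "typeURI": type_uri, **attrs}


def build_event(event_type, action, outcome, initiator, target, observer,
                reason=None, event_time=None):
    """Assemble one event record; the observer also writes the first reporter step."""
    now = event_time or datetime.now(timezone.utc).isoformat(timespec="seconds")
    event = {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "id": str(uuid.uuid4()),
        "eventType": event_type,
        "eventTime": now,
        "action": action,
        "outcome": outcome,
        "initiator": initiator,
        "target": target,
        "observer": observer,
        "reporterchain": [{"role": "observer", "reporterId": observer["id"], "reporterTime": now}],
    }
    if reason:  # assumed shape: free-form dict, e.g. policy id or reason code
        event["reason"] = reason
    return event


def check_event(event):
    """Return a list of problems; an empty list means the record is well formed."""
    problems = [f"missing {k}" for k in REQUIRED if k not in event]
    if event.get("eventType") not in EVENT_TYPES:
        problems.append(f"bad eventType {event.get('eventType')!r}")
    if event.get("outcome") not in OUTCOMES:
        problems.append(f"bad outcome {event.get('outcome')!r}")
    if not ISO8601.match(str(event.get("eventTime", ""))):
        problems.append("eventTime is not ISO 8601")
    for role in ("initiator", "target", "observer"):
        top = event.get(role, {}).get("typeURI", "").split("/")[0]
        if top not in TOP_LEVEL_RESOURCES:
            problems.append(f"{role} typeURI not under a known top-level resource")
    for step in event.get("reporterchain", []):
        if (step.get("role") not in REPORTER_ROLES
                or not ISO8601.match(str(step.get("reporterTime", "")))):
            problems.append("malformed reporter step")
    return problems


def seven_ws(event):
    """Map the record's fields onto the page's 7 W's."""
    ini, tgt = event["initiator"], event["target"]
    return {
        "what": (event["action"], event["outcome"], event["eventType"]),
        "when": event["eventTime"],
        "who": ini["id"],
        "where": event["observer"]["id"],
        "on_what": tgt["id"],
        "from_where": ini.get("host") or ini.get("addresses"),
        "to_where": tgt.get("host") or tgt.get("addresses"),
    }


# Constructed sample: a failed login against an identity service, observed
# and reported by that service itself (all names and addresses are made up).
SAMPLE = build_event(
    "activity", "authenticate", "failure",
    initiator=resource("user-1234", "service/identity/user", name="alice", host="198.51.100.7"),
    target=resource("identity-public", "service/identity", host="identity.example.invalid"),
    observer=resource("identity-public", "service/identity"),
    reason={"reasonType": "policy", "reasonCode": "invalid_credentials"},
    event_time="2015-03-15T10:02:33Z",
)

if __name__ == "__main__":
    print(check_event(SAMPLE), seven_ws(SAMPLE))
```

Records that fail check_event are the ones an aggregator cannot merge consistently across providers, which is the normalization benefit the slides claim for CADF.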
10 Steps to Manage Cloud Security (focus areas with their standards and certifications)
Step 1: Ensure effective governance, risks & compliance
• Standards: ISO 38500 – IT Governance; COBIT; ITIL (ISO 27002); ISO 20000-7 & ISO 20000-11 (in devl); SSAE 16; PCI-DSS
• Certifications: ISO 27002 (ISO 27017); SSAE 16; HIPAA; PCI-DSS; FedRAMP; FISMA
Step 2: Audit operational and business processes
• Standards: DMTF Cloud Auditing Data Federation (CADF)
• Certifications: ISO 27002 (ISO 27017); SSAE 16
Step 3: Manage people, roles and identities
• Standards: ISO 27002; IAM: Kerberos, LDAP, SAML 2.0, OAuth 2.0, WS-Federation, OpenID Connect; SCIM; Active Directory Federated Services (ADFS2); XACML; PKCS, X.509, OpenPGP
• Certifications: ISO 27002 (ISO 27017)
Step 4: Ensure proper protection of data & information
• Standards: ISO 27002 / 27017 (in devl); Data in motion: HTTPS, SFTP, VPC using IPSec or SSL; US FIPS 140-2; OASIS KMIP
• Certifications: ISO 27002 (ISO 27017)
Step 5: Enforce privacy policies
• Standards: Personally Identifiable Information (PII); U.S. – EU Safe Harbor framework; ISO 27018 (in devl)
• Certifications: TRUSTe Safe Harbor certification seal program; ISO 27018 (in devl)
Step 6: Assess the security provisions for cloud apps
• Standards: NIST Guidelines on Firewalls and Firewall Policy; Open Web Application Security Project (OWASP); OVF 2.0 & OASIS TOSCA
• Certifications: ISO 27002 (ISO 27017)
Step 7: Ensure cloud networks and connections are secure
• Standards: ISO 27001 & 27002; ISO/IEC 27033-1/2/3; FISMA (FIPS 199 & 200); OpenFlow, TM Forum Frameworx, NIST SP 800-53
• Certifications: ISO 27002 (ISO 27017)
Step 8: Evaluate security controls on physical infrastructure & facilities
• Standards: ISO 27002; ISO 27017 & 18 (in devl)
• Certifications: ISO 27002 (ISO 27017)
Step 9: Manage security terms in the cloud SLA
• Standards: CSCC Practical Guide to SLA; ISO 27004, NIST SP 800-55; CIS Consensus Security Metrics; ENISA
• Certifications: ISO 27002 (ISO 27017); SSAE 16 (financial)
Step 10: Understand the security requirements of the exit process
• Standards: None; ISO SC38 WG3 (future)
• Certifications: None
References
• Cloud Standards Customer Council (CSCC) Cloud Security Standards
• Cloud Auditing Data Federation
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
• OpenStack wiki
• OpenStack Main Page
• OpenStack Developers Guides
• Cloud Audit Data Federation - OpenStack Profile
• Cloud Auditing Data Federation (CADF) - Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies