Building an Effective Cloud Security Program
Laura Posey
Senior Security Strategist, Microsoft Corporation
Co-Chair, CSA CAIQ
Programming Chair, NY Metro CSA Chapter
www.cloudsecurityalliance.org
Is Cloud worth it? Yes!
• Platform for Innovation with Utility IT
• Any Device, Anywhere, Anytime
• Collaboration & Social Media
What are the Cloud risks?
• Shadow & Consumerization of IT
• Security, Trust & Assurance
• Jurisdictional Data Governance
About the Cloud Security Alliance (CSA)
• Global, not-for-profit organization
• Over 23,000 individual members, 100 corporate members, 50 chapters
• Building best practices and a trusted cloud ecosystem
• Agile philosophy, rapid development of applied research
  – GRC: Balance compliance with risk management
  – Reference models: build using existing standards
  – Identity: a key foundation of a functioning cloud economy
  – Champion interoperability
  – Enable innovation
  – Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
CSA Contributing Members
And MANY more…
What is GRC?
Related existing standards
Who is accountable for what?
Control Ownership Clarity
Copyright © 2010 Cloud Security Alliance
You can outsource business capability or function but you cannot outsource accountability for information security → do your due diligence to identify and address…
CSA Guidance Research
• Popular best practices for securing cloud computing
• 14 Domains of concern
• Governing & operating groupings
Cloud Architecture
Governing the Cloud:
  – Governance and Enterprise Risk Management
  – Legal and Electronic Discovery
  – Compliance and Audit
  – Information Lifecycle Management
  – Portability and Interoperability
Operating in the Cloud:
  – Security, Bus. Cont., and Disaster Recovery
  – Data Center Operations
  – Incident Response, Notification, Remediation
  – Application Security
  – Encryption and Key Management
  – Identity and Access Management
  – Virtualization
Transparency
Guidance Highlights – 1/2
• Governance, ERM: Secure the cloud before procurement – contracts, SLAs, architecture
• Governance, ERM: Know provider’s third parties, BCM/DR, financial viability, employee vetting
• Legal: Plan for provider termination & return of assets
• Compliance: Identify data location when possible
• ILM: Persistence, Protection
Guidance Highlights – 2/2
• BCM/DR: provider redundancy vs. your own
• DC Ops: provisioning, patching, logging
• Encryption: encrypt data when possible, segregate key mgt from cloud provider
• AppSec: Adapt secure software development lifecycle
• Virtualization: Harden, rollback, port VM images
A Cloud Security Governance, Risk, and Compliance (GRC) Stack
Delivering ← Stack Pack → Description
• The recommended foundations for controls
  – Fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider
• Pre-audit checklists and questionnaires to inventory controls
  – Industry-accepted ways to document what security controls exist
• Continuous monitoring … with a purpose
  – Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
• Claims, offers, and the basis for auditing service delivery
  – Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
CSA GRC Stack (cont.)
Cloud Controls Matrix (CCM)
• First ever baseline control framework specifically designed for managing risk in the Cloud Supply Chain:
  – Addresses the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
  – Provides an anchor point and common language for balanced measurement of security and compliance postures.
  – Provides the holistic adherence to the vast and ever evolving landscape of global data privacy regulations and security standards.
• Serving as the basis for new industry standards and certifications.
• v1.2 released Aug 2011; v2.0 to be released Nov 2012
CCM – 11 Domains
CCM snapshot – architectural and delivery model relevance
CCM snapshot – mappings to popular standards*
*Standards represented in CCM v1.2: COBIT 4.1, HIPAA/HITECH Act, ISO/IEC 27001-2005, NIST SP800-53 R3, FedRAMP, PCI DSS v2.0, BITS Shared Assessments SIG v6.0, BITS Shared Assessments AUP v5.0, GAPP (Aug 2009), Jericho Forum, NERC CIP
Consensus Assessments Initiative Questionnaire (CAIQ)
• Cloud Supply Chain risk management and due diligence questionnaire (148 questions)
• Enables Cloud service providers to demonstrate compliance with the CSA CCM.
• Forms the basis for establishing Cloud-specific Service Level Objectives that can be incorporated into supplier agreements.
• Along with CSA CCM, integrated into third party GRC solution providers.
CAIQ Guiding Principles
The following are the principles that the working group utilized as guidance when developing the CAIQ:
• The questionnaire is organized using CSA’s 13 governing & operating domains divided into “control areas” within CSA’s Control Matrix structure
• Questions are to assist both cloud providers in general principles of cloud security and clients in vetting cloud providers on the security of their offering and company security profile
• CAIQ is not intended to duplicate or replace existing industry security assessments but to contain questions unique or critical to the cloud computing model in each control area
• Each question should be able to be answered yes or no
• If a question can’t be answered yes or no then it was separated into two or more questions to allow yes or no answers.
• Questions are intended to foster further detailed questions to the provider by the client, specific to the client’s cloud security needs. This was done to limit the number of questions to make the assessment feasible, and since each client may have unique follow-on questions or may not be concerned with all follow-on questions
CAIQ snapshot
CAIQ snapshot – questions detail
Control area: Encryption Key Management – Control ID IS-19
  – IS-19.1 Do you encrypt tenant data at rest (on disk/storage) within your environment?
  – IS-19.2 Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
  – IS-19.3 Do you have a capability to manage encryption keys on behalf of tenants?
  – IS-19.4 Do you maintain key management procedures?
Control area: Vulnerability / Patch Management – Control ID IS-20
  – IS-21.1 Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?
  – IS-20.2 Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?
  – IS-20.3 Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?
  – IS-20.4 Will you make the results of vulnerability scans available to tenants at their request?
  – IS-20.5 Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
  – IS-20.6 Will you provide your risk-based systems patching timeframes to your tenants upon request?
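As an added illustration (not from the slides or any CSA tool), the following Python script applies the CAIQ guiding principles to a constructed set of provider responses for the IS-19 and IS-20 questions shown above: it rejects answers that are not Yes/No, flags a question ID filed under the wrong control (the snapshot lists an IS-21.1 entry under IS-20), and turns each No into a per-control follow-up item for the customer. The sample answers are made up.

```python
"""Checks CAIQ responses against the CAIQ guiding principles: every question
is answered Yes or No, and each question ID sits under the CCM control it
belongs to. 'No' answers are collected per control as follow-up items."""
import re
from collections import defaultdict

# Constructed sample responses (not a real STAR listing). The question IDs
# are those shown on the CAIQ snapshot slide, including the IS-21.1 entry
# that appears under control IS-20; the answers are made up.
SAMPLE_ANSWERS = [
    ("IS-19", "IS-19.1", "No"),         # tenant data at rest not encrypted
    ("IS-19", "IS-19.2", "Yes"),
    ("IS-19", "IS-19.3", "yes"),        # case differences are tolerated
    ("IS-19", "IS-19.4", "Yes"),
    ("IS-20", "IS-21.1", "Yes"),        # question ID does not match control
    ("IS-20", "IS-20.2", "Yes"),
    ("IS-20", "IS-20.3", "Partially"),  # not Yes/No: must be split further
    ("IS-20", "IS-20.4", "No"),
    ("IS-20", "IS-20.5", "Yes"),
    ("IS-20", "IS-20.6", "No"),
]

# CAIQ question IDs look like <area>-<control no>.<question no>, e.g. IS-19.1
QUESTION_ID = re.compile(r"^([A-Z]{2}-\d{2})\.\d+$")

def check_answers(rows):
    """Classify each row; returns 'No' answers per control, Yes counts,
    non-Yes/No answers, and question IDs filed under the wrong control."""
    report = {"gaps": defaultdict(list), "yes": defaultdict(int),
              "invalid": [], "mislabelled": []}
    for control, qid, answer in rows:
        match = QUESTION_ID.match(qid)
        if match is None or match.group(1) != control:
            report["mislabelled"].append(qid)
            continue
        norm = answer.strip().lower()
        if norm not in ("yes", "no"):
            report["invalid"].append(qid)   # principle: each question is Yes/No
        elif norm == "no":
            report["gaps"][control].append(qid)  # seed for client follow-up
        else:
            report["yes"][control] += 1
    report["gaps"], report["yes"] = dict(report["gaps"]), dict(report["yes"])
    return report

def yes_ratio(report, control):
    """Share of validly answered questions under `control` answered Yes."""
    yes = report["yes"].get(control, 0)
    total = yes + len(report["gaps"].get(control, []))
    return yes / total if total else 0.0
```

For the sample data, `check_answers` reports IS-19.1, IS-20.4 and IS-20.6 as follow-up items, IS-20.3 as an answer that needs splitting, and IS-21.1 as mislabelled.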
CSA Security Trust & Assurance Registry (STAR)
Public and free registry of Cloud Provider self assessments, demonstrating adoption of:
• Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative Questionnaire (CAIQ)
➢ Promotes transparency of security practices within cloud providers
➢ Documents the security controls provided by various cloud computing offerings
➢ Free market competition to provide quality assessments.
CSA STAR Listing Process
• Provider fills out CAIQ or customizes CCM
• Uploads document at /star
• CSA performs basic verification
  – Authorized listing from provider
  – Delete SPAM, “poisoned” listings
  – Basic content accuracy check
• CSA digitally signs and posts at /star
• Registry location: https://cloudsecurityalliance.org/research/initiatives/star-registry/
Completed STAR snapshot – Microsoft’s Office 365
Columns: Control ID in CCM (CCM Version R1.1 Final) | Description | Microsoft Response

IS-19 Information Security – Encryption Key Management
Description: Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission.
Microsoft Response: Encryption is provided on several layers, such as Transport Layer, encryption between clients and Exchange Online (SSL), Instant Messaging and IM federation. For more information consult the Office 365 Security Service Description available on the Download Center. Furthermore, we support S/MIME, Active Directory Rights Management Services or PGP.
Office 365 currently does not encrypt data at rest; however, the customer may do so through IRM or RMS.
“Media Handling” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.7.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-20 Information Security – Vulnerability / Patch Management
Description: Policies and procedures shall be established and mechanism implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and Contractor-supplied security patches applied in a timely manner taking a risk-based approach for prioritizing critical patches.
Microsoft Response: Microsoft Online Services implements technologies to scan the environment for vulnerabilities. Identified vulnerabilities are tracked, and verified for remediation. In addition, regular vulnerability/penetration assessments to identify vulnerabilities and determine whether key logical controls are operating effectively are performed. Microsoft’s Security Response Center (MSRC) regularly monitors external security vulnerability awareness sites. As part of the routine vulnerability management process, Microsoft Online Services evaluates our exposure to these vulnerabilities and leads action across Microsoft Online Services to mitigate risks when necessary.
The Microsoft Security Response Center (MSRC) releases security bulletins on the second Tuesday of every month (“Patch Tuesday”), or as appropriate to mitigate zero-day exploits. In the event that proof-of-concept code is publicly available regarding a possible exploit, or if a new critical security patch is released, Microsoft Online Services is required to apply patches to affected Microsoft Online Services systems according to a patching policy to remediate the vulnerability to the customer’s hosted environment. “Control of technical vulnerabilities” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 12.6. For more information, review of the publicly available ISO standards we are certified against is suggested.
CSA STAR – What You Should Do
• Providers
  – Start filling out CAIQ and/or CCM
  – Ask us for help
• Customers
  – Put your providers on notice, point them to CAIQ and/or CCM
  – Make CSA STAR entries a standard part of procurement & assessment
  – Get ready for the update in November.
CSA Collaboration with SBOs
Other CSA Research
• Trusted Cloud Initiative (TCI) – Presents a multi-tier architecture integration of TOGAF (The Open Group), ITIL, and SABSA (Zachman security model) with individual security elements mapped to CMM controls.
• CloudSIRT – Enhance the capability of the cloud community to prepare for and respond to vulnerabilities, threats, and incidents in order to preserve trust in cloud computing.
• Cloud Metrics – Companion project of CCM and CloudAudit defining objective criteria related to security control items, encompassing xDas, CEE and Syslog-ng, and collaborating with the DMTF cloud audit data federation work group.
• Big Data – Identifying scalable techniques for data-centric security and privacy problems, leading to crystallization of best practices for security and privacy in big data that can help industry and government with adoption of best practices.
• Mobile – Creating guidelines for the mobile device security framework and mobile cloud architectures: securing application stores and other public entities deploying software to mobile devices, analysis of mobile security capabilities and features of key mobile operating systems, and cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives.
Contact CSA
• Help us secure cloud computing!
  – www.cloudsecurityalliance.org
  – [email protected]
  – LinkedIn: www.linkedin.com/groups?gid=1864210
  – Twitter: @cloudsa
  – Join your local CSA Chapter: https://cloudsecurityalliance.org/chapters/
Thank You!
Appendix – Back-Up Slides
CSA Organization & Operations
CCM – 98 Controls
CCM – 98 Controls (cont.)
CCM – 98 Controls (cont.)
CCM – 98 Controls (cont.)
CSA STAR FAQ
• Where? www.cloudsecurityalliance.org/star/
• Help? Special LinkedIn support group and private mailbox moderated by CSA volunteers
• Costs? Free to post, free to use
• Is this a new hacker threat vector? No, it is responsible disclosure of security practices
• Will CSA police STAR? Initial verification and maintenance of “Abuse” mailbox
• Do listings expire? Yes, 1 year limit