2011 Cloud Security Alliance, Inc. All rights reserved.

Vast Landscape of Cloud Standards Development Organizations (SDOs)

• Promote common level of understanding
– Consumers
– Providers
– Security Requirements
– Attestation of Assurance
• Promote independent, agile research development – incubator for standards development efforts
• Address cloud security and assurance risks and guidance through collective expertise
• Awareness campaigns and educational programs
– Cloud computing use cases
– Cloud security solutions

Organization & Operations

• Title Proposed: International Standardization Council
• Formed at CSA Congress, Nov 2011 (Orlando)
• Aloysius Cheang, CSA Singapore, appointed as Head of Standards Secretariat (Council Lead)
• Council Charter, Appointment of Co-Chairs (In Progress)
• Allows CSA Members to actively engage in the SDO process (contributions, comments, etc.)

International Standardization Council – Global Membership

• Laura Kuiper (Cisco)
• Becky Swain (EKKO Consulting)
• Marlin Pohlman (EMC)
• Crispen Maung (Salesforce.com)
• Heather Ouellette (Salesforce.com)
• Cameron Smith (Zscaler)
• Aloysius Cheang (CSA Secretariat)
• Laura Posey (Microsoft)
• Andreas Fuchsberger (Microsoft)
• Bernd Jäger (Colt Telecom)
• Jason Creasy (ISF)
• Said Tabet (EMC)

Security Guidance for Critical Areas of Focus in Cloud Computing

The Guidance Version 3.0 (Nov 2011)
– Seeks to establish a stable, secure baseline for cloud operations.
– Provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely.
– 14 Domains – rewritten to emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment.
– Download @ …/research/initiatives/security-guidance/

Prior Releases:
– Version 1.2 (Dec 2009)
  • Incorporated into CCSK learning criteria
– Version 1.0 (April 2009)
  • CSA founding publication

Section I. Cloud Architecture
Section II. Governing in the Cloud
Section III. Operating in the Cloud

Domain 1: Cloud Computing Architectural Framework
Domain 2: Governance and Enterprise Risk Management
Domain 3: Legal Issues: Contracts and Electronic Discovery
Domain 4: Compliance and Audit Management
Domain 5: Information Management and Data Security
Domain 6: Interoperability and Portability
Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
Domain 8: Data Center Operations
Domain 9: Incident Response
Domain 10: Application Security
Domain 11: Encryption and Key Management
Domain 12: Identity, Entitlement, and Access Management
Domain 13: Virtualization

The CSA GRC Stack

• A suite of four integrated and reinforcing CSA initiatives (the “stack packages”)
– The Stack Packs:
  • Cloud Controls Matrix
  • Consensus Assessments Initiative
  • CloudAudit
  • CloudTrust Protocol
• Designed to support cloud consumers and cloud providers
• Prepared to capture value from the cloud as well as support compliance and control within the cloud

The CSA GRC Stack

Stack Pack: CloudTrust Protocol
– Delivering: Continuous monitoring … with a purpose
– Description: Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers

Stack Pack: CloudAudit
– Delivering: Claims, offers, and the basis for auditing service delivery
– Description: Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments

Stack Pack: Consensus Assessments Initiative
– Delivering: Pre-audit checklists and questionnaires to inventory controls
– Description: Industry-accepted ways to document what security controls exist

Stack Pack: Cloud Controls Matrix
– Delivering: The recommended foundations for controls
– Description: Fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider

The GRC Stack – Solving the Value Equation in the Cloud

Delivering evidence-based confidence… with compliance-supporting data & artifacts.

(Figure: GRC Stack – Security Requirements and Capabilities; Security Transparency and Visibility; Compliance and Trust)

CSA GRC Value Equation – Contributions for Consumers and Providers

• What control requirements should I have as a cloud consumer or cloud provider?
• How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
• How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
• How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?

• Individually useful
• Collectively powerful
• Productive way to reclaim end-to-end information risk management capability

(Figure labels: Static claims & assurances; Dynamic (continuous) monitoring and transparency)

Security, Trust, and Assurance Registry (CSA STAR)

• Public Registry of Cloud Provider self assessments
• Leverages GRC Stack Projects
– Consensus Assessments Initiative Questionnaire
– Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Free market competition to provide quality assessments
• Available October 2011

• Encourages transparency of security practices within cloud providers
• Documents the security controls provided by various cloud computing offerings
• Free and open to all cloud providers
• Option to use data/report based on CCM or the CAIQ

(Figure labels: GRC Stack – Expose control claims; Compete to improve GRC capabilities)

• CSA certification criteria and seal program for cloud providers
• Initial focus on secure & interoperable identity in the cloud, and its alignment with data encryption
• Assemble with existing standards
• Reference models & Proof of concept
• Outline responsibilities for Identity Providers, Enterprises, Cloud Providers, Consumers
• Download @ …/trustedcloud.html

TCI Mission

“To create a Trusted Cloud reference architecture for cloud use cases that leverage cloud delivery models (SaaS, PaaS, IaaS) in the context of operational models (Public, Private, Hybrid) to deliver a secure and trusted cloud service.”

Holistic approach around controls… and Architecture best practices

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

National Institute of Standards and Technology (NIST) – Promotes the effective and secure use of the technology within the U.S. Federal Government and therefore leads a number of efforts to develop cloud standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders.

• Standards Acceleration to Jumpstart the adoption of Cloud Computing (SAJACC)
• Strategy to build a US Government (USG) Cloud Computing Technology Roadmap.

Publications
• SP 800-144: DRAFT Guidelines on Security and Privacy in Public Cloud Computing (Jan 28, 2011)
• SP 800-145: A NIST Definition of Cloud Computing (Sept 2011)
• SP 800-146: DRAFT Cloud Computing Synopsis and Recommendations (May 12, 2011)
• SP 500-291: NIST Cloud Computing Standards Roadmap (August 10, 2011)
• SP 500-292: NIST Cloud Computing Reference Architecture (September 08, 2011)


NIST Definition of Cloud

The NIST definition of cloud computing (SP 800-145):
• 5 essential characteristics
• 3 service models
• 4 deployment models

Already widely adopted by the Cloud Computing industry, including ISO/IEC JTC 1/SC 38, and recognized in CSA.

NIST Cloud Computing Reference Model

(Figure: The CSA GRC Stack – Architecture Reference Model Readiness – Transparency)

“Proposed Security Assessment & Authorization for U.S. Government Cloud Computing” DRAFT (FedRAMP) – Based on NIST SP 800-37 R1 and SP 800-53 as a proposed Assessment and Authorization (A&A) for U.S. Government Cloud Computing.
• Chapter 1: Cloud Computing Security Requirement Baseline (SP 800-53)
• Chapter 2: Continuous Monitoring
• Chapter 3: Potential Assessment & Authorization Approach (SP 800-37 R1)

• CSA provided feedback on the FedRAMP DRAFT
• CSA CCM v1.2 incorporates mapping of SP 800-53 R3 and the FedRAMP DRAFT
• CSA CCM v1.3 to include mapping of SP 800-53 R4 and FedRAMP FINAL

NIST SCAP (Pronounced “S-Cap”)

The Security Content Automation Protocol (SCAP)
– Suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and to humans
– Multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement
– Promotes interoperability of security products and fosters the use of standard expressions of security content
– Mandated by FedRAMP Continuous Monitoring

5 Specification Categories
• Languages – standard vocabularies/conventions for expressing security policy, technical check mechanisms, and assessment results: Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL®), and Open Checklist Interactive Language (OCIL™)
• Reporting Formats – provide the necessary constructs to express collected information in standardized formats: Asset Reporting Format (ARF) and Asset Identification
• Enumerations – define standard nomenclature and an official dictionary expressed using that nomenclature: Common Platform Enumeration (CPE™), Common Configuration Enumeration (CCE™), and Common Vulnerabilities and Exposures (CVE®)
• Measurement and scoring systems – evaluation of specific characteristics of a security weakness (i.e., software vulnerabilities and security configuration issues) and, based on those characteristics, generating a score that reflects their relative severity: Common Vulnerability Scoring System (CVSS), Common Configuration Scoring System (CCSS)
• Integrity – preserve the integrity of SCAP content and results: Trust Model for Security Automation Data (TMSAD)
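The enumerations category above is what lets a scanner, an advisory feed and an asset inventory refer to the same platform and the same flaw without ambiguity. The following is an added example (not code from the CSA deck, from NIST, or from any SCAP tool) that parses the two identifier formats named there, CVE ids and CPE 2.3 formatted strings, and uses them to answer the continuous-monitoring question "which of my hosts does this advisory touch?". The inventory and advisory data are constructed; the CVE ids in them use the year 0000 as an obvious placeholder; and the CPE matching is a deliberately simplified subset of the CPE name-matching specification (exact attribute comparison, with "*" as ANY).

```python
"""Parse and match SCAP enumeration identifiers (CVE and CPE 2.3).

Added example; not code from the CSA deck, NIST, or any SCAP tool. The
inventory and advisory data below are constructed, and the CVE ids in them
are placeholders (year 0000), not real entries.
"""
import re
from typing import Dict, List, Optional, Tuple

# CVE identifier syntax: "CVE-" + four-digit year + sequence of four or more digits.
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# The eleven attribute positions that follow the "cpe:2.3:" prefix in a
# CPE 2.3 formatted string. "*" means ANY, "-" means NOT APPLICABLE.
_CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cve(identifier: str) -> Optional[Tuple[int, int]]:
    """Return (year, sequence) for a well-formed CVE id, or None."""
    m = _CVE_RE.match(identifier.strip().upper())
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_cpe23(formatted: str) -> Optional[Dict[str, str]]:
    """Split a CPE 2.3 formatted string into its named attributes, or return
    None when it lacks the expected prefix and thirteen components."""
    # Split on ':' unless it is escaped as '\:' inside an attribute value.
    parts = re.split(r"(?<!\\):", formatted.strip())
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    attrs = dict(zip(_CPE_ATTRS, parts[2:]))
    if attrs["part"] not in ("a", "o", "h", "*", "-"):  # application / OS / hardware
        return None
    return attrs


def cpe_matches(pattern: str, target: str) -> bool:
    """Simplified CPE name matching (assumption: exact, case-sensitive values):
    every attribute of `pattern` must be ANY ('*') or equal to the same
    attribute of `target`. Wildcards inside attribute values are not expanded."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    if p is None or t is None:
        raise ValueError("malformed CPE 2.3 formatted string")
    return all(p[a] == "*" or p[a] == t[a] for a in _CPE_ATTRS)


# Constructed sample data: hosts described by CPE names, and advisories mapping
# placeholder CVE ids to the CPE patterns they affect.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "cpe:2.3:a:exampleco:webserver:2.4.1:*:*:*:*:*:*:*",
    "web-02": "cpe:2.3:a:exampleco:webserver:2.5.0:*:*:*:*:*:*:*",
    "db-01": "cpe:2.3:a:exampleco:dbengine:11.2:*:*:*:*:*:*:*",
}
SAMPLE_ADVISORIES: Dict[str, List[str]] = {
    "CVE-0000-0001": ["cpe:2.3:a:exampleco:webserver:2.4.1:*:*:*:*:*:*:*"],
    "CVE-0000-0002": ["cpe:2.3:a:exampleco:dbengine:*:*:*:*:*:*:*:*"],  # any dbengine version
}


def affected_hosts(inventory: Dict[str, str],
                   advisories: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each advisory, list the inventory hosts whose CPE matches one of its
    affected-platform patterns. Malformed CVE ids are rejected up front so bad
    feed data is caught rather than silently ignored."""
    result: Dict[str, List[str]] = {}
    for cve, patterns in advisories.items():
        if parse_cve(cve) is None:
            raise ValueError(f"not a CVE identifier: {cve!r}")
        result[cve] = sorted(host for host, cpe in inventory.items()
                             if any(cpe_matches(pat, cpe) for pat in patterns))
    return result


if __name__ == "__main__":
    for cve, hosts in affected_hosts(SAMPLE_INVENTORY, SAMPLE_ADVISORIES).items():
        print(cve, "->", ", ".join(hosts) or "no affected hosts")
```

Rejecting malformed identifiers instead of skipping them is the point worth keeping: a feed entry with a mangled CVE id or a CPE with the wrong number of components should surface as an error in the monitoring pipeline, not as a host that quietly never matches.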

The Extensible Configuration Checklist Description Format (XCCDF)
• Specification language for writing security checklists, benchmarks, and related kinds of documents
• An XCCDF document represents a structured collection of security configuration rules for some set of target systems
• Designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring
• Defines a data model and format for storing results of benchmark compliance testing
• The intent is to provide a uniform foundation for the expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.
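The last two bullets, the results data model and compliance scoring, are what a consumer of a scanner's output actually works with. As an added example (not code from the CSA deck or from NIST), the block below reads an XCCDF 1.2 TestResult with Python's standard XML parser, validates each rule result against the result values XCCDF allows, and computes a score under a simplified reading of XCCDF's flat scoring model (sum of passing rule weights over the sum of weights of all evaluated rules). The TestResult document, its rule ids and weights are constructed for illustration, and treating "fixed" as compliant is an assumption stated in the code.

```python
"""Read an XCCDF 1.2 TestResult and compute a compliance score from it.

Added example; not code from the CSA deck or from NIST. The TestResult below
is constructed (rule ids invented) and the scoring is a simplified reading of
XCCDF's flat scoring model: score = sum of weights of passing rules,
maximum = sum of weights of all rules that were actually evaluated.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# The result values XCCDF allows in a <result> element.
VALID_RESULTS = {"pass", "fail", "error", "unknown", "notapplicable",
                 "notchecked", "notselected", "informational", "fixed"}
# Results that do not count towards the score either way.
EXCLUDED = {"notapplicable", "notchecked", "notselected", "informational"}
# Results treated as compliant (assumption: "fixed" counts the same as "pass").
COMPLIANT = {"pass", "fixed"}

# Constructed sample: a scanner's result document for one target. Rule ids
# and weights are invented for illustration.
SAMPLE_TESTRESULT = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_host1">
  <rule-result idref="xccdf_example_rule_sshd_no_root_login" weight="10.0"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_password_min_length" weight="5.0"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_auditd_enabled" weight="5.0"><result>fixed</result></rule-result>
  <rule-result idref="xccdf_example_rule_fips_mode"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_legacy_service"><result>notselected</result></rule-result>
</TestResult>
"""


@dataclass(frozen=True)
class RuleResult:
    rule_id: str
    result: str
    weight: float


def parse_rule_results(xml_text: str) -> List[RuleResult]:
    """Extract every <rule-result> from a TestResult element. Unknown result
    values raise instead of being guessed at: a scanner writing out-of-spec
    values would otherwise silently skew the score."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}TestResult" % XCCDF_NS["xccdf"]:
        raise ValueError("root element is not an XCCDF 1.2 TestResult")
    results = []
    for rr in root.findall("xccdf:rule-result", XCCDF_NS):
        res = rr.find("xccdf:result", XCCDF_NS)
        value = (res.text or "").strip() if res is not None else ""
        if value not in VALID_RESULTS:
            raise ValueError(f"invalid result {value!r} for {rr.get('idref')}")
        # XCCDF's default rule weight is 1.0 when the attribute is absent.
        results.append(RuleResult(rr.get("idref", ""), value, float(rr.get("weight", "1.0"))))
    return results


def flat_score(results: List[RuleResult]) -> Tuple[float, float]:
    """Return (score, maximum) under the simplified flat model described above."""
    scored = [r for r in results if r.result not in EXCLUDED]
    maximum = sum(r.weight for r in scored)
    score = sum(r.weight for r in scored if r.result in COMPLIANT)
    return score, maximum


def failing_rules(results: List[RuleResult]) -> List[str]:
    """Rule ids that need remediation, highest weight first."""
    return [r.rule_id for r in sorted(results, key=lambda r: -r.weight)
            if r.result == "fail"]


if __name__ == "__main__":
    rrs = parse_rule_results(SAMPLE_TESTRESULT)
    score, maximum = flat_score(rrs)
    print(f"score {score:.1f} / {maximum:.1f} ({100 * score / maximum:.0f}%)")
    print("failing:", failing_rules(rrs))
```

On the constructed document the two not-applicable/not-selected rules drop out of the maximum, so the host scores 10 of 20 rather than 10 of 22; that exclusion is why a scanner that marks rules "notchecked" because a probe failed can inflate a score, and why the error and unknown results are kept in the denominator here.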

(Figure: NIST SCAP components. Source: NIST SP 800-117)

Publications
• SP 800-117: FINAL Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1 (July 27, 2010)
• SP 800-126 Rev 2: DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP) (July 12, 2011)
• IR 7511: DRAFT Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (Feb 2009)
• SP 800-51 Rev 1: FINAL Guide to Using Vulnerability Naming Schemes (Feb 24, 2011)
• IR 7275 Rev 4: Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 (Sept 2011)

• Incorporated into the NIST SCAP Validation Program, which supports the United States Government Configuration Baseline (USGCB), an OMB-mandated security configuration for all Federal desktops
• Increasing interest in making it an international standard – ISO/IEC JTC 1, ITU-T SG17
• Other SDOs involved – IETF, DMTF

CloudTrust Protocol Pathways – Mapping the Elements of Transparency in Deployment

(Figure: matrix of Admin and Ops Specs, Transparency Requests and Extensions against Assertions, Evidence and Affirmations; sources CloudAudit.org, SCAP, Sign/sealing. Element numbers shown:)
• Session start: 1
• Session end: 2
• Configuration and vulnerabilities: 3, 4, 5, 6, 7
• Anchoring: 8, 9, 10 (geographic, platform, process)
• Violation: 11
• Audit: 12
• Access: 13
• Incident log: 14
• Config./control: 15
• Stats: 16
• Security capabilities and operations: 17
• Alerts: 18
• Users: 19
• Configuration definition: 20
• Anchors: 21
• Quotas: 22
• Alert conditions: 23
• Consumer/provider negotiated: 24

CloudTrust Protocol V2.0
• Syntax: Based on XML
• Traditional RESTful web service over HTTP

MISSION: Enhance the capability of the cloud community to prepare for and respond to vulnerabilities, threats, and incidents in order to preserve trust in cloud computing.

Community of organizations sharing threat identification, liaising with security organizations, providing incident response assistance and consultation, and collaborating on research, including education, training and awareness:
• Cloud service providers
• Telecommunications service providers
• Country CERT/CCs and ISACs

European Network and Information Security Agency (ENISA) – the EU’s response to the cyber security issues of the European Union, described as the ‘pace-setter’ for Information Security in Europe and a centre of expertise working for the EU Institutions and Member States.

• “Cloud computing: benefits, risks and recommendations for information technology” by ENISA uses a risk assessment approach to analyze the security issues raised by cloud services; incorporated into CSA CCSK training criteria.
• “Security and Resilience in Governmental Clouds” provides a decision-making model that can be used by governments considering cloud computing to determine which architectural solution best suits the security requirements of their organization.

ISO/IEC JTC 1 is Joint Technical Committee 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), with a mandate to develop, maintain, promote and facilitate IT standards required by global markets meeting business and user requirements concerning:
– the design and development of IT systems and tools
– the performance and quality of IT products and systems
– the security of IT systems and information
– the portability of application programs
– the interoperability of IT products and systems
– the unified tools and environments
– the harmonized IT vocabulary, and
– the user-friendly and ergonomically-designed user interfaces

Work is conducted by subcommittees (SCs) dealing with a particular field, and SCs may be comprised of several working groups (WGs).

(Figure: ISO/IEC JTC 1 Development Process)
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Joint Technical Committee 1/Subcommittee 27 (ISO/IEC JTC 1/SC 27) – Information Technology Security Techniques (2700x series of ISMS standards)

Study period on Cloud Computing Security and Privacy to investigate the requirements for cloud computing and a feasible program of standards work to meet those requirements, involving 3 WGs:
• WG 1 (Information Security Management) leading the coordination of this study period in conjunction with the following working groups:
• WG 4 – Security Control and Services
• WG 5 – Identity Management, Privacy Technology and Biometrics

Topics for consideration – information security management, risk management, application and network security, cybersecurity, business continuity, privacy and identity management, with contributions from CSA (CAIQ, CCM, Guidance, TCI Architecture), ITU-T, SC 38 and others.

ISO/IEC JTC 1/SC 27 – Nairobi, Kenya Resolutions (Oct 2011)

WG 1: ISO/IEC 27017 – Output from Cloud Security & Privacy (CSP) Joint WG 1/4/5 Study Period
– 2nd WD – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 (Project Co-Editors: Satoru Yamasaki, JP & Marlin Pohlman, US/CSA)

WG 4: ISO/IEC 27036-X – Information technology – Security techniques – Information security for supplier relationships…
– 2nd WD Part 1 – Overview and Concepts (Project Co-Editor: Becky Swain, US/CSA)
– 2nd WD Part 2 – Common Requirements (Project Co-Editor: Benoit Poletti, Luxembourg)
– 2nd WD Part 3 – Guidelines for ICT Supply Chain Security (Project Co-Editor: Nadya Bartol, US)
– Part 4 – Guidelines for Outsourcing (TBD)
– Part 5 – Cloud Computing (TBD)
– Part 6 – TBD
CSA NWIP Planned for WG 4 CSP Study Period

WG 5: NWIP – Output from CSP Joint WG 1/4/5 Study Period
– Information technology – Security techniques – Code of practice for data protection controls for public cloud computing services (Project Co-Editor: Chris Mitchell, UK)

(Figure: Control Matrix >> Guidance >> ISO/IEC 27017 & 27036-5)

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Joint Technical Committee 1/Subcommittee 38 (ISO/IEC JTC 1/SC 38) – Distributed Application Platform & Services (DAPS), comprised of 2 WGs focused on SOA and Web Services, and a study group on Cloud computing.

• Established a Cloud Computing Study Group (SGCC) in order to provide candidate standardization issues on Cloud Computing to JTC 1 and to develop NPs (New Work Item Proposals) on Cloud Computing to be studied in JTC 1.
• Working Group on Cloud (WG 3), 1st Delegation Meeting Feb 2012
– NWIP: Distributed Application Platforms and Services – Cloud Computing – Vocabulary
– NWIP: Distributed Application Platforms and Services – Cloud Computing – Reference Architecture

ITU Telecommunication Standardization Sector (ITU-T) – 1 of 3 sectors (divisions or units) of the International Telecommunication Union (ITU) that coordinates standards for telecommunications.

• Mission is to ensure the efficient and timely production of standards covering all fields of telecommunications on a worldwide basis, as well as defining tariff and accounting principles for international telecommunication services; as part of the ITU (a UN specialized agency), its standards carry formal international weight.
• In addition to the ITU-T Recommendations, which have non-mandatory status until they are adopted in national laws, ITU-T is also the custodian of a binding international treaty, the International Telecommunication Regulations (ITRs).
• The technical work of ITU-T, the development of Recommendations, is managed by Study Groups (SGs).

ITU-T Focus Group on Cloud Computing (FG Cloud) – Established further to ITU-T TSAG (parent group) agreement at its meeting in Geneva, 8-11 February 2010, followed by ITU-T study groups (SG17, SG13) and membership consultation.

• Contribute the telecommunication aspects in order to support services/applications of “cloud computing” making use of telecommunication networks.
• Collaborate with worldwide cloud computing communities (e.g., research institutes, forums, academia) including other SDOs and consortia.

Workgroups:
• WG1: Cloud computing benefits & requirements
• WG2: Gap Analysis and Roadmap on Cloud Computing Standards development in ITU-T

Focus Group Output from Seoul, Korea, 26-30 September 2011 (Cloud-O-0072), Marlin Pohlman (CSA) co-authored with Koji Nakao (Vice-Chair, ITU-T SG 17)

CSA Contributions: CAIQ, CCM, Guidance, TCI Architecture

ITU-T Study Group 17 (SG17) – Designated Lead Study Group for “Telecommunication Security”, which includes developing and maintaining security outreach material; coordination of security-related work; and identification of needs and assignment and prioritization of work to encourage timely development of telecommunication security Recommendations.

For Cloud Computing, SG17 has been working on cloud computing security since April 2010, and the following three work items were recognized and are currently in progress:
• Security guideline for cloud computing in telecommunication area (X.ccsec)
• Security requirements and framework of cloud based telecommunication service environment (X.srfcts), Marlin Pohlman (CSA) co-authored with Koji Nakao (Vice-Chair, ITU-T SG 17)
• Security functional requirements for Software as a Service (SaaS) application environment (X.sfcse)

ITU-T SG17 collaborates closely with ISO/IEC SC 27 and SC 38

SDO Liaison Collaboration

Supply Chain Risk Management (SCRM) for information and communication technology (ICT)

Comments/Contributions for ISO/IEC 27036-X:
• Information security for external suppliers: A common baseline (Dec 2010)
• Common baseline information security arrangements
• Standard of Good Practice on roadmap for CSA CCM mapping
CSA Representative: Jason Creasy, CSA GRC Stack Steering Committee, Standards WG

Comments/Contributions for ISO/IEC JTC 1/SC 27 CSP Joint WG 1/4/5 Study Period:
• Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
• IT Control Objectives for Cloud Computing
• Cloud Computing Management Audit/Assurance Program
• CSA CCM includes mapping to COBIT 5.0
CSA Representative: Ron Hale, CSA GRC Stack Steering Committee

References
