Vast Landscape of Cloud Standards Development Organizations (SDOs)

Mission Statement (Non-Profit)
- Promote a common level of understanding between cloud consumers and cloud providers regarding security requirements and attestation of assurance
- Promote an independent, agile research and development incubator for standards development efforts
- Address cloud security and assurance risks and guidance through collective expertise
- Awareness campaigns and educational programs
- Cloud computing use cases
- Cloud security solutions

Organization & Operations

Standards Workgroup
- Proposed title: International Standardization Council
- Formed at CSA Congress, Nov 2011 (Orlando)
- Aloysius Cheang, CSA Singapore, appointed as Head of the Standards Secretariat (Council Lead)
- Council Charter and appointment of Co-Chairs (in progress)
- Allows CSA members to actively engage in the SDO process (contributions, comments, etc.)

International Standardization Council: Global Membership
- Jason Creasy (ISF)
- Said Tabet (EMC)
- Andreas Fuchsberger (Microsoft)
- Bernd Jäger (Colt Telecom)
- Xavier Guerin (France Telecom Orange)
- Laura Kuiper (Cisco)
- Becky Swain (EKKO Consulting)
- Marlin Pohlman (EMC)
- Crispen Maung (Salesforce.com)
- Heather Ouellette (Salesforce.com)
- Cameron Smith (Zscaler)
- Laura Posey (Microsoft)
- Aloysius Cheang (CSA Secretariat)
Security Guidance for Critical Areas of Focus in Cloud Computing
The Guidance, Version 3.0 (Nov 2011):
- Seeks to establish a stable, secure baseline for cloud operations.
- Provides a practical, actionable road map for managers wanting to adopt the cloud paradigm safely and securely.
- 14 domains rewritten to emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment.
- /research/initiatives/security-guidance/
Prior releases:
- Version 1.2 (Dec 2009): incorporated into the CCSK learning criteria
- Version 1.0 (April 2009): CSA founding publication

Security Guidance for Critical Areas of Focus in Cloud Computing: the 14 Domains
Section I. Cloud Architecture
- Domain 1: Cloud Computing Architectural Framework
Section II. Governing in the Cloud
- Domain 2: Governance and Enterprise Risk Management
- Domain 3: Legal Issues: Contracts and Electronic Discovery
- Domain 4: Compliance and Audit Management
- Domain 5: Information Management and Data Security
- Domain 6: Interoperability and Portability
Section III. Operating in the Cloud
- Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
- Domain 8: Data Center Operations
- Domain 9: Incident Response
- Domain 10: Application Security
- Domain 11: Encryption and Key Management
- Domain 12: Identity, Entitlement, and Access Management
- Domain 13: Virtualization
- Domain 14: Security as a Service
The CSA GRC Stack
- A suite of four integrated and reinforcing CSA initiatives (the "stack packages")
- The stack packs: Cloud Controls Matrix, Consensus Assessments Initiative, CloudAudit, CloudTrust Protocol
- Designed to support cloud consumers and cloud providers
- Prepared to capture value from the cloud as well as support compliance and control within the cloud

The CSA GRC Stack (start from the bottom, then work your way up)

| Stack Pack | Delivering | Description |
|---|---|---|
| CloudTrust Protocol | Continuous monitoring with a purpose | Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers |
| CloudAudit | Claims, offers, and the basis for auditing service delivery | Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments |
| Consensus Assessments Initiative | Pre-audit checklists and questionnaires to inventory controls | Industry-accepted ways to document what security controls exist |
| Cloud Controls Matrix | The recommended foundations for controls | Fundamental security principles for specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider |

The GRC Stack: Solving the Value Equation in the Cloud
- Security requirements and capabilities
- Security transparency and visibility
- Compliance and trust
- Delivering evidence-based confidence with compliance-supporting data and artifacts

CSA GRC Value Equation: Contributions for Consumers and Providers
Static claims and assurances:
- What control requirements should I have as a cloud consumer or cloud provider?
- How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
- How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
Dynamic (continuous) monitoring and transparency:
- How do I know that the controls I need are working for me now (consumer)?
- How do I provide actual security and transparency of service to all of my cloud users (provider)?
Individually useful, collectively powerful: a productive way to reclaim end-to-end information risk management capability.
Security, Trust, and Assurance Registry (CSA STAR)
- Public registry of cloud provider self-assessments
- Leverages GRC Stack projects: the Consensus Assessments Initiative Questionnaire (a provider may substitute documented Cloud Controls Matrix compliance)
- Voluntary industry action promoting transparency
- Free-market competition to provide quality assessments
- Available October 2011

Security, Trust, and Assurance Registry (CSA STAR)
- Exposes control claims; providers compete to improve GRC capabilities (GRC Stack)
- Encourages transparency of security practices within cloud providers
- Documents the security controls provided by various cloud computing offerings
- Free and open to all cloud providers
- Option to use data/report based on the CCM or the CAIQ
Trusted Cloud Initiative (TCI)
- CSA certification criteria and seal program for cloud providers
- Initial focus on secure and interoperable identity in the cloud, and its alignment with data encryption
- Assemble with existing standards
- Reference models and proof of concept
- Outline responsibilities for Identity Providers, Enterprises, Cloud Providers, and Consumers
- /trustedcloud.html

TCI Mission
To create a Trusted Cloud reference architecture for cloud use cases that leverage cloud delivery models (SaaS, PaaS, IaaS) in the context of operational models (Public, Private, Hybrid) to deliver a secure and trusted cloud service.

Holistic approach around controls and architecture best practices: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrixccm/

Reference model structure
NIST
National Institute of Standards and Technology (NIST)
- Promotes the effective and secure use of the technology within the U.S. Federal Government and is therefore leading a number of efforts to develop cloud standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders.
- Standards Acceleration to Jumpstart the adoption of Cloud Computing (SAJACC)
- Strategy to build a US Government (USG) Cloud Computing Technology Roadmap
Publications:
- SP : DRAFT Guidelines on Security and Privacy in Public Cloud Computing (Jan 28, 2011)
- SP : A NIST Definition of Cloud Computing (Sept 2011)
- SP : DRAFT Cloud Computing Synopsis and Recommendations (May 12, 2011)
- SP : NIST Cloud Computing Standards Roadmap (August 10, 2011)
- SP : NIST Cloud Computing Reference Architecture (September 08, 2011)

NIST Collaboration

NIST SAJACC Process

NIST Use Case

NIST Definition of Cloud
The NIST definition of cloud computing (SP ):
- 5 essential characteristics
- 3 service models
- 4 deployment models
Already widely adopted by the cloud computing industry, including ISO/IEC JTC 1/SC 38, and recognized in the CSA Guidance.

NIST FedRAMP
"Proposed Security Assessment & Authorization for U.S. Government Cloud Computing" DRAFT (FedRAMP)
- Based on NIST SP R1 and SP as a proposed Assessment and Authorization (A&A) for U.S. Government Cloud Computing
- Chapter 1: Cloud Computing Security Requirement Baseline (SP )
- Chapter 2: Continuous Monitoring
- Chapter 3: Potential Assessment & Authorization Approach (SP R1)
- CSA provided feedback on the FedRAMP DRAFT
- CSA CCM v1.2 incorporates a mapping of SP R3 and the FedRAMP DRAFT
- CSA CCM v1.3 is to include a mapping of SP R4 and FedRAMP FINAL
NIST SCAP (pronounced "S-Cap") & XCCDF
The Security Content Automation Protocol (SCAP)
- Suite of specifications that standardize the format/nomenclature by which software flaw and security configuration information is communicated, both to machines and humans
- Multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement
- Promotes interoperability of security products and fosters the use of standard expressions of security content
- Mandated by FedRAMP Continuous Monitoring
5 specification categories:
- Languages: standard vocabularies/conventions for expressing security policy, technical check mechanisms, and assessment results. Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL), and Open Checklist Interactive Language (OCIL)
- Reporting formats: provide the constructs needed to express collected information in standardized formats. Asset Reporting Format (ARF) and Asset Identification
- Enumerations: define a standard nomenclature and an official dictionary expressed using that nomenclature. Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), and Common Vulnerabilities and Exposures (CVE)
- Measurement and scoring systems: evaluate specific characteristics of a security weakness (i.e., software vulnerabilities and security configuration issues) and, based on those characteristics, generate a score that reflects its relative severity. Common Vulnerability Scoring System (CVSS), Common Configuration Scoring System (CCSS)
- Integrity: preserve the integrity of SCAP content and results. Trust Model for Security Automation Data (TMSAD)

NIST SCAP (pronounced "S-Cap") & XCCDF
The Extensible Configuration Checklist Description Format (XCCDF)
- Specification language for writing security checklists, benchmarks, and related kinds of documents
- An XCCDF document represents a structured collection of security configuration rules for some set of target systems
- Designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring
- Defines a data model and format for storing the results of benchmark compliance testing
- The intent is to provide a uniform foundation for the expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.
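To make the "results data model" and "compliance scoring" bullets concrete, here is an added example (not from the slides or from NIST) that parses a small, constructed XCCDF 1.2 TestResult and computes its score under the flat form of XCCDF's default scoring model. Assumptions: no Group nesting, the constructed rule identifiers and target name, and the standard XCCDF 1.2 namespace.

```python
"""Added example: score a constructed XCCDF TestResult with the default
scoring model (weighted mean of rule scores; pass/fixed = 100, fail/error/
unknown = 0; notapplicable/notchecked/notselected/informational excluded).
Flat model only: Group nesting is not handled."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample for a hypothetical SSH hardening benchmark.
SAMPLE_TEST_RESULT = f"""
<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_ssh-sample"
            start-time="2012-01-01T00:00:00" end-time="2012-01-01T00:05:00">
  <target>host-constructed.example</target>
  <rule-result idref="xccdf_example_rule_ssh-protocol-2" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ssh-no-root-login" weight="2.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ssh-idle-timeout" weight="1.0">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ssh-banner" weight="1.0">
    <result>notchecked</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ssh-log-level">
    <result>pass</result>
  </rule-result>
</TestResult>
"""

# Rule results that count toward the score, and the score they contribute.
SCORED = {"pass": 100.0, "fixed": 100.0, "fail": 0.0, "error": 0.0, "unknown": 0.0}
# Rule results the default model leaves out of the weighted mean entirely.
EXCLUDED = {"notapplicable", "notchecked", "notselected", "informational"}


def parse_rule_results(xml_text):
    """Return [(idref, weight, result)] from a TestResult; weight defaults to 1.0."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}TestResult":
        raise ValueError("expected an XCCDF TestResult root element")
    results = []
    for rr in root.findall("x:rule-result", NS):
        res = rr.find("x:result", NS)
        if res is None or not res.text:
            raise ValueError(f"rule-result {rr.get('idref')} has no <result>")
        results.append((rr.get("idref"), float(rr.get("weight", "1.0")), res.text.strip()))
    return results


def default_score(rule_results):
    """Weighted mean of scored rules, 0..100; excluded results do not count."""
    numerator = denominator = 0.0
    for _, weight, result in rule_results:
        if result in EXCLUDED:
            continue
        if result not in SCORED:
            raise ValueError(f"unknown XCCDF result value: {result}")
        numerator += weight * SCORED[result]
        denominator += weight
    return round(numerator / denominator, 2) if denominator else 0.0


def summarize(xml_text):
    """Score plus the per-result counts and failing rule ids a reviewer wants."""
    rrs = parse_rule_results(xml_text)
    counts = {}
    for _, _, result in rrs:
        counts[result] = counts.get(result, 0) + 1
    failing = [idref for idref, _, result in rrs if result in ("fail", "error")]
    return {"score": default_score(rrs), "counts": counts,
            "failing": failing, "total": len(rrs)}


if __name__ == "__main__":
    print(summarize(SAMPLE_TEST_RESULT))
```

Note that the weight="2.0" fail pulls the score down to 50.0 even though only one of the three scored rules failed, which is exactly the effect weights are meant to have.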
NIST SCAP (pronounced "S-Cap") & XCCDF
Publications:
- SP : FINAL Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1 (July 27, 2010)
- SP Rev 2: DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP) (July 12, 2011)
- IR 7511: DRAFT Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (Feb 2009)
- SP Rev 1: FINAL Guide to Using Vulnerability Naming Schemes (Feb 24, 2011)
- IR 7275 Rev 4: Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 (Sept 2011)
Incorporated into the NIST SCAP Validation Program, which supports the United States Government Configuration Baseline (USGCB), an OMB-mandated security configuration for all Federal desktops.
Increasing interest in making it an international standard: ISO/IEC JTC 1, ITU-T SG17. Other SDOs involved: IETF, DMTF.

CloudTrust Protocol V2.0
- Syntax based on XML
- Traditional RESTful web service over HTTP
- Legend: new in V2.0: SCAP/XCCDF query and response structure
CSA CloudSIRT
MISSION: Enhance the capability of the cloud community to prepare for and respond to vulnerabilities, threats, and incidents in order to preserve trust in cloud computing.
Community of organizations sharing threat identification, liaising with security organizations, providing incident response assistance and consultation, and collaborating on research, including education, training and awareness:
- Cloud service providers
- Telecommunications service providers
- Country CERT/CCs and ISACs

ENISA
European Network and Information Security Agency (ENISA)
- The EU's response to the cyber security issues of the European Union, described as the "pace-setter" for Information Security in Europe and a centre of expertise working for the EU Institutions and Member States.
- Cloud computing: benefits, risks and recommendations for information technology, by ENISA, uses a risk assessment approach to analyze the security issues raised by cloud services and is incorporated into the CSA CCSK training criteria.
- Security and Resilience in Governmental Clouds provides a decision-making model that governments considering cloud computing can use to determine which architectural solution best suits the security requirements of their organization.

ISO/IEC JTC 1
ISO/IEC JTC 1 is Joint Technical Committee 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), with a mandate to develop, maintain, promote and facilitate IT standards required by global markets meeting business and user requirements concerning:
- the design and development of IT systems and tools
- the performance and quality of IT products and systems
- the security of IT systems and information
- the portability of application programs
- the interoperability of IT products and systems
- unified tools and environments
- a harmonized IT vocabulary, and
- user-friendly and ergonomically designed user interfaces
Work is conducted by subcommittees (SCs) dealing with a particular field, and SCs may be comprised of several working groups (WGs).
ISO/IEC JTC 1 Development Process

ISO/IEC JTC 1/SC 27
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Joint Technical Committee 1/Subcommittee 27 (ISO/IEC JTC 1/SC 27): Information Technology Security Techniques (the 2700x series of ISMS standards).
Study period on Cloud Computing Security and Privacy, to investigate the requirements for cloud computing and a feasible program of standards work to meet those requirements, involving 3 WGs:
- WG 1 (Information Security Management) leads the coordinating efforts on this study period in conjunction with the following working groups:
- WG 4: Security Control and Services
- WG 5: Identity Management, Privacy Technology and Biometrics
Topics for consideration: information security management, risk management, application and network security, cybersecurity, business continuity, privacy and identity management, with contributions from CSA (CAIQ, CCM, Guidance, TCI Architecture), ITU-T, SC 38 and others.
ISO/IEC JTC 1/SC 27 Nairobi, Kenya Resolutions (Oct 2011)
WG 1: ISO/IEC output from the Cloud Security & Privacy (CSP) Joint WG 1/4/5 Study Period
- 2nd WD: Guidelines on information security controls for the use of cloud computing services based on ISO/IEC (Project Co-Editors: Satoru Yamasaki, JP & Marlin Pohlman, US/CSA)
WG 4: ISO/IEC X Information technology, Security techniques, Information security for supplier relationships
- 2nd WD Part 1: Overview and Concepts (Project Co-Editor: Becky Swain, US/CSA)
- 2nd WD Part 2: Common Requirements (Project Co-Editor: Benoit Poletti, Luxembourg)
- 2nd WD Part 3: Guidelines for ICT Supply Chain Security (Project Co-Editor: Nadya Bartol, US)
- Part 4: Guidelines for Outsourcing (TBD)
- Part 5: Cloud Computing (TBD)
- Part 6: TBD
- CSA NWIP planned for the WG 4 CSP Study Period
WG 5: NWIP output from the CSP Joint WG 1/4/5 Study Period
- Information technology, Security techniques, Code of practice for data protection controls for public cloud computing services (Project Co-Editor: Chris Mitchell, UK)

Control Matrix >> Guidance >> ISO/IEC &

ISO/IEC JTC 1/SC 38
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Joint Technical Committee 1/Subcommittee 38 (ISO/IEC JTC 1/SC 38): Distributed Application Platform & Services (DAPS), comprised of 2 WGs focused on SOA and Web Services, and a study group on cloud computing.
- Established a Cloud Computing Study Group (SGCC) in order to provide candidate standardization issues on cloud computing to JTC 1 and to develop NPs (New Work Item Proposals) on cloud computing to be studied in JTC 1.
- Working Group on Cloud (WG 3), 1st Delegation Meeting Feb 2012
- NWIP: Distributed Application Platforms and Services, Cloud Computing Vocabulary
- NWIP: Distributed Application Platforms and Services, Cloud Computing Reference Architecture
ITU-T
ITU Telecommunication Standardization Sector (ITU-T)
- 1 of 3 sectors (divisions or units) of the International Telecommunication Union (ITU) that coordinates standards for telecommunications.
- Its mission is to ensure the efficient and timely production of standards covering all fields of telecommunications on a worldwide basis, as well as defining tariff and accounting principles for international telecommunication services; as part of the ITU (a UN specialized agency), its standards carry formal international weight.
- In addition to the ITU-T Recommendations, which have non-mandatory status until they are adopted in national laws, ITU-T is also the custodian of a binding international treaty, the International Telecommunication Regulations (ITRs).
- The technical work of ITU-T, the development of Recommendations, is managed by Study Groups (SGs).

ITU-T FG Cloud
ITU-T Focus Group on Cloud Computing (FG Cloud)
- Established further to the ITU-T TSAG (parent group) agreement at its meeting in Geneva, 8-11 February 2010, followed by ITU-T study group (SG17, SG13) and membership consultation.
- Contributes the telecommunication aspects in order to support services/applications of cloud computing that make use of telecommunication networks.
- Collaborates with worldwide cloud computing communities (e.g., research institutes, forums, academia) including other SDOs and consortia.
Workgroups:
- WG1: Cloud computing benefits & requirements
- WG2: Gap Analysis and Roadmap on Cloud Computing Standards development in ITU-T
Focus Group output from Seoul, Korea, September 2011 (Cloud-O-0072): Marlin Pohlman (CSA) co-authored with Koji Nakao (Vice-Chair, ITU-T SG 17).
CSA contributions: CAIQ, CCM, Guidance, TCI Architecture.

ITU-T SG17
ITU-T Study Group 17 (SG17)
- Designated Lead Study Group for "Telecommunication Security", which includes developing and maintaining security outreach material; coordination of security-related work; and identification of needs and assignment and prioritization of work to encourage timely development of telecommunication security Recommendations.
- For cloud computing, SG17 has been working on cloud computing security since April 2010, and the following three work items were recognized and are currently in progress:
- Security guideline for cloud computing in telecommunication area (X.ccsec)
- Security requirements and framework of cloud based telecommunication service environment (X.srfcts), Marlin Pohlman (CSA) co-authored with Koji Nakao (Vice-Chair, ITU-T SG 17)
- Security functional requirements for Software as a Service (SaaS) application environment (X.sfcse)
- ITU-T SG17 collaborates closely with ISO/IEC SC 27 and SC 38.
SDO Liaison Collaboration: International

SDO Liaison Collaboration: Supply Chain Risk Management (SCRM) for information and communication technology (ICT)
ISF
Comments/contributions for ISO/IEC X: Information security for external suppliers: A common baseline (Dec 2010)
- Common baseline information security arrangements
- Standard of Good Practice on the roadmap for CSA CCM mapping
- CSA Representative: Jason Creasy, CSA GRC Stack Steering Committee, Standards WG

ISACA
Comments/contributions for the ISO/IEC JTC 1/SC 27 CSP Joint WG 1/4/5 Study Period:
- Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives
- IT Control Objectives for Cloud Computing
- Cloud Computing Management Audit/Assurance Program
- CSA CCM includes a mapping to COBIT 5.0
- CSA Representative: Ron Hale, CSA GRC Stack Steering Committee