Cloud Audit and Cloud Trust Protocol. By David Lingenfelter 2011

Background
> MaaS360 SaaS Cloud Model
> Mobile Device Management
> FISMA Moderate Certified
> SAS-70/SOC-2

Cloud Adoption Obstacles
Planning often neglects:
> Information Risk Management transition & transformation
> Traditional enterprise strategy
> Business function (workload) adaptation to cloud delivery
> Technical architecture: network connections, application standards, interoperability
> Buying time for current compliance programs
> Concept of Operations
Neglected but necessary:
> IT and IT risk governance: traditional sourcing? Cloud? Private? Community? Public? Hybrid? Traditional + cloud? How measured?
> Security policy: uniform across all delivery methods? Cloud adjusted? Private? Community? Public? Hybrid?
> Risk/compliance management standards/benchmarks: cloud adjusted? Private? Community? Public? Hybrid?

The Value Equation in the Cloud
Security Service + Transparency Service = Compliance & Trust
VALUE captured: delivering evidence-based confidence with compliance-supporting data & artifacts, using the best virtualization and cloud technologies, within quality processes, operated by trained and certified staff and partners.

The Roots of the Value Equation in the Cloud
> Impact: standards, portability, transparency
> The rebound effect between security & interoperability
> Information risk management transition & transformation planning
> Policy, governance, compliance & risk management thresholds
> Business model
> Downstream application of reclaimed transparency

The GRC Stack: Solving the Value Equation in the Cloud
> Security requirements and capabilities
> Security transparency and visibility
> Compliance and trust
Delivering evidence-based confidence with compliance-supporting data & artifacts.

The CSA GRC Stack
> A suite of four integrated and reinforcing CSA initiatives (the "stack packages")
The Stack Packs:
> Cloud Controls Matrix
> Consensus Assessments Initiative
> CloudAudit
> CloudTrust Protocol
> Designed to support cloud consumers and cloud providers
> Prepared to capture value from the cloud as well as support compliance and control within the cloud

A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
Stack Pack: CloudTrust Protocol
  Delivering: Continuous monitoring with a purpose
  Description: Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
Stack Pack: CloudAudit
  Delivering: Claims, offers, and the basis for auditing service delivery
  Description: Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
Stack Pack: Consensus Assessments Initiative
  Delivering: Pre-audit checklists and questionnaires to inventory controls
  Description: Industry-accepted ways to document what security controls exist
Stack Pack: Cloud Controls Matrix
  Delivering: The recommended foundations for controls
  Description: Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider

CSA GRC Value Equation: Contributions for Consumers and Providers
> What control requirements should I have as a cloud consumer or cloud provider?
> How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
> How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
> How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?
The stack moves from static claims & assurances to dynamic (continuous) monitoring and transparency.
Individually useful, collectively powerful: a productive way to reclaim end-to-end information risk management capability.

Complementing the NIST Cloud Model: Transparency (Source: NIST SP500-291-v1.0, p. 42, Figure 12)

What is the CCM?
> First-ever baseline control framework specifically designed for managing risk in the cloud supply chain:
  > Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
  > Providing an anchor point and common language for balanced measurement of security and compliance postures.
  > Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.
> Serves as the basis for new industry standards and certifications.

Cloud Supply Chain Information Security Risks
> You can outsource business capability or function, but you cannot outsource accountability for information security: do your due diligence to identify and address control gaps (shared control) and control dependencies across:
  > Information Security (Access Controls, Vulnerability & Patch Management)
  > Security Architecture
  > Data Governance (Lifecycle Management)
  > Release Management (Change Control)
  > Facility Security
  > Corporate Governance
  > Incident Response
  > Resiliency (BCM & DR)
  > Risk & Compliance Management

Sample Questions to Vendors
Compliance - Independent Audits (CO-02)
> CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
> CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
> CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
> CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
> CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
> CO-02f - Are the results of the network penetration tests available to tenants at their request?
> CO-02g - Are the results of internal and external audits available to tenants at their request?
Data Governance - Classification (DG-02)
> DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
> DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag, etc.)?
> DG-02c - Do you have a capability to use system geographic location as an authentication factor?
> DG-02d - Can you provide the physical location/geography of storage of a tenant's data upon request?
> DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?

CloudAudit Objectives
> Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
> Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology

What CloudAudit Does
> Provide a structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools:
  > Define a namespace that can support diverse frameworks
  > Express compliance frameworks in that namespace
  > Define the mechanisms for requesting and responding to queries relating to specific controls
  > Integrate with portals and AAA systems

How CloudAudit Works
> Utilize security automation capabilities with existing tools/protocols/frameworks via a standard, open and extensible set of interfaces
> Keep it simple, lightweight and easy to implement; offer primitive definitions & language structure using HTTP(S) first, at a very basic level
> Allow for extension and elaboration by providers, and choice of trusted assertion validation sources, checklist definitions, etc.

Context for CloudAudit
> CloudAudit is not designed to validate or attest compliance
> It automates collection and presentation of data supporting queries, using a common set of namespaces aligned with the CSA Cloud Controls Matrix
> Artifacts are accessible by a human operating a web browser or by a tool capable of utilizing CloudAudit over HTTP(S)
> The consumers of this information are internal & external auditors, compliance teams, risk managers, security teams, etc., and in the longer term, brokers

What Was Delivered
> The first release of CloudAudit provides the scoped capability for providers to store evidentiary data in well-defined namespaces aligned to the 5 CSA Control Matrix mappings (PCI, HIPAA, NIST 800-53, ISO 27002, COBIT)
> The data in these namespaces is arbitrary and can be named and file-typed as such, so we need a way of dealing with what can be one to hundreds of supporting files, the contents of some of which are actually URIs to other locations

What's On The Roadmap
> Extend ATOM in manifest.xml to provide for timestamps, signatures and version control [need XML/ATOM expertise]
> Version control and change notification in conjunction with
> Architecture for registry services [cloudaudit.net] and extensions of such (public and/or private)
> Implementation architecture for atomic queries (e.g. "PCI Compliant" or "SAS-70 Certified")
> Expand on specific CloudAudit use cases:
  > CloudAudit for Federal Government
  > CloudAudit for Cloud Providers
  > CloudAudit for Auditors/Assessors
  > CloudAudit as Evidence for Proper Financial Due Diligence
> Intensify and clarify the connection between CloudAudit and the CTP
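The three CloudAudit slides above (the namespace per framework and control, the arbitrary local files or URIs stored under it, and the roadmap item of adding timestamps and integrity data to the Atom manifest.xml) can be made concrete with a small model. The code below is an added illustration written for this page; it is not CloudAudit's reference implementation or any provider's code. The directory names for the five CCM mappings, the `urn:example:cloudaudit-ext` extension namespace carrying a SHA-256 digest, and the sample artifacts are all assumptions constructed for the example. The consumer-side check recomputes digests for local artifacts and reports remote URIs separately, since their content cannot be verified from the manifest alone.

```python
"""Model of a CloudAudit-style evidence namespace with an integrity-checked
Atom manifest. Added example; layout, namespace strings and sample data are
assumptions, not CloudAudit's official definitions."""
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

ATOM_NS = "http://www.w3.org/2005/Atom"
EXT_NS = "urn:example:cloudaudit-ext"  # hypothetical extension namespace
ET.register_namespace("atom", ATOM_NS)
ET.register_namespace("ca", EXT_NS)

# The five CCM mappings named on the slide; directory names are our assumption.
FRAMEWORKS = {"pci", "hipaa", "nist800-53", "iso27002", "cobit"}


def control_dir(root, framework, control_id):
    """Namespace directory for one control: <root>/<framework>/<control id>."""
    if framework not in FRAMEWORKS:
        raise ValueError(f"unknown framework: {framework}")
    if "/" in control_id or control_id in ("", ".", ".."):
        raise ValueError("control id must be a single path component")
    return Path(root) / framework / control_id


def publish_evidence(root, framework, control_id, artifacts, now=None):
    """Provider side: write local artifacts and an Atom manifest.xml.

    artifacts maps a name to bytes (stored in the namespace) or to a str
    (a URI to evidence held elsewhere). Local entries get a SHA-256 digest
    and every entry gets an 'updated' timestamp, the roadmap's two additions.
    """
    now = now or datetime.now(timezone.utc)
    d = control_dir(root, framework, control_id)
    d.mkdir(parents=True, exist_ok=True)
    feed = ET.Element(f"{{{ATOM_NS}}}feed")
    ET.SubElement(feed, f"{{{ATOM_NS}}}title").text = f"{framework}/{control_id}"
    ET.SubElement(feed, f"{{{ATOM_NS}}}updated").text = now.isoformat()
    for name, content in artifacts.items():
        entry = ET.SubElement(feed, f"{{{ATOM_NS}}}entry")
        ET.SubElement(entry, f"{{{ATOM_NS}}}title").text = name
        ET.SubElement(entry, f"{{{ATOM_NS}}}updated").text = now.isoformat()
        link = ET.SubElement(entry, f"{{{ATOM_NS}}}link")
        if isinstance(content, bytes):
            (d / name).write_bytes(content)
            link.set("href", name)  # relative: lives inside the namespace
            ET.SubElement(entry, f"{{{EXT_NS}}}sha256").text = (
                hashlib.sha256(content).hexdigest())
        else:
            link.set("href", content)  # remote URI: no local digest possible
    path = d / "manifest.xml"
    ET.ElementTree(feed).write(path, xml_declaration=True, encoding="utf-8")
    return path


def verify_manifest(manifest):
    """Consumer side: recompute digests of local artifacts listed in the
    manifest; collect remote URIs separately because they are unverifiable here."""
    ns = {"a": ATOM_NS, "ca": EXT_NS}
    feed = ET.parse(manifest).getroot()
    result = {"ok": [], "mismatch": [], "missing": [], "remote": []}
    for entry in feed.findall("a:entry", ns):
        name = entry.findtext("a:title", namespaces=ns)
        href = entry.find("a:link", ns).get("href")
        digest = entry.findtext("ca:sha256", namespaces=ns)
        if "://" in href:
            result["remote"].append(href)
            continue
        local = Path(manifest).parent / href
        if not local.is_file():
            result["missing"].append(name)
        elif hashlib.sha256(local.read_bytes()).hexdigest() == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def demo():
    """Publish constructed evidence for control CO-02 under the PCI mapping,
    verify it, alter one artifact after publication, verify again."""
    root = Path(tempfile.mkdtemp(prefix="cloudaudit-"))
    artifacts = {  # constructed sample artifacts
        "soc2-report.pdf": b"constructed sample: SOC 2 report bytes",
        "pentest-summary.txt": b"constructed sample: network pentest summary",
        "external-attestation": "https://example.invalid/attest/CO-02",
    }
    manifest = publish_evidence(root, "pci", "CO-02", artifacts)
    clean = verify_manifest(manifest)
    (manifest.parent / "soc2-report.pdf").write_bytes(b"altered after publication")
    tampered = verify_manifest(manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is served as an ordinary file over HTTP(S), which matches the "simple, lightweight" interface the slides describe; the digest column is what turns a listing of files into evidence a consumer can check, and the separate `remote` bucket makes the one-to-hundreds-of-URIs case visible rather than silently trusted.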

Metrics: CloudAudit Use Case for Auditors, Assessors and Cloud Providers

Why a CloudTrust Protocol? Information Assurance is Cloud-Complicated
Clouds are cloudy. As visibility is lost (diagram labels: Requirements, Services, Amazon, Google, Microsoft):
> Where is the data?
> Who can see the data?
> Who has seen the data?
> Is data untampered?
> Where is processing performed?
> How is processing configured?
> Does backup happen? How? Where?
Security, compliance, and value are lost as well.

Cloud Processing: Three Big Obstacles to Value Capture
> Lack of standards
> Lack of portability
> Lack of transparency
Compliance regimes shown: PCI DSS, HIPAA, ITAR, ISO27001, HMG Infosec Standard 2, U.K. Manual of Protective Security, HITECH in ARRA 2009, DIACAP, GLBA, NIST 800-53 and FISMA and FedRAMP, FRCP, SAS70, SSAE16
Compliance issues: controls, compliance, sustained payoff, reliability, liability, confidentiality, privacy

Absent Transparency: Some Big Problems
For example, without transparency:
> No confirmed chain of custody for information
> No way to conduct investigative forensics
> Little confidence in the ability to detect attempts or occurrences of illegal disclosure
> Little capability to discover or enforce configurations
> No ability to monitor operational access or service management actions (e.g., change management, patch management, vulnerability management, ...)

Transparency Restores Information Assurance
Working with a "glass cloud" delivers the elastic benefits of the cloud. As visibility is gained (diagram labels: Requirements, Services, Amazon, Google, Microsoft):
> Configurations are known and verified
> Data exposure and use is collected and reported
> Access permissions are discovered and validated
> Processing and data locations are exposed
> Compliance evidence can be gathered and analyzed
> Processing risks and readiness become known
Security, compliance, and value are captured as well.

Thoughtful progression, inevitable conclusion
> Reclaim transparency
> Continuous monitoring (with a purpose)
> Simple, dynamic information request and response
> CloudTrust Protocol

CloudTrust Protocol (CTP) to deliver Transparency-as-a-Service (TaaS)

Elements of Transparency in the CTP v2.0
> 6 Types: Initiation, Policy Introduction, Provider assertions, Provider notifications, Evidence requests, Client extensions
> Families: Configuration, Vulnerabilities, Anchoring, Audit log, Service Management, Service Statistics
> Elements: Geographic, Platform, Process
> Only 23 in total in the entire protocol!

CloudTrust Protocol (CTP) Sample

CloudTrust Protocol V2.0
Legend: New in V2.0
> SCAP / XCCDF query & response structure

Elastic Characteristics of the CTP

CTP Implementation Architecture
Configuration item relationships (legend: cloud consumer or service broker; cloud provider):
> Cloud consumer or service broker: TaaS (CTP) U/I and service director, providing identification, authorization, accounting, flow control, CTMB interface, response and reporting
> CloudTrust Management Base (CTMB): storage of user authorizations and credentials, request status, result histories, specifications, and commentary; management of the CTMB
> CTP request & response stack (automated or manual): CTP request/response translation, packaging, and brokering
> CTP request queuing and execution in a conforming cloud
> Cloud provider: a CTP Response Engine (RE) in a cloud that acknowledges CTP (CTP conforming); shown for Savvis, Google, Amazon, CSC, Microsoft, Salesforce, IBM and others

Transparency-as-a-Service (TaaS)
Turn on the lights you need when you need them. Authorized TaaS users ask:
> What does my cloud computing configuration look like right now?
> Where are my data and processing being performed?
> Who has access to my data now?
> Who has had access to my data?
> What audit events have occurred in my cloud configuration?
> What vulnerabilities exist in my cloud configuration?
> ...
The CloudTrust Protocol (CTP) Elements of Transparency (1 to 23) are requested through the CTUI host (cloud) delivering TaaS, with CTP running to Amazon, Microsoft, Google, Salesforce and others.
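The CTP slides above describe an exchange rather than a wire format: an authorized TaaS user asks a question about one element of transparency (a type, a family and an element), the consumer-side service director checks the CTMB for authorization, a provider-side Response Engine answers, and the result history lands back in the CTMB. The following code is an added toy model of that exchange, written for this page; it is not the CTP v2.0 specification, the CSA's code, or any provider's Response Engine. The dictionary message shape, the HMAC signing with a key shared between consumer and provider (a real deployment would use the provider's own signature), the in-memory CTMB, and all tenant data are constructed assumptions. It shows the three outcomes a practitioner cares about: an answered request, a request denied because the user is not authorized for that tenant, and a response rejected because its body was altered after signing.

```python
"""Toy model of a CloudTrust Protocol style request/response exchange with a
CTMB authorization check and signed provider responses. Added example; the
message format, signing scheme and sample data are assumptions."""
import hashlib
import hmac
import json

# The six types and six families named on the "Elements of Transparency" slide.
TYPES = {"initiation", "policy introduction", "provider assertions",
         "provider notifications", "evidence requests", "client extensions"}
FAMILIES = {"configuration", "vulnerabilities", "anchoring", "audit log",
            "service management", "service statistics"}


def canonical(obj):
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class CTMB:
    """CloudTrust Management Base: user authorizations plus result history,
    two of the contents the architecture slide assigns to the CTMB."""
    def __init__(self):
        self.authorizations = {}  # user -> set of tenant ids
        self.history = []         # (user, tenant, family, element, outcome)

    def grant(self, user, tenant):
        self.authorizations.setdefault(user, set()).add(tenant)

    def may_query(self, user, tenant):
        return tenant in self.authorizations.get(user, set())

    def record(self, user, tenant, family, element, outcome):
        self.history.append((user, tenant, family, element, outcome))


class ResponseEngine:
    """Provider-side Response Engine over a constructed inventory.
    Responses are HMAC-SHA256 signed with a key shared with the consumer
    (assumption made for the example)."""
    def __init__(self, key, inventory):
        self.key = key
        self.inventory = inventory  # tenant -> family -> element -> value

    def handle(self, request):
        value = (self.inventory.get(request["tenant"], {})
                 .get(request["family"], {})
                 .get(request["element"]))
        body = {"request": request, "found": value is not None, "value": value}
        sig = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "signature": sig}


class ServiceDirector:
    """Consumer-side TaaS service director: validates the request, consults
    the CTMB, forwards to the provider, verifies the signature, records."""
    def __init__(self, ctmb, engine, provider_key):
        self.ctmb, self.engine, self.provider_key = ctmb, engine, provider_key

    def request(self, user, tenant, rtype, family, element):
        if rtype not in TYPES or family not in FAMILIES:
            raise ValueError("not a CTP type/family named in the protocol")
        if not self.ctmb.may_query(user, tenant):
            self.ctmb.record(user, tenant, family, element, "denied")
            return {"outcome": "denied"}
        req = {"type": rtype, "tenant": tenant, "family": family, "element": element}
        resp = self.engine.handle(req)
        expected = hmac.new(self.provider_key, canonical(resp["body"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["signature"]):
            self.ctmb.record(user, tenant, family, element, "unverified")
            return {"outcome": "unverified"}
        outcome = "ok" if resp["body"]["found"] else "unknown-element"
        self.ctmb.record(user, tenant, family, element, outcome)
        return {"outcome": outcome, "value": resp["body"]["value"]}


def demo():
    """Run the three exchanges: answered, denied, and tampered in transit."""
    key = b"constructed-shared-key"
    inventory = {  # constructed answers to the "where are my data" question
        "tenant-a": {
            "anchoring": {"geographic": {"data": "eu-west-1", "processing": "eu-west-1"}},
            "audit log": {"events": [{"ts": "2011-11-01T10:00:00Z", "action": "patch"}]},
            "vulnerabilities": {"open": ["constructed-finding-1"]},
        },
        "tenant-b": {
            "anchoring": {"geographic": {"data": "us-east-1", "processing": "us-east-1"}},
        },
    }
    ctmb = CTMB()
    ctmb.grant("alice", "tenant-a")  # alice is authorized for tenant-a only
    engine = ResponseEngine(key, inventory)
    director = ServiceDirector(ctmb, engine, key)
    where = director.request("alice", "tenant-a", "evidence requests", "anchoring", "geographic")
    other = director.request("alice", "tenant-b", "evidence requests", "anchoring", "geographic")

    class Tampering(ResponseEngine):  # models a body altered after signing
        def handle(self, request):
            r = super().handle(request)
            r["body"]["value"] = {"data": "elsewhere"}
            return r

    tampered = ServiceDirector(ctmb, Tampering(key, inventory), key).request(
        "alice", "tenant-a", "evidence requests", "anchoring", "geographic")
    return where, other, tampered, ctmb.history


if __name__ == "__main__":
    print(demo())
```

The authorization check runs before anything is sent, so a user can never learn, even from an error, whether another tenant's element exists; the signature check runs before anything is recorded as a result, so the CTMB history only ever holds answers that came from the provider unmodified.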

Security, Trust, and Assurance Registry (CSA STAR)
Expose control claims; compete to improve GRC capabilities (GRC Stack)
> Encourage transparency of security practices within cloud providers
> Documents the security controls provided by various cloud computing offerings
> Free and open to all cloud providers
> Option to use data/report based on CCM or the CAIQ

What's Happening Now?
A great time to move the security ecosystem forward in the cloud. Current planned sources of evolution for the GRC stack:
> CCM update
> CAIQ update
> CloudAudit update
> CloudTrust Protocol update and integration into the CSA GRC stack
> Trusted Cloud Initiative
> CloudSIRT
> Cloud data governance
> Cloud metrics
> Security as a service (SecaaS)
> Education: CCSK update, GRC stack training
> PCI compliance in the cloud

Thank You
David Lingenfelter
Email: dlingenfelter@fiberlink.com
Twitter: @simply_security
More Information: www.cloudsecurityalliance.org, www.cloudaudit.org, www.maas360.com