Building an Effective Cloud Security Program
Laura Posey, Senior Security Strategist, Microsoft Corporation; Co-Chair, CSA CAIQ; Programming Chair, NY Metro CSA Chapter
Is Cloud worth it? Yes!
- Platform for Innovation with Utility IT
- Any Device, Anywhere, Anytime
- Collaboration & Social Media
What are the Cloud risks?
- Shadow & Consumerization of IT
- Security, Trust & Assurance
- Jurisdictional Data Governance
About the Cloud Security Alliance (CSA)
- Global, not-for-profit organization
- Over 23,000 individual members, 100 corporate members, 50 chapters
- Building best practices and a trusted cloud ecosystem
- Agile philosophy, rapid development of applied research
  - GRC: Balance compliance with risk management
  - Reference models: build using existing standards
  - Identity: a key foundation of a functioning cloud economy
  - Champion interoperability
  - Enable innovation
  - Advocacy of prudent public policy
"To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
CSA Contributing Members
And MANY more
What is GRC?
Related existing standards
Who is accountable for what?
Control Ownership Clarity
You can outsource a business capability or function, but you cannot outsource accountability for information security → do your due diligence to identify and address
CSA Guidance Research
- Popular best practices for securing cloud computing
- 14 Domains of concern
- Governing & operating groupings
Cloud Architecture
Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
Transparency
Operating in the Cloud: Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
Guidance Highlights 1/2
- Governance, ERM: Secure the cloud before procurement: contracts, SLAs, architecture
- Governance, ERM: Know the provider's third parties, BCM/DR, financial viability, employee vetting
- Legal: Plan for provider termination & return of assets
- Compliance: Identify data location when possible
- ILM: Persistence, Protection
- Portability & Interoperability: SOA loose coupling principles
Guidance Highlights 2/2
- BCM/DR: provider redundancy vs. your own
- DC Ops: provisioning, patching, logging
- Encryption: encrypt data when possible, segregate key management from the cloud provider
- AppSec: Adapt the secure software development lifecycle
- Virtualization: Harden, rollback, port VM images
- IdM: Federation & standards, e.g. SAML, OpenID
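The "segregate key management from the cloud provider" highlight is the one item on this slide that a short program can make concrete. The Go code below is an added example written for this page; it is not CSA, Microsoft or Office 365 code and assumes no particular provider. It shows tenant-side envelope encryption: a fresh data-encryption key (DEK) is generated per object, the object is sealed with it, the DEK is wrapped under a key-encryption key (KEK) that stays with the tenant, and only the ciphertext and the wrapped DEK are handed to the provider. The `TenantKEK` and `StoredObject` types, the object-id binding and the sample object name are constructions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TenantKEK is the key-encryption key. In the deployment this models it lives
// in tenant-controlled key management (an on-premises HSM or a key service the
// provider cannot read); the cloud provider never receives it.
// Type and name are constructed for this example.
type TenantKEK struct{ key []byte }

// NewTenantKEK wraps a 32-byte AES-256 key supplied by the tenant.
func NewTenantKEK(key []byte) (TenantKEK, error) {
	if len(key) != 32 {
		return TenantKEK{}, errors.New("KEK must be 32 bytes (AES-256)")
	}
	return TenantKEK{key: append([]byte(nil), key...)}, nil
}

// StoredObject is everything the provider gets to keep. Without the KEK the
// wrapped DEK is opaque, so the blob is useless to the provider, to another
// tenant, and to anyone who copies the provider's storage media.
type StoredObject struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK), bound to the object id
	Nonce      []byte // nonce for the data ciphertext
	Ciphertext []byte // AES-GCM(DEK, plaintext), bound to the object id
}

// gcmSeal encrypts plaintext under key with a random nonce; aad is
// authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen is the inverse of gcmSeal and fails on any tampering or aad mismatch.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the tenant side before upload. The object id is passed as
// associated data so a stored blob cannot be silently re-labelled as another
// object. The plaintext DEK is dropped once it has been wrapped.
func (k TenantKEK) Encrypt(objectID string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	dataNonce, ct, err := gcmSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce, wrapped, err := gcmSeal(k.key, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{WrappedDEK: append(wrapNonce, wrapped...), Nonce: dataNonce, Ciphertext: ct}, nil
}

// Decrypt fails closed: a foreign KEK, a tampered blob or a blob moved to a
// different object id all return an error rather than partial plaintext.
func (k TenantKEK) Decrypt(objectID string, obj StoredObject) ([]byte, error) {
	const nonceSize = 12 // standard GCM nonce size, as produced by gcmSeal
	if len(obj.WrappedDEK) < nonceSize {
		return nil, errors.New("malformed wrapped DEK")
	}
	dek, err := gcmOpen(k.key, obj.WrappedDEK[:nonceSize], obj.WrappedDEK[nonceSize:], []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, obj.Nonce, obj.Ciphertext, []byte(objectID))
}

func main() {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	kek, _ := NewTenantKEK(raw)
	// Constructed sample object; in practice this is the file being uploaded.
	obj, err := kek.Encrypt("tenant-a/q3-report.docx", []byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped key\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	pt, err := kek.Decrypt("tenant-a/q3-report.docx", obj)
	fmt.Printf("tenant decrypts: %q (err=%v)\n", pt, err)
	_, err = kek.Decrypt("tenant-b/q3-report.docx", obj)
	fmt.Printf("same blob under another object id: err=%v\n", err)
}
```

The design choice worth noting is the split into two keys: the provider can rotate storage, replicate blobs and answer CAIQ IS-19.3 ("manage encryption keys on behalf of tenants") however it likes, but the tenant's answer to "who can read this data" depends only on where the KEK lives. Rotating the KEK means re-wrapping the small wrapped DEKs, not re-encrypting every object.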
A Cloud Security Governance, Risk, and Compliance (GRC) Stack
Delivering | Description
The recommended foundations for controls | Fundamental security principles in specifying the overall security needs of cloud consumers and assessing the overall security risk of a cloud provider
Pre-audit checklists and questionnaires to inventory controls | Industry-accepted ways to document what security controls exist
Continuous monitoring with a purpose | Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
Claims, offers, and the basis for auditing service delivery | Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
CSA GRC Stack (cont.)
Cloud Controls Matrix (CCM)
First-ever baseline control framework specifically designed for managing risk in the Cloud Supply Chain:
- Addresses the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
- Provides an anchor point and common language for balanced measurement of security and compliance postures.
- Provides holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.
- Serves as the basis for new industry standards and certifications.
v1.2 released Aug 2011; v2.0 to be released Nov 2012
CCM 11 Domains
CCM snapshot: architectural and delivery model relevance
CCM snapshot: mappings to popular standards*
*Standards represented in CCM v1.2: COBIT 4.1, HIPAA/HITECH Act, ISO/IEC 27001:2005, NIST SP 800-53 R3, FedRAMP, PCI DSS v2.0, BITS Shared Assessments SIG v6.0, BITS Shared Assessments AUP v5.0, GAPP (Aug 2009), Jericho Forum, NERC CIP
Consensus Assessments Initiative Questionnaire (CAIQ)
- Cloud Supply Chain risk management and due diligence questionnaire (148 questions)
- Enables cloud service providers to demonstrate compliance with the CSA CCM.
- Forms the basis for establishing Cloud-specific Service Level Objectives that can be incorporated into supplier agreements.
- Along with the CSA CCM, integrated into third-party GRC solution providers.
CAIQ Guiding Principles
The following are the principles that the working group utilized as guidance when developing the CAIQ:
- The questionnaire is organized using CSA's 13 governing & operating domains, divided into control areas within CSA's Control Matrix structure
- Questions are to assist both cloud providers in general principles of cloud security and clients in vetting cloud providers on the security of their offering and company security profile
- CAIQ is not intended to duplicate or replace existing industry security assessments but to contain questions unique or critical to the cloud computing model in each control area
- Each question should be able to be answered yes or no
- If a question can't be answered yes or no, then it was separated into two or more questions to allow yes or no answers
- Questions are intended to foster further detailed questions to the provider by the client, specific to the client's cloud security needs. This was done to limit the number of questions to make the assessment feasible, and since each client may have unique follow-on questions or may not be concerned with all follow-on questions
CAIQ snapshot
CAIQ snapshot: questions detail
Encryption Key Management (IS-19)
- IS-19.1 Do you encrypt tenant data at rest (on disk/storage) within your environment?
- IS-19.2 Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
- IS-19.3 Do you have a capability to manage encryption keys on behalf of tenants?
- IS-19.4 Do you maintain key management procedures?
Vulnerability / Patch Management (IS-20)
- IS-20.1 Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?
- IS-20.2 Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?
- IS-20.3 Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?
- IS-20.4 Will you make the results of vulnerability scans available to tenants at their request?
- IS-20.5 Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
- IS-20.6 Will you provide your risk-based systems patching timeframes to your tenants upon request?
CSA Security, Trust & Assurance Registry (STAR)
Public and free registry of Cloud Provider self-assessments, demonstrating adoption of:
- Cloud Controls Matrix (CCM)
- Consensus Assessments Initiative Questionnaire (CAIQ)
- Promotes transparency of security practices within cloud providers
- Documents the security controls provided by various cloud computing offerings
- Free market competition to provide quality assessments
CSA STAR Listing Process
1. Provider fills out CAIQ or customizes CCM
2. Uploads document at /star
3. CSA performs basic verification: authorized listing from provider; delete SPAM, poisoned listings; basic content accuracy check
4. CSA digitally signs and posts at /star
Registry location: https://cloudsecurityalliance.org/research/initiatives/star-registry/
Completed STAR snapshot: Microsoft's Office 365
Control ID | Control description (CCM Version R1.1 Final) | Microsoft response

IS-19 Information Security - Encryption Key Management
CCM control: Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission.
Microsoft response: Encryption is provided on several layers, such as Transport Layer, encryption between clients and Exchange Online (SSL), Instant Messaging and IM federation. For more information consult the Office 365 Security Service Description available on the Download Center. Furthermore, we support S/MIME, Active Directory Rights Management Services or PGP. Office 365 currently does not encrypt data at rest; however, the customer may do so through IRM or RMS. Media Handling is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.7.3. For more information, review of the publicly available ISO standards we are certified against is suggested.

IS-20 Information Security - Vulnerability / Patch Management
CCM control: Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and Contractor-supplied security patches applied in a timely manner, taking a risk-based approach for prioritizing critical patches.
Microsoft response: Microsoft Online Services implements technologies to scan the environment for vulnerabilities. Identified vulnerabilities are tracked and verified for remediation. In addition, regular vulnerability/penetration assessments to identify vulnerabilities and determine whether key logical controls are operating effectively are performed. Microsoft's Security Response Center (MSRC) regularly monitors external security vulnerability awareness sites. As part of the routine vulnerability management process, Microsoft Online Services evaluates our exposure to these vulnerabilities and leads action across Microsoft Online Services to mitigate risks when necessary. The Microsoft Security Response Center (MSRC) releases security bulletins on the second Tuesday of every month ("Patch Tuesday"), or as appropriate to mitigate zero-day exploits. In the event that proof-of-concept code is publicly available regarding a possible exploit, or if a new critical security patch is released, Microsoft Online Services is required to apply patches to affected Microsoft Online Services systems according to a patching policy to remediate the vulnerability to the customer's hosted environment. Control of technical vulnerabilities is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 12.6. For more information, review of the publicly available ISO standards we are certified against is suggested.
CSA STAR: What You Should Do
Providers:
- Start filling out CAIQ and/or CCM
- Ask us for help
Customers:
- Put your providers on notice; point them to CAIQ and/or CCM
- Make CSA STAR entries a standard part of procurement & assessment
- Get ready for the update in November
CSA Collaboration with SBOs
Copyright 2010 Cloud Security Alliance
Other CSA Research
- Trusted Cloud Initiative (TCI): Presents a multi-tier architecture integrating TOGAF (The Open Group), ITIL, and SABSA (Zachman security model), with individual security elements mapped to CCM controls.
- CloudSIRT: Enhance the capability of the cloud community to prepare for and respond to vulnerabilities, threats, and incidents in order to preserve trust in cloud computing.
- Cloud Metrics: Companion project of CCM and CloudAudit defining objective criteria related to security control items, encompassing XDAS, CEE and syslog-ng, and collaborating with the DMTF cloud audit data federation work group.
- Big Data: Identifying scalable techniques for data-centric security and privacy problems, leading to the crystallization of best practices for security and privacy in big data that can help industry and government with adoption of best practices.
- Mobile: Creating guidelines for the mobile device security framework and mobile cloud architectures; securing application stores and other public entities deploying software to mobile devices; analysis of mobile security capabilities and features of key mobile operating systems; and cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives.
Contact CSA
Help us secure cloud computing!
- info@cloudsecurityalliance.org
- LinkedIn: www.linkedin.com/groups?gid=1864210
- Twitter: @cloudsa
- Join your local CSA Chapter: https://cloudsecurityalliance.org/chapters/
Thank You!
Appendix: Back-Up Slides
CSA Organization & Operations
CCM 98 Controls
CCM 98 Controls (cont.)
CSA STAR FAQ
- Where? /star/
- Help? Special LinkedIn support group and private mailbox moderated by CSA volunteers
- Costs? Free to post, free to use
- Is this a new hacker threat vector? No, it is responsible disclosure of security practices
- Will CSA police STAR? Initial verification and maintenance of an Abuse mailbox
- Do listings expire? Yes, 1 year limit
Key Cloud Security Problems
From CSA Top Threats Research:
- Trust: Lack of Provider transparency; impacts Governance, Risk Management, Compliance, and the capture of real value
- Data: Leakage, Loss or Storage in unfriendly geography
- Insecure Cloud software
- Malicious use of Cloud services
- Account/Service Hijacking
- Malicious Insiders
- Cloud-specific attacks