Cloud Security Alliance: Industry Efforts to Secure Cloud Computing
Jim Reavis, Executive Director
September, 2010
Cloud: Dawn of a New Age
- Art Coviello: "the most overhyped, underestimated phenomenon since the Internet"
- Compute as a utility: third major era of computing
- Changes everything: business models, venture capital, R&D,
What is Cloud Computing?
- Compute as a utility: third major era of computing (Mainframe; PC and Client/Server; Cloud)
- Cloud computing: on-demand model for allocation and consumption of computing; "Version 2 of the Internet"
- Cloud enabled by:
  - Moore's Law: costs of compute & storage approaching zero
  - Hyperconnectivity: robust bandwidth from dotcom investments
  - Service Oriented Architecture (SOA)
  - Scale: major providers create massive IT capabilities
Defining Cloud
- On-demand provisioning
- Elasticity
- Multi-tenancy
- Key types:
  - Infrastructure as a Service (IaaS): basic O/S & storage
  - Platform as a Service (PaaS): IaaS + rapid dev
  - Software as a Service (SaaS): complete application
- Public, Private, Community & Hybrid Cloud deployments
How to think about Cloud
- Perfect storm: convergence of existing technologies in a new business model
- The next platform for software applications
- Disruption!
- Not one cloud: many types and deployments of cloud
- Aspects of our legacy we can learn from, but with key differences: Mainframes, Virtualization, Outsourcing
- Challenges many of our IT definitions, e.g. what is data?
How will Cloud Computing play out?
- Much investment in private clouds for 3-5 years
- Compliance use cases being developed
- Cloud assurance ecosystem being built
- Virtual private clouds: compromise between public and private
- Long legacy of hybrid clouds
- Rise of cloud brokering/intermediation
Key Cloud Security Problems (from CSA Top Threats Research)
- Trust: lack of provider transparency; impacts governance, risk management, compliance
- Data: leakage, loss, or storage in unfriendly geography
- Insecure cloud software
- Malicious use of cloud services
- Account/service hijacking
- Malicious insiders
- Cloud-specific attacks
Cloud: Reset of the security industry
- Critical mass of separation between data owners and data processors
- Cloud customers retain governance responsibility
- Physical controls must be replaced by virtual controls
- Opportunity to make security better
- Requires broad perspective
- Must build the cloud security ecosystem
Cloud security ecosystem
- Body of practices
- Laws and regulations
- Tools
- Technology innovation
- Audit/assurance
- Education
- Certification: individual & organizational
- Shared responsibility; private/public partnerships on a global scale
About the Cloud Security Alliance
- Global, not-for-profit organization
- Over 11,000 individual members, 60 corporate members
- Building best practices and a trusted cloud ecosystem
- Deliverables:
  - CSA Guidance V2.1: released Dec 2009
  - CSA Top Threats Research: released March 2010
  - CSA Cloud Controls Matrix: released April 2010
  - CCSK Certification: release Sept 2010
  - Trusted Cloud Initiative: release Q4 2010
  - CSA Cloud Metrics Working Group
  - Consensus Assessment Initiative: release Q4 2010
- Mission: To promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.
CSA viewpoint and philosophy
- Enterprises are more afraid of compliance issues than of security issues
- Agile development: produce guidance rapidly and fix later
- Enable the compliance ecosystem: create the tools, knowledge and processes for assurance
- Champion interoperability of all cloud types: a fundamental change in the balance of power
- Emphasize identity, because the cloud will break if we don't
S-P-I Framework
- SaaS (Software as a Service): you RFP security in
- PaaS (Platform as a Service)
- IaaS (Infrastructure as a Service): you build security in
CSA Guidance Research
- Popular best practices for securing cloud computing
- 13 domains of concern, in governing & operating groupings:
  - Cloud Architecture
  - Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
  - Operating in the Cloud: Security, Bus. Cont., and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
- Guidance > 100k downloads: cloudsecurityalliance.org/guidance
CSA Guidance Research - Status
- Ver 2.1 released Dec 2009
- Ver 3: mid-2011
- 2010 focus:
  - Translations
  - Wiki format
  - Per-domain whitepapers (not official guidance) across the 13 domains: Cloud Architecture; Governing the Cloud (Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability); Operating in the Cloud (Security, Bus. Cont., and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization)
Securing the Cloud - Governance
- The best opportunity to secure a cloud engagement is before procurement: contracts, SLAs, architecture
- Know the provider's third parties, BCM/DR, financial viability, employee vetting
- Identify data location when possible
- Plan for provider termination & return of assets
- Preserve the right to audit
- Reinvest provider cost savings into due diligence
Securing the Cloud - Operating
- Encrypt data when possible; segregate key management from the cloud provider
- Adapt the secure software development lifecycle
- Understand the provider's patching, provisioning, protection
- Logging, data exfiltration, granular customer segregation
- Hardened VM images
- Assess provider IdM integration, e.g. SAML, OpenID
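As an added example (not code from the CSA deck or from any CSA tool), the following Go program shows what "encrypt data when possible, segregate key management from the cloud provider" looks like in practice: client-side envelope encryption with AES-256-GCM from the Go standard library, where a customer-held key-encryption key (KEK) wraps a fresh per-object data-encryption key (DEK), so the provider only ever stores ciphertext plus a wrapped key. The `CustomerKMS` and `StoredObject` types, the object name and the sample record are constructed for this example and are not part of any real service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CustomerKMS stands in for a key service under the customer's control (an
// on-premises HSM or key manager); the provider never receives its KEK.
// Hypothetical type, constructed for this example.
type CustomerKMS struct{ kek []byte }

// StoredObject is all the provider receives; without the KEK it is opaque.
type StoredObject struct {
	Ciphertext []byte // nonce || AES-256-GCM ciphertext of the data under the DEK
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext of the DEK under the KEK
}

func randomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh nonce and binds aad (the object name), so a
// ciphertext cannot later be served back under a different object's name.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext+tag
}

// unseal splits off the nonce and authenticates before returning plaintext.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("blob shorter than nonce (%d bytes)", len(blob))
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt is client-side envelope encryption: a per-object DEK encrypts the
// data, the customer KEK wraps the DEK, and only the StoredObject leaves the client.
func (k *CustomerKMS) Encrypt(objectName string, plaintext []byte) (*StoredObject, error) {
	dek, err := randomKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(k.kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK, then opens the data; any tampering, or presenting
// the object under another name, fails GCM authentication.
func (k *CustomerKMS) Decrypt(objectName string, obj *StoredObject) ([]byte, error) {
	dek, err := unseal(k.kek, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := unseal(dek, obj.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("open object: %w", err)
	}
	return pt, nil
}

func main() {
	kek, _ := randomKey()
	kms := &CustomerKMS{kek: kek}
	name := "customer-records/2010-09.csv" // constructed sample object name
	obj, _ := kms.Encrypt(name, []byte("id,name\n1,Alice\n"))
	pt, err := kms.Decrypt(name, obj)
	fmt.Printf("customer roundtrip: %q err=%v\n", pt, err)
}
```

Run it with `go run`. The point of the design is where the keys live: the provider can replicate, back up or lose a `StoredObject` without exposing data, and anyone holding only the object (including a provider that generates a KEK of its own) fails at the DEK unwrap step. Binding the object name as GCM associated data adds a second check: a stored object presented under a different name, or with a modified byte, fails authentication rather than decrypting to garbage.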
Trusted Cloud Initiative
- CSA certification criteria and seal program for cloud providers
- Initial focus on secure & interoperable identity in the cloud, and its alignment with data encryption
- Assemble with existing standards
- Reference models & proof of concept
- Outline responsibilities for Identity Providers, Enterprises, Cloud Providers, Consumers
- /trustedcloud.html
TCI Mission
To create a Trusted Cloud reference architecture for cloud use cases that leverage cloud delivery models (SaaS, PaaS, IaaS) in the context of operational models (Public, Private, Hybrid) to deliver a secure and trusted cloud service.
Background
- A new white paper, "CSA Domain 12 Guidance for Identity & Access Management", was published on April 27 by workgroup 5, led by Subra Kumaraswamy
- TCI initiative announced during the Infosecurity Europe Conference; led by Liam Lynch, Chief Security Strategist, eBay
- Three sub-groups:
  - Architecture: chaired by Jairo Orea, ING, and Subra Kumaraswamy, eBay
  - Implementation: chaired by Scott Matsumoto, Cigital
  - Certification: chaired by Nico Popp, Verisign
- Alignment with industry groups:
  - CloudAudit.org: John Menerick, CISO for NetSuite, primary liaison
  - OASIS ID Cloud: Liam Lynch, primary liaison
  - Other internal CSA initiatives
Principle: Identity Providers have a responsibility to issue IDs that can be used holistically by the individual, and not just for the relationship with that provider. This includes governments.
Principle: Identity and access management must absolutely be applied to devices, data and applications as well as users.
Principle: Cloud service providers should by default NOT seek to be identity providers unless there is a compelling public interest being served and IDP is a core business.
Principle: Consumers should reward cloud service providers who offer their services as relying parties to well-known and trusted identity providers and minimize their own collection of identity information.
Principle: Strong authentication should be ubiquitous, flexible and natively supported by the identity provider.
Principle: Individuals should have the tools to manage their own digital identity and be able to leverage claims-based identity principles to access cloud services.
Principle: Enterprises acting as identity providers solely for their own employees and partners need to embrace a strategic direction to exit this business.
Principle: Major cloud identity providers need to publicly commit to network neutrality principles to provide no competitive advantage to their own SaaS commercial applications over third-party SaaS commercial applications.
Cloud Controls Matrix Tool
- Controls derived from guidance
- Rated as applicable to S-P-I
- Customer vs. provider role
- Mapped to ISO 27001, COBIT, PCI, HIPAA
- Helps bridge the gap for IT & IT auditors
- /cm.html
Cloud Controls Matrix Tool - Status
- Version 1 tool released April, 2010
- Version 2 kickoff late June, 2010; presented Nov 2010
- /cm.html
Trusted Cloud Initiative - Status
- Initial Domain 12 IdM best practices whitepaper released
- Working group structure established: Architecture, Certification and Implementation subgroups
- Seeking volunteers for working groups
- Ver 1 final criteria published Q4 2010
- /trustedcloud.html
Consensus Assessments Initiative - Status
- Ver 1 deliverable: assessment questionnaire, for October 2010 release
- To be presented at RSA Europe, Oct 12-14
- Workstreams and leadership established
- Editorial drafts being completed
- Open for volunteers for final vetting
CCSK: Certificate of Cloud Security Knowledge
- Announced July 28
- User certification
- Web-based test for competency in CSA guidance & ENISA research
- September 1 release
- /certifyme
Cloud Metrics Research
- Identifying CSA guidance we can build metrics for
- Developing metrics for all Controls Matrix controls
- Survey industry on maturity
- Create baseline capability
Third party: Common Assurance Maturity Model (CAMM)
- CAMM is a methodology & solution for creating an independent, maturity-model-based measurement of a cloud provider's security program and capabilities
- Potential to evolve into an authoritative repository of provider security maturity
- ENISA is the driving force; CSA is supporting the effort
CloudAudit
- CloudAudit is an open standard and interface that allows cloud providers to automate audit assertions
- The Controls Matrix provides CloudAudit with its cloud controls namespace
- CloudAudit answers the "How?" of audit assertions; the Controls Matrix answers the "What?"
- Diagram labels: Control Requirements; Provider Assertions; Providers
ENISA
- Important, globally recognized thought leader for cloud security research
- "Cloud Computing: Benefits, Risks and Recommendations for Information Security" whitepaper: key part of CCSK
- "Security and Resilience in Government Clouds": research in progress
- Driving force of CAMM
- SecureCloud Conference
- Important partner for CSA
Cloud Security Alliance Congress
- Presenting findings from the above research
- Global, multi-track cloud security conference
- Industry thought leaders
- Technical, compliance, government tracks
- Conference November 16-17, Disney World in Orlando, Florida
- Optional workshops November 15 & 18
- www.misti.com/cloud
Contact
- Help us secure cloud computing: info@cloudsecurityalliance.org
- LinkedIn: www.linkedin.com/groups?gid=1864210
- Twitter: @cloudsa
Thank you!