2011 Digital Summit - Not So Cloudy - Agcaoili

Upload: phil-agcaoili

Post on 20-Aug-2015

TRANSCRIPT

Page 1: 2011 Digital Summit - Not So Cloudy - Agcaoili

Page 2: 2011 Digital Summit - Not So Cloudy - Agcaoili

To the Cloud: Key Risks and Security Concerns

Page 3: 2011 Digital Summit - Not So Cloudy - Agcaoili

Cloud Computing

Security: Largest Barrier to Adoption

Page 4: 2011 Digital Summit - Not So Cloudy - Agcaoili

Key Cloud Security Problems of Today

• From CSA Top Threats Research:

– Trust: Lack of Provider transparency; impacts Governance, Risk Management, Compliance

– Data: Leakage, Loss or Storage in unfriendly geography

– Insecure Cloud software

– Malicious use of Cloud services

– Account/Service Hijacking

– Malicious Insiders

– Cloud-specific attacks

Page 5: 2011 Digital Summit - Not So Cloudy - Agcaoili

Key Problems of Tomorrow

• Globally incompatible legislation and policy

• Non-standard Private & Public clouds

• Lack of continuous Risk Management and Compliance monitoring

• Incomplete Identity Management implementations

• Haphazard response to security incidents

Page 6: 2011 Digital Summit - Not So Cloudy - Agcaoili

Current Assurance Demands Do Not Scale

Customers:

• Reinvent the security wheel for each Cloud Provider

• Construct detailed and custom questionnaires

– Pre-sales

– Post-sales

Cloud Providers:

• Answer lengthy and unique questionnaires from every potential customer

– Disregard/address

– Larger Cloud Providers ignore questionnaires

• Right to Audit

Page 7: 2011 Digital Summit - Not So Cloudy - Agcaoili


Basic Question Everyone is Asking

Is it safe to put my data in this Cloud?

Page 8: 2011 Digital Summit - Not So Cloudy - Agcaoili

Cloud Computing Security Industry Initiatives

• Open Cloud Manifesto (http://www.opencloudmanifesto.org/)

– Making the case for an Open Cloud

• Jericho Forum (http://www.opengroup.org/jericho/)

– Cloud Cube Model: Recommendations & (Security) Evaluation Framework

• NIST Cloud Computing Program (http://www.nist.gov/itl/cloud/index.cfm)

– Cloud Security Guidelines

• Cloud Security Alliance (http://www.cloudsecurityalliance.org/)

– Promoting Best Security Practices for the Cloud

• Marcus J. Ranum on Cloud Computing Security (video)

Page 9: 2011 Digital Summit - Not So Cloudy - Agcaoili

Cloud Controls Matrix (CCM)

Page 10: 2011 Digital Summit - Not So Cloudy - Agcaoili

The Cloud Controls Matrix addresses these challenges

• Who is responsible? (Tenant, IaaS, PaaS, SaaS)

• How do you measure risk?

• How do you effectively decouple information intrinsic in infrastructure and applications?

• How do you satisfy regulators?

• How do you assure shareholders that the Cloud is a stable platform to conduct business?

Controls frameworks are the foundation of most attestation methodologies

Page 11: 2011 Digital Summit - Not So Cloudy - Agcaoili

Cloud Controls Matrix

• V1.1 Released Dec 2010

• Rated as applicable to S-P-I with Cloud Provider / Tenant Delineation

• Controls baselined and mapped to:

– COBIT

– HIPAA / HITECH Act

– ISO/IEC 27001:2005

– NIST SP 800-53

– FedRAMP

– PCI DSS v2.0

– BITS Shared Assessments

– GAPP

Leadership Team

• Phil Agcaoili – Cox Communications

• Becky Swain – Cisco Systems, Inc.

• Marlin Pohlman – EMC, RSA

• Kip Boyle – CSA

www.cloudsecurityalliance.org/cm

Page 12: 2011 Digital Summit - Not So Cloudy - Agcaoili

Cloud Controls Matrix: Global Industry Contribution

• Adalberto Afonso A Navarro F do Valle – Deloitte LLP

• Addison Lawrence – Dell

• Akira Shibata – NTT DATA Corp

• Andy Dancer

• Anna Tang – Cisco Systems, Inc.

• April Battle – MITRE

• Chandrasekar Umpathy – Symphony Services Ltd

• Chris Brenton – Dell

• Dale Pound – SAIC

• Daniel Philpott – Tantus Technologies

• Dr. Anton Chuvakin – Security Warrior Consulting

• Elizabeth Ann Wickham – L47 Consulting Limited

• Gary Sheehan – Advanced Server Mgmt Group, Inc.

• Georg Heß

• Georges Ataya – Solvay Brussels School of Economics & Mgmt

• Glen Jones – Cisco Systems, Inc.

• Greg Zimmerman – Jefferson Wells

• Guy Bejerano – LivePerson

• Henry Ojo – Kamhen Services Ltd

• Jakob Holm Hansen – Neupart A/S

• Joel Cort – Xerox Corporation

• John DiMaria – HISPI

• John Sapp – McKesson Healthcare, HISPI

• Joshua Schmidt – Vertafore, Inc.

• Karthik Amrutesh – Ernst and Young LLP

• Kelvin Arcelay – Arcelay & Associates

• Kyle Lai – KLC Consulting, Inc.

• Larry Harvey – Cisco Systems, Inc.

• Laura Kuiper – Cisco Systems, Inc.

• Lisa Peterson – Progressive Insurance

• Lloyd Wilkerson – Robert Half International

• Marcelo Gonzalez – Banco Central Republica Argentina

• Mark Lobel – PricewaterhouseCoopers LLP

• Meenu Gupta – Mittal Technologies

• Mike Craigue, Ph.D. – Dell

• MS Prasad – Exec Dir CSA India

• Niall Browne – LiveOps

• Patrick Sullivan

• Patty Williams – Symetra Financial

• Paul Stephen – Ernst and Young LLP

• Phil Genever-Watling – Dell

• Philip Richardson – Logicalis UK Ltd

• Pritam Bankar – Infosys Technologies Ltd.

• Ramesan Ramani – Paramount Computer Systems

• Steve Primost

• Taiye Lambo – eFortresses, Inc.

• Tajeshwar Singh

• Thej Mehta – KPMG LLP

• Thomas Loczewski – Ernst and Young GmbH, Germany

• Vincent Samuel – KPMG LLP

• Yves Le Roux – CA Technologies

• HISPI membership (Release ISO Review Body)

Page 13: 2011 Digital Summit - Not So Cloudy - Agcaoili

Consensus Assessment Initiative

Page 14: 2011 Digital Summit - Not So Cloudy - Agcaoili

Consensus Assessment Initiative

• Questions for shared assessments of Cloud Providers

• Lightweight “common assessment criteria” concept

• Integrated with Cloud Controls Matrix (CCM)

• Ver 1 CAI Questionnaire (CAIQ) released Oct 2010

– 148 questions

– Identifies presence of security controls or practices

www.cloudsecurityalliance.org/cai

Page 15: 2011 Digital Summit - Not So Cloudy - Agcaoili

Consensus Assessment Initiative Team

Contributors

• Matthew Becker – Bank of America

• Aaron Benson – Novell

• Ken Biery – Verizon Business

• Kristopher Fador – Bank of America

• David Gochenaur – Aon Corporation

• Jesus Molina – Fujitsu

• John Nootens – AMA Association

• Hemma Prafullchandra – Hytrust

• Gorka Sadowski – LogLogic

• Richard Schimmel – Bank of America

• Patrick Vowles – RSA

• Kenneth Zoline – IBM

Leaders

• Laura Posey – Microsoft

• Jason Witty – Bank of America

• Marlin Pohlman – EMC, RSA

• Earle Humphreys – ITEEx

Editor

• Christofer Hoff – Cisco

Page 16: 2011 Digital Summit - Not So Cloudy - Agcaoili

CloudAudit

Page 17: 2011 Digital Summit - Not So Cloudy - Agcaoili

CloudAudit

• Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments

• Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.

• Aligned to CSA Cloud Controls Matrix (CCM)

• Incorporates CSA CAIQ and additional CompliancePacks

• Expands alignment to “infrastructure” and “operations”-centric views

http://cloudaudit.org

Page 18: 2011 Digital Summit - Not So Cloudy - Agcaoili

CloudAudit Sample Implementation – CSA Compliance Pack

Page 19: 2011 Digital Summit - Not So Cloudy - Agcaoili

CSA GRC Stack

Page 20: 2011 Digital Summit - Not So Cloudy - Agcaoili

CSA Governance, Risk, and Compliance (CSA GRC) Stack

• Suite of tools, best practices and enabling technology

• Consolidate industry research & simplify GRC in the cloud

• For cloud providers, enterprises, solution providers and audit/compliance

• Simplifies customer and cloud provider attestation to accelerate cloud adoption

– Common language to report security and compliance

– Common lexicon for communication between tiers of service

– Common ontology for reasoning about providers

https://cloudsecurityalliance.org/grc-stack

[Diagram: Control Requirements and Provider Assertions across Private & Public Clouds]

Page 21: 2011 Digital Summit - Not So Cloudy - Agcaoili

CSA GRC Stack: Industry Collaboration & Support

• International Organization for Standards (ISO)

– ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy

• National Institute of Standards and Technology (NIST)

– Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)

• European Network and Information Security Agency (ENISA)

• Common Assurance Maturity Model (CAMM)

• American Institute of Certified Public Accountants (AICPA)

– Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy

• Next generation SAS 70 Type I and II attestation

• Inverse Control Framework Mappings

– Unified Compliance Framework (UCF)

• Payment Card Industry (PCI) DSS

• Health Information Trust Alliance (HITRUST)

• Information Systems Audit and Control Association (ISACA) COBIT

• BITS Shared Assessments SIG/AUP + TG Participation

• Information Security Forum (ISF)

Page 22: 2011 Digital Summit - Not So Cloudy - Agcaoili

philA’s Approach to Using the CSA GRC Stack

1. Pre-sales - Use CAI Questionnaire

2. Contracts (MSA) – Attach CAIQ + CCM

3. Post Sales Assurance and Continuous Compliance – Use CloudAudit to verify contract and pre-sales assertions
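The three steps above are a workflow rather than a tool, so the following added Python illustration (not from the slides, and not CSA's own CCM, CAIQ or CloudAudit software) models them end to end: score a provider's questionnaire answers against the controls the provider owns for the service model being bought, freeze the "Yes" answers into a contract baseline, and later check evidence against that baseline. The control identifiers, the Provider/Tenant delineation, the questionnaire answers and the post-sales evidence are all constructed for the example; real CCM and CAIQ identifiers and wording differ.

```python
"""Three-stage use of the CSA GRC Stack, modelled in code (added example,
not CSA's own tooling):

  1. pre-sales:  score a provider's CAIQ answers against the controls the
                 tenant needs for the service model being bought;
  2. contract:   freeze the "Yes" answers into a baseline attached to the MSA;
  3. post-sales: compare later evidence against that baseline to spot drift.

Control IDs, questions, answers and evidence below are constructed for the
example; the real CCM/CAIQ use their own identifiers and wording.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROVIDER, TENANT = "Provider", "Tenant"


@dataclass(frozen=True)
class Control:
    control_id: str
    domain: str
    # Constructed S-P-I delineation: who owns the control per service model.
    owner_iaas: str
    owner_paas: str
    owner_saas: str

    def owner(self, model: str) -> str:
        return {"IaaS": self.owner_iaas,
                "PaaS": self.owner_paas,
                "SaaS": self.owner_saas}[model]


# Constructed mini control matrix (IDs are placeholders, not real CCM IDs).
CONTROLS = [
    Control("X-DG-01", "Data Governance",       PROVIDER, PROVIDER, PROVIDER),
    Control("X-IS-07", "Encryption at rest",    TENANT,   PROVIDER, PROVIDER),
    Control("X-IS-12", "Identity/access mgmt",  TENANT,   TENANT,   PROVIDER),
    Control("X-RS-03", "Backup & restore",      PROVIDER, PROVIDER, PROVIDER),
]

# Constructed CAIQ-style answers: question id, control id, Yes/No/N/A.
CAIQ_CSV = """\
q1,X-DG-01,Yes
q2,X-IS-07,Yes
q3,X-IS-12,No
q4,X-RS-03,No
q5,X-RS-03,Yes
"""


def parse_caiq(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group questionnaire answers by the control they attest to."""
    answers: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        qid, cid, ans = (f.strip() for f in line.split(","))
        answers.setdefault(cid, []).append((qid, ans))
    return answers


def provider_controls(model: str) -> List[Control]:
    """Controls the provider owns for this service model (tenant keeps the rest)."""
    return [c for c in CONTROLS if c.owner(model) == PROVIDER]


def pre_sales_gaps(answers: Dict[str, List[Tuple[str, str]]], model: str) -> List[str]:
    """Stage 1: provider-owned controls with no answer at all, or any 'No'."""
    gaps = []
    for c in provider_controls(model):
        answered = [a for _, a in answers.get(c.control_id, [])]
        if not answered or "No" in answered:
            gaps.append(c.control_id)
    return gaps


def contract_baseline(answers: Dict[str, List[Tuple[str, str]]], model: str) -> Dict[str, bool]:
    """Stage 2: what the MSA records the provider as asserting ('Yes' on every
    question for the control), for provider-owned controls only."""
    return {
        c.control_id: bool(answers.get(c.control_id))
        and all(a == "Yes" for _, a in answers[c.control_id])
        for c in provider_controls(model)
    }


def verify_assertions(baseline: Dict[str, bool], evidence: Dict[str, str]) -> List[str]:
    """Stage 3: contract-time assertions that later evidence does not support
    (a control with no evidence at all counts as unsupported)."""
    return [cid for cid, asserted in baseline.items()
            if asserted and evidence.get(cid) != "pass"]


if __name__ == "__main__":
    model = "SaaS"
    answers = parse_caiq(CAIQ_CSV)
    print("pre-sales gaps:", pre_sales_gaps(answers, model))
    baseline = contract_baseline(answers, model)
    print("contract baseline:", baseline)
    # Constructed post-sales evidence: X-IS-07 now fails, X-DG-01 is unreported.
    evidence = {"X-IS-07": "fail", "X-RS-03": "pass"}
    print("drift since contract:", verify_assertions(baseline, evidence))
```

Two design choices carry the slide's point: the service model decides which controls the provider must answer for at all (a tenant buying IaaS keeps identity and encryption controls for itself, so those never become provider gaps), and missing post-sales evidence is treated as a failed assertion rather than as "no news", which is what turns a one-off questionnaire into continuous compliance.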

Page 23: 2011 Digital Summit - Not So Cloudy - Agcaoili

Other Practical Risk Management Strategies for Cloud Computing

• Adopt and demand use of good industry practices

– CSA GRC Stack

• Risk assessments

• Contract terms

• Service Level Agreement (SLA)

• Multi-Sourcing

– Parallel in-house service

– Several compatible suppliers

• More to come… Market is still evolving…

Page 24: 2011 Digital Summit - Not So Cloudy - Agcaoili

About the Cloud Security Alliance

Page 25: 2011 Digital Summit - Not So Cloudy - Agcaoili

About the Cloud Security Alliance

• Global, not-for-profit organization

• Almost 20,000 individual members, 80 corporate members

• Building best practices and a trusted cloud ecosystem

• Agile philosophy, rapid development of applied research

– GRC: Balance compliance with risk management

– Reference models: build using existing standards

– Identity: a key foundation of a functioning cloud economy

– Champion interoperability

– Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 26: 2011 Digital Summit - Not So Cloudy - Agcaoili

Help us secure cloud computing

• Web: www.cloudsecurityalliance.org

• Email: [email protected]

• LinkedIn: www.linkedin.com/groups?gid=1864210

• Twitter: @cloudsa

• Email: [email protected]

• Twitter: @HackSec

Questions & Answers