cloudbytes_star certification v1

CSA Cloud STAR Certification. John A. DiMaria; CSSBB, HISP, MHISP, AMBCI; Certification Product Manager; BSI Group America Inc. © 2014 Cloud Security Alliance - All Rights Reserved. CloudBytes // BSI Presentation. The Paradigm Has Changed

Upload: cloudsany

Post on 16-Oct-2015


DESCRIPTION

CSA STAR and GRC

TRANSCRIPT

  • 5/26/2018 CloudBytes_STAR Certification V1

    1/56

    CSA Cloud STAR Certification

    John A. DiMaria; CSSBB, HISP, MHISP, AMBCI

    Certification Product Manager; BSI Group America Inc.

    2014 Cloud Security Alliance - All Rights Reserved. CloudBytes // BSI Presentation

    The Paradigm Has Changed

  • 5/26/2018 CloudBytes_STAR Certification V1

    2/56

    "When a paradigm shifts, everything goes back to zero." ~Joel Barker~

    Nothing you have done in the past matters any more. You cannot count on past success.

  • 5/26/2018 CloudBytes_STAR Certification V1

    4/56

    www.cloudsecurityalliance.org Copyright 2014 Cloud Security Alliance

    The CSA GRC Stack

    A suite of four integrated and reinforcing CSA initiatives (the "stack packages")

    The Stack Packs

    Cloud Controls Matrix

    Consensus Assessments Initiative

    Cloud Audit

    CloudTrust Protocol

    Designed to support cloud consumers and cloud providers

    Prepared to capture value from the cloud as well as support compliance and control within the cloud

  • 5/26/2018 CloudBytes_STAR Certification V1

    5/56

    A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack

    Stack Pack: Delivering and Description

    Delivering: Continuous monitoring with a purpose
    Description: Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers

    Delivering: Claims, offers, and the basis for auditing service delivery
    Description: Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments

    Delivering: Pre-audit checklists and questionnaires to inventory controls
    Description: Industry-accepted ways to document what security controls exist

    Delivering: The recommended foundations for controls
    Description: Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider

  • 5/26/2018 CloudBytes_STAR Certification V1

    6/56

    CAIQ Guiding Principles

    The following are the principles that the working group utilized as guidance when developing the CAIQ:

    The questionnaire is organized using CSA 13 governing & operating domains divided into control areas within CSA's Control Matrix structure

    Questions are to assist both cloud providers in general principles of cloud security and clients in vetting cloud providers on the security of their offering and company security profile

    CAIQ not intended to duplicate or replace existing industry security assessments but to contain questions unique or critical to the cloud computing model in each control area

    Each question should be able to be answered yes or no

    If a question can't be answered yes or no then it was separated into two or more questions to allow yes or no answers.

    Questions are intended to foster further detailed questions to provider by client specific to client's cloud security needs. This was done to limit number of questions to make the assessment feasible and since each client may have unique follow-on questions or may not be concerned with all follow-on questions

  • 5/26/2018 CloudBytes_STAR Certification V1

    7/56

    The CAIQ Questionnaire

  • 5/26/2018 CloudBytes_STAR Certification V1

    8/56

    CAIQ Questionnaire

    Control Group, Control Group ID (CGID) and Control Identifier (CID) all map the CAIQ question being asked directly to the CCM control that is being addressed.

    Relevant compliance and standards are mapped line by line to the CAIQ, which, in turn, also map to the CCM. The CAIQ v1.1 maps to the following compliance areas: HIPAA, ISO 27001, COBIT, SP800_53, FedRAMP, PCI_DSS, BITS and GAPP. V1.2 will additionally include mappings to Jericho Forum and NERC CIP.

    Each question can be answered by a provider with a yes or no answer.

    This provides a wide variety of transparency and of course is a self-assessment.

  • 5/26/2018 CloudBytes_STAR Certification V1

    9/56

    Sample Questions to Vendors

    Compliance - Independent Audits (CO-02)

    CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?

    CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

    CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

    CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?

    CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?

    CO-02f - Are the results of the network penetration tests available to tenants at their request?

    CO-02g - Are the results of internal and external audits available to tenants at their request?

    Data Governance - Classification (DG-02)

    DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (ex. Tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?

    DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (ex. TXT/TPM, VN-Tag, etc.)?

    DG-02c - Do you have a capability to use system geographic location as an authentication factor?

    DG-02d - Can you provide the physical location/geography of storage of a tenant's data upon request?

    DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?

  • 5/26/2018 CloudBytes_STAR Certification V1

    10/56

    Example Answers

  • 5/26/2018 CloudBytes_STAR Certification V1

    11/56

    Example Answers

  • 5/26/2018 CloudBytes_STAR Certification V1

    12/56

    Background

    ISO/IEC 27001 is the international management systems standard for Information Security.

    It is widely recognized and respected and in some cases mandated by some governments like Japan and Her Majesty's Government (HMG) G-Cloud. (?)

    Does not focus in detail on any particular sector specific areas of security. It is scalable and flexible to allow for growth and applicability.

    The Cloud Controls Matrix (CCM) provides the additional detail required to ensure that the generic standard focuses on the critical controls for Cloud Security.

    ISO 27001 is written with the expectation that other controls could be added.

    Extract from ISO/IEC 27001: "Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. Organizations can design controls as required, or identify them from any source."

    In addition there was a concern that the pass/fail approach to standards does not give much information to cloud service purchasers. Therefore the CCM will be assessed against a 5 level capability model.

  • 5/26/2018 CloudBytes_STAR Certification V1

    13/56

    Assessing the CCM

    ISO/IEC 27001 ensures an organization has the overarching management systems in place to manage the processes and procedures governing the controls. Without this in place there would be little reassurance that the controls sat within a sound management framework.

    Scope must be Fit-for-Purpose and SLA Driven.

    The audit has additional assessment of the CCM against a maturity because this not only lets an organization and its clients understand that they have met the minimum standards, but shows them where there is potential for improvement.

    The maturity model was piloted and improved to ensure a reliable result can be achieved.

    BSI facilitated the development because we have experience in creating maturity/capability models that work with management system standards.

    Our aim was to take the most appropriate approaches out there to create a model that works with the CCM.

  • 5/26/2018 CloudBytes_STAR Certification V1

    14/56

    Assessing the CCM

    CCM 1.4: 11 Domains

    1. Compliance (CO)

    2. Data Governance (DG)

    3. Facility Security (FS)

    4. Human Resources (HR)

    5. Information Security (IS)

    6. Legal (LG)

    7. Operations Management (OM)

    8. Risk Management (RI)

    9. Release Management (RM)

    10. Resiliency (RS)

    11. Security Architecture (SA)

  • 5/26/2018 CloudBytes_STAR Certification V1

    15/56

    Assessing the CCM 98 Controls

  • 5/26/2018 CloudBytes_STAR Certification V1

    16/56

    Assessing the CCM 98 Controls

  • 5/26/2018 CloudBytes_STAR Certification V1

    17/56

    Assessing the CCM 98 Controls

    Add controls to existing SOA

  • 5/26/2018 CloudBytes_STAR Certification V1

    18/56

    Capability Maturity Model

    "If you don't know where you are going, any road will get you there" ~Lewis Carroll~

  • 5/26/2018 CloudBytes_STAR Certification V1

    19/56

    Capability Life Cycle - PDM

    Kaizen principle

  • 5/26/2018 CloudBytes_STAR Certification V1

    21/56

    The Management Capability Levels

    Capability levels

    1. No Formal Approach

    2. Reactive Approach

    3. Proactive Approach

    4. Improvement Based Approach

    5. Innovative Approach

    Capability Factors

    1. Communication and Stakeholder Engagement

    2. Policies, Plans and Procedures, and a Systematic Approach

    3. Skills and Expertise

    4. Ownership, Leadership and Management

    5. Monitoring and Measuring

  • 5/26/2018 CloudBytes_STAR Certification V1

    24/56

    General Management System

    Cloud Specific Controls

    Well MANAGED and FOCUSED system

    ISO/IEC 27001

    Capability Model

    CCM

  • 5/26/2018 CloudBytes_STAR Certification V1

    25/56

    G-Cloud

  • 5/26/2018 CloudBytes_STAR Certification V1

    26/56

    "The G-Cloud has a current accreditation scheme which focuses on the sensitivity of the information that is stored within the cloud solution and couples that with certain controls, actions and evidence that the cloud provider must provide in order to prove that the information is kept safe." ~SaaSAssurance~

    "By achieving Pan Government Accreditation it will enable these services to be procured by multiple customers, benefiting both customer and supplier fitting with our mantra of do it once and re-use, re-use, re-use." ~HM Government G-Cloud~

  • 5/26/2018 CloudBytes_STAR Certification V1

    27/56

    Business Impact Levels

    Extract from HMG IA Standard No.1 Business Impact Level Tables

  • 5/26/2018 CloudBytes_STAR Certification V1

    29/56

    What the Experts Say

    "Well, earlier on I made the claim that the answer to provide transparency in public sector cloud Certification when none exists is the CSA (STAR).

    Using the principles of the G-Cloud accreditation plus the Cloud Security Alliance (STAR) Certification can provide a very high level of assurance" ~Mark Dunne, CEO; SaaSAssurance~

    The following slides demonstrate how both G-Cloud and (STAR) can be used together for that high level of assurance

  • 5/26/2018 CloudBytes_STAR Certification V1

    30/56

    G-Cloud Accreditation | CSA (STAR)

    Let's look at ways to optimise the best level of assurance by using both certification schemes in tandem

  • 5/26/2018 CloudBytes_STAR Certification V1

    31/56

    G-Cloud Accreditation | CSA (STAR)

    Risk Assessment, RMADs, Residual Risk Statement, Risk Register

    For G-Cloud accreditation, the Pan Government Accreditor must review and approve the Risk Management And Accreditation Documentation Set (RMADS)

  • 5/26/2018 CloudBytes_STAR Certification V1

    33/56

    G-Cloud Accreditation | CSA (STAR)

    Risk Assessment, RMADs, Residual Risk Statement, Risk Register | Cloud Controls Matrix (CCM)

    For G-Cloud accreditation, the Pan Government Accreditor must review and approve the Risk Management And Accreditation Documentation Set (RMADS)

    To bolster this process, ensure the controls from the Cloud Controls Matrix (CCM) are reviewed while dealing with all assets related to cloud technology

  • 5/26/2018 CloudBytes_STAR Certification V1

    34/56

    G-Cloud Accreditation | CSA (STAR)

    Risk Assessment, RMADs, Residual Risk Statement, Risk Register | Cloud Controls Matrix (CCM)

    ISO/IEC 27001 Certificate

    For G-Cloud accreditation, ISO/IEC 27001 Certification must be carried out by a UKAS accredited body or an international equivalent (a signatory to the EA MLA)

  • 5/26/2018 CloudBytes_STAR Certification V1

    35/56

    G-Cloud Accreditation | CSA (STAR)

    Risk Assessment, RMADs, Residual Risk Statement, Risk Register | Cloud Controls Matrix (CCM)

    ISO/IEC 27001 Certificate | ISO/IEC 27001 Certificate

    For G-Cloud accreditation, ISO/IEC 27001 Certification must be carried out by a UKAS accredited body or an international equivalent (a signatory to the EA MLA)

    The STAR Certification is based upon achieving ISO/IEC 27001 and the specified set of criteria outlined in the Cloud Controls Matrix

  • 5/26/2018 CloudBytes_STAR Certification V1

    36/56

    G-Cloud Accreditation | CSA (STAR)

    Risk Assessment, RMADs, Residual Risk Statement, Risk Register | Cloud Controls Matrix (CCM)

    ISO/IEC 27001 Certificate | ISO/IEC 27001 Certificate

    ISO/IEC 27001 Certificate (suitably scoped)

    On top of being UKAS or equivalent, IL1/2 (Business Impact Level profiles 11x/22x): Based on good commercial standards, centred around a suitably scoped ISO/IEC 27001 certification

  • 5/26/2018 CloudBytes_STAR Certification V1

    37/56

    G-Cloud Accreditation | CSA (STAR)

    Risk Assessment, RMADs, Residual Risk Statement, Risk Register | Cloud Controls Matrix (CCM)

    ISO/IEC 27001 Certificate | ISO/IEC 27001 Certificate

    ISO/IEC 27001 Certificate (suitably scoped) | ISO/IEC 27001 Certificate (fit for purpose)

    On top of being UKAS or equivalent, IL1/2 (Business Impact Level profiles 11x/22x): Based on good commercial standards, centred around a suitably scoped ISO/IEC 27001 certification

    STAR Certification evaluates the efficiency of an organization's ISMS and ensures the scope, processes and objectives are Fit for Purpose

  • 5/26/2018 CloudBytes_STAR Certification V1

    38/56

    G-Cloud Accreditation | CSA (STAR)

    Risk Assessment, RMADs, Residual Risk Statement, Risk Register | Cloud Controls Matrix (CCM)

    ISO/IEC 27001 Certificate | ISO/IEC 27001 Certificate

    ISO/IEC 27001 Certificate (suitably scoped) | ISO/IEC 27001 Certificate (fit for purpose)

    Information Assurance (IA) compliance

    Public Sector requires information assurance as part of security accreditation of G-Cloud ICT services (Providing evidence on DPA, Location, Personal Information, subcontractors, technical solution, etc.)

  • 5/26/2018 CloudBytes_STAR Certification V1

    39/56

    G-Cloud Accreditation | CSA (STAR)

    Risk Assessment, RMADs, Residual Risk Statement, Risk Register | Cloud Controls Matrix (CCM)

    ISO/IEC 27001 Certificate | ISO/IEC 27001 Certificate

    ISO/IEC 27001 Certificate (suitably scoped) | ISO/IEC 27001 Certificate (fit for purpose)

    Information Assurance (IA) compliance | Management Capability Score

    Public Sector requires information assurance as part of security accreditation of G-Cloud ICT services (Providing evidence on DPA, Location, Personal Information, subcontractors, technical solution, etc.)

    With STAR, each domain will be scored on a specific maturity and will be measured against five management principles, defining the Management Capability Score.

    These levels will be designated as either No, Bronze, Silver or Gold awards.

  • 5/26/2018 CloudBytes_STAR Certification V1

    40/56

    UK G-Cloud & CSA (STAR)

    As you can see, this is an example of when combined, the CSA (STAR) and Government accreditation frameworks can provide an exceptional level of assurance for solutions operating in the public sector and the (STAR) Certification will become that differentiator.

    By: Mark Dunne, SaaSAssurance

    @2SaaS

    Digital Information Security Management Systems ISO/IEC 27001

    Full article to feature in eForensics magazine

  • 5/26/2018 CloudBytes_STAR Certification V1

    41/56

    Cloud Controls What are they about?

  • 5/26/2018 CloudBytes_STAR Certification V1

    42/56

    Approving Assessors

    Experience

    They must be a qualified auditor working for an ISO 27006 accredited CB

    Evidence of conducting ISO 27001 assessments for a certification body accredited by an IAF member to ISO 27006 or their qualifications as an auditor for that organization.

    Competence

    They must complete the CSA-approved course qualifying them to audit the CCM for STAR Certification (This course is sanctioned by CSA and carried out by BSI)

    Background

    They must demonstrate knowledge of the Cloud Sector

    Either through verifiable industry experience, this can include through assessing organizations

    Or through completing CCSK certification or equivalent

  • 5/26/2018 CloudBytes_STAR Certification V1

    43/56

    Assessor

    Knowledge of Cloud

    Knowledge of the CCM audit

    Knowledge of ISO 27k audit

  • 5/26/2018 CloudBytes_STAR Certification V1

    44/56

    Credibility

  • 5/26/2018 CloudBytes_STAR Certification V1

    45/56

    European Commission

    Thailand

    Singapore

    Taiwan

    Australia

    New Zealand

    Internet2

    Countries/entities that refer to OCF / STAR Certification either as requirement in cloud service procurement or suitable certification for the security cloud services.

  • 5/26/2018 CloudBytes_STAR Certification V1

    46/56

    Endorsements

    This unified third-party certification greatly improves the efficiency with which consumers evaluate providers and provides an objective, thorough credential upon which to build trust in a provider's services.

    In the absence of CSA's STAR certification, parties negotiating cloud-based services confront significant friction in putting in place the terms and conditions of their arrangements. No one benefits from extensive contract negotiations that are often shaped by lawyers struggling to understand the technologies and assurances; STAR certification streamlines the dialogue and provides a transparent, shared foundation for moving forward.

    Jeffery Ritter, Esq

    Cyber Law, Research, Standards, Technology, International Trade and Author

    Recognized as a pioneer in shaping the legal rules for cyberspace.

    The CSA STAR Certification and Registry represent an important innovation toward improving the transparency and certainty with which the global community can embrace cloud-based services with greater confidence.

  • 5/26/2018 CloudBytes_STAR Certification V1

    47/56

    Cloud Trust Protocol

    Real time monitoring of security properties, as well as continuous transparency of services and comparability between services on core security properties.

  • 5/26/2018 CloudBytes_STAR Certification V1

    48/56

    CTP Real-Time Monitoring

    Consumers do not have simple, cost effective ways to evaluate and compare their providers' resilience, security processes, data protection capabilities, and service portability in real time.

    The CSA Cloud Trust Protocol (CTP) is an industry initiative to enable real time monitoring of cloud provider security properties, as well as providing continuous transparency of services and comparability between services on core security properties.

    CTP forms part of the GRC stack and the Open Certification Framework as the continuous monitoring component, complementing assessments provided by STAR certification and STAR assessment.

  • 5/26/2018 CloudBytes_STAR Certification V1

    49/56

    CTP Real-Time Monitoring

    The CTP Application Programming Interface (API) is designed to be a RESTful protocol that Cloud Customers can use to query a Cloud Service Provider (CSP) on current security attributes related to a cloud, such as the current level of availability of the service or information on the last vulnerability assessment, which can be done in a classical query response approach.

    It will be built on the following CSA best practices/standards:

    Cloud Controls Matrix (CCM)

    Cloud Trust Protocol (CTP)

    CloudAudit

    CSA STAR Continuous is currently under development and the target date of delivery is 2015.

  • 5/26/2018 CloudBytes_STAR Certification V1

    50/56

    New and evolving standards

    Standards Update

  • 5/26/2018 CloudBytes_STAR Certification V1

    54/56

    Transforming the Cloud

    "Our key to transforming anything lies in our ability to reframe it." ~Marianne Williamson~

  • 5/26/2018 CloudBytes_STAR Certification V1

    55/56

    Questions?

  • 5/26/2018 CloudBytes_STAR Certification V1

    56/56

    Contact Us

    (571) 830 4555

    www.bsiamerica.com

    THANK YOU!