Cloud Security Alliance's GRC Stack Overview


Upload: valdez-ladd-mba-cissp-cisa

Post on 06-May-2015


DESCRIPTION

Cloud Security Alliance's GRC Stack Overview presented at CloudCamp RTP August, 2011 Version 2, update January 2012.

TRANSCRIPT

Page 1: Cloud Security Alliance's GRC Stack Overview

© 2011 Cloud Security Alliance, Inc. All rights reserved.

Cloud Security Alliance & GRC Stack

Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance, & Prof. Kai Hwang, University of Southern California

Presented to Triad ISSA, NC, January 26, 2012

Valdez Ladd, ISSA Raleigh, NC 2012

Page 2: Cloud Security Alliance's GRC Stack Overview


About the Cloud Security Alliance

Global, not-for-profit organization

Building best practices and a trusted cloud ecosystem

Comprehensive research and tools

Certificate of Cloud Security Knowledge (CCSK)

www.cloudsecurityalliance.org

Page 3: Cloud Security Alliance's GRC Stack Overview


Presentation Outline

Introduction: what this class is about, prerequisites, how to benefit

Cloud basics

PCI DSS + cloud scenario for example

Cloud Security Alliance toolsets: Control Matrix, Consensus Assessments, etc.

Conclusions and action items


Page 4: Cloud Security Alliance's GRC Stack Overview


Cloud?

Page 5: Cloud Security Alliance's GRC Stack Overview


NIST Definition of Cloud Computing

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”


Page 6: Cloud Security Alliance's GRC Stack Overview


5 Essential Cloud Characteristics

1. On-demand self-service
2. Broad network access
3. Resource pooling
   – Location independence
4. Rapid elasticity
5. Measured service


Page 7: Cloud Security Alliance's GRC Stack Overview


3 Cloud Service Models

1. Cloud Software as a Service (SaaS)
   – Use provider’s applications over a network
2. Cloud Platform as a Service (PaaS)
   – Deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS)
   – Rent processing, storage, network capacity, and other fundamental computing resources

To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics


Page 8: Cloud Security Alliance's GRC Stack Overview


4 Cloud Deployment Models

Private cloud: enterprise owned or leased

Community cloud: shared infrastructure for a specific community

Public cloud (our focus in this class!): sold to the public, mega-scale infrastructure

Hybrid cloud: composition of two or more clouds


Page 9: Cloud Security Alliance's GRC Stack Overview


Page 10: Cloud Security Alliance's GRC Stack Overview


7 Common Cloud Characteristics

1. Massive scale
2. Homogeneity
3. Virtualization
4. Resilient computing
5. Low cost software
6. Geographic distribution
7. Service orientation


Page 11: Cloud Security Alliance's GRC Stack Overview


All of this TOGETHER: The Cloud

(Diagram: the deployment models, service models and characteristics from the previous slides assembled into one picture)

Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds

Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Essential Characteristics: On Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service

Common Characteristics: Massive Scale, Homogeneity, Virtualization, Resilient Computing, Low Cost Software, Geographic Distribution, Service Orientation, Advanced Security


Page 12: Cloud Security Alliance's GRC Stack Overview


Example IaaS: Amazon Cloud

Amazon cloud components
– Elastic Compute Cloud (EC2)
  • Run your own or Amazon’s OS “instances”
– Simple Storage Service (S3)
– SimpleDB
– Other services


Page 13: Cloud Security Alliance's GRC Stack Overview


Example PaaS: Google App Engine

Create, deploy and run applications

NO control (or, in fact, even visibility) of OS

Use SDK to develop the applications

Run “natively” in the cloud


Page 14: Cloud Security Alliance's GRC Stack Overview


Example SaaS: Salesforce

Well-known SaaS CRM application

Cloud CRM + a lot more applications


Page 15: Cloud Security Alliance's GRC Stack Overview


Example P/IaaS: Azure

Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das


Page 16: Cloud Security Alliance's GRC Stack Overview


Service Model Architectures

(Diagram: Infrastructure as a Service (IaaS) Architectures, Platform as a Service (PaaS) Architectures and Software as a Service (SaaS) Architectures, each drawn as a stack on Cloud Infrastructure)

IaaS stacks: Cloud Infrastructure → IaaS

PaaS stacks: Cloud Infrastructure → PaaS; Cloud Infrastructure → IaaS → PaaS

SaaS stacks: Cloud Infrastructure → SaaS; Cloud Infrastructure → PaaS → SaaS; Cloud Infrastructure → IaaS → PaaS → SaaS


Page 17: Cloud Security Alliance's GRC Stack Overview


Security: Barrier to Adoption?

Page 18: Cloud Security Alliance's GRC Stack Overview


What is Different about Cloud?

Page 19: Cloud Security Alliance's GRC Stack Overview


Security Relevant Cloud Components

Cloud Provisioning Services

Cloud Data Storage Services

Cloud Processing Infrastructure

Cloud Support Services

Cloud Network and Perimeter Security

Elastic Elements: Storage, Processing, and Virtual Networks


Page 20: Cloud Security Alliance's GRC Stack Overview


What is Different about Cloud?

Page 21: Cloud Security Alliance's GRC Stack Overview


What is Different about Cloud?

Page 22: Cloud Security Alliance's GRC Stack Overview


What is Different about Cloud?

Page 23: Cloud Security Alliance's GRC Stack Overview


CSA Cloud “Threats”

1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile


Page 24: Cloud Security Alliance's GRC Stack Overview


ENISA Cloud Computing Risk Assessment

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider


Page 25: Cloud Security Alliance's GRC Stack Overview


Cloud “Threats” – Top 3

1. Authentication abuse
2. Operations breakdown
3. Misuse of cloud-specific technology


Page 26: Cloud Security Alliance's GRC Stack Overview


FBI Takes Cloud Away

Page 27: Cloud Security Alliance's GRC Stack Overview


While we are “in the cloud”

Here are some additional CSA/cloud security resources…


Page 28: Cloud Security Alliance's GRC Stack Overview


CSA GRC Stack

Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.

(Diagram: Control Requirements and Provider Assertions, spanning Private, Community & Public Clouds)

Page 29: Cloud Security Alliance's GRC Stack Overview


CSA CloudAudit

Open standard and API to automate provider audit assertions

Change audit from data gathering to data analysis

Necessary to provide audit & assurance at the scale demanded by cloud providers

Uses Cloud Controls Matrix as controls namespace

Use to instrument cloud for continuous controls monitoring


Page 30: Cloud Security Alliance's GRC Stack Overview


CSA Cloud Controls Matrix


Controls derived from guidance

Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA

Rated as applicable to SaaS/PaaS/IaaS

Customer vs Provider role

Help bridge the “cloud gap” for IT & IT auditors

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

Page 31: Cloud Security Alliance's GRC Stack Overview



Next?

Page 32: Cloud Security Alliance's GRC Stack Overview


Thanks for Your Review!

Acknowledgement to Dr. Anton Chuvakin, SecurityWarrior LLC for Cloud Security Alliance, Cloud Security Alliance.org

Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by SecurityWarrior LLC

for Triad ISSA, NC, January 26, 2012

Valdez Ladd, ISSA Raleigh, NC 2011


Page 33: Cloud Security Alliance's GRC Stack Overview
