
Page 1

B4 OPTIMIZING SECURITY SPEND AND MAXIMIZING RISK REDUCTION WITH CSA TOOLS

Jon-Michael Brook, CISSP, CCSK
Randall Brooks, CISSP, CCSK
@jonmichaelbrook @randallsbrooks

Copyright © 2018 Guide Holdings

Page 2

LEARNING OBJECTIVES

• A brief cloud history and architectural components
• Using the CAIQ and/or STARWatch in an assessment process
• Using STAR and third-party ratings in vetting your supply chain exposure
• Compliance cross-mapping and automation
• Automated assessment tools for AWS, Azure & Google Cloud
• Compare business spending
• Other bonus information on Top Threats

Page 3

WHAT ENABLED THE CLOUD?

Pre-cloud: early virtualization
• 2001 - VMware created the first x86 server virtualization product
• 2003 - Release of the first open-source x86 hypervisor, Xen
• Microsoft releases Microsoft Virtual PC
• 2005 - VMware Player, a free player for virtual machines

Hardware support
• 2006 - Intel (VT-x) and AMD (AMD-V) introduced with limited hardware virtualization support
• 2006 - Amazon Elastic Compute Cloud (EC2) beta

[Timeline figure on the slide, 2000 to 2015]

Post-AWS: more choices
• 2008 - Eucalyptus open-source elastic computing service
• 2010 - Rackspace teams up with NASA to release OpenStack

More segmentation
• 2013 - Docker: open-source Linux container (LXC) runs Unix processes in isolation
• 2013 - VMware introduces vCloud Hybrid Service (vCHS)
• 2014 - Software Defined Perimeter (SDP)
• 2015 - Lambda
• 2016 - Kubernetes

Page 4

ARCHITECTURAL COMPONENTS

Technologies
• PaaS, IaaS, SaaS, flat network, VPN
• Reliance on enterprise backhaul
• Cloud-native technology lag for required services (e.g. DLP)
• Identity and Access Management - Active Directory
• Trusted insider – biggest concern
• 16 domains/133 controls in the CSA Cloud Controls Matrix (CCM v3.0.1)
• ISO 27001: 14 groups/114 controls
• SANS Critical Controls/PCI/FedRAMP/PIPEDA
• Applications/Information/Management/Network
• Risk types (Operational/Compliance/Strategic/Market)

Evaluation describes necessary mitigations categorically

Page 5

INTRODUCTION TO THE CLOUD SECURITY ALLIANCE (CSA)

"The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment."

• Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative Questionnaire (CAIQ)
• CloudAudit
• Cloud Trust Protocol (CTP)

https://cloudsecurityalliance.org

Page 6

PURPOSE

Strategic drivers
• What is the root justification for a move to the cloud?
• What could/shouldn't be moved?
• Are security concerns keeping you from migrating to the cloud?
• Where are the serious risks within your cloud strategy?
• How do you prepare your team for the migration?
• What steps are necessary for success?
• How do you instill best practices and uncover institutional deficiencies that will impact the project?

Ease your journey to the cloud. Understand the impact of adoption on your current IT infrastructure, policies & processes. Compare options of services with the necessity and efficacy of mitigations.

Page 7

METHODOLOGY - SURVEY

Security concerns impacting migration
• Identify migration security concerns
• Review or develop cloud strategy
• Generate success requirements
• Compare your organizational needs with cloud expectations
• Perform a risk assessment and discuss risk tolerances
• Review, validate or create institutional policies for cloud appropriateness
• Review or develop a data classification methodology and protection capabilities
• Provide your team cloud baseline understanding through group training
• Provide best practices and find institutional deficiencies

Transformative advisory or co-development services for your move through the stages of cloud deployment. As you prepare for your cloud journey, we'll help you address the pre-migration security details.

Page 8

METHODOLOGY - PREPARE

Getting your cloud project off the ground
• Evaluate/recommend security tools for cloud capabilities
• Document areas of concern by security domain, business segment or internal processes
• Identify, catalog and architect risk mitigations
• Compare organizational performance against similarly sized companies, by industry verticals or by compliance obligations
• Design, review and integrate third-party cloud vendor assessment methodologies
• Develop a deployment roadmap

Resiliency, speed and cost are common benefits of cloud adoption; not accounting for cloud-native designs and security patterns will destroy most of those advantages. These oversights may leave an organization open to security and compliance risks.

Page 9

METHODOLOGY - EXECUTE

How and when for the initial move
• Schedule timelines and a project plan
• Identify and catalog top transition candidate applications
• Design and integrate cloud into existing processes
• Identify and architect necessary security patterns
• Implement and test a sandboxed pilot demo with sample data
• Migrate and test in the production environment
• Document the lessons learned

Identify an initial application candidate and recommend a deployment methodology. Institutionalize the process with the identified stakeholders, decision makers and reviewers. Know where and how organizational structure impacts capability integration. We'll identify the quick win with the expectation that additional migrations will be justified.

Page 10

COMPARISONS AND RATINGS FOR TOOLS

Industry-standard CSA information
• Cloud Controls Matrix (CCM) evaluations
• CAIQ – questionnaire for the CCM
• STAR – repository of CAIQ responses
• Varying levels of reporting/auditing

CAIQ/STAR as the foundation of a rating
• 298 Q's allows wider distribution
• Non-STAR needs confidence incorporation

Methodology: quantitative vs. qualitative
• Consistency from submission to submission
• Automated executive/change control board dashboarding

Page 11

TOOLS - REPEATABLE RISK CALCULATIONS

RISK = LIKELIHOOD x IMPACT

QUALITATIVE vs. QUANTITATIVE

Page 12

CONSENSUS ASSESSMENT INITIATIVE

The CAIQ provides a consistent assessment questionnaire across vendors

Page 13

CONFIDENCE OVERVIEW

CAIQ binary answers (Y/N/NA); justifications typically in the notes

Validation through automation
• No answer, two answers, no justification
• Confidence increases with public access: STAR entry and audit level
• Length, verbs, links
• Answer correlation/congruence testing
• CSA Assessor's Grid – 1-16

Example CAIQ with selected answers

Ratings for CMMI speak to care, maturity and repeatability

Page 14

STAR WATCH

https://star.watch/en/

The STAR Watch portal allows CCM/CAIQ assessment from a browser

Page 15

STAR WATCH ASSESSMENT

https://star.watch/en/assessment/

The STAR Watch portal allows CAIQ assessment from a browser. Features include question assignments and maturity ratings.

Page 16

INDUSTRY STANDARD MAPPINGS

Toggle mappings: mappings from the CCM against the CAIQ
• Enterprise Architecture
• COBIT
• PCI
• EU DPD
• Etc…

Standards mappings within the STAR Watch portal

Page 17

DOMAIN DEFICIENCY SCORING

• Single focus (domains)
• Rudimentary
• Assessment phase 1

Initial Domain Dashboard: deficiency counts per CCM v3.0.1 domain, three score series as charted on the slide

Code  Domain                                                        Series 1  Series 2  Series 3
AIS   Application & Interface Security                                  2         0         2
AAC   Audit Assurance & Compliance                                      1         2         0
BCR   Business Continuity Management & Operational Resilience           2         2         5
CCC   Change Control & Configuration Management                         1         3         1
DSI   Data Security & Information Lifecycle Management                  3         3         1
DCS   Datacenter Security                                               1         2         6
EKM   Encryption & Key Management                                       3         1         0
GRM   Governance and Risk Management                                    1         2         8
HRS   Human Resources                                                   0         6         5
IAM   Identity & Access Management                                      1         6         5
IVS   Infrastructure & Virtualization Security                          5         3         5
IPY   Interoperability & Portability                                    0         0         5
MOS   Mobile Security                                                   0         4        16
SEF   Security Incident Management, E-Discovery & Cloud Forensics       2         2         1
STA   Supply Chain Management, Transparency and Accountability          1         4         4
TVM   Threat and Vulnerability Management                               1         2         0
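The automated CAIQ validation described on the Confidence Overview slide (no answer, two answers, no justification; note length, verbs and links; answer congruence) and the per-domain deficiency counts behind the Domain Deficiency Scoring dashboard can be produced by one small script. The following is an added example written for this page; it is not code from the slides or from CSA's tooling. The CAIQ rows are constructed and follow the CSA spreadsheet layout (question ID in the CCM v3.0.1 DOMAIN-NN.N form, question text, Yes/No/NA columns, notes); the word-count threshold, the verb and link patterns, the congruence phrases and the confidence weights are this example's own assumptions.

```python
"""
Added example (not from the slides or CSA's tooling): automated validation
of CAIQ answers with a -1..1 confidence score, plus per-domain deficiency
counts of the kind a domain dashboard plots.
"""
import csv
import io
import re

# Constructed CAIQ excerpt. An "X" marks the selected answer column.
CAIQ_CSV = """question_id,question,yes,no,na,notes
AIS-01.1,Do you use industry standards to build in security for your SDLC?,X,,,"We follow OWASP ASVS; see https://example.invalid/sdlc"
AIS-01.2,Do you use an automated source code analysis tool?,X,X,,"Static analysis runs in CI"
AIS-02.1,Do you perform penetration testing on your applications?,,X,,
EKM-02.1,Do you have a capability to allow creation of unique encryption keys per tenant?,X,,,
EKM-03.1,Do you encrypt tenant data at rest?,,,,"Depends on the service"
IAM-02.1,Do you have controls ensuring timely removal of systems access?,X,,,"Deprovisioning is automated through the HR feed and reviewed quarterly"
IAM-12.1,Do you support federated identity (SAML/OAuth)?,,,X,"Not applicable: SAML 2.0 and OIDC are supported"
"""

# CCM v3.0.1 domain codes; a question ID outside this set is itself a defect.
CCM_DOMAINS = {"AIS", "AAC", "BCR", "CCC", "DSI", "DCS", "EKM", "GRM",
               "HRS", "IAM", "IVS", "IPY", "MOS", "SEF", "STA", "TVM"}

MIN_NOTE_WORDS = 6        # assumption: shorter justifications count as "thin"
LINK_RE = re.compile(r"https?://\S+")
VERB_RE = re.compile(r"\b(is|are|use|uses|run|runs|follow|follows|perform|performs|"
                     r"review|reviewed|encrypt|encrypts|support|supported|monitor|"
                     r"monitors|automated|enforce|enforced)\b", re.I)
# Phrases that contradict a "No" or "NA" answer (congruence test); assumption.
CLAIMS_CONTROL_RE = re.compile(r"\b(supported|in place|we (do|have|use|run))\b", re.I)


def parse_caiq(text):
    return list(csv.DictReader(io.StringIO(text)))


def marked_columns(row):
    return [col for col in ("yes", "no", "na") if row[col].strip()]


def defects_for(row):
    """Structural and congruence defects for one CAIQ row; [] means clean."""
    defects = []
    marked = marked_columns(row)
    if not marked:
        defects.append("NO_ANSWER")
    elif len(marked) > 1:
        defects.append("TWO_ANSWERS")
    note = row["notes"].strip()
    if not note:
        defects.append("NO_JUSTIFICATION")
    elif marked in (["no"], ["na"]) and CLAIMS_CONTROL_RE.search(note):
        defects.append("INCONGRUENT")          # note claims a control the answer denies
    if row["question_id"].split("-", 1)[0] not in CCM_DOMAINS:
        defects.append("UNKNOWN_DOMAIN")
    return defects


def confidence(row, defects):
    """Score in [-1, 1]: evidence in the note raises it, each defect costs 1."""
    note = row["notes"].strip()
    score = 0.0
    if len(note.split()) >= MIN_NOTE_WORDS:
        score += 0.5
    if VERB_RE.search(note):
        score += 0.25
    if LINK_RE.search(note):
        score += 0.25
    score -= len(defects)
    return max(-1.0, min(1.0, score))


def assess(text):
    results = []
    for row in parse_caiq(text):
        marked = marked_columns(row)
        defects = defects_for(row)
        results.append({
            "question_id": row["question_id"],
            "domain": row["question_id"].split("-", 1)[0],
            "answer": marked[0] if len(marked) == 1 else None,
            "defects": defects,
            "confidence": confidence(row, defects),
        })
    return results


def domain_scores(results):
    """Per-domain counts; a question is deficient when answered No or defective."""
    scores = {}
    for r in results:
        entry = scores.setdefault(r["domain"], {"questions": 0, "deficient": 0})
        entry["questions"] += 1
        if r["answer"] == "no" or r["defects"]:
            entry["deficient"] += 1
    return scores


if __name__ == "__main__":
    results = assess(CAIQ_CSV)
    for r in results:
        print(f'{r["question_id"]:9} {str(r["answer"]):5} {r["confidence"]:+.2f} '
              f'{",".join(r["defects"])}')
    print(domain_scores(results))
```

Running the script flags the double-marked AIS-01.2, the unanswered EKM-03.1, the two rows with empty notes, and the IAM-12.1 "NA" whose note says the feature is supported; the clean rows with evidence-bearing notes score 1.0 and 0.75. The same structure extends to a full 16-domain CAIQ export by widening the input, and the deficiency dictionary is the per-domain series a dashboard charts.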

Page 18

COMPARATIVE METHODOLOGY

Enterprise risk tolerance
• Initial, interactive customer assessment service

Comparisons – as-is and future CSP
• Provide mitigation possibilities with risk change

Confidence
• Example based on -1 to 1. Also 1-5, 1-10, 1-16

Risk control areas
• CSA domains, organizational, tech vs. controls

Comparative Risk Breakouts

Page 19

BEYOND A STAR(S) RATING

What makes a 5-star / 4-diamond / 3-Michelin-star rating?
• 1 star represents "a very good restaurant in its category."
• 2 stars mean "excellent cooking and worth a detour."
• 3 stars honor "exceptional cuisine" that's "worth the journey."
• More transparency? Same?

One customer question will be asked
• What risk level will meet my compliance needs?

Risk office knows trends/domains to improve

Still must address
• Can you trust the data provided?

CCM & Functional Risk Breakouts

Page 20

PROCESS - MITIGATING CONTROLS

Where do I get them?
• Change control process

Scoping
Catalogue
Biggest issues
Repeatability

Page 21

TECHNICAL MAPPINGS/OVERLAY CONTROLS

Integration with additional questionnaires and frameworks beyond the CCM (e.g. NIST SP 800-53 technical questionnaire or HITRUST)

Presentation layer based on enterprise architecture
• TOGAF, SABSA, ITIL, Jericho
• https://research.cloudsecurityalliance.org/tci/index.php/explore/

Page 22

ROADMAP – PILOT OBJECTIVES

15 days – Drivers
• Organizational structure and key players
• Strategic drivers discussions and success identification

60 days – Survey
• Existing policies, current products, data classification
• Team training and understand future state

6 mos – Prepare
• Security assessment, risk mitigations
• Underlying security

9 mos – Execute
• Environment development, sample data preparation, application demo sandbox and product migration

Page 23

AUTOMATED TECHNICAL ASSESSMENT TOOLS

System automation and scale are incompatible with annual audits
• Velocity of cloud, with too many system changes hourly/daily/monthly
• Multi-region and multi-cloud implementation scale and logging differences
• PaaS offerings – serverless, containers, automation scripts don't readily translate

Continuous technical compliance check examples:
• Administrator: MFA enabled, password complexity, super administrator created, root locked down
• Services: service accounts, separation of duties, monitoring, alerting
• Resources: public storage removal, serverless code, log deletion, Customer Master Keys, Data Encryption Keys
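The continuous checks listed above (MFA, password complexity, root locked down, public storage, customer master keys) are what an automated assessment tool evaluates against inventory snapshots rather than an annual audit. The following is an added example written for this page, not the slides' or any vendor's code. All input data is constructed: the identity rows use a subset of the columns of the AWS IAM credential report; the password policy, bucket and key records use the field names of IAM GetAccountPasswordPolicy, S3 PublicAccessBlockConfiguration and KMS DescribeKey/GetKeyRotationStatus responses. The thresholds, the fixed clock and the CCM domain tag on each check are this example's own assumptions, chosen so the output lines up with the domain-by-domain dashboards earlier in the deck.

```python
"""
Added example (not from the slides): continuous technical compliance checks
over point-in-time inventory snapshots, tagged by CCM domain.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2018, 5, 1, tzinfo=timezone.utc)   # fixed clock so runs are repeatable
MAX_KEY_AGE = timedelta(days=90)                   # assumption: access-key rotation policy
MIN_PASSWORD_LENGTH = 14                           # assumption: password policy
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed subset of an IAM credential report (real column names, invented values).
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2017-11-02T09:14:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2018-03-01T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2017-09-15T08:30:00+00:00,true,2018-04-20T12:00:00+00:00
"""
PASSWORD_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False,
                   "RequireNumbers": True, "RequireUppercaseCharacters": True,
                   "RequireLowercaseCharacters": True, "MaxPasswordAge": 90}
BUCKETS = [
    {"Name": "corp-logs", "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True)},
    {"Name": "marketing-assets", "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, False)},
    {"Name": "backups", "PublicAccessBlock": None},      # no configuration attached at all
]
KMS_KEYS = [
    {"KeyId": "1a2b3c4d-0000-4000-8000-000000000001", "KeyManager": "CUSTOMER", "KeyRotationEnabled": True},
    {"KeyId": "1a2b3c4d-0000-4000-8000-000000000002", "KeyManager": "CUSTOMER", "KeyRotationEnabled": False},
    {"KeyId": "1a2b3c4d-0000-4000-8000-000000000003", "KeyManager": "AWS", "KeyRotationEnabled": True},
]


def finding(domain, check, resource, severity, detail):
    return {"domain": domain, "check": check, "resource": resource,
            "severity": severity, "detail": detail}


def check_identities(report_csv, now=NOW):
    """Administrator checks: root locked down, MFA on console users, key age."""
    out = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                out.append(finding("IAM", "ROOT_NO_MFA", user, "high", "root has no MFA device"))
            for n in (1, 2):
                if row[f"access_key_{n}_active"] == "true":
                    out.append(finding("IAM", "ROOT_ACCESS_KEY_ACTIVE", user, "high",
                                       f"root access key {n} is active"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            out.append(finding("IAM", "USER_NO_MFA", user, "medium", "console user without MFA"))
        for n in (1, 2):
            rotated = row[f"access_key_{n}_last_rotated"]
            if row[f"access_key_{n}_active"] != "true" or rotated == "N/A":
                continue
            age = now - datetime.fromisoformat(rotated)
            if age > MAX_KEY_AGE:
                out.append(finding("IAM", "STALE_ACCESS_KEY", f"{user}/key{n}", "medium",
                                   f"access key {n} last rotated {age.days} days ago"))
    return out


def check_password_policy(policy):
    out = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_PASSWORD_LENGTH:
        out.append(finding("IAM", "WEAK_PASSWORD_POLICY", "account", "medium",
                           f"minimum length {length} < {MIN_PASSWORD_LENGTH}"))
    for flag in ("RequireSymbols", "RequireNumbers", "RequireUppercaseCharacters",
                 "RequireLowercaseCharacters"):
        if not policy.get(flag):
            out.append(finding("IAM", "WEAK_PASSWORD_POLICY", "account", "medium", f"{flag} is off"))
    return out


def check_storage(buckets):
    """Resource check: every public-access block flag must be set on every bucket."""
    out = []
    for b in buckets:
        cfg = b.get("PublicAccessBlock") or {}
        unset = [f for f in PAB_FLAGS if not cfg.get(f)]
        if unset:
            out.append(finding("DSI", "PUBLIC_ACCESS_NOT_BLOCKED", b["Name"], "high",
                               "unset: " + ", ".join(unset)))
    return out


def check_keys(keys):
    """Resource check: customer-managed CMKs must have automatic rotation enabled."""
    return [finding("EKM", "CMK_ROTATION_DISABLED", k["KeyId"], "medium", "rotation disabled")
            for k in keys if k["KeyManager"] == "CUSTOMER" and not k["KeyRotationEnabled"]]


def run_all():
    return (check_identities(CREDENTIAL_REPORT) + check_password_policy(PASSWORD_POLICY)
            + check_storage(BUCKETS) + check_keys(KMS_KEYS))


def summarize(findings):
    """Counts by CCM domain and by check, the numbers a domain dashboard plots."""
    by_domain, by_check = {}, {}
    for f in findings:
        by_domain[f["domain"]] = by_domain.get(f["domain"], 0) + 1
        by_check[f["check"]] = by_check.get(f["check"], 0) + 1
    return {"by_domain": by_domain, "by_check": by_check}


if __name__ == "__main__":
    findings = run_all()
    for f in findings:
        print(f'{f["severity"]:6} {f["domain"]} {f["check"]:26} {f["resource"]}: {f["detail"]}')
    print(summarize(findings))
```

On the constructed snapshot the run produces nine findings: the root account without MFA and with a live access key, a console user without MFA, a service-account key older than the rotation window, two password-policy gaps, two buckets without a complete public-access block, and one customer-managed key without rotation. In a real deployment the three snapshot inputs would be pulled on a schedule (hourly or per change-control event) from the provider's APIs, and the per-domain counts would feed the same dashboard as the CAIQ-derived scores.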

Page 24

FINAL RECOMMENDATION

Compare business spending to peers:
• Functional/operational domains
• Projects
• Revenue center

Page 25

CSA TOP THREATS: MARKET UPDATE

https://cloudsecurityalliance.org/working-groups/top-threats

Page 26

THANK YOU

Jon-Michael Brook, CISSP, CCSK
Randall Brooks, CISSP, CCSK
@jonmichaelbrook @randallsbrooks