TRANSCRIPT
B4 OPTIMIZING SECURITY SPEND
AND MAXIMIZING RISK REDUCTION
WITH CSA TOOLS
Jon-Michael Brook, CISSP, CCSK
Randall Brooks, CISSP, CCSK
@jonmichaelbrook @randallsbrooks
Copyright © 2018 Guide Holdings
LEARNING OBJECTIVES
• A brief Cloud History and architectural components
• Using the CAIQ and/or STARWatch in an assessment process
• Using the STAR and 3rd party ratings in vetting your supply chain exposure
• Compliance cross-mapping and automation
• Automated assessment tools for AWS, Azure & Google Cloud
• Compare business spending
• Other bonus information on Top Threats
WHAT ENABLED THE CLOUD?
Pre-cloud
• Early Virtualization
• 2001 - VMware created the first x86 server virtualization product
• 2003 - Release of first open-source x86 hypervisor, Xen
• Microsoft releases Microsoft Virtual PC
• 2005 - VMware Player, a free player for virtual machines
• Hardware Support
• 2006 - Intel (VT-x) and AMD (AMD-V) introduced with limited hardware virtualization support
• 2006 - Amazon Elastic Compute Cloud (EC2) Beta
Timeline axis: 2000 to 2015
Post AWS
• More Choices
• 2008 - Eucalyptus open-source Elastic Computing service
• 2010 - Rackspace teams up with NASA to release OpenStack
• More Segmentation
• 2013 - Docker Open Source LinuX Container (LXC) runs Unix processes in isolation
• 2013 - VMware introduces vCloud Hybrid Service (vCHS)
• 2014 - Software Defined Perimeter (SDP)
• 2015 - Lambda
• 2016 - Kubernetes
ARCHITECTURAL COMPONENTS
Technologies
• PaaS, IaaS, SaaS, Flat Network, VPN
Reliance on enterprise backhaul
• Cloud native technology lag for required services (DLP)
• Identity and Access Management - Active Directory
Trusted Insider – biggest concern
• 16 domains/133 controls in CSA Cloud Controls Matrix
• ISO27001: 14 groups/114 controls
• SANS Critical Controls/PCI/FedRAMP/PIPEDA
• Applications/Information/Management/Network
• Risk Types (Operational/Compliance/Strategic/Market)
Evaluation describes necessary mitigations categorically
INTRODUCTION TO THE CLOUD SECURITY ALLIANCE (CSA)
“The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to
defining and raising awareness of best practices to help ensure a secure cloud computing
environment.”
• Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative Questionnaire (CAIQ)
• CloudAudit
• Cloud Trust Protocol (CTP)
https://cloudsecurityalliance.org
PURPOSE
Strategic drivers
• What is the root justification for a move to the cloud?
• What could/shouldn’t be moved?
• Are security concerns keeping you from migrating to the cloud?
• Where are the serious risks within your cloud strategy?
• How do you prepare your team for the migration?
• What steps are necessary for success?
• How do you instill best practices and uncover institutional deficiencies that will impact the project?
Ease your journey to the cloud. Understand the impact of adoption on your current IT infrastructure, policies & processes. Compare options of services with the necessity and efficacy of mitigations.
METHODOLOGY - SURVEY
Security Concerns Impacting Migration
• Identify migration security concerns
• Review or develop cloud strategy
• Generate success requirements
• Compare your organizational needs with cloud expectations
• Perform a risk assessment and discuss risk tolerances
• Review, validate or create institutional policies for cloud appropriateness
• Review or develop a data classification methodology and protection capabilities
• Provide your team cloud baseline understanding through group training
• Provide best practices and find institutional deficiencies
Transformative advisory or co-development services for your move through the stages of cloud deployment. As you prepare for your cloud journey, we’ll help you address the pre-migration security details.
METHODOLOGY - PREPARE
Getting Your Cloud Project Off the Ground
• Evaluate/recommend security tools for cloud capabilities
• Document areas of concern by security domain, business segment or internal processes
• Identify, catalog and architect risk mitigations
• Compare organizational performance against similarly sized companies, by industry verticals or by compliance obligations
• Design, review and integrate third party cloud vendor assessment methodologies
• Develop a deployment roadmap
Resiliency, speed and cost are common benefits of cloud adoption – not accounting for cloud native designs and security patterns will destroy most of those advantages. These oversights may leave an organization open to security and compliance risks.
METHODOLOGY - EXECUTE
How and When for the Initial Move
• Schedule timelines and a project plan
• Identify and catalog top transition candidate applications
• Design and integrate cloud into existing processes
• Identify and architect necessary security patterns
• Implement and test a sandboxed pilot demo with sample data
• Migrate and test in the production environment
• Document the lessons learned
Identify an initial application candidate and recommend a deployment methodology. Institutionalize the process with the identified stakeholders, decision makers and reviewers. Know where and how organizational structure impacts capability integration. We’ll identify the quick win with the expectation additional migrations will be justified.
COMPARISONS AND RATINGS FOR TOOLS
Industry Standard CSA information
• Cloud Controls Matrix (CCM) evaluations
• CAIQ – Questionnaire for CCM
• STAR – Repository of CAIQ responses
• Varying levels of reporting/auditing
CAIQ/STAR as foundation of rating
• 298 Q’s allows wider distribution
• Non-STAR needs confidence incorporation
Methodology: Quantitative vs. Qualitative
• Consistency from submission to submission
• Automated Executive/Change Control Board Dashboarding
TOOLS - REPEATABLE RISK CALCULATIONS
RISK = LIKELIHOOD x IMPACT
QUALITATIVE vs. QUANTITATIVE
CONSENSUS ASSESSMENT INITIATIVE
CAIQ provides consistent assessment questionnaire across vendors
CONFIDENCE OVERVIEW
CAIQ binary answers (Y/N/NA)
Justifications typically in notes
Validation through automation
• No answer, two answers, no justification
Increase with public access
• STAR entry and audit level
• Length, verbs, links
Answer Correlation/Congruence testing
CSA Assessor’s Grid – 1-16
Example CAIQ with selected answers
Ratings for CMM/I speak to care, maturity and repeatability
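The automated validation and confidence checks listed above, written out as an added Python example (not code from the speakers, CSA or STAR Watch). The CAIQ rows are constructed, and the scoring weights, the action-verb list, the STAR level bonus and the negation-based congruence test are assumptions chosen to illustrate the slide's checks: no answer, two answers, no justification, then justification length, verbs and links, with a bonus for a public STAR entry at a higher audit level.

```python
"""Validate CAIQ responses and score answer confidence (added example)."""
import re

VALID_ANSWERS = {"Y", "N", "NA"}
# Assumption: verbs that signal a concrete, testable control statement.
ACTION_VERBS = ("encrypt", "review", "log", "enforce", "rotate", "require", "monitor", "audit")
URL_RE = re.compile(r"https?://\S+")
NEGATION_RE = re.compile(r"\b(not|no|never)\b")
# Assumption: STAR audit level bonus; higher assurance levels get more credit.
STAR_LEVEL_BONUS = {"none": 0, "self-assessment": 1, "certification": 2, "attestation": 2}

# Constructed sample rows: (question id, answer cell, notes cell).
SAMPLE_CAIQ = [
    ("AIS-01.1", "Y", "We encrypt all data in transit with TLS 1.2+; see https://example.invalid/tls-policy"),
    ("AIS-01.2", "", "Handled by vendor."),
    ("EKM-02.1", "Y N", "Keys rotated annually."),
    ("IAM-02.1", "Y", ""),
    ("DSI-01.1", "NA", "Not applicable: no customer data stored."),
]


def validate_row(answer, notes):
    """Return the hard validation findings for one CAIQ row."""
    findings = []
    tokens = answer.upper().split()
    if not tokens:
        findings.append("no answer")
    elif len(tokens) > 1:
        findings.append("two answers")
    elif tokens[0] not in VALID_ANSWERS:
        findings.append("invalid answer")
    if not notes.strip():
        findings.append("no justification")
    elif tokens == ["Y"] and NEGATION_RE.search(notes.lower()):
        # Congruence test (assumption): a "Y" whose justification is negated.
        findings.append("answer/justification incongruent")
    return findings


def justification_score(notes):
    """Score the justification on length, action verbs and links (0..3)."""
    score = 0
    if len(notes.split()) >= 8:
        score += 1
    words = set(re.findall(r"[a-z]+", notes.lower()))
    if any(w.startswith(v) for w in words for v in ACTION_VERBS):  # "encrypted" counts for "encrypt"
        score += 1
    if URL_RE.search(notes):
        score += 1
    return score


def row_confidence(answer, notes, star_level="none"):
    """Confidence for one row; any hard finding zeroes it regardless of notes."""
    if validate_row(answer, notes):
        return 0
    return justification_score(notes) + STAR_LEVEL_BONUS[star_level]


def assess(rows, star_level="none"):
    """Return (findings keyed by question id, mean confidence across rows)."""
    findings = {}
    total = 0
    for qid, answer, notes in rows:
        row_findings = validate_row(answer, notes)
        if row_findings:
            findings[qid] = row_findings
        total += row_confidence(answer, notes, star_level)
    return findings, total / len(rows)


if __name__ == "__main__":
    problems, mean_confidence = assess(SAMPLE_CAIQ)
    for qid, issues in problems.items():
        print(qid, ", ".join(issues))
    print("mean confidence:", mean_confidence)
```

Running it over the constructed rows flags three of the five (missing answer, double answer, empty notes); only the first row earns full marks, and the same rows submitted under a STAR certification would score two points higher per valid row.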
STAR WATCH
https://star.watch/en/
STAR watch portal allows CCM/CAIQ assessment from a browser
STAR WATCH ASSESSMENT
https://star.watch/en/assessment/
STAR Watch portal allows CAIQ assessment from a browser
Features include question assignments and maturity ratings
INDUSTRY STANDARD MAPPINGS
Toggle Mappings
Mappings from the CCM against the CAIQ
• Enterprise Architecture
• COBIT
• PCI
• EU DPD
• Etc…
Standards mappings within the STAR Watch portal
DOMAIN DEFICIENCY SCORING
• Single Focus (Domains)
• Rudimentary
• Assessment Phase 1
Initial Domain Dashboard
DOMAIN DEFICIENCY SCORING
Domain key (CSA CCM domain abbreviations used in the dashboard):
AIS - Application & Interface Security
AAC - Audit Assurance & Compliance
BCR - Business Continuity Management & Operational Resilience
CCM - Change Control & Configuration Management
DSI - Data Security & Information Lifecycle Management
DCS - Datacenter Security
EKM - Encryption & Key Management
GRM - Governance and Risk Management
HRM - Human Resources
IAM - Identity & Access Management
IVS - Infrastructure & Virtualization Security
IPY - Interoperability & Portability
MOS - Mobile Security
SEF - Security Incident Management, E-Discovery & Cloud Forensics
STF - Supply Chain Management, Transparency and Accountability
TVM - Threat and Vulnerability Management

Scores per domain (three chart series; the series labels did not survive in the transcript):
       AIS AAC BCR CCM DSI DCS EKM GRM HRM IAM IVS IPY MOS SEF STF TVM
Row 1    2   1   2   1   3   1   3   1   0   1   5   0   0   2   1   1
Row 2    0   2   2   3   3   2   1   2   6   6   3   0   4   2   4   2
Row 3    2   0   5   1   1   6   0   8   5   5   5   5  16   1   4   0
COMPARATIVE METHODOLOGY
Enterprise Risk Tolerance
• Initial, interactive customer assessment service
Comparisons – As Is and Future CSP
• Provide mitigation possibilities w/ Risk Change
Confidence
• Example based on -1 to 1. Also, 1-5, 1-10, 1-16
Risk Control Areas
• CSA Domains, Organizational, Tech vs. Controls
Comparative Risk Breakouts
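The comparative methodology above, and the per-domain scoring of the deficiency dashboard before it, as an added Python example (not the speakers' tool or method). RISK = LIKELIHOOD x IMPACT is evaluated per CCM domain on a 1-5 scale for both the As-Is environment and a candidate future CSP, the risk change is reported, and domains still above the enterprise risk tolerance are flagged. The domain values, the tolerance of 12 and the 1-5 scale are constructed; the confidence factor (0..1) that discounts a CSP's claimed likelihood reduction is an assumption about how CAIQ answer confidence feeds the comparison.

```python
"""Comparative per-domain risk breakout: As-Is versus a future CSP (added example)."""
from dataclasses import dataclass

# Subset of CSA CCM domain abbreviations, as used in the deck's dashboard.
DOMAINS = ["AIS", "DSI", "EKM", "IAM", "IVS", "SEF"]


@dataclass
class DomainRisk:
    domain: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self):
        return self.likelihood * self.impact  # RISK = LIKELIHOOD x IMPACT, 1..25


# Constructed sample data: current environment and the CSP's claimed posture.
AS_IS = {
    "AIS": DomainRisk("AIS", 4, 4), "DSI": DomainRisk("DSI", 4, 5), "EKM": DomainRisk("EKM", 3, 5),
    "IAM": DomainRisk("IAM", 5, 4), "IVS": DomainRisk("IVS", 3, 3), "SEF": DomainRisk("SEF", 4, 3),
}
FUTURE_CSP = {
    "AIS": DomainRisk("AIS", 2, 4), "DSI": DomainRisk("DSI", 2, 5), "EKM": DomainRisk("EKM", 1, 5),
    "IAM": DomainRisk("IAM", 3, 4), "IVS": DomainRisk("IVS", 1, 3), "SEF": DomainRisk("SEF", 3, 3),
}
# Assumption: confidence 0..1 per domain, e.g. derived from CAIQ justification quality.
CONFIDENCE = {"AIS": 1.0, "DSI": 0.5, "EKM": 0.0, "IAM": 1.0, "IVS": 0.5, "SEF": 1.0}
TOLERANCE = 12  # constructed enterprise risk tolerance on the 1..25 scale


def discounted_likelihood(as_is, claimed, confidence):
    """Credit only the share of a claimed reduction that confidence supports.
    An unjustified claim (confidence 0) leaves the As-Is likelihood unchanged;
    a claimed increase is never discounted."""
    if claimed >= as_is:
        return claimed
    return round(as_is - (as_is - claimed) * confidence)


def compare(as_is, future, confidence, tolerance):
    """Per-domain breakouts: (domain, as_is_risk, future_risk, change, over_tolerance),
    sorted by residual future risk, highest first."""
    rows = []
    for d in DOMAINS:
        cur, fut = as_is[d], future[d]
        adj = DomainRisk(d, discounted_likelihood(cur.likelihood, fut.likelihood, confidence[d]), fut.impact)
        rows.append((d, cur.score(), adj.score(), adj.score() - cur.score(), adj.score() > tolerance))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def domains_over_tolerance(breakouts):
    """Domains the risk office still needs to improve after the move."""
    return [r[0] for r in breakouts if r[4]]


if __name__ == "__main__":
    breakouts = compare(AS_IS, FUTURE_CSP, CONFIDENCE, TOLERANCE)
    print("domain  as-is  future  change  over-tolerance")
    for d, cur, fut, change, over in breakouts:
        print(f"{d:6} {cur:6} {fut:7} {change:+7}  {over}")
    print("still over tolerance:", domains_over_tolerance(breakouts))
```

In the constructed data the EKM claim carries zero confidence, so its risk does not move at all, and DSI only gets half of its claimed reduction; both stay above tolerance and become the mitigation discussion items, while IAM lands exactly on the tolerance line and AIS drops the most.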
BEYOND A STAR(S) RATING
What makes a 5 star/4 diamond/3 Michelin?
• 1 star represents "a very good restaurant in its category."
• 2 stars mean "excellent cooking and worth a detour."
• 3 stars honors with "exceptional cuisine" that's "worth the journey."
• More transparency? Same?
One customer question will be asked
• What risk level will meet my compliance needs?
Risk office knows trends/domains to improve
Still must address
• Can you trust the data provided?
CCM & Functional Risk Breakouts
PROCESS - MITIGATING CONTROLS
Where do I get them?
• Change control process
Scoping
Catalogue
Biggest Issues
Repeatability
TECHNICAL MAPPINGS/OVERLAY CONTROLS
Integration with additional Questionnaires and Frameworks beyond the CCM (i.e. 800-53 Technical Questionnaire or HITRUST)
Presentation layer based on Enterprise Architecture
• TOGAF, SABSA, ITIL, Jericho
• https://research.cloudsecurityalliance.org/tci/index.php/explore/
ROADMAP – PILOT OBJECTIVES
15 days – Drivers
• Organizational structure and key players
• Strategic drivers discussions and success identification
60 days – Survey
• Existing policies, current products, data classification
• Team training and understand future state
6 mos – Prepare
• Security assessment, Risk mitigations
• Underlying security
9 mos – Execute
• Environment development, sample data preparation, application demo sandbox and product migration
AUTOMATED TECHNICAL ASSESSMENT TOOLS
System automation and scale incompatible with annual audits
• Velocity of cloud with too many system changes hourly/daily/monthly
• Multi-region and Multi-cloud implementation scale and logging differences
• PaaS offerings – serverless, containers, automation scripts don’t readily translate
Continuous technical compliance check examples:
• Administrator: MFA enabled, password complexity, super administrator created, root locked down
• Services: service accounts, separation of duties, monitoring, alerting
• Resources: public storage removal, serverless code, log deletion, Customer Master Keys, Data Encryption Keys
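The continuous technical compliance checks listed above, as an added Python example (not from the deck or any vendor's assessment tool). The account snapshot is a constructed, provider-neutral inventory; in a real deployment it would be populated from the provider's APIs on every change rather than once a year. The check identifiers, severities, the 14-character minimum and the conflicting role pair used for separation of duties are assumptions.

```python
"""Continuous technical compliance checks over a cloud account snapshot (added example)."""

# Constructed snapshot of one account; field names are assumptions, not any provider's schema.
SNAPSHOT = {
    "root": {"mfa_enabled": False, "access_keys": ["CONSTRUCTED-ROOT-KEY"]},
    "password_policy": {"min_length": 8, "require_symbols": False, "require_numbers": True},
    "users": [
        {"name": "alice", "is_admin": True, "mfa_enabled": True},
        {"name": "bob", "is_admin": True, "mfa_enabled": False},
        {"name": "carol", "is_admin": False, "mfa_enabled": False},
    ],
    "service_accounts": [
        {"name": "ci-deployer", "roles": ["deploy", "approve"]},
        {"name": "metrics-reader", "roles": ["read-metrics"]},
    ],
    "storage": [
        {"name": "public-assets", "public": True, "intended_public": True},
        {"name": "customer-exports", "public": True, "intended_public": False},
    ],
    "keys": [
        {"id": "cmk-payments", "rotation_enabled": False},
        {"id": "cmk-logs", "rotation_enabled": True},
    ],
    "audit_log": {"enabled": True, "deletion_protected": False},
}

# Assumption: role combinations one identity must never hold at once.
CONFLICTING_ROLE_PAIRS = {frozenset({"deploy", "approve"})}


def check_administrators(s):
    """Administrator checks: admin MFA, root locked down, password complexity."""
    findings = []
    for u in s["users"]:
        if u["is_admin"] and not u["mfa_enabled"]:
            findings.append(("ADMIN-MFA", "high", u["name"]))
    root = s["root"]
    if root["access_keys"] or not root["mfa_enabled"]:
        findings.append(("ROOT-LOCKDOWN", "critical", "root"))
    p = s["password_policy"]
    if p["min_length"] < 14 or not (p["require_symbols"] and p["require_numbers"]):
        findings.append(("PASSWORD-COMPLEXITY", "medium", "password_policy"))
    return findings


def check_services(s):
    """Service checks: separation of duties, monitoring present, logs protected."""
    findings = []
    for sa in s["service_accounts"]:
        roles = set(sa["roles"])
        if any(pair <= roles for pair in CONFLICTING_ROLE_PAIRS):
            findings.append(("SEPARATION-OF-DUTIES", "high", sa["name"]))
    if not s["audit_log"]["enabled"]:
        findings.append(("MONITORING", "critical", "audit_log"))
    elif not s["audit_log"]["deletion_protected"]:
        findings.append(("LOG-DELETION", "high", "audit_log"))
    return findings


def check_resources(s):
    """Resource checks: unintended public storage, customer master key rotation."""
    findings = []
    for b in s["storage"]:
        if b["public"] and not b["intended_public"]:
            findings.append(("PUBLIC-STORAGE", "critical", b["name"]))
    for k in s["keys"]:
        if not k["rotation_enabled"]:
            findings.append(("CMK-ROTATION", "medium", k["id"]))
    return findings


def run_all(s):
    return check_administrators(s) + check_services(s) + check_resources(s)


def summarize(findings):
    """Count findings per severity so a dashboard can trend them run over run."""
    counts = {}
    for _, sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_all(SNAPSHOT)
    for check, sev, resource in results:
        print(f"{sev:8} {check:22} {resource}")
    print(summarize(results))
```

Each check returns structured findings rather than printing, so the same code can feed the executive or change control board dashboard named earlier in the deck; the `intended_public` flag on storage is what keeps a deliberately public asset bucket from being reported alongside a leaked export bucket.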
FINAL RECOMMENDATION
Compare business spending to peers:
• Functional/operational domains
• Projects
• Revenue center
CSA TOP THREATS: MARKET UPDATE
https://cloudsecurityalliance.org/working-groups/top-threats
Jon-Michael Brook, CISSP, CCSK
Randall Brooks, CISSP, CCSK
@jonmichaelbrook @randallsbrooks
THANK YOU