THE GRC STACK (V2.0): Understanding and applying the CSA GRC stack for payoffs and protection
A learning workshop from the CSA
© 2011 Cloud Security Alliance, Inc. All rights reserved.


TRANSCRIPT

Page 1
THE GRC STACK (V2.0)
Understanding and applying the CSA GRC stack for payoffs and protection
A learning workshop from the CSA

Page 2
CSA Organization & Operation: Where does the GRC Stack fit in?
Board; Steering Committee; Executive Director; Research Director
Membership: Corporate, Individual, Affiliate, Chapters
Working Groups (Education, Research, special competencies ...) and their outputs:
• Security Guidance for Critical Areas of Cloud Computing
• Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative Questionnaire (CAIQ)
• GRC Stack (CCM, CAIQ, CloudAudit, CTP)
• CSA Security, Trust, & Assurance Registry (STAR)
• Trusted Cloud Initiative
• CCSK
• PCI
• ...
We are here today: the GRC Stack

Page 3
Course Syllabus (session, schedule, speaker)

AM Session
• Welcome and session orientation (15 minutes, Ron Knode)
• 1. Introduction to the CSA GRC stack (15 minutes, Ron Knode)
  – The need for a full cloud GRC capability
  – The CSA GRC Value Equation
• 2. CSA GRC Stack Overview (the "stack packs") (30 minutes, Ron Knode)
  – Combining the Cloud Controls Matrix (CCM), the Consensus Assessments Initiative Questionnaire (CAIQ), CloudAudit, and the CloudTrust Protocol (CTP)
  – Service roles and boundaries
  – Complements and supplements
• 3. Component Descriptions (30 minutes each, 2 hours)
  a) CCM and b) CAIQ: Becky Swain
  c) CloudAudit: Marlin Pohlman
  d) CTP: Ron Knode
• 4. Where (and How) to Begin (30 minutes, Ron Knode and Marlin Pohlman)
  – Stack Pack combinations that make sense
  – Deployment techniques and architectures ...
  – Connections to other CSA initiatives (explored more fully in the afternoon session) ... and some references
• 5. GRC Stack evolution and administration (+ "open mic" time with Q&A) (30 minutes, Ron Knode)

PM Session
• 6. GRC stack connections and application in other initiatives (Becky Swain)

Page 4
SESSION 1 // Why a cloud GRC stack? The GRC stack value equation

Page 5
The "big rocks" of cloud security, trust, and control
Take care of the big rocks first ...

Page 6
Key Cloud Security Problems
From CSA Top Threats Research:
– Trust: lack of provider transparency impacts Governance, Risk Management, Compliance, and the capture of real value
– Data: leakage, loss, or storage in unfriendly geography
– Insecure cloud software
– Malicious use of cloud services
– Account/service hijacking
– Malicious insiders
– Cloud-specific attacks

Page 7
Cloud Adoption Obstacles: Planning often neglects Information Risk Management Transition & Transformation

Traditional:
• Enterprise strategy
• Business function (workload) adaptation to cloud delivery
• Technical architecture
• Network connections
• Application standards
• Interoperability
• "Buying time" for current compliance programs
• ...
• Concept of Operations

Neglected but Necessary:
• IT and IT risk governance
  – Traditional sourcing? Cloud?
  – Private? Community? Public? Hybrid?
  – Traditional + cloud? How measured?
• Security policy
  – Uniform across all delivery methods? Cloud adjusted?
  – Private? Community? Public? Hybrid?
• Risk/compliance management standards/benchmarks
  – Cloud adjusted?
  – Private? Community? Public? Hybrid?

Page 8
The Value Equation in the Cloud
Security Service + Transparency Service = Compliance & Trust VALUE Captured
... delivering evidence-based confidence ...
... with compliance-supporting data & artifacts ...
... using the best virtualization and cloud technologies ...
... within quality processes ...
... operated by trained and certified staff and partners ...

Page 9
The Roots of the Value Equation in the Cloud
Roots: Standards, Portability, Transparency
Impact:
• The "Rebound Effect" between security & interoperability
• Information risk management transition & transformation planning
  – Policy
  – Governance
  – Compliance & Risk Management thresholds
  – Business model
  – Downstream application of reclaimed transparency

Page 10
The GRC Stack: Solving the Value Equation in the Cloud
Diagram labels: Security Requirements and Capabilities; Security Transparency and Visibility; Compliance and Trust; GRC Stack; Payoffs
VALUE Captured: delivering evidence-based confidence ... with compliance-supporting data & artifacts.

Page 11
SESSION 2 // GRC Stack Overview: "The Stack Packs"

Page 12
The CSA GRC Stack
A suite of four integrated and reinforcing CSA initiatives (the "stack packages"), the Stack Packs:
• Cloud Controls Matrix
• Consensus Assessments Initiative
• CloudAudit
• CloudTrust Protocol
Designed to support cloud consumers and cloud providers. Prepared to capture value from the cloud as well as support compliance and control within the cloud.

Page 13
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
What each stack pack delivers, and its description:
• Continuous monitoring ... with a purpose (CloudTrust Protocol): common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
• Claims, offers, and the basis for auditing service delivery (CloudAudit): common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
• Pre-audit checklists and questionnaires to inventory controls (CAIQ): industry-accepted ways to document what security controls exist
• The recommended foundations for controls (CCM): fundamental security principles for specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider

Page 14
CSA GRC Value Equation Contributions for Consumers and Providers
• What control requirements should I have as a cloud consumer or cloud provider?
• How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
• How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
• How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?
The stack packs are individually useful, collectively powerful, and a productive way to reclaim end-to-end information risk management capability.
Axis of the diagram: from static claims & assurances to dynamic (continuous) monitoring and transparency.

Page 15
A Headstart for Control and Compliance: Forged by the Global Marketplace; Ready for All
(Columns: Government, Commercial. Legend: In place, Offered.)
• Continuous monitoring ... with a purpose: common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers. Delivers the "continuous monitoring" required by A&A methodologies.
• Claims, offers, and the basis for auditing service delivery: common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments. Shown alongside: FedRAMP, DIACAP, other C&A standards.
• Pre-audit checklists and questionnaires to inventory controls: industry-accepted ways to document what security controls exist. Shown alongside: NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, ...
• A recommended foundation for controls: fundamental security principles for assessing the overall security risk of a cloud provider. Shown alongside: professional SSAE SOC2 control assessment criteria.

Page 16
CSA Guidance Research
Popular best practices for securing cloud computing: 13 domains of concern in governing & operating groupings. Guidance > 100k downloads: cloudsecurityalliance.org/guidance
Cloud Architecture
Governing the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
Operating in the Cloud:
• Security, Bus. Cont., and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization

Page 17
CSA Guidance Research: Popular best practices for securing cloud computing, 13 domains of concern in governing & operating groupings (the same 13 domains as the previous slide: Cloud Architecture; Governing the Cloud: Governance and Enterprise Risk Management, Legal and Electronic Discovery, Compliance and Audit, Information Lifecycle Management, Portability and Interoperability; Operating in the Cloud: Security, Bus. Cont., and Disaster Recovery, Data Center Operations, Incident Response, Notification, Remediation, Application Security, Encryption and Key Management, Identity and Access Management, Virtualization)
14? Transparency

Page 18
Accepting the GRC Value Solution ... Reference Model Readiness??
Source: NIST SP500-291-v1.0, p. 42, Figure 12
Enough???

Page 19
"Just not enough, baby ..." (Barry White, "Can't Get Enough of Your Love, Babe")
Source: NIST SP500-291-v1.0, p. 42, Figure 12
Transparency
Now it's enough!

Page 20
SESSION 3 // Component Descriptions

Page 21
THE CLOUD CONTROLS MATRIX

Page 22
Cloud Controls Matrix (CCM)
Leadership Team: Becky Swain (EKKO Consulting), Philip Agcaoili (Cox Communications), Marlin Pohlman (EMC, RSA), Kip Boyle (CSA)
Versions: v1.0 (Apr 2010), v1.1 (Dec 2010), v1.2 (Aug 2011), v2.0 (2012)
Controls baselined and mapped to: COBIT; BITS Shared Assessments; HIPAA/HITECH Act; Jericho Forum; ISO/IEC 27001-2005; NERC CIP; NIST SP800-53; FedRAMP; PCI DSS v2.0

Page 23
What is the CCM?
First-ever baseline control framework specifically designed for managing risk in the cloud supply chain:
– Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
– Providing an anchor point and common language for balanced measurement of security and compliance postures.
– Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.
Serves as the basis for new industry standards and certifications.

Page 24
Optimal & Holistic Compliance

Page 25
CCM v1.1 Industry Participation
This grass-roots movement continues to grow, with over 100 volunteer industry experts in the recent release of v1.2!

Page 26
CCM – 11 Domains

Page 27
CCM – 98 Controls

Page 28
CCM – 98 Controls (cont.)

Page 29
CCM – 98 Controls (cont.)

Page 30
CCM – 98 Controls (cont.)

Page 31
Control Matrix >> Guidance >> ISO

Page 32
Cloud Supply Chain – Information Security Risks
You can outsource a business capability or function, but you cannot outsource accountability for information security. Do your due diligence to identify and address ...
– Control Gaps (Shared Control)
  • Information Security (Access Controls, Vulnerability & Patch Management)
  • Security Architecture
  • Data Governance (Lifecycle Management)
  • Release Management (Change Control)
  • Facility Security
– Control Dependencies
  • Corporate Governance
  • Incident Response
  • Resiliency (BCM & DR)
  • Risk & Compliance Management

Page 33
THE CONSENSUS ASSESSMENT INITIATIVE

Page 34
Consensus Assessments Initiative Questionnaire (CAIQ)

Page 35
Consensus Assessment Initiative
• A cloud supply chain risk management and due diligence questionnaire
• ~200 yes/no questions that map directly to the CCM and thus, in turn, to many industry standards
• Can be used by CSPs for self-assessment, or by potential customers for the following purposes:
  – to identify the presence of security controls and practices for cloud offerings
  – procurement negotiation
  – contract inclusion
  – to quantify SLAs
• For potential customers, the CAIQ is intended to be part of an initial assessment, followed by further clarifying questions to the provider as applicable to their particular needs.
• v1.1 available as of Sept 2011; v1.2 underway to map to CCM v1.2

Page 36
CAIQ Guiding Principles
The following are the principles the working group used as guidance when developing the CAIQ:
• The questionnaire is organized using the CSA's 13 governing & operating domains, divided into "control areas" within the CSA Controls Matrix structure.
• Questions are to assist both cloud providers, in general principles of cloud security, and clients, in vetting cloud providers on the security of their offering and company security profile.
• The CAIQ is not intended to duplicate or replace existing industry security assessments, but to contain the questions unique or critical to the cloud computing model in each control area.
• Each question should be answerable yes or no. If a question could not be answered yes or no, it was separated into two or more questions that allow yes or no answers.
• Questions are intended to foster further detailed questions to the provider by the client, specific to the client's cloud security needs. This was done to limit the number of questions and keep the assessment feasible, and because each client may have unique follow-on questions or may not be concerned with all follow-on questions.

Page 37
The CAIQ Questionnaire

Page 38
CAIQ Questionnaire
• Control Group, Control Group ID (CGID), and Control Identifier (CID) all map the CAIQ question being asked directly to the CCM control being addressed.
• Relevant compliance and standards are mapped line by line to the CAIQ, which, in turn, also maps to the CCM. CAIQ v1.1 maps to the following compliance areas: HIPAA, ISO 27001, COBIT, SP800_53, FedRAMP, PCI_DSS, BITS, and GAPP. v1.2 will additionally include mappings to Jericho Forum and NERC CIP.
• Each question can be answered by a provider with a yes or no answer.

Page 39
Sample Questions to Vendors

Compliance - Independent Audits (CO-02)
• CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third-party audit reports?
• CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
• CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
• CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
• CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
• CO-02f - Are the results of the network penetration tests available to tenants at their request?
• CO-02g - Are the results of internal and external audits available to tenants at their request?

Data Governance - Classification (DG-02)
• DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
• DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?
• DG-02c - Do you have a capability to use system geographic location as an authentication factor?
• DG-02d - Can you provide the physical location/geography of storage of a tenant's data upon request?
• DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
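The slides on the CAIQ (pages 36 to 39) describe its structure: each question has a Control Identifier (CID, e.g. CO-02c) under a Control Group ID (CGID, e.g. CO-02) that points at one CCM control, and every question must be answerable yes or no. The following Python script is an added example, not part of the CSA deck or the CAIQ itself: it parses a provider's answer sheet in that CGID/CID scheme, rolls the answers up per CCM control group, and lists the "No" answers as the follow-up questions a customer would put to the provider. The answer sheet is constructed for this example (question IDs and abridged wording follow the slide; the Yes/No answers are made up), and the pipe-separated format and the `Answer` class are this example's own conventions.

```python
"""Added example: roll up CAIQ-style yes/no answers to the CCM control group
each question maps to. Uses the CGID/CID naming from the slide (CO-02 is the
control group, CO-02a one question under it). Not CSA code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed answer sheet (format: CID | question | Yes/No). Question IDs
# and abridged wording follow the slide; the answers are made up.
SAMPLE_ANSWERS = """\
CO-02a | Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third-party audit reports? | Yes
CO-02b | Do you conduct network penetration tests of your cloud service infrastructure regularly? | Yes
CO-02c | Do you conduct application penetration tests of your cloud service infrastructure regularly? | No
CO-02d | Do you conduct internal audits regularly? | Yes
CO-02e | Do you conduct external audits regularly? | Yes
CO-02f | Are the results of the network penetration tests available to tenants at their request? | No
CO-02g | Are the results of internal and external audits available to tenants at their request? | Yes
DG-02a | Do you provide a capability to identify virtual machines via policy tags/metadata? | Yes
DG-02b | Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag)? | No
DG-02c | Do you have a capability to use system geographic location as an authentication factor? | No
DG-02d | Can you provide the physical location/geography of storage of a tenant's data upon request? | Yes
DG-02e | Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation? | Yes
"""

CID_RE = re.compile(r"^([A-Z]{2}-\d{2})([a-z])$")  # CGID followed by a question letter


@dataclass
class Answer:
    cgid: str      # CCM control group, e.g. CO-02
    cid: str       # CAIQ question id, e.g. CO-02c
    question: str
    yes: bool


def parse_answers(text: str) -> List[Answer]:
    """Parse 'CID | question | Yes/No' lines, enforcing the yes/no principle."""
    rows: List[Answer] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cid, question, answer = (p.strip() for p in line.split("|", 2))
        m = CID_RE.match(cid)
        if not m:
            raise ValueError(f"malformed CAIQ id: {cid!r}")
        # CAIQ principle: every question is answerable yes/no; anything else
        # means the question should have been split, so reject it here.
        if answer.lower() not in ("yes", "no"):
            raise ValueError(f"{cid}: answer must be Yes or No, got {answer!r}")
        rows.append(Answer(m.group(1), cid, question, answer.lower() == "yes"))
    return rows


def rollup(answers: List[Answer]) -> Dict[str, dict]:
    """Per CCM control group: question count, the ids answered No, and the
    fraction answered Yes (a coverage signal, not a compliance verdict)."""
    groups: Dict[str, List[Answer]] = defaultdict(list)
    for a in answers:
        groups[a.cgid].append(a)
    report: Dict[str, dict] = {}
    for cgid, items in sorted(groups.items()):
        gaps = [a.cid for a in items if not a.yes]
        report[cgid] = {
            "questions": len(items),
            "gaps": gaps,
            "coverage": round((len(items) - len(gaps)) / len(items), 2),
        }
    return report


def follow_up_questions(answers: List[Answer]) -> List[str]:
    """Questions answered No: the starting point for the clarifying questions
    a customer puts to the provider after the initial assessment."""
    return [f"{a.cid}: {a.question}" for a in answers if not a.yes]


if __name__ == "__main__":
    parsed = parse_answers(SAMPLE_ANSWERS)
    for cgid, summary in rollup(parsed).items():
        print(cgid, summary)
    print("\n".join(follow_up_questions(parsed)))
```

Because the CAIQ maps to the CCM and the CCM maps onward to standards such as ISO 27001 and NIST SP 800-53, the per-control-group gaps this produces are the point from which a customer can trace which mapped requirements the provider's own claims do not yet cover.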

Page 40
CLOUDAUDIT

Page 41
CloudAudit Objectives
• Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
• Allow authorized consumers of services and concerned parties to do likewise via an open, extensible, and secure interface and methodology

Page 42
What CloudAudit Does
Provide a structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
– Define a namespace that can support diverse frameworks
– Express compliance frameworks in that namespace
– Define the mechanisms for requesting and responding to queries relating to specific controls
– Integrate with portals and AAA systems

Page 43
How CloudAudit Works
• Utilize security automation capabilities with existing tools/protocols/frameworks via a standard, open, and extensible set of interfaces
• Keep it simple, lightweight, and easy to implement; offer primitive definitions & language structure using HTTP(S) first, at a very basic level
• Allow for extension and elaboration by providers, and choice of trusted assertion validation sources, checklist definitions, etc.

Page 44
Context for CloudAudit
• CloudAudit is not designed to validate or attest "compliance"
• It automates collection and presentation of data supporting queries, using a common set of namespaces aligned to the CSA Cloud Controls Matrix
• Artifacts are accessible by a human operating a web browser or by a tool capable of using CloudAudit over HTTP(S)
• The consumers of this information are internal & external auditors, compliance teams, risk managers, security teams, etc., and in the longer term, brokers

Page 45
Aligned to CSA Control Matrix
• Officially folded CloudAudit under the Cloud Security Alliance in October 2010
• First efforts aligned to compliance frameworks as established by the CSA Control Matrix:
  – PCI DSS
  – NIST 800-53
  – HIPAA
  – COBIT
  – ISO 27002
• Incorporate CSA's CAI and additional CompliancePacks
• Expand alignment to "infrastructure"-centric and "operations"-centric views also

Page 46
What Was Delivered in v1.0
• The first release of CloudAudit provides the scoped capability for providers to store evidentiary data in well-defined namespaces aligned to the 5 CSA Control Matrix mappings (PCI, HIPAA, NIST 800-53, ISO 27002, COBIT)*
• The data in these namespaces is arbitrary and can be named and file-typed as such, so we need a way of dealing with what can be one to hundreds of supporting files, the contents of some of which are actually URIs to other locations
* Update: v1.1 packaging available to include CSA CCM updates

Page 47
Current Discussions*
• Stack providers with whom we have discussed CloudAudit: VMware, Citrix, Microsoft, OpenStack
• Cloud service providers with whom we have discussed CloudAudit: AWS, Google, Microsoft, Terremark, Savvis, Rackspace
• Tool (GRC) solution providers with whom we are discussing CloudAudit implementation: Agiliance, RSA
• Audit/standards associations with whom we are discussing CloudAudit: ISACA, ODCA, BITS, ISO, Open Group, DMTF, IETF
* NOTE: Discussions do not imply commitment to proceed or intent to support

Page 48
What's On The 6 Month Roadmap
• Extend Atom in manifest.xml to provide for timestamps, signatures, and version control [need XML/Atom expertise]
• Version control and change notification in conjunction with ...
• Architecture for registry services [cloudaudit.net] and extensions of such (public and/or private)
• Implementation architecture for "atomic queries" (e.g., "PCI Compliant" or "SAS-70 Certified")
• Expand on specific CloudAudit use cases:
  – CloudAudit for Federal Government
  – CloudAudit for Cloud Providers
  – CloudAudit for Auditors/Assessors
• Intensify and clarify the connection between CloudAudit and the CTP

Page 49
CloudAudit – How it Works

Page 50
Manifest.xml
• Structured listing of control contents
• Can be extended to provide contextual information
• Primarily aimed at tool consumption
• In Atom format

Page 51
CloudAudit – Manifest.xml Example

Page 52
index.html/default.jsp/etc.
• index.html is for dumb-browser consumption (typically the direct human user use case)
• It can be omitted if directory browsing is enabled (not recommended)
• It contains JavaScript to look for the manifest.xml file, parse it, and render it as HTML
• If no manifest.xml exists, it should list the directory contents relevant to the control in question

Page 53
Atom Specification (RFC 4287)
http://www.ietf.org/rfc/rfc4287.txt
"Atom is an XML-based document format that describes lists of related information known as 'feeds'. Feeds are composed of a number of items, known as 'entries', each with an extensible set of attached metadata. For example, each entry has a title. The primary use case that Atom addresses is the syndication of Web content such as weblogs and news headlines to Web sites as well as directly to user agents."
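Pages 50 to 53 describe the CloudAudit namespace layout: each control directory carries a manifest.xml in Atom (RFC 4287) format listing the evidence it holds, and page 46 notes that some of those entries are URIs pointing to other locations. The Python below is an added example, not CloudAudit project code or the deck's: it parses such a manifest with the standard library, extracts the evidence artifacts as Atom `link rel="enclosure"` elements, marks which ones point outside the directory, and flags remote references that are not served over HTTPS, since a collecting tool should treat those as unverified claims rather than evidence. The sample feed, the control it describes, the host `evidence.provider.example` and the file names are all constructed for this example; the use of `rel="enclosure"` for evidence files is this example's convention, not something the slides specify.

```python
"""Added example: parse a CloudAudit-style manifest.xml (an Atom feed, RFC 4287)
and list the evidence artifacts it advertises for one control directory.
Not CloudAudit project code; the feed below is constructed for this example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

ATOM_NS = "http://www.w3.org/2005/Atom"  # Atom namespace URI from RFC 4287


def atom(tag: str) -> str:
    """Clark-notation name ElementTree expects for an Atom element."""
    return "{%s}%s" % (ATOM_NS, tag)


# Constructed manifest for a hypothetical CO-02 (Independent Audits) directory.
# Host, file names and ids are made up for the example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Evidence for CCM control CO-02 (Independent Audits)</title>
  <id>urn:uuid:00000000-0000-4000-8000-000000000001</id>
  <updated>2011-09-01T12:00:00Z</updated>
  <entry>
    <title>SOC 2 Type II report summary</title>
    <id>urn:uuid:00000000-0000-4000-8000-000000000002</id>
    <updated>2011-09-01T12:00:00Z</updated>
    <link rel="enclosure" type="application/pdf" href="soc2-summary.pdf"/>
  </entry>
  <entry>
    <title>Network penetration test attestation letter</title>
    <id>urn:uuid:00000000-0000-4000-8000-000000000003</id>
    <updated>2011-08-15T09:30:00Z</updated>
    <link rel="enclosure" type="application/pdf"
          href="https://evidence.provider.example/pentest-letter.pdf"/>
  </entry>
  <entry>
    <title>Legacy audit letter (plain-HTTP reference)</title>
    <id>urn:uuid:00000000-0000-4000-8000-000000000004</id>
    <updated>2010-12-01T00:00:00Z</updated>
    <link rel="enclosure" type="application/pdf"
          href="http://evidence.provider.example/old-letter.pdf"/>
  </entry>
  <entry>
    <title>Assertion only, no artifact attached</title>
    <id>urn:uuid:00000000-0000-4000-8000-000000000005</id>
    <updated>2011-09-01T12:00:00Z</updated>
  </entry>
</feed>
"""


@dataclass
class Artifact:
    title: str
    href: str         # file name inside this directory, or an absolute URI
    media_type: str
    remote: bool      # True when the manifest points outside its directory


def parse_manifest(xml_text: str) -> List[Artifact]:
    """Return the evidence artifacts (rel="enclosure" links) of a manifest.

    For feeds fetched from an untrusted provider, parse with defusedxml
    instead of the stdlib parser to rule out entity-expansion tricks."""
    root = ET.fromstring(xml_text)
    if root.tag != atom("feed"):
        raise ValueError("manifest.xml is not an Atom feed")
    artifacts: List[Artifact] = []
    for entry in root.findall(atom("entry")):
        title = entry.findtext(atom("title"), default="").strip()
        for link in entry.findall(atom("link")):
            if link.get("rel") != "enclosure":
                continue
            href = link.get("href", "")
            # A bare file name has no scheme; anything with a scheme is remote.
            artifacts.append(Artifact(title, href, link.get("type", ""),
                                      remote=bool(urlparse(href).scheme)))
    return artifacts


def unencrypted_remote_refs(artifacts: List[Artifact]) -> List[str]:
    """Remote references not served over HTTPS: a tool collecting A6
    artifacts should report these as unverified, not ingest them as evidence."""
    return [a.href for a in artifacts
            if a.remote and urlparse(a.href).scheme != "https"]


if __name__ == "__main__":
    found = parse_manifest(SAMPLE_MANIFEST)
    for a in found:
        kind = "REMOTE" if a.remote else "local "
        print(f"{kind}  {a.media_type:16} {a.href}  ({a.title})")
    print("non-HTTPS remote refs:", unencrypted_remote_refs(found))
```

The entry without a link is deliberately kept in the sample: the slides distinguish assertions from supporting artifacts, and a parser that only counts enclosure links will correctly report that such an entry carries no evidence at all.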

Pages 54 to 57
Sample Implementation – CSA Compliance Pack (four slides; the slide images are not included in this transcript)

Page 58
CLOUD TRUST PROTOCOL

Page 59
Why a CloudTrust Protocol? Information Assurance is Cloud-Complicated ... "Clouds are cloudy"
Diagram: Requirements and Services, across providers such as Amazon, Google, and Microsoft
As visibility is lost ...
• Where is the data?
• Who can see the data?
• Who has seen the data?
• Is data untampered?
• Where is processing performed?
• How is processing configured?
• Does backup happen? How? Where?
... security, compliance, and value are lost as well

Page 60
Cloud Processing: Three Big Obstacles to Value Capture
• Lack of standards
• Lack of portability
• Lack of transparency: controls ..., compliance ..., sustained payoff ..., reliability ..., liability ..., confidentiality ..., privacy ..., ...
Compliance issues:
• PCI DSS
• HIPAA
• ITAR
• ISO 27001
• HITECH in ARRA 2009
• DIACAP
• HMG Infosec Standard 2
• GLBA
• NIST 800-53 and FISMA and FedRAMP
• U.K. Manual of Protective Security
• FRCP
• SAS70
• SSAE16

Page 61
Absent Transparency ... Some Big Problems
For example, without transparency ...
• No confirmed chain of custody for information
• No way to conduct investigative forensics
• Little confidence in the ability to detect attempts or occurrences of illegal disclosure
• Little capability to discover or enforce configurations
• No ability to monitor operational access or service management actions (e.g., change management, patch management, vulnerability management, ...)

Page 62
Relationship between Transparency and Elastic Payoff Potential based on Deployment Model
Cloud Deployment Model (axis): Private, Community, Hybrid, Public
Plotted: Potential Elastic Benefit; Transparency in Deployment
Seeking the best (realistic) enterprise cloud strategy on this risk/reward axis

Page 63: THE GRC STACK ( V2.0) Understanding and applying the CSA GRC stack for payoffs and protection

© 2011 Cloud Security Alliance, Inc. All rights reserved.

Transparency Restores Information Assurance
Working with a “glass cloud” delivers the elastic benefits of the cloud

(Figure: enterprise Requirements and Services across cloud providers: Amazon, Google, Microsoft)

As visibility is gained …
• Configurations are known and verified
• Data exposure and use is collected and reported
• Access permissions are discovered and validated
• Processing and data locations are exposed
• Compliance evidence can be gathered and analyzed
• Processing risks and readiness become known

… Security, compliance, and value are captured as well

Thoughtful progression … inevitable conclusion

(Figure: a progression of four steps, in order)
Reclaim transparency
Continuous monitoring (with a purpose)
Simple, dynamic information request and response
CloudTrust Protocol

CloudTrust Protocol (CTP) to deliver Transparency-as-a-Service (TaaS)

The CTP Today (V2.0)

Elements of Transparency in the CTP v2.0
(Only 23 in total in the entire protocol!)

• 6 Types
– Initiation
– Policy Introduction
– Provider assertions
– Provider notifications
– Evidence requests
– Client extensions

• Families
– Configuration
– Vulnerabilities
– Anchoring
– Audit log
– Service Management
– Service Statistics

• Elements
– Geographic
– Platform
– Process

CloudTrust Protocol Pathways: Mapping the Elements of Transparency in Deployment

(Figure: grid with columns Admin and Ops Specs, Transparency Requests, Extensions and rows Assertions, Evidence, Affirmations; the numbered elements are placed in it as follows)

Session start: 1
Session end: 2
Configuration and vulnerabilities: 3, 4, 5, 6, 7
Anchoring: 8, 9, 10 (geographic, platform, process)
Violation: 11
Audit: 12
Access: 13
Incident log: 14
Config./control: 15
Stats: 16
Security capabilities and operations: 17
Alerts: 18
Users: 19
Configuration definition: 20
Anchors: 21
Quotas: 22
Alert conditions: 23
Consumer/provider negotiated: 24

Also shown: CloudAudit.org, SCAP, Sign/sealing

CloudTrust Protocol (CTP) Sample

CloudTrust Protocol V2.0

• Syntax based on XML
• Traditional RESTful web service over HTTP
• SCAP / XCCDF query & response structure

(Legend: New in V2.0)

Elastic Characteristics of the CTP


Multiple Styles of Implementation: The CTP is machine and human readable

Scope of a TaaS Implementation of CTP: Enterprise or Client-specific

CTP Transaction Response Codes

HTTP Response Code: Meaning
200: ‘OK’ (with data) or ‘YES’
204: Request received, but cloud vendor chooses not to respond
401: Unauthorized request
404: ‘NO’

Example XML Document Types

Mimetype: Description
ctp/resources+xml: A list of all IT resources
ctp/resource+xml: Details of one resource
ctp/resourcecount+xml: Count of all resources to date
ctp/update+xml: When the resources were last updated
ctp/tags+xml: A list of all tags
ctp/tag+xml: Details of one tag

Current Configuration Discovery/Reporting (EoT 3)

Description: Poll the Cloud provider for details of current configuration data, within the provider’s inventory of technology (real and virtual) being used on behalf of the cloud consumer. Resource configuration information is returned using the Extensible Configuration Checklist Description Format (XCCDF) and Open Vulnerability and Assessment (OVAL) languages, within the Common Configuration Enumeration (CCE) specifications.

Method: GET

URL: https://cloudtrust.csc.com/ctp/[custID]/resources/cce/[platformID]

Querystring:
tag= Filter by tag
OS= Filter by operating system
loc= Filter by location
start= The number of the first resource to return
end= The number of the last resource to return

Returns:
200 OK and XML data
204 Decline to respond
401 Unauthorized
404 Not Found
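As an added example (not the CSA's or CSC's code, and not part of the original slides), the Python client below assembles the EoT 3 request from the URL template and querystring filters given for that element, rejects path identifiers that could escape the consumer's own tree, and maps the four CTP transaction response codes from the earlier slide to outcomes a consumer's GRC tooling can record. The customer and platform identifiers, the ctp/resources+xml body shape and the resource attributes are constructed assumptions; the slides do not give the XML schema. No network access is needed to run it.

```python
# Added example (not CSA or CSC code): build an EoT 3 configuration-discovery request
# from the slide's URL template and filters, and interpret the provider's reply with
# the CTP transaction response codes. Everything below runs offline.
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

# Base URL from the EoT 3 slide; the [custID] and [platformID] segments are filled per request.
CTP_BASE = "https://cloudtrust.csc.com/ctp"

# Meanings of the transaction response codes, as listed on the response-code slide.
RESPONSE_MEANINGS = {
    200: "OK (with data) or YES",
    204: "Request received, but cloud vendor chooses not to respond",
    401: "Unauthorized request",
    404: "NO / Not Found",
}

# Query-string keys the slide defines for EoT 3, in the order they are emitted here.
EOT3_FILTERS = ("tag", "OS", "loc", "start", "end")

# Identifiers land in the URL path, so restrict them to a safe alphabet: a value such
# as "../other" must not be able to steer the request at another consumer's tree.
_SAFE_ID = re.compile(r"^[A-Za-z0-9_.-]+$")


def build_cce_request(cust_id, platform_id, **filters):
    """Return (method, url) for the EoT 3 poll of current configuration (CCE) data."""
    for ident in (cust_id, platform_id):
        if not _SAFE_ID.match(ident) or ident in (".", ".."):
            raise ValueError(f"unsafe identifier: {ident!r}")
    unknown = set(filters) - set(EOT3_FILTERS)
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")
    params = [(k, str(filters[k])) for k in EOT3_FILTERS if filters.get(k) is not None]
    url = f"{CTP_BASE}/{quote(cust_id, safe='')}/resources/cce/{quote(platform_id, safe='')}"
    if params:
        url += "?" + urlencode(params)
    return "GET", url


def interpret_response(status, content_type=None, body=b""):
    """Map a CTP reply to an outcome the consumer's GRC tooling can act on.

    200 -> ("data", [resource ids])   parsed from a ctp/resources+xml body
    204 -> ("declined", meaning)      the provider received the request but chose not
                                      to answer; record it, because a refusal to show
                                      evidence is itself a finding
    401 -> ("unauthorized", meaning)
    404 -> ("no", meaning)
    """
    if status == 200:
        if content_type != "ctp/resources+xml":
            return "unexpected", f"unexpected mimetype {content_type!r}"
        root = ET.fromstring(body)  # provider XML is untrusted input; parse strictly
        return "data", [r.get("id") for r in root.iter("resource")]
    labels = {204: "declined", 401: "unauthorized", 404: "no"}
    if status in labels:
        return labels[status], RESPONSE_MEANINGS[status]
    return "unexpected", f"undefined CTP status {status}"


# Constructed sample reply; the slides do not give the ctp/resources+xml schema, so
# the <resources>/<resource id=...> shape is an assumption made for illustration.
SAMPLE_BODY = b"""<?xml version="1.0"?>
<resources>
  <resource id="vm-0001" os="linux" loc="us-east"/>
  <resource id="vm-0002" os="windows" loc="eu-west"/>
</resources>"""


if __name__ == "__main__":
    print(build_cce_request("acme01", "win2008", tag="pci", start=1, end=50))
    print(interpret_response(200, "ctp/resources+xml", SAMPLE_BODY))
    print(interpret_response(204))
```

The one design point worth noting is that a 204 is kept distinct from a 200 with an empty resource list: the first means the provider declined to answer, the second means it answered and found nothing, and a compliance record that conflates the two loses exactly the transparency the protocol is meant to supply.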

CTP Implementation Architecture: Configuration Item Relationships

(Figure: cloud consumer or service broker on one side, cloud providers on the other; labels Automated / Manual; legend distinguishes Cloud consumer or service broker from Cloud provider)

TaaS (CTP) U/I and service director

CloudTrust Management Base (CTMB): the storage of user authorizations and credentials, request status, result histories, specifications, and commentary; management of the CTMB

CTP request & response stack:
• Identification, authorization, accounting, flow control, CTMB interface, response and reporting
• CTP request/response translation, packaging, and brokering
• CTP request queuing and execution in a conforming cloud

(RE) CTP Response Engine, in each cloud that acknowledges CTP (CTP conforming)

Cloud Providers: IBM, Amazon, CSC, Salesforce, Google, Microsoft, Savvis, Others …

Transparency-as-a-Service (TaaS)
Turn on the lights you need … when you need them

Authorized TaaS Users ask, through the CloudTrust Protocol (CTP) Elements of Transparency (1 to 23):
• What does my cloud computing configuration look like right now?
• Where are my data and processing being performed?
• Who has access to my data now?
• What vulnerabilities exist in my cloud configuration?
• What audit events have occurred in my cloud configuration?
• Who has had access to my data?
. . .

(Figure: CTUI Host (Cloud) delivering Transparency-as-a-Service (TaaS), with CTP connections to Salesforce, Microsoft, Amazon, Google, Others …; labels CTUI and CTP)

The CSA CTP Working Group Agenda: Moving toward CTP V3.0

• CTMB structure/schema
• Trust package correlation with all contributing (traditional) security services
• EoT extension technique
– Characteristics of specification
– Degree of automation
– API
• Priority/relative value of each Element of Transparency
• SLA foundation
• Transparency operator training and operations monitoring
• Degree of automatic correlation with other elements of GRC stack
• Final namespace
• Identity store for transparency service authorizations; IAM for federated or “chained” identity needs across multiple cloud service providers
• Evidence Request category “integrity and liability verification technique”
– Attest to the content, provenance, and imputability of the response (with legal import)
– Transmission integrity not sufficient; storage integrity not sufficient; require legal liability of intent to provide response as delivered
– E.g., Surety AbsoluteProof, (Kinamik Secure Audit Vault)

• Look for opportunities to join the working group!
• Ask CSA for help in pilot implementations!
• Get started now!

SESSION 4 // Where and How to Begin: Connections to Other CSA Initiatives

Using the GRC Stack: Making the Stack Pack Approach Work for You

• Easy to get started
• Many successful combinations
• Benefits accrue with each stack pack addition
• Multiple alternatives to application and deployment
• Mapped across multiple compliance mandates

GRC Stack Pack Combinations that Deliver a Payoff

(Figure: GRC Stack Payoff Combinations, alongside Other CSA Related items)

Security, Trust, and Assurance Registry (CSA STAR)

• CSA STAR (Security, Trust and Assurance Registry)
• Public Registry of Cloud Provider self assessments
• Leverages GRC Stack Projects
– Consensus Assessments Initiative Questionnaire
– Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Free market competition to provide quality assessments
• Available October 2011

Security, Trust, and Assurance Registry (CSA STAR)

• Encourage transparency of security practices within cloud providers
• Documents the security controls provided by various cloud computing offerings
• Free and open to all cloud providers
• Option to use data/report based on CCM or the CAIQ

(Figure: Expose control claims; Compete to improve GRC capabilities; GRC Stack)

STAR Listing Process

• Provider fills out CAIQ or customizes CCM
• Uploads document at /star
• CSA performs basic verification
– Authorized listing from provider
– Delete SPAM, “poisoned” listing
– Basic content accuracy check
• CSA digitally signs and posts at /star

FAQ

• Where? www.cloudsecurityalliance.org/star/
• Help? Special LinkedIn support group and private mailbox moderated by CSA volunteers, online next week
• Costs? Free to post, free to use
• Is this a new hacker threat vector? No, it is responsible disclosure of security practices
• Will CSA police STAR? Initial verification and maintenance of “Abuse” mailbox
• Do listings expire? Yes, 1 year limit
• Full FAQ to be posted at /star next week

Why not certification or 3rd party assessment?

• Complex to do certification right
– Many uses of cloud, many customer needs
– Different risk profiles for each
• CSA supporting broad industry consortia and standards bodies
– ISO, ITU-T
– Common Assurance Maturity Model (CAMM – 3rd Party assessment)
– GRC Stack aligns with common requirements (e.g. PCI/DSS, HIPAA, FedRAMP, 27001, CoBIT, etc)
• Self assessment & transparency complements all
– STAR could be part of SSAE 16 SOC II report (SAS 70 replacement)

Is CSA STAR temporary or the ultimate assurance solution?

• Neither
• Permanent effort to drive transparency, competition, innovation and self regulation with agility – crowdsourcing cloud security
• Does not provide automation, 3rd party assessment, relative/absolute scoring, real-time controls monitoring, etc
• Ultimate assurance is real time GRC (enabled by CloudAudit) complemented by CSA STAR and 3rd party attestation. Will look to solution providers to deliver this integration

Trusted Cloud Initiative (TCI)

• CSA certification criteria and seal program for cloud providers
• Initial focus on secure & interoperable identity in the cloud, and its alignment with data encryption
• Assemble with existing standards
• Reference models & Proof of concept
• Outline responsibilities for Identity Providers, Enterprises, Cloud Providers, Consumers

www.cloudsecurityalliance.org/trustedcloud.html

TCI Mission
“To create a Trusted Cloud reference architecture for cloud use cases that leverage cloud delivery models (SaaS, PaaS, IaaS) in the context of operational models (Public, Private, Hybrid) to deliver a secure and trusted cloud service.”

Holistic approach around controls…

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

… and Architecture best practices

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

Reference model structure


How to use the architecture?


Trusted Cloud Initiative: Use Cases and Patterns

CAMM

The Common Assurance Maturity Model (CAMM) is designed to provide trustworthiness (safety, security and reliability) of the supply chain working within and across the Internet in the new information world. It offers the following benefits to customer and service provider organizations:


CAMM Objectives

Purpose
– Provide a framework to provide the necessary transparency in attesting the Information Assurance Maturity of a third party (e.g. Cloud provider).
– Allow the publication of results to be performed in an open and transparent manner, without the mandatory need for third party audit functions.
– Allow data processors to demonstrably publicise their attention to Information Assurance over other suppliers that may not take it as seriously.
– Avoid the subjective and bespoke arrangements that customers of such services are currently faced with.

Method
– Utilise existing standards such as ISO 27001, BS 25999, NIST SP 800-53, etc. to develop a series of control questions specific to the organisation.
– Responses to such questions (and the subsequent detail) to be published and available.
– Output to also include a score that details the provider’s Common Assurance Maturity score.

CAMM: New business assurance barometer

Business Assurance
• Provides a genuine USP to organisations that have higher levels of information risk maturity
• Risk management maturity is open for stakeholders to view, using appropriate language and detail.
• CAMM is built on existing standards, so no need for massive re-investment.
• Measures maturity against defined controls areas, with particular focus on key controls.
• A business benefit that creates consumer trust that is both meaningful and understandable

How it Works: A Simplified View

(Figure: Third Party Assurance Centre; Maturity of a Cloud provider, an Internal hosting provider and a Third party requesting access; Risk Appetite)

1. Business sets level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.
2. Level of risk management maturity is communicated to business partners (and possible partners)
3. Evidence of compliance may be uploaded to central repository that can be used by numerous customers.
4. Leverage existing expenditure and remove need for duplicate verification (note: May remove audit requirement altogether)

SESSION 5 // GRC Stack Evolution and Administration; How to Learn More; Open Mic for Q&A

GRC Stack Planned Evolutions

(Figure: the CSA organization chart from the session opening: Board, Steering Committee, Executive Director, Membership (Corporate, Individual, Affiliate), Chapters, Research Director, Education, Research, Working Groups and special competencies; the GRC Stack (CCM, CAIQ, CloudAudit, CTP) shown alongside Security Guidance for Critical Areas of Cloud Computing, CSA Security, Trust, & Assurance Registry (STAR), Trusted Cloud Initiative, CCSK and PCI; annotated “Legal perspectives and alterations…”)

The GRC Stack Evolution Plan

What is the current expansion/evolution plan for the GRC stack?

Evolution 1
• Content
• Timeframe

What’s Happening Now? A great time to move the security ecosystem forward in the cloud

Research Work Groups Underway
• CCM update
• CAIQ update
• CloudAudit update
• CloudTrust Protocol update and integration into CSA GRC stack
• Trusted Cloud Initiative
• CloudSIRT
• Cloud data governance
• Cloud metrics
• Security as a service (SecaaS)

Education
• CCSK update
• GRC stack training
• PCI compliance in the cloud

(Legend: current planned sources of evolution for the GRC stack)

Cloud Security Alliance: Industry Efforts to Secure Cloud Computing
A Workshop on the CSA Governance, Risk, and Compliance (GRC) Stack
Jim Reavis, CSA Executive Director
Ron Knode (CSC), Marlin Pohlman (EMC), Kip Boyle (…), Becky Swain (…), John Yeoh (CSA)
October 2011

PM SESSIONS
SESSION 9 // Connections and applications of GRC stack components in other initiatives (inside and outside the CSA)

THANK YOU