RSA CSA GRC Stack Update for the Atlanta CSA Chapter by Phil Agcaoili

1. RSA: Cloud Security AllianceGRC Stack Update Cloud Security Alliance, Atlanta Chapter Phil Agcaoili, Cox Communications Dennis Hurst, HP March 2011

2. Cloud ComputingNIST Definition UPDATED (Jan 2011) – National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft) Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) Rapidly provisioned and released with minimal management effort or service provider interaction Composed of 5 essential characteristics, 3 service models, and 4 deployment models. Source: http://www.nist.gov/itl/csd/cloud-020111.cfm

3. Cloud Computing5 Essential Characteristics On-demand tenant self-service model for provisioning computing capabilities (server time, network storage, etc.) Broad network access with capabilities over the network accessible by standard mechanisms and mobile platforms Resource pooling through dynamically assigned physical and virtual capabilities delivered in a multi-tenant model and location independent Rapid elasticity of provisioned resources automatically or manually adjusted aligned with service level flexibility and needs Measured service to monitor, control and report on transparent resource optimization

4. Cloud Computing3 Service Models Software as a Service (SaaS) Capability made available to tenant (or consumer) to use provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces. Examples: Salesforce.com, Drop Box, Box.net, Google Docs, WebEx Platform as a Service (PaaS) Capability made available to tenant to deploy tenant owned (created or acquired) applications using programming languages and tools supported by provider. Examples: Microsoft Azure, Amazon Web Services, Bungee Connect Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS) Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant’s applications. Examples: Rackspace, Terremark (Verizon), Savvis, AT&T

7. What is Different about Cloud?

8. What is Different about Cloud?

9. What is Different about Cloud?

10. Proposal for Atlanta Chapter Objective #1: Cloud Security Contract Template Vendor and Customer Needs: A simple, but uniform security contract and questionnaire/checklist Benefits: Standard/uniform customer response Minimizes unique customer requests Provide basic security attestation and assurance

11. What is Different about Cloud?

12. What is Different about Cloud?

13. Cloud Controls Matrix

15. Philip Agcaoili – Cox Communications

16. Marlin Pohlman – EMC, RSA

17. Kip Boyle – CSAV1.1 Released Dec 2010 Rated as applicable to S-P-I with Cloud Provider / Tenant Delineation Controls baselined and mapped to: COBIT HIPAA / HITECH Act ISO/IEC 27001-2005 NISTSP800-53 FedRAMP PCI DSSv2.0 BITS Shared Assessments GAPP

19. Addison Lawrence – Dell

20. Akira Shibata – NTT DATA Corp

21. Andy Dancer

22. Anna Tang – Cisco Systems, Inc.

23. April Battle – MITRE

24. ChandrasekarUmpathy

25. Chris Brenton – Dell

26. Dale Pound – SAIC

27. Daniel Philpott – Tantus Technologies

28. Dr. Anton Chuvakin – Security Warrior Consulting

29. Elizabeth Ann Wickham – L47 Consulting Limited

30. Gary Sheehan – Advanced Server Mgmt Group, Inc.

31. Georg Heß

32. Georges Ataya Solvay – Brussels School of Economics & Mgmt

33. Glen Jones – Cisco Systems, Inc.

34. Greg Zimmerman – Jefferson Wells

35. Guy Bejerano - LivePerson

36. Henry Ojo – Kamhen Services Ltd,

37. Jakob Holm Hansen – Neupart A/S

38. Joel Cort – Xerox Corporation

39. John DiMaria – HISPI

40. John Sapp – McKesson Healthcare, HISPI

41. Joshua Schmidt – Vertafore, Inc.

42. KarthikAmrutesh – Ernst and Young LLP

43. Kelvin Arcelay – Arcelay& Associates

44. Kyle Lai – KLC Consulting, Inc.

45. Larry Harvey – Cisco Systems, Inc.

46. Laura Kuiper – Cisco Systems, Inc.

47. Lisa Peterson – Progressive Insurance

48. Lloyd Wilkerson – Robert Half International

49. Marcelo Gonzalez – Banco Central Republica Argentina

50. Mark Lobel – PricewaterhouseCoopers LLP

51. Meenu Gupta – Mittal Technologies

52. Mike Craigue, Ph.D. – Dell

53. MS Prasad, Exec Dir CSA India

54. Niall BrowneI – LiveOps

55. Patrick Sullivan

56. Patty Williams – Symetra Financial

57. Paul Stephen – Ernst and Young LLP

58. Phil Genever-Watling - Dell

59. Philip Richardson – Logicalis UK Ltd

60. PritamBankar – Infosys Technologies Ltd.

61. RamesanRamani – Paramount Computer Systems

62. Steve Primost

63. TaiyeLambo – eFortresses, Inc .

64. Tajeshwar Singh

65. Thej Mehta – KPMG LLP

66. Thomas Loczewski – Ernst and Young GmbH, Germany

67. Vincent Samuel – KPMG LLP

68. Yves Le Roux – CA Technologies

70. Comprised of a set of policies and processes (internal controls) affecting the way Cloud services are directed, administered or controlled.

71. Aligned to Information Security regulatory rules and industry accepted guidance.

73. Cloud Controls Matrix11 Domains 1. Compliance (CO) 2. Data Governance (DG) 3. Facility Security (FS) 4. Human Resources (HR) 5. Information Security (IS) 6. Legal (LG) 7. Operations Management (OM) 8. Risk Management (RI) 9. Release Management (RM) 10. Resiliency (RS) 11.Security Architecture (SA)

75. CO02 – Independent Audits

76. CO03 – Third Party Audits

77. CO04 – Contact / Authority Maintenance

78. CO05 – Information System Regulatory Mapping

81. DG02 – Classification

82. DG03 – Handling / Labeling / Security Policy

83. DG04 – Retention Policy

84. DG05 – Secure Disposal

85. DG06 – Non-Production Data

86. DG07 – Information Leakage

88. RI02 – Assessments

89. RI03 – Mitigation / Acceptance

90. RI04 – Business / Policy Change Impacts

92. RS02 – Impact Analysis

93. RS03 – Business Continuity Planning

94. RS04 – Business Continuity Testing

95. RS05 – Environmental Risks

96. RS06 – Equipment Location

97. RS07 – Equipment Power Failures

99. HR02 – Employment Agreements

101. RM02 – Production Changes

102. RM03 – Quality Testing

103. RM04 – Outsourced Development

105. OP02 – Documentation

106. OP03 – Capacity / Resource Planning

108. SA02 – User ID Credentials

109. SA03 – Data Security / Integrity

110. SA04 – Application Security

111. SA05 – Data Integrity

112. SA06 – Production / Non-Production Environments

113. SA07 – Remote User Multi-Factor Authentication

114. SA08 – Network Security

115. SA09 – Segmentation

116. SA10 – Wireless Security

117. SA11 – Shared Networks

118. SA12 – Clock Synchronization

119. SA13 – Equipment Identification

120. SA14 – Audit Logging / Intrusion Detection

122. FS02 – User Access

123. FS03 – Controlled Access Points

124. FS04 – Secure Area Authorization

125. FS05 – Unauthorized Persons Entry

126. FS06 – Off-Site Authorization

127. FS07 – Off-Site Equipment

129. IS02 – Management Support / Involvement

130. IS03 – Policy

131. IS04 – Baseline Requirements

132. IS05 – Policy Reviews

133. IS06 – Policy Enforcement

134. IS07 – User Access Policy

135. IS08 – User Access Restriction / Authorization

136. IS09 – User Access Revocation

137. IS10 – User Access Reviews

138. IS11 – Training / Awareness

139. IS12 – Industry Knowledge / Benchmarking

140. IS13 – Roles / Responsibilities

141. IS14 – Management Oversight

142. IS15 – Segregation of Duties

143. IS16 – User Responsibility

144. IS17 – Workspace

145. IS18 – Encryption

146. IS19 – Encryption Key Management

147. IS20 – Vulnerability / Patch Management

148. IS21 – Anti-Virus / Malicious Software

149. IS22 – Incident Management

150. IS23 – Incident Reporting

151. IS24 – Incident Response Legal Preparation

152. IS25 – Incident Response Metrics

153. IS26 – Acceptable Use

154. IS27 – Asset Returns

155. IS28 – eCommerce Transactions

156. IS29 – Audit Tools Access

157. IS30 – Diagnostic / Configuration Ports Access

158. IS31 – Network Services

159. IS32 – Portable / Mobile Devices

160. IS33 – Source Code Access Restriction

162. Consensus Assessment Initiative Research tools and processes to perform shared assessments of cloud providers Lightweight “common assessment criteria” concept Integrated with Controls Matrix Ver 1 CAI Questionnaire released Oct 2010, approx 140 provider questions to identify presence of security controls or practices

164. Aaron Benson – Novell

165. Ken Biery – Verizon Business

166. Kristopher Fador – Bank of America

167. David Gochenaur – Aon Corporation

168. Jesus Molina – Fujitsu

169. John Nootens – AMA Association

170. HemmaPrafullchandra – Hytrust

171. GorkaSadowski – Log Logic

172. Richard Schimmel – Bank of America

173. Patrick Vowles – RSA

175. Jason Witty – Bank of America

176. Marlin Pohlman – EMC, RSA

178. CSA guidance

179. Industry experts

180. Align questions with the CSA Cloud Controls Matrix

181. Release 1.0 question-set publically

182. Integrate into CloudAudit.org framework

184. CloudAudit

185. CloudAudit Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.

186. CloudAuditObjective A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools. Define a namespace that can support diverse frameworks Express five critical compliance frameworks in that namespace Define the mechanisms for requesting and responding to queries relating to specific controls Integrate with portals and AAA systems

187. CloudAuditAligned to Cloud Controls Matrix First efforts aligned to compliance frameworks as established by CSA Control Matrix: PCI DSS HIPAA COBIT ISO/IEC 27001-2005 NISTSP800-53 Incorporate CSA’s CAI and additional CompliancePacks Expand alignment to “infrastructure” and “operations” -centric views also

188. CloudAuditSample Implementation CSA Compliance Pack

189. CloudAuditSample Implementation (cont.) CSA Compliance Pack

190. CloudAuditSample Implementation (cont.) CSA Compliance Pack

191. CloudAuditRelease Deliverables Contains all Compliance Packs, documentation and scripts needed to begin implementation of CloudAudit Working with Service Providers and Tool Vendors for Adoption Officially folded CloudAudit under the Cloud Security Alliance in October, 2010 http://www.cloudaudit.org/CloudAudit_Distribution_20100815.zip

192. CloudAuditRelease Deliverables (cont.) Request Flow for Users & Tools

193. CloudAuditRelease Deliverables (cont.) index.html/default.jsp/etc. Index.html is for dumb browser consumptions Typically, the direct human user use case It can be omitted if directory browsing is enabled It contains JavaScript to look for the manifest.xml file, parse it, and display it as HTML. If no manifest.xml exists, it should list the directory contents relevant to the control in question

194. CloudAuditRelease Deliverables (cont.) manifest.xml Structured listing of control endpoints contents Can be extended to provide contextual information Primarily aimed at tool consumption In Atom format

195. CSA GRC Stack

196. CSA GRC Stack Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption. Provider Assertions Private, Community & Public Clouds Control Requirements

198. Appropriate assessment criteria; and

199. Relevant control objectives and timely access to necessary supporting data.

200. CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.

201. Integrated suite of 3 CSA initiatives: CloudAudit, Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).

204. ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy with active CSA representation

205. European Network and Information Security Agency (ENISA)

206. Common Assurance Maturity Model (CAMM)

207. American Institute of Certified Public Accountants (AICPA)

208. Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy

209. National Institute of Standards and Technology (NIST)

211. Health Information Trust Alliance (HITRUST)

212. Unified Compliance Framework (UCF)

213. Information Systems Audit and Control Association (ISACA)

214. BITS Shared Assessments SIG/AUP + TG Participation

216. About the Cloud Security Alliance Global, not-for-profit organization Almost 18,000 individual members, 80 corporate members Building best practices and a trusted cloud ecosystem Agile philosophy, rapid development of applied research GRC: Balance compliance with risk management Reference models: build using existing standards Identity: a key foundation of a functioning cloud economy Champion interoperability Advocacy of prudent public policy “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

217. Contact Help us secure cloud computing www.cloudsecurityalliance.org info@cloudsecurityalliance.org LinkedIn: www.linkedin.com/groups?gid=1864210 Twitter: @cloudsa

218. Thank You