Enterprise end-users are becoming more reliant on cloud computing applications and virtualized environments to share information with one another more quickly. While some companies are being cautious with their moves to the cloud, limiting the kinds of information stored and exchanged there, others are taking on real risk. What can executives do to better plan and implement security best practices in the cloud? We speak with some experts.
Secure Computing Magazine - SC World Congress 2/7 eConference - Keynote: Securing the cloud
1. Keynote address: Securing the cloud
July 28, 2011
Phil Agcaoili
Cloud Security Alliance, Co-founding member
CSA Cloud Controls Matrix (CCM), Inventor and co-author
CSA GRC Stack, Co-founder and committee co-chair
CSA Atlanta Chapter, Founder and Chapter Officer
2. Customers of Cloud
- Enterprises, large-scale services: outsource wholesale IT services such as payroll, HR/benefits, CRM, help desk/service desk, etc.
- Startups, developers using the Web at scale: Web-based business, SaaS, collaboration services, widget providers, mobile services, and social networking
- Small businesses using SaaS: online businesses, online presence, collaboration, and enterprise integration
- Enterprises, developers and one-off projects: R&D projects, quick promotions, widgets, online collaboration, partner integration, social networking, and new business ventures
- Firms with compute-intensive tasks: overnight ad placement or transportation calculations
“If you move your data centre to a cloud provider, it will cost a tenth of the cost.” - Brian Gammage, Gartner Fellow
“Using cloud infrastructures saves 18% to 29% before considering that you no longer need to buy for peak capacity” - George Reese, founder, Valtira and enStratus
“Web service providers offer APIs that enable developers to exploit functionality over the Internet, rather than delivering full-blown applications.” - Infoworld
3. “In the Cloud, step one is trusting, and that's not security — that's hope.” - Andrew Walls, Gartner Group
You cannot outsource responsibility.
4. Top Threats of Cloud Computing
CSA Research Study Findings:
- Shared Technology Vulnerabilities
- Data Loss/Data Leakage
- Malicious Insiders
- Interception or Hijacking of Traffic
- Insecure APIs
- Account/Service Hijacking
- Nefarious Use of Service
HTTP://CLOUDSECURITYALLIANCE.ORG/TOPTHREATS
5. Cloud Security = Loss of Control
- Loss of direct access: in the Cloud you are at least one step removed
- Multi-tenancy: not an issue in private computing, where there are no shared devices or services
- Commingling: will your data be mixed in with other clients' data? How will it be segregated?
- Resource pooling: how will resource conflicts be resolved? Who gets first response?
- Ineffective data deletion: if you change providers, does your data get destroyed? What about unintentional destruction?
- Legal snafus/data exhaust: if Company A has their data subpoenaed and your data is also on the same device, what happens to your data?
[Figure: Traditional Security Model vs. New Security Model]
6. Moving to the Cloud
- Assess the business
- Assess the culture
- Assess the value
- Understand your data
- Understand your services
- Understand your processes
- Understand the cloud resources
- Identify candidate data
- Identify candidate services
- Identify candidate processes
- Create a governance strategy
- Bind candidate services to data and processes
- Relocate services, processes, and information
- Implement security
- Implement governance
- Implement operations
- Create a security strategy
7. Secure Adoption of the Cloud
Understand the threats and the risks (CSA Guidance):
- Identify the asset for the cloud deployment
- Evaluate the asset
- Map the asset to potential cloud deployment models
- Evaluate potential cloud service models and providers
- Sketch the potential data flow
https://wiki.cloudsecurityalliance.org/guidance
Mitigating the risks:
- Legal contracts and SLAs with Cloud Service Providers (CSPs): CSA Atlanta Chapter Project 2, Contractual Guidance (coming soon)
- Audits, Attestations, and Certifications for Cloud Trust and Assurance:
  - ISO 27001 Certification
  - Amazon: ISO 27001, SAS 70 Type II, FISMA moderate Authority to Operate, HIPAA (current customer deployments); whitepaper describes the specifics: http://aws.amazon.com/security
  - AICPA SSAE 16 (SOC 1, 2, and 3) / ISAE 3402: replaced SAS 70 as of June 2011
  - CSA STAR (coming soon) and CSA GRC Stack standards usage
  - Microsoft Office 365 (formerly BPOS): ISO27K to CSA CCM Mapping, http://www.microsoft.com/download/en/details.aspx?id=26647
- CSA GRC Stack components: CloudAudit, Cloud Controls Matrix (CCM), Consensus Assessments Initiative Questionnaire (CAIQ), Cloud Trust Protocol (CTP)
8. CSA Governance, Risk, and Compliance (CSA GRC) Stack
- Suite of tools, best practices and enabling technology
- Consolidates industry research and simplifies GRC in the cloud
- For cloud providers, enterprises, solution providers and audit/compliance
- Controls framework, questionnaire and continuous controls monitoring automation
- Simplifies customer and cloud provider attestation to accelerate cloud adoption
https://cloudsecurityalliance.org/grc-stack
[Figure: Provider Assertions; Private & Public Clouds; Control Requirements]
10. ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy
14. Statement on Standards for Attestation Engagements (SSAE) No. 16
SOC 2: Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
25. The CSA Atlanta Chapter Project and Its Value
- Fill the CAIQ out so that it effectively addresses all general legal and risk management issues (i.e., issues not limited to a specific business sector or region) that should arise in the due diligence process.
- Provide supporting narrative complementing the yes/no answers to all questions.
- The value to vendors is that they can write only once (and then update) a single, comprehensive set of answers to due diligence questions.
- Prospective customers can use the yes/no answers to make instantaneous vendor comparisons, and then drill deeper into the related narratives.
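The two-layer use of a CAIQ described on this slide (yes/no answers for a quick side-by-side comparison, narratives for drill-down) is easy to model in code. The following is an added example written for this page; it is not part of the presentation and not CSA or CAIQ tooling. The control IDs, questions, vendor names and answers are constructed placeholders, not real CCM control IDs or real vendor responses. It enforces the "narrative for every answer" rule from the slide, computes per-vendor coverage, lists the controls on which vendors differ, and pulls the narratives for one control so a reviewer can drill down where the yes/no answers disagree.

```python
"""CAIQ-style vendor comparison (added example, not CSA code).

Models the slide's two-layer questionnaire: a yes/no answer per control for
instant comparison, plus a supporting narrative for drill-down. All IDs,
questions and vendor answers below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Answer:
    response: str        # "yes", "no" or "n/a"
    narrative: str = ""  # supporting text; the slide asks for one on every answer


# Constructed questionnaire: control id -> (domain, question). Not real CCM IDs.
QUESTIONS = {
    "DG-01": ("Data Governance", "Is customer data logically segregated from other tenants?"),
    "DG-02": ("Data Governance", "Is customer data securely destroyed on termination?"),
    "LG-01": ("Legal", "Are customers notified of third-party legal requests for their data?"),
    "RM-01": ("Resiliency", "Is there a documented business continuity plan tested annually?"),
    "SA-01": ("Security Architecture", "Are APIs authenticated and rate limited?"),
}

# Constructed vendor responses (illustrative only; not real vendors).
VENDORS = {
    "VendorA": {
        "DG-01": Answer("yes", "Per-tenant encryption keys; logical isolation at the storage layer."),
        "DG-02": Answer("yes", "Crypto-shredding within 30 days of termination; certificate on request."),
        "LG-01": Answer("no", "Notification only where not prohibited by law; no contractual commitment."),
        "RM-01": Answer("yes", "BCP tested semi-annually; report available under NDA."),
        "SA-01": Answer("yes", "OAuth 2.0 bearer tokens; per-key rate limits."),
    },
    "VendorB": {
        "DG-01": Answer("yes", "Shared database; tenant-id column filtering in application code."),
        "DG-02": Answer("no", "Data may remain on backup media for up to 12 months."),
        "LG-01": Answer("yes", "Customers notified within 5 business days unless legally barred."),
        "RM-01": Answer("n/a", "Service is stateless; customers hold all data."),
        # SA-01 left unanswered on purpose to show how gaps are surfaced.
    },
}


def validate(answers):
    """Control ids whose answer is missing or has no narrative (the slide's rule)."""
    return [cid for cid in QUESTIONS
            if answers.get(cid) is None or not answers[cid].narrative.strip()]


def coverage(answers):
    """Fraction of controls answered 'yes'; unanswered and 'n/a' count as not covered."""
    yes = sum(1 for cid in QUESTIONS
              if cid in answers and answers[cid].response == "yes")
    return yes / len(QUESTIONS)


def coverage_by_domain(answers):
    """Same as coverage(), broken out per questionnaire domain."""
    totals, yes = {}, {}
    for cid, (domain, _) in QUESTIONS.items():
        totals[domain] = totals.get(domain, 0) + 1
        if cid in answers and answers[cid].response == "yes":
            yes[domain] = yes.get(domain, 0) + 1
    return {d: yes.get(d, 0) / n for d, n in totals.items()}


def compare(vendors):
    """Controls where vendors disagree: {cid: {vendor: response}}.

    Unanswered controls are reported as 'unanswered' so a gap is never
    silently treated as agreement.
    """
    diffs = {}
    for cid in QUESTIONS:
        responses = {v: (ans[cid].response if cid in ans else "unanswered")
                     for v, ans in vendors.items()}
        if len(set(responses.values())) > 1:
            diffs[cid] = responses
    return diffs


def drill_down(vendors, cid):
    """Narratives for one control across all vendors, for the second-layer review."""
    return {v: (ans[cid].narrative if cid in ans else "(unanswered)")
            for v, ans in vendors.items()}


if __name__ == "__main__":
    for name, answers in VENDORS.items():
        print(f"{name}: coverage={coverage(answers):.0%} missing={validate(answers)}")
    for cid, responses in compare(VENDORS).items():
        print(cid, QUESTIONS[cid][1], responses)
        for vendor, narrative in drill_down(VENDORS, cid).items():
            print(f"    {vendor}: {narrative}")
```

Note that a "yes" on both sides does not end the review: both constructed vendors answer "yes" to DG-01, so it never appears in the comparison, yet the narratives describe very different segregation mechanisms. That is exactly the drill-down the slide calls for, and a reviewer should read the narratives for high-impact controls even where the yes/no answers agree.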
26. Legal and Contract Issues with Cloud
“Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach. The starting point contractually often favors the vendor, resulting in a potential misalignment with user requirements.” - Gartner
9 Security Areas to Include in CSP-related Contracts:
- Security
- Data privacy conditions
- Uptime guarantees
- Service-level agreement (SLA) penalties
- SLA penalty exclusions
- Business continuity and disaster recovery
- Suspension of service
- Termination
- Liability
27. philA’s Approach to Using the CSA GRC Stack
- Pre-sales: use the CAI Questionnaire (CAIQ)
- Contracts (MSA): attach CAIQ + CCM
- Post-sales assurance and continuous compliance: use CloudAudit to verify contract and pre-sales assertions
*CSA STAR will support this approach in an official manner.
28. Cloud Back-Out Plan Considerations
- Include provisions for transition assistance requiring the vendor to assist you with the transition to a new vendor.
- Require the return or secure destruction of all data held by the vendor.
- Have the right to verify compliance.
- The transition period may last from 30 days to 6 months.
29. Summary
- Adopt Cloud that works for you
- Understand the risks
- Know your limits
- Conduct due diligence
- Use available Cloud Trust and Assurance tools
- Work with your Legal and Procurement teams to ensure contractual obligations exist and are met
30. About the Cloud Security Alliance
- Global, not-for-profit organization
- Over 22,000 individual members, 100 corporate members
- Building good practices and a trusted cloud ecosystem
- Agile philosophy, rapid development of applied research
- GRC: balance compliance with risk management
- Reference models: build using existing standards
- Identity: a key foundation of a functioning cloud economy
- Champion interoperability
- Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
31. Questions and Answers…
HTTP://CLOUDSECURITYALLIANCE.ORG
http://cloudsecurityalliance.org/cm
http://cloudsecurityalliance.org/grc-stack
https://wiki.cloudsecurityalliance.org/guidance
http://cloudsecurityalliance.org/topthreats
http://AICPA.ORG/SOC/
http://www.opencloudmanifesto.org
http://www.opengroup.org/jericho
http://www.nist.gov/itl/cloud/index.cfm
http://www.microsoft.com/download/en/details.aspx?id=26647
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
CSA LinkedIn: www.linkedin.com/groups?gid=1864210
Many thanks to: Jon Neiditz, Nelson Mullins Riley & Scarborough, for leading the development of the CSA Atlanta Chapter Project 2 (Contractual Guidance) and for some of the material used in today’s presentation; David Barton, UHY LLP, for some of the material used in today’s presentation.
Phil Agcaoili
Twitter: hacksec