RSA: CSA GRC Stack Update for the CSA Atlanta Chapter

RSA: Cloud Security AllianceGRC Stack Update

Cloud Security Alliance, Atlanta ChapterPhil Agcaoili, Cox Communications

Dennis Hurst, HPMarch 2011

Cloud ComputingNIST Definition

• UPDATED (Jan 2011) – National Institute of Standards and Technology (NIST) Special Publication 800-145 (Draft)

• Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)

• Rapidly provisioned and released with minimal management effort or service provider interaction

• Composed of 5 essential characteristics, 3 service models, and 4 deployment models.

• Source: http://www.nist.gov/itl/csd/cloud-020111.cfm

Cloud Computing5 Essential Characteristics

• On-demand tenant self-service model for provisioning computing capabilities (server time, network storage, etc.)

• Broad network access with capabilities over the network accessible by standard mechanisms and mobile platforms

• Resource pooling through dynamically assigned physical and virtual capabilities delivered in a multi-tenant model and location independent

• Rapid elasticity of provisioned resources automatically or manually adjusted aligned with service level flexibility and needs

• Measured service to monitor, control and report on transparent resource optimization

Cloud Computing3 Service Models• Software as a Service (SaaS)

• Capability made available to tenant (or consumer) to use provider’s applications running on cloud infrastructure, accessible via web browser, mobile apps, and system interfaces.

• Examples: Salesforce.com, Drop Box, Box.net, Google Docs, WebEx

• Platform as a Service (PaaS)

• Capability made available to tenant to deploy tenant owned (created or acquired) applications using programming languages and tools supported by provider.

• Examples: Microsoft Azure, Amazon Web Services, Bungee Connect

• Infrastructure as a Service (IaaS) / Datacenter as a Service (DaaS)

• Capability made available to tenant to provision processing, storage, networks or other fundamental computing resources to host and run tenant’s applications.

• Examples: Rackspace, Terremark (Verizon), Savvis, AT&T

Cloud Computing4 Deployment Models

(1) PRIVATE(2)

COMMUNITY(3)PUBLIC

ACCESSIBILITYSingle

Organization

Shared with Common Interests /

Requirements

General Public / Large Industry

MANAGEMENTOrganization or

Third PartyOrganization or

Third PartyCloud Provider

HOSTOn or Off Premise

On or Off Premise

(4) HYBRID

• Composition of 2 or more deployment models that remain unique entities

• Bound together by standardized or proprietary technology enabling data and application portability

Cloud ComputingSecurity: Largest Barrier to Adoption

What is Different about Cloud?

SERVICE OWNER SaaS PaaS IaaS

Data Joint Tenant Tenant

Application Joint Joint Tenant

Compute Provider Joint Tenant

Storage Provider Provider Joint

Network Provider Provider Joint

Physical Provider Provider Provider

Proposal for Atlanta Chapter Objective #1: Cloud Security Contract Template

• Vendor and Customer Needs:

• A simple, but uniform security contract and questionnaire/checklist

• Benefits:

• Standard/uniform customer response

• Minimizes unique customer requests

• Provide basic security attestation and assurance

Cloud Controls Matrix

• V1.1 Released Dec 2010

• Rated as applicable to S-P-I with Cloud Provider / Tenant Delineation

• Controls baselined and mapped to:• COBIT• HIPAA / HITECH Act• ISO/IEC 27001-2005• NISTSP800-53• FedRAMP• PCI DSSv2.0• BITS Shared Assessments• GAPP

Leadership Team• Becky Swain – Cisco Systems, Inc.• Philip Agcaoili – Cox

Communications• Marlin Pohlman – EMC, RSA• Kip Boyle – CSA

Cloud Controls MatrixGlobal Industry Contribution

• Kyle Lai – KLC Consulting, Inc.• Larry Harvey – Cisco Systems, Inc.• Laura Kuiper – Cisco Systems, Inc.• Lisa Peterson – Progressive Insurance• Lloyd Wilkerson – Robert Half International• Marcelo Gonzalez – Banco Central Republica

Argentina• Mark Lobel – PricewaterhouseCoopers LLP• Meenu Gupta – Mittal Technologies• Mike Craigue, Ph.D. – Dell• MS Prasad, Exec Dir CSA India • Niall BrowneI – LiveOps• Patrick Sullivan• Patty Williams – Symetra Financial• Paul Stephen – Ernst and Young LLP• Phil Genever-Watling - Dell• Philip Richardson – Logicalis UK Ltd• PritamBankar – Infosys Technologies Ltd.• RamesanRamani – Paramount Computer Systems• Steve Primost• TaiyeLambo – eFortresses, Inc .• Tajeshwar Singh• Thej Mehta – KPMG LLP• Thomas Loczewski – Ernst and Young GmbH,

Germany• Vincent Samuel – KPMG LLP• Yves Le Roux – CA Technologies• HISPI membership (Release ISO Review Body)

• AdalbertoAfonso A Navarro F do Valle – Deloitte LLP• Addison Lawrence – Dell• Akira Shibata – NTT DATA Corp• Andy Dancer• Anna Tang – Cisco Systems, Inc.• April Battle – MITRE• ChandrasekarUmpathy• Chris Brenton – Dell• Dale Pound – SAIC• Daniel Philpott – Tantus Technologies• Dr. Anton Chuvakin – Security Warrior Consulting• Elizabeth Ann Wickham – L47 Consulting Limited• Gary Sheehan – Advanced Server Mgmt Group, Inc.• Georg Heß• Georges Ataya Solvay – Brussels School of Economics &

Mgmt• Glen Jones – Cisco Systems, Inc.• Greg Zimmerman – Jefferson Wells• Guy Bejerano - LivePerson• Henry Ojo – Kamhen Services Ltd,• Jakob Holm Hansen – Neupart A/S• Joel Cort – Xerox Corporation• John DiMaria – HISPI• John Sapp – McKesson Healthcare, HISPI• Joshua Schmidt – Vertafore, Inc.• KarthikAmrutesh – Ernst and Young LLP• Kelvin Arcelay – Arcelay& Associates

Cloud Controls MatrixCharacteristics

• Objective measure to monitor activities and then take corrective action to accomplish organizational goals.

• Comprised of a set of policies and processes (internal controls) affecting the way Cloud services are directed, administered or controlled.

• Aligned to Information Security regulatory rules and industry accepted guidance.

• Controls reflect the intent of the CSA Guidance as applied to existing patterns of Cloud execution.

Cloud Controls MatrixOptimal & Holistic Compliance

Bridging Regulatory Governance And Practical Compliance

Cloud Controls Matrix11 Domains

1. Compliance (CO)

2. Data Governance (DG)

3. Facility Security (FS)

4. Human Resources (HR)

5. Information Security (IS)

6. Legal (LG)

7. Operations Management (OM)

8. Risk Management (RI)

9. Release Management (RM)

10. Resiliency (RS)

11.Security Architecture (SA)

Cloud Controls Matrix98 Controls

Compliance• CO01 – Audit Planning• CO02 – Independent Audits• CO03 – Third Party Audits• CO04 – Contact / Authority Maintenance• CO05 – Information System Regulatory

Mapping• CO06 – Intellectual Property Data Governance

• DG01 – Ownership / Stewardship• DG02 – Classification• DG03 – Handling / Labeling / Security

Policy• DG04 – Retention Policy• DG05 – Secure Disposal• DG06 – Non-Production Data• DG07 – Information Leakage• DG08 – Risk Assessments

Legal• LG01 - Non-Disclosure

Agreements• LG02 - Third Party

Agreements

Risk Management• RI01 – Program• RI02 – Assessments• RI03 – Mitigation / Acceptance• RI04 – Business / Policy Change

Impacts• RI05 – Third Party Access

Cloud Controls Matrix98 Controls (cont.)

Release Management• RM01 – New Development /

Acquisition• RM02 – Production Changes• RM03 – Quality Testing• RM04 – Outsourced Development• RM05 – Unauthorized Software

Installations

Resiliency• RS01 – Management Program• RS02 – Impact Analysis• RS03 – Business Continuity Planning• RS04 – Business Continuity Testing• RS05 – Environmental Risks• RS06 – Equipment Location• RS07 – Equipment Power Failures• RS08 – Power / Telecommunications

Operational Management• OP01 – Policy• OP02 – Documentation• OP03 – Capacity / Resource Planning• OP04 – Equipment Maintenance

Human Resources• HR01 – Background

Screening• HR02 – Employment

Agreements• HR03 – Employment

Termination

Security Architecture• SA01 – Customer Access Requirements• SA02 – User ID Credentials• SA03 – Data Security / Integrity• SA04 – Application Security• SA05 – Data Integrity• SA06 – Production / Non-Production

Environments• SA07 – Remote User Multi-Factor

Authentication• SA08 – Network Security• SA09 – Segmentation• SA10 – Wireless Security• SA11 – Shared Networks• SA12 – Clock Synchronization• SA13 – Equipment Identification• SA14 – Audit Logging / Intrusion Detection• SA15 – Mobile Code

Facility Security• FS01 – Policy• FS02 – User Access• FS03 – Controlled Access

Points• FS04 – Secure Area

Authorization• FS05 – Unauthorized Persons

Entry• FS06 – Off-Site Authorization• FS07 – Off-Site Equipment• FS08 – Asset Management

Information Security• IS01 – Management Program• IS02 – Management Support /

Involvement• IS03 – Policy• IS04 – Baseline Requirements• IS05 – Policy Reviews• IS06 – Policy Enforcement• IS07 – User Access Policy• IS08 – User Access Restriction /

Authorization• IS09 – User Access Revocation• IS10 – User Access Reviews• IS11 – Training / Awareness• IS12 – Industry Knowledge /

Benchmarking• IS13 – Roles / Responsibilities• IS14 – Management Oversight• IS15 – Segregation of Duties• IS16 – User Responsibility

• IS17 – Workspace• IS18 – Encryption• IS19 – Encryption Key Management• IS20 – Vulnerability / Patch

Management• IS21 – Anti-Virus / Malicious Software• IS22 – Incident Management• IS23 – Incident Reporting• IS24 – Incident Response Legal

Preparation• IS25 – Incident Response Metrics• IS26 – Acceptable Use• IS27 – Asset Returns• IS28 – eCommerce Transactions• IS29 – Audit Tools Access• IS30 – Diagnostic / Configuration Ports

Access• IS31 – Network Services• IS32 – Portable / Mobile Devices• IS33 – Source Code Access Restriction• IS34 – Utility Programs Access

Consensus Assessment Initiative

Consensus Assessment Initiative• Research tools and processes to

perform shared assessments of cloud providers

• Lightweight “common assessment criteria” concept

• Integrated with Controls Matrix

• Ver 1 CAI Questionnaire released Oct 2010, approx 140 provider questions to identify presence of security controls or practices

Consensus Assessment InitiativeTeam

Contributors• Matthew Becker – Bank of America• Aaron Benson – Novell• Ken Biery – Verizon Business• Kristopher Fador – Bank of America• David Gochenaur – Aon Corporation • Jesus Molina – Fujitsu• John Nootens – AMA Association• HemmaPrafullchandra – Hytrust• GorkaSadowski – Log Logic• Richard Schimmel – Bank of America• Patrick Vowles – RSA• Kenneth Zoline – IBM

Leaders• Laura Posey – Microsoft• Jason Witty – Bank of

America• Marlin Pohlman – EMC, RSA• Earle Humphreys – ITEEx

Editor• Christofer Hoff – Cisco

Consensus Assessment InitiativeApproach

• Build “cloud-specific” question-set

• CSA guidance

• Industry experts

• Align questions with the CSA Cloud Controls Matrix

• Release 1.0 question-set publically

• Integrate into CloudAudit.org framework

• Post to CloudSecurityAlliance.org

Consensus Assessment Initiative Questionnaire (CAIQ) – 148 Qs

CloudAudit

• Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments

• Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.

CloudAuditObjective• A structure for organizing assertions and

supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.

• Define a namespace that can support diverse frameworks

• Express five critical compliance frameworks in that namespace

• Define the mechanisms for requesting and responding to queries relating to specific controls

• Integrate with portals and AAA systems

CloudAuditAligned to Cloud Controls Matrix• First efforts aligned to compliance frameworks as

established by CSA Control Matrix:

• PCI DSS

• HIPAA

• COBIT

• ISO/IEC 27001-2005

• NISTSP800-53

• Incorporate CSA’s CAI and additional CompliancePacks

• Expand alignment to “infrastructure” and “operations”

-centric views also

CloudAuditSample Implementation

CSA Compliance Pack

CloudAuditSample Implementation (cont.)

CSA Compliance Pack

CloudAuditSample Implementation (cont.)

CSA Compliance Pack

CloudAuditRelease Deliverables

• Contains all Compliance Packs, documentation and scripts needed to begin implementation of CloudAudit

• Working with Service Providers and Tool Vendors for Adoption

• Officially folded CloudAudit under the Cloud Security Alliance in October, 2010

• http://www.cloudaudit.org/CloudAudit_Distribution_20100815.zip

CloudAuditRelease Deliverables (cont.)

Request Flow for Users & Tools

index.html/default.jsp/etc.

• Index.html is for dumb browser consumptions

• Typically, the direct human user use case

• It can be omitted if directory browsing is enabled

• It contains JavaScript to look for the manifest.xml file, parse it, and display it as HTML.

• If no manifest.xml exists, it should list the directory contents relevant to the control in question

manifest.xml

• Structured listing of control endpoints contents

• Can be extended to provide contextual information

• Primarily aimed at tool consumption

• In Atom format

CSA GRC Stack

• Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.

Control Requirements

Provider Assertions

Private, Community

& Public Clouds

Private, Community

& Public Clouds

CSA GRC Stack• Whether implementing private, public or hybrid clouds, the shift to

compute as a service presents new challenges across the spectrum of Governance, Risk Management and Compliance (GRC) requirements – success dependent upon:

• Appropriate assessment criteria; and

• Relevant control objectives and timely access to necessary supporting data.

• CSA GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.

• Integrated suite of 3 CSA initiatives: CloudAudit, Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).

• Available now for free download at: www.cloudsecurityalliance.org/grcstack.zip

CSA GRC StackBringing it all together…

CSA GRC StackIndustry Collaboration & Support• International Organization for Standards (ISO)

• ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy with active CSA representation

• European Network and Information Security Agency (ENISA)

• Common Assurance Maturity Model (CAMM)

• American Institute of Certified Public Accountants (AICPA)

• Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy

• National Institute of Standards and Technology (NIST)

• Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)

CSA GRC StackIndustry Collaboration & Support (cont.)

• Inverse Control Framework Mappings

• Health Information Trust Alliance (HITRUST)

• Unified Compliance Framework (UCF)

• Information Systems Audit and Control Association (ISACA)

• BITS Shared Assessments SIG/AUP + TG Participation

• Information Security Forum (ISF)

About the Cloud Security Alliance

About the Cloud Security Alliance• Global, not-for-profit organization• Almost 18,000 individual members, 80

corporate members• Building best practices and a trusted cloud

ecosystem• Agile philosophy, rapid development of applied

research• GRC: Balance compliance with risk management• Reference models: build using existing standards• Identity: a key foundation of a functioning cloud

economy• Champion interoperability• Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud

Computing to help secure all other forms of computing.”

Contact

• Help us secure cloud computing

• www.cloudsecurityalliance.org

• info@cloudsecurityalliance.org

• LinkedIn: www.linkedin.com/groups?gid=1864210

• Twitter: @cloudsa

www.cloudsecurityalliance.org

Thank You

RSA: CSA GRC Stack Update for the CSA Atlanta Chapter

Documents

RSA Archer GRC - Common Criteria Portal Archer ST v1... · RSA Archer GRC Platform 6.1 Security Target Version 1.0 5 August 2016 Prepared for: 13200 Metcalf Avenue, Suite 300 Overland

The RSA GRC Reference Architecture

Use of CSA GRC Stack and Semantic Technologies to Enhance ... › csri › plan › H24-symposium › pdf › 01... · Use of CSA GRC Stack and Semantic Technologies to Enhance Trust

RSA Archer GRC Platform Application builder Tailor RSA Archer GRC solutions to your unique methodologies and build on-demand applications through point-and-click configuration

White Paper RSA Archer GRC Reference Architecture

SOLUTION BRIEF RSA ARCHER IGNITION PROGRAM · RSA Archer Platform installation services, enable your organization to quickly stand up your GRC program environment and begin utilizing

The RSA GRC Reference Architecture...Version: June 2013 Page 1 The RSA GRC Reference Architecture Abstract This paper is a primer on the RSA GRC Reference Architecture – a visual

BUILDING THE RISK BASED AUDIT PLAN SPEAKERS: CAROLYN SAINT, VICE PRESIDENT, INTERNAL AUDIT, 7-ELEVEN PATRICK POTTER, GRC STRATEGIST, RSA MELISSA BAYER,

GRC Krawangan GRC Kepala Kolom GRC Cover Menaragrcbangunpersada.com/wp-content/uploads/2014/11/Product-Catalogu… · grc kubah grc lisplank grc cladding grc kepala kolom grc cover

RSA Archer GRC Summit 2012 Program Guide - Dell EMC thank you for your support of RSA Archer GRC Summit 2012; it’s your commitment to ... • GRC Application Showcase– 6 th Floor,

Assessing Risks in the Cloud · BCM/DR, financial viability, employee vetting ... •CSA Congress, Nov 16-17, Orlando •CSA Summit RSA, Feb 27 2012, San Francisco ... Presentation

GRC Annual Meeting & GEA GeoExpo+ - GRC Sponsorships

We Implement GRC Solutions Using Oracle GRC Applications Oracle Independent Consultants Oracle GRC Professionals 5/1/2015We Implement GRC Solutions Using

Welcome to our newsletter CIO Survey Privacy compliance · GRC seminar together with RSA On 12 May 2016, KPMG will host a Governance, Risk and Compliance (GRC) seminar at KPMG Front

Taking Command of Your GRC Journey - blogs.rsa.com · WHITE PAPER TAKING COMMAND OF YOUR GRC JOURNEY WITH RSA® ARCHER® Inspire Everyone to Own Risk ABSTRACT Organizations must implement

ComplyTec | Cybersecurity | Cyber attacks |GRC | Identity ......POLICY PROGRAM MANAGEMENT RSA Archer Policy Program Management provides the framework to help organizations establish

GRC TO INTEGRATED RISK MANAGEMENT · grc to integrated risk management looking around the corner hassan al-helo rsa archer @rsasecurity @rsa_archer. ... it & security risk management

GRC Program Best Practices & Lessons Learned - · PDF fileGRC Program Best Practices & Lessons Learned Carl Sawicki, American Express Kathleen Randall, RSA Archer Steps to Establishing

NEW BOUNDARIES - The Straits Times...Jul 25, 2015 · Marsiling-Yew Tee GRC Sembawang GRC Nee Soon GRC Ang Mo Kio GRC Pasir Ris-Punggol GRC Tampines GRC East Coast GRC Aljunied GRC

GRC Annual Meeting - GRC Sponsorships