SecaaS_V1_0.pdf - Cloud Security Alliance

Defined Categories of Service 2011

Copyright © 2011 Cloud Security Alliance 2

CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011

Introduction

The permanent and official location for the Cloud Security Alliance Security as a Service research is:

https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/

© 2011 Cloud Security Alliance.

All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Security as a Service” at https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “Security as a Service” Version 1.0 (2011).


Table of Contents

Introduction ... 2
Foreword ... 4
Acknowledgments ... 5
Executive Summary ... 7
Category 1: Identity and Access Management ... 8
Category 2: Data Loss Prevention ... 10
Category 3: Web Security ... 12
Category 4: Email Security ... 14
Category 5: Security Assessments ... 16
Category 6: Intrusion Management ... 18
Category 7: Security Information and Event Management (SIEM) ... 20
Category 8: Encryption ... 22
Category 9: Business Continuity and Disaster Recovery ... 24
Category 10: Network Security ... 26


Foreword

Welcome to the Cloud Security Alliance’s “Security as a Service,” Version 1.0. This is one of many research deliverables CSA will release in 2011.

There is currently a lot of work regarding the security of the cloud and data in the cloud, but until now there has been limited research into the provision of security services in an elastic cloud model that scales as the client requirements change. This paper is the initial output from research into how security can be provided as a service (SecaaS).

Also, we encourage you to download and review our flagship research, “Security Guidance for Critical Areas of Focus in Cloud Computing,” which you can download at: http://www.cloudsecurityalliance.org/guidance

Best Regards,

Jerry Archer, Alan Boehme, Dave Cullinane, Nils Puhlmann, Paul Kurtz, Jim Reavis

The Cloud Security Alliance Board of Directors


Acknowledgments

Co-chairs

Kevin Fielder: GE, Cameron Smith: Zscaler

Working Group Leaders

Runa Desai Delal: Agama Consulting, Ulrich Lang: ObjectSecurity, Atul Shah: Microsoft, Aaron Bryson: Cisco, Mark Hahn: TCB Technologies, Wolfgang Kandek: Qualys, John Hearton: Secure Mission Solutions, Justin Foster: Trend Micro, Ben Chung: HP, Jens Laundrup: Emagined Security, Geoff Webb: Credant Technologies, Kevin Fielder: GE, Cameron Smith: Zscaler, Ken Owens: Savvis

Steering Committee

Scott Chasin: McAfee, Kevin Fielder: GE Global, Patrick Harding: Ping Identity, John Hearton: Secure Mission Solutions, Bernd Jager: Colt, Joe Knape: AT&T, Marlin Pohlman: EMC, Jim Reavis: Cloud Security Alliance, Archie Reed: HP, J.R. Santos: Cloud Security Alliance, Cameron Smith: Zscaler, Michael Sutton: Zscaler, Brian Todd: ING

SecaaS Members

Lenin Aboagye: Apollo Group Inc., Ravikanth Anisingaraju: Nexus Informatics, Dave Asprey: Trend Micro, Karim Benzidane, Aaron Bryson: Cisco, Ben Chung: HP, Joel Cort: Xerox, Ricardo Costa: ESTG, Runa Desai Dalal: Agama Consulting, Jeff Finch: Interoute, Justin Foster: Trend Micro, Matthew Gardiner: CA Technologies, Suptrotik Ghose: Microsoft, Mark Hahn: TCB Technologies, Jeff Huegel: AT&T, Wolfgang Kandek: Qualys, Tuhin Kumar, Vijay Kumar Teki: HCL Technologies, Taiye Lambo: eFortresses, Jens Laundrup: Emagined Security, David Lingenfelter: Fiberlink, Drew Maness: Technicolor, Ken Owens: Savvis, Naynesh Patel: Simeio Solutions, Mike Qu, Kanchanna Ramasamy Balraj, Atul Shah: Microsoft, Said Tabet: EMC, Hassan Takabi: University of Pittsburgh, Danielito Vizcayno: E*Trade, Geoff Webb: Credant Technologies, Arnold Webster: EC-Council University, Nick Yoo: McKesson Corp.

Contributors

Jim Beadel: AT&T, Cheng-Yin Lee: CSA, Jie Wang: Converging Stream Technologies, Inc, Kapil Assudani: HCSC, Valmiki Mukherjee: (ISC)2, JP Morgenthal: Smartronix Cloud Security Alliance DC Chapter, Vladimir Jirasek: Nokia, Amol Godbole: Cisco Systems, Tuhin Kumar: Oracle Corp., Martin Lee: Symantec.cloud, Andrey Dulkin: Cyber-Ark Software, John Hearton: Secure Mission Solutions, Nandakumar: Novell, Bernd Jaeger: Colt Technology Services, Tyson Macaulay: Bell Canada, Lenin Aboagye: Apollo Group, David Treece: Edgile, Benzidane Karim: NTIQual, Atul Shah: Microsoft, Mark Hahn: TCB Technologies, Inc., Bradley Anstis: M86 Security, JD Hascup: Weyerhaeuser, Balaji Ramamoorthy: TCG, Hassan Takabi: University of Pittsburgh, Henry St. Andre: inContact, Faud Khan: TwelveDot, Inc., MS Prasad: Rediffmail, Gaurav Godhwani: Student, Ang Puay Young, Singapore Ministry of Health Holdings, Ted Skinner, Harris Corporation


CSA Staff

Jim Reavis: Executive Director, J.R. Santos: Research Director, John Yeoh: Research Analyst, Amy Van Antwerp: Technical Writer/Editor, Kendall Scoboria: Graphic Designer, Evan Scoboria: Web Developer


Executive Summary

Cloud Computing represents one of the most significant shifts in information technology many of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility has great potential, promising innovations we cannot yet imagine. Customers are both excited and nervous at the prospects of Cloud Computing. They are excited by the opportunities to reduce capital costs. They are excited for a chance to divest infrastructure management and focus on core competencies. Most of all, they are excited by the agility offered by the on-demand provisioning of computing resources and the ability to align information technology with business strategies and needs more readily.

However, customers are also very concerned about the security risks of Cloud Computing and the loss of direct control over the security of systems for which they are accountable. Vendors have attempted to satisfy this demand for security by offering security services in a cloud platform, but because these services take many forms, they have caused market confusion and complicated the selection process. This has led to limited adoption of cloud based security services thus far. However, the future looks bright for SecaaS, with Gartner predicting that cloud-based security service use will more than triple in many segments by 2013.

To aid both cloud customers and cloud providers, CSA has embarked on a new research project to provide greater clarity on the area of Security as a Service. Security as a Service refers to the provision of security applications and services via the cloud, either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems. This will enable enterprises to make use of security services in new ways, or in ways that would not be cost effective if provisioned locally.

Numerous security vendors are now leveraging cloud-based models to deliver security solutions. This shift has occurred for a variety of reasons, including greater economies of scale and streamlined delivery mechanisms. Consumers are increasingly faced with evaluating security solutions which do not run on-premises. Consumers need to understand the unique nature of cloud-delivered security offerings so they can evaluate the offerings and understand if they will meet their needs.

Based on survey results collected from prominent consumers of cloud services, the following security service categories are of most interest to experienced industry consumers and security professionals:

• Identity and Access Management (IAM)
• Data Loss Prevention (DLP)
• Web Security
• Email Security
• Security Assessments
• Intrusion Management
• Security Information and Event Management (SIEM)
• Encryption
• Business Continuity and Disaster Recovery
• Network Security


Category #1: Identity and Access Management (IAM)

Description: Identity and Access Management (IAM) should provide controls for assured identities and access management.

IAM includes people, processes, and systems that are used to manage access to enterprise resources by assuring the identity of an entity is verified and is granted the correct level of access based on this assured identity. Audit logs of activity such as successful and failed authentication and access attempts should be kept by the application / solution.

Class: Protective/Preventative

SERVICES
Includes: User Centric ID Provider, Federated IDs, Web-SSO, Identity Provider, Authorization Management Policy Provider, Electronic Signature, Device Signature, User Managed Access
Related Services: DLP, SIEM

Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federated Services (ADFS2), WS-Federation

Service Model: SaaS, PaaS

CSA Domains (v2.1): 4, 12

CORE FUNCTIONALITIES

• Provisioning/de-provisioning of accounts (of both cloud & on-premise applications and resources)
• Authentication (multiple forms and factors)
• Directory services
• Directory synchronization (multilateral as required)
• Federated SSO
• Web SSO (i.e. granular access enforcement & session management, different from Federated SSO)
• Authorization (both user and application/system)
• Authorization token management and provisioning
• User profile & entitlement management (both user and application/system)
• Support for policy & regulatory compliance monitoring and/or reporting
• Federated Provisioning of Cloud Applications
• Self-Service request processing, like password reset, setting up challenge questions, request for role/resource etc.
• Privileged user management / privileged user password management
• Policy management (incl. authorization management, role management, compliance policy management)
• Role Based Access Controls (RBAC) (where supported by the underlying system/service)

OPTIONAL FEATURES

• Support for DLP
• Granular Activity Auditing broken down by individual
• Segregation of duties based on identity entitlement
• Compliance-centric reporting

THREATS ADDRESSED

• Identity theft
• Unauthorized access
• Privilege escalation
• Insider threat
• Non-repudiation
• Excess privileges / excessive access
• Delegation of authorizations / entitlements
• Fraud

CHALLENGES

• Lack of standards and vendor lock-in
• Identity theft
• Unauthorized access
• Privilege escalation
• Insider threat
• Non-Repudiation
• Least privilege / need-to-know
• Segregation of administrative (provider) vs. end user (client) interface and access
• Delegation of authorizations/entitlements
• Attacks on Identity Services such as DDoS
• Eavesdropping on Identity Service messaging (Non-Repudiation)
• Password management (communication, retrieval): different requirements across clients
• Resource hogging with unauthorized provisioning
• Complete removal of identity information at the end of the life cycle
• Real-time provisioning and de-provisioning
• Lack of interoperable representation of entitlement information
• Dynamic trust propagation and development of trusted relationships among service providers
• Transparency: security measures must be available to the customers to gain their trust
• Developing a user centric access control where user requests to service providers are bundled with their identity and entitlement information
• Interoperability with existing IT systems and existing solutions with minimum changes
• Dynamically scale up and down; scale to hundreds of millions of transactions for millions of identities and thousands of connections in a reasonable time
• Privacy preservation across multiple tenants
• Multi-jurisdictional regulatory requirements

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud:
• CA Arcot Webfort
• CyberArk Software Privileged Identity Manager
• Novell Cloud Security Services
• ObjectSecurity OpenPMF (authorization policy automation, for private cloud only)
• Symplified

Non-Cloud:
• Novell Identity Manager
• Oracle Identity Manager
• Oracle Access Manager Suite

REFERENCES / ADDITIONAL RESOURCES

• https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
• CSA Silicon Valley cloud authorization policy automation presentation: http://www.objectsecurity.com/en-resources-video-20110208-webinar-79898734.htm (Alternate download: http://www.objectsecurity.com/en-contact-resources.html)


Category #2: Data Loss Prevention

Description: Data Loss Prevention is the monitoring, protecting, and verifying the security of data at rest, in motion and in use, both in the cloud and on-premises.

DLP services offer protection of data usually by running as some sort of client on desktops / servers and running rules around what can be done. Where these differ from broad rules like “No FTP” or “No uploads” to web sites, etc. is the level to which the services understand data. A few examples of policies you can specify are “No documents with numbers that look like credit cards can be emailed,” “Anything saved to USB storage is automatically encrypted and can only be unencrypted on another office owned machine with a correctly installed DLP client,” and “Only clients with functioning DLP software can open files from the fileserver.”

Within the cloud, DLP services could be offered as part of the build, such that all servers built for that client get the DLP software installed with an agreed set of rules deployed.

CORE FUNCTIONALITIES

• Data labeling and classification
• Identification of Sensitive Data
• Predefined policies for major regulatory statutes
• Context Detection Heuristics
• Structured Data Matching (data-at-rest)
• SQL regular expression detection
• Traffic Spanning (data-in-motion) detection
• Real Time User Awareness
• Security Level Assignment
• Custom Attribute Lookup
• Automated Incident Response
• Signing of Data
• Cryptographic data protection and access control
• Machine readable policy language
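As an added illustration (not code from the CSA document or any product it lists) of how a DLP rule understands data rather than merely blocking a channel, the following Python implements the “numbers that look like credit cards” policy above: it finds digit runs in an outbound message, keeps only those that pass the Luhn check (one way to reduce the false positives the document lists as a tuning challenge), and returns a block/allow verdict with masked findings. The message contents are constructed.

```python
"""DLP content-inspection rule for outbound email, modelled on the policy
"No documents with numbers that look like credit cards can be emailed".
Added example, not from the CSA document; sample messages are constructed."""
import re
from dataclasses import dataclass, field

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most random digit runs (reducing false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits so findings can be logged without the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list[str]:
    """Return masked candidates that pass the Luhn check."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


@dataclass
class Verdict:
    action: str                                   # "allow" or "block"
    findings: list[str] = field(default_factory=list)


def inspect_outbound_email(subject: str, body: str, attachments: dict[str, str]) -> Verdict:
    """Apply the rule to the subject, the body and attachments (already extracted to text)."""
    findings = []
    for part, content in [("subject", subject), ("body", body), *attachments.items()]:
        findings.extend(f"{part}: {masked}" for masked in find_card_numbers(content))
    return Verdict("block" if findings else "allow", findings)


if __name__ == "__main__":
    # Constructed message: the body carries a Luhn-valid test number,
    # the attachment a 16-digit run that fails the Luhn check.
    verdict = inspect_outbound_email(
        "Invoice", "Card 4111 1111 1111 1111 expires 12/25",
        {"notes.txt": "ref 1234567890123456"})
    print(verdict)
```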

Class: Preventative

SERVICES
Includes: Encryption, Meta-data tagging, Data Identification, Multi-lingual fingerprinting, Data leakage detection, Policy management and classification, Transparent data encryption, Policy controlled data access, storage and transportation, Dynamic data masking
Related Services: IAM

Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), ESG

Service Model: SaaS, PaaS

THREATS ADDRESSED

• Data loss/leakage
• Unauthorized access
• Malicious compromises of data integrity
• Data sovereignty issues
• Regulatory sanctions and fines

OPTIONAL FEATURES

• Rate domains
• Smart Response (integrated remediation workflow)
• Automated event escalation
• Automated false positive signature compensation
• Unstructured Data Matching
• File / directory integrity via hashing
• Integration with Intrusion Detection Systems
• Multiple Language Pack
• Data privacy
• Chain of evidence services to support investigations and prosecutions

CHALLENGES

• Data may be stolen from the datacenter virtually or even physically
• Data could be misused by the datacenter operator or other employees with access
• Compliance requires certifying the cloud stack at all levels repeatedly
• Data sovereignty issues reduce customer rights with regard to governments
• Encrypted Data
• Performance when analyzing and monitoring large / heavily accessed data sets
• False negatives / false positives (tuning)
• Rule base may be complex to manage
• Outside of ‘known’ items such as credit card numbers and social security numbers, data can only be classified with detailed input from the end user
• Lack of data classification standards
• Ensuring customer data segregation when multiple tenants are present

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud: BlueCoat, IBM, Imperva, Oracle, Reconnex, RSA, Symantec/Vontu, Websense, Zscaler
Non-Cloud: Digital Guardian, Palisade Systems PacketSure, Symantec Protection Suite Enterprise Edition

REFERENCES

• http://www.technewsworld.com/story/66562.html
• http://www.datalossbarometer.com/14945.htm
• http://community.websense.com/blogs/websense-media-coverage/archive/2010/07/20/channel-insider-websense-plans-to-tap-microsoft-channel-cloud-dlp-innovatin-in-the-present-and-future.aspx
• http://www.asiacloudforum.com/content/vmmare-embeds-rsa-dlp-virtual-environments
• http://searchsecuritychannel.techtarget.com/news/1374080/Partner-Engage-2009-VARs-dish-on-DLP-implementation-and-the-cloud
• http://infinite-identities.blogspot.com/2009/12/next-cloud-security-frontier-dlp-for.html


Category #3: Web Security

Description: Web Security is real-time protection offered either on-premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the cloud provider.

This provides an added layer of protection on top of things like AV to prevent malware from entering the enterprise via activities such as web browsing. Policy rules around the types of web access and the times this is acceptable can also be enforced via these technologies.

Class: Protective, detective, reactive

SERVICES
Includes: Email Server, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management, Anti-phishing
Related Services: Firewalls, Proxy, DLP, Email Security

Related Technologies and Standards: HTTP/HTTPS, RuleML, XML, PHP, anti-virus

Service Model: SaaS, PaaS

CSA Domains (v2.1): 5, 10

CORE FUNCTIONALITIES

• Web Filtering
• Malware, Spyware & Bot Network analyzer and blocking
• Phishing site blocker
• Instant Messaging Scanning
• Email Security
• Bandwidth management/traffic control
• Data Loss Prevention
• Fraud Prevention
• Web Access Control
• Backup
• SSL (decryption / hand off)
• Usage policy enforcement

THREATS ADDRESSED

• Keyloggers
• Domain Content
• Malware
• Spyware
• Bot Network
• Phishing
• Virus
• Bandwidth consumption
• Data Loss Prevention
• Spam

OPTIONAL FEATURES

• Rate domains
• Categorize websites by URL/IP address
• Rate sites by user requests
• Transparent updating of user mistakes
• Categorize and rate websites as needed
• Categorize websites for policy enforcement
• Recognize multiple languages
• Categorize top-level domains
• Block downloads with spoofed file extensions
• Strip potential spyware downloads from high-risk sites

CHALLENGES

• Constantly evolving threats
• Insider circumvention of web security
• Compromise of the web filtering service by proxy
• Potentially higher cost of real time monitoring
• Lack of features vs. premise based solutions
• Lack of policy granularity and reporting
• Relinquishing control
• Encrypted traffic

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud: BlueCoat, RSA, TrendMicro, Websense, zScaler
Non-Cloud: Barracuda, BlueCoat, Cisco, McAfee, Symantec, Watchguard

REFERENCES / ADDITIONAL RESOURCES

• http://www.technewsworld.com/story/66562.html
• BT case study: http://www.globalservices.bt.com/static/assets/pdf/case_studies/EN_NEW/edinburgh_cc_web_security_case_study.pdf
• W3C Web Security FAQ: http://www.w3.org/Security/Faq/
• OWASP: https://www.owasp.org/index.php/Main_Page


Category #4: Email Security

Description: Email Security should provide control over inbound and outbound email, thereby protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam, and providing business continuity options.

In addition, the solution should allow for policy-based encryption of emails, as well as integrating with various email server solutions.

Digital signatures enabling identification and non-repudiation are also features of many email security solutions.

Class: Protective, detective, reactive

SERVICES
Includes: Content security, Anti-virus/Anti-malware, Spam filtering, Email encryption, DLP for outbound email, Web mail, Anti-phishing
Related Services: DLP, Web Security, Business Continuity

Related Technologies and Standards: SMTP (ESMTP, SMTPS), IMAP, POP, MIME, S/MIME, PGP

Service Model: SaaS

CSA Domains (v2.1): 3, 5

CORE FUNCTIONALITIES

• Accurate filtering to block spam and phishing
• Deep protection against viruses and spyware before they enter the enterprise perimeter
• Flexible policies to define granular mail flow and encryption
• Rich, interactive and correlated real-time reporting
• Deep content scanning to enforce policies
• Option to encrypt some / all emails based on policy
• Integration with various email server solutions

THREATS ADDRESSED

• Phishing
• Intrusion
• Malware
• Spam
• Address spoofing

OPTIONAL FEATURES

• Secure archiving
• Web-mail interface
• Full integration with in-house identity system (LDAP, Active Directory, etc.)
• Mail encryption, signing & time-stamping
• Flexible integration
• Data Loss Prevention (DLP) for SMTP and webmail
• E-discovery
• Email system backup (e.g., stores mails on cloud provider infrastructure until customer systems are restored)
• IDS / IPS for the mail servers
• Digital signatures

CHALLENGES

• Portability
• Storage
• Use of unauthorized webmail for business purposes
• Management of logs and access to logs
• Ensuring no access to emails by cloud provider staff

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud:
• Barracuda Networks
• Gmail for Domains (Google Apps)
• McAfee
• Message Labs / Symantec Cloud
• Microsoft Cloud Services
• Postini (Google)
• TrendMicro
• Zscaler Email Security

Non-Cloud:
• Postini
• Symantec
• WebSense

REFERENCES / ADDITIONAL RESOURCES

• http://www.eweek.com/c/a/Messaging-and-Collaboration/SAAS-Email-From-Google-Microsoft-Proves-Cost-Effective-For-Up-to-15K-Seats/
• http://www.symanteccloud.com/datasheet/Technical_doc_Ext_Web_Global.pdf


Category #5: Security Assessment

Description: Security assessments are third-party audits of cloud services or assessments of on-premises systems via cloud-provided solutions based on industry standards.

Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO, and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model. In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administration overhead, and pay-per-use with low initial investments.

While not the focus of this effort, additional challenges arise when these tools are used to audit cloud environments. Multiple organizations, including the CSA, have been working on guidelines to help organizations understand the additional challenges:

• Virtualization awareness of the tool, frequently necessary for IaaS platform auditing
• Support for common web frameworks in PaaS applications
• Compliance Controls for IaaS, PaaS, and SaaS platforms
• Standardized questionnaires for XaaS environments, that help address:
  o What should be tested in a cloud environment?
  o How does one assure data isolation in a multi-tenant environment?
  o What should appear in a typical infrastructure vulnerability report? Is it acceptable to use results provided by the cloud provider?

Class: Detective

SERVICES
Includes: Internal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment
Related Services: Intrusion Management

Related Technologies and Standards: SCAP (FDCC), CVSS, CVE, CWE, SCAP, CYBEX

Service Model: SaaS, PaaS, IaaS

CSA Domains (v2.1): 2, 4

CORE FUNCTIONALITIES

• Governance: process by which policies are set and decision making is executed
• Risk Management: process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions
• Compliance: process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
• Technical Compliance Audits: automated auditing of configuration settings in devices, operating systems, databases, and applications
• Application Security Assessments: automated auditing of custom applications
• Vulnerability Assessments: automated probing of network devices, computers and applications for known vulnerabilities and configuration issues
• Penetration Testing: exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically requiring manual assistance
• Security / risk rating: assessment of the overall security / vulnerability of the systems being tested, e.g. based on the OWASP Risk Rating Methodology
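The security / risk rating functionality names the OWASP Risk Rating Methodology; the following Python is an added example (not from the CSA document) that carries that methodology through: eight likelihood and eight impact factors scored 0 to 9 are averaged, banded LOW/MEDIUM/HIGH, and combined in the OWASP overall-severity matrix. The factor values for the sample finding are constructed.

```python
"""Security / risk rating per the OWASP Risk Rating Methodology: likelihood and
impact factors scored 0-9, averaged, banded, and combined into an overall severity.
Added example, not from the CSA document; the sample finding's scores are constructed."""

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact factors
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact factors
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP overall risk severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors: dict, names: tuple) -> float:
    """Mean of the named factors; every factor must be present and within 0-9."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    bad = [n for n in names if not 0 <= factors[n] <= 9]
    if bad:
        raise ValueError(f"factors out of range 0-9: {bad}")
    return sum(factors[n] for n in names) / len(names)


def rate(finding: dict) -> dict:
    """Return likelihood and impact scores, their bands and the overall severity."""
    lik = average(finding["likelihood"], LIKELIHOOD_FACTORS)
    imp = average(finding["impact"], IMPACT_FACTORS)
    return {
        "likelihood": lik, "likelihood_level": level(lik),
        "impact": imp, "impact_level": level(imp),
        "severity": SEVERITY[(level(lik), level(imp))],
    }


# Constructed finding: an internet-facing flaw that is easy to find and exploit
# but whose technical and business impact is moderate.
SAMPLE_FINDING = {
    "likelihood": {"skill_level": 3, "motive": 4, "opportunity": 9, "size": 9,
                   "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
                   "intrusion_detection": 8},
    "impact": {"loss_of_confidentiality": 6, "loss_of_integrity": 3,
               "loss_of_availability": 1, "loss_of_accountability": 7,
               "financial_damage": 3, "reputation_damage": 4,
               "non_compliance": 5, "privacy_violation": 3},
}

if __name__ == "__main__":
    print(rate(SAMPLE_FINDING))
```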


REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud: Agiliance, Core Security, Modulo, Qualys, Veracode, WhiteHat
Non-Cloud: Agiliance, Archer, Cenzic, Core Security, eEye, HP, Immunity, Modulo, nCircle, Rapid7, Saint, Symantec, Tenable

THREATS ADDRESSED

• Inaccurate inventory
• Lack of continuous monitoring
• Lack of correlation information
• Lack of complete auditing
• Failure to meet/prove adherence to Regulatory/Standards Compliance
• Insecure / vulnerable configurations
• Insecure architectures
• Insecure processes / processes not being followed

OPTIONAL FEATURES

• SIEM Integration
• Physical security assessments

CHALLENGES

• Standards are on different maturity levels in the various sections
• Certification & Accreditation
• Boundary definition for any assessments
• Skills of tester(s) / assessors
• Accuracy
• Inconsistent ratings from different individuals / vendors
• Typically limited to known vulnerabilities

REFERENCES / ADDITIONAL RESOURCES

• CSA Guidance: https://cloudsecurityalliance.org/research/projects/
• https://cloudsecurityalliance.org/grcstack.html
• Gartner - GRC definition: http://blogs.gartner.com/french_caldwell/2010/01/12/we-come-to-kill-grc-not-to-praise-it/
• NIST (800-146): http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
• http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
• ENISA Information Assurance: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
• BSI Cornerstones Cloud Computing (in German): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktepapier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf
• CAMM: common-assurance.com
• http://objectsecurity-mds.blogspot.com/2009/06/model-driven-security-accreditation.html
• http://www.oceg.org/


Category #6: Intrusion Management

Description: Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop / prevent an intrusion.

The methods of intrusion detection, prevention, and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about the implementation of the same protection in cloud environments.

Examples of how cloud-based Intrusion Management could be offered include:

• Provided by the Cloud Service Provider
• Provided by a third-party (routing traffic through a SecaaS)
• Hybrid SaaS with third-party management and host-based or virtual appliances running in the cloud consumer's context

CORE FUNCTIONALITIES

General:
• Identification of intrusions and policy violations
• Automatic or manual remediation actions
• Coverage for: Workloads; Virtualization Layer (VMM/Hypervisor); Management Plane; Cloud and other APIs
• Updates to address new vulnerabilities, exploits and policies

Network Security (NBA, NIPS/NIDS or HIPS/HIDS using network):
• Deep Packet Inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic

System/Behavioral, one or more of:
• System Call Monitoring
• System/Application Log Inspection
• Integrity Monitoring of the OS (Files, Registry, Ports, Processes, Installed Software, etc.)
• Integrity Monitoring of the VMM/Hypervisor
• VM Image Repository Monitoring

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud:
• Alert Logic Threat Manager
• Arbor Peakflow X
• Check Point - Security Gateway Virtual Edition
• Cloudleverage Cloud IPS/firewall

Class: Detective, protective, reactive

SERVICES Includes: Packet Inspection, Detection, Prevention, IR Related Services: Web Security, Secure Cloud & Virtualization Security

Related Technologies and Standards: DPI, Event correlation and pattern recognition

Service Model: SaaS, PaaS, IaaS

CSA Domains (v2.1): 13

THREATS ADDRESSED

Intrusion Malware

Continued on the following page…

Copyright © 2011 Cloud Security Alliance 19

CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011

REFERENCE EXAMPLES Cloud Cymtec Scout eEye Digital Security Blink IBM Proventia McAfee - Host Intrusion

Prevention Sourcefire - 3D System StoneGate - Virtual IPS Symantec Critical System

Protection Symantec Endpoint Protection Trend Micro Deep Security Trend Micro Threat Detection

Appliance TrustNet iTrust SaaS Intrusion

Detection XO Enterprise Cloud Security

Non-Cloud AIDE CA-eTrust Intrusion Detection Check Point IPS Cerero - Top Layer IPS Cetacea Networks - OrcaFlow Cisco Guard / IPS Detector DeepNines - BBX e-Cop - Cyclops Enterasys - IPS HP S IPS Intrusion – SecureNet / Host iPolicy Juniper Networks IDP Lancope - StealthWatch McAfee - Network Intrusion

Prevention OSSEC Q1 Labs - QRadar Radware - DefensePro Samhain SoftSphere Technologies HIPS StillSecure - Strata Guard StoneGate - IPS Suricata Symantec Network Security

OPTIONAL FEATURES

Central Reporting SIEM Integration Administrator Notification Customization of policy (automatic or manual) Mapping to cloud-layer tenancy Cloud sourcing information to reduce false positives and

improve coverage Remote storage or transmission of integrity information, to

prevent local evasion

CHALLENGES

General Challenges: Proliferation of SSL required by deployment in public clouds

adds complexity or blocks visibility to network-based IDS/IPS Complexity and immaturity of Intrusion Management for APIs Lack of tools to manage instance-to-instance relationships Wire speed with full malware / attack coverage performance

not meeting expectations

Specific to Cloud Consumers: Current lack of virtual SPAN ports in public cloud providers

for typical deployment of NIDS or NBA Current lack of network-edge TAP interfaces for public cloud

and virtual private cloud for typical deployment of NIPS Inability to utilize hypervisor (vSwitch/vNIC) introspection Latency, resiliency and bandwidth concerns with proxying

network traffic through virtual appliances or 3rd party services Privacy concerns of service-based security Short lived instances (HIDS/HIPS logs can be lost) Performance limitations with network traffic in a shared

environment Ownership / managing access to monitoring equipment and

data

Specific to Cloud Service Providers: Policy management in a multi-tenant environment Policy management for application-layer multi-tenancy (SaaS,

some PaaS services such as Microsoft SQL Azure) Complexity of deployment and configuration

REFERENCES / ADDITIONAL RESOURCES

Cloud Security Alliance Guidance: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf NIST Guide to Intrusion Detection and Prevention Systems (IDPS):

http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf Intrusion Detection: http://en.wikipedia.org/wiki/Intrusion_detection_system Intrusion Prevention: http://en.wikipedia.org/wiki/Intrusion_prevention_system


Category #7: Security Information & Event Management (SIEM)

Description: Security Information and Event Management (SIEM) systems accept (via push or pull mechanisms) log and event information. This information is then correlated and analyzed to provide real-time reporting and alerting on incidents / events that may require intervention. The logs are likely to be kept in a manner that prevents tampering to enable their use as evidence in any investigations.

Class: Detective

SERVICES

Includes: Log management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Logs immutable (for legal investigations)
Related Services: Architectural considerations, Compliance reporting, Software inventory, Non-traditional correlation, Non-traditional monitoring, Database monitoring, Request fulfillment
Related Technologies and Standards: FIPS 140-2 compliant, Common Event Format (CEF), Common Event Expression (CEE), IF-MAP (TCG)
Service Model: SaaS, PaaS
CSA Domains (v2.1): 2, 3, 4, 5, 7, 9, 12

THREATS ADDRESSED

• Abuse and Nefarious Use
• Insecure Interfaces and APIs
• Malicious Insiders
• Shared Technology Issues
• Data Loss and Leakage
• Account or Service Hijacking
• Unknown Risk Profile
• Fraud

CORE FUNCTIONALITIES

• Real time log / event collection, de-duplication, normalization, aggregation and visualization
• Log normalization
• Real-time event correlation
• Forensics support
• Compliance reporting & support
• IR support
• Email anomaly detection
• Reporting
• Flexible data retention periods and policies (management, compliance policy management)

OPTIONAL FEATURES

• Heuristic controls
• Specialized systems
• Physical log monitoring
• Access control system monitoring
• Physical security integration (cameras, alarms, phone, etc.)
• Integration with call / ticketing system

CHALLENGES

• Standardization of log formats
• Timing lag caused by translations from native log formats
• Unwillingness of providers to share logs
• Scaling for high volumes
• Identification and visualization of key information
• Usable, segregated by client interface

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

AccelOps, AlienVault (OSSIM), ArcSight ESM, eIQnetworks, LogLogic, netForensics nFX One, Novell Cloud Security Services / E-Sentinel, OSSIM, Prelude-SIEM, Q1 Labs, Quest Software, RSA/EMC enVision, SenSage, SolarWinds Log and Event Manager, Splunk

REFERENCES

• http://www.darkreading.com/security-monitoring/167901086/security/security-management/228000206/cloud-creates-siem-blind-spot.html
• http://securecloudreview.com/2010/08/service-provider-of-tomorrow-part-9-as-the-cloud-thrives-siem-will-suffer/
• http://en.wikipedia.org/wiki/Security_information_and_event_management
• http://en.wikipedia.org/wiki/Security_event_manager
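The SIEM pipeline this category describes (normalization of native log formats into CEF, cross-source event correlation, and a tamper-evident log store) as an added Python example; it is not code from the Cloud Security Alliance or from any vendor listed above, and it also illustrates the Intrusion Management optional feature of keeping integrity information off-host so a local attacker cannot silently rewrite history. The sample log lines, the field names, the "SecaaS-example" product string and the chain's starting value are constructed assumptions.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample input: two native formats the SIEM must normalize.
RAW_LOGS = [
    "1300000000 web1 sshd[4242]: Failed password for root from 198.51.100.7",
    '{"time": 1300000012, "action": "StartInstance", "result": "denied", "sourceIp": "198.51.100.7", "principal": "svc-build"}',
    "1300000020 web2 sshd[5151]: Failed password for admin from 198.51.100.7",
    '{"time": 1300000030, "action": "ListBuckets", "result": "ok", "sourceIp": "203.0.113.9", "principal": "alice"}',
]
SYSLOG_RE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")
GENESIS = "0" * 64  # starting link of the hash chain (hypothetical constant)

def normalize(line):
    """Normalization: map one native line to a common field set."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"rt": int(m["ts"]), "vendor": "OpenSSH", "sig": "AUTH_FAIL", "name": "Failed password",
                "sev": 5, "src": m["src"], "suser": m["user"], "dhost": m["host"]}
    r = json.loads(line)  # constructed cloud-API audit record
    return {"rt": r["time"], "vendor": "CloudAPI", "sig": r["action"], "name": r["action"],
            "sev": 5 if r["result"] == "denied" else 2, "src": r["sourceIp"],
            "suser": r["principal"], "dhost": "api"}

def to_cef(e):
    """Render as CEF: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    ext = " ".join(f"{k}={e[k]}" for k in ("rt", "src", "suser", "dhost"))
    return f"CEF:0|{e['vendor']}|SecaaS-example|1.0|{e['sig']}|{e['name']}|{e['sev']}|{ext}"

def correlate(events, window=60, threshold=3):
    """Cross-source rule: threshold or more severity>=5 events from one src within window seconds."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["rt"]):
        if e["sev"] >= 5:
            by_src[e["src"]].append(e["rt"])
    return [src for src, t in by_src.items()
            if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))]

def append_chained(chain, line):
    """Tamper-evident store: each hash covers the previous one, so an edit or deletion
    breaks every later link. Returns the head hash, the value to keep off-host."""
    prev = chain[-1]["hash"] if chain else GENESIS
    h = hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest()
    chain.append({"line": line, "hash": h})
    return h

def verify_chain(chain, remote_head):
    """Recompute every link; the off-host head additionally catches tail truncation."""
    prev = GENESIS
    for rec in chain:
        prev = hashlib.sha256(f"{prev}\n{rec['line']}".encode()).hexdigest()
        if prev != rec["hash"]:
            return False
    return prev == remote_head
```

Feeding RAW_LOGS through normalize, correlate and append_chained flags 198.51.100.7 (three denied events within 20 seconds across SSH and the cloud API), and verify_chain rejects both an edited severity and a truncated chain.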


Category #8: Encryption

Description: Encryption is the process of obfuscating/encoding data (usually referred to as plain text) using cryptographic algorithms, the product of which is encrypted data (usually referred to as ciphertext). Only the intended recipient or system that is in possession of the correct key can decode (decrypt) this ciphertext. In the case of one-way cryptographic functions, a digest or hash is created instead.

Encryption systems typically consist of one or more algorithms that are computationally difficult (or infeasible) to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal, key exchange, etc. Each part is effectively useless without the other, e.g. the best algorithm is easy to “crack” if an attacker can access the keys due to weak processes.

Class: Protective

SERVICES

Includes: VPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption, digital signatures, Integrity validation
Related Services: VM Architecture, Hardware protection, Software-based protection, remote access validation
Related Technologies and Standards: FIPS 140-2, IPSEC, SSL, Hashing and algorithms, Symmetric and Asymmetric Cryptography
Service Model: PaaS, SaaS, IaaS
CSA Domains (v2.1): 11

THREATS ADDRESSED

• Failure to meet Regulatory Compliance requirements
• Mitigating insider and external threats to data
• Intercepted clear text network traffic
• Clear text data on stolen / disposed of hardware
• Reducing the risk of, and potentially enabling, cross-border business opportunities
• Reducing perceived risks and thus enabling cloud adoption by government

CORE FUNCTIONALITIES

• Data protection (at rest and in motion)
• Data validation
• Message Authentication
• Message/data integrity
• Data Time-stamping (digital notary)
• Identity validation (certificates to identify IT assets/endpoints)
• Code Signing
• Forgery detection
• Identity validation (digital signatures)
• Digital Fingerprinting
• Forensic protection (hashing of log files and evidence)
• Pseudorandom number generation
• Data Destruction (throw away the key!)
• Key/certificate generation and management

OPTIONAL FEATURES

• Searching encrypted data
• Sorting encrypted data
• Identity based encryption
• Data integrity
• Mechanism to ensure secure removal of customer data when term / contract terminated
• Identity assurance (e.g., the parties involved are who they claim to be)

CHALLENGES

• Risk of compromised keys
• Searching and/or sorting of encrypted data
• Separation of duties between data owners, administrators and cloud service providers
• Legal issues
• Federated trust between providers

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud: Credant, CipherCloud, enStratus, Novaho, PerspecSys, ProtectV, SecureCloud, SurePassID, Vormetric

Non-Cloud: Crypo.com, Sendinc

REFERENCES / ADDITIONAL RESOURCES

• http://www.eweek.com/c/a/Security/IBM-Uncovers-Encryption-Scheme-That-Could-Improve-Cloud-Security-Spam-Filtering-135413/
• https://cloudsecurityalliance.org/csaguide.pdf
• “Implementing and Developing Cloud Computing Applications” by David E.Y. Sarna
• http://www.ctoedge.com/content/new-approach-enteprise-data-security-tokenization
• http://arstechnica.com/tech-policy/news/2009/09/your-secrets-live-online-in-databases-of-ruin.ars
• CSA discussion forums: “The Illegality of Exporting Personal Data into the Cloud. Is the following Hypothesis the Answer? Does the following Hypothesis Handle the Objection?” http://www.linkedin.com/e/-njv39e-gmdp90wv-1m/vaq/23764306/1864210/36300812/view_disc/
• “IETF RFC 5246”. The Transport Layer Security (TLS) Protocol Version 1.2: http://tools.ietf.org/rfc/rfc5246.txt
• “SP 800-57 Recommendation for Key Management” NIST, January 2011: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf, http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf, http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
• “SP 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths” NIST, January 2011: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
• ISO/TR (2010). “ISO TR-14742:2010 Financial Services - Recommendations on Cryptographic Algorithms and their Use.” ISO.
• Ferguson, N., Schneier, B., and Kohno, T. (2010). “Cryptography Engineering: Design Principles and Practical Applications.” New York: John Wiley and Sons.


Category #9: Business Continuity and Disaster Recovery

Description: Business Continuity and Disaster Recovery are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions.

BCDR provides flexible and reliable failover for required services in the event of any service interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric BCDR makes use of the cloud’s flexibility to minimize cost and maximize benefits. For example, a tenant could make use of low specification guest machines to replicate applications and data to the cloud, but with the provision to quickly ramp up the CPU and RAM, etc. of these machines in a BCDR scenario.

Class: Reactive, Protective, Detective

SERVICES

Includes: File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. Databases)
Related Services: Fail-back to live systems, Encryption of data in transit, Encryption of data at rest, Field level encryption, Realm-based access control
Related Technologies and Standards: ISO/IEC 24762:2008, BS25999
Service Model: IaaS, SaaS
CSA Domains (v2.1): 7

THREATS ADDRESSED

• Natural disaster
• Fire
• Power outage
• Terrorism/sabotage
• Data corruption
• Data deletion
• Pandemic/biohazard

CORE FUNCTIONALITIES

• Flexible infrastructure
• Secure backup
• Monitored operations
• Third party service connectivity
• Replicated infrastructure components
• Replicated data (core / critical systems)
• Data and/or application recovery
• Alternate sites of operation
• Tested and measured processes and operations to ensure
• Geographically distributed data centers / infrastructure
• Network survivability

OPTIONAL FEATURES

• Support for BC and DR compliance monitoring and/or reporting or testing flexible infrastructure
• Authorized post disaster privileged account management
• Enable DR Policy management (incl. authorization management, role management, compliance management)

CHALLENGES

• Over-centralization of data
• Lack of approved and tested policies, processes, and procedures
• Legal constraints on transportation of data outside affected region
• Network connectivity failures
• Identification of Recovery Time Objectives / Recovery Point Objectives / SLAs
• Agreed definition between vendor and client of what DR / BCP means
• Security: data in multiple locations

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud: Atmos, Decco Digital, Parallels, Quantix, Rackspace

Non-Cloud: IBM, Iron Mountain, SunGard

REFERENCES / ADDITIONAL RESOURCES

• NIST SP 800-34
• ISO/IEC 27031
• http://en.wikipedia.org/wiki/Disaster_recovery
• http://www.silicon.com/management/cio-insights/2010/09/30/cloud-computing-is-it-ready-for-disaster-recovery-39746406/
• http://blogs.forrester.com/rachel_dines/11-08-29-disaster_recovery_meet_the_cloud
• http://www.usenix.org/event/hotcloud10/tech/full_papers/Wood.pdf


Category #10: Network Security

Description: Network Security consists of security services that allocate access, distribute, monitor, and protect the underlying resource services.

Architecturally, network security provides services that address security controls at the network in aggregate or specifically addressed at the individual network of each underlying resource.

In a cloud / virtual environment network security is likely to be provided by virtual devices alongside traditional physical devices. Tight integration with the hypervisor to ensure full visibility of all traffic on the virtual network layer is key.

Class: Detective, protective, reactive

SERVICES

Includes: Firewall (perimeter and server tier), Web application firewall, DDoS protection/mitigation, DLP, IR management, IDS / IPS
Related Services: Identity and Access Management, Data Loss Prevention, Web Security, Intrusion Management, Security Information and Event Management, and Encryption
Related Technologies and Standards:
Service Model: IaaS, SaaS, PaaS
CSA Domains (v2.1): 7, 8, 9, 10, 13

THREATS ADDRESSED

• Data Threats
• Access Control Threats
• Application Vulnerabilities
• Cloud Platform Threats
• Regulatory, Compliance & Law Enforcement

CORE FUNCTIONALITIES

• Access and Authentication controls
• Security Gateways (firewalls, WAF, SOA/API, VPN)
• Security Products (IDS/IPS, Server Tier Firewall, File Integrity Monitoring, DLP, Anti-Virus, Anti-Spam)
• Security Monitoring and IR
• DoS protection/mitigation
• Secure “base services” like DNS and/or DNSSEC, DHCP, NTP, RAS, OAuth, SNMP, Management network segmentation and security
• Traffic / netflow monitoring
• Integration with Hypervisor layer

OPTIONAL FEATURES

• Log correlation / Secure and Immutable Logging
• Secure data encryption at rest
• Performance monitoring of the network
• Real-time alerting
• Change Management

CHALLENGES

• Micro-borders (instead of traditional clearly defined network boundaries, the borders between tenant networks can be dynamic and potentially blurred in a large scale virtual / cloud environment)
• Virtual Segmentation of Physical Servers
• Limited visibility of inter-VM traffic
• Non-standard APIs
• Management of many virtual networks / VLANs in a complex environment, reliant on providers' policies and procedures
• Separation of production and non-production environments
• Logical and Virtual Segregation of Customer Network/Systems/Data

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud: CloudFlare, HP, IBM, Imperva - Incapsula, McAfee, Rackspace, Stonesoft, Symantec

Non-Cloud: HP, IBM, McAfee, Snort, Symantec

REFERENCES / ADDITIONAL RESOURCES

• CSA Intel Cloud Security Reference Architecture: http://software.intel.com/en-us/articles/Cloud-Security-Reference-Architecture-Guide/ and http://www.intel.com/content/dam/doc/reference-architecture/cloud-computing-enhanced-cloud-security-hytrust-vmware-architecture.pdf
• ENISA Cloud Computing Risk Assessment: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
