CSA & GRC Stack

Page 1: CSA & GRC Stack

© 2011 Cloud Security Alliance, Inc. All rights reserved.

Cloud Security Alliance & GRC Stack

Materials by Cloud Security Alliance.org © & PCI in the Cloud training, created by SecurityWarrior LLC for Cloud Security Alliance, & Prof. Kai Hwang, University of Southern California

Presented to Triad ISSA, NC, January 26, 2012
Valdez Ladd, ISSA Raleigh, NC, 2012

Page 2: About the Cloud Security Alliance

• Global, not-for-profit organization
• Building best practices and a trusted cloud ecosystem
• Comprehensive research and tools
• Certificate of Cloud Security Knowledge (CCSK)
• www.cloudsecurityalliance.org

Page 3: Presentation Outline

• Introduction
  – What this class is about, prerequisites, how to benefit
• Cloud basics
• PCI DSS + cloud scenario as an example
• Cloud Security Alliance toolsets: Cloud Controls Matrix, Consensus Assessments, etc.
• Conclusions and action items

Page 4: Cloud?

Page 5: NIST Definition of Cloud Computing

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Page 6: 5 Essential Cloud Characteristics

1. On-demand self-service
2. Broad network access
3. Resource pooling
   – Location independence
4. Rapid elasticity
5. Measured service

Page 7: 3 Cloud Service Models

1. Cloud Software as a Service (SaaS)
   – Use the provider’s applications over a network
2. Cloud Platform as a Service (PaaS)
   – Deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS)
   – Rent processing, storage, network capacity, and other fundamental computing resources

To be considered “cloud”, they must be deployed on top of cloud infrastructure that has the essential characteristics.

Page 8: 4 Cloud Deployment Models

• Private cloud
  – Enterprise owned or leased
• Community cloud
  – Shared infrastructure for a specific community
• Public cloud <- our focus in this class!
  – Sold to the public, mega-scale infrastructure
• Hybrid cloud
  – Composition of two or more clouds


Page 10: 7 Common Cloud Characteristics

1. Massive scale
2. Homogeneity
3. Virtualization
4. Resilient computing
5. Low cost software
6. Geographic distribution
7. Service orientation

Page 11: All of this TOGETHER: The Cloud

(Figure: the cloud model as a stack of four layers; labels recovered below)

Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
Common Characteristics: Massive Scale, Homogeneity, Virtualization, Resilient Computing, Low Cost Software, Geographic Distribution, Service Orientation, Advanced Security

Page 12: Example IaaS // Amazon Cloud

• Amazon cloud components
  – Elastic Compute Cloud (EC2)
    • Run your own or Amazon’s OS “instances”
  – Simple Storage Service (S3)
  – SimpleDB
  – Other services

Page 13: Example PaaS // Google App Engine

• Create, deploy and run applications
• NO control (or, in fact, even visibility) of the OS
• Use the SDK to develop the applications
• Run “natively” in the cloud

Page 14: Example SaaS // Salesforce

• Well-known SaaS CRM application
• Cloud CRM + a lot more applications

Page 15: Example P/IaaS // Azure

Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das

Page 16: Service Model Architectures

(Figure: how each service model can be layered on cloud infrastructure; stacks recovered below, bottom to top)

Infrastructure as a Service (IaaS) architectures:
  Cloud Infrastructure → IaaS

Platform as a Service (PaaS) architectures:
  Cloud Infrastructure → PaaS
  Cloud Infrastructure → IaaS → PaaS

Software as a Service (SaaS) architectures:
  Cloud Infrastructure → SaaS
  Cloud Infrastructure → PaaS → SaaS
  Cloud Infrastructure → IaaS → PaaS → SaaS

Page 17: Security: Barrier to Adoption?

Page 18: What is Different about Cloud?

Page 19: Security Relevant Cloud Components

• Cloud Provisioning Services
• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security
• Elastic Elements: Storage, Processing, and Virtual Networks

Page 20: What is Different about Cloud?

Who owns each layer of the service, by service model:

Layer         SaaS       PaaS       IaaS
Data          Joint      Tenant     Tenant
Application   Joint      Joint      Tenant
Compute       Provider   Joint      Tenant
Storage       Provider   Provider   Joint
Network       Provider   Provider   Joint
Physical      Provider   Provider   Provider

Page 21: What is Different about Cloud? (figure only)

Page 22: What is Different about Cloud? (figure only)

Page 23: CSA Cloud “Threats”

1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile

Page 24: ENISA Cloud Computing Risk Assessment

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider

Page 25: Cloud “Threats” – Top 3

1. Authentication abuse
2. Operations breakdown
3. Misuse of cloud-specific technology

Page 26: FBI Takes Cloud Away

Page 27: While we are “in the cloud”

Here are some additional CSA/cloud security resources…

Page 28: CSA GRC Stack

Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.

(Figure labels: Control Requirements; Provider Assertions; Private, Community & Public Clouds)

Page 29: CSA CloudAudit

• Open standard and API to automate provider audit assertions
• Changes audit from data gathering to data analysis
• Necessary to provide audit & assurance at the scale demanded by cloud providers
• Uses the Cloud Controls Matrix as its controls namespace
• Use it to instrument the cloud for continuous controls monitoring

Page 30: CSA Cloud Controls Matrix

• Controls derived from guidance
• Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
• Rated as applicable to SaaS/PaaS/IaaS
• Customer vs Provider role
• Helps bridge the “cloud gap” for IT & IT auditors

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
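The three slides above describe the GRC Stack idea in words: control ownership is split between tenant and provider per service model, and provider assertions against a controls namespace are meant to be checked continuously rather than once. The following is an added example, not code from CSA, CloudAudit or the deck. It transcribes the ownership table from the "What is Different about Cloud?" slide and, for a chosen service model, sorts the provider's share of control into asserted, stale and missing layers. The Assertion records, the CTRL-* control labels, the dates and the 90-day freshness window are all constructed for illustration and are not real CCM identifiers or CloudAudit formats.

```python
"""Control-ownership gap check across cloud service models (added example).

The OWNERSHIP table transcribes the "What is Different about Cloud?" slide;
everything else (assertions, control labels, dates, freshness window) is
constructed for illustration and is not a real CCM ID or CloudAudit format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Who owns each layer under each service model (from the slide).
OWNERSHIP: dict[str, dict[str, str]] = {
    "Data":        {"SaaS": "Joint",    "PaaS": "Tenant",   "IaaS": "Tenant"},
    "Application": {"SaaS": "Joint",    "PaaS": "Joint",    "IaaS": "Tenant"},
    "Compute":     {"SaaS": "Provider", "PaaS": "Joint",    "IaaS": "Tenant"},
    "Storage":     {"SaaS": "Provider", "PaaS": "Provider", "IaaS": "Joint"},
    "Network":     {"SaaS": "Provider", "PaaS": "Provider", "IaaS": "Joint"},
    "Physical":    {"SaaS": "Provider", "PaaS": "Provider", "IaaS": "Provider"},
}
MODELS = ("SaaS", "PaaS", "IaaS")


@dataclass(frozen=True)
class Assertion:
    """A provider's statement that a control over one layer is in place.

    `control` is a constructed label standing in for an ID from a controls
    namespace such as the CCM; `as_of` is when the evidence was last produced.
    """
    layer: str
    control: str
    as_of: date


def provider_share(model: str) -> set[str]:
    """Layers the provider owns wholly or jointly under `model`."""
    return {layer for layer, owners in OWNERSHIP.items()
            if owners[model] in ("Provider", "Joint")}


def tenant_share(model: str) -> set[str]:
    """Layers the tenant owns wholly or jointly under `model`."""
    return {layer for layer, owners in OWNERSHIP.items()
            if owners[model] in ("Tenant", "Joint")}


def assess(model: str, assertions: list[Assertion], today: date,
           max_age_days: int = 90) -> dict[str, list[str]]:
    """Split the provider's share of control into asserted, stale and missing.

    An assertion only counts while its evidence is younger than `max_age_days`
    (an assumed window); older evidence is reported as stale, which is what
    turns a one-time attestation into a continuous-monitoring check. A layer
    with both a fresh and a stale assertion counts as fresh.
    """
    if model not in MODELS:
        raise ValueError(f"unknown service model: {model!r}")
    cutoff = today - timedelta(days=max_age_days)
    fresh = {a.layer for a in assertions if a.as_of >= cutoff}
    stale = {a.layer for a in assertions if a.as_of < cutoff} - fresh
    needed = provider_share(model)
    return {
        "tenant_must_control": sorted(tenant_share(model)),
        "provider_asserted": sorted(needed & fresh),
        "provider_stale": sorted(needed & stale),
        "provider_gap": sorted(needed - fresh - stale),
    }


# Constructed sample: the provider asserted four layers; the storage evidence
# dates from the previous June and has aged out of a 90-day window.
SAMPLE_ASSERTIONS = [
    Assertion("Physical", "CTRL-PHYS-01", date(2012, 1, 10)),
    Assertion("Network", "CTRL-NET-01", date(2012, 1, 10)),
    Assertion("Storage", "CTRL-STOR-01", date(2011, 6, 1)),
    Assertion("Compute", "CTRL-COMP-01", date(2012, 1, 10)),
]
TODAY = date(2012, 1, 26)   # the presentation date, used as "now"

if __name__ == "__main__":
    for model in MODELS:
        print(model, assess(model, SAMPLE_ASSERTIONS, TODAY))
```

Running it shows why the same set of provider assertions reads differently per model: under SaaS the jointly owned Data and Application layers have no assertion at all, so they appear as gaps the tenant must chase, while under IaaS those layers are the tenant's alone and the only finding is the stale Storage evidence.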

Page 31: Next?

Page 32: Thanks for Your Review!

Acknowledgement to Dr. Anton Chuvakin, SecurityWarrior LLC for Cloud Security Alliance, Cloud Security Alliance.org

Materials by Cloud Security Alliance.org © & PCI in the Cloud training, created by
for Triad ISSA, NC, January 26, 2012

Valdez Ladd, ISSA Raleigh, NC, 2011
