Governing in the Cloud

Rolf Frydenberg, Joymount AS, Senior Advisor

February 9, 2011

Presentation to the CSA Norway members on February 9th, 2011.

Page 1: Governing in the Cloud

Governing in the Cloud

Rolf Frydenberg

Joymount AS, Senior Advisor

February 9, 2011

Page 2: Governing in the Cloud

Cloud Security Alliance, Norway Chapter

Agenda

• Cloud Security Alliance – general and Norway
• CSA Cloud Security Guidance
• NIST Cloud Definition Framework
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Other CSA Domains – Operations
• Cloud Controls Matrix
• CSA GRC Stack

Page 3: Governing in the Cloud


About the Cloud Security Alliance

• Global, not-for-profit organization
• Over 16,000 individual members, 80 corporate members
• Building best practices and a trusted cloud ecosystem
• Agile philosophy, rapid development of applied research
• GRC: Balance compliance with risk management
• Reference models: build using existing standards
• Identity: a key foundation of a functioning cloud economy
• Champion interoperability
• Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 4: Governing in the Cloud


What We Did in 2010

• Threat Research: Top Threats to Cloud Computing; announced at RSA 2010, shared technology vulnerabilities, data loss/leakage, malicious insiders, insecure APIs, etc.

• Certificate of Cloud Security Knowledge; released Sep 1 2010, web-based test for competency in CSA Guidance

• Trusted Cloud Initiative; Cloud security reference architecture, secure and interoperable identity in the cloud, responsibilities for identity providers

• Cloud Controls Matrix Tool; 98 controls derived from guidance, mapped to ISO 27001, COBIT, PCI DSS, HIPAA

• Consensus Assessment Initiative; research tool and processes to assess cloud providers, V 1 released Oct 2010 with 140 provider questions

• Cloud Audit; Open standard and API to automate provider audit assertions, uses CCM, www.cloudaudit.org

• CSA GRC Stack; suite of tools, best practices, enabling technology, simplify GRC in the cloud

Page 5: Governing in the Cloud


Plans for 2011

• CSA Guidance Research; V3 target for Q3 2011; best practices

• CSA GRC Stack; Expand, pilot projects, embed in providers and products

• Trusted Cloud Initiative; Release reference architecture and certifications

• CloudCERT; Consensus research, best practices

• CCSK; Role-specific training, hands-on lab

• CCM; V 2 target 1H 2011; increase mappings, fine tune controls, ISO engagement

• Cloud Metrics Research; Metrics for each of the 98 controls in CCM; create baseline capability

• Security as a Service; Define it, solution categories, guidance, align with other CSA research

Page 6: Governing in the Cloud


CSA Norway Chapter

• Established in October 2010
• 80 individual members (Feb 2011)
• Board of six directors elected Oct 2010:
  • Rolf Frydenberg, Joymount (president)
  • Geir-Arild Engh Hellesvik, KPMG (secretary)
  • Lars Egil Sætrang, Promon (treasurer)
  • Helge Skrivervik, Team Mellvik
  • Tor Andre Breivikås, Teleplan
  • Chunming Rong, University of Stavanger

• First Members’ Meeting in December 2010 (Private vs Public Cloud)

• Second Members’ Meeting in February 2011 (Compliance in the Cloud)

• Co-op seminar planned with Dataforeningen (Norwegian Computing Society)

Page 7: Governing in the Cloud


CSA Guidance Research

CSA Guidance 2.1 (> 100k downloads): cloudsecurityalliance.org/guidance

Governing the Cloud:

• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability

Operating in the Cloud:

• Security, Business Continuity, and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization

Cloud Architecture (the architectural framework domain underlying both groups)

Page 8: Governing in the Cloud

Cloud Reference Architecture (According to NIST)

Page 9: Governing in the Cloud


Governance and Enterprise Risk Management

• Develop robust information security guidance regardless of the service or delivery model

• Review information security governance structures and processes, as well as security controls; include the vendor’s complete supply chain!

• Collaborative governance and risk management as part of development, deployment and operation of services

• Methods and metrics for measuring performance and effectiveness of security management

• Determine risk exposure before detailed requirements

• Risk management through valuation of assets and identification of threats and vulnerabilities; management acceptance of risk levels and options (control, avoid, transfer, accept)

• Cloud vendors should include measures and controls to assist customers in their Risk Management

Page 10: Governing in the Cloud


Legal and Electronic Discovery

• Mutual understanding of each other’s roles and responsibilities related to e-discovery, litigation, searches, etc.

• Plan for both expected and unexpected termination of agreement

• Agreement must allow customer and/or third party to monitor service provider’s performance and test for vulnerabilities

• In many cases there is a requirement to know – down to physical disk – where data is stored

• Customer must ensure it retains ownership of all data it stores on behalf of its customers and employees

Page 11: Governing in the Cloud


Compliance and Audit

• The provider’s standard terms and conditions may not address your compliance needs

• Make sure you have the right and access capabilities to perform audits

• Determine whether you are subject to compliance regulations with specific Cloud Computing requirements

• Analyze the impact of regulations regarding data security on use of Cloud Computing

• Require that the cloud provider has at least a roadmap for ISO/IEC 27001 compliance

• CSA has called for the whole industry to be ISO/IEC 27002 compliant

• When selecting an external auditor, ensure they have Cloud Computing knowledge and experience

Page 12: Governing in the Cloud


Information Lifecycle Management

• Understand how data integrity is maintained and how compromise of integrity is detected and communicated

• Ensure specific identification of all controls used during the lifecycle of the data

• Understand the circumstances under which storage can be seized by a third party or government entity, and require advance notification of any such action

• Use a “Default Deny All” policy for all data, applied to all cloud provider personnel and subcontractors, as well as third parties; it is often preferable to apply it to your own employees as well

• Identify trust boundaries throughout the IT architecture and abstraction layers

• Understand how encryption and key management are handled on multi-tenant storage and other multi-tenant components of the service

Page 13: Governing in the Cloud


Portability and Interoperability

• Substituting cloud providers is in virtually all cases a negative transaction for at least one party; plan for this from the outset

• Document the security architecture, configuration and controls

• IaaS: Understand how virtual machine images can be captured and ported; identify and eliminate provider-specific extensions to VM environment

• PaaS: Use platform components with standard syntax, open APIs and open standards; understand how tools and services like backup/restore, monitoring, logging and audit would transfer to a new vendor

• SaaS: Perform regular data extractions to a format that is usable without the current SaaS provider; Understand any custom tools that are developed and configured specially

Page 14: Governing in the Cloud


Other CSA Domains: Operations

• Security, Business Continuity, Disaster Recovery

• Data Center Operations

• Incident Response, Notification, Remediation

• Application Security

• Encryption and Key Management

• Identity and Access Management

• Virtualization

Page 15: Governing in the Cloud


Cloud Controls Matrix Tool

• Controls derived from guidance

• Rated as applicable to S-P-I (SaaS, PaaS, IaaS)

• Customer vs Provider role

• Mapped to ISO 27001, COBIT, PCI, HIPAA

• Help bridge the gap for IT & IT auditors

Page 16: Governing in the Cloud


CSA GRC Stack

• Recent news: the CSA GRC Stack on your USB drive

• Suite of tools, best practices and enabling technology

• Consolidate industry research & simplify GRC in the cloud

• For cloud providers, enterprises, solution providers and audit/compliance

www.cloudsecurityalliance.org/grcstack

[Diagram: Control Requirements, Provider Assertions, Private & Public Clouds]

Page 17: Governing in the Cloud

Thanks for listening!

Rolf Frydenberg, [email protected]

CSA Norway & Joymount AS