
Page 1: Losing Control to the Cloud

How to Gain Comfort in Using the Cloud

by Jason Falciola, GCIH, GAWN
Technical Account Manager, Northeast
October 20th 2010

Page 2: Losing Control to the Cloud

Agenda

- What perspective does Qualys bring to this discussion?
  − Security & Compliance Software as a Service (SaaS) provider since 1999
  − Continuously expanding platform to address evolving challenges
- Rapid Market and Technology Changes
- The Security & Compliance Conundrum
- Cloud Definition
- Cloud Questions
- Reliance on Existing Frameworks
- Tackling the Cloud
- Moving Forward
- Q&A

COMPANY CONFIDENTIAL

Page 3: Losing Control to the Cloud

Technology and Market Trends: Cloud Computing, a disruptive technology

- Accelerated industry consolidation
- Moving toward thin clients and a data-center-centric model
- Security moving into the infrastructure and toward cloud services

[Figure: Private Clouds, SaaS / PaaS / IaaS, Internet, QualysGuard Service]

Page 4: Losing Control to the Cloud

Survey Says… (Information Week)

“In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.”

-- Information Week
http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319

Page 5: Losing Control to the Cloud

Survey Says… (Gartner)

Key Findings:
- Sixty percent (60%) more survey respondents are willing to use software as a service (SaaS) for sensitive data than are willing to use traditional outsourcing.
- The questionnaire is the most common form of external party risk assessment, with half of the questionnaires based on industry-standard frameworks and the other half being organizationally unique.

Recommendations:
- Develop internal expertise on external risk assessment, and on the contractual clauses that address security, privacy, regulatory compliance, continuity and disaster recovery.
- Take an organized approach to SaaS and public cloud purchases, and build a team and processes to work with the business to address all security, compliance, integration and contractual needs so that a decision can be made on whether a potential seller can meet those requirements.

-- Gartner, “Assessment Practices for Cloud, SaaS and Partner Risks”, April 2010
http://www.gartner.com/DisplayDocument?doc_cd=175916


Page 7: Losing Control to the Cloud

Security & Compliance Conundrum: Having to address the new and old challenges

- New and multiplying attack vectors
- Authentication still an unresolved issue
- Security & compliance silos, fragmented tools & data
- Lack of enterprise/agency-wide visibility and policy enforcement

[Figure: Private Clouds; SaaS, PaaS/IaaS; Regulations, Industry Standards, Internal Policies: PCI, HIPAA, SOX, FISMA, NERC, FFIEC]


Page 9: Losing Control to the Cloud

What is the Cloud? Definition

Definition:

“The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”

– NIST Information Technology Laboratory

Page 10: Losing Control to the Cloud

What is the Cloud? Essentials

Five Essential Characteristics:

1. On-demand self-service – Ability to unilaterally provision computing capabilities
2. Broad network access – Available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms
3. Resource pooling – Resources are pooled to serve multiple consumers using a multi-tenant model (location independence)
4. Rapid elasticity – Capabilities can be rapidly and elastically provisioned and released
5. Measured service – Resource usage can be monitored, controlled and reported

Page 11: Losing Control to the Cloud

What is the Cloud? Service Models

Three Service Models:

1. Software as a Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security of the application and everything beneath it is provided by the cloud vendor; the customer still controls who is granted access and what data is placed in the service.
2. Platform as a Service (PaaS) – Developers build and manage their own custom applications on top of a platform provided by the cloud vendor. The vendor secures the platform; application and data security are managed by the cloud customer.
3. Infrastructure as a Service (IaaS) – Cloud vendor provides storage, networks, and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The cloud vendor protects the infrastructure, but operating systems, applications, and content are managed and secured by the cloud consumer.

Key Takeaway – The lower in the stack the cloud service provider's responsibility stops (SaaS, then PaaS, then IaaS), the more security capabilities and management the enterprise itself is responsible for.

Page 12: Losing Control to the Cloud

What is the Cloud? Deployment Models

Four Deployment Models:

1. Public: Made available to the general public or a large industry group, and owned by an organization selling cloud services.
2. Private: Operated solely for a single organization (or a group of organizations isolated from their peers). May be managed by the organization or a third party and may exist on-premise or off-premise.
3. Community: Shared by several organizations and supports a specific community that has shared concerns. May be managed by the organizations or a third party and may exist on-premise or off-premise.
4. Hybrid: Composed of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Page 13: Losing Control to the Cloud

What is the Cloud? Visual Definition


Page 15: Losing Control to the Cloud

Cloud Questions

- New technology combined with unproven vendors / service providers
- Innovative technology in the hands of the users
- Data leaving the perimeter
- Growing number of third parties requiring connectivity
- Direct validation of controls gives way to trust in the provider
- Transparency limited to what you know
- Challenging to report risk back to the business

Page 16: Losing Control to the Cloud

Critical Challenges for Security Professionals

[Figure: Security Program; Questionnaires, On-Site Review, Third Party; Security Budgets; Staffing/Resources; Reduce Confusion]

Page 17: Losing Control to the Cloud

Audit Activities and Costs

- Up to 5 person-days of work to complete
- Hotel
- Transportation
- Any corrective actions
- Hidden costs (e.g., required pen test, out-of-office work, regulatory)
- What would the average cost be?

Page 18: Losing Control to the Cloud

Multiple Reviews

[Figure: one Cloud User reviewing SaaS SP 1, SaaS SP 2, SaaS SP 3, SaaS SP 4, a PaaS SP and an IaaS SP, each separately]

- No standard
- Scalability
- After the fact
- Custom reviews

Page 19: Losing Control to the Cloud

S-P-I Framework

[Figure: stack of IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service); at the IaaS end “You build security in”, at the SaaS end “You ‘RFP’ security in”]

Source: http://www.cloudsecurityalliance.org


Page 21: Losing Control to the Cloud

Existing Frameworks in Use

- Security questionnaires
- On-site review
- ISO 27002
- SAS 70 Type II
- SysTrust
- PCI
- Third-party penetration test


Page 23: Losing Control to the Cloud

Available Resources for Cloud Users – NIST & ENISA

NIST
- Cloud Definition
- SCAP – Security Content Automation Protocol: http://scap.nist.gov
- Continuous Monitoring

ENISA
- Report: “Cloud Computing: Benefits, Risks and Recommendations for Information Security”
- http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

Page 24: Losing Control to the Cloud

Available Resources (cont’d) – Cloud Security Alliance (CSA)

Cloud Security Alliance
- CSA Guide
- Research Papers

Initiatives in Progress/Released
- CSA Guidance V2.1 – Released Dec 2009: http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
- CSA Top Threats Research – Released March 2010
- CSA Cloud Controls Matrix – Released April 2010
- Trusted Cloud Initiative – Release Q4 2010
- CSA Cloud Metrics Working Group
- Consensus Assessment Initiative

Page 25: Losing Control to the Cloud

Available Resources (cont’d) – CSA Guidance Research

Guidance > 100k downloads: cloudsecurityalliance.org/guidance

Cloud Architecture

Governing the Cloud:
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability

Operating in the Cloud:
- Security, Business Continuity, and Disaster Recovery
- Data Center Operations
- Incident Response, Notification, Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization

Page 26: Losing Control to the Cloud

Available Resources (cont’d) – CSA Cloud Controls Matrix Tool

- Controls derived from the guidance
- Rated as applicable to S-P-I
- Customer vs. provider role
- Mapped to ISO 27001, COBIT, PCI, HIPAA
- Helps bridge the gap for IT and IT auditors between existing controls and cloud controls

www.cloudsecurityalliance.org/cm.html

Page 27: Losing Control to the Cloud

Available Resources (cont’d) – CAMM, Shared Assessments

Common Assurance Maturity Model (CAMM)

Shared Assessments
- Target Data Tracker
- Standardized Information Gathering (SIG) questionnaire – Level I, Level II
- AUP – Agreed Upon Procedures
- Business Continuity questions, Privacy questions, other tools
- Mapped to ISO 27002:2005, COBIT 4.0 / 4.1, PCI 1.1 / 1.2, FFIEC

Page 28: Losing Control to the Cloud

Available Resources (cont’d) – Jericho Forum Cloud Cube Model

Page 29: Losing Control to the Cloud

Available Resources (cont’d) – Jericho Forum Self-Assessment

Page 30: Losing Control to the Cloud

Recommendation: Use a Proprietary, Blended Approach

[Figure: Proprietary, Blended Approach drawing on PCI, COBIT, ISO 27001, CAMM, ENISA, CSA]

- One size does not fit all
- Same, if not stronger, controls
- Reliance on periodic audits


Page 32: Losing Control to the Cloud

Moving Forward

- Collaborative effort amongst associations required
- Joint paper with CSA, CloudAudit/A6, ISACA, and ISF
- Hope to include NIST, PCI and BITS
- Cloud users will continue to use available resources for assessments

Page 33: Losing Control to the Cloud

Assessing Cloud Security: References

- CloudAudit / A6 (Automated Audit, Assertion, Assessment, and Assurance API) – now a project of CSA: http://www.cloudaudit.org
- Cloud Security Alliance (CSA): http://www.cloudsecurityalliance.org/
- Common Assurance Maturity Model: http://common-assurance.com/
- Jericho Forum: http://www.opengroup.org/jericho/
- Shared Assessments: http://www.sharedassessments.org/
- Qualys
  − http://www.qualys.com/efficient_ciso – Strategies for the Efficient CISO
  − http://www.qualys.com/products/qg_suite/malware_detection/ – Free tool
  − http://www.qualys.com/aurora – Research by iSec Partners

Page 34: Losing Control to the Cloud

QualysGuard Freemium Services: More than just “free” services – leverage the cloud

- www.qualys.com/stopmalware
- www.ssllabs.com
- https://browsercheck.qualys.com

Other freemium services in the making:
- Malware Research Portal
- HoneyNet Research Portal
- Automated Generation of IDS Signatures

https://community.qualys.com/docs/DOC-1351

Page 35: Losing Control to the Cloud

Thank You

Thanks! Q&A?

Jason Falciola, GCIH, GAWN jfalciola AT qualys.com

+1 973-464-5659

http://www.qualys.com