1. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Cloud Security
Alliance &
GRC Stack
Materials by Cloud Security Alliance.org ©
& PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance ,
& Prof. Kai Hwang, University of Southern California
Presented to Triad ISSA, NC January 26, 2012
Valdez Ladd, ISSA Raleigh, NC 2012
1

2. © 2011 Cloud Security Alliance, Inc. All rights reserved.
About the Cloud Security Alliance
Global, not-for-profit organization
Building best practices and a trusted cloud
ecosystem
Comprehensive research and tools
Certificate of Cloud Security Knowledge (CCSK)
www.cloudsecurityalliance.org
2

3. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Presentation Outline
Introduction
What this class is about, prerequisites, how to benefit
Cloud basics
PCI DSS + cloud scenario for example
Cloud Security Alliance toolsets: Control Matrix,
Consensus Assessments, etc.,
Conclusions and action items
3

4. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Cloud?
4

5. © 2011 Cloud Security Alliance, Inc. All rights reserved.
NIST Definition of Cloud Computing
“Cloud computing is a model for
enabling convenient, on-demand
network access to a shared pool of
configurable computing resources
that can be rapidly provisioned and
released with minimal management
effort or service provider interaction. “
55

6. © 2011 Cloud Security Alliance, Inc. All rights reserved.
5 Essential Cloud
Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling
– Location independence
4. Rapid elasticity
5. Measured service
66

7. © 2011 Cloud Security Alliance, Inc. All rights reserved.
3 Cloud Service Models
1. Cloud Software as a Service (SaaS)
– Use provider’s applications over a network
2. Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, and other
fundamental computing resources
To be considered “cloud” they must be deployed on
top of cloud infrastructure that has the essential
characteristics
7

8. © 2011 Cloud Security Alliance, Inc. All rights reserved.
4 Cloud Deployment Models
Private cloud
Enterprise owned or leased
Community cloud
Shared infrastructure for specific community
Public cloud <- our focus in this class!
Sold to the public, mega-scale infrastructure
Hybrid cloud
Composition of two or more clouds
88

9. © 2011 Cloud Security Alliance, Inc. All rights reserved.

10. © 2011 Cloud Security Alliance, Inc. All rights reserved.
7 Common Cloud
Characteristics
1. Massive scale
2. Homogeneity
3. Virtualization
4. Resilient computing
5. Low cost software
6. Geographic distribution
7. Service orientation
10

11. © 2011 Cloud Security Alliance, Inc. All rights reserved.
All of this TOGETHER: The Cloud
Community
Cloud
Private
Cloud
Public Cloud
Hybrid Clouds
Deployment
Models
Service
Models
Essential
Characteristics
Common
Characteristics
Software as a
Service (SaaS)
Platform as a
Service (PaaS)
Infrastructure as a
Service (IaaS)
Resource Pooling
Broad Network Access Rapid Elasticity
Measured Service
On Demand Self-Service
Low Cost Software
Virtualization Service Orientation
Advanced Security
Homogeneity
Massive Scale Resilient Computing
Geographic Distribution
1111

12. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Example IaaS//
Amazon Cloud
Amazon cloud components
– Elastic Compute Cloud (EC2)
• Run your own or Amazon’s OS “instances”
– Simple Storage Service (S3)
– SimpleDB
– Other services
1212

13. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Example PaaS//
Google App Engine
Create, deploy and run applications
NO control (or, in fact, even visibility) of OS
Use SDK to
develop the
applications
Run “natively”
in the cloud
13

14. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Example SaaS//
Salesforce
Well-known SaaS CRM application
Cloud CRM + a lot more applications
1414

15. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Example P/IaaS //
Azure
Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
1515

16. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Service Model Architectures
Cloud Infrastructure
IaaS
PaaS
SaaS
Infrastructure as a Service (IaaS)
Architectures
Platform as a Service (PaaS)
Architectures
Software as a Service
(SaaS)
Architectures
Cloud Infrastructure
SaaS
Cloud Infrastructure
PaaS
SaaS
Cloud Infrastructure
IaaS
PaaS
Cloud Infrastructure
PaaS
Cloud Infrastructure
IaaS
1616

17. © 2011 Cloud Security Alliance, Inc. All rights reserved.
18
Security: Barrier to Adoption?

18. © 2011 Cloud Security Alliance, Inc. All rights reserved.
19
What is Different about Cloud?

19. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Security Relevant Cloud
Components
Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter Security
Elastic Elements: Storage, Processing, and
Virtual Networks
2020

20. © 2011 Cloud Security Alliance, Inc. All rights reserved.
21
What is Different about Cloud?
SERVICE OWNER SaaS PaaS IaaS
Data Joint Tenant Tenant
Application Joint Joint Tenant
Compute Provider Joint Tenant
Storage Provider Provider Joint
Network Provider Provider Joint
Physical Provider Provider Provider

21. © 2011 Cloud Security Alliance, Inc. All rights reserved.
22
What is Different about Cloud?

22. © 2011 Cloud Security Alliance, Inc. All rights reserved.
23
What is Different about Cloud?

23. © 2011 Cloud Security Alliance, Inc. All rights reserved.
CSA Cloud “Threats”
1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile
24

24. © 2011 Cloud Security Alliance, Inc. All rights reserved.
ENISA Cloud Computing Risk
Assessment
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider
25

25. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Cloud “Threats” – Top 3
1. Authentication abuse
2. Operations breakdown
3. Misuse of cloud-specific technology
26

26. © 2011 Cloud Security Alliance, Inc. All rights reserved.
FBI Takes Cloud Away
27

27. © 2011 Cloud Security Alliance, Inc. All rights reserved.
While we are “in the cloud”
Here are some additional
CSA/cloud security resources…
28

28. © 2011 Cloud Security Alliance, Inc. All rights reserved.
CSA GRC Stack
Bringing it all together to peel back the
layers of control ownership and
address concerns for trusted Cloud
adoption.
29
Control
Requirements
Provider
Assertions
Private,
Community &
Public Clouds

29. © 2011 Cloud Security Alliance, Inc. All rights reserved.
CSA CloudAudit
Open standard and API to automate
provider audit assertions
Change audit from data gathering to data analysis
Necessary to provide audit & assurance at the
scale demanded by cloud providers
Uses Cloud Controls Matrix as controls namespace
Use to instrument cloud for continuous controls
monitoring
30

30. © 2011 Cloud Security Alliance, Inc. All rights reserved.
CSA Cloud Controls Matrix
31
Controls derived from
guidance
Mapped to familiar
frameworks: ISO 27001,
COBIT, PCI, HIPAA
Rated as applicable to
SaaS/PaaS/IaaS
Customer vs Provider role
Help bridge the “cloud gap”
for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

31. © 2011 Cloud Security Alliance, Inc. All rights reserved.
32
Next?

32. © 2011 Cloud Security Alliance, Inc. All rights reserved.
Thanks for Your Review!
Acknowledgement to Dr. Anton Chuvakin,
SecurityWarrior LLC for Cloud Security Alliance, Cloud Security
Alliance.org,
Materials by Cloud Security Alliance.org ©
& PCI in the cloud training, created by
for Triad ISSA, NC
January 26, 2012
Valdez Ladd, ISSA Raleigh, NC 2011
33

33. © 2011 Cloud Security Alliance, Inc. All rights reserved.
34