I gave a presentation about recent cloud security developments and how to risk assess a cloud provider at ISACA Scandinavian Conference yesterday. Thanks to Cloud Security Alliance for a lot of input.
Do you still think you can say no thanks to Web 2.0 and the cloud?
Neupart Isaca April 2012
1. Recent Cloud Security Developments
By Lars Neupart, founder of Neupart – The ERP of Security
2. Program
- Security Guidance
  - The new Security Guidance for Critical Areas of Focus in Cloud Computing?
- GRC Stack
  - GRCstack from Cloud Security Alliance - what it is, and how you can benefit from it.
- Cloud Vendor Risk Assessments
  - How To Perform Cloud Vendor Assessments
- CCSK
  - An individual certification: Certificate of Cloud Security Knowledge
3. CSA Security Guidance
- CSA = Cloud Security Alliance
- Version 3 has been released
- Provides practical direction for adopting the cloud paradigm safely and securely.
- Extends with use cases
- 14 Domains emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment.
4. CSA Guidance
- Section I: Cloud Architecture
- Section II: Governing in the Cloud
- Section III: Operating in the Cloud
7. S-P-I Framework
- SaaS (Software as a Service): you "RFP" security in
- PaaS (Platform as a Service) and IaaS (Infrastructure as a Service): you build security in
8. Section II. Governing in the Cloud
- Domain 2: Governance and Enterprise Risk Management
- Domain 3: Legal Issues: Contracts and Electronic Discovery
- Domain 4: Compliance and Audit Management
- Domain 5: Information Management and Data Security
- Domain 6: Interoperability and Portability
9. Section III. Operating in the Cloud
- Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
- Domain 8: Data Center Operations
- Domain 9: Incident Response
- Domain 10: Application Security
- Domain 11: Encryption and Key Management
- Domain 12: Identity, Entitlement, and Access Management
- Domain 13: Virtualization
- Domain 14: Security as a Service
10. CSA Guidance: Risk Based
- CSA Guidance recommends a risk based approach to control selection.
- Also offers a simple model
11. Visit the V.3 website at: https://cloudsecurityalliance.org/research/security-guidance/
12. ISO 27017
- Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
- Draft
13. GRCstack from CSA
- Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data.
- The shift to compute as a service presents new challenges across the spectrum of GRC requirements.
- To instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.
- A toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders
14. A look into the CSA Control Matrix
- https://cloudsecurityalliance.org/research/grc-stack/
16. Classic Risk Assessments: Asset Hierarchy
Business Impact values are inherited downward; Vulnerability values are inherited upward.
- Business process: Finance
- Applications: ERP (Dynamics AOS), Finance DB (SQL 01)
- Servers: Server 01 (HP DL380, Serial abc0987654321), Server 02 (HP DL380, Serial xyz1234567890)
- Location: Data Center A
17. Business Processes & IT Services
- Business Process 1, Business Process 2, Business Process 3
- IT Services (on premise), IT Services from vendor, e.g. cloud
- Business Impact Scores inherit downwards; Vulnerability Scores inherit upwards
- G R C
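The inheritance rules on slides 16 and 17 (business impact flows down the asset hierarchy to everything that supports a process, vulnerability flows up from the infrastructure to the processes that depend on it) can be computed directly. The following Python is an added example, not code from the presentation or from Neupart's SecureAware product. The asset names follow the slide, but the numeric impact and vulnerability values, which server hosts which system, and the extra vendor-hosted payroll service used to illustrate slide 17 are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                       # "process", "service", "server", "site"
    location: str = "on-premise"    # "cloud" for services delivered by a vendor
    impact: int = 0                 # own business-impact value, 1..5 (0 = not assigned)
    vulnerability: int = 0          # own vulnerability value, 1..5 (0 = not assigned)
    depends_on: list = field(default_factory=list)  # names of supporting assets


class AssetHierarchy:
    """Asset dependency graph with the two inheritance rules from the slides."""

    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        # Reverse edges: supporting asset -> the assets that depend on it.
        self.supports = {n: [] for n in self.assets}
        for a in assets:
            for child in a.depends_on:
                if child not in self.assets:
                    raise ValueError(f"{a.name} depends on unknown asset {child}")
                self.supports[child].append(a.name)
        self._check_acyclic()

    def _check_acyclic(self):
        # Inheritance is computed recursively, so a dependency cycle must be rejected.
        state = {}

        def visit(n):
            if state.get(n) == "active":
                raise ValueError(f"dependency cycle at {n}")
            if n in state:
                return
            state[n] = "active"
            for c in self.assets[n].depends_on:
                visit(c)
            state[n] = "done"

        for n in self.assets:
            visit(n)

    def effective_impact(self, name):
        # Inherited downward: an asset is at least as critical as the most
        # critical asset that depends on it.
        a = self.assets[name]
        inherited = [self.effective_impact(p) for p in self.supports[name]]
        return max([a.impact] + inherited)

    def effective_vulnerability(self, name):
        # Inherited upward: an asset is at least as exposed as the weakest
        # asset it depends on.
        a = self.assets[name]
        inherited = [self.effective_vulnerability(c) for c in a.depends_on]
        return max([a.vulnerability] + inherited)

    def risk(self, name):
        return self.effective_impact(name) * self.effective_vulnerability(name)

    def ranked(self):
        # Highest risk first, then by name, for prioritising control selection.
        return sorted(self.assets, key=lambda n: (-self.risk(n), n))


def is_well_formed(assets):
    """True if the asset list forms a valid, acyclic hierarchy."""
    try:
        AssetHierarchy(assets)
        return True
    except ValueError:
        return False


# Constructed example modelled on slide 16. The host assignment (ERP on
# Server 01, Finance DB on Server 02) and all scores are assumptions.
FINANCE_HIERARCHY = AssetHierarchy([
    Asset("Finance", "process", impact=5, depends_on=["ERP", "Finance DB"]),
    Asset("ERP", "service", depends_on=["Server 01"]),          # Dynamics AOS
    Asset("Finance DB", "service", depends_on=["Server 02"]),   # SQL 01
    Asset("Server 01", "server", vulnerability=2, depends_on=["Data Center A"]),
    Asset("Server 02", "server", vulnerability=4, depends_on=["Data Center A"]),
    Asset("Data Center A", "site", vulnerability=1),
    # Vendor-hosted service as on slide 17: none of our servers underneath it,
    # so its vulnerability value must come from the vendor assessment.
    Asset("Payroll SaaS", "service", location="cloud", vulnerability=3),
    Asset("HR", "process", impact=3, depends_on=["Payroll SaaS"]),
])

if __name__ == "__main__":
    for n in FINANCE_HIERARCHY.ranked():
        h = FINANCE_HIERARCHY
        print(f"{n:14} impact={h.effective_impact(n)} vuln={h.effective_vulnerability(n)} risk={h.risk(n)}")
```

Data Center A ends up with the full impact of the Finance process even though nobody assigned it one, and Finance inherits the vulnerability of Server 02, the weakest link beneath it; the cloud-hosted payroll service shows where the vendor's own control evidence has to replace the vulnerability score you would otherwise derive from your own servers.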
18. The good news:
- You can use well known risk management best practices (e.g. ISO 27001 & ISO 27005) also when assessing cloud applications
- …… with a few notable differences
19. Difference #1: CAI
- Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.
- Industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency.
- Part of GRC Stack
20. Link
- https://cloudsecurityalliance.org/research/cai/
21. Difference #2: STAR
- CSA Security, Trust & Assurance Registry (STAR)
- Free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
- Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices, the CAIQ or the CCM.
22. STAR Links
- Visit the CSA STAR website at: https://cloudsecurityalliance.org/star/
- CSA STAR faq: https://cloudsecurityalliance.org/star/faq/
- Ask STAR related Question at our CSA STAR Support Forum: http://www.linkedin.com/groups?home=&gid=4066598
- Watch the STAR briefing online: https://cloudsecurityalliance.org/education/online-learning/star-registry-briefing
25. Not all assets burn
- Recommendation: The threats you'll be assessing should depend on type of asset.
- Using Cloud Service providers gives you other threats than using own IT operations
29. In the cloud or on the ground:
- SecureAware assesses risks to your business, from own IT or from vendors – also in the cloud
- SecureAware is delivered as on-premise software or SaaS
36. ISACA Member offer
Learn about cloud security & prepare for your Certificate of Cloud Security Knowledge
Neupart is CSA training partner using CSA certified CCSK-instructors.
Oslo May 31
Copenhagen June 20
ISACA Member Discount kr. 500,-
Sign up before May 15 and May 31 respectively. Use code ISACA-Conf-Cph in comment field in sign up form at www.neupart.com
37. Meet Neupart Today
PLEASE GO TO THE NEUPART SPONSOR TABLE TO PICK UP YOUR CCSK TRAINING DISCOUNT CODE OR SEE A SECUREAWARE DEMO
About Neupart:
- ISO 27001 certified company.
- IT GRC all-in-one solution enables organizations to manage their IT risks and to comply with IT security requirements - Also in the Cloud!
- "The ERP of Security"
- Get SecureAware demo or free trial: www.neupart.com