The document discusses how to gain comfort using cloud computing. It begins by defining key cloud concepts like deployment models, service models, and characteristics from NIST. It then addresses common questions around security and compliance in the cloud. Existing frameworks are discussed for assessing cloud providers, but they are not standardized and don't scale well. Resources from NIST, ENISA, and the Cloud Security Alliance can help, such as cloud security guidance and continuous monitoring tools. Overall the document provides context around cloud definitions and outlines challenges in securing the cloud while identifying available guidance materials.
How to Gain Comfort Using Cloud Services
1. How to Gain Comfort in Using the Cloud
by Jason Falciola, GCIH, GAWN
Technical Account Manager, Northeast
October 20th 2010
2. Agenda
What Perspective does Qualys bring to this discussion?
− Security & Compliance Software as a Service (SaaS) provider since 1999
− Continuously expanding platform to address evolving challenges
Rapid Market and Technology Changes
The Security & Compliance Conundrum
Cloud Definition
Cloud Questions
Reliance on Existing Frameworks
Tackling the Cloud
Moving Forward
Q&A
COMPANY CONFIDENTIAL
3. Technology and Market Trends
[Figure: layered diagram of Private Clouds, SaaS, PaaS, IaaS and the Internet, with the QualysGuard Service delivered from the cloud]
Cloud computing is a disruptive technology
Accelerated industry consolidation
Moving toward thin clients and a data-center-centric model
Security moving into the infrastructure and toward cloud services
4. Survey Says… (Information Week)
“In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.”
-- Information Week
http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319
5. Survey Says… (Gartner)
Key Findings:
• Sixty percent (60%) more survey respondents are willing to use software as a service (SaaS) for sensitive data than are willing to use traditional outsourcing.
• The questionnaire is the most common form of external party risk assessment, with half of the questionnaires based on industry-standard frameworks and the other half being organizationally unique.
Recommendations:
• Develop internal expertise on external risk assessment, and on the contractual clauses that address security, privacy, regulatory compliance, continuity and disaster recovery.
• Take an organized approach to SaaS and public cloud purchases, and build a team and processes to work with the business to address all security, compliance, integration and contractual needs so that a decision can be made on whether a potential seller can meet those requirements.
-- Gartner, “Assessment Practices for Cloud, SaaS and Partner Risks”, April 2010
http://www.gartner.com/DisplayDocument?doc_cd=175916
6. Agenda
7. Security & Compliance Conundrum
Having to address the new and old challenges
New and multiplying attack vectors
Authentication still an unresolved issue
Security & compliance silos, fragmented tools & data
Lack of enterprise/agency-wide visibility and policy enforcement
[Figure: Private Clouds, SaaS and PaaS/IaaS set against the regulations, industry standards and internal policies that apply to them: PCI, HIPAA, SOX, FISMA, NERC, FFIEC]
8. Agenda
9. What is the Cloud? Definition
Definition: “The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” – NIST Information Technology Laboratory
10. What is the Cloud? Essentials
Five Essential Characteristics:
1. On-demand self-service – Ability to unilaterally provision computing capabilities
2. Broad network access – Available over the network and accessed through standard mechanisms that promote heterogeneous thin or thick client platforms
3. Resource pooling – Resources are pooled to serve multiple consumers using a multi-tenant model (location independence)
4. Rapid elasticity – Capabilities can be rapidly and elastically provisioned
5. Measured service – Resource usage can be monitored, controlled and reported
11. What is the Cloud? Service Models
Three Service Models
1. Software as a Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security provided by cloud vendor.
2. Platform as a Service (PaaS) – Developers build and manage their own custom applications on top of a platform provided by the cloud vendor. Application and data security managed by cloud customer.
3. Infrastructure as a Service (IaaS) – Cloud vendor provides storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. Cloud vendor protects infrastructure, but operating systems, applications, and content are managed and secured by the cloud consumer.
Key Takeaway – The lower down the stack the cloud service provider goes, the more security capabilities and management enterprises are responsible for.
12. What is the Cloud? Deployment Models
Four Deployment Models
1. Public: Made available to the general public or a large industry group and is owned by an organization selling cloud services.
2. Private: Operated solely for a single organization or group of organizations, isolated among peers. May be managed by the organization or a third party and may exist on-premise or off-premise.
3. Community: Shared by several organizations and supports a specific community that has shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise.
4. Hybrid: Composed of two or more clouds (Private, Community, or Public) that remain unique, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
14. Agenda
15. Cloud Questions
New technology combined with unproven vendors / service providers
Innovative technology in the hands of the users
Data leaving the perimeter
Growing number of third parties requiring connectivity
Control validation changes to trust
Transparency limited to what you know
Challenging to report risk back to the business
16. Critical Challenges for Security Professionals
[Figure: the security program surrounded by the demands competing for it]
Security Program
Questionnaires
On-Site Review
Third Party
Security Budgets
Staffing/Resources
Reduce Confusion
17. Audit Activities and Costs
Up to 5 man-days of work to complete
Hotel
Transportation
Any corrective actions
Hidden costs (e.g., required pen test, out-of-office work, regulatory)
What would the average cost be?
18. Multiple Reviews
[Figure: one Cloud User facing reviews of four SaaS service providers (SaaS SP 1–4), which in turn build on an IaaS SP and a PaaS SP that would also need review]
No standard
Scalability
After the fact
Custom reviews
19. S-P-I Framework
[Figure: the S-P-I stack from IaaS at the bottom to SaaS at the top]
IaaS – Infrastructure as a Service: you build security in
PaaS – Platform as a Service
SaaS – Software as a Service: you “RFP” security in
Source: http://www.cloudsecurityalliance.org
20. Agenda
21. Existing Frameworks in Use
Security Questionnaires
On-Site Review
ISO 27002
SAS-70 Type II
SysTrust
PCI
Third Party Penetration Test
22. Agenda
23. Available Resources for Cloud Users – NIST & ENISA
NIST
− Cloud Definition
− SCAP – Security Content Automation Protocol: http://scap.nist.gov
− Continuous Monitoring
ENISA
− Report: “Cloud Computing: Benefits, Risks and Recommendations for Information Security”
− http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
24. Available Resources (cont’d) – Cloud Security Alliance (CSA)
Cloud Security Alliance
− CSA Guide
− Research Papers
Initiatives in Progress/Released
− CSA Guidance V2.1 – Released Dec 2009: http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
− CSA Top Threats Research – Released March 2010
− CSA Cloud Controls Matrix – Released April 2010
− Trusted Cloud Initiative – Release Q4 2010
− CSA Cloud Metrics Working Group
− Consensus Assessment Initiative
25. Available Resources (cont’d) – CSA Guidance Research
Guidance > 100k downloads: cloudsecurityalliance.org/guidance
Governing the Cloud:
− Governance and Enterprise Risk Management
− Legal and Electronic Discovery
− Compliance and Audit
− Information Lifecycle Management
− Portability and Interoperability
Operating in the Cloud:
− Security, Business Continuity, and Disaster Recovery
− Data Center Operations
− Incident Response, Notification, Remediation
− Application Security
− Encryption and Key Management
− Identity and Access Management
− Virtualization
Cloud Architecture
26. Available Resources (cont’d) – CSA Cloud Controls Matrix Tool
Controls derived from guidance
Rated as applicable to S-P-I
Customer vs provider role
Mapped to ISO 27001, COBIT, PCI, HIPAA
Helps bridge the gap for IT & IT auditors between existing controls and cloud controls
www.cloudsecurityalliance.org/cm.html
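A controls matrix of this shape (each control rated per S-P-I model, assigned to the customer or the provider, and mapped to frameworks) is easiest to reason about as data you can query. The following added example is not the deck's, Qualys's or CSA's code: it models a six-control register with constructed ids (EX-xx) and constructed framework labels, not real CCM controls or real ISO/PCI/HIPAA clause numbers. It also illustrates the slide 11 takeaway that the customer's share of controls grows from SaaS to IaaS, and framework_gap separates the references the customer must close itself from the ones it must obtain provider evidence for.

```python
"""Added example: a miniature Cloud Controls Matrix-style register used to work
out which controls a cloud customer still owns under each service model and
where a compliance framework is left uncovered. Control ids (EX-xx), their
wording and the framework references are constructed placeholders, not the
real CSA matrix or real ISO/PCI/HIPAA clause numbers."""
from dataclasses import dataclass

SERVICE_MODELS = ("SaaS", "PaaS", "IaaS")


@dataclass(frozen=True)
class Control:
    cid: str                   # constructed placeholder id
    title: str
    applies_to: frozenset      # service models (S-P-I) the control is rated applicable to
    customer_owned: frozenset  # service models in which the customer, not the provider, owns it
    mappings: frozenset        # constructed framework references, "<framework>:<topic>"


CONTROLS = [
    Control("EX-01", "Physical access to data center", frozenset(SERVICE_MODELS), frozenset(),
            frozenset({"ISO27001:Physical", "PCI:Physical"})),
    Control("EX-02", "Hypervisor hardening", frozenset({"PaaS", "IaaS"}), frozenset(),
            frozenset({"ISO27001:Operations"})),
    Control("EX-03", "Guest OS patching", frozenset({"IaaS"}), frozenset({"IaaS"}),
            frozenset({"PCI:Patching"})),
    Control("EX-04", "Application vulnerability testing", frozenset(SERVICE_MODELS),
            frozenset({"PaaS", "IaaS"}), frozenset({"PCI:AppTesting"})),
    Control("EX-05", "Data encryption and key custody", frozenset(SERVICE_MODELS),
            frozenset({"PaaS", "IaaS"}), frozenset({"PCI:Encryption", "HIPAA:Encryption"})),
    Control("EX-06", "User identity and access management", frozenset(SERVICE_MODELS),
            frozenset(SERVICE_MODELS), frozenset({"ISO27001:AccessControl", "HIPAA:AccessControl"})),
]


def applicable(model):
    """Controls rated applicable to the given service model."""
    return [c for c in CONTROLS if model in c.applies_to]


def customer_controls(model):
    """Control ids the customer must implement itself under this service model."""
    return sorted(c.cid for c in applicable(model) if model in c.customer_owned)


def provider_controls(model):
    """Control ids the provider owns; the customer can only ask for evidence of them."""
    return sorted(c.cid for c in applicable(model) if model not in c.customer_owned)


def framework_gap(model, framework, provider_attested):
    """Split one framework's references into what the customer must close itself and what
    it must still obtain evidence for from the provider (controls whose ids are not in
    provider_attested, e.g. not covered by the provider's audit report or questionnaire)."""
    close_yourself, ask_provider = set(), set()
    for c in applicable(model):
        refs = {r for r in c.mappings if r.startswith(framework + ":")}
        if not refs:
            continue
        if model in c.customer_owned:
            close_yourself |= refs
        elif c.cid not in provider_attested:
            ask_provider |= refs
    return {"close_yourself": sorted(close_yourself), "ask_provider": sorted(ask_provider)}


if __name__ == "__main__":
    for model in SERVICE_MODELS:
        print(model, "customer owns", customer_controls(model), "provider owns", provider_controls(model))
    # Provider evidence in hand covers only the physical-security control.
    print("SaaS PCI gap:", framework_gap("SaaS", "PCI", {"EX-01"}))
    print("IaaS PCI gap:", framework_gap("IaaS", "PCI", {"EX-01"}))
```

With the same provider evidence in hand, the PCI gap under SaaS is entirely a list of things to ask the provider about (you "RFP" security in), while under IaaS the same references land on the customer's own to-do list (you build security in); the matrix makes that shift explicit per control rather than leaving it to the questionnaire author's judgement.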
27. Available Resources (cont’d) – CAMM, Shared Assessments
Common Assurance Maturity Model (CAMM)
Shared Assessments
− Target Data Tracker
− Self Information Gathering (SIG) – Level I, Level II
− AUP – Agreed Upon Procedures
− Business Continuity Questions, Privacy Questions, Other tools
− Mapped to ISO 27002:2005, COBIT 4.0 / 4.1, PCI 1.1 / 1.2, FFIEC
30. Recommendation: Use a Proprietary, Blended Approach
[Figure: inputs feeding the proprietary, blended approach: PCI, COBIT, ISO 27001, CAMM, ENISA, CSA]
One size does not fit all
Same if not stronger controls
Reliance on periodic audits
31. Agenda
32. Moving Forward
Collaborative effort amongst associations required
Joint paper with CSA, CloudAudit/A6, ISACA, and ISF
Hope to include NIST, PCI and BITS
Cloud users will continue to use available resources for assessments
33. Assessing Cloud Security: References
CloudAudit / A6 (Automated Audit, Assertion, Assessment, and Assurance API) – Now a project of CSA
− http://www.cloudaudit.org
Cloud Security Alliance – CSA
− http://www.cloudsecurityalliance.org/
Common Assurance Maturity Model
− http://common-assurance.com/
Jericho Forum
− http://www.opengroup.org/jericho/
Shared Assessments
− http://www.sharedassessments.org/
Qualys
− http://www.qualys.com/efficient_ciso – Strategies for the Efficient CISO
− http://www.qualys.com/products/qg_suite/malware_detection/ – Free Tool
− http://www.qualys.com/aurora – Research by iSec Partners
34. QualysGuard Freemium Services
More than just “free” services – leverage the cloud
www.qualys.com/stopmalware
www.ssllabs.com
https://browsercheck.qualys.com
Other Freemium services in the making:
Malware Research Portal
HoneyNet Research Portal
Automated Generation of IDS Signatures
https://community.qualys.com/docs/DOC-1351