SlideShare una empresa de Scribd logo

CSA & GRC Stack

CloudSecurityAllianceAustralia
CloudSecurityAllianceAustralia

Cloud Security Alliance

TecnologíaEmpresariales
1 de 33
Descargar para leer sin conexión
© 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud Security Alliance & GRC Stack Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance , & Prof. Kai Hwang, University of Southern California Presented to Triad ISSA, NC January 26, 2012 Valdez Ladd, ISSA Raleigh, NC 2012 1
© 2011 Cloud Security Alliance, Inc. All rights reserved. About the Cloud Security Alliance Global, not-for-profit organization Building best practices and a trusted cloud ecosystem Comprehensive research and tools Certificate of Cloud Security Knowledge (CCSK) www.cloudsecurityalliance.org 2
© 2011 Cloud Security Alliance, Inc. All rights reserved. Presentation Outline Introduction What this class is about, prerequisites, how to benefit Cloud basics PCI DSS + cloud scenario for example Cloud Security Alliance toolsets: Control Matrix, Consensus Assessments, etc., Conclusions and action items 3
© 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud? 4
© 2011 Cloud Security Alliance, Inc. All rights reserved. NIST Definition of Cloud Computing “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. “ 55
© 2011 Cloud Security Alliance, Inc. All rights reserved. 5 Essential Cloud Characteristics 1. On-demand self-service 2. Broad network access 3. Resource pooling – Location independence 4. Rapid elasticity 5. Measured service 66
© 2011 Cloud Security Alliance, Inc. All rights reserved. 3 Cloud Service Models 1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network 2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud 3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics 7
© 2011 Cloud Security Alliance, Inc. All rights reserved. 4 Cloud Deployment Models Private cloud Enterprise owned or leased Community cloud Shared infrastructure for specific community Public cloud <- our focus in this class! Sold to the public, mega-scale infrastructure Hybrid cloud Composition of two or more clouds 88
© 2011 Cloud Security Alliance, Inc. All rights reserved.
© 2011 Cloud Security Alliance, Inc. All rights reserved. 7 Common Cloud Characteristics 1. Massive scale 2. Homogeneity 3. Virtualization 4. Resilient computing 5. Low cost software 6. Geographic distribution 7. Service orientation 10
© 2011 Cloud Security Alliance, Inc. All rights reserved. All of this TOGETHER: The Cloud Community Cloud Private Cloud Public Cloud Hybrid Clouds Deployment Models Service Models Essential Characteristics Common Characteristics Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Resource Pooling Broad Network Access Rapid Elasticity Measured Service On Demand Self-Service Low Cost Software Virtualization Service Orientation Advanced Security Homogeneity Massive Scale Resilient Computing Geographic Distribution 1111
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example IaaS// Amazon Cloud Amazon cloud components – Elastic Compute Cloud (EC2) • Run your own or Amazon’s OS “instances” – Simple Storage Service (S3) – SimpleDB – Other services 1212
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example PaaS// Google App Engine Create, deploy and run applications NO control (or, in fact, even visibility) of OS Use SDK to develop the applications Run “natively” in the cloud 13
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example SaaS// Salesforce Well-known SaaS CRM application Cloud CRM + a lot more applications 1414
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example P/IaaS // Azure Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 1515
© 2011 Cloud Security Alliance, Inc. All rights reserved. Service Model Architectures Cloud Infrastructure IaaS PaaS SaaS Infrastructure as a Service (IaaS) Architectures Platform as a Service (PaaS) Architectures Software as a Service (SaaS) Architectures Cloud Infrastructure SaaS Cloud Infrastructure PaaS SaaS Cloud Infrastructure IaaS PaaS Cloud Infrastructure PaaS Cloud Infrastructure IaaS 1616
© 2011 Cloud Security Alliance, Inc. All rights reserved. 18 Security: Barrier to Adoption?
© 2011 Cloud Security Alliance, Inc. All rights reserved. 19 What is Different about Cloud?
© 2011 Cloud Security Alliance, Inc. All rights reserved. Security Relevant Cloud Components Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elastic Elements: Storage, Processing, and Virtual Networks 2020
© 2011 Cloud Security Alliance, Inc. All rights reserved. 21 What is Different about Cloud? SERVICE OWNER SaaS PaaS IaaS Data Joint Tenant Tenant Application Joint Joint Tenant Compute Provider Joint Tenant Storage Provider Provider Joint Network Provider Provider Joint Physical Provider Provider Provider
© 2011 Cloud Security Alliance, Inc. All rights reserved. 22 What is Different about Cloud?
© 2011 Cloud Security Alliance, Inc. All rights reserved. 23 What is Different about Cloud?
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud “Threats” 1. Abuse & Nefarious Use of Cloud Computing 2. Insecure Interfaces & APIs 3. Malicious Insiders 4. Shared Technology Issues 5. Data Loss or Leakage 6. Account or Service Hijacking 7. Unknown Risk Profile 24
© 2011 Cloud Security Alliance, Inc. All rights reserved. ENISA Cloud Computing Risk Assessment http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment 1. Loss of governance 2. Lock-in 3. Isolation failure 4. Compliance risks 5. Management interface compromise 6. Data protection 7. Insecure or incomplete data deletion 8. Malicious insider 25
© 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud “Threats” – Top 3 1. Authentication abuse 2. Operations breakdown 3. Misuse of cloud-specific technology 26
© 2011 Cloud Security Alliance, Inc. All rights reserved. FBI Takes Cloud Away 27
© 2011 Cloud Security Alliance, Inc. All rights reserved. While we are “in the cloud” Here are some additional CSA/cloud security resources… 28
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA GRC Stack Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption. 29 Control Requirements Provider Assertions Private, Community & Public Clouds
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA CloudAudit Open standard and API to automate provider audit assertions Change audit from data gathering to data analysis Necessary to provide audit & assurance at the scale demanded by cloud providers Uses Cloud Controls Matrix as controls namespace Use to instrument cloud for continuous controls monitoring 30
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud Controls Matrix 31 Controls derived from guidance Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA Rated as applicable to SaaS/PaaS/IaaS Customer vs Provider role Help bridge the “cloud gap” for IT & IT auditors https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
© 2011 Cloud Security Alliance, Inc. All rights reserved. 32 Next?
© 2011 Cloud Security Alliance, Inc. All rights reserved. Thanks for Your Review! Acknowledgement to Dr. Anton Chuvakin, SecurityWarrior LLC for Cloud Security Alliance, Cloud Security Alliance.org, Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by for Triad ISSA, NC January 26, 2012 Valdez Ladd, ISSA Raleigh, NC 2011 33
© 2011 Cloud Security Alliance, Inc. All rights reserved. 34

Recomendados

Democratizing IT Automation in a Multi-Cloud World
Democratizing IT Automation in a Multi-Cloud WorldDemocratizing IT Automation in a Multi-Cloud World
Democratizing IT Automation in a Multi-Cloud World
Enterprise Management Associates
 
CSA Security Guidance Cloud Computing v3.0
CSA Security Guidance Cloud Computing v3.0CSA Security Guidance Cloud Computing v3.0
CSA Security Guidance Cloud Computing v3.0
CloudSecurityAllianceAustralia
 
Cloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesCloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing Capabilities
SusanneT
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
Aleem Mohammed
 
Global Mandate to Secure Cloud Computing
Global Mandate to Secure Cloud ComputingGlobal Mandate to Secure Cloud Computing
Global Mandate to Secure Cloud Computing
CloudSecurityAllianceAustralia
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
Raj Sarode
 
Cloud security
Cloud security Cloud security
Cloud security
Mohamed Shalash
 
Cloud Security 101 by Madhav Chablani
Cloud Security 101 by Madhav ChablaniCloud Security 101 by Madhav Chablani
Cloud Security 101 by Madhav Chablani
OWASP Delhi
 

Recomendados

Democratizing IT Automation in a Multi-Cloud World
Democratizing IT Automation in a Multi-Cloud WorldDemocratizing IT Automation in a Multi-Cloud World
Democratizing IT Automation in a Multi-Cloud World
Enterprise Management Associates
 
CSA Security Guidance Cloud Computing v3.0
CSA Security Guidance Cloud Computing v3.0CSA Security Guidance Cloud Computing v3.0
CSA Security Guidance Cloud Computing v3.0
CloudSecurityAllianceAustralia
 
Cloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesCloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing Capabilities
SusanneT
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issues
Aleem Mohammed
 
Global Mandate to Secure Cloud Computing
Global Mandate to Secure Cloud ComputingGlobal Mandate to Secure Cloud Computing
Global Mandate to Secure Cloud Computing
CloudSecurityAllianceAustralia
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
Raj Sarode
 
Cloud security
Cloud security Cloud security
Cloud security
Mohamed Shalash
 
Cloud Security 101 by Madhav Chablani
Cloud Security 101 by Madhav ChablaniCloud Security 101 by Madhav Chablani
Cloud Security 101 by Madhav Chablani
OWASP Delhi
 
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak
 
4.5.cloud security
4.5.cloud security4.5.cloud security
4.5.cloud security
DrRajapraveenkN
 
Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”
Vivek Maurya
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security Concerns
Kannan Subbiah
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
أحلام انصارى
 
Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?
RapidScale
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
Scalar Decisions
 
Scaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityScaling the Cloud - Cloud Security
Scaling the Cloud - Cloud Security
Bill Burns
 
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
Glenn Ambler
 
Evaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing EnvironmentsEvaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing Environments
ijfcstjournal
 
Introduction to Cloud Computing and Security
Introduction to Cloud Computing and SecurityIntroduction to Cloud Computing and Security
Introduction to Cloud Computing and Security
Oran Epelbaum
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New Perspective
Wen-Pai Lu
 
Microsoft Private Cloud Strategy
Microsoft Private Cloud StrategyMicrosoft Private Cloud Strategy
Microsoft Private Cloud Strategy
Amit Gatenyo
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
AWS User Group Bengaluru
 
DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?
Activo Consulting
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overview
Peter HJ van Eijk
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")
Vic Winkler
 
Cloud Services: Types of Cloud
Cloud Services: Types of CloudCloud Services: Types of Cloud
Cloud Services: Types of Cloud
Dr. Sunil Kr. Pandey
 
Security & Privacy In Cloud Computing
Security & Privacy In Cloud ComputingSecurity & Privacy In Cloud Computing
Security & Privacy In Cloud Computing
saurabh soni
 
Cloud Computing Security Issues
Cloud Computing Security Issues Cloud Computing Security Issues
Cloud Computing Security Issues
Discover Cloud Computing
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
Valdez Ladd MBA, CISSP, CISA,
 
5787355.ppt
5787355.ppt5787355.ppt
5787355.ppt
ahmad21315
 

Más contenido relacionado

La actualidad más candente

Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak
 
Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”
Vivek Maurya
 
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
Glenn Ambler
 
Microsoft Private Cloud Strategy
Microsoft Private Cloud StrategyMicrosoft Private Cloud Strategy
Microsoft Private Cloud Strategy
Amit Gatenyo
 

La actualidad más candente (20)

Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
 
4.5.cloud security
4.5.cloud security4.5.cloud security
4.5.cloud security
 
Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security Concerns
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
 
Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
 
Scaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityScaling the Cloud - Cloud Security
Scaling the Cloud - Cloud Security
 
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
 
Evaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing EnvironmentsEvaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing Environments
 
Introduction to Cloud Computing and Security
Introduction to Cloud Computing and SecurityIntroduction to Cloud Computing and Security
Introduction to Cloud Computing and Security
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New Perspective
 
Microsoft Private Cloud Strategy
Microsoft Private Cloud StrategyMicrosoft Private Cloud Strategy
Microsoft Private Cloud Strategy
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overview
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")
 
Cloud Services: Types of Cloud
Cloud Services: Types of CloudCloud Services: Types of Cloud
Cloud Services: Types of Cloud
 
Security & Privacy In Cloud Computing
Security & Privacy In Cloud ComputingSecurity & Privacy In Cloud Computing
Security & Privacy In Cloud Computing
 
Cloud Computing Security Issues
Cloud Computing Security Issues Cloud Computing Security Issues
Cloud Computing Security Issues
 

Similar a CSA & GRC Stack

Effectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing ParadigmEffectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing Paradigm
fanc1985
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
patmisasi
 
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Bill Annibell
 
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
TT L
 
Securing Your CI Pipeline with HashiCorp Vault - P2
Securing Your CI Pipeline with HashiCorp Vault - P2Securing Your CI Pipeline with HashiCorp Vault - P2
Securing Your CI Pipeline with HashiCorp Vault - P2
Ashnikbiz
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC ReportMcAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
Iftikhar Ali Iqbal
 

Similar a CSA & GRC Stack (20)

Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
5787355.ppt
5787355.ppt5787355.ppt
5787355.ppt
 
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsCSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
 
CCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaCCSK, cloud security framework, Indonesia
CCSK, cloud security framework, Indonesia
 
Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09
 
Effectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing ParadigmEffectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing Paradigm
 
3245224.ppt
3245224.ppt3245224.ppt
3245224.ppt
 
Oracle Cloud Computing Strategy
Oracle Cloud Computing StrategyOracle Cloud Computing Strategy
Oracle Cloud Computing Strategy
 
Gitex journey to the cloud
Gitex journey to the cloudGitex journey to the cloud
Gitex journey to the cloud
 
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Security Building Blocks of the IBM Cloud Computing Reference ArchitectureSecurity Building Blocks of the IBM Cloud Computing Reference Architecture
Security Building Blocks of the IBM Cloud Computing Reference Architecture
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
 
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
 
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspective
 
Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5
 
Securing Your CI Pipeline with HashiCorp Vault - P2
Securing Your CI Pipeline with HashiCorp Vault - P2Securing Your CI Pipeline with HashiCorp Vault - P2
Securing Your CI Pipeline with HashiCorp Vault - P2
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
A Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data in CloudA Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC ReportMcAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
 
Implementing security groups in open stack
Implementing security groups in open stackImplementing security groups in open stack
Implementing security groups in open stack
 

Último

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

CSA & GRC Stack

  • 1. © 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud Security Alliance & GRC Stack Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance , & Prof. Kai Hwang, University of Southern California Presented to Triad ISSA, NC January 26, 2012 Valdez Ladd, ISSA Raleigh, NC 2012 1
  • 2. © 2011 Cloud Security Alliance, Inc. All rights reserved. About the Cloud Security Alliance Global, not-for-profit organization Building best practices and a trusted cloud ecosystem Comprehensive research and tools Certificate of Cloud Security Knowledge (CCSK) www.cloudsecurityalliance.org 2
  • 3. © 2011 Cloud Security Alliance, Inc. All rights reserved. Presentation Outline Introduction What this class is about, prerequisites, how to benefit Cloud basics PCI DSS + cloud scenario for example Cloud Security Alliance toolsets: Control Matrix, Consensus Assessments, etc., Conclusions and action items 3
  • 4. © 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud? 4
  • 5. © 2011 Cloud Security Alliance, Inc. All rights reserved. NIST Definition of Cloud Computing “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. “ 55
  • 6. © 2011 Cloud Security Alliance, Inc. All rights reserved. 5 Essential Cloud Characteristics 1. On-demand self-service 2. Broad network access 3. Resource pooling – Location independence 4. Rapid elasticity 5. Measured service 66
  • 7. © 2011 Cloud Security Alliance, Inc. All rights reserved. 3 Cloud Service Models 1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network 2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud 3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics 7
  • 8. © 2011 Cloud Security Alliance, Inc. All rights reserved. 4 Cloud Deployment Models Private cloud Enterprise owned or leased Community cloud Shared infrastructure for specific community Public cloud <- our focus in this class! Sold to the public, mega-scale infrastructure Hybrid cloud Composition of two or more clouds 88
  • 9. © 2011 Cloud Security Alliance, Inc. All rights reserved.
  • 10. © 2011 Cloud Security Alliance, Inc. All rights reserved. 7 Common Cloud Characteristics 1. Massive scale 2. Homogeneity 3. Virtualization 4. Resilient computing 5. Low cost software 6. Geographic distribution 7. Service orientation 10
  • 11. © 2011 Cloud Security Alliance, Inc. All rights reserved. All of this TOGETHER: The Cloud Community Cloud Private Cloud Public Cloud Hybrid Clouds Deployment Models Service Models Essential Characteristics Common Characteristics Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Resource Pooling Broad Network Access Rapid Elasticity Measured Service On Demand Self-Service Low Cost Software Virtualization Service Orientation Advanced Security Homogeneity Massive Scale Resilient Computing Geographic Distribution 1111
  • 12. © 2011 Cloud Security Alliance, Inc. All rights reserved. Example IaaS// Amazon Cloud Amazon cloud components – Elastic Compute Cloud (EC2) • Run your own or Amazon’s OS “instances” – Simple Storage Service (S3) – SimpleDB – Other services 1212
  • 13. © 2011 Cloud Security Alliance, Inc. All rights reserved. Example PaaS// Google App Engine Create, deploy and run applications NO control (or, in fact, even visibility) of OS Use SDK to develop the applications Run “natively” in the cloud 13
  • 14. © 2011 Cloud Security Alliance, Inc. All rights reserved. Example SaaS// Salesforce Well-known SaaS CRM application Cloud CRM + a lot more applications 1414
  • 15. © 2011 Cloud Security Alliance, Inc. All rights reserved. Example P/IaaS // Azure Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 1515
  • 16. © 2011 Cloud Security Alliance, Inc. All rights reserved. Service Model Architectures Cloud Infrastructure IaaS PaaS SaaS Infrastructure as a Service (IaaS) Architectures Platform as a Service (PaaS) Architectures Software as a Service (SaaS) Architectures Cloud Infrastructure SaaS Cloud Infrastructure PaaS SaaS Cloud Infrastructure IaaS PaaS Cloud Infrastructure PaaS Cloud Infrastructure IaaS 1616
  • 17. © 2011 Cloud Security Alliance, Inc. All rights reserved. 18 Security: Barrier to Adoption?
  • 18. © 2011 Cloud Security Alliance, Inc. All rights reserved. 19 What is Different about Cloud?
  • 19. © 2011 Cloud Security Alliance, Inc. All rights reserved. Security Relevant Cloud Components Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elastic Elements: Storage, Processing, and Virtual Networks 2020
  • 20. © 2011 Cloud Security Alliance, Inc. All rights reserved. 21 What is Different about Cloud? SERVICE OWNER SaaS PaaS IaaS Data Joint Tenant Tenant Application Joint Joint Tenant Compute Provider Joint Tenant Storage Provider Provider Joint Network Provider Provider Joint Physical Provider Provider Provider
  • 21. © 2011 Cloud Security Alliance, Inc. All rights reserved. 22 What is Different about Cloud?
  • 22. © 2011 Cloud Security Alliance, Inc. All rights reserved. 23 What is Different about Cloud?
  • 23. © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud “Threats” 1. Abuse & Nefarious Use of Cloud Computing 2. Insecure Interfaces & APIs 3. Malicious Insiders 4. Shared Technology Issues 5. Data Loss or Leakage 6. Account or Service Hijacking 7. Unknown Risk Profile 24
  • 24. © 2011 Cloud Security Alliance, Inc. All rights reserved. ENISA Cloud Computing Risk Assessment http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment 1. Loss of governance 2. Lock-in 3. Isolation failure 4. Compliance risks 5. Management interface compromise 6. Data protection 7. Insecure or incomplete data deletion 8. Malicious insider 25
  • 25. © 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud “Threats” – Top 3 1. Authentication abuse 2. Operations breakdown 3. Misuse of cloud-specific technology 26
  • 26. © 2011 Cloud Security Alliance, Inc. All rights reserved. FBI Takes Cloud Away 27
  • 27. © 2011 Cloud Security Alliance, Inc. All rights reserved. While we are “in the cloud” Here are some additional CSA/cloud security resources… 28
  • 28. © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA GRC Stack Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption. 29 Control Requirements Provider Assertions Private, Community & Public Clouds
  • 29. © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA CloudAudit Open standard and API to automate provider audit assertions Change audit from data gathering to data analysis Necessary to provide audit & assurance at the scale demanded by cloud providers Uses Cloud Controls Matrix as controls namespace Use to instrument cloud for continuous controls monitoring 30
  • 30. © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud Controls Matrix 31 Controls derived from guidance Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA Rated as applicable to SaaS/PaaS/IaaS Customer vs Provider role Help bridge the “cloud gap” for IT & IT auditors https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
  • 31. © 2011 Cloud Security Alliance, Inc. All rights reserved. 32 Next?
  • 32. © 2011 Cloud Security Alliance, Inc. All rights reserved. Thanks for Your Review! Acknowledgement to Dr. Anton Chuvakin, SecurityWarrior LLC for Cloud Security Alliance, Cloud Security Alliance.org, Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by for Triad ISSA, NC January 26, 2012 Valdez Ladd, ISSA Raleigh, NC 2011 33
  • 33. © 2011 Cloud Security Alliance, Inc. All rights reserved. 34