1. Governing in the Cloud Rolf Frydenberg Joymount AS, Senior Advisor February 9, 2011
2. Agenda
Cloud Security Alliance: general and Norway
CSA Cloud Security Guidance
NIST Cloud Definition Framework
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Other CSA Domains: Operations
Cloud Controls Matrix
CSA GRC Stack
3. About the Cloud Security Alliance
Global, not-for-profit organization
Over 16,000 individual members, 80 corporate members
Building best practices and a trusted cloud ecosystem
Agile philosophy, rapid development of applied research
GRC: balance compliance with risk management
Reference models: build using existing standards
Identity: a key foundation of a functioning cloud economy
Champion interoperability
Advocacy of prudent public policy
Mission: "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."
4. What We Did in 2010
Threat Research: "Top Threats to Cloud Computing", announced at RSA 2010; covers shared technology vulnerabilities, data loss/leakage, malicious insiders, insecure APIs, etc.
Certificate of Cloud Security Knowledge (CCSK): released Sep 1 2010; web-based test of competency in the CSA Guidance
Trusted Cloud Initiative: cloud security reference architecture, secure and interoperable identity in the cloud, responsibilities of identity providers
Cloud Controls Matrix (CCM) Tool: 98 controls derived from the Guidance, mapped to ISO 27001, COBIT, PCI DSS and HIPAA
Consensus Assessment Initiative (CAI): research tool and processes for assessing cloud providers; V1 released Oct 2010 with 140 provider questions
CloudAudit: open standard and API to automate provider audit assertions; uses the CCM; www.cloudaudit.org
CSA GRC Stack: suite of tools, best practices and enabling technology to simplify GRC in the cloud
5. Plans for 2011
CSA Guidance Research: V3 targeted for Q3 2011; best practices
CSA GRC Stack: expand, run pilot projects, embed in providers and products
Trusted Cloud Initiative: release reference architecture and certifications
CloudCERT: consensus research, best practices
CCSK: role-specific training, hands-on lab
CCM: V2 targeted for 1H 2011; increase mappings, fine-tune controls, engage with ISO
Cloud Metrics Research: metrics for each of the 98 controls in the CCM; create a baseline capability
Security as a Service: define it, identify solution categories, produce guidance, align with other CSA research
6. CSA Norway Chapter
Established in October 2010
80 individual members (Feb 2011)
Board of six directors elected Oct 2010:
Rolf Frydenberg, Joymount (president)
Geir-Arild Engh-Hellesvik, KPMG (secretary)
Lars Egil Sætrang, Promon (treasurer)
Helge Skrivervik, Team Mellvik
Tor Andre Breivikås, Teleplan
Chunming Rong, University of Stavanger
First Members' Meeting in December 2010 (Private vs Public Cloud)
Second Members' Meeting in February 2011 (Compliance in the Cloud)
Co-op seminar planned with Dataforeningen (Norwegian Computing Society)
7. CSA Guidance Research
Cloud Architecture
Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
Operating in the Cloud: Security, Business Continuity and Disaster Recovery; Data Center Operations; Incident Response, Notification and Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
CSA Guidance 2.1: more than 100,000 downloads; cloudsecurityalliance.org/guidance
9. Governance and Enterprise Risk Management
Develop robust information security governance regardless of the service or delivery model
Review information security governance structures and processes, as well as security controls; include the vendor's complete supply chain!
Make governance and risk management a collaborative part of the development, deployment and operation of services
Define methods and metrics for measuring the performance and effectiveness of security management
Determine risk exposure before writing detailed requirements
Manage risk through valuation of assets and identification of threats and vulnerabilities; management must accept the resulting risk levels and choose between the options (control, avoid, transfer, accept)
Cloud vendors should provide measures and controls that assist customers in their own risk management
10. Legal and Electronic Discovery
Establish a mutual understanding of each party's roles and responsibilities for e-discovery, litigation, searches, etc.
Plan for both expected and unexpected termination of the agreement
The agreement must allow the customer and/or a third party to monitor the service provider's performance and to test for vulnerabilities
In many cases there is a requirement to know, down to the physical disk, where data is stored
The customer must ensure it retains ownership of all data it stores on behalf of its own customers and employees
11. Compliance and Audit
The provider's standard terms and conditions may not address your compliance needs
Make sure you have both the right and the access capabilities to perform audits
Determine whether you are subject to compliance regulations with specific Cloud Computing requirements
Analyze the impact of data security regulations on your use of Cloud Computing
Require that the cloud provider has at least a roadmap for ISO/IEC 27001 compliance
CSA has called for the whole industry to be ISO/IEC 27002 compliant
When selecting an external auditor, ensure they have Cloud Computing knowledge and experience
12. Information Lifecycle Management
Understand how data integrity is maintained, and how a compromise of integrity is detected and communicated
Ensure specific identification of all controls used during the lifecycle of the data
Understand the circumstances under which storage can be seized by a third party or government entity, and require advance notification of any such action
Use a "Default Deny All" policy for all data, applied to all cloud provider personnel and subcontractors as well as third parties; often preferable for your own employees as well
Identify trust boundaries throughout the IT architecture and its abstraction layers
Understand how encryption and key management are handled on multi-tenant storage and other multi-tenant components of the service
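To make the "Default Deny All" point concrete, here is an added example (not CSA code and not from any provider) of a small access evaluator in which nothing is allowed unless an explicit allow rule matches, an explicit deny always wins, and allow rules are scoped to the principal's own tenant. The principal names, organisation tags ("customer", "provider", "subcontractor") and the two-rule policy are constructed for the example; in practice the same semantics would live in the provider's and your own IAM configuration rather than in a script.

```python
"""Default-deny access evaluation for stored data (added example, not CSA code).

Assumptions (constructed for this example, not from the slide): every request
names a principal with an organisation tag and, for customer staff, the tenant
they work for; the only allow rules are the explicit ones in POLICY. Anything
not explicitly allowed, and anything explicitly denied, is refused.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    org: str                      # "customer", "provider", "subcontractor", ...
    tenant: Optional[str] = None  # tenant whose data this person works on


@dataclass(frozen=True)
class Rule:
    effect: str                   # "allow" or "deny"
    orgs: FrozenSet[str]          # organisations the rule applies to
    actions: FrozenSet[str]       # e.g. {"read", "write"}
    same_tenant_only: bool = True # allow only on the principal's own tenant's data


# Constructed policy: customer staff may read and write their own tenant's
# data and may never delete it. Provider operators and subcontractors are not
# mentioned at all, so the default-deny rule refuses them.
POLICY: List[Rule] = [
    Rule("allow", frozenset({"customer"}), frozenset({"read", "write"})),
    Rule("deny", frozenset({"customer"}), frozenset({"delete"})),
]


def evaluate(policy: List[Rule], principal: Principal, action: str, data_tenant: str) -> bool:
    """True only if some allow rule matches and no deny rule matches."""
    allowed = False
    for rule in policy:
        if principal.org not in rule.orgs or action not in rule.actions:
            continue
        if rule.same_tenant_only and principal.tenant != data_tenant:
            continue
        if rule.effect == "deny":
            return False          # explicit deny overrides any allow
        allowed = True
    return allowed                # no matching allow: denied by default


def access_report(policy: List[Rule], requests: List[Tuple[Principal, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Evaluate a batch of (principal, action, data_tenant) requests."""
    return [(p.name, a, t, "ALLOW" if evaluate(policy, p, a, t) else "DENY")
            for p, a, t in requests]


if __name__ == "__main__":
    # Constructed requests: own-tenant access, cross-tenant access, a provider
    # operator and a subcontractor who appear in no rule, and a forbidden delete.
    alice = Principal("alice", "customer", tenant="acme")
    for row in access_report(POLICY, [
        (alice, "read", "acme"),
        (alice, "read", "globex"),
        (Principal("ops-1", "provider"), "read", "acme"),
        (Principal("sub-7", "subcontractor"), "write", "acme"),
        (alice, "delete", "acme"),
    ]):
        print("%-6s %-6s %-7s %s" % row)
```

Only the first request is allowed. The provider operator and the subcontractor are refused without any rule naming them, which is the property the slide asks for: adding a new role or contractor never widens access until someone writes an explicit allow.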
13. Portability and Interoperability
Substituting cloud providers is in virtually all cases a negative transaction for at least one party; plan for it from the outset
Document the security architecture, configuration and controls
IaaS: understand how virtual machine images can be captured and ported; identify and eliminate provider-specific extensions to the VM environment
PaaS: use platform components with standard syntax, open APIs and open standards; understand how tools and services such as backup/restore, monitoring, logging and audit would transfer to a new vendor
SaaS: perform regular data extractions to a format that is usable without the current SaaS provider; understand any custom tools that have been developed or specially configured
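The SaaS advice above (regular extractions to a provider-independent format) and the Information Lifecycle Management advice on slide 12 (knowing how a compromise of integrity is detected) can be served by one mechanism. The following is an added example, not CSA code and not any provider's export tool: records pulled from a SaaS API are written as JSON Lines, a format any later tool can read, together with a manifest of per-record SHA-256 digests and a root digest over the ordered list, so that an edited, truncated or reordered extract is detected on the next read. The sample records and field names are constructed for the example.

```python
"""Vendor-neutral SaaS extract with an integrity manifest (added example,
not CSA code and not a SaaS provider's tool).

Assumptions (constructed for this example): records arrive from the SaaS API
as plain dicts. They are stored as JSON Lines (one canonical JSON object per
line) and a manifest records each record's SHA-256 plus a root digest over
the ordered digests, so verify() can report what changed.
"""
import hashlib
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample data standing in for an export from a SaaS CRM.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Ng", "email": "alice@example.com", "plan": "pro"},
    {"id": 2, "name": "Bob Roy", "email": "bob@example.com", "plan": "free"},
    {"id": 3, "name": "Chen Wu", "email": "chen@example.com", "plan": "pro"},
]


def canonical(record: dict) -> bytes:
    """Sorted keys and fixed separators so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _root(digests: List[str]) -> str:
    """Digest over the ordered per-record digests; catches drops and reorders."""
    return hashlib.sha256("\n".join(digests).encode("utf-8")).hexdigest()


def export(records: Iterable[dict]) -> Tuple[str, Dict]:
    """Return (jsonl_text, manifest) for the given records."""
    lines: List[str] = []
    digests: List[str] = []
    for rec in records:
        blob = canonical(rec)
        lines.append(blob.decode("utf-8"))
        digests.append(hashlib.sha256(blob).hexdigest())
    manifest = {"format": "jsonl", "count": len(lines), "sha256": digests, "root": _root(digests)}
    return "\n".join(lines) + "\n", manifest


def verify(jsonl_text: str, manifest: Dict) -> List[str]:
    """Return a list of problems found; an empty list means the extract is intact."""
    problems: List[str] = []
    lines = [ln for ln in jsonl_text.split("\n") if ln != ""]
    if len(lines) != manifest["count"]:
        problems.append("expected %d records, found %d" % (manifest["count"], len(lines)))
    recomputed: List[str] = []
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            problems.append("record %d: not valid JSON" % i)
            recomputed.append("")
            continue
        digest = hashlib.sha256(canonical(rec)).hexdigest()
        recomputed.append(digest)
        if i >= len(manifest["sha256"]) or digest != manifest["sha256"][i]:
            problems.append("record %d: hash mismatch" % i)
    if _root(recomputed) != manifest["root"]:
        problems.append("root hash mismatch: extract was altered, truncated or reordered")
    return problems


if __name__ == "__main__":
    text, manifest = export(SAMPLE_RECORDS)
    print("intact:", verify(text, manifest))
    print("tampered:", verify(text.replace("alice@example.com", "mallory@example.com"), manifest))
    truncated = "\n".join(text.splitlines()[:-1]) + "\n"
    print("truncated:", verify(truncated, manifest))
```

Keep the manifest somewhere the provider cannot write (for example signed and stored with your own backups); if the manifest travels with the extract and both are under the provider's control, the check only detects accidental corruption, not deliberate alteration.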
14. Other CSA Domains: Operations
Security, Business Continuity and Disaster Recovery
Data Center Operations
Incident Response, Notification and Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
15. Cloud Controls Matrix Tool
Controls derived from the Guidance
Each control rated as applicable to SaaS, PaaS and/or IaaS (S-P-I)
Each control assigned to the customer or the provider role
Mapped to ISO 27001, COBIT, PCI and HIPAA
Helps bridge the gap between IT and IT auditors
16. CSA GRC Stack
Recent news: the CSA GRC Stack is now available on a USB drive
Suite of tools, best practices and enabling technology
Consolidates industry research and simplifies GRC in the cloud
For cloud providers, enterprises, solution providers and audit/compliance
www.cloudsecurityalliance.org/grcstack
(Diagram labels: Provider Assertions; Private & Public Clouds; Control Requirements)