O documento discute a Cloud Security Alliance (CSA) e aspectos relacionados à segurança na nuvem. A CSA é uma associação sem fins lucrativos que promove as melhores práticas de segurança na nuvem através de educação, pesquisa e iniciativas locais. O documento também aborda aspectos jurídicos como contratos e responsabilidade civil na nuvem, bem como tendências como BYOD, Security as a Service e padronização global.
4. O que é a computação em nuvem (1)
“Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort
or service provider interaction. This cloud model promotes
availability and is composed of five essential characteristics,
three service models, and four deployment models.”
In “NIST Cloud Computing Standards Roadmap - Special Publication 500‐291”
fonte: sxc.hu
4
5. O que é a computação em nuvem (2)
In “Security Guidance for Critical Areas of Focus in Cloud Computing v3”
fonte: sxc.hu
5
7. Cloud Security Alliance (CSA)
– Associação sem fins lucrativos
– Reúne pessoas físicas e empresas
– Oficializada em dezembro de 2008
– +35mil membros, +130 membros corporativos
– Presente em 23 países através de 30 Chapters
locais (setembro/2012)
7
8. Missão
“Promover a utilização
Picture source: sxc.hu
das melhores práticas
para fornecer garantia
de segurança dentro de
Cloud Computing, e
oferecer educação
sobre os usos de Cloud
Computing para ajudar
a proteger todas as
outras formas de
computação.”
8
9. CSA Brasil
• Segundo Chapter oficial
da CSA
– Oficializado em 27 de
Maio de 2010
• Segue Missão e
Objetivos da CSA Global
– Promover a Segurança
em Cloud Computing
– Promover pesquisas e
iniciativas locais
9
10. Educação
https://cloudsecurityalliance.org/education
• Certificação “Certificate • Treinamento
of Cloud Security – CCSK training
Knowledge (CCSK)” – PCI Cloud training
– Exame online – GRC Stack training
– Custo de USD $295.
https://ccsk.cloudsecurityalliance.org
10
12. Iniciativa de pesquisa: Security Guidance for
Critical Areas of Focus in Cloud Computing
– Estabelece um guia de recomendações para
adoptação segura e estavél das operações na
nuvem;
– Redifine dominios desde a ultima versão de forma
a enfatizar segurança, estabilidade e privacidade;
– Estabelece recomendações práticas e
requerimentos que podem ser mensurados e
auditados.
https://cloudsecurityalliance.org/research/security-guidance/
12
13. Iniciativa de pesquisa: CSA Security, Trust &
Assurance Registry (STAR)
– Registro gratuito e de acesso público dos controles
de segurança de diversos provedores de Cloud
Computing;
– Relatórios de auto-avaliação sobre compliance
com as melhores práticas publicadas pela CSA;
– Ajuda os usuários a avaliarem a segurança dos
provedores de Cloud.
https://cloudsecurityalliance.org/star/
13
14. Iniciativa de pesquisa: White Paper - Adoção de
computação em Nuvem e suas motivações
“Este documento destaca algumas das motivações mais
comumente apontadas como justificativas para a adoção de
Computação em Nuvem, bem como alguns dos aspectos a serem
considerados quanto a cada uma destas motivações. Com este
documento a CSA Brazil Chapter pretende contribuir com gestores
e tomadores de decisão quanto à decisão sobre a adoção de
Computação em Nuvem em suas organizações.”
– Uelinton Santos, Luiz Augusto Amelotti, Filipe Villar, Eduardo
Fedorowicz
https://chapters.cloudsecurityalliance.org/brazil/2012/08/17/white-
paper-adocao-de-computacao-em-nuvem-e-suas-motivacoes/
14
16. Conceito
Contrato de prestação de serviços em que
uma empresa/pessoa física (PROVEDOR)
permite o uso de seus recursos
computacionais (rede, servidores, espaço
em disco, aplicações) por um CLIENTE.
fonte: sxc.hu
16
18. Contratos
Local dos dados
Backups e
recuperação de
CLÁUSULAS desastres
NECESSÁRIAS
Data retention
Quem vai ter
acesso e qual fonte: sxc.hu
tipo
18
19. Contratos
Requisitos de
segurança e TI
Auditoria
externa
CLÁUSULAS
NECESSÁRIAS
Criptografia dos
dados
Tempo de
resposta para fonte: sxc.hu
recuperação
19
20. Contratos
Destino dos dados
com o fim do
contrato
Notificação sobre
invasão/exposição
CLÁUSULAS
NECESSÁRIAS
Terceiros podem
ter acesso aos
dados?
Provedor pode fonte: sxc.hu
utilizar os dados?
20
22. Responsabilidade Civil:
Código Civil
"Art. 927. Aquele que, por ato ilícito (arts. 186 e
187), causar dano a outrem, fica obrigado a repará-
lo.
Parágrafo único. Haverá obrigação de reparar o
dano, independentemente de culpa, nos casos
especificados em lei, ou quando a atividade
normalmente desenvolvida pelo autor do dano
implicar, por sua natureza, risco para os direitos de
outrem." fonte: sxc.hu
22
23. Responsabilidade Civil:
Código de Defesa do Consumidor
"Art. 14. O fornecedor de serviços responde,
independentemente da existência de culpa, pela
reparação dos danos causados aos consumidores
por defeitos relativos à prestação dos serviços,
bem como por informações insuficientes ou
inadequadas sobre sua fruição e riscos".
fonte: sxc.hu
23
24. Responsabilidade Civil:
Problema Jurisprudencial
Suspensão
preventiva de
conteúdo
STJ - Resp 1.316.921/RJ
fonte: sxc.hu
24
26. Responsabilidade Civil:
Problema Jurisprudencial
Procedimento
extrajudicial
Suspensão
Preventiva Análise da
Reclamação
Reclamação Resposta
(24 h)
26 26
27. Responsabilidade Civil:
Problema Jurisprudencial
Se o provedor não fizer a
suspensão preventiva
Responde solidariamente
com o autor da ofensa
27 27
28. Problemas Práticos:
Extinção Unilateral no Contrato
Se você deixar de cumprir ou a Apple suspeitar que você
deixou de cumprir quaisquer disposições deste
Contrato, a Apple, a seu exclusivo critério, sem aviso a
você, poderá: (i) rescindir o presente Contrato e/ou sua
Conta, e você permanecerá responsável por todos os
montantes devidos sob sua Conta até e incluindo a data
da rescisão e/ou (ii) revogar a licença do software, e/ou
(iii) impedir o acesso ao Serviço iTunes (ou qualquer
parte dele).”
28
29. Problemas Práticos:
Exclusão de Responsabilidade
"You, and not Dropbox, are responsible for
maintaining and protecting all of your stuff.
Dropbox will not be liable for any loss or
corruption of your stuff, or for any costs or
expenses associated with backing up or restoring
any of your stuff”.
29
30. Problemas Práticos:
Acionar Empresa Estrangeira
Art. 88, Código de Processo Civil: "É competente a
autoridade judiciária brasileira quando:
(…)
III - a ação se originar de fato ocorrido ou de ato
praticado no Brasil."
30
32. BYOD
• Múltiplos dispositivos
• Acesso remoto aos Dados
• Guarda de Dados
• Múltiplas regras de
segurança
• Dispositivos de terceiros
fonte: sxc.hu
32
33. Security as a Service (SecaaS)
• Security Solutions
fornecidas como e para
as Cloud Computing
– Novas soluções
– Novos paradigmas
– Dependencia dos Cloud
providers
fonte: sxc.hu
33
34. Global Regulatory Framework
• Padronização de ofertas
de Cloud Computing
• Padronização da
Segurança em Cloud
Computing
– “Trusted Cloud”
– Assessement & Audit
fonte: sxc.hu
34
35. Global Regulatory Framework
• ISO/IEC working drafts
– ISO/IEC 27017 – Guidelines
on information security
controls for the use of
cloud computing services
based on ISO/IEC 27002
– ISO/IEC 27018 - Code of
practice for data protection
controls for public cloud
computing services
fonte: sxc.hu
35
36. Previsão do Tempo
• Muitas nuvens a frente
• Sujeito a chuvas e
trovoadas esporádicas
• Tenha sempre um
guarda-chuva próximo
fonte: Wikimedia Commons
36
37. Contato
• Anchises de Paula - adepaula@Verisign.com
• André Serralheiro - serralheiro@gmail.com
• Walter Capanema - contato@waltercapanema.com.br
• Cloud Security Alliance
https://www.cloudsecurityalliance.org
• Cloud Security Alliance
https://chapters.cloudsecurityalliance.org/brazil
• Twitter - @csabr
• Fan Page - https://www.facebook.com/CSA.CapituloBrasil
37
Picture source: http://www.sxc.huAnchises:equisitostecnicos de forma correta e segura a cloudo Walter tocariana parte dos apetosjuridicos (requsitos, leis, relaçoesempresa/consumidor)Idéia... Talvezpodíamostambémfocarnaquestão de aspectosjurídicos, compliance e padrõesqueestãosurgindo. Podemosfalarsobre o projeto STAR da CSA, que visa criar um baseline e um self-assessement p/ osprovedores de cloud, e tambémmencionar o surgimento da norma ISO.
Sumário: A crescentepopularização do conceito de Cloud Computing e suaadoçãopelasempresasresultananecessidade de normatização epadronização da qualidade e segurançadessa nova tecnologia. Éimperativoque as empresas, antes de celebrarqualquercontrato arespeito de talserviço, conheçam as regrastecnológicas e científicas,bemcomoosseusdireitos e devereslegais.Nestaapresentação, pretendemosdiscutir a necessidade de seestabeleceremnormastécnicas/científicas e regrasjurídicasparaapoiaras empresas no processo de contratação de serviçosbaseadosnanuvem,assimcomoapresentar as principaisiniciativas e projetosexistentesnestafrente.
Source: “NIST Cloud Computing Standards Roadmap - Special Publication 500‐291”
Essential Characteristics: On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider. Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and personal digital assistants [PDAs]). Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service. Service Models: Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a Web browser (e.g., Web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited userspecific application configuration settings. Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).Deployment Models: Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
O Objetivo principal do capítulobrasileiroépromover o conhecimentoemSegurançapara Cloud Computing, através da divulgação das iniciativas da CSA (incluindo a tradução do material produzidopela CSA ) e promoveriniciativaslocais e a produção de conteúdo original, comopesquisas e artigos.
A CSA fornece a Certificação “Certificate of Cloud Security Knowledge (CCSK)”baseadanosrelatórios "Security Guidance for Critical Areas of Focus in Cloud Computing, V3” da CSA e "Cloud Computing: Benefits, Risks and Recommendations for Information Security" da ENISA (European Network and Information Security Agency)O Exameéfeito online. Maisinformaçõesem https://ccsk.cloudsecurityalliance.org
Neste slide estãolistadas as diversasiniciativas de pesquisaexistentesatualmente (Setembro/2012) na CSA.Osprincipaisdestaquessão:CSA Security Guidance, uma das iniciativaspioneiras no mercado de desenvolver um guiaespecíficosobresegurançaem Cloud Computing, queestáautalementenaterceiraedição. Cometarqueexisteumainiciativa de tradução do guiaparaportugues.Projeto STAR da CSA, que visa criar um baseline e um self-assessement p/ osprovedores de cloud, e tambémmencionar o surgimento da norma ISO.Participação com ABNT naconstrução da norma ISO…
The CSA guidance as it enters its third edition seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.In the third edition, the guidance assumes a structural maturity in parallel with multinational cloud standards development in both structure and content. Version 3 extends the content included in previous versions with practical recommendations and requirements that can be measured and audited. CSA industry expert authors have endeavored to present a working product that is measured and balanced between the interests of cloud providers and tenants. Controls focus on the preservation of tenant data ownership integrity while embracing the concept of a shared physical infrastructure. Guidance Version 3 incorporates lessons learned from the CSA GRC Stack and Trusted Cloud Initiative and ties in the various CSA activities into one comprehensive C-level best practice. The Security Guidance V.3 will serve as the gateway to emerging standards being developed in the world’s standards organization and is designed to serve as an executive-level primer to any organization seeking a secure, stable transition to hosting their business operations in the cloud.
The Cloud Security Alliance (CSA) announces the launch of a new initiative to encourage transparency of security practices within cloud providers. The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.CSA STAR is open to all cloud providers, and allows them to submit self assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.CSA STAR will be online in Q4 of 2011. Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices:The Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings. The questionnaire (CAIQ) provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed Consensus Assessments Initiative Questionnaire.The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with Cloud Controls Matrix.
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
mas da omissão do provedor de acesso, uma vez notificado pela vítima
Até que tenha tempo hábil para apreciar a veracidade das alegações, e confirmando-as, exclua definitivamente o perfil ou, tendo-as por infundadas, restabeleça seu livre acesso.O provedor não pode postergar por prazo indeterminado a análise.
Picture source: Verisign Brand CenterRisk of multiple devices to access data on cloud computing serversData accessdata at restDifferent security procedures Third-party devices – might mean lack of control
Reference: www.cloudsecurityalliance.org/secaas.htmlNumerous security vendors are now leveraging cloud based models to deliver security solutions. This shift has occurred for a variety of reasons including greater economies of scale and streamlined delivery mechanisms. Regardless of the motivations for offering such services, consumers are now faced with evaluating security solutions which do not run on premises. Consumers need to understand the unique nature of cloud delivered security offerings so that they are in a position to evaluate the offerings and to understand if they will meet their needs.
Fonte da imagem: http://www.sxc.huStandard Cloud offeringsStandard security procedures
Fonte da imagem: http://www.sxc.huStandard Cloud offeringsStandard security procedures
Fonte da imagem: http://commons.wikimedia.org/wiki/File:NWS-IMET-deployed.jpg