Assessing the Security of Cloud SaaS Solutions

Assessing the Security of
Cloud SaaS Solutions
Matthew Theobald
Cybersecurity Architect

Schneider Electric 2– Digital Services Transformation – Matthew Theobald – January 2015
Agenda
1.  Introduction
2.  Cloud Security Standards
3.  Trust in the Cloud
4.  Privacy in the Cloud
5.  Exercise – Assessing Security of a Cloud SaaS Solution

INTRODUCTION

Control System Data
in the Cloud
● ICS vendors are beginning to develop cloud SaaS (Software as a
Service) solutions to store and analyze control system data
● Driven by need to collect, cleanse, store, analyze and report on large
volumes of data from multiple sources, in a cost-effective manner
● Through analysis, this data can be turned into information to quantify,
improve and optimize business processes
● Examples
● Cloud Historian
● Remote Monitoring
● Asset Management
● Smart Buildings

Difficulty Assessing Cloud
SaaS Solutions
● Cloud provider’s security controls must be assessed at multiple
layers:
● Facilities (physical security)
● Network infrastructure (network security)
● IT systems (system security)
● Information and applications (application security)
● People (for example, separation of duties between development and
production)
● Process (for example, change management and incident response)
● Biggest obstacle to assessing the security of a Cloud SaaS solution is a
lack of transparency on the part of the Cloud Provider

Term Definition
Cloud Provider An organization or entity responsible for making a
service available to interested parties - for example, an
ICS vendor providing a Cloud Historian service
Cloud Consumer An organization that maintains a business relationship
with, and uses services from, a Cloud Provider – for
example, an asset owner that has subscribed to and
uses an ICS vendor’s Cloud Historical service
Definitions

CLOUD SECURITY STANDARDS

ISO/IEC
ISO/IEC 27001 Information technology -- Security techniques --
Information security management systems -- Requirements
● Provides requirements for an information security management
system (ISMS), which is a systematic approach to keep information assets
secure
● Auditable
ISO/IEC 27002 Information technology -- Security techniques -- Code of
practice for information security controls
● Provides best practice recommendations for use by those responsible for
those initiating, implementing or maintaining an ISMS

Cloud Security Alliance
CSA Cloud Controls Matrix
● First ever baseline control framework specifically designed for Cloud
supply chain risk management
● Backbone of CSA’s Cloud Certification framework (more later)
● 16 control areas, 133 controls
● Controls mapped to 32 other security standards, regulations, and controls
frameworks including ISO 27001 and 27002, ISACA COBIT, FedRAMP,
NERC CIP, NIST SP800-53, 95/46/EC, HIPAA, PCI DSS

NIST
NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal
Information Systems and Organizations
NIST SP 800-161 (Draft) Supply Chain Risk Management Practices for
Federal Information Systems and Organizations

TRUST IN THE CLOUD

Trust
● Lack of Cloud Provider transparency inhibits Governance, Risk
Management, and Compliance (GRC)
● Difficult to monitor and audit supply chains necessary for the company’s
consistent performance and growth
● Difficult to identify and understand
exposure to risk and the capability
to manage risk
● Challenge for a Cloud Consumer to
show auditors that the organization
is in compliance with industry
security / privacy standards and
regulations

The higher up the Service Model stack, the
more security the Cloud Provider is
responsible for implementing and managing
Build It In
RFP /
Contract
It In

General Approach
•  Network segmentation and
segregation
•  Boundary protection
•  Firewall policy
•  Defense in depth
•  Authentication and
authorization
•  Monitoring and auditing
•  etc.
NIST 800-82
IEC-62443
NIST 800-53

Cloud Certifications
● Provide transparency and visibility to cloud customers
● Deliver compliance-supporting data and artifacts
ISO/IEC
27001
CSA STAR
SSAE-16 SOC 2

SSAE-16 SOC 2 Report
● Reports on the design (Type I) and operating effectiveness (Type II)
of a service organization’s controls as they relate to security,
availability, processing integrity, confidentiality, and privacy
of a system

CSA STAR (Security, Trust
& Assurance Registry)
● Goal is to improve transparency and assurance in the cloud
● Searchable, publicly accessible registry to allow cloud customers to
review the security practices of providers, accelerating their due
diligence and leading to higher quality procurement experiences
● Helps customers to assess the security of Cloud Providers
● Based on a multilayered structure defined by Open Certification
Framework Working Group

CSA STAR

CSA STAR Self-Assessment
● Voluntary
● Based on:
● Cloud Control Matrix
● Consensus Assessments Initiative Questionnaire

CSA STAR

CSA STAR Certification
● Rigorous third party independent assessment of a cloud
provider’s security
● Measures cloud provider’s capability levels
● No formal approach
● Reactive approach
● Proactive approach
● Improvement based approach
● Optimising approach

CSA STAR Certification
● Leverages the requirements of:
● ISO 27001:2013
● CSA Cloud Control Matrix
● Ensures the scope, processes and objectives are “fit for
purpose”

CSA STAR

CSA STAR Attestation
● Provides a framework for performing assessments
of cloud service providers using SOC 2
engagements supplemented by criteria in the CSA
Cloud Control Matrix
● Typically, Cloud Providers acquire a CSA
Attestation, 27001 certification, and SOC 2 Type II
certification at the same time since so many of the
criteria are common between the three

CSA STAR

CSA CAI Questionnaire
● Consensus Assessments Initiative Questionnaire
● Provides a set of questions a cloud consumer can ask of a
cloud provider about their security controls
● Questions can be tailored to suit each unique cloud consumer’s
evidentiary requirements
● Questions mapped to the compliance requirements in Cloud
Control Matrix

PRIVACY IN THE CLOUD

PII and Personal Information
● PII (Personally Identifiable Information)
● Information that can identify an individual (name, date
of birth, etc.)
● Personal information
● Information that does not directly identify an individual,
but is deemed sensitive by social mores è race,
religion, shopping habits

Privacy vs Security
● Privacy governs how PII should be used, shared, and retained
● Security restricts access to the sensitive data and protects
confidentiality/integrity during collection, storage, and transmission
Privacy in ICS
● Information primarily Business Sensitive / Confidential
● Biggest privacy impact is Identity / Account stores
● Full name
● Email address
● Etc.

Privacy Standards and
Regulations
● FTC Consent Decrees
● Designate individuals to be accountable for the information security program
● Identify risks to personal information
● Design, implement and test reasonable safeguards to control risk
● EU Data Protection Directive (95/46/EC)
● Data controller (cloud customer) “must implement appropriate technical and
organizational measures to protect personal data against …. all unlawful
forms of processing…”
● Processing of data by a data processor (cloud provider) must be governed
by a contract or legal act binding the processor to the controller
● Cross-border data transfer out of the EEA prohibited unless the third
country in question ensures an adequate level of protection

Regulations
● US/EU Safe Harbor
● Allows US companies to register their certification that they meet the EU
Data Protection requirements
● Take reasonable precautions to protect personal information
● Onward Transfer Principle
● PIPEDA Principles for the Protection of Personal Data (Canada)
● An organization is responsible for personal information in its possession or
control, including information that has been transferred to a third party
(cloud provider) for processing

Regulations
● NIST SP800-53 Rev. 4 Appendix J “Privacy Control Catalog”
● ISO/IEC 27018 Information technology -- Security techniques -- Code
of practice for PII protection in public cloud acting as PII processors
● HIPAA Health Insurance Portability and Accountability Act
● PCI DSS Payment Card Industry Data Security Standard

Privacy Policy
● Cloud Provider should have a strong Privacy Policy that specifies the
following for personal information:
● Collection
● Usage
● Storage
● Release
● Retention
● Deletion
● Cloud Provider should provide Privacy Notice to Cloud Consumer
upon demand

EXERCISE
Assessing the Security of a Cloud SaaS Solution

Network Segmentation
and Zoning
IEC 62443-3-3 Requirement Impact
SR 5.1 – Network Segmentation The network with access to the Cloud Provider’s
application should be logically or physically
segmented from the (critical) control system
network
SR 5.2 – Zone boundary protection Access to the Cloud Provider’s application must
take place via a zone and conduit designed for
this purpose
SR 5.2 – Zone boundary protection The Cloud Provider’s security and access controls
must fulfill the requirements of the asset owner’s
zone and conduit security policy designed to
meet the target Security Level

Data Integrity and
Confidentiality
SR 3.1 – Communication integrity
SR 4.1 – Information confidentiality
The confidentiality and integrity of all network
communication between the asset owner’s
system and the Cloud Provider’s system must be
protected via cryptographic means
SR 3.4 – Software and information
integrity
SR 4.1 – Information confidentiality
The confidentiality and integrity of data at rest
must be protected by the Cloud Provider using
strong access and/or cryptographic
controls

Data Integrity and
Confidentiality
Control Group Consensus Assessment Question(s)
Interoperability &
Portability
Standardized Network
Protocols
Can data import, data export and service management be
conducted over secure (e.g., non-clear text and authenticated),
industry accepted standardized network protocols?
Do you provide consumers (tenants) with documentation
detailing the relevant interoperability and portability network
protocol standards that are involved?
Application &
Interface Security
Data Integrity
Are data input and output integrity routines (i.e.,
reconciliation and edit checks) implemented for application
interfaces and databases to prevent manual or systematic
processing errors or corruption of data?

Multi-Tenancy
● Def.
● Resources and services used by multiple cloud consumers are
physically collocated, but logically separated – for example, data
from multiple cloud consumers are stored in the same database, or on the
same server, and security controls keep the data logically separated
● To Cloud Providers
● Enables economies of scale, availability, management, segmentation,
isolation, and operational efficiency
● To Cloud Consumers
● Implies a need for security controls, at different layers, to ensure logical
separation

Encrypting Data At Rest
in Cloud SaaS
● Typical cloud guidance
● Cloud Consumer (tenant) generates encryption key, encrypts and
decrypts data en-route to/from the Cloud SaaS Provider
● Cloud SaaS encryption hurdles
● SaaS is not just storage – need to validate, estimate, aggregate, search,
sort, and analyze
● Cloud Consumer (tenant) should control their own encryption keys
● Encryption keys should never be stored alongside the encrypted data
● Extremely important to manage encryption keys securely

Data Integrity and
Confidentiality
Audit Assurance &
Compliance
Information System
Regulatory Mapping
Do you have the ability to logically segment or encrypt
customer data such that data may be produced for a single
tenant only, without inadvertently accessing another tenant's
data?
Do you have capability to recover data for a specific
customer in the case of a failure or data loss?
Encryption & Key
Management
Encryption
Do you encrypt tenant data at rest (on disk/storage) within your
environment?
Do you support tenant-generated encryption keys or
permit tenants to encrypt data to an identity without access to a
public key certificate (e.g. identity-based encryption)?
Do you have documentation establishing and defining your
encryption management policies, procedures and guidelines?

Data Integrity and
Confidentiality
Encryption & Key
Management
Storage and Access
Are your encryption keys maintained by the cloud consumer
or a trusted key management provider?
Do you store encryption keys in the cloud?
Do you have separate key management and key usage duties?
Supply Chain
Management,
Transparency and
Accountability
Data Quality and
Integrity
Do you inspect and account for data quality errors and
associated risks, and work with your cloud supply-chain
partners to correct them?
Do you design and implement controls to mitigate and contain
data security risks through proper separation of duties, role-
based access, and least-privileged access for all
personnel within your supply chain?

Identity and Account
Management
SR 1.3 – Account management Ideally the asset owner should manage accounts
centrally and the cloud provider should federate
against the asset owner’s identity store, or the
cloud provider can provide an application
account store
SR 1.5 – Authenticator management
SR 1.7 – Strength of password-
based authentication
SR 1.11 – Unsuccessful login
attempts
The asset owner must be able to customize
account and password policies when
managing accounts in the Cloud Provider’s
application account store

Management
Identity & Access
Management
User ID Credentials
Do you support use of, or integration with, existing customer-
based Single Sign On (SSO) solutions to your service?
Do you use open standards to delegate authentication
capabilities to your tenants?
Do you support identity federation standards (SAML,
SPML, WS-Federation, etc.) as a means of authenticating/
authorizing users?
Do you provide tenants with strong (multifactor) authentication
options (digital certs, tokens, biometrics, etc.) for user access?
Do you allow tenants to use third-party identity assurance
services?

Management
Identity & Access
Management
User ID Credentials
Do you support the ability to force password changes upon first
logon?
Do you support password (minimum length, age, history,
complexity) and account lockout (lockout threshold, lockout
duration) policy enforcement?
Do you allow tenants/customers to define password and account
lockout policies for their accounts?
Do you have mechanisms in place for unlocking accounts that
have been locked out (e.g., self-service via email, defined
challenge questions, manual unlock)?

Auditing and Monitoring
SR 6.2 – Continuous monitoring The Cloud Provider must continuously monitor
their system and use common security industry
practices and tools (a SIEM, for example) to
detect and respond to security breaches in a
timely manner
SR 6.1 – Audit log accessibility The Cloud Provider must provide the capability for
an asset owner to access tenant-specific audit
log reports
SR 2.8 – Auditable events It should be possible to export tenant-specific
audit logs from the Cloud Provider into a centrally
managed audit trail on the asset owner's system
where they can be further analyzed by standard log
analysis tools such as a SIEM

Security Incident
Management, E-
Discovery & Cloud
Forensics
Incident Management
Do you have a documented security incident response plan?
Do you integrate customized tenant requirements into your
security incident response plans?
Do you publish a roles and responsibilities document
specifying what you vs. your tenants are responsible for during
security incidents?
Have you tested your security incident response plans in the
last year?
Security Incident
Management, E-
Discovery & Cloud
Forensics
Incident Reporting
Does your security information and event management (SIEM)
system merge data sources (app logs, firewall logs, IDS logs,
physical access logs, etc.) for granular analysis and alerting?
Does your logging and monitoring framework allow isolation of
an incident to specific tenants?

Security Incident
Management, E-
Discovery & Cloud
Forensics
Incident Response
Legal Preparation
Does your incident response plan comply with industry standards
for legally admissible chain-of-custody management
processes and controls?
Does your incident response capability include the use of legally
admissible forensic data collection and analysis techniques?
Are you capable of supporting litigation holds (freeze of data
from a specific point in time) for a specific tenant without
freezing other tenant data?
Do you enforce and attest to tenant data separation when
producing data in response to legal subpoenas?

(Custom) Do you provide the capability for a customer (tenant) to access
their audit logs via a visual or programmatic interface?
Do you provide the capability for a customer (tenant) to export
their audit logs in an industry standard format such that the logs
may be analyzed by the customer’s organization using industry
standard log analysis tools such as a SIEM?

Legal Compliance
Audit Assurance &
Compliance
Information System
Regulatory Mapping
Do you have the capability to restrict the storage of customer
data to specific countries or geographic locations?
Data Security &
Information Lifecycle
Management
Data Inventory / Flows
Can you ensure that data does not migrate beyond a defined
geographical residency?
Datacenter Security
Secure Area
Authorization
Do you allow tenants to specify which of your geographic
locations their data is allowed to move into/out of (to address
legal jurisdictional considerations based on where data is stored
vs. accessed)?

Summary
● Assessing the security of a Cloud SaaS solution can be daunting
● Certifications provide transparency and visibility into the Cloud
Provider’s security controls
● Delivers evidence-based confidence and compliance-supporting data and
artifacts
● Cloud Providers that are not certified can be assessed using the
Consensus Assessments Initiative Questionnaire
TRUST

Assessing the Security of Cloud SaaS Solutions

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Assessing the Security of Cloud SaaS Solutions

Similar a Assessing the Security of Cloud SaaS Solutions (20)

Más de Digital Bond

Más de Digital Bond (20)

Último

Último (20)

Assessing the Security of Cloud SaaS Solutions