The document discusses assessing the security of cloud SaaS solutions. It covers cloud security standards like ISO 27001, CSA Cloud Controls Matrix, and CSA STAR certification. Trust in the cloud is difficult due to lack of transparency from cloud providers. The document provides approaches for evaluating a cloud provider's security controls, privacy practices, and data protection. It also includes sample questions from the CSA consensus assessment initiative to assess these areas for a specific cloud SaaS solution.
2. Schneider Electric 2– Digital Services Transformation – Matthew Theobald – January 2015
Agenda
1. Introduction
2. Cloud Security Standards
3. Trust in the Cloud
4. Privacy in the Cloud
5. Exercise – Assessing Security of a Cloud SaaS Solution
INTRODUCTION
Control System Data in the Cloud
● ICS vendors are beginning to develop cloud SaaS (Software as a Service) solutions to store and analyze control system data
● Driven by the need to collect, cleanse, store, analyze and report on large volumes of data from multiple sources, in a cost-effective manner
● Through analysis, this data can be turned into information to quantify, improve and optimize business processes
● Examples
  ● Cloud Historian
  ● Remote Monitoring
  ● Asset Management
  ● Smart Buildings
Difficulty Assessing Cloud SaaS Solutions
● Cloud provider’s security controls must be assessed at multiple layers:
  ● Facilities (physical security)
  ● Network infrastructure (network security)
  ● IT systems (system security)
  ● Information and applications (application security)
  ● People (for example, separation of duties between development and production)
  ● Process (for example, change management and incident response)
● Biggest obstacle to assessing the security of a Cloud SaaS solution is a lack of transparency on the part of the Cloud Provider
Definitions

Term: Cloud Provider
Definition: An organization or entity responsible for making a service available to interested parties - for example, an ICS vendor providing a Cloud Historian service

Term: Cloud Consumer
Definition: An organization that maintains a business relationship with, and uses services from, a Cloud Provider – for example, an asset owner that has subscribed to and uses an ICS vendor’s Cloud Historian service
CLOUD SECURITY STANDARDS
8. Schneider Electric 8– Digital Services Transformation – Matthew Theobald – January 2015
ISO/IEC
ISO/IEC 27001 Information technology -- Security techniques --
Information security management systems -- Requirements
● Provides requirements for an information security management
system (ISMS), which is a systematic approach to keep information assets
secure
● Auditable
ISO/IEC 27002 Information technology -- Security techniques -- Code of practice for information security controls
● Provides best practice recommendations for use by those responsible for initiating, implementing or maintaining an ISMS
Cloud Security Alliance
CSA Cloud Controls Matrix
● First ever baseline control framework specifically designed for Cloud
supply chain risk management
● Backbone of CSA’s Cloud Certification framework (more later)
● 16 control areas, 133 controls
● Controls mapped to 32 other security standards, regulations, and controls
frameworks including ISO 27001 and 27002, ISACA COBIT, FedRAMP,
NERC CIP, NIST SP800-53, 95/46/EC, HIPAA, PCI DSS
NIST
NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal
Information Systems and Organizations
NIST SP 800-161 (Draft) Supply Chain Risk Management Practices for
Federal Information Systems and Organizations
TRUST IN THE CLOUD
Trust
● Lack of Cloud Provider transparency inhibits Governance, Risk Management, and Compliance (GRC)
● Difficult to monitor and audit supply chains necessary for the company’s consistent performance and growth
● Difficult to identify and understand exposure to risk and the capability to manage risk
● Challenge for a Cloud Consumer to show auditors that the organization is in compliance with industry security / privacy standards and regulations
The higher up the Service Model stack, the more security the Cloud Provider is responsible for implementing and managing.

[Figure: Service Model stack, contrasting security the Cloud Consumer can "Build It In" with security it must "RFP / Contract It In"]
General Approach
● Network segmentation and segregation
● Boundary protection
● Firewall policy
● Defense in depth
● Authentication and authorization
● Monitoring and auditing
● etc.

Referenced standards: NIST 800-82, IEC-62443, NIST 800-53
Cloud Certifications
● Provide transparency and visibility to cloud customers
● Deliver compliance-supporting data and artifacts

Examples: ISO/IEC 27001, CSA STAR, SSAE-16 SOC 2
SSAE-16 SOC 2 Report
● Reports on the design (Type I) and operating effectiveness (Type II) of a service organization’s controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system
CSA STAR (Security, Trust & Assurance Registry)
● Goal is to improve transparency and assurance in the cloud
● Searchable, publicly accessible registry to allow cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences
● Helps customers to assess the security of Cloud Providers
● Based on a multilayered structure defined by the Open Certification Framework Working Group
CSA STAR Self-Assessment
● Voluntary
● Based on:
  ● Cloud Control Matrix
  ● Consensus Assessments Initiative Questionnaire
CSA STAR Certification
● Rigorous third party independent assessment of a cloud provider’s security
● Measures cloud provider’s capability levels
  ● No formal approach
  ● Reactive approach
  ● Proactive approach
  ● Improvement based approach
  ● Optimising approach
CSA STAR Certification
● Leverages the requirements of:
  ● ISO 27001:2013
  ● CSA Cloud Control Matrix
● Ensures the scope, processes and objectives are “fit for purpose”
CSA STAR Attestation
● Provides a framework for performing assessments of cloud service providers using SOC 2 engagements supplemented by criteria in the CSA Cloud Control Matrix
● Typically, Cloud Providers acquire a CSA Attestation, 27001 certification, and SOC 2 Type II certification at the same time since so many of the criteria are common between the three
CSA CAI Questionnaire
● Consensus Assessments Initiative Questionnaire
● Provides a set of questions a cloud consumer can ask of a
cloud provider about their security controls
● Questions can be tailored to suit each unique cloud consumer’s
evidentiary requirements
● Questions mapped to the compliance requirements in Cloud
Control Matrix
PRIVACY IN THE CLOUD
PII and Personal Information
● PII (Personally Identifiable Information)
  ● Information that can identify an individual (name, date of birth, etc.)
● Personal information
  ● Information that does not directly identify an individual, but is deemed sensitive by social mores, such as race, religion, shopping habits
Privacy vs Security
● Privacy governs how PII should be used, shared, and retained
● Security restricts access to the sensitive data and protects confidentiality/integrity during collection, storage, and transmission

Privacy in ICS
● Information primarily Business Sensitive / Confidential
● Biggest privacy impact is Identity / Account stores
  ● Full name
  ● Email address
  ● Etc.
Privacy Standards and Regulations
● FTC Consent Decrees
  ● Designate individuals to be accountable for the information security program
  ● Identify risks to personal information
  ● Design, implement and test reasonable safeguards to control risk
● EU Data Protection Directive (95/46/EC)
  ● Data controller (cloud customer) “must implement appropriate technical and organizational measures to protect personal data against …. all unlawful forms of processing…”
  ● Processing of data by a data processor (cloud provider) must be governed by a contract or legal act binding the processor to the controller
  ● Cross-border data transfer out of the EEA prohibited unless the third country in question ensures an adequate level of protection
Privacy Standards and Regulations
● US/EU Safe Harbor
  ● Allows US companies to register their certification that they meet the EU Data Protection requirements
  ● Take reasonable precautions to protect personal information
  ● Onward Transfer Principle
● PIPEDA Principles for the Protection of Personal Data (Canada)
  ● An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party (cloud provider) for processing
Privacy Standards and Regulations
● NIST SP800-53 Rev. 4 Appendix J “Privacy Control Catalog”
● ISO/IEC 27018 Information technology -- Security techniques -- Code of practice for PII protection in public cloud acting as PII processors
● HIPAA Health Insurance Portability and Accountability Act
● PCI DSS Payment Card Industry Data Security Standard
Privacy Policy
● Cloud Provider should have a strong Privacy Policy that specifies the following for personal information:
  ● Collection
  ● Usage
  ● Storage
  ● Release
  ● Retention
  ● Deletion
● Cloud Provider should provide Privacy Notice to Cloud Consumer upon demand
EXERCISE
Assessing the Security of a Cloud SaaS Solution
Network Segmentation and Zoning

IEC 62443-3-3 Requirement: SR 5.1 – Network Segmentation
Impact: The network with access to the Cloud Provider’s application should be logically or physically segmented from the (critical) control system network

IEC 62443-3-3 Requirement: SR 5.2 – Zone boundary protection
Impact: Access to the Cloud Provider’s application must take place via a zone and conduit designed for this purpose

IEC 62443-3-3 Requirement: SR 5.2 – Zone boundary protection
Impact: The Cloud Provider’s security and access controls must fulfill the requirements of the asset owner’s zone and conduit security policy designed to meet the target Security Level
Data Integrity and Confidentiality

IEC 62443-3-3 Requirement: SR 3.1 – Communication integrity; SR 4.1 – Information confidentiality
Impact: The confidentiality and integrity of all network communication between the asset owner’s system and the Cloud Provider’s system must be protected via cryptographic means

IEC 62443-3-3 Requirement: SR 3.4 – Software and information integrity; SR 4.1 – Information confidentiality
Impact: The confidentiality and integrity of data at rest must be protected by the Cloud Provider using strong access and/or cryptographic controls
Data Integrity and Confidentiality

Control Group: Interoperability & Portability – Standardized Network Protocols
Consensus Assessment Question(s):
● Can data import, data export and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?
● Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved?

Control Group: Application & Interface Security – Data Integrity
Consensus Assessment Question(s):
● Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Multi-Tenancy
● Definition
  ● Resources and services used by multiple cloud consumers are physically collocated, but logically separated – for example, data from multiple cloud consumers are stored in the same database, or on the same server, and security controls keep the data logically separated
● To Cloud Providers
  ● Enables economies of scale, availability, management, segmentation, isolation, and operational efficiency
● To Cloud Consumers
  ● Implies a need for security controls, at different layers, to ensure logical separation
Encrypting Data At Rest in Cloud SaaS
● Typical cloud guidance
  ● Cloud Consumer (tenant) generates encryption key, encrypts and decrypts data en-route to/from the Cloud SaaS Provider
● Cloud SaaS encryption hurdles
  ● SaaS is not just storage – need to validate, estimate, aggregate, search, sort, and analyze
● Cloud Consumer (tenant) should control their own encryption keys
● Encryption keys should never be stored alongside the encrypted data
● Extremely important to manage encryption keys securely
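The data-at-rest guidance above (the tenant generates and controls the keys, and keys are never stored alongside the data), as an added example that is not part of the deck and not Schneider Electric code: a Go program in which the tenant envelope-encrypts each record before upload, so the provider stores only ciphertext, a wrapped data key and a keyed blind index it can match on without decrypting anything. The type names, the `mustRandom` helper and the blind-index approach to the "search" hurdle are assumptions of this example; AES-256-GCM and HMAC-SHA256 come from Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StoredRecord (hypothetical layout) is everything the Cloud Provider keeps for one record. It holds
// nothing that can decrypt it: the per-record data key (DEK) is wrapped under the tenant's KEK, which never leaves the tenant.
type StoredRecord struct {
	ID         string
	WrappedDEK []byte // DEK sealed with AES-256-GCM under the tenant key-encryption key (KEK)
	Ciphertext []byte // record sealed with AES-256-GCM under the DEK, nonce prefixed
	AssetIndex string // HMAC-SHA256(index key, asset tag): lets the provider match tags without decrypting
}

// Tenant holds the Cloud Consumer's keys; the index key is deliberately separate from the KEK.
type Tenant struct{ kek, indexKey []byte }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy, refuse to continue rather than encrypt weakly
	}
	return b
}

func NewTenant() *Tenant { return &Tenant{kek: mustRandom(32), indexKey: mustRandom(32)} }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a changed aad or a modified byte fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// BlindIndex lets the provider answer "which records carry this asset tag?" without seeing the
// tag. Because it is deterministic, it does reveal which records share a tag.
func (t *Tenant) BlindIndex(assetTag string) string {
	m := hmac.New(sha256.New, t.indexKey)
	m.Write([]byte(assetTag))
	return hex.EncodeToString(m.Sum(nil))
}

// Encrypt is client-side envelope encryption before upload: a fresh DEK per record, wrapped
// under the KEK. The record ID is bound as AAD so a blob cannot be moved to another record.
func (t *Tenant) Encrypt(id, assetTag string, plaintext []byte) (StoredRecord, error) {
	dek := mustRandom(32)
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(t.kek, dek, []byte(id))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: id, WrappedDEK: wrapped, Ciphertext: ct, AssetIndex: t.BlindIndex(assetTag)}, nil
}

// Decrypt unwraps the DEK with the tenant KEK, then opens the record.
func (t *Tenant) Decrypt(r StoredRecord) ([]byte, error) {
	dek, err := open(t.kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	t := NewTenant()
	r, _ := t.Encrypt("r1", "pump-01", []byte(`{"flow":12.4}`)) // constructed sample reading
	pt, err := t.Decrypt(r)
	fmt.Printf("index=%s decrypted=%s err=%v\n", r.AssetIndex[:8], pt, err)
}
```

The provider answers an equality search by comparing `AssetIndex` values, which needs no key, so "Do you store encryption keys in the cloud?" can be answered with no while search still works. The trade-off is the one behind the deck's "search, sort, and analyze" hurdle: a deterministic index leaks which records share a tag, and range queries or aggregates over the plaintext are not possible on the provider side with this design at all.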
Data Integrity and Confidentiality

Control Group: Audit Assurance & Compliance – Information System Regulatory Mapping
Consensus Assessment Question(s):
● Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
● Do you have capability to recover data for a specific customer in the case of a failure or data loss?

Control Group: Encryption & Key Management – Encryption
Consensus Assessment Question(s):
● Do you encrypt tenant data at rest (on disk/storage) within your environment?
● Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption)?
● Do you have documentation establishing and defining your encryption management policies, procedures and guidelines?
Data Integrity and Confidentiality

Control Group: Encryption & Key Management – Storage and Access
Consensus Assessment Question(s):
● Are your encryption keys maintained by the cloud consumer or a trusted key management provider?
● Do you store encryption keys in the cloud?
● Do you have separate key management and key usage duties?

Control Group: Supply Chain Management, Transparency and Accountability – Data Quality and Integrity
Consensus Assessment Question(s):
● Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?
● Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?
Identity and Account Management

IEC 62443-3-3 Requirement: SR 1.3 – Account management
Impact: Ideally the asset owner should manage accounts centrally and the cloud provider should federate against the asset owner’s identity store, or the cloud provider can provide an application account store

IEC 62443-3-3 Requirement: SR 1.5 – Authenticator management; SR 1.7 – Strength of password-based authentication; SR 1.11 – Unsuccessful login attempts
Impact: The asset owner must be able to customize account and password policies when managing accounts in the Cloud Provider’s application account store
Identity and Account Management

Control Group: Identity & Access Management – User ID Credentials
Consensus Assessment Question(s):
● Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
● Do you use open standards to delegate authentication capabilities to your tenants?
● Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
● Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biometrics, etc.) for user access?
● Do you allow tenants to use third-party identity assurance services?
Identity and Account Management

Control Group: Identity & Access Management – User ID Credentials
Consensus Assessment Question(s):
● Do you support the ability to force password changes upon first logon?
● Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement?
● Do you allow tenants/customers to define password and account lockout policies for their accounts?
● Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
Auditing and Monitoring

IEC 62443-3-3 Requirement: SR 6.2 – Continuous monitoring
Impact: The Cloud Provider must continuously monitor their system and use common security industry practices and tools (a SIEM, for example) to detect and respond to security breaches in a timely manner

IEC 62443-3-3 Requirement: SR 6.1 – Audit log accessibility
Impact: The Cloud Provider must provide the capability for an asset owner to access tenant-specific audit log reports

IEC 62443-3-3 Requirement: SR 2.8 – Auditable events
Impact: It should be possible to export tenant-specific audit logs from the Cloud Provider into a centrally managed audit trail on the asset owner's system where they can be further analyzed by standard log analysis tools such as a SIEM
Auditing and Monitoring

Control Group: Security Incident Management, E-Discovery & Cloud Forensics – Incident Management
Consensus Assessment Question(s):
● Do you have a documented security incident response plan?
● Do you integrate customized tenant requirements into your security incident response plans?
● Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?
● Have you tested your security incident response plans in the last year?

Control Group: Security Incident Management, E-Discovery & Cloud Forensics – Incident Reporting
Consensus Assessment Question(s):
● Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
● Does your logging and monitoring framework allow isolation of an incident to specific tenants?
Auditing and Monitoring

Control Group: Security Incident Management, E-Discovery & Cloud Forensics – Incident Response Legal Preparation
Consensus Assessment Question(s):
● Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?
● Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
● Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?
● Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
Auditing and Monitoring

Control Group: (Custom)
Consensus Assessment Question(s):
● Do you provide the capability for a customer (tenant) to access their audit logs via a visual or programmatic interface?
● Do you provide the capability for a customer (tenant) to export their audit logs in an industry standard format such that the logs may be analyzed by the customer’s organization using industry standard log analysis tools such as a SIEM?
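The audit-log requirements above (SR 6.1 audit log accessibility, SR 2.8 export into the asset owner's centrally managed audit trail, the custom questions about a programmatic interface and an industry standard format, and the earlier question about isolating an incident to specific tenants), as an added example that is not from the deck: a Go program that parses a constructed multi-tenant audit log, exports one tenant's events as ArcSight CEF lines that a SIEM can ingest, and runs the consumer-side check that no other tenant's events arrived in the export. The JSON field names, the vendor/product strings and the severity mapping are assumptions of this example, and `SampleLog` is constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuditEvent is the provider's internal multi-tenant audit record. The field names are an
// assumption for this example, not a real provider's schema.
type AuditEvent struct {
	Time     time.Time `json:"time"`
	TenantID string    `json:"tenant_id"`
	User     string    `json:"user"`
	Action   string    `json:"action"`
	Outcome  string    `json:"outcome"`
	SourceIP string    `json:"src_ip"`
	Detail   string    `json:"detail"`
}

// SampleLog is a constructed provider-side audit log (JSON lines) mixing two tenants and one
// corrupt line; it is not real data.
const SampleLog = `{"time":"2015-01-20T08:01:05Z","tenant_id":"acme","user":"op1","action":"login","outcome":"failure","src_ip":"10.1.2.3","detail":"bad password"}
{"time":"2015-01-20T08:01:09Z","tenant_id":"globex","user":"ada","action":"login","outcome":"success","src_ip":"10.9.9.9","detail":""}
{"time":"2015-01-20T08:01:12Z","tenant_id":"acme","user":"op1","action":"login","outcome":"success","src_ip":"10.1.2.3","detail":""}
{"time":"2015-01-20T08:05:40Z","tenant_id":"acme","user":"op1","action":"export","outcome":"success","src_ip":"10.1.2.3","detail":"historian tags=pump-01|pump-02"}
this line is not JSON and must be reported rather than silently dropped
{"time":"2015-01-20T08:06:00Z","tenant_id":"globex","user":"ada","action":"config_change","outcome":"success","src_ip":"10.9.9.9","detail":"alarm limit=95"}`

// ParseAuditLog parses JSON lines. Malformed lines are returned by line number instead of
// being dropped, because a gap in an audit trail is itself a finding.
func ParseAuditLog(raw string) (events []AuditEvent, badLines []int) {
	for i, line := range strings.Split(raw, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			badLines = append(badLines, i+1)
			continue
		}
		events = append(events, ev)
	}
	return events, badLines
}

// CEF header fields escape backslash and pipe; extension values escape backslash, equals and newline.
func cefHeader(s string) string { return strings.NewReplacer(`\`, `\\`, `|`, `\|`).Replace(s) }
func cefExt(s string) string    { return strings.NewReplacer(`\`, `\\`, `=`, `\=`, "\n", `\n`).Replace(s) }

// ToCEF renders one event as an ArcSight CEF line, which most SIEMs ingest natively.
// The vendor/product names and the severity mapping are assumptions of this example.
func ToCEF(ev AuditEvent) string {
	severity := 3
	if ev.Outcome == "failure" {
		severity = 5
	}
	return fmt.Sprintf("CEF:0|ExampleSaaS|CloudHistorian|1.0|%s|%s|%d|rt=%d suser=%s src=%s outcome=%s cs1Label=tenant cs1=%s msg=%s",
		cefHeader(ev.Action), cefHeader(ev.Action), severity, ev.Time.UnixMilli(),
		cefExt(ev.User), cefExt(ev.SourceIP), cefExt(ev.Outcome), cefExt(ev.TenantID), cefExt(ev.Detail))
}

// ExportTenant is the provider-side export: only the named tenant's events, in CEF.
func ExportTenant(events []AuditEvent, tenant string) []string {
	var lines []string
	for _, ev := range events {
		if ev.TenantID == tenant {
			lines = append(lines, ToCEF(ev))
		}
	}
	return lines
}

// VerifyIsolation is the consumer-side check on a received export: every line must carry
// exactly the consumer's tenant in cs1 (tenant IDs contain no spaces in this example).
func VerifyIsolation(lines []string, tenant string) error {
	for n, line := range lines {
		i := strings.Index(line, " cs1=")
		if i < 0 {
			return fmt.Errorf("line %d: no tenant field", n+1)
		}
		val := line[i+len(" cs1="):]
		if j := strings.IndexByte(val, ' '); j >= 0 {
			val = val[:j]
		}
		if val != cefExt(tenant) {
			return fmt.Errorf("line %d: tenant %q found in export for %q", n+1, val, tenant)
		}
	}
	return nil
}

func main() {
	events, bad := ParseAuditLog(SampleLog)
	lines := ExportTenant(events, "acme")
	fmt.Printf("%d events, malformed lines %v, %d exported, isolation: %v\n",
		len(events), bad, len(lines), VerifyIsolation(lines, "acme"))
	fmt.Println(strings.Join(lines, "\n"))
}
```

The parser reports the corrupt line instead of skipping it because an export that silently loses records cannot serve as the "centrally managed audit trail" SR 2.8 asks for; the consumer-side `VerifyIsolation` is the check an asset owner can run on every delivery to hold the provider to the tenant-separation questions above.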
Legal Compliance

Control Group: Audit Assurance & Compliance – Information System Regulatory Mapping
Consensus Assessment Question(s):
● Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?

Control Group: Data Security & Information Lifecycle Management – Data Inventory / Flows
Consensus Assessment Question(s):
● Can you ensure that data does not migrate beyond a defined geographical residency?

Control Group: Datacenter Security – Secure Area Authorization
Consensus Assessment Question(s):
● Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
Summary
● Assessing the security of a Cloud SaaS solution can be daunting
● Certifications provide transparency and visibility into the Cloud Provider’s security controls
  ● Delivers evidence-based confidence and compliance-supporting data and artifacts
● Cloud Providers that are not certified can be assessed using the Consensus Assessments Initiative Questionnaire
TRUST