Neupart ISACA April 2012

Recent Cloud Security Developments By Lars Neupart, founder of Neupart – The ERP of Security

Uploaded by: lars-neupart

Posted on 18-Nov-2014

DESCRIPTION

I gave a presentation about recent cloud security developments and how to risk assess a cloud provider at ISACA Scandinavian Conference yesterday. Thanks to Cloud Security Alliance for a lot of input.

TRANSCRIPT

Page 1: Neupart Isaca April 2012

Recent Cloud Security Developments
By Lars Neupart, founder of Neupart – The ERP of Security

Page 2

Program

• Security Guidance: The new Security Guidance for Critical Areas of Focus in Cloud Computing?
• GRC Stack: The GRC Stack from Cloud Security Alliance - what it is, and how you can benefit from it.
• Cloud Vendor Risk Assessments: How to perform cloud vendor assessments
• CCSK: An individual certification, the Certificate of Cloud Security Knowledge

Page 3

CSA Security Guidance

• CSA = Cloud Security Alliance
• Version 3 has been released
• Provides practical direction for adopting the cloud paradigm safely and securely.
• Extends with use cases
• 14 Domains emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment.

Page 4

CSA Guidance

• Section I: Cloud Architecture
• Section II: Governing in the Cloud
• Section III: Operating in the Cloud

Page 5

Section I. Cloud Architecture

• Domain 1: Cloud Computing Architectural Framework

Page 6

(Slide contains only a figure; no text extracted.)

Page 7

S-P-I Framework (figure)

SaaS: Software as a Service
PaaS: Platform as a Service
IaaS: Infrastructure as a Service

Figure labels: "You build security in" / "You "RFP" security in"

Page 8

Section II. Governing in the Cloud

• Domain 2: Governance and Enterprise Risk Management
• Domain 3: Legal Issues: Contracts and Electronic Discovery
• Domain 4: Compliance and Audit Management
• Domain 5: Information Management and Data Security
• Domain 6: Interoperability and Portability

Page 9

Section III. Operating in the Cloud

• Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
• Domain 8: Data Center Operations
• Domain 9: Incident Response
• Domain 10: Application Security
• Domain 11: Encryption and Key Management
• Domain 12: Identity, Entitlement, and Access Management
• Domain 13: Virtualization
• Domain 14: Security as a Service

Page 10

CSA Guidance: Risk Based

• CSA Guidance recommends a risk based approach to control selection.
• Also offers a simple model

Page 11

• Visit the V.3 website at: https://cloudsecurityalliance.org/research/security-guidance/

Page 12

ISO 27017

• Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
• Draft

Page 13

GRC Stack from CSA

• Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data.
• The shift to compute as a service presents new challenges across the spectrum of GRC requirements.
• To instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.
• A toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders

Page 14

• A look into the CSA Control Matrix
• https://cloudsecurityalliance.org/research/grc-stack/

Page 15

Cloud Vendor Risk Assessments – how to do it

Page 16

Classic Risk Assessments (figure: Finance Asset Hierarchy)

Business Impact values are inherited downward
Vulnerability values are inherited upward

Assets shown in the hierarchy: Finance DB, ERP, Dynamics AOS, SQL 01, Server 01, Server 02, HP DL380 Serial xyz1234567890, HP DL380 Serial abc0987654321, Data Center A

Page 17

Business Processes & IT Services (figure)

Business Process 1 – IT Services (on premise)
Business Process 2 – IT Services from vendor, e.g. cloud

Business Impact Scores inherit downwards
Vulnerability Scores inherit upwards

GRC

Page 18

The good news:

• You can use well known risk management best practices (e.g. ISO 27001 & ISO 27005) also when assessing cloud applications
• ... with a few notable differences

Page 19

Difference #1: CAI

• Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.
• Industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency.
• Part of GRC Stack

Page 20

Link

• https://cloudsecurityalliance.org/research/cai/

Page 21

Difference #2: STAR

• CSA Security, Trust & Assurance Registry (STAR)
• Free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
• Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices, the CAIQ or the CCM.

Page 22

STAR Links

• Visit the CSA STAR website at: https://cloudsecurityalliance.org/star/
• CSA STAR FAQ: https://cloudsecurityalliance.org/star/faq/
• Ask STAR related questions at our CSA STAR Support Forum: http://www.linkedin.com/groups?home=&gid=4066598
• Watch the STAR briefing online: https://cloudsecurityalliance.org/education/online-learning/star-registry-briefing

Page 23

ISO 27005 = Threat Based Risk Management

Page 24

Example Threat Catalogue

Screen from SecureAware Risk TNG

Page 25

Not all assets burn

• Recommendation: The threats you'll be assessing should depend on the type of asset.
• Using Cloud Service providers gives you other threats than using own IT operations
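The two inheritance rules from the asset-hierarchy slides (business impact flows downward to the components a business asset depends on, vulnerability flows upward to the services built on weak components) and the "not all assets burn" rule (assess only the threats that apply to an asset's type, so a vendor cloud service gets a different threat list than your own hardware) are easier to reason about when run on a concrete tree. The following is an added example and is not code from the presentation, from SecureAware or from ISO 27005. The node names come from the Finance Asset Hierarchy slide; the edges between them, the 1..5 scores, the threat catalogue, the likelihoods and the risk formula (impact x vulnerability x likelihood) are constructed assumptions for illustration.

```python
"""Asset-hierarchy risk model (added example): business impact inherited
downward, vulnerability inherited upward, threats selected by asset type."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Scores use a constructed 1..5 scale, and the risk formula below is an assumption
# for illustration; it is not the SecureAware or ISO 27005 calculation.


@dataclass
class Asset:
    name: str
    kind: str                               # "organisation", "process", "application", "server", "hardware", "site", "cloud-service"
    business_impact: Optional[int] = None   # scored by the business owner, usually only on top-level assets
    vulnerability: Optional[int] = None     # scored by a technical assessment, usually only on technical assets
    children: List["Asset"] = field(default_factory=list)   # assets this one depends on
    eff_impact: int = 0                     # derived: inherited downward
    eff_vuln: int = 0                       # derived: inherited upward


def inherit_impact_down(asset: Asset, inherited: int = 0) -> None:
    """Business impact flows down: an asset is as critical as the most critical thing built on it."""
    asset.eff_impact = max(asset.business_impact or 0, inherited, asset.eff_impact)
    for child in asset.children:
        inherit_impact_down(child, asset.eff_impact)


def inherit_vuln_up(asset: Asset) -> int:
    """Vulnerability flows up: a service is as weak as the weakest component it depends on."""
    asset.eff_vuln = max([asset.vulnerability or 0] + [inherit_vuln_up(c) for c in asset.children])
    return asset.eff_vuln


# Constructed threat catalogue: the asset kinds each threat applies to, and a likelihood 1..5.
# A vendor-delivered cloud service faces different threats than your own hardware does.
THREATS: Dict[str, Tuple[Set[str], int]] = {
    "Fire in data centre": ({"site", "hardware"}, 1),
    "Hardware failure": ({"hardware"}, 3),
    "Unpatched software": ({"server", "application"}, 4),
    "Unauthorised access to data": ({"application", "server", "cloud-service"}, 3),
    "Vendor service outage": ({"cloud-service"}, 3),
    "Vendor lock-in / loss of governance": ({"cloud-service"}, 2),
}


def applicable_threats(asset: Asset) -> List[str]:
    """Only assess the threats that can actually hit this kind of asset ("not all assets burn")."""
    return [t for t, (kinds, _) in THREATS.items() if asset.kind in kinds]


def risk_register(root: Asset) -> List[Tuple[str, str, int]]:
    """(asset, threat, risk) for every applicable pair, highest risk first.
    risk = effective impact x effective vulnerability x likelihood (assumed formula)."""
    inherit_impact_down(root)
    inherit_vuln_up(root)
    rows, seen = [], set()

    def walk(a: Asset) -> None:
        if id(a) in seen:          # a shared component (e.g. one data centre) is listed once
            return
        seen.add(id(a))
        for t in applicable_threats(a):
            rows.append((a.name, t, a.eff_impact * a.eff_vuln * THREATS[t][1]))
        for c in a.children:
            walk(c)

    walk(root)
    return sorted(rows, key=lambda r: -r[2])


def find(root: Asset, name: str) -> Optional[Asset]:
    """Look an asset up by name anywhere in the tree."""
    if root.name == name:
        return root
    for c in root.children:
        hit = find(c, name)
        if hit:
            return hit
    return None


def sample_hierarchy() -> Asset:
    """Constructed hierarchy using node names from the slide; edges and scores are assumed."""
    dc = Asset("Data Center A", "site", vulnerability=1)
    hw_a = Asset("HP DL380 Serial abc0987654321", "hardware", vulnerability=2, children=[dc])
    hw_x = Asset("HP DL380 Serial xyz1234567890", "hardware", vulnerability=2, children=[dc])
    srv1 = Asset("Server 01", "server", vulnerability=2, children=[hw_a])
    sql1 = Asset("SQL 01", "server", vulnerability=4, children=[hw_x])
    aos = Asset("Dynamics AOS", "application", children=[srv1])
    erp = Asset("ERP", "application", children=[aos])
    findb = Asset("Finance DB", "application", children=[sql1])
    finance = Asset("Finance", "process", business_impact=5, children=[erp, findb])
    # Business Process 2 from the next slide: a service bought from a vendor, e.g. cloud
    payroll = Asset("Payroll SaaS (vendor)", "cloud-service", vulnerability=3)
    hr = Asset("HR", "process", business_impact=3, children=[payroll])
    return Asset("Company", "organisation", children=[finance, hr])


if __name__ == "__main__":
    for asset, threat, risk in risk_register(sample_hierarchy()):
        print(f"{risk:3d}  {asset:32}  {threat}")
```

Running it shows why the two directions matter: "Finance DB" has no vulnerability score of its own, yet it tops the register because the weak SQL server underneath it inherits the finance process's impact of 5, and the shared data centre inherits that impact from both server chains. The vendor-delivered payroll service never gets "Unpatched software" or "Hardware failure" assessed against it; it gets the outage and lock-in threats instead, which is the slide's point that a cloud provider gives you other threats than your own operations.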

Page 26

Business Impact Assessments

Screen from SecureAware Risk TNG

Page 27

Vulnerability Assessments

Screen from SecureAware Risk TNG

Page 28

Shortcut: Probability Assessment

Page 29

In the cloud or on the ground:

• SecureAware assesses risks to your business, from own IT or from vendors – also in the cloud
• SecureAware is delivered as on-premise software or SaaS

Page 30

(Slide contains only a figure; no text extracted.)

Page 31

www.cloudsecurityalliance.org Copyright © 2012 Cloud Security Alliance

What is the CCSK?

CCSK – the Certificate of Cloud Security Knowledge
• Industry's first user certification program for secure cloud computing
• Based on CSA's body of knowledge
• Complementary to popular IT Security & Audit user accreditations and user certifications
• Suitable for a wide variety of professions that must be concerned with cloud computing
• Self study or classroom instruction
• Online, web-based examination
• www.cloudsecurityalliance.org/certifyme

Show your knowledge of the next generation of information technology!

Page 32

What is the CCSK Body of Knowledge?

Based upon two industry leading whitepapers
• Security Guidance for Critical Areas of Focus in Cloud Computing
  • Current test based upon Version 2.1 of Guidance
  • http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
  • 70% of test questions based upon this document
• ENISA's report "Cloud Computing: Benefits, Risks and Recommendations for Information Security"
  • http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
  • 20% of test questions based upon this document
• Final 10% of test questions are applied knowledge based upon both documents above
• Preparation guide available
  • https://cloudsecurityalliance.org/CCSK-prep.pdf

Page 33

Taking the CCSK Examination

CCSK – On Demand, 24 hours a day
• Online web-based examination, no appointment necessary
• 50 questions in the examination
• 60 minutes to complete the examination
• 80% correct answers required to successfully complete the test
• Two chances with a test token
• Test available at https://ccsk.cloudsecurityalliance.org/
• FAQ at https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/ccsk-faq/

Page 34

Preparing for the CCSK

CCSK Self Study
• Review body of knowledge after consulting preparation guide
  • https://cloudsecurityalliance.org/CCSK-prep.pdf
• Study with a colleague
• Form study groups in a CSA chapter
  • https://cloudsecurityalliance.org/chapters/

CCSK Classroom Instruction
• Classes offered worldwide through training partners
• CCSK Basic 1 Day course covers everything needed to pass CCSK
• CCSK Plus includes Basic plus additional 1 Day lab exercises
• Find training partners and training schedule here: https://cloudsecurityalliance.org/education/training/

Page 35

CCSK – Set yourself apart

Become an early adopter of the future of IT Security
• For cloud service providers, information security experts, IT professionals, IT audit & governance – everyone!
• Enhance your expertise with proven knowledge from the broadest best practices developed in the industry
• Differentiate your resume from the crowd
• www.cloudsecurityalliance.org/certifyme

Page 36

ISACA Member offer

Learn about cloud security & prepare for your Certificate of Cloud Security Knowledge. Neupart is a CSA training partner using CSA certified CCSK instructors.

Oslo: May 31
Copenhagen: June 20

ISACA Member Discount: kr. 500,-
Sign up before May 15 and May 31 respectively. Use code ISACA-Conf-Cph in the comment field of the sign up form at www.neupart.com

Page 37

Meet Neupart Today

PLEASE GO TO THE NEUPART SPONSOR TABLE TO PICK UP YOUR CCSK TRAINING DISCOUNT CODE OR SEE A SECUREAWARE DEMO

About Neupart:
• ISO 27001 certified company.
• IT GRC all-in-one solution enables organizations to manage their IT risks and to comply with IT security requirements - also in the Cloud!
• "The ERP of Security"
• Get SecureAware demo or free trial: www.neupart.com