neupart isaca april 2012
DESCRIPTION
I gave a presentation about recent cloud security developments and how to risk assess a cloud provider at the ISACA Scandinavian Conference yesterday. Thanks to Cloud Security Alliance for a lot of input.
TRANSCRIPT
Recent Cloud Security Developments
By Lars Neupart, founder of Neupart – The ERP of Security
Program
• Security Guidance: the new Security Guidance for Critical Areas of Focus in Cloud Computing
• GRC Stack: the GRC Stack from Cloud Security Alliance - what it is, and how you can benefit from it
• Cloud Vendor Risk Assessments: how to perform cloud vendor assessments
• CCSK: an individual certification, the Certificate of Cloud Security Knowledge
CSA Security Guidance
• CSA = Cloud Security Alliance
• Version 3 has been released
• Provides practical direction for adopting the cloud paradigm safely and securely
• Extends with use cases
• 14 domains emphasize security, stability, and privacy, ensuring corporate privacy in a multi-tenant environment
CSA Guidance
• Section I: Cloud Architecture
• Section II: Governing in the Cloud
• Section III: Operating in the Cloud
Section I. Cloud Architecture
• Domain 1: Cloud Computing Architectural Framework
S-P-I Framework
(Figure: the three service models stacked - IaaS: Infrastructure as a Service, PaaS: Platform as a Service, SaaS: Software as a Service - with the labels "You build security in" and "You 'RFP' security in" marking the two ends of the stack.)
Section II. Governing in the Cloud
• Domain 2: Governance and Enterprise Risk Management
• Domain 3: Legal Issues: Contracts and Electronic Discovery
• Domain 4: Compliance and Audit Management
• Domain 5: Information Management and Data Security
• Domain 6: Interoperability and Portability
Section III. Operating in the Cloud
• Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
• Domain 8: Data Center Operations
• Domain 9: Incident Response
• Domain 10: Application Security
• Domain 11: Encryption and Key Management
• Domain 12: Identity, Entitlement, and Access Management
• Domain 13: Virtualization
• Domain 14: Security as a Service
CSA Guidance: Risk Based
• CSA Guidance recommends a risk-based approach to control selection
• It also offers a simple model
• Visit the V.3 website at: https://cloudsecurityalliance.org/research/security-guidance/
ISO 27017
• Guidelines on information security controls for the use of cloud computing services, based on ISO/IEC 27002
• Draft
GRC Stack from CSA
• Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to the necessary supporting data
• The shift to compute as a service presents new challenges across the spectrum of GRC requirements
• Its purpose: to instrument and assess both private and public clouds against industry-established best practices, standards and critical compliance requirements
• A toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders
• A look into the CSA Cloud Controls Matrix (CCM)
• https://cloudsecurityalliance.org/research/grc-stack/
Cloud Vendor Risk Assessments – how to do it
Classic Risk Assessments
• Business impact values are inherited downward
• Vulnerability values are inherited upward
(Figure: Finance asset hierarchy. Nodes shown: Finance DB, ERP, SQL 01, Dynamics AOS, Server 01 (HP DL380, serial xyz1234567890), Server 02 (HP DL380, serial abc0987654321), and Data Center A.)
Business Processes & IT Services
(Figure: Business Process 1 depends on IT services run on premise; Business Process 2 depends on IT services from a vendor, e.g. cloud. Business impact scores inherit downwards, vulnerability scores inherit upwards, under a GRC umbrella.)
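The two inheritance rules on this slide, worked through in code. This is an added example, not from the presentation or from SecureAware; the hierarchy, the 1..5 scores and the risk = impact x vulnerability product are all constructed assumptions.

```python
"""Classic risk assessment over an asset hierarchy: business impact inherits
downward, vulnerability inherits upward, and risk is ranked per asset."""

# Constructed sample hierarchy, loosely modelled on the Finance example in the
# slides: asset -> the assets it directly supports (its parents).
SUPPORTS = {
    "Data Center A": ["Server 01", "Server 02"],
    "Server 01": ["SQL 01"],
    "Server 02": ["Dynamics AOS"],
    "SQL 01": ["Finance DB"],
    "Dynamics AOS": ["ERP"],
    "Finance DB": ["Business Process 1"],
    "ERP": ["Business Process 1"],
    "Cloud Payroll (vendor)": ["Business Process 2"],  # IT service from a cloud vendor
    "Business Process 1": [],
    "Business Process 2": [],
}

# Scores on an assumed 1..5 scale. Impact is assessed only at the top, on the
# business processes; vulnerability only where it is observed: own servers and
# the vendor service (its score would come from a cloud vendor assessment).
DIRECT_IMPACT = {"Business Process 1": 5, "Business Process 2": 3}
DIRECT_VULN = {"Server 01": 2, "Server 02": 4, "Data Center A": 1,
               "Cloud Payroll (vendor)": 3}


def impact(asset):
    """Inherits downward: an asset is as critical as the most critical
    business process it transitively supports."""
    own = DIRECT_IMPACT.get(asset, 0)
    return max([own] + [impact(parent) for parent in SUPPORTS[asset]])


def children(asset):
    return [c for c, parents in SUPPORTS.items() if asset in parents]


def vulnerability(asset):
    """Inherits upward: a service is as exposed as the weakest asset it
    depends on, so a weak server or vendor taints every process above it."""
    own = DIRECT_VULN.get(asset, 0)
    return max([own] + [vulnerability(child) for child in children(asset)])


def risk_ranking():
    """Risk = impact x vulnerability (assumed simple product), highest first."""
    rows = [(a, impact(a), vulnerability(a), impact(a) * vulnerability(a))
            for a in SUPPORTS]
    return sorted(rows, key=lambda r: (-r[3], r[0]))
```

With these inputs the weak Server 02 drags ERP and Business Process 1 to the top of the ranking, while the vendor-hosted service inherits the impact of the process it serves without needing any server-level scores of its own.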
The good news:
• You can use well-known risk management best practices (e.g. ISO 27001 & ISO 27005) also when assessing cloud applications
• ... with a few notable differences
Difference #1: CAI
• The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments
• Industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency
• Part of the GRC Stack
Link
• https://cloudsecurityalliance.org/research/cai/
Difference #2: STAR
• CSA Security, Trust & Assurance Registry (STAR)
• Free, publicly accessible registry that documents the security controls provided by various cloud computing offerings
• Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices: the CAIQ or the CCM
STAR Links
• Visit the CSA STAR website at: https://cloudsecurityalliance.org/star/
• CSA STAR FAQ: https://cloudsecurityalliance.org/star/faq/
• Ask STAR-related questions at the CSA STAR Support Forum: http://www.linkedin.com/groups?home=&gid=4066598
• Watch the STAR briefing online: https://cloudsecurityalliance.org/education/online-learning/star-registry-briefing
ISO 27005 = Threat-Based Risk Management
Example Threat Catalogue (screen from SecureAware Risk TNG)
Not all assets burn
• Recommendation: the threats you'll be assessing should depend on the type of asset
• Using cloud service providers exposes you to other threats than running your own IT operations
Business Impact Assessments (screen from SecureAware Risk TNG)
Vulnerability Assessments (screen from SecureAware Risk TNG)
Shortcut: Probability Assessment
In the cloud or on the ground:
• SecureAware assesses risks to your business, from your own IT or from vendors – also in the cloud
• SecureAware is delivered as on-premise software or SaaS
www.cloudsecurityalliance.org Copyright © 2012 Cloud Security Alliance
What is the CCSK?
CCSK – the Certificate of Cloud Security Knowledge
• Industry's first user certification program for secure cloud computing
• Based on CSA's body of knowledge
• Complementary to popular IT security & audit user accreditations and user certifications
• Suitable for a wide variety of professions that must be concerned with cloud computing
• Self study or classroom instruction
• Online, web-based examination
• www.cloudsecurityalliance.org/certifyme
Show your knowledge of the next generation of information technology!
What is the CCSK Body of Knowledge?
Based upon two industry-leading whitepapers
• Security Guidance for Critical Areas of Focus in Cloud Computing
  • Current test based upon Version 2.1 of the Guidance
  • http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
  • 70% of test questions based upon this document
• ENISA's report "Cloud Computing: Benefits, Risks and Recommendations for Information Security"
  • http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
  • 20% of test questions based upon this document
• Final 10% of test questions are applied knowledge based upon both documents above
• Preparation guide available
  • https://cloudsecurityalliance.org/CCSK-prep.pdf
Taking the CCSK Examination
CCSK – On Demand, 24 hours a day
• Online web-based examination, no appointment necessary
• 50 questions in the examination
• 60 minutes to complete the examination
• 80% correct answers required to successfully complete the test
• Two chances with a test token
• Test available at https://ccsk.cloudsecurityalliance.org/
• FAQ at https://cloudsecurityalliance.org/education/certificate-of-cloud-security-knowledge/ccsk-faq/
Preparing for the CCSK
CCSK Self Study
• Review the body of knowledge after consulting the preparation guide
  • https://cloudsecurityalliance.org/CCSK-prep.pdf
• Study with a colleague
• Form study groups in a CSA chapter
  • https://cloudsecurityalliance.org/chapters/
CCSK Classroom Instruction
• Classes offered worldwide through training partners
• CCSK Basic 1-day course covers everything needed to pass the CCSK
• CCSK Plus includes Basic plus an additional 1-day lab exercise
• Find training partners and the training schedule here: https://cloudsecurityalliance.org/education/training/
CCSK – Set yourself apart
Become an early adopter of the future of IT security
• For cloud service providers, information security experts, IT professionals, IT audit & governance – everyone!
• Enhance your expertise with proven knowledge from the broadest best practices developed in the industry
• Differentiate your resume from the crowd
• www.cloudsecurityalliance.org/certifyme
ISACA Member Offer
Learn about cloud security & prepare for your Certificate of Cloud Security Knowledge. Neupart is a CSA training partner using CSA-certified CCSK instructors.
• Oslo, May 31
• Copenhagen, June 20
ISACA member discount: kr. 500,-. Sign up before May 15 and May 31 respectively. Use code ISACA-Conf-Cph in the comment field of the sign-up form at www.neupart.com
Meet Neupart Today
PLEASE GO TO THE NEUPART SPONSOR TABLE TO PICK UP YOUR CCSK TRAINING DISCOUNT CODE OR SEE A SECUREAWARE DEMO
About Neupart:
• ISO 27001 certified company
• IT GRC all-in-one solution enables organizations to manage their IT risks and to comply with IT security requirements - also in the cloud!
• "The ERP of Security"
• Get a SecureAware demo or free trial: www.neupart.com