NIST Cloud Computing Forum and Workshop VIII
Leveraging the potential of Cloud security SLAs
Dr. Jesus Luna Garcia
Cloud Security Alliance (Europe)
NIST Cloud Computing Forum and Workshop VIII, July 2015
Agenda
• Cloud Security SLAs (secSLAs)
• Good-enough security through secSLAs
• SecSLA automation
• Summary
How do you choose a Cloud Service Provider (CSP)?
Service-related:
• Performance
• Price
• Reputation
What about security (and privacy)?
Cloud Service Level Agreements
• A cloud SLA is a documented agreement between the cloud service provider (CSP) and cloud service customer that identifies services and associated quality levels (i.e., cloud service level objectives or SLOs).
• Security specification in cloud SLAs (secSLAs) aims to provide useful/measurable (security) information to Customers.
• Despite their advocated advantages, most cloud SLAs/secSLAs are offered on a “take it or leave it” basis.
• How can Cloud customers benefit from Cloud secSLAs?
Good-enough Cloud security through secSLAs
“[…] everything should be made as secure as necessary, but not securer.” (Sandhu, 2003)
• Realizing adequate levels of IT security is typically related to risk management activities.
• Preliminary research based on Cloud-Adapted Risk Management Framework (CRMF, draft NIST SP 800-173).
[Figure: secSLA-based risk management process. Steps: 1 – Impact analysis; 2 – Elicit security requirements; 3 – Select Cloud architecture; 4 – Assess available CSPs; 5 – Select CSP and negotiate secSLA; 6 – Monitor CSP and own controls. Annotations: “Baseline & tailored SLOs”, “CSP-specific and own SLOs”, “SecSLA agreed”, “Cloud secSLA”.]
Risk Assessment
Step 1 – Impact analysis.
Step 2 – Risk assessment.
Risk Treatment
Step 3 – Select the Cloud architecture.
Step 4 – Assess CSP options. Negotiate additional security controls with the CSP. Identify security controls under the consumer’s responsibility.
Risk Control
Step 5 – Select CSP. Draft an SLA.
Step 6 – Monitor the CSP (secSLA) and customer-side controls.
Interested in this topic?
“Leveraging the Potential of Cloud Security Service Level Agreements through Standards”
Jesus Luna, Neeraj Suri, Michaela Iorga, Anil Karmel
IEEE Cloud Computing, 2015
Automating good-enough Cloud secSLAs
(putting all the secSLA pieces together)
European Project SPECS
CeRICT, Italy (coordinator)
TUD, Germany
IeAT, Romania
CSA, United Kingdom
XLAB, Slovenia
EISI, Ireland
FP7-ICT-10-610795
Project Start: 1/11/2013
Project Type: STREP
Duration: 30 Months
SPECS SecaaS based on secSLAs
Provisions security services to Customers
Manages the secSLA life cycle (negotiation, monitoring and enforcement)
Ongoing integration into products like EMC’s ViPR.
Leveraging and contributing to standards
Machine-readable (XML) secSLA specification
It’s showtime!
SPECS Demo
Summary: Are we there yet?
• Standards (vocabularies, metrics, …) and best practices (making Cloud SLAs usable for SMEs).
• ISO/IEC 19086 Parts 1-4
• Cloud secSLAs in supply chains/multi-cloud systems.
• Certifications or SLAs or both?
Questions?
• Give us your opinion about secSLAs: https://www.surveymonkey.com/r/SPECS_SLA
• Help us secure Cloud computing:
– http://www.cloudsecurityalliance.org
– [email protected]
– SPECS: http://www.specs-project.eu/
(Some) Cloud barriers
• The lack of transparency of some CSPs or brokers
• Lack of clarity in contracts
• Cloud security not easy to understand for SMEs