TRANSCRIPT (slides from docbox.etsi.org/Workshop/2012/201201_SECURITYWORKSHOP/3...)
Using the CSA Control Matrix and ISO 27017 controls to facilitate regulatory compliance in the cloud
Marlin Pohlman Ph.D., CISA, CISM, CGEIT, CISSP, PE, HITRUST CSV
Co-Chair: CSA CCM, CSA CAIQ, CSA Cloud Audit
Co-Editor: ISO 27017 & ITU-T FG Cloud X.srfctse
Co-Chair/Founder, CSA GRC Stack
Chief Governance Officer, EMC CTO Office
www.cloudsecurityalliance.org
Copyright © 2010 Cloud Security Alliance
Cloud adds the concept of Supply Chain
Harmony in Specialization: each member does what they do best
Chains are only as strong as the weakest link
GRC ensures the integrity of the chain
CSA GRC Stack
Family of 4 research projects:
• Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative Questionnaire (CAIQ)
• Cloud Trust Protocol (CTP)
• Cloud Audit
Tools for governance, risk and compliance management.
Enabling automation and continuous monitoring of GRC.
Cloud Controls Matrix (CCM)
What is the CCM?
• First ever baseline control framework specifically designed for managing risk in the Cloud Supply Chain:
– Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
– Providing an anchor point and common language for balanced measurement of security and compliance postures.
– Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.
• Serves as the basis for new industry standards and certifications.
CCM – 11 Domains
CCM – 98 Controls (control listing, continued over slides 8–11)
A Unified Compliance Approach
Bridging Regulatory Governance And Practical Compliance
Consensus Assessments Initiative Questionnaire (CAIQ)
What is the CAIQ?
• Cloud Supply Chain risk management and due diligence questionnaire (148 questions)
– Enables 1 or more Cloud service providers to demonstrate compliance with the CSA CCM.
– Forms the basis for establishing Cloud specific Service Level Objectives that can be incorporated into supplier agreements.
• AICPA SSAE 16 SOC 2 Normative Qualification Questionnaire.
CloudAudit Protocol
• Provides an open, extensible and secure interface for automation of Audit, Assertion, Assessment, and Assurance (A6) of cloud computing environments.
• A structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
– Defines a namespace that can support diverse frameworks.
– Expressed in namespace – CSA CCM, ISO/IEC 27001, COBIT, HIPAA, NIST SP 800-53, PCI DSS.
– Defines the mechanisms for requesting and responding to queries relating to specific controls.
– Integrates with portals and AAA systems.
Sample Implementation – CSA Compliance Pack
CloudAudit – How it Works
CloudAudit – Manifest.xml Example
DMTF – CADF (Cloud Audit Data Federation) Resource Model
Diagram: resource taxonomy drawn as is-a relationships. Top-level resource types are Compute, Network, Storage, Data and Service, with a separate Initiator taxonomy. Example instances shown include NetworkNode, Router, ProcessingNode, Machine, Repository, ConfigurationRepository, User, PrivilegedUser, Application, Workload, CRMService and BSSService.
Node – Description
Network – Represents the logical resources that interconnect computer systems, terminals, and other equipment allowing information to be exchanged (general, compiled definition). A realized entity that is capable of providing Network Addresses, routing rules, mapping tables, and network access limits (as defined by CMWG).
Compute – Represents the logical resources that are used to perform logical operations or calculations on data.
Storage – Represents the logical constructs that represent storage containers.
Service – Represents the logical sets of functions, packaged into a single entity, that provide access to and add value to cloud resources.
Data – Represents the logical named sets of information that are referenced and managed by services.
Initiator – Separate taxonomy. Classifies the initiators (human or non-human entities) of event actions.
Elements of Transparency in the CTP
6 TYPES: Initiation; Policy introduction; Evidence requests; Provider assertions; Provider notifications; Client extensions
FAMILIES (of evidence requests): Configuration; Vulnerabilities; Anchoring (geographic, platform, process); Audit log; Service management; Service statistics
ELEMENTS: only 23 in the entire protocol
CloudTrust Protocol Orientation
CloudTrust Protocol Pathways – Mapping the Elements of Transparency in Deployment
Pathway columns: Admin & Ops | Specs | Transparency Requests | Extensions, answered by Assertions | Evidence | Affirmations
Elements of transparency by number:
– Session start: 1; Session end: 2
– Configuration & vulnerabilities: 3, 4, 5, 6, 7
– Anchoring (geographic, platform, process): 8, 9, 10
– Violation: 11; Audit: 12; Access: 13; Incident log: 14; Config/control: 15; Stats: 16
– Security capabilities and operations: 17
– Alerts: 18; Users: 19
– Configuration definition: 20
– Anchors: 21; Quotas: 22; Alert conditions: 23
– Consumer/provider negotiated: 24
Related mechanisms: CloudAudit.org, SCAP, Sign / sealing
CloudTrust Protocol Orientation
CloudTrust Protocol V2.0 Syntax
• Based on XML
• Traditional RESTful web service over HTTP
CloudTrust Protocol Orientation
Multiple Styles of Implementation – The CTP is machine and human readable
Diagram: two deployment styles between Cloud Provider and Cloud Consumer, each built on RESTful web services. OUT-OF-BAND: the CloudTrust Protocol service runs as a separate service alongside the cloud service. IN-BAND: the CloudTrust Protocol service is part of the cloud provider's own service. In both styles, trust and evidence (elements of transparency) are exchanged between provider and consumer.
Legal and Electronic Discovery
The highest risks of conducting e-discovery in the cloud are:
• The loss/alteration of data and associated metadata
• The potential violation of international data privacy laws by illegally disclosing data in the jurisdiction in which the cloud is located
• The unintentional waiver of the attorney-client privilege by co-mingling data or disclosing attorney-client communications to third parties
• The failure to properly and timely implement and monitor litigation holds
Companies can manage the risk of altering metadata and the risk of violating international data privacy laws by insisting that the service agreement with their cloud provider:
• Require that none of the company's data may be stored outside the United States
• Provide a detailed mechanism for how the cloud will implement litigation holds
• Address how metadata will be created and stored in the cloud environment
Obligatory Predicates & SLA Supply Chain
OBLIGATION: The requirement to do what is imposed by law, promise, or contract; a duty. In its general and most extensive sense, obligation is synonymous with duty. In a more technical meaning, it is a tie which binds us to pay or to do something agreeably to the laws and customs of the country in which the obligation is made. The term obligation also signifies the instrument or writing by which the contract is witnessed. And in another sense, an obligation still subsists, although the civil obligation is said to be a bond containing a penalty.
Obligatory Predicates can also address jurisdictional issues in the cloud
<?xml version="1.0"?>
<!DOCTYPE rdf:RDF [ <!ENTITY xsd "http://www.w3.org/2001/XMLSchema#"> ]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
  <!-- value: the worth of an Asset, as an integer -->
  <rdf:Property rdf:ID="value">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="&xsd;integer"/>
  </rdf:Property>
  <!-- depends / contains: structural links from one Asset to another -->
  <rdf:Property rdf:ID="depends">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Asset"/>
  </rdf:Property>
  <rdf:Property rdf:ID="contains">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Asset"/>
  </rdf:Property>
  <!-- subjecttoObligation: the obligatory predicate binding an Asset to an Obligation -->
  <rdf:Property rdf:ID="subjecttoObligation">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Obligation"/>
  </rdf:Property>
  <!-- Predicate / Constraint: what is asserted about the Asset and the Value bounding it -->
  <rdf:Property rdf:ID="Predicate">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Resource"/>
  </rdf:Property>
  <rdf:Property rdf:ID="Constraint">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#Value"/>
  </rdf:Property>
  <!-- supportUsage: the case law that supports applying the obligation -->
  <rdf:Property rdf:ID="supportUsage">
    <rdfs:domain rdf:resource="#Asset"/>
    <rdfs:range rdf:resource="#CaseLaw"/>
  </rdf:Property>
</rdf:RDF>
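An added example, not from the slides, that puts the predicates above to work: a small evaluator that checks each reference against its rdfs:range, propagates an obligation along contains/depends links, and reports assets stored outside the jurisdiction an obligation permits (the kind of "no data outside the United States" clause the e-discovery slide describes). The asset graph, the location field and the country-code constraint are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Obligation:
    ident: str
    constraint: str     # rdfs:range "Value": here the only permitted storage jurisdiction (assumed)
    support_usage: str  # rdfs:range "CaseLaw": a label only, not a real citation

@dataclass
class Asset:
    ident: str
    value: int                                           # "value", rdfs:range xsd:integer
    location: str                                        # jurisdiction the asset is stored in (constructed)
    depends: List[str] = field(default_factory=list)     # "depends"  -> Asset ids
    contains: List[str] = field(default_factory=list)    # "contains" -> Asset ids
    subject_to: List[str] = field(default_factory=list)  # "subjecttoObligation" -> Obligation ids

def validate(assets: Dict[str, Asset], obligations: Dict[str, Obligation]) -> List[str]:
    """rdfs:range check: contains/depends must name Assets, subjecttoObligation an Obligation."""
    errors = []
    for a in assets.values():
        for ref in a.contains + a.depends:
            if ref not in assets:
                errors.append(f"{a.ident}: '{ref}' is not an Asset")
        for ref in a.subject_to:
            if ref not in obligations:
                errors.append(f"{a.ident}: '{ref}' is not an Obligation")
    return errors

def propagate(assets: Dict[str, Asset]) -> Dict[str, Set[str]]:
    """An obligation on an asset also binds what it contains and what it depends on (fixed point)."""
    eff = {k: set(a.subject_to) for k, a in assets.items()}
    changed = True
    while changed:
        changed = False
        for a in assets.values():
            for child in a.contains + a.depends:
                if not eff[a.ident] <= eff[child]:
                    eff[child] |= eff[a.ident]
                    changed = True
    return eff

def violations(assets: Dict[str, Asset], obligations: Dict[str, Obligation]) -> List[Tuple[str, str]]:
    """(asset, obligation) pairs where the asset sits outside the permitted jurisdiction."""
    eff = propagate(assets)
    return sorted((a, o) for a, obs in eff.items() for o in obs
                  if assets[a].location != obligations[o].constraint)

# Constructed sample: a US-only obligation on a CRM service whose database
# is backed up to a repository a supplier placed in Ireland.
OBLIGATIONS = {"US-residency": Obligation("US-residency", "US", "service-agreement-clause")}
ASSETS = {
    "crm-service": Asset("crm-service", 500, "US", depends=["crm-db"], subject_to=["US-residency"]),
    "crm-db": Asset("crm-db", 300, "US", contains=["crm-backup"]),
    "crm-backup": Asset("crm-backup", 300, "IE"),
    "public-site": Asset("public-site", 10, "IE"),
}

if __name__ == "__main__":
    print(validate(ASSETS, OBLIGATIONS), violations(ASSETS, OBLIGATIONS))
```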
ISO 27017 Coordinated Editorial Activity
Diagram of the coordinated documents: ISO 27017 control standard; ITU-T X.srfctse standard (ITU-T FG / SG17), "Security requirements and framework of cloud based telecommunication service environment"; ITU-T FG SG17 Cloud-I-0465 requirement document; FedRAMP 2012 controls.
ISO 27017 Work In Progress
ISO 27017 Example: Obligatory Predicates
• CSA Control Matrix RS-08
• ISO 27017: 11.7.2
• ITU-T FG SG17 Cloud-I-0465 Requirement Document, Req 8.12
Topic: Agreements on information transfer and forensic traceability
ISO 27017 Example: Virtualization Security
• CSA Control Matrix IS-34
• FedRAMP SC-30
• X.srfctse (Security requirements and framework of cloud based telecommunication service environment) 7.1 Security Vulnerabilities in Virtualization
• ISO 27017 A.13.6.4 Secure Virtual Machine
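The CloudAudit namespace query described on the CloudAudit Protocol slide, worked through with the control equivalences from the two ISO 27017 example slides: a query expressed in any supported framework's namespace resolves to the CCM anchor control, and the provider's assertion is returned together with a hash check of each evidence document. This is an added example, not CSA or CloudAudit code; the path layout (authority/framework/control id), the evidence documents and the assertion text are assumptions made for illustration.

```python
import hashlib
from typing import Dict, Optional

# Assumed namespace layout: "<reverse-dns authority>/<framework>/<control id>".
# The equivalences are the ones shown on the ISO 27017 example slides.
CROSSWALK = {
    "org/iso/27017/11.7.2":      "org/cloudsecurityalliance/ccm/RS-08",
    "int/itu/cloud-i-0465/8.12": "org/cloudsecurityalliance/ccm/RS-08",
    "gov/fedramp/2012/SC-30":    "org/cloudsecurityalliance/ccm/IS-34",
    "org/iso/27017/A.13.6.4":    "org/cloudsecurityalliance/ccm/IS-34",
    "int/itu/x.srfctse/7.1":     "org/cloudsecurityalliance/ccm/IS-34",
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed evidence documents; in a deployment these would be files
# fetched from the provider's CloudAudit tree.
EVIDENCE = {
    "vm-isolation-policy.txt": b"VM isolation policy v3 (constructed sample)",
    "hypervisor-config.txt": b"hypervisor hardening baseline (constructed sample)",
    "transfer-agreement.txt": b"information transfer agreement (constructed sample)",
}

# Provider-side manifest per control directory: assertion text plus the
# digest of every supporting document (constructed, not a real manifest.xml).
MANIFEST = {
    "org/cloudsecurityalliance/ccm/IS-34": {
        "assertion": "Tenant VMs are isolated on a hardened hypervisor",
        "evidence": {k: digest(EVIDENCE[k]) for k in ("vm-isolation-policy.txt", "hypervisor-config.txt")},
    },
    "org/cloudsecurityalliance/ccm/RS-08": {
        "assertion": "Cross-border information transfers are covered by a written agreement",
        "evidence": {"transfer-agreement.txt": digest(EVIDENCE["transfer-agreement.txt"])},
    },
}

def canonical(path: str) -> str:
    """Resolve a query in any supported framework namespace to its CCM anchor."""
    return CROSSWALK.get(path, path)

def query(path: str, manifest=MANIFEST, store=EVIDENCE) -> Optional[Dict]:
    """Answer a control query: the assertion plus per-document integrity status."""
    entry = manifest.get(canonical(path))
    if entry is None:
        return None
    status = {}
    for name, expected in entry["evidence"].items():
        blob = store.get(name)
        status[name] = blob is not None and digest(blob) == expected
    return {"anchor": canonical(path), "assertion": entry["assertion"],
            "evidence_ok": status, "complete": all(status.values())}

if __name__ == "__main__":
    print(query("gov/fedramp/2012/SC-30"))
```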
27017 Appendix B: Minimum Baseline
SECURITY CONTROL SELECTION
Organizations (CSU, CSP IaaS, PaaS, SaaS) must meet the minimum security requirements in this standard by selecting the appropriate security controls and assurance requirements.
Thank you for your Time and Attention
Questions?
Marlin Pohlman
+1.503.662.2245