THE GRC STACK (V2.0)
Understanding and applying the CSA GRC stack for payoffs and protection
A learning workshop from the CSA
CSA Organization & Operation: Where does the GRC Stack fit in?
(Organization chart; recoverable structure only)
• Board; Steering Committee; Executive Director
• Membership: Individual, Corporate, Affiliate; Chapters
• Working Groups; Research Director: Research, Education
• Deliverables: CCSK; Security Guidance for Critical Areas of Cloud Computing; GRC Stack (CCM, CAIQ, CloudAudit, CTP); PCI; CSA Security, Trust, & Assurance Registry (STAR); Trusted Cloud Initiative; special competencies …
• “We are here today”: the GRC Stack (Cloud Controls Matrix, Consensus Assessments Initiative Questionnaire, CloudAudit, CloudTrust Protocol)
SESSION 1 // Why a cloud GRC stack? The GRC stack value equation
The “big rocks” of cloud security, trust, and control: take care of the big rocks first …
Key Cloud Security Problems (from CSA Top Threats Research)
• Trust: lack of provider transparency, which impacts governance, risk management, compliance, and the capture of real value
• Data: leakage, loss, or storage in unfriendly geography
• Insecure cloud software
• Malicious use of cloud services
• Account/service hijacking
• Malicious insiders
• Cloud-specific attacks
Cloud Adoption Obstacles: planning often neglects Information Risk Management
Transition & Transformation (traditional)
• Enterprise strategy
• Business function (workload) adaptation to cloud delivery
• Technical architecture: network connections, application standards, interoperability
• “Buying time” for current compliance programs
• …
Concept of Operations (neglected but necessary)
• IT and IT risk governance: traditional sourcing? cloud? private, community, public, hybrid? traditional + cloud? how measured?
• Security policy: uniform across all delivery methods? cloud adjusted? private, community, public, hybrid?
• Risk/compliance management standards/benchmarks: cloud adjusted? private, community, public, hybrid?
The Value Equation in the Cloud
Security Service + Transparency Service = Compliance & Trust VALUE Captured
• delivering evidence-based confidence …
• with compliance-supporting data & artifacts …
• using the best virtualization and cloud technologies …
• within quality processes …
• operated by trained and certified staff and partners …
The Roots of the Value Equation in the Cloud: Impact
• The “rebound effect” between security & interoperability
• Information risk management transition & transformation planning: policy; governance; compliance & risk management thresholds; business model
• Downstream application of reclaimed transparency
The GRC Stack: Solving the Value Equation in the Cloud
(Diagram) The GRC Stack connects Needs and Claims with Evidence and Assurance: Security Requirements and Capabilities; Security Transparency and Visibility; Compliance and Trust; Payoffs and Protection. VALUE Captured (Payoffs): delivering evidence-based confidence … with compliance-supporting data & artifacts.
SESSION 2 // GRC Stack Overview “The Stack Packs”
The CSA GRC Stack
• A suite of four integrated and reinforcing CSA initiatives (the “stack packages”)
• The Stack Packs: Cloud Controls Matrix; Consensus Assessments Initiative; CloudAudit; CloudTrust Protocol
• Designed to support cloud consumers and cloud providers
• Prepared to capture value from the cloud as well as support compliance and control within the cloud
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
CSA GRC Value Equation Contributions for Consumers and Providers
• Individually useful
• Collectively powerful
• Productive way to reclaim end-to-end information risk management capability
Questions the stack answers, ranging from static claims & assurances to dynamic (continuous) monitoring and transparency:
• What control requirements should I have as a cloud consumer or cloud provider?
• How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
• How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
• How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?
A Headstart for Control and Compliance: forged by the global marketplace; ready for all
(Chart; legend: Professional / In place / Offered) Deliver “continuous monitoring” required by A&A methodologies; SSAE SOC2 control assessment criteria
CSA Guidance Research
• Popular best practices for securing cloud computing
• 13 domains of concern, in governing & operating groupings
Cloud Architecture
Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
Operating in the Cloud: Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
Guidance > 100k downloads: cloudsecurityalliance.org/guidance
CSA Guidance Research (revisited): the same 13 domains, with Transparency proposed as a 14th domain
Cloud Architecture; Transparency (14?)
Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
Operating in the Cloud: Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
Accepting the GRC Value Solution … Reference Model Readiness? Enough?
(Diagram) Source: NIST SP500-291-v1.0, p. 42, Figure 12
“Just not enough, baby …” (Barry White, “Can’t Get Enough of Your Love, Babe”) Now it’s enough, with Transparency added.
(Diagram) Source: NIST SP500-291-v1.0, p. 42, Figure 12
SESSION 3 // Component Descriptions
Cloud Controls Matrix (CCM)
Leadership Team: Becky Swain (EKKO Consulting); Philip Agcaoili (Cox Communications); Marlin Pohlman (EMC, RSA); Kip Boyle (CSA)
Versions: v1.0 (Apr 2010), v1.1 (Dec 2010), v1.2 (Aug 2011), v2.0 (2012)
Controls baselined and mapped to: COBIT; BITS Shared Assessments; HIPAA/HITECH Act; Jericho Forum; ISO/IEC 27001-2005; NERC CIP; NIST SP800-53; FedRAMP; PCI DSS v2.0
What is the CCM?
• First-ever baseline control framework specifically designed for managing risk in the cloud supply chain:
• Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership
• Providing an anchor point and common language for balanced measurement of security and compliance postures
• Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards
• Serves as the basis for new industry standards and certifications
CCM v1.1 Industry Participation: this grassroots movement continues to grow, with over 100 volunteer industry experts in the recent release of v1.2!
Cloud Supply Chain – Information Security Risks
You can outsource a business capability or function, but you cannot outsource accountability for information security. Do your due diligence to identify and address:
• Control gaps (shared control): information security (access controls, vulnerability & patch management); security architecture; data governance (lifecycle management); release management (change control); facility security
• Control dependencies: corporate governance; incident response; resiliency (BCM & DR); risk & compliance management
Consensus Assessment Initiative
• A cloud supply chain risk management and due diligence questionnaire
• ~200 yes/no questions that map directly to the CCM and thus, in turn, to many industry standards
• Can be used by CSPs for self-assessment or by potential customers to identify the presence of security controls and practices for cloud offerings, for procurement negotiation, for contract inclusion, and to quantify SLAs
• For potential customers, the CAIQ is intended to be part of an initial assessment, followed by further clarifying questions to the provider as applicable to their particular needs
• v1.1 available as of Sept 2011; v1.2 underway to map to CCM v1.2
CAIQ Guiding Principles
The following are the principles that the working group used as guidance when developing the CAIQ:
• The questionnaire is organized using the 13 CSA governing & operating domains, divided into “control areas” within CSA’s Control Matrix structure
• Questions are to assist both cloud providers, in general principles of cloud security, and clients, in vetting cloud providers on the security of their offering and company security profile
• The CAIQ is not intended to duplicate or replace existing industry security assessments but to contain questions unique or critical to the cloud computing model in each control area
• Each question should be answerable yes or no; if a question could not be answered yes or no, it was separated into two or more questions to allow yes or no answers
• Questions are intended to foster further detailed questions to the provider by the client, specific to the client’s cloud security needs. This limits the number of questions to keep the assessment feasible, since each client may have unique follow-on questions or may not be concerned with all “follow-on questions”
CAIQ Questionnaire
• Control Group, Control Group ID (CGID) and Control Identifier (CID) all map the CAIQ question being asked directly to the CCM control that is being addressed
• Relevant compliance and standards are mapped line by line to the CAIQ, which, in turn, also maps to the CCM. The CAIQ v1.1 maps to the following compliance areas: HIPAA, ISO 27001, COBIT, SP800-53, FedRAMP, PCI DSS, BITS and GAPP. v1.2 will additionally include mappings to Jericho Forum and NERC CIP
• Each question can be answered by a provider with a yes or no answer
CloudAudit Objectives
• Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
• Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology
What CloudAudit Does
• Provide a structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools
• Define a namespace that can support diverse frameworks
• Express compliance frameworks in that namespace
• Define the mechanisms for requesting and responding to queries relating to specific controls
• Integrate with portals and AAA systems
How CloudAudit Works
• Utilize security automation capabilities with existing tools/protocols/frameworks via a standard, open and extensible set of interfaces
• Keep it simple, lightweight and easy to implement; offer primitive definitions & language structure using HTTP(S) first, at a very basic level
• Allow for extension and elaboration by providers, and choice of trusted assertion validation sources, checklist definitions, etc.
Context for CloudAudit
• CloudAudit is not designed to validate or attest “compliance”
• It automates collection and presentation of data supporting queries, using a common set of namespaces aligned to the CSA Cloud Controls Matrix
• Artifacts are accessible by a human operating a web browser or by a tool capable of using CloudAudit over HTTP(S)
• The consumers of this information are internal & external auditors, compliance teams, risk managers, security teams, etc., and in the longer term, brokers
Aligned to CSA Control Matrix
• Officially folded CloudAudit under the Cloud Security Alliance in October 2010
• First efforts aligned to compliance frameworks as established by the CSA Control Matrix: PCI DSS; NIST 800-53; HIPAA; COBIT; ISO 27002
• Incorporate CSA’s CAI and additional CompliancePacks
• Expand alignment to “infrastructure”- and “operations”-centric views also
What Was Delivered in v1.0
• The first release of CloudAudit provides the scoped capability for providers to store evidentiary data in well-defined namespaces aligned to the 5 CSA Control Matrix mappings (PCI, HIPAA, NIST 800-53, ISO 27002, COBIT)*
• The data in these namespaces is arbitrary and can be named and file-typed as such, so we need a way of dealing with what can be one to hundreds of supporting files, the contents of some of which are actually URIs to other locations
* Update: v1.1 packaging available to include CSA CCM updates
Current Discussions*
• Stack providers with whom we have discussed CloudAudit: VMware, Citrix, Microsoft, OpenStack
• Cloud service providers with whom we have discussed CloudAudit: AWS, Google, Microsoft, Terremark, Savvis, Rackspace
• Tool (GRC) solution providers with whom we are discussing CloudAudit implementation: Agiliance, RSA
• Audit/standards associations with whom we are discussing CloudAudit: ISACA, ODCA, BITS, ISO, Open Group, DMTF, IETF
* NOTE: Discussions do not imply commitment to proceed or intent to support
What’s On The 6 Month Roadmap
• Extend Atom in manifest.xml to provide for timestamps, signatures and version control [need XML/Atom expertise]
• Version control and change notification in conjunction with…
• …architecture for registry services [cloudaudit.net] and extensions of such (public and/or private)
• Implementation architecture for “atomic queries” (e.g. “PCI Compliant” or “SAS-70 Certified”)
• Expand on specific CloudAudit use cases: CloudAudit for Federal Government; CloudAudit for cloud providers; CloudAudit for auditors/assessors
• Intensify and clarify the connection between CloudAudit and the CTP
Manifest.xml
• Structured listing of control contents
• Can be extended to provide contextual information
• Primarily aimed at tool consumption
• In Atom format
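As an added illustration of the manifest.xml slide and the roadmap item on timestamps (example code written for this page, not CloudAudit's own code or schema): a small Python parser for an Atom-format manifest that lists the evidence files under one control namespace, plus the check a reviewer would run over it. The namespace name, file names, URL, and dates are constructed samples.

```python
# Added example (not CloudAudit's own code): parse an Atom manifest and review its evidence entries.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
ATOM = "{http://www.w3.org/2005/Atom}"
# Constructed sample manifest for a hypothetical control namespace (names, URL, dates are made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Evidence for org.example.compliance.pci/1.0/section-10</title>
  <entry>
    <title>log-retention-policy.pdf</title>
    <link rel="enclosure" type="application/pdf" href="log-retention-policy.pdf"/>
    <updated>2012-02-15T09:30:00Z</updated>
  </entry>
  <entry>
    <title>siem-screenshot.png</title>
    <link rel="enclosure" type="image/png" href="siem-screenshot.png"/>
  </entry>
  <entry>
    <title>external-assessor-report</title>
    <link rel="related" href="https://assessor.example/report/123"/>
    <updated>2011-01-01T00:00:00Z</updated>
  </entry>
</feed>
"""
REVIEW_DATE = datetime(2012, 3, 1, tzinfo=timezone.utc)  # constructed review date

def parse_manifest(xml_text):
    """Return one dict per entry: title, href, rel and updated (datetime or None)."""
    entries = []
    for entry in ET.fromstring(xml_text).findall(ATOM + "entry"):
        link = entry.find(ATOM + "link")
        stamp = entry.findtext(ATOM + "updated")
        entries.append({
            "title": entry.findtext(ATOM + "title"),
            "href": link.get("href") if link is not None else None,
            "rel": link.get("rel") if link is not None else None,
            "updated": datetime.fromisoformat(stamp.replace("Z", "+00:00")) if stamp else None,
        })
    return entries

def questionable_evidence(entries, now=REVIEW_DATE, max_age_days=365):
    """Flag entries a reviewer should question: no timestamp, or older than max_age_days."""
    flagged = []
    for ent in entries:
        if ent["updated"] is None:
            flagged.append((ent["title"], "no updated timestamp"))
        elif (now - ent["updated"]).days > max_age_days:
            flagged.append((ent["title"], f"older than {max_age_days} days"))
    return flagged
```

Entries whose link is a URI to another location (the `related` entry here) are parsed like any other; the age check is what makes a stale pointer visible to an auditor.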