Compliance in Public Cloud & CSA Framework

Compliance in the Public Cloud
and the
Cloud Security Alliance's
Open Certification Framework
Dr David Ross
CISO, Bridge Point Communications
Founding Director, Cloud Security Alliance Australia Chapter

• Security issues encountered with cloud services
• Trust Issues
• Governance, Compliance, Control, Assurance and Certification
• Open Certification Framework
– STAR Certification
– STAR Attestation
2
A collaboration of a number of security experts
from the Cloud Security Alliance in Australia

Security issues encountered with cloud services
• #1 The Cloud Consumer assumes the Cloud Service is “secure” without
understanding the contract.
– Real Example: Cloud Service includes “automatic backup service that copies customer data
to an external backup service, providing a further level of security to customer data …
stored for 3 months after being made … can be extended to up to 7 years if required”
• Perfectly legitimate, but there are 2 meanings for “secure” here
– By default, the backup is overwritten after 3 months … no restores over 3 months old!
– The backups go to a third party … with whom you have no contract for handling your data!
– The backups are … NOT encrypted!
3
Copyright © 2013 Bridge Point Communications

• #2 Insecure management or administration interfaces
– Real Example: Cloud Service uses insecure, clear-text protocol (HTTP) for
remote administration logins.
– The username and password are transmitted in clear-text and may be
intercepted by a network sniffer, relay, server logs, proxy or firewall logs, or
a man-in-the-middle attack to provide credentials for a subsequent attack.
4

• #3 No separation of duties, detection of abuse, or escalation of privilege
– Real Example: Cloud Service Systems Administrator has access to all layers,
from Application down to Physical hardware.
– The entire security of the Cloud Consumers’ data relies on the integrity and
expertise of a single person with no checks or balances to prevent malicious
or accidental compromise of security controls. The Systems Administrator
can do anything with the hosts, networks, and storage … including the audit
trails that detail just what has been done.
5

Issues particular to cloud services in the GRC space
• #4 Weak, vague, or one-sided SLAs and contracts
– Real Example: “The following list presents an overview of some of the audits
and assessments that the” Cloud Service “undergoes on a regular basis”...
– The Cloud Service did indeed undergo regular audits … but only held
certifications for two of the five in their list in that year.
– Difference between ‘undergo audits’ and ‘meet requirements’.
– Require certification
6

Impacts on the typical IT governance model
• Require a trust relationship with the Cloud Service Provider
• Require indirect administrative and contractual controls over the CSP in
place of the direct controls over in-house infrastructure and personnel
• Require transparency and assurance of the CSP operations
• Therefore -> Require independent verification of CSP assertions
7

What are the Trust Issues?
8
( I just ordered this from zazzle.com.au )

What are the Trust Issues?
• Will the CSP be transparent about governance and operational issues?
• Will the user be considered compliant?
• Does the user know what legislation applies?
• Will a lack of standards drive unexpected
obsolescence?
• Is cloud really better at security than
traditional IT solution?
9
Copyright © 2013 Cloud Security Alliance

A new Governance Model
• Users need to understand the shift in the balance of responsibility and
accountability for key functions such as governance and control over
data and IT operations, ensuring compliance with laws and regulations.
• Cloud computing requires a new model for assessing organisational risks
related to security and resilience.
10

Assurance
• Consumers do not have simple, cost effective ways to evaluate and
compare their providers’ resilience, data protection capabilities and
service portability.
11

Certification Challenges
• Provide a globally relevant certification to reduce duplication of efforts
• Address localised, national-state and regional compliance needs
• Address industry specific requirements
• Address different assurance requirements
• Address “certification staleness”
– assure provider is still secure after “point in time” certification
• Do all of the above while recognising the dynamic and fast changing world
that is cloud
12

Certification Challenges
This gap of trust mainly lies down in the difficulties of cloud users in addressing
fundamental assurance issues with cloud providers, such as:
• Understanding legal compliance and contractual liabilities,
• Defining and allocating responsibilities
• Enforcing accountability
• Translating requirements into cloud language/controls/checks
• Identifying means for an ex-ante analysis assessment of cloud services and for a
• Continuous monitoring of cloud service contract execution
13

How do we build Trust and Transparency?
• The Cloud Security Alliance’s Open Certification Framework for cloud
services
14

The Cloud Security Alliance’s Open Certification Framework
• Daniele Catteddu, CSA Managing Director EMEA
• Open Certification Framework for cloud services
• Announced 9May2012 Frankfurt (DE),detail 20Aug2012 Edinburgh (UK)
15

The Cloud Security Alliance (CSA)
• Global, not-for-profit organisation
• Over 40,000 individual members, more than
160 corporate members, over 60 chapters
• Building best practices and a trusted cloud
ecosystem
• Agile philosophy, rapid development of
applied research
16
The Cloud Security Alliance
– not-for-profitorganisation
with a mission…
“To promote the use of
best practices for providing
security assurance within
Cloud Computing, and
provide education on the
uses of Cloud Computing to
help secure all other forms
of computing.”

Open Certification Framework Vision Statement
• The CSA Open Certification Framework is an industry initiative to allow
global, accredited, trusted certification of cloud providers.
• The CSA Open Certification Framework is a program for flexible, incremental
and multi-layered cloud provider certification according to the Cloud
Security Alliance’s industry leading security guidance and control objectives.
• The program will integrate with popular third-party assessment and
attestation statements developed within the public accounting community
to avoid duplication of effort and cost.
~Jim Reavis & Daniele Catteddu; CSA~
17

OCF: The structure
• The open certification
framework is structured
on 3 LEVELs of TRUST,
each one of them
providing an incremental
level of visibility and
transparency into the
operations of the Cloud
Service Provider and a
higher level of assurance
to the Cloud consumer.
18

OCF Governance
19
Copyright © 2013 Cloud
Security Alliance

OCF Level 1: CSA STAR Registry
• CSA STAR (Security, Trust and Assurance Registry)
• Public Registry of Cloud Provider self assessments
• Based on Consensus Assessments Initiative Questionnaire
• Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Free market competition to provide quality assessments
• Provider may elect to provide assessments from third parties
• Available since October 2011
20

OCF Level 2:
21
Certification

What is STAR Certification?
• Continuous monitoring of cloud service contract execution
• STAR CERTIFICATION evaluates the efficiency of an organization’s ISMS and ensures the scope,
processes and objectives are “Fit for Purpose.”
• Help organizations prioritize areas for improvement and lead them towards business excellence.
• Enables effective comparison across other organizations in the applicable sector.
• Focused on the strategic & operational business benefits as well as effective partnership relationships.
• Based upon the Plan, Do, Check, Act (PDCA) approach and the controls outlined in the Cloud Controls
Matrix (CCM)
• Enables the auditor to assess a company’s performance, on long-term sustainability and risks, in
addition to ensuring they are SLA driven, allowing senior management to quantify and measure
improvement year on year.
22

The Cloud Security Alliance’s STAR Certification
• The concept of the scheme is to use to the ISO/IEC 27001:2005 certification
integrated with the CSA Cloud Control Matrix (CCM) as additional or
compensating controls as applicable and the organisation’s own internal
requirements or specifications to assess how advanced their systems are.
• The scheme will be compliant with ISO 17021 and ISO 27006.
• Will be open to all 3rd party Certified Bodies (CB)
• Will be an additional scheme to the CB organisations internal ISO 27001
scheme requirements. It is not meant to be a replacement.
23

PDCA Model for an ISMS
24

STAR Certification
25

STAR Certification: the role of CCM
• The CCM is specifically designed to provide fundamental security
principles to guide cloud vendors and to assist prospective cloud
customers in assessing the overall security risk of a cloud provider.
• The Cloud Controls Matrix is meant to be integrated into the assessment
by the auditor, referencing the applicable CCM control to the associated
ISO 27001 controls (SOA) The output will be the result of the overall
performance of the organization within the scope of certification.
26

Benefits of STAR Certification
Sales and Marketing Benefits:
• Added to the current management system.
• A ISO 27001 certification plus a STAR certificate as evidence of both compliance and
performance to both suppliers, customers and other interested parties.
• The ability to benchmark your organization’s performance and gauge your
improvement from year to year.
• An independently validated report from an external Certified Body (CB) body which
can be used to demonstrate an organisation’s progress & performance levels.
• Exclusive to the STAR Registry.
27

Strategic Benefits:
• A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of
both their management system and the roles and responsibilities of personnel within the organisation.
• A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the
results and measurements of assessments are both relevant and necessary in helping organisations
manage their business.
• A comprehensive business report that goes beyond a usual assessment report and gives a strategic and
accurate overview of an organisations performance to enabling senior management to the identify
action areas needed.
• A set of improvement targets to encourage an organisation to move beyond compliance toward
continued improvement.
28

Operational Benefits:
• Scalable to organisations of all sizes. Provides information that allows you to know
where they are now and measure any improvements, internally benchmark their
sites and potentially externally benchmark their supply chain to stimulate healthy
competition.
• A visual representation of the status of a business and instantly highlights where the
strengths, weaknesses, allowing clients to maximize resources, improve operational
efficiencies and reduce costs
• Independent reassurance to prove to senior management where the risks, threats,
opportunities lie within a business
29

OCF Level 2:
30
Attestation

What is STAR Attestation?
Star Attestation (through the type 2 SOC attestation examination) helps companies meet the assessment
and reporting needs of the majority of users of cloud services, when the criteria for the engagement are
supplemented by the criteria in the CSA Cloud Controls Matrix (CCM). This assessment:
• Is based on a mature attest standard
• Allows for immediate adoption of the CCM as additional criteria and the flexibility to update the
criteria as technology and market requirements change
• Does not require the use of any criteria that were not designed for, or readily accepted by cloud
providers
• Provides for robust reporting on the service provider’s description of its system, and on the service
provider’s controls, including a description of the service auditor’s tests of controls in a format very
similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby
facilitating market acceptance
31

AICPA SOC Reporting Options
32

STAR Attestation
• SOC 2SM Report
• If the report will be used by customers and/or stakeholders to gain
confidence and place trust in a service organisation’s system:
• Need to understand the details of processing and controls at your
organisation, the tests performed & results of those tests?
33

SOC 2 (AT 101): Key strengths
• AT 101 is a mature attest standard (it serves as the standard for SOC 2 and
SOC 3 reporting )
• Provides for robust reporting on the service provider’s description of its
system, and on the service provider’s controls, including a description of the
service auditor’s tests of controls in a format very similar to the now
obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting,
thereby facilitating market acceptance
• Evaluation over a period of time rather than a point in time
• Recognition with an AICPA Logo
34

Contact
Help Us Secure Cloud Computing:
• www.cloudsecurityalliance.org
• https://chapters.cloudsecurityalliance.org/australia/
• http://www.linkedin.com/groups?gid=3966724
• Archie Reed archer@hp.com
• David Ross David_Ross@bridgepoint.com.au
35

Compliance in Public Cloud & CSA Framework

More Related Content

What's hot (19)

Similar to Compliance in Public Cloud & CSA Framework (20)

Recently uploaded (20)

Compliance in Public Cloud & CSA Framework