4. Who am I?
• Michael A. Davis
– CEO of Savid Technologies
– Speaker
• Blackhat, Defcon, CanSecWest, Toorcon, Hack In The Box
– Open Source Software Developer
• Snort
• Nmap
• Dsniff
• Savid Technologies
– Risk Assessments, IT Security Consulting, Audit and Compliance
7. Where we got our data
» June 2012 Survey
» Over 300 Security & Audit Professionals
» Follow-up Interviews
» Wide Variety Of Industries
– Financial
– Healthcare
– Legal
– Actual Cloud Users!
10. Key Trust Issues
• Transparency & visibility from providers
• Compatible laws across jurisdictions
• Data sovereignty
• Incomplete standards
• True multi-tenant technologies & architecture
• Incomplete Identity Mgt implementations
• Consumer awareness & engagement
How do you gracefully “lose control” of IT and have greater confidence in its security?
11. Vendor Management Isn’t Enough
» IT is predominantly the one performing the reviews
» Security Team doesn’t get involved till after integration
» Vendor Management isn’t technical enough
» Legal doesn’t know what to include in contracts
» IT is also reviewing contracts
31% of respondents have no idea if their controls are effective compared to the cloud
12. SSAE16 What?
• Replaces SAS70
• Attestation based
• SOC 1 vs SOC 2/Type I and Type II
– SOC 1 is just financial controls
• SOC 2 Requires Coverage in 5 Key Areas
– Security
– Availability
– Processing integrity
– Confidentiality
– Privacy of personal information
• Omission is ok if it “Is Not Applicable”
– System Description is Key
• You Have to read these!
14. Migrating to the Cloud
• Shared Responsibility
• Strategy
• Education
• Architecture / Framework
• Due Diligence
15. Vulnerability Scans and Pen Tests
• Commonly confused terms
• Only 35% of respondents perform them
• Not applicable in many cases
• Most providers don’t allow it
– Or require scheduling of it
• What if it is a private network or behind an application?
• Do you assess the application or the infrastructure?
16. What about Encryption?
• Data Encryption is YOUR responsibility
• Many PaaS and IaaS Providers can’t support it/don’t
• What is the real benefit?
• Whole Disk Encryption is useful if theft of a VM is the concern
• Data in transit and at rest is vital (not the OS)
• SaaS apps need customer support
• Ask for our report on Cloud Encryption
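Added example, not code from the presentation or from Savid Technologies or the CSA: it shows what “data encryption is YOUR responsibility” looks like in practice for data at rest. The customer seals each record with AES-256-GCM under a key the provider never receives (assumed here to come from a customer-controlled KMS or HSM; the example simply generates one), and the storage path is bound in as additional authenticated data, so the provider holds only opaque bytes and any tampered or relocated object fails to decrypt. `ProviderStore`, `SealRecord`, `OpenRecord` and the sample record are constructed for this example; protection in transit (TLS to the provider API) is assumed and not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SealedRecord is what the provider actually stores: a random nonce plus
// AES-GCM ciphertext with its authentication tag appended. Without the
// customer-held key it reveals nothing about the record.
type SealedRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewCustomerKey generates a 256-bit key on the customer side. Assumption for
// this example: in a real deployment the key comes from a customer-controlled
// KMS or HSM and is never shared with the cloud provider.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext before it leaves the customer's trust boundary.
// The storage location is passed as additional authenticated data, so a record
// copied to a different object path is rejected on decryption.
func SealRecord(key, plaintext, location []byte) (SealedRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, location),
	}, nil
}

// OpenRecord decrypts and verifies a record fetched back from the provider.
// Any change to the nonce, ciphertext, tag or location makes Open fail.
func OpenRecord(key []byte, r SealedRecord, location []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, location)
}

// ProviderStore stands in for the provider's object store (constructed for this
// example): it only ever holds sealed records.
type ProviderStore map[string]SealedRecord

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	store := ProviderStore{}
	loc := "bucket/customer-42/profile.json"
	// Constructed sample record, not real customer data.
	plaintext := []byte(`{"name":"A. Customer","card_last4":"4242"}`)

	sealed, err := SealRecord(key, plaintext, []byte(loc))
	if err != nil {
		panic(err)
	}
	store[loc] = sealed
	fmt.Println("provider sees:", hex.EncodeToString(store[loc].Ciphertext)[:32], "...")

	back, err := OpenRecord(key, store[loc], []byte(loc))
	if err != nil {
		panic(err)
	}
	fmt.Println("customer reads:", string(back))

	// A modified copy of the stored object (anyone with disk access could make
	// one) is detected rather than silently returned as corrupted data.
	tampered := store[loc]
	tampered.Ciphertext = append([]byte(nil), tampered.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	if _, err := OpenRecord(key, tampered, []byte(loc)); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

This is the split the slide is driving at: provider-side whole-disk encryption only helps if someone walks off with the disk or VM image, while sealing at the application layer under a customer-held key keeps the data confidential and integrity-checked no matter who administers the storage.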
17. About the Cloud Security Alliance
• Global, not-for-profit organization
• Over 33,000 individual members, 150 corporate members, 60 chapters
• Building best practices and a trusted cloud ecosystem
– Research
– Education
– Certification
– Advocacy of prudent public policy
• Innovation, Transparency, GRC, Identity
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
18. Global Efforts
• Europe
– Proposed EU Data Privacy Regulation
– EC European Cloud Partnership
• US Federal government
– NIST
– FedRAMP
• APAC
• Standards bodies
– ISO SC 27
– ITU-T FG 17
– DMTF, PCI Standards Council
19. CSA STAR Registry
• CSA STAR (Security, Trust and Assurance Registry)
• Public Registry of Cloud Provider self assessments
• Based on Consensus Assessments Initiative Questionnaire
– Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Security as a market differentiator
• www.cloudsecurityalliance.org/star
21. One Size Doesn’t Fit All
• Minimum
– Review SSAE16
– Security Questionnaire (CSA’s or your own)
– Review Legal Contracts (Notification clauses, breach disclosures, etc)
• Moderate
– Everything in previous category
– Ask for proof (patch verification, av update, etc)
– Speak to customers
– Quarterly Vuln Scans for IaaS and PaaS
– Speak to providers’ engineers or security team
• Ideal
– Everything in previous category
– Technical audit after major app refresh or infrastructure change
– Annual Pen Test
– Annual Technical Audit by internal or 3rd party
– Quarterly app vuln scans for SaaS and PaaS
Will my provider be transparent about how they manage their systems, organization governance, etc? Will I be considered compliant? Do I know where my data is? Will a lack of standards drive unexpected obsolescence? Is my provider really better at security than me? Are the hackers waiting for me in the cloud? Will I get fired? How can we gracefully “lose control” of IT?
Understand the Shared Responsibility between provider and customer. Have a Strategy to say yes to cloud for business units; find the “low hanging fruit” for cloud adoption. Educate yourself and your teams on what cloud is. Have Architecture/Frameworks that enable flexibility in adding and changing. Due Diligence – know your provider and your provider’s providers.
We are the leading vendor neutral organization focused on solving the trust issues with cloud computing. We have dozens of active research projects, training, the world’s only user certification for cloud security and a public repository of provider security assessments. Like the cloud itself, we are agile, and are seeking to drive innovation, industry transparency, GRC and a more advanced & holistic view of identities in the cloud.
In Europe, a new data privacy regulation is being proposed to replace the patchwork of laws created by the 1995 directive. This will drive greater uniformity. The EC ECP is planning to harmonize requirements from member governments as cloud consumers. In the US gov’t, NIST has taken the lead in developing federal cloud requirements, which are being implemented within FedRAMP, which allows agencies to share risk assessments rather than doing their own redundant assessments. APAC is taking the lead in the investment into data center and cloud infrastructure. Many SDOs have a cloud security roadmap; we have mentioned a few of the most relevant and impactful: ISO SC 27 has 2 standards; ITU-T has an ambitious roadmap to implement automated cloud security; DMTF – OVF Open Virtualization Format; PCI now has a cloud working group.
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. CSA STAR is open to all cloud providers, and allows them to submit self assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.