Transcript PowerPoint Presentation - Cloud Security Alliance

Trusted Cloud Initiative Work Group Session
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
Use Case
End User to Cloud
Enterprise to Cloud to End User
Enterprise to Cloud
Description
Applications running on the cloud
and accessed by end users
Applications running in the public
cloud and accessed by employees
and customers
Cloud applications integrated with
internal capabilities
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
Define protections that enable trust in the cloud.
Develop cross-platform capabilities and patterns for proprietary and open-source providers.
Will facilitate trusted and efficient access, administration and resiliency to the customer/consumer.
Provide direction to secure information that is protected by regulations.
The Architecture must facilitate proper and efficient governance, identification, authentication,
authorization, administration and auditability.
Centralize security policy, maintenance operation and oversight functions.
Access to information must be secure yet still easy to obtain.
Delegate or Federate access control where appropriate.
Must be easy to adopt and consume, supporting the design of security patterns.
The Architecture must be elastic, flexible and resilient supporting multi-tenant, multi-landlord platforms
The Architecture must address and support multiple levels of protection, including network, operating
system, and application security needs.
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
Use the breadth of the Cloud Security Alliance



Adjacent initiatives will be a focus for the TCI mandate
Built upon “pillars” from the Cloud Security Alliance
Provide an end-to-end security specification for cloud security
Use the depth of the Cloud Security Alliance membership


Members have credibility from the top of the application to the “bare metal”
GRC and interoperability
Enable a vendor neutral reference architecture specification

All vendor products that enable an end-to-end security platform will be used
Provide a exemplary reference set of implementations


Global examples so that any country can implement the architecture to their requirements
Show examples of standards and how they can be implemented across products
Open source initiative

Where the TCI supports implementation under its direction the implementation is open source
Note: The TCI Reference Architecture is not the same as the Cloud Computing Architectural Framework
(Domain 1 of the Security Guidance for Critical Areas of Focus in Cloud Computing V2.1)
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
CSA
Controls
Matrix
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
CSA
Controls
Matrix
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
Business
Operation
Support
Services
Information
Technology
Operation &
Support
Presentation Services
Security and
Risk
Management
Application Services
Information Services
Infrastructure Services
(SABSA)
(ITIL)
(TOGAF)
Copyright © 2011 Cloud Security Alliance
(Jericho)
www.cloudsecurityalliance.org
Reference Architecture
Version 2.0 (pending changes)
Guiding Principles
q Define protections that enable trust in the cloud.
q Develop cross-platform capabilities and patterns for proprietary and open-source providers.
q Will facilitate trusted and efficient access, administration and resiliency to the customer/consumer.
q Provide direction to secure information that is protected by regulations.
q The Architecture must facilitate proper and efficient identification, authentication, authorization,
administration and auditability.
q Centralize security policy, maintenance operation and oversight functions.
q Access to information must be secure yet still easy to obtain.
Business Operation
Support Services
(BOSS)
Information Technology
Operation & Support
(ITOS)
Presentation Services
Presentation Modality
Consumer Service Platform
q Delegate or Federate access control where appropriate.
q Must be easy to adopt and consume, supporting the design of security patterns
Compliance
q The Architecture must be elastic, flexible and resilient supporting multi-tenant, multi-landlord platforms
q The architecture must address and support multiple levels of protection, including network, operating
system, and application security needs.
Audit Planning
Independent
Audits
High Level Use Cases
Third-Party
Audits
Internal
Audits
Information System Regulatory
Mapping
Intellectual Property Protection
Data
Classification
Handling / Labeling /
Security Policy
Rules for Information
Leakage Prevention
Clear Desk Policy
Plan
Management
Test
Management
Architectrure
Governance
PMO
Operational Risk
Management
Program
Mgmnt
Project
Mgmnt
Segregation
of Duties
Contractors
Employee
Termination
Background
Screening
Roles and
Responsibilities
Business Continuity
Planning
Testing
Risk Management Framework
Business
Technical
Assessment Assessment
Employment
Agreements
Job
Descriptions
Employee
Awareness
Event
Correlation
Database
Monitoring
Cloud
Monitoring
Application
Monitoring
E-Mail
Journaling
Honey
Pot
Market Threat
Intelligence
SOC Portal
Managed Security
Services
Knowledge
Base
Branding
Protection
Real-time internetwork defense (SCAP)
Contracts
E-Discovery
Incident Response Legal
Preparation
P2P
Objectives
Internal SLAs
OLAs
External SLAs
Vendor Management
End-Point
Monitoring
Service
Costing
Application Services
Programming Interfaces
Application Performance
Monitoring
Forensic
Analysis
e-Mail
Journaling
Capacity Planning
Software
Management
Automated Asset
Discovery
Configuration
Management
Physical Inventory
Event
Classifiation
Root Cause
Analysis
Ticketing
Trend
Analysis
Problem
Resolution
Benchmarking
Security Job
Aids
Security
FAQ
TOGAF
Approval
Workflow
Planned Changes
Project
Changes
Operational
Chages
Change
Review
Board
Emergency
Changes
Release
Management
Connectivity & Delivery
Risk
Dashboard
Authentication Services
Configuration
Management
Database
(CMDB)
SAML
Token
Risk Based
Multifactor
Auth
Smart
Password
OTP
Card
Management
Biometrics
Network
Authentication
Single Sign On
Middleware
WS-Security
Authentication
Federated IDM
Attribute
Provisioning
Dashboard
Data Mining
Reporting Tools
Business Intelligence
PMO
Strategy
Roadmap
Data Governance
Recovery
Plans
Problem
Incident
Management
Management
Knowledge
Session
Events
Authorization
Events
Authentication
Events
Application
Events
Network
Events
Change
Logs
GRC
RA
BIA
DR & BC
Plans
VRA
TVM
Data
Classification
Process
Ownership
Audit
Findings
HR Data
(Employees &
Contractors)
Business
Strategy
User Directory Services
NIPS
Events
ACLs
CRLs
Compliance
Monitoring
NIPS
Events
DLP
EVents
Privilege
Usage Events
Active
Directory
Services
LDAP
Repositories
eDiscovery
Events
Registry
Services
Location
Services
DBMS
X.500
Repositories Repositories
Federated
Services
Vulnerability Management
Network
Application
Virtual
Directory
Services
DB
Threat Management
Risk Taxonomy
Infrastructure Protection Services
End-Point
Anti-Virus, Anti-Spam,
Anti-Malware
Media
Lockdown
Behavioral Malware Prevention
Content
Filtering
Inventory Control
DPI
Host
Firewall
HIPS /HIDS
Behavioral
Malware
Prevention
Hardware Based
Trusted Assets
Network
Meta
Directory
Services
Infrastructure
Source Code Scanning
External
Behavioral Malware Prevention
White
Sensitive File
Listing
Protection
AntiHIPS /
Host
Virus
HIDS
Firewall
Firewall
Transformation Services
Database
Events
Change
Password
Vaulting
Resource
Protection
Hypervisor Governance and Compliance
Server
Computer
Events
Data
Segregation
Risk Management
Risk
Assessments
Management
Servers
Internal
Management
Management
HIPS
Knowledge
Repository
Keystroke/Session
Logging
Privilege Usage
Gateway
Penetration Testing
BOSS
Security Monitoring
Service
NonProduction
Data
Information
Leakage
Metadata
Service
Events
Privilege Usage Management
Threat and Vulnerability Management
Databases
ITOS
OTB AutN
Identity Verification
Out of the Box (OTB) AutZ
Abstraction
Forensic Tools
Content
Filtering
White Listing
Application
NIPS /
Wireless
NIDS
Protection
Link Layer Network Security
Black Listing Filtering
XML Applicance
Application Firewall
Secure Messaging Secure Collaboration
Real
Time
Filtering
Data Protection
Data lifecycle management
Internal Infrastructure
Facility Security
Controlled Physical
Access
Barriers
Electronic
Surveillance
Physical
Authentication
Asset
Handling
Data
Software
Equipment
Location
Patch
Management
Storage
Services
Power
Redundancy
Network
Services
Network
Segmentation
Servers
eSignature
Virtual Infrastructure
Desktop “Client” Virtualization
Image Management
Storage Virtualization
<<insert
Jairo’s
content>
Block-Based
Virtualization
Remote
Secure Build
Local
SessionBased
Compliance Monitoring
Host-Based
VM-Based
(VDI)
LDM
Equipment
Maintenance
Availability
Services
Authoritative
Time Source
Storage
DeviceBased
LVM
LUN
Service Discovery
Hardware
Environmental Risk Management
Physical Security
Meta Data
Control
Infrastructure Services
Scheduling
Testing
Version
Control
Build
Source Code
Management
Capability
Mapping
Risk Portfolio
Management
Residual Risk Management
Entitlement Review
Policy
Policy Definition
Enforcement
Principal Data
Policy
Management
Mangement
Resource Data
XACML
Management
Role
Obligation
Management
Security Application
Framwrok - ACEGI
Reporting Services
OLAs
SLAs
Orphan Incident Management
Change Management
Data
Code
Samples
Stress and
Volume
Testing
Service Delivery
Security Patrols
Service
Provisioning
IT Risk
Management
Problem Management
Automated
Ticketing
Trend
Analysis
Self Assessment
Audit
Management
Compliance Testing
Configuration
Rules
(Metadata)
Knowledge Management
Best
practices
Process or
Solution
Attack
Patterns
CMDB
Cross Cloud Security Incident
Response
ITIL v3
Application
Vulnerability
Scanning
Security
Code Review
Contracts
Service Support
Policy Management
Exceptions
Domain Unique
Identifier
Identity
Provisioning
Software Quality Assurance
Service Support
User Behavior &
Profile Patterns
Vendor
Management
Identity Management
Integration Middleware
Development Process
Risk
Assessments
Anti-Phishing
Compliance
Management
InfoSec
Management
Authorization Services
Security
Design
Patterns
Self-Service
Service
Catalog
Investment
Budgeting
Self-Service
Container
Security Knowledge Lifecycle
Input
Validation
Resiliency
Analysis
Counter
Threat
Management
Internal Investigations
Secure Sandbox
Information Services
Operational
Bugdeting
Charge
Back
Handwriting
(ICR)
Smart Appliances
Capacity Planning
Service Dashboard
Security Incident
Response
SABSA
Medical Devices
Fixed Devices
Governance Risk &
Compliance
Privilege Management Infrastructure
Strategy Alignment
Availability
Management
Incident Management
Domain
e-Readers
Public Kiosk
Roadmap
Configuration Management
Legal Services
E-Mail
Third-Party
Standards and
Guidelines
Information Technology
Resiliency
Asset Management
Security Monitoring Services
Event
Mining
Search
Portable Devices
Employee Code of Conduct
Independent Risk Management
SIEM
Platform
B2B
Service Delivery
Service Level
Management
Business
Crisis
Management Impact Analysis
Key Risk Indicators
B2C
Colaboration
Speech Recognition
(IVR)
Desktops
Company
owned
Technical Awareness and Training
Maturity
Model
Remediation
Human Resources
Security
Operational Risk Committee
B2M
Portfolio
Management
Rules for
Data Retention
SaaS,
PaaS, IaaS
B2E
Mobile Devices
Mobile Device Management
IT Governance
Resource
Management
Data Governance
Data Ownership /
Stewardship
Secure Disposal of
Data
DRP
End-Points
Enterprise Service Platform
Social
Media
IT Operation
Contact/Authority
Maintenance
Security and Risk
Management
Presentation Platform
Application Virtualization
End Point
Client
Application
Streaming
Server
Application
Streaming
Virtual
Workspaces
Network
Hardware-Assisted
TPM
Virtualization
Virtual
Memory
Data Discovery
Network
End-Point
Server
(Data in Transit)
(Data in Use)
(Data at Rest)
External
(VLAN)
Internal
(VNIC)
Data Masking
Data Tagging
Data Obscuring
Data Seeding
Intellectual Property
Protection
Intellectual
Property
Digital Rights
Management
Cryptographic Services
Signature
PKI
Key Management
Services
Symmetric
Keys
Virtualizaton
Network
Address
Space
Virtualization
IPv4
IPv6
Paravirtualization
Data Loss Prevention
Switched
File-Based Virtualization
Server Virtualization
OS
VIrtualization
Appliance
Vertical Isolation
Virtual Machines (Hosted Based)
Full
Network-Based
(Unstructured data)
Data
De-Identification
Life cycle
management
Asymmetric
Keys
Mobile Device
Virtualization
Data-in-use
Encryption (Memory)
Data-at-Rest Encryption
(DB, File, SAN, Desktop,
Mobile)
(Transitory, Fixed)
Database
Virtualization
Policies and Standards
Operational Security Baselines
Smartcard
Virtualization
Data-in-Transit
Encryption
Information Security
Policies
Job Aid Guidelines
Technical Security
Standards
Role Based Awareness
Data/Asset Classification
Best Practices &
Regulatory correlation
JERICHO
Copyright © 2011 Cloud Security Alliance
Chief Architect: Jairo Orea
Lead Architects: Marlin Pholman, Yaron Levi, Dan Logan.
Team: David Sherr, Richard Austin , Vern Williams, Anish Mohammed, Harel
Hadass, Phil Cox, Yale Li, Price Oden, Tuhin Kumar, Rajiv Mishra, Ravila Whit
Scott Matsumoto, Rob Wilson, Charlton Barreto, Ryan Bagnulo, Subra
Kumaraswamy.
Date: 07/20/2011
Revision: 12th Review
www.cloudsecurityalliance.org
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
Roadmap
• Control Mapping
• Operational Checklists
• Capability mapping
• Strategy alignment
• Use Cases (OSA)
Assess the
opportunity
• Security Patterns
• Guidelines
• Vendor Certification
Reuse
BOSS
ITOS
Presentation
SRM
Application
Information
CSA Controls Matrix
CSA Consensus Assessment
Infrastructure
Reference Architecture
Copyright © 2011 Cloud Security Alliance
Security Framework
and Patterns
www.cloudsecurityalliance.org
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org