THE GRC STACK (V2.0)
Understanding and applying the CSA GRC stack for payoffs and protection

A learning workshop from the CSA

CSA Organization & Operation: Where does the GRC Stack fit in?

[Org chart: Board; Steering Committee; Executive Director; Membership (Individual, Corporate, Affiliate); Working Groups; Research Director; Research; Education; Chapters; Special competencies …; CCSK; Security Guidance for Critical Areas of Cloud Computing; GRC Stack (CCM, CAIQ, CloudAudit, CTP); PCI; Cloud Controls Matrix (CCM); Consensus Assessments Initiative Questionnaire (CAIQ); CSA Security, Trust, & Assurance Registry (STAR); Trusted Cloud Initiative. The GRC Stack is marked “We are here today …”]


SESSION 1 //

Why a cloud GRC stack? The GRC stack value equation

The “big rocks” of cloud security, trust, and control: Take care of the big rocks first …

Key Cloud Security Problems

From CSA Top Threats Research:

  • Trust: Lack of provider transparency, which impacts Governance, Risk Management, Compliance, and the capture of real value
  • Data: Leakage, Loss or Storage in unfriendly geography
  • Insecure Cloud software
  • Malicious use of Cloud services
  • Account/Service Hijacking
  • Malicious Insiders
  • Cloud-specific attacks

Cloud Adoption Obstacles: Planning often neglects Information Risk Management Transition & Transformation
  • Traditional
    • Enterprise strategy
    • Business function (workload) adaptation to cloud delivery
    • Technical architecture
    • Network connections
    • Application standards
    • Interoperability
    • “Buying time” for current compliance programs
    • Concept of Operations
  • Neglected but Necessary
    • IT and IT risk governance
      • Traditional sourcing?
      • Cloud?
        • Private? Community? Public? Hybrid?
      • Traditional + cloud?
      • How measured?
    • Security policy
      • Uniform across all delivery methods?
      • Cloud adjusted?
        • Private? Community? Public? Hybrid?
    • Risk/compliance management standards/benchmarks
      • Cloud adjusted?
        • Private? Community? Public? Hybrid?
The Value Equation in the Cloud
  • Security Service + Transparency Service = Compliance & Trust → VALUE Captured
  • delivering evidence-based confidence …
  • with compliance-supporting data & artifacts …
  • using the best virtualization and cloud technologies …
  • within quality processes …
  • operated by trained and certified staff and partners …
The Roots of the Value Equation in the Cloud

Impact

  • The “Rebound Effect” between security & interoperability
  • Information risk management transition & transformation planning
    • Policy
    • Governance
    • Compliance & Risk Management Thresholds
  • Business model
  • Downstream application of reclaimed transparency
The GRC Stack: Solving the Value Equation in the Cloud

[Figure: the GRC Stack links Needs and Claims (Security Requirements and Capabilities) with Evidence and Assurance (Security Transparency and Visibility), yielding Compliance and Trust, Payoffs and Protection, and VALUE Captured.]

Payoffs: delivering evidence-based confidence … with compliance-supporting data & artifacts.


SESSION 2 //

GRC Stack Overview

“The Stack Packs”

The CSA GRC Stack
  • A suite of four integrated and reinforcing CSA initiatives (the “stack packages”)
    • The Stack Packs
      • Cloud Controls Matrix
      • Consensus Assessments Initiative
      • CloudAudit
      • CloudTrust Protocol
  • Designed to support cloud consumers and cloud providers
  • Prepared to capture value from the cloud as well as support compliance and control within the cloud
CSA GRC Value Equation Contributions for Consumers and Providers
  • Individually useful
  • Collectively powerful
  • Productive way to reclaim end-to-end information risk management capability

The question each stack pack answers (in stack order, moving from static claims & assurances to dynamic (continuous) monitoring and transparency):
  • Cloud Controls Matrix: What control requirements should I have as a cloud consumer or cloud provider?
  • Consensus Assessments Initiative: How do I ask about the control requirements that are satisfied (consumer) or express my claim of control response (provider)?
  • CloudAudit: How do I announce and automate my claims of audit support for all of the various compliance mandates and control obligations?
  • CloudTrust Protocol: How do I know that the controls I need are working for me now (consumer)? How do I provide actual security and transparency of service to all of my cloud users (provider)?

A Headstart for Control and Compliance: Forged by the Global Marketplace; Ready for All

[Figure: professional and industry frameworks marked per the legend as “In place” or “Offered”; notes on the figure: Deliver “continuous monitoring” required by A&A methodologies; SSAE SOC2 control assessment criteria.]

CSA Guidance Research
  • Popular best practices for securing cloud computing
  • 13 Domains of concern
    • governing & operating groupings

  • Cloud Architecture
  • Governing the Cloud
    • Governance and Enterprise Risk Management
    • Legal and Electronic Discovery
    • Compliance and Audit
    • Information Lifecycle Management
    • Portability and Interoperability
  • Operating in the Cloud
    • Security, Business Continuity, and Disaster Recovery
    • Data Center Operations
    • Incident Response, Notification, Remediation
    • Application Security
    • Encryption and Key Management
    • Identity and Access Management
    • Virtualization

Guidance > 100k downloads: cloudsecurityalliance.org/guidance

CSA Guidance Research (revisited)
  • The same 13 domains, with Transparency placed alongside them as a possible 14th domain (“14?”)

Accepting the GRC Value Solution … Reference Model Readiness??

[Figure: NIST cloud computing reference model annotated with question marks: “Enough?” Source: NIST SP500-291-v1.0, p. 42, Figure 12]

“Just not enough, baby …” (Barry White – “Can’t Get Enough of Your Love, Babe”)

Now it’s enough! (the same reference model with Transparency added; Source: NIST SP500-291-v1.0, p. 42, Figure 12)


SESSION 3 //

Component Descriptions

Cloud Controls Matrix (CCM)

Leadership Team
  • Becky Swain – EKKO Consulting
  • Philip Agcaoili – Cox Communications
  • Marlin Pohlman – EMC, RSA
  • Kip Boyle – CSA

Versions: V1.0 (Apr 2010), v1.1 (Dec 2010), v1.2 (Aug 2011), V2.0 (2012)

Controls baselined and mapped to:
  • COBIT
  • BITS Shared Assessments
  • HIPAA/HITECH Act
  • Jericho Forum
  • ISO/IEC 27001-2005
  • NERC CIP
  • NIST SP800-53
  • FedRAMP
  • PCI DSS v2.0

What is the CCM?
  • First ever baseline control framework specifically designed for managing risk in the Cloud Supply Chain:
    • Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
    • Providing an anchor point and common language for balanced measurement of security and compliance postures.
    • Providing the holistic adherence to the vast and ever evolving landscape of global data privacy regulations and security standards.
  • Serves as the basis for new industry standards and certifications.
CCM v1.1 Industry Participation

This grass roots movement continues to grow with over 100 volunteer industry experts in the recent release of v1.2!

Cloud Supply Chain – Information Security Risks
  • You can outsource business capability or function but you cannot outsource accountability for information security → do your due diligence to identify and address…
    • Control Gaps (Shared Control)
      • Information Security (Access Controls, Vulnerability & Patch Management)
      • Security Architecture
      • Data Governance (Lifecycle Management)
      • Release Management (Change Control)
      • Facility Security
    • Control Dependencies
      • Corporate Governance
      • Incident Response
      • Resiliency (BCM & DR)
      • Risk & Compliance Management
Consensus Assessment Initiative
  • A cloud supply chain risk management and due diligence questionnaire
  • ~200 yes/no questions that map directly to the CCM and thus, in turn, to many industry standards.
  • Can be used both by CSPs for self-assessment and by potential customers, for the following purposes:
    • to identify the presence of security controls and practices for cloud offerings
    • procurement negotiation
    • contract inclusion
    • to quantify SLAs

For potential customers, the CAIQ is intended to be part of an initial assessment, followed by further clarifying questions to the provider as applicable to their particular needs.

  • v1.1 available as of Sept 2011; v1.2 underway to map to CCM v1.2
CAIQ Guiding Principles

The following are the principles that the working group used as guidance when developing the CAIQ:

  • The questionnaire is organized using the CSA’s 13 governing & operating domains, divided into “control areas” within the CSA Control Matrix structure
  • Questions are meant to assist both cloud providers (in general principles of cloud security) and clients (in vetting cloud providers on the security of their offering and company security profile)
  • The CAIQ is not intended to duplicate or replace existing industry security assessments, but to contain the questions unique or critical to the cloud computing model in each control area
  • Each question should be answerable with yes or no
  • If a question could not be answered yes or no, it was separated into two or more questions that can be
  • Questions are intended to foster further detailed questions to the provider by the client, specific to the client’s cloud security needs. This was done to limit the number of questions and keep the assessment feasible, since each client may have unique follow-on questions or may not be concerned with all “follow-on questions”
CAIQ Questionnaire
  • Control Group, Control Group ID (CGID), and Control Identifier (CID) all map the CAIQ question being asked directly to the CCM control that is being addressed.
  • Relevant compliance and standards are mapped line by line to the CAIQ, which, in turn, also maps to the CCM. The CAIQ v1.1 maps to the following compliance areas – HIPAA, ISO 27001, COBIT, SP800_53, FedRAMP, PCI_DSS, BITS and GAPP. V1.2 will additionally include mappings to Jericho Forum and NERC CIP.
  • Each question can be answered by a provider with a yes or no answer.
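Worked example, added here and not taken from the CSA or the slides: a small Python model of the mapping just described. Each yes/no answer carries its CGID and CID, the CGID resolves to a CCM control, and the control resolves to the standard clauses the CCM maps it to, so a single “no” can be rolled up to the PCI, ISO and NIST obligations a consumer should follow up on. The control IDs, questions and clause references are constructed and illustrative; they are not the official CCM crosswalk. The validation step also enforces the guiding principle that every answer must be a plain yes or no.

```python
"""CAIQ answers -> CCM controls -> mapped standards: a constructed gap roll-up."""
from collections import defaultdict

# Constructed CCM-style control subset. The IDs imitate the CCM's group/number
# style, but the controls and the standard clauses are illustrative only,
# not the official CCM mappings.
CCM_CONTROLS = {
    "IS-01": {"group": "Information Security",
              "standards": {"ISO 27001": "A.5.1.1", "NIST SP800-53": "PM-1", "PCI DSS": "12.1"}},
    "IS-07": {"group": "Information Security",
              "standards": {"ISO 27001": "A.10.4.1", "NIST SP800-53": "SI-3", "PCI DSS": "5.1"}},
    "DG-04": {"group": "Data Governance",
              "standards": {"ISO 27001": "A.10.5.1", "NIST SP800-53": "CP-9"}},
    "SA-02": {"group": "Security Architecture",
              "standards": {"ISO 27001": "A.11.5.2", "NIST SP800-53": "IA-2", "PCI DSS": "8.1"}},
}

# Constructed CAIQ-style answer sheet. CGID names the CCM control a question
# addresses; CID numbers the question under that control.
CAIQ_ANSWERS = [
    {"cgid": "IS-01", "cid": "IS-01.1",
     "question": "Is there a documented information security program?", "answer": "Yes"},
    {"cgid": "IS-07", "cid": "IS-07.1",
     "question": "Is anti-malware deployed on all hosts?", "answer": "Yes"},
    {"cgid": "IS-07", "cid": "IS-07.2",
     "question": "Are anti-malware signatures updated at least daily?", "answer": "No"},
    {"cgid": "DG-04", "cid": "DG-04.1",
     "question": "Are backups restore-tested at least annually?", "answer": "No"},
    {"cgid": "SA-02", "cid": "SA-02.1",
     "question": "Is multi-factor authentication required for privileged access?", "answer": "Yes"},
]

VALID_ANSWERS = ("yes", "no")


def validate_answers(answers, controls=CCM_CONTROLS):
    """List the defects a reviewer would reject: a non-yes/no answer (the question
    should have been split) or a CGID that does not resolve to a CCM control."""
    problems = []
    for a in answers:
        if a["answer"].strip().lower() not in VALID_ANSWERS:
            problems.append("%s: answer %r is not yes/no" % (a["cid"], a["answer"]))
        if a["cgid"] not in controls:
            problems.append("%s: unknown CCM control %s" % (a["cid"], a["cgid"]))
    return problems


def control_status(answers):
    """A CCM control counts as satisfied only if every question under it is 'yes'."""
    status = {}
    for a in answers:
        ok = a["answer"].strip().lower() == "yes"
        status[a["cgid"]] = status.get(a["cgid"], True) and ok
    return status


def gaps_by_standard(answers, controls=CCM_CONTROLS):
    """Roll every unsatisfied control up to the standard clauses the CCM ties it to,
    so one 'no' shows which PCI/ISO/NIST obligations a consumer should follow up on."""
    gaps = defaultdict(list)
    for cgid, satisfied in control_status(answers).items():
        if not satisfied:
            for standard, clause in controls[cgid]["standards"].items():
                gaps[standard].append((cgid, clause))
    return {standard: sorted(refs) for standard, refs in gaps.items()}


if __name__ == "__main__":
    for problem in validate_answers(CAIQ_ANSWERS):
        print("REJECT:", problem)
    for standard, refs in sorted(gaps_by_standard(CAIQ_ANSWERS).items()):
        print(standard, "->", ", ".join("%s (%s)" % ref for ref in refs))
```

Run as a script it prints one line per standard with the controls that failed under it; a consumer would take those clause references into the follow-on questions the CAIQ principles anticipate.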
CloudAudit Objectives
  • Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
  • Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology.
What CloudAudit Does
  • Provide a structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools.
    • Define a namespace that can support diverse frameworks
    • Express compliance frameworks in that namespace
    • Define the mechanisms for requesting and responding to queries relating to specific controls
    • Integrate with portals and AAA systems
How CloudAudit Works
  • Utilize security automation capabilities with existing tools/protocols/frameworks via a standard, open and extensible set of interfaces
  • Keep it simple, lightweight and easy to implement; offer primitive definitions & language structure using HTTP(S) first at a very basic level
  • Allow for extension and elaboration by providers and choice of trusted assertion validation sources, checklist definitions, etc.
Context for CloudAudit
  • CloudAudit is not designed to validate or attest “compliance”
  • Automates collection and presentation of data supporting queries, using a common set of namespaces aligned to the CSA Cloud Control Matrix
  • Artifacts are accessible by a human operating a web browser or a tool capable of utilizing CloudAudit over HTTP(S).
  • The consumers of this information are internal & external auditors, compliance teams, risk managers, security teams, etc. & in the longer term, brokers
Aligned to CSA Control Matrix
  • Officially folded CloudAudit under the Cloud Security Alliance in October, 2010
  • First efforts aligned to compliance frameworks as established by CSA Control Matrix:
    • PCI DSS
    • NIST 800-53
    • HIPAA
    • COBIT
    • ISO 27002
  • Incorporate CSA’s CAI and additional CompliancePacks
  • Expand alignment to “infrastructure” and “operations” -centric views also
What Was Delivered in v1.0
  • The first release of CloudAudit provides the scoped capability for providers to store evidentiary data in well-defined namespaces aligned to the 5 CSA Control Matrix mappings (PCI, HIPAA, NIST 800-53, ISO 27002, COBIT)*
  • The data in these namespaces is arbitrary and can be named and file-typed as such, so we need a way of dealing with what can be one to hundreds of supporting files, the contents of some of which are actually URIs to other locations

* Update v1.1 packaging available to include CSA CCM Updates

Current Discussions*
  • Stack Providers with whom we have discussed CloudAudit:
    • VMware, Citrix, Microsoft, OpenStack
  • Cloud Service Providers with whom we have discussed CloudAudit:
    • AWS, Google, Microsoft, Terremark, Savvis, Rackspace
  • Tool (GRC) solution providers with whom we are discussing CloudAudit Implementation:
    • Agiliance, RSA
  • Audit/Standards associations with whom we are discussing CloudAudit:
    • ISACA, ODCA, BITS, ISO, Open Group, DMTF, IETF

* NOTE: Discussions do not imply commitment to proceed or intent to support

What’s On The 6 Month Roadmap
  • Extend ATOM in manifest.xml to provide for timestamps, signatures and version control [need XML/ATOM expertise]
  • Version control and change notification in conjunction with…
  • …Architecture for registry services [cloudaudit.net] and extensions of such (public and/or private)
  • Implementation architecture for “atomic queries” (e.g. “PCI Compliant,” or “SAS-70 Certified”)
  • Expand On Specific CloudAudit Use Cases:
    • CloudAudit for Federal Government
    • CloudAudit for Cloud Providers
    • CloudAudit for Auditors/Assessors
    • Intensify and clarify connection between CloudAudit and the CTP
Manifest.xml
  • Structured listing of control contents
  • Can be extended to provide contextual information
  • Primarily aimed at tool consumption
  • In Atom format
index.html/default.jsp/etc.
  • Index.html is for dumb browser consumption
    • Typically, the direct human user use case
  • It can be omitted if directory browsing is enabled (not recommended)
  • It contains JavaScript to look for the manifest.xml file, parse it, and render it as HTML.
  • If no manifest.xml exists, it should list the directory contents relevant to the control in question
Atom Specification (RFC4287)
  • http://www.ietf.org/rfc/rfc4287.txt
  • Atom is an XML-based document format that describes lists of related information known as "feeds". Feeds are composed of a number of items, known as "entries", each with an extensible set of attached metadata. For example, each entry has a title.
  • The primary use case that Atom addresses is the syndication of Web content such as weblogs and news headlines to Web sites as well as directly to user agents.
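Added example, not CloudAudit’s own code: the slides above say manifest.xml is an Atom feed listing a control’s evidence, that some entries’ contents are really URIs to other locations, and that index.html carries JavaScript to find the manifest, parse it and render it as HTML. The Python below does the same job with the standard library so it can run offline: it parses a constructed manifest, flags entries whose artifact is an absolute URI outside the namespace directory, reports entries that list no artifact at all, and renders an HTML index with every provider-supplied value escaped. The namespace ids, file names and host are constructed placeholders.

```python
"""Parse a CloudAudit-style manifest.xml (an Atom feed, RFC 4287) and render it."""
import xml.etree.ElementTree as ET
from html import escape
from urllib.parse import urlparse

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed manifest for one hypothetical namespace directory; the ids,
# file names and host are placeholders, not a real provider's evidence.
SAMPLE_MANIFEST = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Evidence for PCI DSS requirement 10 (constructed example)</title>
  <id>urn:example:cloudaudit:pcidss:10</id>
  <updated>2011-10-01T12:00:00Z</updated>
  <entry>
    <title>Log retention policy</title>
    <id>urn:example:cloudaudit:pcidss:10:policy</id>
    <updated>2011-09-15T08:30:00Z</updated>
    <link rel="enclosure" type="application/pdf" href="log-retention-policy.pdf"/>
  </entry>
  <entry>
    <title>SIEM configuration export</title>
    <id>urn:example:cloudaudit:pcidss:10:siem</id>
    <updated>2011-09-20T17:45:00Z</updated>
    <link rel="enclosure" type="text/xml" href="https://evidence.example.net/siem/config.xml"/>
  </entry>
  <entry>
    <title>Entry with no artifact link</title>
    <id>urn:example:cloudaudit:pcidss:10:broken</id>
    <updated>2011-09-21T09:00:00Z</updated>
  </entry>
</feed>
"""


def parse_manifest(xml_text):
    """Return the feed title and one dict per Atom entry (title, id, updated, href, external)."""
    root = ET.fromstring(xml_text)
    if root.tag != ATOM + "feed":
        raise ValueError("manifest is not an Atom feed: %s" % root.tag)
    entries = []
    for entry in root.findall(ATOM + "entry"):
        link = entry.find(ATOM + "link")
        href = link.get("href") if link is not None else None
        entries.append({
            "title": entry.findtext(ATOM + "title", default=""),
            "id": entry.findtext(ATOM + "id", default=""),
            "updated": entry.findtext(ATOM + "updated", default=""),
            "href": href,
            # The slides note that some evidence "contents" are really URIs to
            # other locations; an absolute http(s) href is flagged so a reviewer
            # knows the artifact is not held in the namespace directory itself.
            "external": bool(href) and urlparse(href).scheme in ("http", "https"),
        })
    return {"title": root.findtext(ATOM + "title", default=""), "entries": entries}


def missing_links(manifest):
    """Entries that list no artifact at all: the manifest claims evidence it cannot show."""
    return [e for e in manifest["entries"] if not e["href"]]


def render_html(manifest):
    """Render the index a browser would show. Every value is escaped: the manifest is
    provider-supplied input and must not be able to inject markup into the page."""
    lines = ["<h1>%s</h1>" % escape(manifest["title"]), "<ul>"]
    for e in manifest["entries"]:
        if e["href"]:
            label = escape(e["title"]) + (" (external)" if e["external"] else "")
            item = '<a href="%s">%s</a>' % (escape(e["href"], quote=True), label)
        else:
            item = "%s (no artifact link)" % escape(e["title"])
        lines.append("<li>%s <small>updated %s</small></li>" % (item, escape(e["updated"])))
    lines.append("</ul>")
    return "\n".join(lines)


if __name__ == "__main__":
    m = parse_manifest(SAMPLE_MANIFEST)
    print(render_html(m))
    for e in missing_links(m):
        print("WARNING: no artifact for", e["id"])
```

The same three checks (feed well-formed, every entry has an artifact, external artifacts marked) are what an auditor’s tool would want before trusting a namespace directory; the roadmap items above (timestamps, signatures, version control in the Atom feed) would extend the entry dict rather than change this structure.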
Why a CloudTrust Protocol? Information Assurance is Cloud-Complicated … “Clouds are cloudy”

[Figure: requirements, services, and applications moving from private deployments into public clouds (Amazon, Microsoft, Google), with question marks where visibility is lost.]

As visibility is lost …

  • Where is the data?
  • Who can see the data?
  • Who has seen the data?
  • Is data untampered?
  • Where is processing performed?
  • How is processing configured?
  • Does backup happen? How? Where?

… Security, compliance, and value are lost as well

Cloud Processing: Three Big Obstacles to Value Capture
  • Lack of standards
  • Lack of portability
  • Lack of transparency

Leading to problems with … controls …, compliance …, sustained payoff …, reliability …, liability …, confidentiality …, privacy …

Compliance issues

Absent Transparency … Some Big Problems

For example, … without transparency …

  • No confirmed chain of custody for information
  • No way to conduct investigative forensics
  • Little confidence in the ability to detect attempts or occurrences of illegal disclosure
  • Little capability to discover or enforce configurations
  • No ability to monitor operational access or service management actions (e.g., change management, patch management, vulnerability management, …)
Relationship between Transparency and Elastic Payoff Potential based on Deployment Model

Seeking the best (realistic) enterprise cloud strategy on this risk/reward axis

Transparency Restores Information Assurance: Working with a “glass cloud” delivers the elastic benefits of the cloud

[Figure: the same requirements, services, and applications in public clouds (Amazon, Microsoft, Google), now with Visibility into each.]

As visibility is gained …
  • Configurations are known and verified
  • Data exposure and use is collected and reported
  • Access permissions are discovered and validated
  • Processing and data locations are exposed
  • Compliance evidence can be gathered and analyzed
  • Processing risks and readiness become known

… Security, compliance, and value are captured as well

CloudTrust Protocol (CTP) to deliver Transparency-as-a-Service (TaaS)

Elements of Transparency in the CTP v2.0

Only 23 in total in the entire protocol!

  • 6 Types
    • Initiation
    • Policy Introduction
    • Provider assertions
    • Provider notifications
    • Evidence requests
    • Client extensions
  • Families
    • Configuration
    • Vulnerabilities
    • Anchoring
    • Audit log
    • Service Management
    • Service Statistics
  • Elements
    • Geographic
    • Platform
    • Process
CloudTrust Protocol Pathways: Mapping the Elements of Transparency in Deployment

[Figure: the 23 elements of transparency routed through deployment pathways such as SCAP, CloudAudit.org, and sign/sealing.]

CloudTrust Protocol V2.0
  • Syntax
    • Based on XML
    • Traditional RESTful web service over HTTP
  • Legend:
  • New in V2.0
  • SCAP / XCCDF query & response structure
CTP Implementation Architecture: Configuration Item Relationships

[Figure: configuration items and their relationships, colour-coded by owner (legend: cloud consumer or service broker; cloud provider):
  • Cloud Consumer
  • TaaS (CTP) U/I and service director: identification, authorization, accounting, flow control, CTMB interface, response and reporting
  • CloudTrust Management Base (CTMB): the storage of user authorizations and credentials, request status, result histories, specifications, and commentary; management of the CTMB
  • CTP request & response stack: CTP request/response translation, packaging, and brokering (automated or manual)
  • Cloud Providers (CSC, Savvis, IBM, Microsoft, Google, Salesforce, Amazon, Others …), each with a CTP Response Engine (RE): CTP request queuing and execution in a conforming cloud, i.e. a cloud that acknowledges CTP (CTP conforming)]

Transparency-as-a-Service (TaaS): Turn on the lights you need … when you need them

Authorized TaaS Users ask:
  • What does my cloud computing configuration look like right now?
  • What audit events have occurred in my cloud configuration?
  • Who has access to my data now?
  • Who has had access to my data?
  • Where are my data and processing being performed?
  • What vulnerabilities exist in my cloud configuration?

[Figure: authorized TaaS users reach a CloudTrust UI (CTUI) on a cloud-hosted CTUI host, which uses the CloudTrust Protocol (CTP) Elements of Transparency (1 … 23) to query providers (Microsoft, Amazon, Google, Salesforce, Others …).]

The CSA CTP Working Group Agenda: Moving toward CTP V3.0
  • CTMB structure/schema
  • Trust package correlation with all contributing (traditional) security services
  • EoT extension technique
  • Characteristics of specification
  • Degree of automation
  • API
  • Priority/relative value of each Element of Transparency
  • SLA foundation
  • Transparency operator training and operations monitoring
  • Degree of automatic correlation with other elements of GRC stack
  • Final namespace
  • Identity store for transparency service authorizations; IAM for federated or “chained” identity needs across multiple cloud service providers
  • Evidence Request category “integrity and liability verification technique”
    • Attest to the content, provenance, and imputability of the response (with legal import)
    • Transmission integrity not sufficient; storage integrity not sufficient; require legal liability of intent to provide response as delivered
    • E.g., Surety AbsoluteProof, Kinamik Secure Audit Vault

  • Look for opportunities to join the working group!
  • Ask CSA for help in pilot implementations!
  • Get started now!

SESSION 4 //

Where and How to Begin

Connections to Other CSA Initiatives

Using the GRC Stack: Making the Stack Pack Approach Work for You
  • Easy to get started
  • Many successful combinations
  • Benefits accrue with each stack pack addition
  • Multiple alternatives to application and deployment
  • Mapped across multiple compliance mandates
CSA STAR (Security, Trust and Assurance Registry)
  • Public registry of cloud provider self assessments
  • Leverages GRC Stack projects
    • Consensus Assessments Initiative Questionnaire
    • Provider may substitute documented Cloud Controls Matrix compliance
  • Voluntary industry action promoting transparency
  • Free market competition to provide quality assessments
  • Available October 2011

Security, Trust, and Assurance Registry (CSA STAR)
  • Encourage transparency of security practices within cloud providers
  • Documents the security controls provided by various cloud computing offerings
  • Free and open to all cloud providers
  • Option to use data/report based on CCM or the CAIQ


STAR Listing Process

1. Provider fills out CAIQ or customizes CCM

2. Uploads document at /star

3. CSA performs basic verification
  • Authorized listing from provider
  • Delete SPAM, “poisoned” listing
  • Basic content accuracy check

4. CSA digitally signs and posts at /star
FAQ
  • Where? www.cloudsecurityalliance.org/star/
  • Help? Special LinkedIn support group and private mailbox moderated by CSA volunteers, online next week
  • Costs? Free to post, free to use
  • Is this a new hacker threat vector? No, it is responsible disclosure of security practices
  • Will CSA police STAR? Initial verification and maintenance of “Abuse” mailbox
  • Do listings expire? Yes, 1 year limit
  • Full FAQ to be posted at /star next week
Why not certification or 3rd party assessment?
  • Complex to do certification right
    • Many uses of cloud, many customer needs
    • Different risk profiles for each
  • CSA supporting broad industry consortia and standards bodies
    • ISO, ITU-T
    • Common Assurance Maturity Model (CAMM – 3rd Party assessment)
  • GRC Stack aligns with common requirements (e.g. PCI DSS, HIPAA, FedRAMP, 27001, COBIT, etc.)
  • Self assessment & transparency complements all
  • STAR could be part of SSAE 16 SOC II report (SAS 70 replacement)
Is CSA STAR temporary or the ultimate assurance solution?
  • Neither
  • Permanent effort to drive transparency, competition, innovation and self regulation with agility – crowdsourcing cloud security
  • Does not provide automation, 3rd party assessment, relative/absolute scoring, real-time controls monitoring, etc.
  • Ultimate assurance is real time GRC (enabled by CloudAudit) complemented by CSA STAR and 3rd party attestation. Will look to solution providers to deliver this integration
Trusted Cloud Initiative (TCI)
  • CSA certification criteria and seal program for cloud providers
  • Initial focus on secure & interoperable identity in the cloud, and its alignment with data encryption
  • Assemble with existing standards
  • Reference models & Proof of concept
  • Outline responsibilities for Identity Providers, Enterprises, Cloud Providers, Consumers
  • www.cloudsecurityalliance.org/trustedcloud.html
TCI Mission

“To create a Trusted Cloud reference architecture for cloud use cases that leverage cloud delivery models (SaaS, PaaS, IaaS) in the context of operational models (Public, Private, Hybrid) to deliver a secure and trusted cloud service.”

Holistic approach around controls…

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

… and Architecture best practices

https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

Use Cases and Patterns

Trusted Cloud Initiative

CAMM

The Common Assurance Maturity Model (CAMM) is designed to provide trustworthiness (safety, security and reliability) of the supply chain working within and across the Internet in the new information world. It offers the following benefits to customer and service provider organizations:

CAMM Objectives

Purpose

– Provide a framework that delivers the necessary transparency in attesting the Information Assurance maturity of a third party (e.g. a cloud provider).

– Allow the publication of results to be performed in an open and transparent manner, without the mandatory need for third party audit functions.

– Allow data processors to demonstrably publicise their attention to Information Assurance over other suppliers that may not take it as seriously.

– Avoid the subjective and bespoke arrangements that customers of such services are currently faced with.

Method

– Utilise existing standards such as ISO 27001, BS 25999, NIST SP 800-53, etc. to develop a series of control questions specific to the organisation.

– Responses to such questions (and the subsequent detail) to be published and available.

– Output to also include a score that details the provider’s Common Assurance Maturity score

CAMM: New business assurance barometer
  • CAMM is built on existing standards, so there is no need for massive re-investment.
  • Provides a genuine USP to organisations that have higher levels of information risk maturity
  • Leverage existing expenditure
  • Risk management maturity is open for stakeholders to view, using appropriate language and detail.
  • A business benefit that creates consumer trust that is both meaningful and understandable
  • Measures maturity against defined control areas, with particular focus on key controls.

[Figure: “Business Assurance” barometer labelled Genuine USP for providers; Transparent risk management; Meaningful; Objective.]

How it Works: A Simplified View

[Figure: a business with a stated risk appetite, a cloud provider, an internal hosting provider, and a third party requesting access each report a maturity level to a Third Party Assurance Centre.]

1. Business sets the level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.

2. Level of risk management maturity is communicated to business partners (and possible partners).

3. Evidence of compliance may be uploaded to a central repository that can be used by numerous customers.

4. Leverage existing expenditure and remove the need for duplicate verification (note: may remove audit requirement altogether).


SESSION 5 //

GRC Stack Evolution and Administration

How to Learn More

Open Mic for Q&A

GRC Stack Planned Evolutions

[Org chart repeated from the opening slide (Board; Steering Committee; Executive Director; Membership; Working Groups; Research Director; Research; Education; Chapters; Special competencies …; CCSK; Security Guidance for Critical Areas of Cloud Computing; GRC Stack (CCM, CAIQ, CloudAudit, CTP); PCI; CCM; CAIQ; CSA STAR; Trusted Cloud Initiative), with the planned sources of evolution highlighted; added item: Legal perspectives and alterations …]

The GRC Stack Evolution Plan

What is the current expansion/evolution plan for the GRC stack?

What’s Happening Now?

Research Work Groups Underway

  • CCM update
  • CAIQ update
  • CloudAudit update
  • CloudTrust Protocol update and integration into CSA GRC stack
  • Trusted Cloud Initiative
  • CloudSIRT
  • Cloud data governance
  • Cloud metrics
  • Security as a service (SecaaS)

Education

  • CCSK update
  • GRC stack training
  • PCI compliance in the cloud

A great time to move the security ecosystem forward in the cloud

  • Legend
  • Current planned sources of evolution for the GRC stack
Questions & dialogue (close of the AM presentation)


Cloud Security Alliance: Industry Efforts to Secure Cloud Computing

A Workshop on the CSA Governance, Risk, and Compliance (GRC) Stack

Jim Reavis, CSA Executive Director

Ron Knode (CSC), Marlin Pohlman (EMC), Kip Boyle (…), Becky Swain (…), John Yeoh (CSA)

October 2011


PM SESSIONS

SESSION 9 //

Connections and applications of GRC stack components in other initiatives (inside and outside the CSA)