Optimising cloud security, trust and transparency

Transcription

1 Optimising cloud security, trust and transparency April 2013 Jim Reavis, CSA Founder and Executive Director Daniele Catteddu, CSA Managing Director EMEA

2 About the Cloud Security Alliance! Global, not-for-profit organisation! Over 40,000 individual members, more than 160 corporate members, over 60 chapters! Building best practices and a trusted cloud ecosystem! Agile philosophy, rapid development of applied research! GRC: Balance compliance with risk management! Reference models: build using existing standards! Identity: a key foundation of a functioning cloud economy! Champion interoperability! Enable innovation! Advocacy of prudent public policy To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

3 Cloud and the Future Cloud is not just an option for the future. It is currently THE best option for IT services The strategic decision is not about moving or not to Cloud Computing, it is about HOW to embrace cloud computing

4 Agenda! INTRO! Cloud Trust! EU Policies and proposed Privacy reform! Certification Challenges! OPEN CERTIFICATION FRAMEWORK! STAR Certification! STAR Attestation

5 What are the Trust Issues?! Information asymmetry and lack of transparency! Complex global regulatory regimes! Compliance! Lack of awareness and education! Complex service delivery supply chain (by now even my 6y old son knows that a customer using DropBox is using Amazon without any direct contract..etc)

6 A new GOVERNANCE model Users need to understand the shift in the balance of responsibility and accountability for key functions such as governance and control over data and IT operations, ensuring compliance with laws and regulations. Cloud computing requires a new model for assessing organisational risks related to security and resilience.

7 INDIRECT CONTROL

8 ACCOUNTABILITY

9 Accountability in the cloud: the role of contracts! Contracts as an accountability mechanism! Cloud computing contracts (standard and negotiated)! Who is accountable to whom in cloud agreements! Main accountability obligations in contracts! Third parties and accountability in contracts! Third parties alternative mechanisms! Industry standards and model contract terms?

10 ASSURANCE Consumers do not have simple, cost effective ways to evaluate and compare their providers resilience, data protection capabilities and service portability.

11 EU Policies and proposed Privacy reform

12 European Cloud Strategy! (1) Key Action 1: Cutting through the Jungle of Standards! (2) Key Action 2: Safe and Fair Contract Terms and Conditions! (3) Key Action 3: Establishing a European Cloud Partnership to drive innovation and growth from the public sector.

13 European Cloud Strategy A wider use of standards, the certification of cloud services to show they meet these standards and the endorsement of such certificates by regulatory authorities as indicating compliance with legal obligations will help cloud take-off.

14 European Cloud Strategy The Commission will: Promote trusted and reliable cloud offerings by tasking ETSI to coordinate with stakeholders in a transparent and open way to identify by 2013 a detailed map of the necessary standards (inter alia for security, interoperability, data portability and reversibility). Enhance trust in cloud computing services by recognising at EU-level technical specifications in the field of information and communication technologies for the protection of personal information in accordance with the new Regulation on European Standardisation. Work with the support of ENISA and other relevant bodies to assist the development of EU-wide voluntary certification schemes in the area of cloud computing (including as regards data protection) and establish a list of such schemes by 2014.

15 EU data protection reform! Problems with 1995 Data Protection Directive as a harmonisation measure and in relation to new technologies (including cloud)! 25 January 2012 Commission published proposed reform package Current status of the reform proposals:! Draft reports from multiple committees of the European Parliament! About 4300 amendments proposed! Extensive lobbying by industry and governments (inc US)! Considerable uncertainty over timetable and outcome! Adoption of Regulation not the end of the process:! Regulation to come into force two years after publication! Delegated and implementing acts to be adopted over several years

16 EU data protection reform: key features! Data Controllers would have greater responsibilities! Data Processors would have new obligations and liabilities! Privacy by Design, Privacy by Default, Privacy Impact Assessments! Risk-appropriate security measures and data breach notification! Stricter rules on international data transfers! Right to be forgotten! Data portabillity! Codes of conduct! Certification mechanisms (including DP seals and marks)! Data Protection Officers (DPOs)

17 HOW DO WE BUILD TRUST & TRANSPARENCY? IS A SEC CERTIFICATION AN EFFECTIVE SOLUTIONS?

18 Certification for cloud services! In the Agenda of the EC! Requested from Art29 WP as a measure for privacy compliance! Already part of the cloud strategy in countries such USA, Singapore, Thailand, China, Honk Kong, Taiwan,! In Europe various Member States are looking at a certification/accreditation schema for cloud service (especially in Public Procurement)! The UK G-Cloud is based on a logic of companies accredited to offer service in the App Store

19 Certification Challenges! Provide a globally relevant certification to reduce duplication of efforts! Address localized, national-state and regional compliance needs! Address industry specific requirements! Address different assurance requirements! Address certification staleness assure provider is still secure after point in time certification! Do all of the above while recognizing the dynamic and fastchanging world that is cloud

20 Certification Challenges This gap of trust mainly lies down in the difficulties of cloud users in addressing fundamental assurance issues with cloud providers, such as:! Understanding legal compliance and contractual liabilities,! Defining and allocating responsibilities! Enforcing accountability! Translating requirements into cloud language/controls/ checks! Identifying means for an ex-ante analysis assessment of cloud services and for a! Continuous monitoring of cloud service contract execution

21 Which are the driving principle?

22 Which are the driving principle?

23 Which are the driving principle?

24 Certification Challenges The Cloud Security Alliance has identified gaps within the IT ecosystem that are inhibiting market adoption of secure and reliable cloud services. Consumers do not have simple, cost effective ways to evaluate and compare their providers resilience, data protection capabilities and service portability.

25 OCF: VISION STATEMENT! The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.! The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance s industry leading security guidance and control objectives.! The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost. ~Jim Reavis & Daniele Catteddu; CSA~

26 OCF: The structure The open certification framework is structured on 3 LEVELs of TRUST, each one of them providing an incremental level of visibility and transparency into the operations of the Cloud Service Provider and a higher level of assurance to the Cloud consumer.

27 OCF Level 1: CSA STAR Registry! CSA STAR (Security, Trust and Assurance Registry)! Public Registry of Cloud Provider self assessments! Based on Consensus Assessments Initiative Questionnaire! Provider may substitute documented Cloud Controls Matrix compliance! Voluntary industry action promoting transparency! Free market competition to provide quality assessments! Provider may elect to provide assessments from third parties! Available since October 2011

28 OCF: Level 2 CERTIFICATION

29 What is STAR Certification?! Continuous monitoring of cloud service contract executionstar CERTIFICATION evaluates the efficiency of an organization s ISMS and ensures the scope, processes and objectives are Fit for Purpose.! Help organizations prioritize areas for improvement and lead them towards business excellence.! Enables effective comparison across other organizations in the applicable sector.! Focused on the strategic & operational business benefits as well as effective partnership relationships.! Based upon the Plan, Do, Check, Act (PDCA) approach and the controls outlined in the Cloud Controls Matrix (CCM)! Enables the auditor to assess a company s performance, on longterm sustainability and risks, in addition to ensuring they are SLA driven, allowing senior management to quantify and measure improvement year on year.

30 What is STAR Certification? The concept of the scheme is to use to the ISO/IEC 27001:2005 certification integrated with the CSA Cloud Control Matrix (CCM) as additional or compensating controls as applicable and the organization s own internal requirements or specifications to assess how advanced their systems are. The scheme will be compliant with ISO and ISO Will be open to all 3rd party Certified Bodies (CB) Will be an additional scheme to the CB organizations internal ISO scheme requirements. It is not meant to be a replacement.

31 PDCA Model for an ISMS

32 Application of ISO Application Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard. These clauses are: Information security management system Management responsibility Internal ISMS audits Management review of the ISMS ISMS improvement

33 Annex A is not mandatory! It s an Annex, not a RequirementAnnex A contains a comprehensive list of control objectives and controls that have been found to be commonly relevant in organizationsusers of this International Standard are directed to Annex A as a starting point for control selection to ensure that no important control options are overlookedadditional controls may be necessary for cloud service providers. Also compensating controls can be used to strengthen the ISMS and management system.

34 What is STAR Certification?

35 STAR Certification: the role of CCM The CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The Cloud Controls Matrix is meant to be integrated into the assessment by the auditor, referencing the applicable CCM control to the associated ISO controls (SOA) The output will be the result of the overall performance of the organization within the scope of certification.

36 Benefits of STAR Certification? Sales and Marketing Benefits:! Added to the current management system.! A ISO certification plus a STAR certificate as evidence of both compliance and performance to both suppliers, customers and other interested parties.! The ability to benchmark your organization s performance and gauge your improvement from year to year.! An independently validated report from an external Certified Body (CB) body which can be used to demonstrate an organization s progress & performance levels.! Exclusive to the STAR Registry.

37 Benefits of STAR Certification? Strategic Benefits:! A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organization.! A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the results and measurements of assessments are both relevant and necessary in helping organizations manage their business.! A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organizations performance to enabling senior management to the identify action areas needed.! A set of improvement targets to encourage an organization to move beyond compliance toward continued improvement.

38 Benefits of STAR Certification? Operational Benefits! Scalable to organizations of all sizes. Provides information that allows you to know where they are now and measure any improvements, internally benchmark their sites and potentially externally benchmark their supply chain to stimulate healthy competition.! A visual representation of the status of a business and instantly highlights where the strengths, weaknesses, allowing clients to maximize resources, improve operational efficiencies and reduce costs! Independent reassurance to prove to senior management where the risks, threats, opportunities lie within a business

39 OCF: Level 2 Attestation

40 What is STAR Attestation?! Star Attestation (through the type 2 SOC attestation examination) helps companies meet the assessment and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix (CCM). This assessment:! Is based on a mature attest standard! Allows for immediate adoption of the CCM as additional criteria and the flexibility to update the criteria as technology and market requirements change! Does not require the use of any criteria that were not designed for, or readily accepted by cloud providers! Provides for robust reporting on the service provider s description of its system, and on the service provider s controls, including a description of the service auditor s tests of controls in a format very similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance

41 AICPA SOC Reporting Options Trust Services Principles and Criteria

42 What is STAR Attestation? Who the users are Why What SOC Management 2 SM Regulators Others GRC programs Oversight Due diligence Concerns regarding security, availability, processing integrity, confidentiality or privacy If the report will be used by customers and/or stakeholders to gain confidence and place trust in a service organization s system: Need to understand the details of processing and controls at your organization, the tests performed & results of those tests? SOC 2 SM Report

43 SOC 2 (AT 101): Key strengths! AT 101 is a mature attest standard (it serves as the standard for SOC 2 and SOC 3 reporting )! Provides for robust reporting on the service provider s description of its system, and on the service provider s controls, including a description of the service auditor s tests of controls in a format very similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance! Evaluation over a period of time rather than a point in time! Recognition with an AICPA Logo

44 SOC 2 SM Report 5 Trust Services Attributes! Security The system is protected against unauthorized access (both physical and logical).! Availability The system is available for operation and use as committed or agreed.! Processing integrity System processing is complete, accurate, timely and authorized.! Confidentiality Information designated as confidential is protected as committed or agreed.! Privacy Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.

45 Customized business report The report goes beyond the usual assessment report and helps you to identify your:! Business threats! Business risks! Business impacts! Business improvement actions in relation to your business objectives and current processes

46 Qualified Auditors for STAR ATTESTATION! Independent Certified Public Accountant (CPA)! CPA s are subject to licensing and continuing education requirements! Firms and engagements are subject to quality review

47 Contact Help Us Secure Cloud Computing!! LinkedIn:

48 THANK YOU!