CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES. Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

Transcription

1 CSA GUIDANCE VERSION 4 S TAT E O F T H E A R T CLOUD SECURITY AND GDPR NOTES Hing-Yan Lee (Dr.) EVP, APAC, Cloud Security Alliance

2 ABOUT THE BUILDING SECURITY BEST PRACTICES FOR NEXT GENERATION IT CLOUD SECURITY ALLIANCE GLOBAL, NOT-FOR-PROFIT ORGANIZATION RESEARCH AND EDUCATIONAL PROGRAMS CLOUD PROVIDER CERTIFICATION CSA STAR To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. USER CERTIFICATION CCSK THE GLOBALLY AUTHORITATIVE SOURCE FOR TRUST IN THE CLOUD

3 88,000+ INDIVIDUAL MEMBERS 80+ CHAPTERS 2009 CSA FOUNDED OUR COMMUNITY 400+ CORPORATE MEMBERS 35+ ACTIVE WORKING GROUPS SEATTLE/BELLINGHAM, WA // US HEADQUARTERS EDINBURGH // UK HEADQUARTERS Strategic partnerships with governments, research institutions, professional associations and industry CSA research is FREE! SINGAPORE // ASIA PACIFIC HEADQUARTERS

4 SECURITYGUIDANCE V.4 AT A GLANCE

5 About Security Guidance V4 Fundamental cloud security research that started CSA 4 th version, released July 2017 Architecture Governing in the Cloud Governance and Enterprise Risk Management Legal Compliance & Audit Management Information Governance Operating in the Cloud Management Plane & Business Continuity Infrastructure Security Virtualization & Containers Incident Response Application Security Data Security & Encryption Identity Management Security as a Service Related Technologies

6 DOMAIN 1: CLOUD COMPUTING CONCEPTS & ARCHITECTURE Definitions

7 Definitions DOMAIN 1: CLOUD COMPUTING CONCEPTS & ARCHITECTURE

8 DOMAIN 1: CLOUD COMPUTING CONCEPTS & ARCHITECTURE Logical Models & Architectures Shared Responsibility Sample SaaS Architecture Logical Model

9 DOMAIN 1: CLOUD COMPUTING CONCEPTS & ARCHITECTURE Key Takeaways Understand Cloud Definitions Shared Responsibility of Security Leverage key CSA assurance tools Cloud Controls Matrix Consensus Assessments Initiative Questionnaire CSA Security, Trust & Assurance Registry (STAR) CSA Enterprise Architecture

10 DOMAIN 2: GOVERNANCE AND ENTERPRISE RISK MANAGEMENT Risk & Governance Hierarchy

11 DOMAIN 2: GOVERNANCE AND ENTERPRISE RISK MANAGEMENT Key Takeaways Adapting Risk Management program to cloud s unique characteristics Understanding tradeoffs and tools Understanding a virtual approach to security risk management Assessment process Cloud Assessment Process

12 DOMAIN 3: LEGAL

13 DOMAIN 3: LEGAL Key Takeaways Regional regulatory examples affecting cloud Contract criteria, due diligence focus and negotiations Electronic discovery Data collection and retention issues High level discussion of critical legal issues for both providers and customers NOTE: for GDPR tools, check out our GDPR Resource Center and the CSA Code of Conduct for GDPR Compliance: gdpr.cloudsecurityalliance.org/

14 DOMAIN 4: COMPLIANCE AND AUDIT MANAGEMENT Key Takeaways Have a continuous approach Leverage high quality certifications & attestation as opposed to bespoke audits Scoping of audits/assessments is critical CSA tools essential

15 DOMAIN 5: INFORMATION GOVERNANCE Key Takeaways Understand cloud information governance domains, e.g. privacy, location, classification, controls, etc. Know your governance requirements before selecting cloud application Take a data security lifecycle approach Data Security Lifecycle

16 DOMAIN 6: MANAGEMENT PLANE AND BUSINESS CONTINUITY Key Takeaways Critical new domain reflecting practical knowledge in cloud security management High availability and business continuity intra-cloud vs inter-cloud Protection of privileged accounts

17 DOMAIN 7: INFRASTRUCTUR E SECURITY Key Takeaways Fundamentals of IaaS platform security Apply least privilege on a granular level, e.g. workloads Apply Software-Defined Networking (SDN) & Software-Defined Perimeter (SDP) Understand vulnerability assessment and penetration testing changes Immutable VM/Container Deployment

18 DOMAIN 8: VIRTUALIZATION AND CONTAINERS Key Takeaways Tenant isolation Secure by default images Cloud-native patch management Orchestration tools

19 DOMAIN 9: INCIDENT RESPONSE Key Takeaways Understand the IR lifecycle process Cloud providers have varying options supporting IR SLAs are an important area to understand ahead of time Cloud tools provide superior capabilities to orchestrate and automate IR

20 DOMAIN 10: APPLICATION SECURITY Key Takeaways Leverage a recognized secure software development lifecycle, e.g.: MS-SDLC, NIST800-64, ISO/IEC Understand new cloud app design trends Make sure you are addressing DevOps and Continuous Deployment Understand multi-tenant vulnerability assessment & pen testing considerations Continuous Deployment Pipeline

21 DOMAIN 11: DATA SECURITY AND ENCRYPTION Key Takeaways Understand provider data security controls, risk based approach to encryption (can t encrypt everything) Customer-managed keys preferable where feasible CASB may help with encryption prioritization/decision support Granular access control & entitlements

22 DOMAIN 12: IDENTITY MANAGEMENT Key Takeaways Extend strong internal identity federation Federation standards critical Multi-factor authentication needed (mandatory for privileged identities) Attribute-based preferred to role-based access control

23 DOMAIN 13: SECURITY AS A SERVICE Key Takeaways Numerous benefits Flexible deployment Shared intelligence Staffing expertise Vetting as you would any important cloud provider: certifications, portability, regulatory support Visibility into your data & logs critical

24 DOMAIN 14: RELATED TECHNOLOGIES Key Takeaways Big Data Internet of Things Mobile computing Serverless cloud Discuss synergy and cloud leverage

25 CSA Code of Conduct for GDPR Compliance Released November 2017 Provide CSPs a tool to achieve EU Data Protection Provide cloud customer with a tool to evaluate CSP Data Protection compliance Code of Conduct Self-Assessment and Certification added to CSA STAR in early 2018 Working closely with supervisory authorities for approval

26 CSA Code of Conduct Structure of components Part 1: CSA CoC objectives & scope Part 2: Privacy Level Agreement Code of Practice Part 3: CSA CoC Governance mechanisms Detailed list of GDPR requirements Strongly based on WP29 Opinions, ENISA Guidelines and ISO standards Considers differences between CSPcontroller and CSP-processor

27 L E G A L C O M P L I A N C E CODE OF CONDUCT FOR GDPR COMPLIANCE CSA Code of Conduct and CSA STAR CSA STAR: world s largest registry of cloud security assertions Adding GDPR self-assessment January 2018 Adding GDPR 3 rd party certification H View specifications in Part 3 of Code of Conduct T E C H N I C A L C O M P L I A N C E

28 THANK YOU Contact CSA Site: Learn: Download: GDPR Resource center: