Www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance Trusted Cloud Initiative...
www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance
Trusted Cloud Initiative Work Group Session
Architecture Focus Areas
High Level Use Cases
Use Case | Description
End User to Cloud | Applications running on the cloud and accessed by end users
Enterprise to Cloud to End User | Applications running in the public cloud and accessed by employees and customers
Enterprise to Cloud | Cloud applications integrated with internal capabilities
Principles
Define protections that enable trust in the cloud.
Develop cross-platform capabilities and patterns for proprietary and open-source providers.
Will facilitate trusted and efficient access, administration and resiliency to the customer/consumer.
Provide direction to secure information that is protected by regulations.
The Architecture must facilitate proper and efficient governance, identification, authentication, authorization, administration and auditability.
Centralize security policy, maintenance operation and oversight functions.
Access to information must be secure yet still easy to obtain.
Delegate or Federate access control where appropriate.
Must be easy to adopt and consume, supporting the design of security patterns.
The Architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
The Architecture must address and support multiple levels of protection, including network, operating system, and application security needs.
Goals
Use the breadth of the Cloud Security Alliance: Adjacent initiatives will be a focus for the TCI mandate. Built upon “pillars” from the Cloud Security Alliance. Provide an end-to-end security specification for cloud security.
Use the depth of the Cloud Security Alliance membership: Members have credibility from the top of the application to the “bare metal”, GRC and interoperability.
Enable a vendor neutral reference architecture specification: All vendor products that enable an end-to-end security platform will be used.
Provide an exemplary reference set of implementations: Global examples so that any country can implement the architecture to their requirements. Show examples of standards and how they can be implemented across products.
Open source initiative: Where the TCI supports implementation under its direction, the implementation is open source.
Note: The TCI Reference Architecture is not the same as the Cloud Computing Architectural Framework (Domain 1 of the Security Guidance for Critical Areas of Focus in Cloud Computing V2.1)
Holistic Approach to Controls...
Security Framework (ISO-27002)
IT Audit Framework (COBIT)
Legislative Framework (PCI, SOX, Etc.)
S-P-I Framework
CSA Controls Matrix
… And Architecture Best Practices
Business Architecture (SABSA)
Service Management Architecture (ITIL)
Security Architecture (Jericho)
IT Reference Architecture (TOGAF)
CSA Controls Matrix
Reference Model Structure
Business Operation Support Services (SABSA)
Information Technology Operation & Support (ITIL)
Presentation Services
Application Services
Infrastructure Services (TOGAF)
Information Services
Security and Risk Management (Jericho)
Business Operation Support Services (BOSS)
Data Governance
Operational Risk Management
Compliance
Security and Risk Management
Presentation Services
Information Services
Infrastructure Services
Facility Security
Asset Handling
Controlled Physical Access
Information Technology Operation & Support (ITOS)
Application Services
Service Support
Configuration Management
Problem Management
Incident Management
Change Management
Release Management
Service Delivery
Policies and Standards
Data Protection
Audit Planning
Reference Architecture Version 2.0 (pending changes)
Guiding Principles
Define protections that enable trust in the cloud.
Develop cross-platform capabilities and patterns for proprietary and open-source providers.
Will facilitate trusted and efficient access, administration and resiliency to the customer/consumer.
Provide direction to secure information that is protected by regulations.
The Architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
Centralize security policy, maintenance operation and oversight functions.
Access to information must be secure yet still easy to obtain.
Delegate or Federate access control where appropriate.
Must be easy to adopt and consume, supporting the design of security patterns.
The Architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
The architecture must address and support multiple levels of protection, including network, operating system, and application security needs.
High Level Use Cases
Chief Architect: Jairo Orea
Lead Architects: Marlin Pholman, Yaron Levi, Dan Logan.
Team: David Sherr, Richard Austin, Vern Williams, Anish Mohammed, Harel Hadass, Phil Cox, Yale Li, Price Oden, Tuhin Kumar, Rajiv Mishra, Ravila White, Scott Matsumoto, Rob Wilson, Charlton Barreto, Ryan Bagnulo, Subra Kumaraswamy.
Date: 07/20/2011
Revision: 12th Review
SABSA
ITIL v3
JERICHO
Independent Audits
Third-Party Audits
Internal Audits
Contact/Authority Maintenance
Information System Regulatory Mapping
Intellectual Property Protection
Data Ownership / Stewardship
Data Classification
Handling / Labeling / Security Policy
Secure Disposal of Data
Data Governance
Risk Assessments
Non-Production Data
Rules for Information Leakage Prevention
Information Leakage Metadata
Technical Security Standards
Data/Asset Classification
Barriers
Electronic Surveillance
Physical Authentication
Security Patrols
Business Impact Analysis
TOGAF
Data
Software
Hardware
Information Technology Resiliency
Capacity Planning Software Management Physical Inventory
Automated Asset Discovery
Configuration Management
Emergency Changes
Planned Changes
Project Changes
Scheduling
Operational Changes
Service Provisioning
Approval Workflow
Change Review Board
Security Incident Response
Automated Ticketing
Self-Service Ticketing
Event Classification
Root Cause Analysis
Source Code Management
Trend Analysis
Problem Resolution
Testing
Build
Version Control
Availability Management
Resiliency Analysis
Capacity Planning
Service Level Management
Objectives Internal SLAs
External SLAs
Vendor Management
OLAs
Service Dashboard
Asset Management
Service Costing
Operational Budgeting
Investment Budgeting
Charge Back
Connectivity & Delivery
Abstraction
Integration Middleware
Programming Interfaces
Knowledge Management
Presentation Modality
Presentation Platform
Service Support
Configuration Rules
(Metadata)
Service Events
Service Delivery
Service Catalog
SLAs
OLAs
Contracts
Recovery Plans
Business Continuity
Domain
Container
Process or Solution Data
Human Resources Security
Crisis Management
Background Screening
Employment Agreements
Employee Termination
Governance Risk & Compliance
Policy Management
IT Risk Management
Compliance Management
Technical Awareness and Training
InfoSec Management
Capability Mapping
Risk Portfolio Management
Risk Dashboard
Vendor Management
Audit Management
Residual Risk Management
Best practices
Trend Analysis Benchmarking
Job Descriptions
Roles and Responsibilities
Employee Code of Conduct
IT Operation
Resource Management
Segregation of Duties
PMO
Portfolio Management
Maturity Model
Roadmap
IT Governance
Architecture Governance
Standards and Guidelines
Project Management
Clear Desk Policy
Strategy Alignment
Data Loss Prevention
Network (Data in Transit)
End-Point(Data in Use)
Server(Data at Rest)
Intellectual Property Protection
Intellectual Property
Digital Rights Management
Cryptographic Services
Threat and Vulnerability Management
Patch Management
Compliance Testing
Databases
Signature Services
PKI
Data-in-Transit Encryption (Transitory, Fixed)
Privilege Management Infrastructure
Identity Management
Domain Unique Identifier
Federated IDM
Identity Provisioning
Attribute Provisioning
Authentication Services
SAML Token
Risk Based Auth
OTP Smart Card
Multifactor
Password Management
Authorization Services
Policy Enforcement
Policy Definition
Policy Management
Principal Data Management
Resource Data Management
XACML
Network Authentication
Biometrics
Single Sign On
Middleware Authentication
WS-Security
Privilege Usage Management
Servers
Network
Vulnerability Management
Application
Infrastructure
DB
Penetration Testing
Internal
External
Threat Management
Source Code Scanning
Risk Taxonomy
Infrastructure Protection Services
Server
Anti-Virus
HIPS /HIDS
Host Firewall
End-Point
Anti-Virus, Anti-Spam, Anti-Malware
HIPS / HIDS
Host Firewall
Data-at-Rest Encryption (DB, File, SAN, Desktop, Mobile)
Media Lockdown
Hardware Based Trusted Assets
Forensic Tools
Inventory Control
Content Filtering
Application
XML Appliance
Application Firewall
Secure Messaging Secure Collaboration
Network
Firewall Content Filtering
NIPS / NIDS
Link Layer Network Security
Wireless Protection
User Directory Services
Active Directory Services
LDAP Repositories
X.500 Repositories
DBMS Repositories
Registry Services
Location Services
Federated Services
Reporting Services
Dashboard
Reporting Tools
Data Mining
Business Intelligence
Virtual Directory Services
Security Monitoring
Risk Management
GRC
RA
BIA
DR & BC Plans
VRA TVM
Availability Services
Network Services
Storage Services
Development Process
Configuration Management
Database (CMDB)
Knowledge Repository
Change Logs
Meta Directory Services
Internal Infrastructure
Servers
End-Points
Virtual Infrastructure
BOSS
SaaS, PaaS, IaaS
Identity Verification
DPI
Session Events
AuthorizationEvents
Authentication Events
Application Events
Network Events
Computer Events
Risk Assessments
Audit Findings
Data Classification
Process Ownership
HR Data (Employees & Contractors)
Business Strategy
HIPS
Database Events
ACLs CRLs Compliance Monitoring
NIPS Events
DLP Events
Transformation Services
NIPS Events
Privilege Usage Events
eDiscovery Events
ITOS
PMO Strategy
Problem Management
Incident Management
CMDB Knowledge Management
Service Management
Change Management
Roadmap
Security Monitoring Services
SIEM Platform
Event Mining
Database Monitoring
Application Monitoring
End-Point Monitoring
Event Correlation
SOC Portal
Market Threat Intelligence
Counter Threat
Management
Cloud Monitoring
HoneyPot
E-Mail Journaling
Managed Security Services
Knowledge Base
Branding Protection
Anti-Phishing
Legal Services
Contracts
E-Discovery
Internal Investigations
Forensic Analysis
Data Lifecycle Management
Data De-Identification
Life Cycle Management
Data Seeding
Data Tagging
Meta Data Control
e-Mail Journaling
Data Obscuring
Data Masking
eSignature (Unstructured data)
Key Management
Symmetric Keys
Asymmetric Keys
Role Management
Keystroke/Session Logging
Privilege Usage Gateway
Password Vaulting
Resource Protection
DRP
Plan Management
Test Management
Contractors
Network Virtualization
External(VLAN)
Internal (VNIC)
Application Virtualization
Desktop “Client” Virtualization
Local Remote
Session-Based
VM-Based (VDI)
Server Virtualization
Virtual Machines (Hosted Based)
Hardware-Assisted
Paravirtualization
Full
Storage Virtualization <<insert Jairo’s content>
Network Address Space Virtualization
IPv4
IPv6
OS Virtualization
TPM Virtualization
Server Application Streaming
Block-Based Virtualization
Host-Based
Storage Device-Based
Network-Based
LVM
LUN
LDM Appliance
Switched
File-Based Virtualization
Database Virtualization
Virtual Memory
Client Application Streaming
Mobile Device Virtualization
Smartcard Virtualization
Virtual Workspaces
Data Discovery
Obligation
Remediation
Exceptions Self Assessment
Program Mgmnt
Best Practices & Regulatory correlation
Image Management
Out of the Box (OTB) AutZ
Application Performance Monitoring
Security Knowledge Lifecycle
Security Design Patterns
Real-time internetwork defense (SCAP)
Cross Cloud Security Incident Response
User Behavior & Profile Patterns
Black Listing Filtering
Self-Service Security
Code Review
Application Vulnerability
Scanning
Stress and Volume Testing
Attack Patterns
Real Time
Filtering
Software Quality Assurance
Security Application Framework - ACEGI
Code Samples
Risk Management Framework
Employee Awareness
Security Job Aids
Security FAQ
Orphan Incident Management
Secure Build
Compliance Monitoring
Service Discovery
OTB AutN
Mobile Devices Desktops
Portable Devices
Smart Appliances
Medical Devices
Handwriting (ICR)
Speech Recognition (IVR)
Company owned
Third-Party
Public Kiosk
Consumer Service Platform
Social Media
Collaboration
Enterprise Service Platform
B2B B2C
B2E B2M
Search
E-Mail
P2P
e-Readers
Rules for Data Retention
Information Security Policies
Independent Risk Management
Operational Security Baselines Job Aid Guidelines Role Based Awareness
Business Assessment
Technical Assessment
Data-in-use Encryption (Memory)
Incident Response Legal Preparation
Key Risk Indicators
Fixed Devices
Mobile Device Management
Equipment Maintenance
Data Segregation
Input Validation
Planning Testing
Environmental Risk Management
Physical Security
Equipment Location
Power Redundancy
Network Segmentation
Authoritative Time Source
White Listing
White Listing
Operational Risk Committee
End Point
Entitlement Review
Sensitive File Protection
Behavioral Malware Prevention
Hypervisor Governance and Compliance
Vertical Isolation
Behavioral Malware Prevention
Behavioral Malware Prevention
Secure Sandbox
Mapping from CCM to TCI
How to Use the Architecture
BOSS
ITOS
Presentation
SRM
Application
Information
Infrastructure
• Control Mapping
• Operational Checklists
Assess the opportunity
Reference Architecture
CSA Controls Matrix
CSA Consensus Assessment
Security Framework and Patterns
Interactive Website