5/26/2018 CloudBytes_STAR Certification V1
1/56
CSA Cloud STAR Certification
John A. DiMaria; CSSBB, HISP, MHISP, AMBCI
Certification Product Manager; BSI Group America Inc.
2014 Cloud Security Alliance - All Rights Reserved.CloudBytes // BSI Presentation
The Paradigm Has Changed
"When a paradigm shifts, everything goes back to zero." ~Joel Barker~
Nothing you have done in the past matters any more. You cannot count on past success.
www.cloudsecurityalliance.orgCopyright 2014 Cloud Security Alliance
The CSA GRC Stack
A suite of four integrated and reinforcing CSA initiatives (the "stack packs"):
Cloud Controls Matrix
Consensus Assessments Initiative
CloudAudit
CloudTrust Protocol
Designed to support cloud consumers and cloud providers.
Prepared to capture value from the cloud as well as support compliance and control within the cloud.
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
Stack Pack / Delivering / Description

CloudTrust Protocol
Delivering: Continuous monitoring with a purpose
Description: Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers

CloudAudit
Delivering: Claims, offers, and the basis for auditing service delivery
Description: Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments

Consensus Assessments Initiative
Delivering: Pre-audit checklists and questionnaires to inventory controls
Description: Industry-accepted ways to document what security controls exist

Cloud Controls Matrix
Delivering: The recommended foundations for controls
Description: Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider
CAIQ Guiding Principles
The following are the principles that the working group used as guidance when developing the CAIQ:
The questionnaire is organized using the CSA's 13 governing and operating domains, divided into control areas within the CSA Cloud Controls Matrix structure.
Questions are to assist both cloud providers, in general principles of cloud security, and clients, in vetting cloud providers on the security of their offering and the company's security profile.
The CAIQ is not intended to duplicate or replace existing industry security assessments, but to contain the questions unique or critical to the cloud computing model in each control area.
Each question should be answerable with a yes or no. If a question could not be answered yes or no, it was separated into two or more questions that can be.
Questions are intended to foster further, more detailed questions from the client to the provider, specific to the client's cloud security needs. This was done to limit the number of questions and keep the assessment feasible, since each client may have unique follow-on questions or may not be concerned with all of them.
The CAIQ Questionnaire
CAIQ Questionnaire
Control Group, Control Group ID (CGID) and Control Identifier (CID) all map the CAIQ question being asked directly to the CCM control that is being addressed. Relevant compliance regimes and standards are mapped line by line to the CAIQ, which in turn maps to the CCM. CAIQ v1.1 maps to the following compliance areas: HIPAA, ISO 27001, COBIT, NIST SP 800-53, FedRAMP, PCI DSS, BITS and GAPP. V1.2 will additionally include mappings to the Jericho Forum and NERC CIP.
Each question can be answered by a provider with a yes or no. This provides a good deal of transparency, although it is, of course, a self-assessment.
Sample Questions to Vendors

Compliance - Independent Audits (CO-02)
CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
CO-02f - Are the results of the network penetration tests available to tenants at their request?
CO-02g - Are the results of internal and external audits available to tenants at their request?

Data Governance - Classification (DG-02)
DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags that can be used to prevent guest operating systems from booting/instantiating/transporting data in the wrong country)?
DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag)?
DG-02c - Do you have a capability to use system geographic location as an authentication factor?
DG-02d - Can you provide the physical location/geography of storage of a tenant's data upon request?
DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
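The questions above are answered yes/no and each maps, through its CGID, to one CCM control. The following is an added example (not CSA or BSI code) of how a cloud consumer might roll a provider's CAIQ self-assessment up to control level and derive the follow-on questions the guiding principles anticipate. The question IDs and texts are the ones quoted above; the provider answers are constructed for illustration.

```python
"""Roll up CAIQ yes/no answers to the CCM control each question maps to.

Added example, not part of the CSA/BSI material. Question IDs are the
CO-02 and DG-02 questions quoted on the slide; answers are constructed.
"""
from collections import defaultdict

# (control group ID, question ID, short text) for the sample questions.
CAIQ_QUESTIONS = [
    ("CO-02", "CO-02a", "Tenants may view third-party audit reports"),
    ("CO-02", "CO-02b", "Regular network penetration tests"),
    ("CO-02", "CO-02c", "Regular application penetration tests"),
    ("CO-02", "CO-02d", "Regular internal audits"),
    ("CO-02", "CO-02e", "Regular external audits"),
    ("CO-02", "CO-02f", "Network pentest results available to tenants"),
    ("CO-02", "CO-02g", "Audit results available to tenants"),
    ("DG-02", "DG-02a", "VM identification via policy tags/metadata"),
    ("DG-02", "DG-02b", "Hardware identification via tags (TXT/TPM, VN-Tag)"),
    ("DG-02", "DG-02c", "Geographic location as an authentication factor"),
    ("DG-02", "DG-02d", "Physical location of tenant data on request"),
    ("DG-02", "DG-02e", "Tenant-defined acceptable geographies"),
]

# Constructed provider self-assessment (hypothetical answers).
PROVIDER_ANSWERS = {
    "CO-02a": "yes", "CO-02b": "yes", "CO-02c": "yes", "CO-02d": "yes",
    "CO-02e": "yes", "CO-02f": "no", "CO-02g": "yes",
    "DG-02a": "yes", "DG-02b": "no", "DG-02c": "no", "DG-02d": "yes",
    "DG-02e": "maybe",   # not a valid CAIQ answer; must be flagged, not ignored
}


def normalise(answer):
    """CAIQ answers are yes or no; anything else is treated as not answered."""
    a = (answer or "").strip().lower()
    if a in ("yes", "y"):
        return "yes"
    if a in ("no", "n"):
        return "no"
    return "invalid"


def roll_up(questions, answers):
    """Group question IDs by CGID into {'yes': [...], 'no': [...], 'invalid': [...]}."""
    by_control = defaultdict(lambda: {"yes": [], "no": [], "invalid": []})
    for cgid, qid, _text in questions:
        by_control[cgid][normalise(answers.get(qid))].append(qid)
    return dict(by_control)


def control_status(rollup, cgid):
    """A CCM control counts as covered only when every mapped question is 'yes'."""
    r = rollup[cgid]
    if r["invalid"]:
        return "incomplete"
    if r["no"]:
        return "gap"
    return "covered"


def follow_up_questions(questions, rollup):
    """Client-specific follow-on questions for every 'no' or unanswerable item."""
    text = {qid: t for _, qid, t in questions}
    out = []
    for r in rollup.values():
        for qid in r["no"]:
            out.append((qid, f"Why not, and what compensating control exists? ({text[qid]})"))
        for qid in r["invalid"]:
            out.append((qid, f"Answer must be yes or no ({text[qid]})"))
    return sorted(out)


if __name__ == "__main__":
    rollup = roll_up(CAIQ_QUESTIONS, PROVIDER_ANSWERS)
    for cgid in sorted(rollup):
        print(cgid, control_status(rollup, cgid), rollup[cgid])
    for qid, question in follow_up_questions(CAIQ_QUESTIONS, rollup):
        print(qid, question)
```

Treating a non yes/no answer as "incomplete" rather than silently dropping it matters in practice: a self-assessment with "N/A" or "partially" scattered through it is not comparable across providers, which is exactly what the yes/no rule in the guiding principles is meant to guarantee.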
Example Answers
Background
ISO/IEC 27001 is the international management systems standard for information security. It is widely recognized and respected and in some cases mandated by governments, for example in Japan and in Her Majesty's Government (HMG) G-Cloud in the UK.
It does not focus in detail on any sector-specific area of security; it is scalable and flexible to allow for growth and applicability.
The Cloud Controls Matrix (CCM) provides the additional detail required to ensure that the generic standard focuses on the critical controls for cloud security.
ISO 27001 is written with the expectation that other controls could be added. Extract from ISO/IEC 27001: "Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. Organizations can design controls as required, or identify them from any source."
In addition there was a concern that the pass/fail approach to standards does not give much information to cloud service purchasers. Therefore the CCM will be assessed against a 5-level capability model.
Assessing the CCM
ISO/IEC 27001 ensures an organization has the overarching management system in place to manage the processes and procedures governing the controls. Without this in place there would be little reassurance that the controls sit within a sound management framework.
Scope must be fit for purpose and SLA driven.
The audit adds an assessment of the CCM against a maturity model, because this not only lets an organization and its clients understand that they have met the minimum standards, but shows them where there is potential for improvement.
The maturity model was piloted and improved to ensure a reliable result can be achieved.
BSI facilitated the development because we have experience in creating maturity/capability models that work with management system standards. Our aim was to take the most appropriate approaches out there to create a model that works with the CCM.
CCM 1.4 - 11 Domains
1. Compliance (CO)
2. Data Governance (DG)
3. Facility Security (FS)
4. Human Resources (HR)
5. Information Security (IS)
6. Legal (LG)
7. Operations Management (OM)
8. Risk Management (RI)
9. Release Management (RM)
10. Resiliency (RS)
11. Security Architecture (SA)
Assessing the CCM - 98 Controls
Add the CCM controls to the existing SoA (the ISO/IEC 27001 Statement of Applicability).
Capability Maturity Model
"If you don't know where you are going, any road will get you there." ~Lewis Carroll~
Capability Life Cycle - PDM
Kaizen principle
The Management Capability Levels
Capability levels:
1. No Formal Approach
2. Reactive Approach
3. Proactive Approach
4. Improvement Based Approach
5. Innovative Approach
Capability factors:
1. Communication and Stakeholder Engagement
2. Policies, Plans and Procedures, and a Systematic Approach
3. Skills and Expertise
4. Ownership, Leadership and Management
5. Monitoring and Measuring
[Diagram: ISO/IEC 27001 (general management system) + CCM (cloud-specific controls) + Capability Model = a well MANAGED and FOCUSED system]
G-Cloud
"The G-Cloud has a current accreditation scheme which focuses on the sensitivity of the information that is stored within the cloud solution and couples that with certain controls, actions and evidence that the cloud provider must provide in order to prove that the information is kept safe." ~SaaSAssurance~
"By achieving Pan Government Accreditation it will enable these services to be procured by multiple customers, benefiting both customer and supplier, fitting with our mantra of do it once and re-use, re-use, re-use." ~HM Government G-Cloud~
Business Impact Levels
Extract from HMG IA Standard No.1 Business Impact Level Tables
What the Experts Say
"Well, earlier on I made the claim that the answer to provide transparency in public sector cloud certification, when none exists, is the CSA (STAR). Using the principles of the G-Cloud accreditation plus the Cloud Security Alliance (STAR) Certification can provide a very high level of assurance." ~Mark Dunne, CEO; SaaSAssurance~
The following slides demonstrate how both G-Cloud and (STAR) can be used together for that high level of assurance.
G-Cloud Accreditation and CSA (STAR), side by side
Let's look at ways to optimise the level of assurance by using both certification schemes in tandem.

G-Cloud Accreditation: Risk Assessment, RMADS, Residual Risk Statement, Risk Register
CSA (STAR): Cloud Controls Matrix (CCM)
For G-Cloud accreditation, the Pan Government Accreditor must review and approve the Risk Management And Accreditation Documentation Set (RMADS). To bolster this process, ensure the controls from the Cloud Controls Matrix (CCM) are reviewed while dealing with all assets related to cloud technology.

G-Cloud Accreditation: ISO/IEC 27001 Certificate
CSA (STAR): ISO/IEC 27001 Certificate
For G-Cloud accreditation, ISO/IEC 27001 certification must be carried out by a UKAS-accredited body or an international equivalent (a signatory to the EA MLA). STAR Certification is based upon achieving ISO/IEC 27001 and the specified set of criteria outlined in the Cloud Controls Matrix.

G-Cloud Accreditation: ISO/IEC 27001 Certificate (suitably scoped)
CSA (STAR): ISO/IEC 27001 Certificate (fit for purpose)
On top of being UKAS or equivalent, IL1/2 (Business Impact Level profiles 11x/22x) is based on good commercial standards, centred around a suitably scoped ISO/IEC 27001 certification. STAR Certification evaluates the efficiency of an organization's ISMS and ensures the scope, processes and objectives are fit for purpose.

G-Cloud Accreditation: Information Assurance (IA) compliance
CSA (STAR): Management Capability Score
The public sector requires information assurance as part of the security accreditation of G-Cloud ICT services (providing evidence on DPA, location, personal information, subcontractors, technical solution, etc.). With STAR, each domain is scored on a specific maturity level and measured against the five management principles, defining the Management Capability Score. These levels are designated as No, Bronze, Silver or Gold awards.
UK G-Cloud & CSA (STAR)
"As you can see, this is an example of how, when combined, the CSA (STAR) and Government accreditation frameworks can provide an exceptional level of assurance for solutions operating in the public sector, and the (STAR) Certification will become that differentiator."
By: Mark Dunne, SaaSAssurance
@2SaaS
Digital Information Security Management Systems: ISO/IEC 27001
Full article to feature in eForensics magazine
Cloud Controls: What are they about?
Approving Assessors
Experience: They must be a qualified auditor working for an ISO 27006 accredited CB, with evidence of conducting ISO 27001 assessments for a certification body accredited by an IAF member to ISO 27006, or their qualifications as an auditor for that organization.
Competence: They must complete the CSA-approved course qualifying them to audit the CCM for STAR Certification (this course is sanctioned by CSA and carried out by BSI).
Background: They must demonstrate knowledge of the cloud sector, either through verifiable industry experience (this can include assessing organizations) or through completing CCSK certification or equivalent.
[Diagram: Assessor = Knowledge of Cloud + Knowledge of the CCM audit + Knowledge of ISO 27k audit]
Credibility
Countries/entities that refer to OCF / STAR Certification either as a requirement in cloud service procurement or as a suitable certification for the security of cloud services:
European Commission
Thailand
Singapore
Taiwan
Australia
New Zealand
Internet2
Endorsements
"This unified third-party certification greatly improves the efficiency with which consumers evaluate providers and provides an objective, thorough credential upon which to build trust in a provider's services."
"In the absence of CSA's STAR certification, parties negotiating cloud-based services confront significant friction in putting in place the terms and conditions of their arrangements. No one benefits from extensive contract negotiations that are often shaped by lawyers struggling to understand the technologies and assurances; STAR certification streamlines the dialogue and provides a transparent, shared foundation for moving forward."
Jeffery Ritter, Esq.; Cyber Law, Research, Standards, Technology, International Trade, and Author. Recognized as a pioneer in shaping the legal rules for cyberspace.
"The CSA STAR Certification and Registry represent an important innovation toward improving the transparency and certainty with which the global community can embrace cloud-based services with greater confidence."
Cloud Trust Protocol
Real-time monitoring of security properties, as well as continuous transparency of services and comparability between services on core security properties.
CTP Real-Time Monitoring
Consumers do not have simple, cost-effective ways to evaluate and compare their providers' resilience, security processes, data protection capabilities, and service portability in real time.
The CSA Cloud Trust Protocol (CTP) is an industry initiative to enable real-time monitoring of cloud provider security properties, as well as providing continuous transparency of services and comparability between services on core security properties.
CTP forms part of the GRC stack and the Open Certification Framework as the continuous monitoring component, complementing the point-in-time assessments provided by STAR Certification and STAR Assessment.
The CTP Application Programming Interface (API) is designed as a RESTful protocol that cloud customers can use to query a Cloud Service Provider (CSP) on the current security attributes of a cloud, such as the current level of availability of the service or information on the last vulnerability assessment, in a classical query/response approach.
It will be built on the following CSA best practices/standards:
Cloud Controls Matrix (CCM)
Cloud Trust Protocol (CTP)
CloudAudit
CSA STAR Continuous is currently under development and the target date for delivery is 2015.
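To make the query/response model concrete, here is an added example (not the CSA CTP specification and not CSA code) of what one such exchange looks like from both sides. The resource paths, attribute names and JSON field layout are assumptions made for illustration; the measurements are constructed. The customer side does the two checks a practitioner actually needs before trusting a real-time attribute: is the evidence fresh, and does the value meet the SLA or policy.

```python
"""Minimal CTP-style query/response for current security attributes.

Added example, not the CSA Cloud Trust Protocol specification or code.
Paths (/attributes/<name>), attribute names and JSON fields are assumed
for illustration; the values below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is reproducible.
NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)

# --- Provider side ------------------------------------------------------------
# What the CSP currently knows about a few attributes (constructed values).
# "measured_at" records when the provider last refreshed the evidence.
ATTRIBUTES = {
    "availability": {
        "value": 99.97, "unit": "percent",
        "measured_at": (NOW - timedelta(minutes=5)).isoformat()},
    "last_vulnerability_assessment": {
        "value": "2014-03-20", "unit": "date",
        "measured_at": (NOW - timedelta(minutes=5)).isoformat()},
    "encryption_at_rest": {                 # evidence last refreshed 3 days ago
        "value": True, "unit": "boolean",
        "measured_at": (NOW - timedelta(days=3)).isoformat()},
}


def provider_get(path):
    """Answer an HTTP GET on <path>; returns (status, JSON body) like a handler."""
    parts = path.strip("/").split("/")
    if parts == ["attributes"]:
        return 200, json.dumps({"attributes": sorted(ATTRIBUTES)})
    if len(parts) == 2 and parts[0] == "attributes" and parts[1] in ATTRIBUTES:
        return 200, json.dumps({"name": parts[1], **ATTRIBUTES[parts[1]]})
    return 404, json.dumps({"error": "unknown attribute"})


# --- Customer side ------------------------------------------------------------
def query(name, now=NOW, max_age=timedelta(hours=1)):
    """Fetch one attribute and reject evidence older than max_age."""
    status, body = provider_get(f"/attributes/{name}")
    if status != 200:
        return {"name": name, "ok": False, "reason": f"HTTP {status}"}
    doc = json.loads(body)
    measured = datetime.fromisoformat(doc["measured_at"])
    if now - measured > max_age:
        return {"name": name, "ok": False, "reason": "stale evidence",
                "value": doc["value"], "measured_at": doc["measured_at"]}
    return {"name": name, "ok": True, "value": doc["value"]}


def check_availability(sla_percent=99.9, now=NOW):
    """Availability attribute compared against the contracted SLA."""
    r = query("availability", now)
    r["meets_sla"] = bool(r["ok"]) and r["value"] >= sla_percent
    return r


def check_vuln_assessment(max_days=90, now=NOW):
    """Date of last vulnerability assessment compared against a customer policy."""
    r = query("last_vulnerability_assessment", now)
    if r["ok"]:
        last = datetime.fromisoformat(r["value"]).replace(tzinfo=timezone.utc)
        r["age_days"] = (now - last).days
        r["within_policy"] = r["age_days"] <= max_days
    return r


if __name__ == "__main__":
    print(provider_get("/attributes"))
    print(check_availability(99.9))
    print(check_vuln_assessment(90))
    print(query("encryption_at_rest"))      # flagged: evidence is 3 days old
```

Note the separation of "when was this measured" from "what was measured": a provider can truthfully report a clean vulnerability assessment that is months old, so a consumer comparing providers in real time has to bound the age of the evidence as well as the value itself.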
Standards Update: New and evolving standards
Transforming the Cloud
"Our key to transforming anything lies in our ability to reframe it." ~Marianne Williamson~
Questions?
Contact Us
(571) 830 4555
www.bsiamerica.com
THANK YOU!