
CSA Cloud STAR Certification

John A. DiMaria; CSSBB, HISP, MHISP, AMBCI; Certification Product Manager, BSI Group America Inc.

The Paradigm Has Changed


CloudBytes // BSI Presentation 2014 Cloud Security Alliance - All Rights Reserved.

"When a paradigm shifts, everything goes back to zero. Nothing you have done in the past matters any more. You cannot count on past success." ~Joel Barker~

The CSA GRC Stack


A suite of four integrated and reinforcing CSA initiatives (the stack packages).

The Stack Packs:
- Cloud Controls Matrix
- Consensus Assessments Initiative
- CloudAudit
- CloudTrust Protocol

Designed to support cloud consumers and cloud providers. Prepared to capture value from the cloud as well as support compliance and control within the cloud.

Copyright 2014 Cloud Security Alliance

www.cloudsecurityalliance.org

A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack


Stack Pack: CloudTrust Protocol
Description: Common technique and nomenclature to request and receive evidence and affirmation of current cloud service operating circumstances from cloud providers
Delivering: Continuous monitoring with a purpose

Stack Pack: CloudAudit
Description: Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
Delivering: Claims, offers, and the basis for auditing service delivery

Stack Pack: Consensus Assessments Initiative Questionnaire
Description: Industry-accepted ways to document what security controls exist
Delivering: Pre-audit checklists and questionnaires to inventory controls

Stack Pack: Cloud Controls Matrix
Description: Fundamental security principles in specifying the overall security needs of a cloud consumer and assessing the overall security risk of a cloud provider
Delivering: The recommended foundations for controls


CAIQ Guiding Principles


The following are the principles that the working group utilized as guidance when developing the CAIQ:
- The questionnaire is organized using CSA's 13 governing & operating domains, divided into control areas within the CSA Controls Matrix structure.
- Questions are to assist both cloud providers in general principles of cloud security and clients in vetting cloud providers on the security of their offering and company security profile.
- The CAIQ is not intended to duplicate or replace existing industry security assessments but to contain questions unique or critical to the cloud computing model in each control area.
- Each question should be able to be answered yes or no. If a question can't be answered yes or no, it was separated into two or more questions to allow yes or no answers.
- Questions are intended to foster further detailed questions to the provider by the client, specific to the client's cloud security needs. This was done to limit the number of questions to make the assessment feasible, and since each client may have unique follow-on questions or may not be concerned with all follow-on questions.


The CAIQ Questionnaire


CAIQ Questionnaire
Control Group, Control Group ID (CGID) and Control Identifier (CID) all map the CAIQ question being asked directly to the CCM control that is being addressed. Relevant compliance and standards are mapped line by line to the CAIQ, which, in turn, also maps to the CCM. The CAIQ v1.1 maps to the following compliance areas: HIPAA, ISO 27001, COBIT, SP800_53, FedRAMP, PCI_DSS, BITS and GAPP. V1.2 will additionally include mappings to Jericho Forum and NERC CIP. Each question can be answered by a provider with a yes or no answer. This provides a wide degree of transparency and is, of course, a self-assessment.


Sample Questions to Vendors


Compliance - Independent Audits (CO-02)
- CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
- CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
- CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
- CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
- CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
- CO-02f - Are the results of the network penetration tests available to tenants at their request?
- CO-02g - Are the results of internal and external audits available to tenants at their request?

Data Governance Classification

Data Governance - Classification (DG-02)
- DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
- DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag, etc.)?
- DG-02c - Do you have a capability to use system geographic location as an authentication factor?
- DG-02d - Can you provide the physical location/geography of storage of a tenant's data upon request?
- DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
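An added example, not from the CSA or BSI: a small Python checker for a provider's CAIQ self-assessment that enforces the yes/no principle, summarises answers per control group, and flags questions where an activity is claimed but the matching evidence question is answered No. The CSV layout, the sample answers and the EVIDENCE_PAIRS rule are assumptions; the question IDs and wording are taken from the sample questions above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. IDs and question wording follow the CAIQ sample
# above; the answers and the CSV column layout are assumptions for this example.
SAMPLE_CAIQ = """\
cgid,cid,question,answer
CO-02,CO-02a,Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?,Yes
CO-02,CO-02b,Do you conduct network penetration tests of your cloud service infrastructure regularly?,Yes
CO-02,CO-02c,Do you conduct application penetration tests of your cloud service infrastructure regularly?,Yes
CO-02,CO-02d,Do you conduct internal audits regularly?,Yes
CO-02,CO-02e,Do you conduct external audits regularly?,Yes
CO-02,CO-02f,Are the results of the network penetration tests available to tenants at their request?,No
CO-02,CO-02g,Are the results of internal and external audits available to tenants at their request?,No
DG-02,DG-02a,Do you provide a capability to identify virtual machines via policy tags/metadata?,Yes
DG-02,DG-02b,Do you provide a capability to identify hardware via policy tags/metadata/hardware tags?,No
DG-02,DG-02c,Do you have a capability to use system geographic location as an authentication factor?,No
DG-02,DG-02d,Can you provide the physical location/geography of storage of a tenant's data upon request?,Yes
DG-02,DG-02e,Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?,Partially
"""

# Assumed review rule (not part of the CAIQ): an evidence question answered No
# while any of its activity questions is answered Yes means the control is
# performed but the tenant is given no way to verify it.
EVIDENCE_PAIRS = {
    "CO-02f": ["CO-02b"],            # pentest results <- network pentests
    "CO-02g": ["CO-02d", "CO-02e"],  # audit results   <- internal/external audits
}


def parse_caiq(text):
    """Parse the export. Returns (rows, invalid): rows hold well-formed answers,
    invalid lists CIDs whose answer is not a plain Yes/No, which per the CAIQ
    guiding principles should be split into further yes/no questions."""
    rows, invalid = [], []
    for rec in csv.DictReader(io.StringIO(text)):
        ans = rec["answer"].strip().lower()
        if ans not in ("yes", "no"):
            invalid.append(rec["cid"])
            continue
        rows.append({"cgid": rec["cgid"], "cid": rec["cid"],
                     "question": rec["question"], "yes": ans == "yes"})
    return rows, invalid


def summarize(rows):
    """Per control group: Yes/No counts and the CIDs answered No (client follow-ups)."""
    out = defaultdict(lambda: {"yes": 0, "no": 0, "open": []})
    for r in rows:
        group = out[r["cgid"]]
        if r["yes"]:
            group["yes"] += 1
        else:
            group["no"] += 1
            group["open"].append(r["cid"])
    return dict(out)


def transparency_gaps(rows):
    """Evidence CIDs answered No although a related activity CID is answered Yes."""
    by_cid = {r["cid"]: r["yes"] for r in rows}
    gaps = []
    for evidence, activities in EVIDENCE_PAIRS.items():
        if by_cid.get(evidence) is False and any(by_cid.get(a) for a in activities):
            gaps.append(evidence)
    return gaps


if __name__ == "__main__":
    rows, invalid = parse_caiq(SAMPLE_CAIQ)
    print("not yes/no, needs splitting:", invalid)
    for cgid, s in summarize(rows).items():
        print(f"{cgid}: {s['yes']} yes, {s['no']} no, follow up on {s['open']}")
    print("performed but not evidenced to tenants:", transparency_gaps(rows))
```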


Example Answers


Background
ISO/IEC 27001 is the international management systems standard for Information Security. It is widely recognized and respected and in some cases mandated by governments, for example Japan and Her Majesty's Government (HMG) G-Cloud. It does not focus in detail on any particular sector-specific areas of security. It is scalable and flexible to allow for growth and applicability. The Cloud Controls Matrix (CCM) provides the additional detail required to ensure that the generic standard focuses on the critical controls for Cloud Security. ISO 27001 is written with the expectation that other controls could be added.

Extract from ISO/IEC 27001: "Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed. Organizations can design controls as required, or identify them from any source."

In addition there was a concern that the pass/fail approach to standards does not give much information to cloud service purchasers. Therefore the CCM will be assessed against a 5 level capability model.


Assessing the CCM


ISO/IEC 27001 ensures an organization has the overarching management systems in place to manage the processes and procedures governing the controls. Without this in place there would be little reassurance that the controls sit within a sound management framework. Scope must be Fit-for-Purpose and SLA Driven. The audit adds an assessment of the CCM against a maturity model, because this not only lets an organization and its clients understand that they have met the minimum standards, but shows them where there is potential for improvement. The maturity model was piloted and improved to ensure a reliable result can be achieved. BSI facilitated the development because we have experience in creating maturity/capability models that work with management system standards. Our aim was to take the most appropriate approaches out there to create a model that works with the CCM.


Assessing the CCM


CCM 1.4: 11 Domains
1. Compliance (CO)
2. Data Governance (DG)
3. Facility Security (FS)
4. Human Resources (HR)
5. Information Security (IS)
6. Legal (LG)
7. Operations Management (OM)
8. Risk Management (RI)
9. Release Management (RM)
10. Resiliency (RS)
11. Security Architecture (SA)


Assessing the CCM 98 Controls


Add controls to the existing SOA (Statement of Applicability)


Capability Maturity Model

"If you don't know where you are going, any road will get you there." ~Lewis Carroll~


Capability Life Cycle - PDM

Kaizen principle


The Management Capability Levels


Capability levels
1. No Formal Approach
2. Reactive Approach
3. Proactive Approach
4. Improvement Based Approach
5. Innovative Approach

Capability Factors
1. Communication and Stakeholder Engagement
2. Policies, Plans and Procedures, and a Systematic Approach
3. Skills and Expertise
4. Ownership, Leadership and Management
5. Monitoring and Measuring


Score Factors

Score bands (per capability factor):
1 to 3 - No formal approach
4 to 6 - Reactive
7 to 9 - Proactive
10 to 12 - Improving
12 to 15 - Innovating

Communication and Stakeholder Engagement
1. Identification of stakeholders is limited or non-existent.
2. Some stakeholders have been identified but communication does not take place.
3. Communication takes place but there is no evidence that it is effective.
4. Some evidence that stakeholders are identified and some communication is effective.
5. Key communications are effectively disseminated.
6. There is evidence that most communication is effective.
7. Stakeholders are systematically identified.
8. Stakeholders are consulted over proposed changes.
9. The effectiveness of the communication process is monitored and reviewed.
10. Stakeholders are actively engaged in improving measures in the control.
11. Stakeholders have a clear understanding of how changes in the control area affect their area of responsibility.
12. Methods of communication are reviewed to ensure they are effective.
13. Relevant stakeholders understand the monitoring and measuring processes in the control area.
14. Stakeholders understand how the control area will need to develop to meet the business's strategic objectives.
15. Control area owners actively share best practice to support development in other areas of the business.

Policies, Plans, Processes and Procedures, and a systematic approach
1. There is no evidence of effective plans, processes, policies or procedures.
2. A limited number of processes are defined.
3. Processes are followed in some key areas.
4. There is evidence some staff are aware of processes for core areas of the control.
5. Most plans, processes, policies and procedures are up to date.
6. There is evidence that these plans, policies, processes and procedures are usually followed.
7. Comprehensive plans, processes and procedures cover most areas of operation in the control.
8. Plans, processes and procedures are routinely reviewed.
9. Staff can find out how to access relevant plans, processes and procedures.
10. Plans, processes and procedures cover contingency operations as well as routine operations.
11. Plans, policies, processes and procedures are reviewed against the risks and opportunities associated with the context of the organisation's activities.
12. Staff are actively involved in risk management and mitigation.
13. There is strong leadership to align all the plans, policies and procedures within the control area to drive coherent changes in the system they form part of.
14. Plans, policies and procedures are compared with best practice within and outside the organisation.
15. Changes to plans, processes and procedures are made with an appreciation of how they align with the vision of the organisation.

Skills and Expertise
1. People operating in the control area have limited skills to perform basic functions.
2. Skill requirements are partially understood.
3. There is partial definition of the skills required.
4. There is evidence that staff are competent to operate the core activities in the control area.
5. The competencies required to operate the control area are defined.
6. There is some evidence that staff could react to issues arising in the control area.
7. Staff have competence to perform the full range of activities defined within the control area.
8. Staff competency is monitored and where appropriate recorded.
9. Staff competency is formally monitored and recorded.
10. Staff competence is continually monitored to identify any weaknesses and actively improved where weaknesses are found.
11. Staff training includes a full range of business continuity plans.
12. The cost benefits of staff training are considered.
13. Succession planning is in place to ensure the continuity of skills.
14. Resources are managed to ensure that competent staff are always available to react to issues in an appropriate time scale.
15. Best practice in training approaches is considered across the organisation.

Ownership, Leadership and Management
1. A named control area owner can be identified.
2. The control area owner recognises their responsibility.
3. The control area owner understands the scope of the control area.
4. The control area owner understands the key activities within the control area.
5. The control area owner understands the broader implication of actions within the control area.
6. The control area owner is empowered to provide the resources required to fix issues in the control area.
7. The control area owner actively reviews the control area to ensure it is aligned with customer requirements.
8. There is clear leadership in addressing issues identified in the review.
9. The control area owner is empowered to provide the resources required to take preventive action where it is justified.
10. There is clear leadership in driving improvements in the control area.
11. Risk analyses are regularly reviewed by people empowered to take action.
12. The resources are made available to make proactive improvements to prevent potential risks posing a problem.
13. There is clear leadership in aligning activities within the control area with the overall business strategy.
14. The implications of issues in the control area can be rapidly escalated and can result in action.
15. There is clear succession planning in place for leadership positions.

Monitoring and Measuring
1. Informal monitoring of some areas of the system is in place.
2. Informal monitoring would detect some issues in the control area.
3. Informal monitoring covers most areas of the control.
4. Formal monitoring covers key areas of operation.
5. Monitoring would detect likely issues.
6. Monitoring information is reviewed in a timely manner.
7. Monitoring information is formally analysed.
8. Tools and automated techniques are employed or have been evaluated to improve reliability of the monitoring and measuring processes.
9. Monitoring is capable of detecting a comprehensive range of issues in the control area.
10. Monitoring information is analysed using statistical techniques to identify anomalies.
11. Anomalies are investigated and where appropriate action is taken.
12. Monitoring processes are reviewed regularly in line with a thorough risk analysis.
13. The capability of monitoring procedures to detect issues is regularly tested.
14. Monitoring processes are reviewed every time significant changes in the control area occur.
15. Approaches to monitoring are routinely benchmarked with industry best practice.


ISO/IEC 27001 (general management system) + CCM (cloud-specific controls) + Capability Model = a well MANAGED and FOCUSED system


G-Cloud

"The G-Cloud has a current accreditation scheme which focuses on the sensitivity of the information that is stored within the cloud solution and couples that with certain controls, actions and evidence that the cloud provider must provide in order to prove that the information is kept safe." ~SaaSAssurance~

"By achieving Pan Government Accreditation it will enable these services to be procured by multiple customers, benefiting both customer and supplier, fitting with our mantra of do it once and re-use, re-use, re-use." ~HM Government G-Cloud~


Business Impact Levels

Extract from HMG IA Standard No.1 Business Impact Level Tables


What the Experts Say


Well, earlier on I made the claim that the answer to provide transparency in public sector cloud Certification when none exists is the CSA (STAR). Using the principles of the G-Cloud accreditation plus the Cloud Security Alliance (STAR) Certification can provide a very high level of assurance ~Mark Dunne, CEO; SaaSAssurance~

The following slides demonstrate how both G-Cloud and (STAR) can be used together for that high level of assurance


G-Cloud Accreditation CSA (STAR)

Let's look at ways to optimise the level of assurance by using both certification schemes in tandem.


G-Cloud Accreditation CSA (STAR)


Risk Assessment, RMADs, Residual Risk Statement, Risk Register

For G-Cloud accreditation, the Pan Government Accreditor must review and approve the Risk Management And Accreditation Documentation Set (RMADS)



To bolster this process, ensure the controls from the Cloud Controls Matrix (CCM) are reviewed while dealing with all assets related to cloud technology.

For G-Cloud accreditation, ISO/IEC 27001 Certification must be carried out by a UKAS accredited body or an international equivalent (a signatory to the EA MLA)


The STAR Certification is based upon achieving ISO/IEC 27001 and the specified set of criteria outlined in the Cloud Controls Matrix.

On top of being UKAS or equivalent, IL1/2 (Business Impact Level profiles 11x/22x) is based on good commercial standards, centred around a suitably scoped ISO/IEC 27001 certification.


STAR Certification evaluates the efficiency of an organization's ISMS and ensures the scope, processes and objectives are Fit for Purpose.

The Public Sector requires information assurance as part of the security accreditation of G-Cloud ICT services (providing evidence on DPA, location, personal information, subcontractors, technical solution, etc.).


G-Cloud Accreditation and CSA (STAR), side by side:

G-Cloud Accreditation | CSA (STAR)
Risk Assessment, RMADs, Residual Risk Statement, Risk Register | Cloud Controls Matrix (CCM)
ISO/IEC 27001 Certificate | ISO/IEC 27001 Certificate
ISO/IEC 27001 Certificate (suitably scoped) | ISO/IEC 27001 Certificate (fit for purpose)
Information Assurance (IA) compliance | Management Capability Score
With STAR, each domain will be scored on a specific maturity and will be measured against five management principles, defining the Management Capability Score. These levels will be designated as either No, Bronze, Silver or Gold awards.

UK G-Cloud & CSA (STAR)

As you can see, this is an example of how, when combined, the CSA (STAR) and Government accreditation frameworks can provide an exceptional level of assurance for solutions operating in the public sector, and the (STAR) Certification will become that differentiator.

By: Mark Dunne, SaaSAssurance, Mark.Dunne@SaaSAssurance.com, @2SaaS
Full article to feature in eForensics magazine.


Cloud Controls: What are they about?


Approving Assessors

Background
They must demonstrate knowledge of the Cloud Sector, either through verifiable industry experience (this can include experience assessing organizations) or through completing CCSK certification or equivalent.

Experience
They must be a qualified auditor working for an ISO 27006 accredited CB: evidence of conducting ISO 27001 assessments for a certification body accredited by an IAF member to ISO 27006, or their qualifications as an auditor for that organization.

Competence
They must complete the CSA-approved course qualifying them to audit the CCM for STAR Certification (this course is sanctioned by CSA and carried out by BSI).


Assessor = Knowledge of Cloud + Knowledge of ISO 27k audit + Knowledge of the CCM audit

Credibility

Countries/entities that refer to OCF / STAR Certification either as a requirement in cloud service procurement or as a suitable certification for the security of cloud services:
- European Commission
- Thailand
- Singapore
- Taiwan
- Australia
- New Zealand
- Internet2


Endorsements

Jeffery Ritter, Esq.
Cyber Law, Research, Standards, Technology, International Trade, and Author. Recognized as a pioneer in shaping the legal rules for cyberspace.

"The CSA STAR Certification and Registry represent an important innovation toward improving the transparency and certainty with which the global community can embrace cloud-based services with greater confidence. This unified third-party certification greatly improves the efficiency with which consumers evaluate providers and provides an objective, thorough credential upon which to build trust in a provider's services.

In the absence of CSA's STAR certification, parties negotiating cloud-based services confront significant friction in putting in place the terms and conditions of their arrangements. No one benefits from extensive contract negotiations that are often shaped by lawyers struggling to understand the technologies and assurances; STAR certification streamlines the dialogue and provides a transparent, shared foundation for moving forward."

Cloud Trust Protocol


Real time monitoring of security properties, as well as continuous transparency of services and comparability between services on core security properties.

CTP Real-Time Monitoring


Consumers do not have simple, cost-effective ways to evaluate and compare their providers' resilience, security processes, data protection capabilities, and service portability in real time. The CSA Cloud Trust Protocol (CTP) is an industry initiative to enable real-time monitoring of cloud provider security properties, as well as providing continuous transparency of services and comparability between services on core security properties. CTP forms part of the GRC stack and the Open Certification Framework as the continuous monitoring component, complementing the assessments provided by STAR certification and STAR assessment.

CTP Real-Time Monitoring


The CTP Application Programming Interface (API) is designed to be a RESTful protocol that Cloud Customers can use to query a Cloud Service Provider (CSP) on current security attributes related to a cloud, such as the current level of availability of the service or information on the last vulnerability assessment, which can be done in a classical query/response approach. It will be built on the following CSA best practices/standards:
- Cloud Controls Matrix (CCM)
- Cloud Trust Protocol (CTP)
- CloudAudit

CSA STAR Continuous is currently under development and the target date of delivery is 2015.


Standards Update
New and evolving standards


Transforming the Cloud

"Our key to transforming anything lies in our ability to reframe it." ~Marianne Williamson~


Questions?

THANK YOU!

Contact Us: john.dimaria@bsigroup.com, (571) 830 4555, www.bsiamerica.com, inquiry.msamericas@bsigroup.com
