E-guide

Enhancing Cloud Security
How to evaluate risk and establish secure control standards for your cloud environment

In this e-guide:
• How to achieve better cloud security for your enterprise
• Is FedRAMP the cloud security standard we've been waiting for?
• Risk equation unravels the cloud security paradox
• Getting more PRO+ essential content
In this e-guide:

Despite the many improvements in cloud security capabilities, there are still risks to assess. One of the biggest challenges facing organizations looking to move assets and data into the cloud is the lack of accepted security standards for cloud provider environments.

With security being the number one concern for most organizations offloading services to cloud environments, FedRAMP has proven vital to the cloud industry.

In this e-guide, uncover key areas of cloud security governance and where it needs improvement. Learn how to achieve better cloud security for your enterprise and how to assess your risk before moving data processing or applications to the cloud.
How to achieve better cloud security for your enterprise
Dave Shackleford, Voodoo Security

Better security in the cloud is possible. Learn what national standards and the CSA can do, what they cannot and how to plug the security gap.

There have been significant improvements in basic security capabilities for cloud deployments over the past two years, a good thing, given that 45% of organizations now use infrastructure as a service (IaaS).

While tools are essential, effective cloud security demands a number of governance-focused elements as well, and many of these need further scrutiny and maturity. In this article, we'll examine the key areas of cloud security governance, detail where they need improvement and offer advice for enterprises in the interim.
Cloud security standards and frameworks

First among these are the accepted frameworks (and associated questions) for assessing cloud provider and project risk, and standards for security best practices. There are a number of risk assessment options for cloud deployments, as well as security controls frameworks that may help organizations evaluate the types of controls cloud providers have in place. FedRAMP presents one interesting model, but there are others, which we'll get to shortly.

One of the biggest challenges facing organizations looking to move assets and data into the cloud is the lack of accepted security standards for cloud provider environments. This makes risk assessment difficult, as every organization will have subjective views on what constitutes an appropriate minimum standard for security controls, as well as a model for evaluating risk.

The federal government, with its FedRAMP standard, has solved this problem to some degree. FedRAMP provides a framework of controls that cloud providers must have in place before being approved for use in government agency cloud deployments. Independent auditing firms are required to evaluate provider controls against NIST federal standards for
security (800-53 version 3), including the ability to provide continuous monitoring of controls. Once a cloud provider is authorized to operate, agencies can properly evaluate providers using their own business criteria, knowing that a minimum standard of security is in place.

The U.K. government has a similar initiative to FedRAMP, called G-Cloud. Cloud service providers request acceptance into the program; if accepted, they are listed as a G-Cloud supplier. There are excellent guidelines and frameworks for risk assessment publicly available for both the U.S. and U.K. initiatives.

However, these programs are only focused on government cloud use, so their applicability and mechanics are somewhat limited for many organizations. Fundamentally, though, the concept and design of a program like FedRAMP is gaining traction. Organizations want the following:

• A set of security and organizational controls that cloud providers must implement and attest to in regular audits.
• A requirement (compliance or otherwise) that mandates sharing details of the cloud provider's controls infrastructure and status, both prior to contracts (during a due-diligence phase with vendor and contract management) and on demand during the period of service implementation.
• An independent third-party organization that is responsible for auditing and assessing cloud providers and attesting to their security controls' efficacy.
• A process for managing all of this and facilitating cloud service provider evaluation and selection.

There is no independent risk program for cloud that provides this for all types of organizations internationally. One effort that is currently underway is the Cloud Security Alliance's Open Certification Framework (OCF). This consists of the following programs:

• CSA STAR Certification: The STAR Certification relies on an independent third-party assessment of a cloud provider against the ISO 27001 standard, as well as the CSA Cloud Controls Matrix (CCM).
• CSA STAR Attestation: The STAR Attestation phase will provide a report via the audit-reporting standard for customer consumption known as the SSAE SOC 2 Report.
• CSA STAR Continuous: STAR Continuous is not yet implemented, but is planned for release in 2015. CSA says the Continuous service will provide a scanning and monitoring console that customers can use to remotely assess cloud providers' control statements using the CloudAudit XML-based tag format and the Cloud Trust Protocol (CTP) for data transmission and retention.

This model from CSA is similar conceptually to the FedRAMP program, but is maintained by CSA and implemented by a network of independent audit and security firms. Additional cloud risk frameworks and guides (albeit less-specific ones) are available from the Shared Assessments Program and the European Union Agency for Network and Information Security (ENISA). The ENISA guide, in particular, breaks down the various areas of risk categorically, aligning more effectively with ISO 27001 and CoBIT standards.

Surveying cloud provider security controls

The other major area of focus for enterprise teams concerned about cloud provider security is the controls used within any given risk framework. Most organizations using cloud computing will have already defined some controls they want met, for internal policy and compliance/regulatory requirements. This serves as a good starting point, since there will be "need to have" and "nice to have" controls, as well as potential compensating controls that have already been defined and established. Most organizations will also have specific requirements for disaster recovery and business continuity (for instance, recovery metrics and service level agreements), and these should be extrapolated to any cloud-control model implemented, along with
physical security needs for hosting, colocation or wholly owned data centers.

Beyond these areas, however, many teams need help defining the additional controls that should be evaluated within different types of cloud service environments, and also need guidance on what the best practices are for cloud provider controls implementations. The threat surface is much larger in cloud environments: The provider maintains most or all of the controls, and, on a regular basis, there are many attackers looking to compromise cloud provider environments.

The best source of data for building an initial matrix of cloud security controls, or adapting one that an organization may have in place, is the CSA Cloud Controls Matrix (CCM). The CCM (current version is 3.0.1) contains more than 100 controls that apply directly to most cloud providers. These are broken down into categories such as security incident management, application security, physical security, and others (much like the ENISA risk assessment guide). To implement the CCM successfully, adapt the framework to your needs: Take your existing controls set, determine what you need to have in place and map this to the CCM. Also, break down controls severity and applicability by relating each assessment based on the CCM to data value or sensitivity. If your teams want to move sensitive data into a cloud service environment, more controls (and more strict ones) should be required.
Defining controls and risk frameworks to perform a reasonably thorough assessment of providers can be done. The industry is still lacking independent organizations that can emulate FedRAMP and related frameworks for government, but using CSA's CCM as a starting point, we can then adopt any number of risk assessment models ranging from ENISA to ISO 27001.

Over time, as industry pressure is applied to cloud providers, I believe they'll become more transparent about the controls they have in place and how well they're implemented. Either way, a sound risk assessment program for cloud services implementation is needed. To get started, you'll need to build an in-house program that incorporates existing and new standards and guidelines like the CCM, and then develop a process for gathering controls information about providers and assessing the risks both prior to signing the contract and afterward.

Here's your short list of steps to get started:

1. Download the CCM, and modify it to meet your particular controls requirements (add controls you would like to see, remove and change others if needed). This can serve as a great template if you don't have an existing controls framework in place.
2. Add a column in the spreadsheet for all data classification levels you have defined per your internal policy (including regulated data). With