E-guide: Enhancing Cloud Security
How to evaluate risk and establish secure control standards for your cloud environment

In this e-guide:
+ How to achieve better cloud security for your enterprise
+ Is FedRAMP the cloud security standard we've been waiting for?
+ A risk equation unravels the cloud security paradox
+ Getting more PRO+ essential content

Page 1 of 26

In this e-guide: Despite the many improvements in cloud security capabilities, there are still risks to assess. One of the biggest challenges facing organizations looking to move assets and data into the cloud is the lack of accepted security standards for cloud provider environments. With security being the number one concern for most organizations offloading services to cloud environments, FedRAMP has proven that such standards are vital to the cloud industry. In this e-guide, uncover the key areas of cloud security governance and where they need improvement. Learn how to achieve better cloud security for your enterprise and how to assess your risk before moving data processing or applications to the cloud.

How to achieve better cloud security for your enterprise
Dave Shackleford, Voodoo Security

Better security in the cloud is possible. Learn what national standards and the CSA can do, what they cannot and how to plug the security gap.

There have been significant improvements in basic security capabilities for cloud deployments over the past two years, a good thing given that 45% of organizations now use infrastructure as a service (IaaS). While tools are essential, effective cloud security demands a number of governance-focused elements as well, and many of these need further scrutiny and maturity. In this article, we'll examine the key areas of cloud security governance, detail where they need improvement and offer advice for enterprises in the interim.

Cloud security standards and frameworks

First among these are the accepted frameworks (and associated questions) for assessing cloud provider and project risk, and standards for security best practices. There are a number of risk assessment options for cloud deployments, as well as security controls frameworks that may help organizations evaluate the types of controls cloud providers have in place. FedRAMP presents one interesting model, but there are others, which we'll get to shortly.

One of the biggest challenges facing organizations looking to move assets and data into the cloud is the lack of accepted security standards for cloud provider environments. This makes risk assessment difficult, as every organization will have subjective views on what constitutes an appropriate minimum standard for security controls, as well as on the model for evaluating risk.

The federal government, with its FedRAMP standard, has solved this problem to some degree. FedRAMP provides a framework of controls that cloud providers must have in place before being approved for use in government agency cloud deployments. Independent auditing firms are required to evaluate provider controls against NIST federal standards for security (800-53 version 3), including the ability to provide continuous monitoring of controls. Once a cloud provider is authorized to operate, each agency can properly evaluate providers using its own business criteria, knowing that a minimum standard of security is in place.

The U.K. government has a similar initiative to FedRAMP, called G-Cloud. Cloud service providers request acceptance into the program; if accepted, they are listed as a G-Cloud supplier. There are excellent guidelines and frameworks for risk assessment publicly available for both the U.S. and U.K. initiatives. However, these programs are focused only on government cloud use, so their applicability and mechanics are somewhat limited for many organizations.

Fundamentally, though, the concept and design of a program like FedRAMP is gaining traction. Organizations want the following:
+ A set of security and organizational controls that cloud providers must implement and attest to in regular audits.
+ A requirement (compliance or otherwise) that mandates sharing details of the cloud provider's controls infrastructure and status, both prior to contracts (during a due-diligence phase with vendor and contract management) and on demand during the period of service implementation.
+ An independent third-party organization that is responsible for auditing and assessing cloud providers and attesting to the efficacy of their security controls.
+ A process for managing all of this and facilitating cloud service provider evaluation and selection.

There is no independent risk program for cloud that provides this for all types of organizations internationally. One effort that is currently underway is the Cloud Security Alliance's Open Certification Framework (OCF). This consists of the following programs:
+ CSA STAR Certification: The STAR Certification relies on an independent third-party assessment of a cloud provider against the ISO 27001 standard, as well as the CSA Cloud Controls Matrix (CCM).
+ CSA STAR Attestation: The STAR Attestation phase will provide a report for customer consumption via the audit-reporting standard known as the SSAE SOC 2 Report.
+ CSA STAR Continuous: STAR Continuous is not yet implemented, but is planned for release in 2015. CSA says the Continuous service will provide a scanning and monitoring console that customers can use to remotely assess cloud providers' control statements, using the CloudAudit XML-based tag format and the Cloud Trust Protocol (CTP) for data transmission and retention.

This model from CSA is conceptually similar to the FedRAMP program, but is maintained by CSA and implemented by a network of independent audit and security firms. Additional cloud risk frameworks and guides (albeit less specific ones) are available from the Shared Assessments Program and the European Union Agency for Network and Information Security (ENISA). The ENISA guide, in particular, breaks down the various areas of risk categorically, aligning more effectively with the ISO 27001 and COBIT standards.

Surveying cloud provider security controls

The other major area of focus for enterprise teams concerned about cloud provider security is the controls used within any given risk framework. Most organizations using cloud computing will have already defined some controls they want met, for internal policy and compliance/regulatory requirements. This serves as a good starting point, since there will be "need to have" and "nice to have" controls, as well as potential compensating controls, that have already been defined and established. Most organizations will also have specific requirements for disaster recovery and business continuity (for instance, recovery metrics and service level agreements), and these should be extrapolated to any cloud-control model implemented, along with physical security needs for hosting, colocation or wholly owned data centers.

Beyond these areas, however, many teams need help defining the additional controls that should be evaluated within different types of cloud service environments, and also need guidance on best practices for cloud provider controls implementations. The threat surface is much larger in cloud environments: The provider maintains most or all of the controls, and there are many attackers regularly looking to compromise cloud provider environments.

The best source of data for building an initial matrix of cloud security controls, or adapting one that an organization may already have in place, is the CSA Cloud Controls Matrix (CCM). The CCM (current version is 3.0.1) contains more than 100 controls that apply directly to most cloud providers. These are broken down into categories such as security incident management, application security, physical security and others (much like the ENISA risk assessment guide). To implement the CCM successfully, adapt the framework to your needs: Take your existing controls set, determine what you need to have in place and map this to the CCM. Also, break down control severity and applicability by relating each CCM-based assessment to data value or sensitivity. If your teams want to move sensitive data into a cloud service environment, more controls (and stricter ones) should be required.

Defining controls and risk frameworks to perform a reasonably thorough assessment of providers can be done. The industry is still lacking independent organizations that can emulate FedRAMP and related frameworks for government, but using CSA's CCM as a starting point, we can then adopt any number of risk assessment models, ranging from ENISA to ISO 27001.

Over time, as industry pressure is applied to cloud providers, I believe they'll become more transparent about the controls they have in place and how well they're implemented. Either way, a sound risk assessment program for cloud services implementation is needed. To get started, you'll need to build an in-house program that incorporates existing and new standards and guidelines like the CCM, and then develop a process for gathering controls information about providers and assessing the risks both prior to signing the contract and afterward. Here's your short list of steps to get started:

1. Download the CCM, and modify it to meet your particular controls requirements (add controls you would like to see, remove and change others if needed). This can serve as a great template if you don't have an existing controls framework in place.
2. Add a column in the spreadsheet for all data classification levels you have defined per your internal policy (including regulated data). With
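The two steps above, together with the earlier advice to tie control severity to data sensitivity, amount to a small gap-analysis procedure: a controls spreadsheet with one column per classification level, a provider's attestation against it, and a rule that gets stricter as the data gets more sensitive. The following is an added example of that procedure, not code from the e-guide or from the CSA. The control IDs, descriptions, classification levels and provider answers are all constructed for illustration; the real CCM export would be loaded in place of the inline CSV.

```python
"""Controls-gap assessment over a CCM-style spreadsheet (added example)."""
import csv
import io
from dataclasses import dataclass

# Constructed sample: a cut-down controls matrix in the shape the article
# describes. Control IDs and wording are hypothetical, not taken from the CCM.
# One column per data classification level (step 2), holding "required",
# "recommended" or "n/a" for that level.
CONTROLS_CSV = """\
control_id,domain,description,public,internal,confidential,regulated
HYP-AIS-01,Application Security,Web application vulnerability scanning before release,recommended,required,required,required
HYP-EKM-02,Encryption & Key Mgmt,Customer data encrypted at rest with customer-managed keys,n/a,recommended,required,required
HYP-SEF-03,Security Incident Mgmt,Incident notification to customer within contracted SLA,recommended,required,required,required
HYP-DCS-04,Datacenter Security,Physical access logging and review at all hosting sites,n/a,n/a,required,required
HYP-BCR-05,Business Continuity,Tested recovery plan meeting agreed RTO/RPO,recommended,recommended,required,required
HYP-AAC-06,Audit Assurance,Independent third-party audit report (e.g. SOC 2) shared on request,n/a,recommended,required,required
"""

# Ordered from least to most sensitive; strictness rises along this list.
CLASSIFICATION_LEVELS = ("public", "internal", "confidential", "regulated")

# Constructed sample: what a provider's due-diligence questionnaire came back with.
PROVIDER_ATTESTATION = {
    "HYP-AIS-01": "implemented",
    "HYP-EKM-02": "partial",          # encrypts at rest, but provider-managed keys only
    "HYP-SEF-03": "implemented",
    "HYP-DCS-04": "not implemented",
    "HYP-BCR-05": "implemented",
    # HYP-AAC-06 deliberately left unanswered: silence is treated as a gap
}


@dataclass(frozen=True)
class Gap:
    control_id: str
    domain: str
    expectation: str   # "required" or "recommended" at the assessed level
    status: str        # provider-reported status, or "unanswered"


def load_matrix(csv_text):
    """Parse the spreadsheet export and insist that every classification column exists."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        missing = [lvl for lvl in CLASSIFICATION_LEVELS if lvl not in row]
        if missing:
            raise ValueError(f"matrix missing classification columns: {missing}")
    return rows


def assess_provider(matrix, attestation, classification):
    """Return (acceptable, gaps) for moving data of the given classification.

    At 'confidential' and above a 'partial' answer no longer satisfies a
    control, and any control the provider did not answer counts as a gap.
    Only unmet *required* controls block the move; unmet recommended
    controls are reported so the team can weigh compensating controls.
    """
    if classification not in CLASSIFICATION_LEVELS:
        raise ValueError(f"unknown classification {classification!r}")
    strict = (CLASSIFICATION_LEVELS.index(classification)
              >= CLASSIFICATION_LEVELS.index("confidential"))
    gaps = []
    for row in matrix:
        expectation = row[classification].strip().lower()
        if expectation == "n/a":
            continue
        status = attestation.get(row["control_id"], "unanswered")
        satisfied = status == "implemented" or (status == "partial" and not strict)
        if not satisfied:
            gaps.append(Gap(row["control_id"], row["domain"], expectation, status))
    acceptable = not any(g.expectation == "required" for g in gaps)
    return acceptable, gaps


def report(matrix, attestation):
    """Build a per-classification summary suitable for a risk review record."""
    lines = []
    for level in CLASSIFICATION_LEVELS:
        ok, gaps = assess_provider(matrix, attestation, level)
        verdict = "ACCEPTABLE" if ok else "BLOCKED"
        lines.append(f"{level:<13} {verdict:<10} {len(gaps)} gap(s)")
        for g in gaps:
            lines.append(f"    {g.control_id} [{g.expectation}] provider status: {g.status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_matrix(CONTROLS_CSV), PROVIDER_ATTESTATION))
```

The point of the per-level loop is the one the article makes: the same provider answers can be acceptable for internal data and blocked for regulated data, so the assessment is rerun whenever the data classification of a workload changes, not just once at contract signing.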
