Defined Categories of Service 2011 - Cloud Security Alliance
Defined Categories of Service 2011
Introduction
CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011
The permanent and official location for the Cloud Security Alliance Security as a Service research is:
https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/
© 2011 Cloud Security Alliance.
All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “Security as a Service” at https://cloudsecurityalliance.org/wpcontent/uploads/2011/09/SecaaS_V1_0.pdf subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “Security as a Service” Version 1.0 (2011).
Copyright © 2011 Cloud Security Alliance 2
Table of Contents
Introduction ........ 2
Foreword ........ 4
Acknowledgments ........ 5
Executive Summary ........ 7
Category 1: Identity and Access Management ........ 8
Category 2: Data Loss Prevention ........ 10
Category 3: Web Security ........ 12
Category 4: Email Security ........ 14
Category 5: Security Assessments ........ 16
Category 6: Intrusion Management ........ 18
Category 7: Security Information and Event Management (SIEM) ........ 20
Category 8: Encryption ........ 22
Category 9: Business Continuity and Disaster Recovery ........ 24
Category 10: Network Security ........ 26
Foreword
Welcome to the Cloud Security Alliance’s “Security as a Service,” Version 1.0. This is one of many research deliverables CSA will release in 2011.
There is currently a lot of work regarding the security of the cloud and data in the cloud, but until now there has been limited research into the provision of security services in an elastic cloud model that scales as the client requirements change. This paper is the initial output from research into how security can be provided as a service (SecaaS).
Also, we encourage you to download and review our flagship research, “Security Guidance for Critical Areas of Focus in Cloud Computing,” which you can download at:
http://www.cloudsecurityalliance.org/guidance
Best Regards,
Jerry Archer, Alan Boehme, Dave Cullinane, Nils Puhlmann, Paul Kurtz, Jim Reavis
The Cloud Security Alliance Board of Directors
Acknowledgments
Co-chairs
Kevin Fielder: GE, Cameron Smith: Zscaler
Working Group Leaders
Runa Desai Delal: Agama Consulting, Ulrich Lang: ObjectSecurity, Atul Shah: Microsoft, Aaron Bryson: Cisco, Mark Hahn: TCB Technologies, Wolfgang Kandek: Qualys, John Hearton: Secure Mission Solutions, Justin Foster: Trend Micro, Ben Chung: HP, Jens Laundrup: Emagined Security, Geoff Webb: Credant Technologies, Kevin Fielder: GE, Cameron Smith: Zscaler, Ken Owens: Savvis
Steering Committee
Scott Chasin: McAfee, Kevin Fielder: GE Global, Patrick Harding: Ping Identity, John Hearton: Secure Mission Solutions, Bernd Jager: Colt, Joe Knape: AT&T, Marlin Pohlman: EMC, Jim Reavis: Cloud Security Alliance, Archie Reed: HP, J.R. Santos: Cloud Security Alliance, Cameron Smith: Zscaler, Michael Sutton: Zscaler, Brian Todd: ING
SecaaS Members
Lenin Aboagye: Apollo Group Inc., Ravikanth Anisingaraju: Nexus Informatics, Dave Asprey: Trend Micro, Karim Benzidane, Aaron Bryson: Cisco, Ben Chung: HP, Joel Cort: Xerox, Ricardo Costa: ESTG, Runa Desai Dalal: Agama Consulting, Jeff Finch: Interoute, Justin Foster: Trend Micro, Matthew Gardiner: CA Technologies, Suptrotik Ghose: Microsoft, Mark Hahn: TCB Technologies, Jeff Huegel: AT&T, Wolfgang Kandek: Qualys, Tuhin Kumar, Vijay Kumar Teki: HCL Technologies, Taiye Lambo: eFortresses, Jens Laundrup: Emagined Security, David Lingenfelter: Fiberlink, Drew Maness: Technicolor, Ken Owens: Savvis, Naynesh Patel: Simeio Solutions, Mike Qu, Kanchanna Ramasamy Balraj, Atul Shah: Microsoft, Said Tabet: EMC, Hassan Takabi: University of Pittsburgh, Danielito Vizcayno: E*Trade, Geoff Webb: Credant Technologies, Arnold Webster: EC-Council University, Nick Yoo: McKesson Corp.
Contributors
Jim Beadel: AT&T, Cheng-Yin Lee: CSA, Jie Wang: Converging Stream Technologies, Inc, Kapil Assudani: HCSC, Valmiki Mukherjee: (ISC)2, JP Morgenthal: Smartronix Cloud Security Alliance DC Chapter, Vladimir Jirasek: Nokia, Amol Godbole: Cisco Systems, Tuhin Kumar: Oracle Corp., Martin Lee: Symantec.cloud, Andrey Dulkin: Cyber-Ark Software, John Hearton: Secure Mission Solutions, Nandakumar: Novell, Bernd Jaeger: Colt Technology Services, Tyson Macaulay: Bell Canada, Lenin Aboagye: Apollo Group, David Treece: Edgile, Benzidane Karim: NTIQual, Atul Shah: Microsoft, Mark Hahn: TCB Technologies, Inc., Bradley Anstis: M86 Security, JD Hascup: Weyerhaeuser, Balaji Ramamoorthy: TCG, Hassan Takabi: University of Pittsburgh, Henry St. Andre: inContact, Faud Khan: TwelveDot, Inc., MS Prasad: Rediffmail, Gaurav Godhwani: Student, Ang Puay Young: Singapore Ministry of Health Holdings, Ted Skinner: Harris Corporation
CSA Staff
Jim Reavis: Executive Director, J.R. Santos: Research Director, John Yeoh: Research Analyst, Amy Van Antwerp: Technical Writer/Editor, Kendall Scoboria: Graphic Designer, Evan Scoboria: Web Developer
Executive Summary
Cloud Computing represents one of the most significant shifts in information technology many of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility has great potential, promising innovations we cannot yet imagine.
Customers are both excited and nervous at the prospects of Cloud Computing. They are excited by the opportunities to reduce capital costs. They are excited for a chance to divest infrastructure management and focus on core competencies. Most of all, they are excited by the agility offered by the on-demand provisioning of computing resources and the ability to align information technology with business strategies and needs more readily. However, customers are also very concerned about the security risks of Cloud Computing and the loss of direct control over the security of systems for which they are accountable. Vendors have attempted to satisfy this demand for security by offering security services in a cloud platform, but because these services take many forms, they have caused market confusion and complicated the selection process. This has led to limited adoption of cloud-based security services thus far. However, the future looks bright for SecaaS, with Gartner predicting that cloud-based security service use will more than triple in many segments by 2013.
To aid both cloud customers and cloud providers, CSA has embarked on a new research project to provide greater clarity on the area of Security as a Service. Security as a Service refers to the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems. This will enable enterprises to make use of security services in new ways, or in ways that would not be cost effective if provisioned locally.
Numerous security vendors are now leveraging cloud-based models to deliver security solutions. This shift has occurred for a variety of reasons, including greater economies of scale and streamlined delivery mechanisms. Consumers are increasingly faced with evaluating security solutions that do not run on-premises. Consumers need to understand the unique nature of cloud-delivered security offerings so they can evaluate the offerings and understand if they will meet their needs.
Based on survey results collected from prominent consumers of cloud services, the following security service categories are of most interest to experienced industry consumers and security professionals:
Identity and Access Management (IAM)
Data Loss Prevention (DLP)
Web Security
Email Security
Security Assessments
Intrusion Management
Security Information and Event Management (SIEM)
Encryption
Business Continuity and Disaster Recovery
Network Security
Category #1: Identity and Access Management (IAM)
Description: Identity and Access Management (IAM) should provide controls for assured identities and access management.
IAM includes people, processes, and systems that are used to manage access to enterprise resources by assuring that the identity of an entity is verified and that it is granted the correct level of access based on this assured identity. Audit logs of activity such as successful and failed authentication and access attempts should be kept by the application / solution.
Class: Protective/Preventative
CORE FUNCTIONALITIES
Provisioning/de-provisioning of accounts (of both cloud and on-premise applications and resources)
Authentication (multiple forms and factors)
Directory services
Directory synchronization (multilateral as required)
Federated SSO
Web SSO (e.g., granular access enforcement and session management; different from Federated SSO)
Authorization (both user and application/system)
Authorization token management and provisioning
User profile and entitlement management (both user and application/system)
Support for policy and regulatory compliance monitoring and/or reporting
Federated provisioning of cloud applications
Self-service request processing, such as password reset, setting up challenge questions, requests for roles/resources, etc.
Privileged user management / privileged user password management
Policy management (incl. authorization management, role management, compliance policy management)
Role Based Access Controls (RBAC) (where supported by the underlying system/service)
OPTIONAL FEATURES
Support for DLP
Granular activity auditing broken down by individual
Segregation of duties based on identity entitlement
Compliance-centric reporting
CHALLENGES
Lack of standards and vendor lock-in
Identity theft
Unauthorized access
Privilege escalation
Insider threat
Non-repudiation
Least privilege / need-to-know
Segregation of administrative (provider) vs. end user (client) interface and access
Delegation of authorizations/entitlements
Attacks on identity services such as DDoS
Eavesdropping on identity service messaging (non-repudiation)
Password management (communication, retrieval): different requirements across clients
Resource hogging with unauthorized provisioning
Complete removal of identity information at the end of the life cycle
Real-time provisioning and de-provisioning
Lack of interoperable representation of entitlement information
Dynamic trust propagation and development of trusted relationships among service providers
Transparency: security measures must be available to the customers to gain their trust
Developing a user-centric access control where user requests to service providers are bundled with their identity and entitlement information
Interoperability with existing IT systems and existing solutions with minimum changes
Dynamically scaling up and down; scaling to hundreds of millions of transactions for millions of identities and thousands of connections in a reasonable time
Privacy preservation across multiple tenants
Multi-jurisdictional regulatory requirements
SERVICES
Includes: User Centric ID Provider, Federated IDs, Web-SSO, Identity Provider, Authorization Management Policy Provider, Electronic Signature, Device Signature, User Managed Access
Related Services: DLP, SIEM
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federated Services (ADFS2), WS-Federation
Service Model: SaaS, PaaS
CSA Domains (v2.1): 4, 12
THREATS ADDRESSED
Identity theft
Unauthorized access
Privilege escalation
Insider threat
Non-repudiation
Excess privileges / excessive access
Delegation of authorizations / entitlements
Fraud
REFERENCES / ADDITIONAL RESOURCES
https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
CSA Silicon Valley cloud authorization policy automation presentation: http://www.objectsecurity.com/en-resources-video-20110208-webinar-79898734.htm (Alternate download: http://www.objectsecurity.com/en-contact-resources.html)
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud: CA Arcot Webfort; CyberArk Software Privileged Identity Manager; Novell Cloud Security Services; ObjectSecurity OpenPMF (authorization policy automation, for private cloud only); Symplified
Non-Cloud: Novell Identity Manager; Oracle Identity Manager; Oracle Access Manager Suite
Category #2: Data Loss Prevention
Description: Data Loss Prevention is the monitoring, protection, and verification of the security of data at rest, in motion and in use, both in the cloud and on-premises.
DLP services offer protection of data usually by running as some sort of client on desktops / servers and enforcing rules around what can be done. Where these differ from broad rules like “No FTP” or “No uploads to web sites,” etc. is the level to which the services understand data. A few examples of policies you can specify are “No documents with numbers that look like credit cards can be emailed,” “Anything saved to USB storage is automatically encrypted and can only be decrypted on another office-owned machine with a correctly installed DLP client,” and “Only clients with functioning DLP software can open files from the fileserver,” etc.
Within the cloud, DLP services could be offered as something that is provided as part of the build, such that all servers built for that client get the DLP software installed with an agreed set of rules deployed.
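The first policy above (“No documents with numbers that look like credit cards can be emailed”) as a content-aware check, written here as an added example that is not part of the CSA document or of any vendor product: the regex, the Luhn filter, the policy identifier and the sample message are all constructed for illustration. It also shows the tuning step the Challenges list alludes to, since a digit-pattern alone produces false positives on order numbers and the checksum removes most of them.

```python
"""Content-aware DLP check for card-like numbers in outbound email.

Example code, not from the CSA document or any DLP vendor. The policy
id, the sample email and the attachment are constructed for this demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Candidate: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (lookbehind/lookahead).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Cheap tuning step: most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit strings that look like a card number AND pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits for the audit trail."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Verdict:
    allowed: bool
    reason: str
    audit: list[str] = field(default_factory=list)  # masked hits per part


def evaluate_email_policy(body: str, attachments: dict[str, str]) -> Verdict:
    """Apply the constructed policy CC-EMAIL-001 to a body plus attachments."""
    hits = []
    for name, content in [("body", body), *attachments.items()]:
        for pan in find_card_numbers(content):
            hits.append(f"{name}: {mask(pan)}")
    if hits:
        return Verdict(False, "policy CC-EMAIL-001: card-like number present", hits)
    return Verdict(True, "no card numbers detected")


# Constructed sample message: an order reference and a phone number (digit
# runs that are not cards), a Luhn-invalid test value, and a CSV attachment
# containing a public test card number.
SAMPLE_BODY = (
    "Hi, order ref 1234567890123 is ready. Call +1 415 555 0100 with questions.\n"
    "Ignore the test card 4111-1111-1111-1112 from the QA script."
)
SAMPLE_ATTACHMENTS = {
    "expenses.csv": "date,merchant,card\n2011-09-01,Hotel,4111 1111 1111 1111\n",
}

if __name__ == "__main__":
    verdict = evaluate_email_policy(SAMPLE_BODY, SAMPLE_ATTACHMENTS)
    print("allowed:", verdict.allowed)
    print("reason: ", verdict.reason)
    for line in verdict.audit:
        print("hit:    ", line)
```

The order reference and the typo'd test card both match the digit pattern but fail the checksum, so only the attachment triggers the block; the audit entry keeps a masked value, which is what the incident workflow and SIEM integration listed below need without re-exposing the data.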
Class: Preventative
CORE FUNCTIONALITIES
Data labeling and classification
Identification of Sensitive Data
Predefined policies for major regulatory statutes
Context Detection Heuristics
Structured Data Matching (data-at-rest)
SQL regular expression detection
Traffic Spanning (data-in-motion) detection
Real Time User Awareness
Security Level Assignment
Custom Attribute Lookup
Automated Incident Response
Signing of Data
Cryptographic data protection and access control
Machine readable policy language
OPTIONAL FEATURES
Rate domains
Smart Response (integrated remediation workflow)
Automated event escalation
Automated false positive signature compensation
Unstructured Data Matching
File / directory integrity via hashing
Integration with Intrusion Detection Systems
Multiple Language Pack
Data privacy
Chain of evidence services to support investigations and prosecutions
CHALLENGES
Data may be stolen from the datacenter virtually or even physically
Data could be misused by the datacenter operator or other employees with access
Compliance requires certifying the cloud stack at all levels repeatedly
Data sovereignty issues reduce customer rights with regard to governments
Encrypted Data
Performance when analyzing and monitoring large / heavily accessed data sets
False negatives / false positives (tuning)
Rule base may be complex to manage
Outside of ‘known’ items such as credit card numbers and social security numbers, data can only be classified with detailed input from the end user
Lack of data classification standards
Ensuring customer data segregation when multiple tenants are present
SERVICES
Includes: Encryption, Meta-data tagging, Data Identification, Multilingual fingerprinting, Data leakage detection, Policy management and classification, Transparent data encryption, Policy controlled data access, storage and transportation, Dynamic data masking
Related Services: IAM
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), ESG
Service Model: SaaS, PaaS
THREATS ADDRESSED
Data loss/leakage
Unauthorized access
Malicious compromises of data integrity
Data sovereignty issues
Regulatory sanctions and fines
REFERENCES
http://www.technewsworld.com/story/66562.html
http://www.datalossbarometer.com/14945.htm
http://community.websense.com/blogs/websense-media-coverage/archive/2010/07/20/channelinsider-websense-plans-to-tap-microsoft-channel-cloud-dlp-innovatin-in-the-present-and-future.aspx
http://www.asiacloudforum.com/content/vmmare-embeds-rsa-dlp-virtual-environments
http://searchsecuritychannel.techtarget.com/news/1374080/Partner-Engage-2009-VARs-dish-on-DLPimplementation-and-the-cloud
http://infinite-identities.blogspot.com/2009/12/next-cloud-security-frontier-dlp-for.html
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud: BlueCoat; IBM; Imperva; Oracle; Reconnex; RSA; Symantec/Vontu; Websense; Zscaler
Non-Cloud: Digital Guardian; Palisade Systems PacketSure; Symantec Protection Suite Enterprise Edition
Category #3: Web Security
Description: Web Security is real-time protection offered either on-premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the cloud provider.
This provides an added layer of protection on top of things like AV to prevent malware from entering the enterprise via activities such as web browsing. Policy rules around the types of web access and the times this is acceptable can also be enforced via these technologies.
Class: Protective, detective, reactive
CORE FUNCTIONALITIES
Web Filtering
Malware, Spyware and Bot Network analyzer and blocking
Phishing site blocker
Instant Messaging Scanning
Email Security
Bandwidth management/traffic control
Data Loss Prevention
Fraud Prevention
Web Access Control
Backup
SSL (decryption / hand off)
Usage policy enforcement
OPTIONAL FEATURES
Rate domains
Categorize websites by URL/IP address
Rate sites by user requests
Transparent updating of user mistakes
Categorize and rate websites as needed
Categorize websites for policy enforcement
Recognize multiple languages
Categorize top-level domains
Block downloads with spoofed file extensions
Strip potential spyware downloads from high-risk sites
CHALLENGES
Constantly evolving threats
Insider circumvention of web security
Compromise of the web filtering service by proxy
Potentially higher cost of real time monitoring
Lack of features vs. premise based solutions
Lack of policy granularity and reporting
Relinquishing control
Encrypted traffic
SERVICES
Includes: Email Server, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management, Anti-phishing
Related Services: Firewalls, Proxy, DLP, Email Security
Related Technologies and Standards: HTTP/HTTPS, RuleML, XML, PHP, anti-virus
Service Model: SaaS, PaaS
CSA Domains (v2.1): 5, 10
THREATS ADDRESSED
Keyloggers
Domain Content
Malware
Spyware
Bot Network
Phishing
Virus
Bandwidth consumption
Data Loss Prevention
Spam
REFERENCES / ADDITIONAL RESOURCES
http://www.technewsworld.com/story/66562.html
BT case study: http://www.globalservices.bt.com/static/assets/pdf/case_studies/EN_NEW/edinburgh_cc_web_security_case_study.pdf
W3C Web Security FAQ: http://www.w3.org/Security/Faq/
OWASP: https://www.owasp.org/index.php/Main_Page
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud: BlueCoat; RSA; TrendMicro; Websense; Zscaler
Non-Cloud: Barracuda; BlueCoat; Cisco; McAfee; Symantec; Watchguard
Category #4: Email Security
Description: Email Security should provide control over inbound and outbound email, thereby protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam, and providing business continuity options.
In addition, the solution should allow for policy-based encryption of emails, as well as integrating with various email server solutions.
Digital signatures enabling identification and non-repudiation are also features of many email security solutions.
Class: Protective, detective, reactive
CORE FUNCTIONALITIES
Accurate filtering to block spam and phishing
Deep protection against viruses and spyware before they enter the enterprise perimeter
Flexible policies to define granular mail flow and encryption
Rich, interactive and correlated real-time reporting
Deep content scanning to enforce policies
Option to encrypt some / all emails based on policy
Integration with various email server solutions
OPTIONAL FEATURES
Secure archiving
Web-mail interface
Full integration with in-house identity system (LDAP, Active Directory, etc.)
Mail encryption, signing and time-stamping
Flexible integration
Data Loss Prevention (DLP) for SMTP and webmail
E-discovery
Email system backup (e.g., stores mails on cloud provider infrastructure until customer systems are restored)
IDS / IPS for the mail servers
Digital signatures
CHALLENGES
Portability
Storage
Use of unauthorized webmail for business purposes
Management of logs and access to logs
Ensuring no access to emails by cloud provider staff
SERVICES
Includes: Content security, Antivirus/Anti-malware, Spam filtering, Email encryption, DLP for outbound email, Web mail, Anti-phishing
Related Services: DLP, Web Security, Business Continuity
Related Technologies and Standards: SMTP (ESMTP, SMTPS), IMAP, POP, MIME, S/MIME, PGP
Service Model: SaaS
CSA Domains (v2.1): 3, 5
THREATS ADDRESSED
Phishing
Intrusion
Malware
Spam
Address spoofing
REFERENCES / ADDITIONAL RESOURCES
http://www.eweek.com/c/a/Messaging-and-Collaboration/SAAS-Email-From-Google-Microsoft-Proves-Cost-Effective-For-Up-to-15K-Seats/
http://www.symanteccloud.com/datasheet/Technical_doc_Ext_Web_Global.pdf
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud: Barracuda Networks; Gmail for Domains (Google Apps); McAfee; Message Labs / Symantec Cloud; Microsoft Cloud Services; Postini (Google); TrendMicro; Zscaler Email Security
Non-Cloud: Postini; Symantec; WebSense
Category #5: Security Assessment
Description: Security assessments are third-party audits of cloud services or assessments of on-premises systems via cloud-provided solutions based on industry standards.
Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO, and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model. In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administration overhead, and pay-per-use with low initial investment.
While not the focus of this effort, additional challenges arise when these tools are used to audit cloud environments. Multiple organizations, including the CSA, have been working on guidelines to help organizations understand the additional challenges:
• Virtualization awareness of the tool, frequently necessary for IaaS platform auditing
• Support for common web frameworks in PaaS applications
• Compliance controls for IaaS, PaaS, and SaaS platforms
• Standardized questionnaires for XaaS environments that help address:
o What should be tested in a cloud environment?
o How does one assure data isolation in a multi-tenant environment?
o What should appear in a typical infrastructure vulnerability report? Is it acceptable to use results provided by the cloud provider?
Class: Detective
CORE FUNCTIONALITIES
Governance - process by which policies are set and decision making is executed
Risk Management - process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions
Compliance - process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
Technical Compliance Audits - automated auditing of configuration settings in devices, operating systems, databases, and applications
Application Security Assessments - automated auditing of custom applications
Vulnerability Assessments - automated probing of network devices, computers and applications for known vulnerabilities and configuration issues
Penetration Testing - exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically requiring manual assistance
Security / risk rating - assessment of the overall security / vulnerability of the systems being tested, e.g. based on the OWASP Risk Rating Methodology
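Two of the core functionalities above, the automated technical compliance audit and the security / risk rating, fit together naturally: an audit produces findings, and a fixed rating method keeps the severity of those findings consistent between assessors (one of the challenges listed for this category). The following is an added example, not code from the CSA document or from any listed vendor. It audits a constructed sshd_config-style file against a small rule set and rates each finding with the OWASP Risk Rating Methodology (eight likelihood factors and eight impact factors scored 0 to 9, averaged, bucketed into LOW / MEDIUM / HIGH, and combined through the OWASP severity matrix). The rule set, the sample configuration and the factor scores attached to each rule are assumptions made for the demonstration; the thresholds and the matrix are those of the OWASP method.

```python
"""Added example (not from the CSA document): technical compliance audit of a
constructed configuration, with findings scored by the OWASP Risk Rating
Methodology. Rules, sample config and factor scores are assumptions."""
from dataclasses import dataclass

# Constructed sample: an sshd_config-style file as an auditor might collect it.
SAMPLE_CONFIG = """\
# constructed sample, not taken from any real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Protocol 2
X11Forwarding no
"""


def parse_config(text):
    """Parse 'Key value' lines into a dict, skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


@dataclass
class Rule:
    """Expected value plus the auditor's OWASP factor scores (0-9) for a violation.
    likelihood: threat agent (skill, motive, opportunity, size) and vulnerability
    (ease of discovery, ease of exploit, awareness, intrusion detection).
    impact: technical (confidentiality, integrity, availability, accountability)
    and business (financial, reputation, non-compliance, privacy)."""
    key: str
    expected: str
    likelihood: list
    impact: list


# Assumed rule set; scores are illustrative, not an official benchmark.
RULES = [
    Rule("PermitRootLogin", "no", [3, 9, 9, 9, 7, 5, 9, 3], [7, 9, 7, 9, 7, 5, 7, 5]),
    Rule("PasswordAuthentication", "no", [3, 9, 9, 9, 7, 5, 9, 3], [7, 7, 5, 5, 5, 5, 5, 5]),
    Rule("Protocol", "2", [3, 4, 9, 9, 3, 3, 9, 3], [7, 7, 1, 1, 3, 3, 5, 3]),
]


def level(score):
    """OWASP buckets: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall severity matrix, keyed by (impact level, likelihood level).
SEVERITY = {
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}


def owasp_rating(likelihood_factors, impact_factors):
    """Average each factor group, bucket, and look up the overall severity."""
    lik = sum(likelihood_factors) / len(likelihood_factors)
    imp = sum(impact_factors) / len(impact_factors)
    return lik, imp, SEVERITY[(level(imp), level(lik))]


def audit(text, rules=RULES):
    """Return one rated finding per rule whose expected value is not met."""
    settings = parse_config(text)
    findings = []
    for rule in rules:
        actual = settings.get(rule.key, "<unset>")
        if actual != rule.expected:
            lik, imp, sev = owasp_rating(rule.likelihood, rule.impact)
            findings.append({"key": rule.key, "actual": actual, "expected": rule.expected,
                             "likelihood": round(lik, 2), "impact": round(imp, 2),
                             "severity": sev})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['severity']:8} {f['key']}={f['actual']} (expected {f['expected']})")
```

Because the factor scores live in the rule set rather than in the assessor's head, two runs of the same audit give the same severity, which is what makes the ratings comparable across tools and vendors.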
SERVICES
Includes: Internal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment
Related Services: Intrusion Management
Related Technologies and Standards: SCAP (FDCC), CVSS, CVE, CWE, CYBEX
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 2, 4
OPTIONAL FEATURES
SIEM Integration
Physical security assessments
CHALLENGES
Standards are at different maturity levels in the various sections
Certification & Accreditation
Boundary definition for any assessments
Skills of tester(s) / assessors
Accuracy
Inconsistent ratings from different individuals / vendors
Typically limited to known vulnerabilities
REFERENCES / ADDITIONAL RESOURCES
CSA Guidance:
https://cloudsecurityalliance.org/research/projects/
https://cloudsecurityalliance.org/grcstack.html
Gartner - GRC definition:
http://blogs.gartner.com/french_caldwell/2010/01/12/wecome-to-kill-grc-not-to-praise-it/
NIST (800-146):
http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
OWASP Testing Guide:
http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
ENISA Information Assurance:
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
BSI Cornerstones Cloud Computing (in German):
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktepapier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf
CAMM - common-assurance.com
http://objectsecurity-mds.blogspot.com/2009/06/modeldriven-security-accreditation.html
http://www.oceg.org/
THREATS ADDRESSED
Inaccurate inventory
Lack of continuous monitoring
Lack of correlation information
Lack of complete auditing
Failure to meet/prove adherence to regulatory/standards compliance
Insecure / vulnerable configurations
Insecure architectures
Insecure processes / processes not being followed
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
Agiliance
Core Security
Modulo
Qualys
Veracode
WhiteHat
Non-Cloud
Agiliance
Archer
Cenzic
Core Security
eEye
HP
Immunity
Modulo
nCircle
Rapid7
Saint
Symantec
Tenable
Category #6: Intrusion Management
Description: Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop / prevent an intrusion.
The methods of intrusion detection, prevention, and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about the implementation of the same protection in cloud environments.
Examples of how cloud-based Intrusion Management could be offered include:
• Provided by the Cloud Service Provider
• Provided by a third party (routing traffic through a SecaaS)
• Hybrid SaaS with third-party management and host-based or virtual appliances running in the cloud consumer's context
Class: Detective, protective, reactive
CORE FUNCTIONALITIES
General
Identification of intrusions and policy violations
Automatic or manual remediation actions
Coverage for:
Workloads
Virtualization Layer (VMM/Hypervisor)
Management Plane
Cloud and other APIs
Updates to address new vulnerabilities, exploits and policies
Network Security (NBA, NIPS/NIDS or HIPS/HIDS using network)
Deep Packet Inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic
System/Behavioral
One or more of:
System Call Monitoring
System/Application Log Inspection
Integrity Monitoring of OS (files, registry, ports, processes, installed software, etc.)
Integrity Monitoring of VMM/Hypervisor
VM Image Repository Monitoring
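The "Integrity Monitoring of OS (files, ...)" functionality, together with the optional feature "remote storage or transmission of integrity information, to prevent local evasion" and the challenge that logs on short-lived instances can be lost, is what a host-based integrity monitor has to get right: a baseline of file digests that an intruder on the host cannot quietly rewrite. The following is an added example, not code from the CSA document or from any product listed below. It baselines a directory tree with SHA-256, seals the baseline with an HMAC under a key that only the monitoring service holds (standing in for shipping the baseline off-host), diffs a later scan against it, and shows that a baseline edited on the host fails verification. The temporary directory, the sample files, the simulated changes and the key are all constructed for the demonstration.

```python
"""Added example (not from the CSA document): file integrity monitoring with
an off-host-keyed, HMAC-sealed baseline. Sample tree, changes and key are
constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile


def scan(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def seal(digests, key):
    """Serialize the baseline canonically and tag it with HMAC-SHA256.
    The key belongs to the monitoring service, not to the monitored host."""
    body = json.dumps(digests, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def open_sealed(body, tag, key):
    """Refuse a baseline whose tag no longer verifies (edited on the host)."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline integrity check failed")
    return json.loads(body)


def diff(baseline, current):
    """Classify every path as added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Build a tiny tree, baseline it, simulate an intrusion, and report."""
    key = b"constructed-demo-key-held-by-the-monitoring-service"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        sample = {"etc/passwd": b"root:x:0:0\n", "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        body, tag = seal(scan(root), key)  # baseline leaves the host with its tag

        # Simulated changes: one file altered, one new file dropped, one deleted.
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"eve:x:0:0\n")
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(b"\x7fELF")
        os.remove(os.path.join(root, "etc/hosts"))
        report = diff(open_sealed(body, tag, key), scan(root))

        # A baseline rewritten on the host without the key must be rejected.
        forged = body.replace(b"etc/passwd", b"etc/PASSWD")
        try:
            open_sealed(forged, tag, key)
            forgery_detected = False
        except ValueError:
            forgery_detected = True
    return report, forgery_detected


if __name__ == "__main__":
    print(demo())
```

The design point is where the key lives: if the monitored instance could re-seal its own baseline, an intruder with root could simply rebaseline after modifying files, which is the local evasion the optional feature is meant to prevent.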
SERVICES
Includes: Packet Inspection, Detection, Prevention, IR
Related Services: Web Security, Secure Cloud & Virtualization Security
Related Technologies and Standards: DPI, Event correlation and pattern recognition
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 13
THREATS ADDRESSED
Intrusion
Malware
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
Alert Logic Threat Manager
Arbor Peakflow X
Check Point - Security Gateway Virtual Edition
Cloudleverage Cloud IPS/firewall
OPTIONAL FEATURES
Central Reporting
SIEM Integration
Administrator Notification
Customization of policy (automatic or manual)
Mapping to cloud-layer tenancy
Cloud-sourcing information to reduce false positives and improve coverage
Remote storage or transmission of integrity information, to prevent local evasion
CHALLENGES
General Challenges:
Proliferation of SSL required by deployment in public clouds adds complexity or blocks visibility to network-based IDS/IPS
Complexity and immaturity of Intrusion Management for APIs
Lack of tools to manage instance-to-instance relationships
Wire speed with full malware / attack coverage performance not meeting expectations
Specific to Cloud Consumers:
Current lack of virtual SPAN ports in public cloud providers for typical deployment of NIDS or NBA
Current lack of network-edge TAP interfaces for public cloud and virtual private cloud for typical deployment of NIPS
Inability to utilize hypervisor (vSwitch/vNIC) introspection
Latency, resiliency and bandwidth concerns with proxying network traffic through virtual appliances or 3rd-party services
Privacy concerns of service-based security
Short-lived instances (HIDS/HIPS logs can be lost)
Performance limitations with network traffic in a shared environment
Ownership / managing access to monitoring equipment and data
Specific to Cloud Service Providers:
Policy management in a multi-tenant environment
Policy management for application-layer multi-tenancy (SaaS, some PaaS services such as Microsoft SQL Azure)
Complexity of deployment and configuration
REFERENCES / ADDITIONAL RESOURCES
Cloud Security Alliance Guidance: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
NIST Guide to Intrusion Detection and Prevention Systems (IDPS): http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
Intrusion Detection: http://en.wikipedia.org/wiki/Intrusion_detection_system
Intrusion Prevention: http://en.wikipedia.org/wiki/Intrusion_prevention_system
REFERENCE EXAMPLES (continued)
Cloud
Cymtec Scout
eEye Digital Security Blink
IBM Proventia
McAfee - Host Intrusion Prevention
Sourcefire - 3D System
StoneGate - Virtual IPS
Symantec Critical System Protection
Symantec Endpoint Protection
Trend Micro Deep Security
Trend Micro Threat Detection Appliance
TrustNet iTrust SaaS Intrusion Detection
XO Enterprise Cloud Security
Non-Cloud
AIDE
CA eTrust Intrusion Detection
Check Point IPS
Cerero - Top Layer IPS
Cetacea Networks - OrcaFlow
Cisco Guard / IPS Detector
DeepNines - BBX
e-Cop - Cyclops
Enterasys - IPS
HP S IPS
Intrusion - SecureNet / Host
iPolicy
Juniper Networks IDP
Lancope - StealthWatch
McAfee - Network Intrusion Prevention
OSSEC
Q1 Labs - QRadar
Radware - DefensePro
Samhain
SoftSphere Technologies HIPS
StillSecure - Strata Guard
StoneGate - IPS
Suricata
Symantec Network Security
Category #7: Security Information & Event Management (SIEM)
Description: Security Information and Event Management (SIEM) systems accept (via push or pull mechanisms) log and event information. This information is then correlated and analyzed to provide real-time reporting and alerting on incidents / events that may require intervention. The logs are likely to be kept in a manner that prevents tampering to enable their use as evidence in any investigations.
Class: Detective
CORE FUNCTIONALITIES
Real-time log / event collection, de-duplication, normalization, aggregation and visualization
Log normalization
Real-time event correlation
Forensics support
Compliance reporting & support
IR support
Email anomaly detection
Reporting
Flexible data retention periods and policy management (compliance policy management)
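The description and the core functionalities above describe a pipeline: collect events in whatever native format the source emits, normalize them to one schema, de-duplicate, correlate in real time, and retain the result in a tamper-evident form. The following is an added example, not code from the CSA document or from any product listed for this category. It runs that pipeline over a handful of constructed log lines in two native formats (syslog-style sshd lines and ArcSight Common Event Format, which the category lists among its related standards), applies one correlation rule (repeated authentication failures from a source followed by a success within a short window), and links the retained events in a SHA-256 hash chain so that editing any stored event invalidates everything after it. The sample lines, the event schema, the rule's threshold and window, and the field names are assumptions made for the demonstration.

```python
"""Added example (not from the CSA document): collection, normalization,
de-duplication, correlation and tamper-evident retention over constructed log
lines. Schema, rule parameters and samples are assumptions."""
import hashlib
import re
from datetime import datetime, timezone

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(r"^CEF:0\|(?:[^|]*\|){4}(?P<name>[^|]*)\|[^|]*\|(?P<ext>.*)$")

SAMPLE_LOGS = [  # constructed lines; not real traffic
    "2011-09-01T10:00:01Z web1 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 4001 ssh2",
    "2011-09-01T10:00:03Z web1 sshd[812]: Failed password for root from 203.0.113.9 port 4002 ssh2",
    "2011-09-01T10:00:03Z web1 sshd[812]: Failed password for root from 203.0.113.9 port 4002 ssh2",  # resent duplicate
    "CEF:0|Vendor|Product|1.0|100|Failed login|5|rt=2011-09-01T10:00:05Z dhost=web1 suser=root src=203.0.113.9",
    "2011-09-01T10:00:40Z web1 sshd[812]: Accepted password for root from 203.0.113.9 port 4003 ssh2",
    "2011-09-01T10:05:00Z web2 sshd[913]: Accepted password for alice from 198.51.100.7 port 5001 ssh2",
]


def normalize(line):
    """Map a native line onto the common schema; None if the format is unknown."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "user": m["user"], "src": m["src"],
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    m = CEF_RE.match(line)
    if m:
        ext = dict(kv.split("=", 1) for kv in m["ext"].split())
        return {"ts": ext.get("rt"), "host": ext.get("dhost"), "user": ext.get("suser"),
                "src": ext.get("src"), "outcome": "failure" if "Failed" in m["name"] else "success"}
    return None


def dedupe(events):
    """Drop exact repeats (e.g. a forwarder resending on a lost ack)."""
    seen, out = set(), []
    for e in events:
        key = tuple(sorted(e.items()))
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(events, threshold=3, window_s=60):
    """Alert when >= threshold failures from one source precede a success within window_s."""
    alerts, by_src = [], {}
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        hist = by_src.setdefault(e["src"], [])
        t = parse_ts(e["ts"])
        if e["outcome"] == "failure":
            hist.append(t)
            continue
        recent = [f for f in hist if (t - f).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src": e["src"],
                           "host": e["host"], "user": e["user"], "failures": len(recent)})
    return alerts


def _record_hash(event, prev):
    return hashlib.sha256((repr(tuple(sorted(event.items()))) + prev).encode()).hexdigest()


def hash_chain(events):
    """Each stored record's hash covers the previous hash, so edits are detectable."""
    prev, chain = "0" * 64, []
    for e in events:
        prev = _record_hash(e, prev)
        chain.append((e, prev))
    return chain


def verify_chain(chain):
    prev = "0" * 64
    for e, h in chain:
        if _record_hash(e, prev) != h:
            return False
        prev = h
    return True


def run(lines=SAMPLE_LOGS):
    events = dedupe([e for e in (normalize(ln) for ln in lines) if e])
    return events, correlate(events), hash_chain(events)
```

The hash chain only makes tampering detectable; to make it evidential the head of the chain still has to be anchored somewhere the log's own administrators cannot rewrite, which is the same separation-of-custody point the description makes about keeping logs usable as evidence.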
OPTIONAL FEATURES
Heuristic controls
Specialized systems
Physical log monitoring
Access control system monitoring
Physical security integration (cameras, alarms, phone, etc.)
Integration with call / ticketing system
CHALLENGES
Standardization of log formats
Timing lag caused by translations from native log formats
Unwillingness of providers to share logs
Scaling for high volumes
Identification and visualization of key information
Usable interface, segregated by client
REFERENCES
http://www.darkreading.com/securitymonitoring/167901086/security/securitymanagement/228000206/cloud-creates-siem-blind-spot.html
http://securecloudreview.com/2010/08/service-provider-oftomorrow-part-9-as-the-cloud-thrives-siem-will-suffer/
SERVICES
Includes: Log management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Immutable logs (for legal investigations)
Related Services: Architectural considerations, Compliance reporting, Software inventory, Non-traditional correlation, Non-traditional monitoring, Database monitoring, Request fulfillment
Related Technologies and Standards: FIPS 140-2 compliant, Common Event Format (CEF), Common Event Expression (CEE), IF-MAP (TCG)
Service Model: SaaS, PaaS
CSA Domains (v2.1): 2, 3, 4, 5, 7, 9, 12
THREATS ADDRESSED
Abuse and Nefarious Use
Insecure Interfaces and APIs
Malicious Insiders
Shared Technology Issues
Data Loss and Leakage
Account or Service Hijacking
Unknown Risk Profile
Fraud
REFERENCES (continued)
http://en.wikipedia.org/wiki/Security_information_and_event_management
http://en.wikipedia.org/wiki/Security_event_manager
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
AccelOps
AlienVault (OSSIM)
ArcSight ESM
eIQnetworks
LogLogic
netForensics nFX One
Novell Cloud Security Services / E-Sentinel
OSSIM
Prelude-SIEM
Q1 Labs
Quest Software
RSA/EMC enVision
SenSage
SolarWinds Log and Event Manager
Splunk
Category #8: Encryption
Description: Encryption is the process of obfuscating/encoding data (usually referred to as plaintext) using cryptographic algorithms, the product of which is encrypted data (usually referred to as ciphertext). Only the intended recipient or system that is in possession of the correct key can decode (decrypt) this ciphertext. In the case of one-way cryptographic functions, a digest or hash is created instead.
Encryption systems typically consist of one or more algorithms that are computationally difficult (or infeasible) to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal, key exchange, etc. Each part is effectively useless without the other, e.g. the best algorithm is easy to “crack” if an attacker can access the keys due to weak processes.
Class: Protective
CORE FUNCTIONALITIES
Data protection (at rest and in motion)
Data validation
Message authentication
Message/data integrity
Data time-stamping (digital notary)
Identity validation (certificates to identify IT assets/endpoints)
Code signing
Forgery detection
Identity validation (digital signatures)
Digital fingerprinting
Forensic protection (hashing of log files and evidence)
Pseudorandom number generation
Data destruction (throw away the key!)
Key/certificate generation and management
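The description's point that the algorithm is useless without the processes around it, and the core functionalities "Data destruction (throw away the key!)", "Forgery detection" and "Forensic protection (hashing of log files and evidence)", are best seen in the key lifecycle rather than in the cipher itself. The following is an added example, not code from the CSA document or from any vendor listed for this category. A key-management service holds a key-encryption key and wraps one data-encryption key per tenant; records are encrypted under the tenant key with an encrypt-then-MAC construction whose tag is checked before any plaintext is released; deleting the wrapped tenant key is the data-destruction mechanism (the ciphertext on storage becomes unrecoverable without being touched), and a SHA-256 digest provides the evidence hashing. To stay within the Python standard library the cipher here is a demonstration construction (an HMAC-SHA256 keystream in counter mode plus an HMAC tag), chosen so the key-handling logic is visible; a production service would use a vetted authenticated cipher such as AES-GCM and keep the key-encryption key in an HSM. Tenant names, keys and the record are constructed.

```python
"""Added example (not from the CSA document): key hierarchy, authenticated
encryption with forgery detection, crypto-shredding and evidence hashing.
The cipher is a demonstration construction, not a vetted AEAD; keys, tenant
names and records are constructed."""
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC with a 64-byte key)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before decrypting: a forged or altered blob is rejected."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagementService:
    """Holds the key-encryption key; tenant data keys exist only wrapped under it."""

    def __init__(self):
        self._kek = secrets.token_bytes(64)  # constructed; would live in an HSM
        self._wrapped = {}                    # tenant -> wrapped data-encryption key

    def provision_tenant(self, tenant):
        dek = secrets.token_bytes(64)
        self._wrapped[tenant] = encrypt(self._kek, dek)
        return dek

    def unwrap(self, tenant):
        if tenant not in self._wrapped:
            raise KeyError(f"no key for {tenant}: its ciphertext is unrecoverable")
        return decrypt(self._kek, self._wrapped[tenant])

    def crypto_shred(self, tenant):
        """Contract terminated: destroying the wrapped key destroys the data."""
        del self._wrapped[tenant]


def evidence_digest(data):
    """Forensic protection: a digest that proves a log or evidence file is unchanged."""
    return hashlib.sha256(data).hexdigest()


def demo():
    """Provision, store, read back, shred, and show forgery detection."""
    kms = KeyManagementService()
    dek = kms.provision_tenant("tenant-a")
    record = b"constructed customer record"
    stored = encrypt(dek, record)  # what lands on the cloud provider's storage
    readable = decrypt(kms.unwrap("tenant-a"), stored) == record
    kms.crypto_shred("tenant-a")
    try:
        kms.unwrap("tenant-a")
        shredded = False
    except KeyError:
        shredded = True
    tampered = bytearray(stored)
    tampered[20] ^= 1  # flip one ciphertext byte
    try:
        decrypt(dek, bytes(tampered))
        forgery_detected = False
    except ValueError:
        forgery_detected = True
    return readable, shredded, forgery_detected
```

Note that the data key is returned to the caller only at provisioning time in this toy; a real service would also control who may call unwrap, since the separation of duties between data owner, administrator and provider (listed under the challenges for this category) is enforced there, not in the cipher.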
OPTIONAL FEATURES
Searching encrypted data
Sorting encrypted data
Identity-based encryption
Data integrity
Mechanism to ensure secure removal of customer data when term / contract is terminated
Identity assurance (e.g., the parties involved are who they claim to be)
CHALLENGES
Risk of compromised keys
Searching and/or sorting of encrypted data
SERVICES
Includes: VPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption, Digital signatures, Integrity validation
Related Services: VM Architecture, Hardware protection, Software-based protection, Remote access validation
Related Technologies and Standards: FIPS 140-2, IPsec, SSL, Hashing and algorithms, Symmetric and Asymmetric Cryptography
Service Model: PaaS, SaaS, IaaS
CSA Domains (v2.1): 11
THREATS ADDRESSED
Failure to meet regulatory compliance requirements
Mitigating insider and external threats to data
Intercepted clear-text network traffic
Clear-text data on stolen / disposed-of hardware
Reducing the risk of, and potentially enabling, cross-border business opportunities
CHALLENGES (continued)
Separation of duties between data owners, administrators and cloud service providers
Legal issues
Federated trust between providers
REFERENCES / ADDITIONAL RESOURCES
http://www.eweek.com/c/a/Security/IBM-Uncovers-Encryption-Scheme-That-Could-Improve-Cloud-Security-Spam-Filtering-135413/
https://cloudsecurityalliance.org/csaguide.pdf
“Implementing and Developing Cloud Computing Applications” by David E.Y. Sarna
http://www.ctoedge.com/content/new-approach-enteprisedata-security-tokenization
http://arstechnica.com/tech-policy/news/2009/09/yoursecrets-live-online-in-databases-of-ruin.ars
CSA discussion forums: “The Illegality of Exporting Personal Data into the Cloud. Is the following Hypothesis the Answer? Does the following Hypothesis Handle the Objection?” http://www.linkedin.com/e/-njv39egmdp90wv-1m/vaq/23764306/1864210/36300812/view_disc/
“IETF RFC 5246”. The Transport Layer Security (TLS) Protocol Version 1.2: http://tools.ietf.org/rfc/rfc5246.txt
“SP 800-57 Recommendation for Key Management” NIST, January 2011: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
“SP 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths” NIST, January 2011: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
ISO/TR (2010). “ISO TR-14742:2010 Financial Services - Recommendations on Cryptographic Algorithms and their Use.” ISO.
Ferguson, N., Schneier, B., and Kohno, T. (2010). “Cryptography Engineering: Design Principles and Practical Applications.” New York: John Wiley and Sons.
THREATS ADDRESSED (continued)
Reducing perceived risks and thus enabling cloud adoption by government
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
Credant
CipherCloud
enStratus
Novaho
PerspecSys
ProtectV
SecureCloud
SurePassID
Vormetric
Non-Cloud
Crypo.com
Sendinc
Category #9: Business Continuity and Disaster Recovery
Description: Business Continuity and Disaster Recovery (BCDR) are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions.
BCDR provides flexible and reliable failover for required services in the event of any service interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric BCDR makes use of the cloud’s flexibility to minimize cost and maximize benefits. For example, a tenant could make use of low-specification guest machines to replicate applications and data to the cloud, but with the provision to quickly ramp up the CPU, RAM, etc. of these machines in a BCDR scenario.
Class: Reactive, Protective, Detective
CORE FUNCTIONALITIES
Flexible infrastructure
Secure backup
Monitored operations
Third-party service connectivity
Replicated infrastructure components
Replicated data (core / critical systems)
Data and/or application recovery
Alternate sites of operation
Tested and measured processes and operations to ensure
Geographically distributed data centers / infrastructure
Network survivability
OPTIONAL FEATURES
Support for BC and DR compliance monitoring and/or reporting or testing flexible infrastructure
Authorized post-disaster privileged account management
Enable DR policy management (incl. authorization management, role management, compliance management)
CHALLENGES
Over-centralization of data
Lack of approved and tested policies, processes, and procedures
Legal constraints on transportation of data outside the affected region
Network connectivity failures
Identification of Recovery Time Objectives / Recovery Point Objectives / SLAs
Agreed definition between vendor and client of what DR / BCP means
Security - Data in multiple locations
SERVICES
Includes: File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. databases)
Related Services: Fail-back to live systems, Encryption of data in transit, Encryption of data at rest, Field-level encryption, Realm-based access control
Related Technologies and Standards: ISO/IEC 24762:2008, BS 25999
Service Model: IaaS, SaaS
CSA Domains (v2.1): 7
THREATS ADDRESSED
Natural disaster
Fire
Power outage
Terrorism/sabotage
Data corruption
Data deletion
Pandemic/biohazard
REFERENCES / ADDITIONAL RESOURCES
NIST SP 800-34
ISO/IEC 27031
http://en.wikipedia.org/wiki/Disaster_recovery
http://www.silicon.com/management/cioinsights/2010/09/30/cloud-computing-is-it-ready-fordisaster-recovery-39746406/
http://blogs.forrester.com/rachel_dines/11-08-29disaster_recovery_meet_the_cloud
http://www.usenix.org/event/hotcloud10/tech/full_papers/Wood.pdf
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
Atmos
Decco
Digital Parallels
Quantix
Rackspace
Non-Cloud
IBM
Iron Mountain
SunGard
Category #10: Network Security
Description: Network Security consists of security services that allocate access, distribute, monitor, and protect the underlying resource services.
Architecturally, network security provides services that address security controls at the network in aggregate, or specifically addressed at the individual network of each underlying resource.
In a cloud / virtual environment, network security is likely to be provided by virtual devices alongside traditional physical devices. Tight integration with the hypervisor to ensure full visibility of all traffic on the virtual network layer is key.
Class: Detective, protective, reactive
CORE FUNCTIONALITIES
Data Threats
Access Control Threats
Access and Authentication controls
Security Gateways (firewalls, WAF, SOA/API, VPN)
Security Products (IDS/IPS, Server Tier Firewall, File Integrity Monitoring, DLP, Anti-Virus, Anti-Spam)
Security Monitoring and IR
DoS protection/mitigation
Secure “base services” like DNS and/or DNSSEC, DHCP, NTP, RAS, OAuth, SNMP, Management network segmentation and security
Traffic / netflow monitoring
Integration with Hypervisor layer
OPTIONAL FEATURES
Log correlation / Secure and Immutable Logging
Secure data encryption at rest
Performance monitoring of the network
Real-time alerting
Change Management
CHALLENGES
Micro-borders (instead of traditional clearly defined network boundaries, the borders between tenant networks can be dynamic and potentially blurred in a large-scale virtual / cloud environment)
Virtual Segmentation of Physical Servers
Limited visibility of inter-VM traffic
SERVICES
Includes: Firewall (perimeter and server tier), Web application firewall, DDoS protection/mitigation, DLP, IR management, IDS / IPS
Related Services: Identity and Access Management, Data Loss Prevention, Web Security, Intrusion Management, Security Information and Event Management, and Encryption
Related Technologies and Standards:
Service Model: IaaS, SaaS, PaaS
CSA Domains (v2.1): 7, 8, 9, 10, 13
THREATS ADDRESSED
Data Threats
Access Control Threats
Application Vulnerabilities
Cloud Platform Threats
Regulatory, Compliance & Law Enforcement
CHALLENGES (continued)
Non-standard APIs
Management of many virtual networks / VLANs in a complex environment - reliant on provider policies and procedures
Separation of production and non-production environments
Logical and Virtual Segregation of Customer Network/Systems/Data
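The micro-border challenge and the "logical and virtual segregation of customer network/systems/data" item both come down to a question the provider's policy data can answer mechanically: does any rule in a tenant's virtual network admit traffic from another tenant's address space, and are management ports exposed to arbitrary sources? The following is an added example, not code from the CSA document or from any product listed for this category. It models a tenant address plan and security-group style inbound rules, and reports rules that cross a tenant boundary or expose a management port to any source; a provider management prefix is treated as an allowed exception. The tenant names, prefixes, ports and rules are all constructed for the demonstration.

```python
"""Added example (not from the CSA document): a segregation check over
constructed tenant address plans and inbound rules. Names, prefixes, the
management-port list and the rules are assumptions."""
import ipaddress

# Ports treated as management plane for this demo (assumed list).
MANAGEMENT_PORTS = {22, 3389, 5900}
PROVIDER_MGMT = "provider-mgmt"

# Constructed tenant address plan: tenant -> list of prefixes it owns.
TENANTS = {
    "tenant-a": [ipaddress.ip_network("10.1.0.0/16")],
    "tenant-b": [ipaddress.ip_network("10.2.0.0/16")],
    PROVIDER_MGMT: [ipaddress.ip_network("10.255.0.0/24")],
}

# Constructed inbound rules: (rule owner, permitted source prefix, destination port).
RULES = [
    ("tenant-a", "10.1.0.0/16", 443),    # intra-tenant: fine
    ("tenant-a", "10.2.5.0/24", 3306),   # tenant-b's subnet can reach tenant-a's database
    ("tenant-b", "0.0.0.0/0", 22),       # SSH open to any source
    ("tenant-b", "10.255.0.0/24", 22),   # provider management plane: allowed exception
    ("tenant-b", "0.0.0.0/0", 443),      # public web: deliberate exposure, not a boundary issue
]


def owner_of(prefix, tenants=TENANTS):
    """Return the tenant whose address plan overlaps prefix, or None if unowned."""
    net = ipaddress.ip_network(prefix)
    for tenant, nets in tenants.items():
        if any(net.overlaps(n) for n in nets):
            return tenant
    return None


def check_rules(rules=RULES, tenants=TENANTS):
    """Flag cross-tenant sources and management ports open to any source."""
    findings = []
    for owner, src, port in rules:
        net = ipaddress.ip_network(src)
        if net.prefixlen == 0:
            # 'Any source' is a deliberate public exposure; only management ports are flagged.
            if port in MANAGEMENT_PORTS:
                findings.append((owner, src, port, "management port exposed to any source"))
            continue
        src_owner = owner_of(src, tenants)
        if src_owner not in (None, owner, PROVIDER_MGMT):
            findings.append((owner, src, port, f"cross-tenant access from {src_owner}"))
    return findings


if __name__ == "__main__":
    for owner, src, port, why in check_rules():
        print(f"{owner}: allow {src} -> :{port}  [{why}]")
```

A check like this is only as good as the address plan it is fed; in an environment where tenant borders are dynamic (the micro-border point), the plan has to be pulled from the provider's current allocation rather than from a static document, and re-run whenever it changes.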
REFERENCES / ADDITIONAL RESOURCES
CSA
Intel Cloud Security Reference Architecture:
http://software.intel.com/en-us/articles/Cloud-Security-Reference-Architecture-Guide/
http://www.intel.com/content/dam/doc/referencearchitecture/cloud-computing-enhanced-cloud-securityhytrust-vmware-architecture.pdf
ENISA Cloud Computing Risk Assessment:
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
CloudFlare
HP
IBM
Imperva - Incapsula
McAfee
Rackspace
Stonesoft
Symantec
Non-Cloud
HP
IBM
McAfee
Snort
Symantec