Defined Categories of Service 2011 - Cloud Security Alliance

Defined Categories of 

Service 2011

Introduction 

CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011 

The permanent and official location for the Cloud Security Alliance Security as a Service 

research is: 

https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/ 

© 2011 Cloud Security Alliance. 

All rights reserved. You may download, store, display on your computer, view, print, and link 

to the Cloud Security Alliance “Security as a Service” at https://cloudsecurityalliance.org/wpcontent/uploads/2011/09/SecaaS_V1_0.pdf 

subject to the following: (a) the Guidance may be 

used solely for your personal, informational, non-commercial use; (b) the Guidance may not be 

modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the 

trademark, copyright or other notices may not be removed. You may quote portions of the 

Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided 

that you attribute the portions to the Cloud Security Alliance “Security as a Service” Version 1.0 

(2011). 

Copyright © 2011 Cloud Security Alliance 2

Table of Contents 


Introduction.................................................................................................................................................2 

Foreword......................................................................................................................................................4 

Acknowledgments......................................................................................................................................5 

Executive Summary ...................................................................................................................................7 

Category 1: Identity and Access Management ….................................................................................8 

Category 2: Data Loss Prevention..........................................................................................................10 

Category 3: Web Security........................................................................................................................12 

Category 4: Email Security......................................................................................................................14 

Category 5: Security Assessments.........................................................................................................16 

Category 6: Intrusion Management.......................................................................................................18 

Category 7: Security Information and Event Management (SIEM)..................................................20 

Category 8: Encryption...........................................................................................................................22 

Category 9: Business Continuity and Disaster Recovery...................................................................24 

Category 10: Network Security..............................................................................................................26 


Foreword 


Welcome to the Cloud Security Alliance’s “Security as a Service,” Version 1.0. This is one of 

many research deliverables CSA will release in 2011. 

There is currently a lot of work regarding the security of the cloud and data in the cloud, but 

until now there has been limited research into the provision of security services in an elastic 

cloud model that scales as the client requirements change. This paper is the initial output from 

research into how security can be provided as a service (SecaaS). 

Also, we encourage you to download and review our flagship research, “Security Guidance for 

Critical Areas of Focus in Cloud Computing,” which you can download at: 

http://www.cloudsecurityalliance.org/guidance 

Best Regards, 

Jerry Archer Alan Boehme Dave Cullinane 

Nils Puhlmann Paul Kurtz Jim Reavis 

The Cloud Security Alliance Board of Directors 


Acknowledgments 

Co-chairs 

Kevin Fielder: GE, Cameron Smith: Zscaler 

Working Group Leaders 


Runa Desai Delal: Agama Consulting, Ulrich Lang: ObjectSecurity, Atul Shah: Microsoft, Aaron Bryson: 

Cisco, Mark Hahn: TCB Technologies, Wolfgang Kandek: Qualys, John Hearton: Secure Mission 

Solutions, Justin Foster: Trend Micro, Ben Chung: HP, Jens Laundrup: Emagined Security, Geoff Webb: 

Credant Technologies, Kevin Fielder: GE, Cameron Smith: Zscaler, Ken Owens: Savvis 

Steering Committee 

Scott Chasin: McAfee, Kevin Fielder: GE Global, Patrick Harding: Ping Indentity, John Hearton: Secure 

Mission Solutions, Bernd Jager: Colt, Joe Knape: AT&T, Marlin Pohlman: EMC, Jim Reavis: Cloud 

Security Alliance, Archie Reed: HP, J.R. Santos: Cloud Security Alliance, Cameron Smith: Zscaler, 

Michael Sutton: Zscaler, Brian Todd: ING 

SecaaS Members 

Lenin Aboagye: Apollo Group Inc., Ravikanth Anisingaraju: Nexus Informatics, Dave Asprey: Trend 

Micro, Karim Benzidane, Aaron Bryson: Cisco, Ben Chung: HP, Joel Cort: Xerox, Ricardo Costa: ESTG, 

Runa Desai Dalal: Agama Consulting, Jeff Finch: Interoute, Justin Foster: Trend Micro, Matthew 

Gardiner: CA Technologies, Suptrotik Ghose: Microsoft, Mark Hahn: TCB Technologies, Jeff Huegel: 

AT&T, Wolfgank Kandek: Qualys, Tuhin Kumar, Vijay Kumar Teki: HCL Technologies, Taiye Lambo: 

eFortresses, Jens Laundrup: Emagined Security, David Lingenfelter: Fiberlink, Drew Maness: 

Technicolor, Ken Owens: Savvis, Naynesh Patel: Simeio Solutions, Mike Qu, Kanchanna Ramasamy 

Balraj, Atul Shah: Microsoft, Said Tabet: EMC, Hassan Takabi: University of Pittsburgh, Danielito 

Vizcayno: E*Trade, Geoff Webb: Credant Technologies, Arnold Webster: EC-Council University, Nick 

Yoo: McKesson Corp. 

Contributors 

Jim Beadel: AT&T, Cheng-Yin Lee: CSA, Jie Wang: Converging Stream Technologies, Inc, Kapil 

Assudani: HCSC, Valmiki Mukherjee: (ISC)2, JP Morgenthal: Smartronix Cloud Security Alliance DC 

Chapter, Vladimir Jirasek: Nokia, Amol Godbole: Cisco Systems, Tuhin Kumar: Oracle Corp., Martin 

Lee: Symantec.cloud, Andrey Dulkin: Cyber-Ark Software, John Hearton: Secure Mission Solutions, 

Nandakumar: Novell, Bernd Jaeger: Colt Technology Services, Tyson Macaulay: Bell Canada, Lenin 

Aboagye: Apollo Group, David Treece: Edgile, Benzidane Karim: NTIQual, Atul Shah: Microsoft, Mark 

Hahn: TCB Technologies, Inc., Bradley Anstis: M86 Security, JD Hascup: Weyerhaeuser, Balaji 

Ramamoorthy: TCG, Hassan Takabi: University of Pittsburgh, Henry St. Andre: inContact, Faud Khan: 

TwelveDot, Inc., MS Prasad: Rediffmail, Gaurav Godhwani: Student, Ang Puay Young, Singapore 

Ministry of Health Holdings, Ted Skinner, Harris Corporation 


CSA Staff 


Jim Reavis: Executive Director, J.R. Santos: Research Director, John Yeoh: Research Analyst, Amy Van 

Antwerp: Technical Writer/Editor, Kendall Scoboria: Graphic Designer, Evan Scoboria: Web Developer 


Executive Summary 


Cloud Computing represents one of the most significant shifts in information technology many 

of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility 

has great potential, promising innovations we cannot yet imagine. 

Customers are both excited and nervous at the prospects of Cloud Computing. They are excited 

by the opportunities to reduce capital costs. They are excited for a chance to divest 

infrastructure management and focus on core competencies. Most of all, they are excited by the 

agility offered by the on-demand provisioning of computing resources and the ability to align 

information technology with business strategies and needs more readily. However, customers 

are also very concerned about the security risks of Cloud Computing and the loss of direct 

control over the security of systems for which they are accountable. Vendors have attempted to 

satisfy this demand for security by offering security services in a cloud platform, but because 

these services take many forms, they have caused market confusion and complicated the 

selection process. This has led to limited adoption of cloud based security services thus far. 

However, the future looks bright for SecaaS, with Gartner predicting that cloud-based security 

service us will more than triple in many segments by 2013. 

To aid both cloud customers and cloud providers, CSA has embarked on a new research project 

to provide greater clarity on the area of Security as a Service. Security as a Service refers to the 

provision of security applications and services via the cloud either to cloud-based infrastructure 

and software or from the cloud to the customers’ on-premise systems. This will enable 

enterprises to make use of security services in new ways, or in ways that would not be cost 

effective if provisioned locally. 

Numerous security vendors are now leveraging cloud-based models to deliver security 

solutions. This shift has occurred for a variety of reasons, including greater economies of scale 

and streamlined delivery mechanisms. Consumers are increasingly faced with evaluating 

security solutions, which do not run on-premises. Consumers need to understand the unique 

nature of cloud-delivered security offerings so they can evaluate the offerings and understand if 

they will meet their needs. 

Based on survey results collected from prominent consumers of cloud services, the following 

security service categories are of most interest to experienced industry consumers and security 

professionals: 

Identity and Access 

Management (IAM) 

Data Loss Prevention 

(DLP) 

Web Security 

Email Security 

Security Assessments 

Intrusion Management 

Security Information 

and Event Management 

(SIEM) 

Encryption 

Business Continuity 

and Disaster Recovery 

Network Security 



Category #1: Identity and Access Management (IAM) 

Description: Identity and Access Management (IAM) should provide controls for assured 

identities and access management. 

IAM includes people, processes, and systems that are used to manage access to enterprise 

resources by assuring the identity of an entity is verified and is granted the correct level of access 

based on this assured identity. Audit logs of activity such as successful and failed authentication 

and access attempts should be kept by the application / solution. 

Class: Protective/Preventative 

CORE FUNCTIONALITIES 

Provisioning/de-provisioning of accounts (of both cloud & 

on-premise applications and resources) 

Authentication (multiple forms and factors) 

Directory services 

Directory synchronization (multilateral as required) 

Federated SSO 

Web SSO (e granular access enforcement & session 

management - different from Federated SSO) 

Authorization (both user and application/system) 

Authorization token management and provisioning 

User profile & entitlement management (both user and 

application/system) 

Support for policy& regulatory compliance monitoring 

and/or reporting 

Federated Provisioning of Cloud Applications 

Self-Service request processing, like password reset, setting 

up challenge questions, request for role/resource etc. 

Privileged user management/privileged user password 

management 

Policy management (incl. authorization management, role 

management, compliance policy management) 

Role Based Access Controls (RBAC) (Where supported by the 

underlying system/service) 

OPTIONAL FEATURES 

Support for DLP 

Granular Activity Auditing broken down by individual 

Segregation of duties based on identity entitlement 

Compliance-centric reporting 

CHALLENGES 

Lack of standards and vendor lock-in 

Identity theft 

Unauthorized access 

Privilege escalation 

Continued on the following page… 

SERVICES 

Includes: User Centric ID Provider, 

Federated IDs, Web-SSO, Identity 

Provider, Authorization Management 

Policy Provider, Electronic Signature, 

Device Signature, User Managed Access 

Related Services: DLP, SIEM 

Related Technologies and Standards: 

SAML, SPML, XACML, (MOF/ECORE), 

OAuth, OpenID, Active Directory 

Federated Services (ADFS2), WS- 

Federation 

Service Model: SaaS, PaaS 

CSA Domains (v2.1): 4, 12 

THREATS ADDRESSED 

Identity theft 


Privilege escalation 

Insider threat 

Non-repudiation 

Excess privileges / excessive 

access 

Delegation of authorizations / 

entitlements 

Fraud 


Continued from the previous page… 


CHALLENGES 

Insider threat 

Non-Repudiation 

Least privilege / need-to-know 

Segregation of administrative (provider) vs. end user (client) 

interface and access 

Delegation of authorizations/entitlements 

Attacks on Identity Services such as DDoS 

Eavesdropping on Identity Service messaging (Non- 

Repudiation) 

Password management (communication, retrieval) – Different 

requirements across clients 

Resource hogging with unauthorized provisioning 

Complete removal of identity information at the end of the 

life cycle 

Real-time provisioning and de-provisioning 

Lack of interoperable representation of entitlement 

information 

Dynamic trust propagation and development of trusted 

relationships among service providers 

Transparency: security measures must be available to the 

customers to gain their trust. 

Developing a user centric access control where user requests 

to service providers are bundled with their identity and 

entitlement information 

Interoperability with existing IT systems and existing 

solutions with minimum changes 

Dynamically scale up and down; scale to hundreds of millions 

of transactions for millions of identities and thousands of 

connections in a reasonable time 

Privacy preservation across multiple tenants 

Multi-jurisdictional regulatory requirements 

REFERENCES / ADDITIONAL RESOURCES 

https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf 

CSA Silicon Valley cloud authorization policy automation presentation: 

http://www.objectsecurity.com/en-resources-video-20110208-webinar-79898734.htm 

(Alternate download: http://www.objectsecurity.com/en-contact-resources.html) 

REFERENCE EXAMPLES 

(Products and vendors. Non-exhaustive list) 

Cloud 

CA Arcot Webfort 

CyberArk Software Privileged 

Identity Manager 

Novell Cloud Security Services 

ObjectSecurity OpenPMF 

(authorization policy automation, 

for private cloud only) 

Symplified 

Non-Cloud 

Novell Identity Manager 

Oracle Identity Manager 

Oracle Access Manager Suite 



Category #2: Data Loss Prevention 

Description: Data Loss Prevention is the monitoring, protecting, and verifying the security of 

data at rest, in motion and in use both in the cloud and on-premises. 

DLP services offer protection of data usually by running as some sort of client on desktops / 

servers and running rules around what can be done. Where these differ from broad rules like 

“No FTP” or “No uploads” to web sites, etc. is the level to which the services understand data. 

A few examples of policies you can specify are “No documents with numbers that look like 

credit cards can be emailed,” “Anything saved to USB storage is automatically encrypted and 

can only be unencrypted on another office owned machine with a correctly installed DLP 

client,” and “Only clients with functioning DLP software can open files from the fileserver,” 

etc. 

Within the cloud, DLP services could be offered as something that is provided as part of the 

build, such that all servers built for that client get the DLP software installed with an agreed set 

of rules deployed. 

Class: Preventative 


Data labeling and classification 

Identification of Sensitive Data 

Predefined policies for major regulatory statues 

Context Detection Heuristics 

Structured Data Matching (data-at-rest) 

SQL regular expression detection 

Traffic Spanning (data-in-motion) detection 

Real Time User Awareness 

Security Level Assignment 

Custom Attribute Lookup 

Automated Incident Response 

Signing of Data 

Cryptographic data protection and access control 

Machine readable policy language 


Rate domains 

Smart Response (integrated remediation workflow) 

Automated event escalation 

Automated false positive signature compensation 

Unstructured Data Matching 

File / directory integrity via hashing 

Integration with Intrusion Detection Systems 

Multiple Language Pack 

Data privacy 

Chain of evidence services to support investigations and 

prosecutions 


SERVICES 

Includes: Encryption, Meta-data 

tagging, Data Identification, Multilingual 

fingerprinting, Data leakage 

detection, Policy management and 

classification, Transparent data 

encryption, Policy controlled data 

access, storage and transportation, 

Dynamic data masking 

Related Services: IAM 


SAML, SPML, XACML, 

(MOF/ECORE), ESG 



Data loss/leakage 


Malicious compromises of data 

integrity 

Data sovereignty issues 

Regulatory sanctions and fines 




CHALLENGES 

Data may be stolen from the datacenter virtually or even 

physically 

Data could be misused by the datacenter operator or others 

employees with access 

Compliance requires certifying cloud stack at all levels 

repeatedly 

Data sovereignty issues reduce customer rights with regard 

to governments 

Encrypted Data 

Performance when analyzing and monitoring large / heavily 

accessed data sets 

False negatives / false positives (tuning) 

Rule base may be complex to manage 

Outside of ‘known’ items such as credit card numbers and 

social security numbers, data can only be classified with 

detailed input from the end user 

Lack of data classification standards 

Ensuring customer data segregation when multiple tenants 

present 

REFERENCES 




BlueCoat 

IBM 

Imperva 

Oracle 

Reconnex 

RSA 

Symantec/Vontu 

WebSens 

Zscaler 


Digital Guardian 

Palisade Systems PacketSure 

Symantec Protection Suite 

Enterprise Edition 

http://www.technewsworld.com/story/66562.html 

http://www.datalossbarometer.com/14945.htm 

http://community.websense.com/blogs/websense-media-coverage/archive/2010/07/20/channelinsider-websense-plans-to-tap-microsoft-channel-cloud-dlp-innovatin-in-the-present-and-future.aspx 

http://www.asiacloudforum.com/content/vmmare-embeds-rsa-dlp-virtual-environments 

http://searchsecuritychannel.techtarget.com/news/1374080/Partner-Engage-2009-VARs-dish-on-DLPimplementation-and-the-cloud 

http://infinite-identities.blogspot.com/2009/12/next-cloud-security-frontier-dlp-for.html 


Category #3: Web Security 


Description: Web Security is real-time protection offered either on-premise through 

software/appliance installation or via the cloud by proxying or redirecting web traffic to the 

cloud provider. 

This provides an added layer of protection on top of things like AV to prevent malware from 

entering the enterprise via activities such as web browsing. Policy rules around the types of 

web access and the times this is acceptable can also be enforced via these technologies. 

Class: Protective, detective, reactive 


Web Filtering 

Malware, Spyware & Bot Network analyzer and blocking 

Phishing site blocker 

Instant Messaging Scanning 

Email Security 

Bandwidth management/traffic control 


Fraud Prevention 

Web Access Control 

Backup 

SSL (decryption / hand off) 

Usage policy enforcement 


Rate domains 

Categorize websites by URL/IP address 

Rate sites by user requests 

Transparent updating of user mistakes 

Categorize and rate websites as needed 

Categorize websites for policy enforcement 

Recognize multiple languages 

Categorize top-level domains 

Block downloads with spoofed file extensions 

Strip potential spyware downloads from high-risk sites 

CHALLENGES 

Constantly evolving threats 

Insider circumvention of web security 

Compromise of the web filtering service by proxy 

Potentially higher cost of real time monitoring 

Lack of features vs. premise based solutions 

Lack of policy granularity and reporting 

Relinquishing control 

Encrypted traffic 


SERVICES 

Includes: Email Server, Anti-virus, 

Anti-spam, Web Filtering, Web 

Monitoring, Vulnerability 

Management, Anti-phishing 

Related Services: Firewalls, Proxy, 

DLP, Email Security 


HTTP/HTTPS, RuleML, XML, PHP, 

anti-virus 




Keyloggers 

Domain Content 

Malware 

Spyware 

Bot Network 

Phishing 

Virus 

Bandwidth consumption 


Spam 





http://www.technewsworld.com/story/66562.html 

BT case study: 

http://www.globalservices.bt.com/static/assets/pdf/case_s 

tudies/EN_NEW/edinburgh_cc_web_security_case_study.p 

df 

W3C Web Security FAQ: 

http://www.w3.org/Security/Faq/ 

OWASP: https://www.owasp.org/index.php/Main_Page 




BlueCoat 

RSA 

TrendMicro 

Websense 

zScaler 


Barracuda 

BlueCoat 

Cisco 

McAfee 

Symantec 

Watchguard 


Category #4: Email Security 


Description: Email Security should provide control over inbound and outbound email, thereby 

protecting the organization from phishing, malicious attachments, enforcing corporate polices 

such as acceptable use and spam, and providing business continuity options. 

In addition, the solution should allow for policy-based encryption of emails, as well as 

integrating with various email server solutions. 

Digital signatures enabling identification and non-repudiation are also features of many email 

security solutions. 

Class: Protective, detective, reactive 


Accurate filtering to block spam and phishing 

Deep protection against viruses and spyware before they 

enter the enterprise perimeter 

Flexible policies to define granular mail flow and encryption 

Rich, interactive and correlate real-time reporting 

Deep content scanning to enforce policies 

Option to encrypt some / all emails based on policy 

Integration with various email server solutions 


Secure archiving 

Web-mail interface 

Full integration with in-house identity system (LDAP, Active 

Directory, etc.) 

Mail encryption, signing & time-stamping 

Flexible integration 

Data Loss Prevention (DLP) for SMTP and webmail 

E-discovery 

Email system backup (e.g., stores mails on cloud provider 

infrastructure until customer systems restored 

IDS / IPS for the mail servers 

Digital signatures 

CHALLENGES 

Portability 

Storage 

Use of unauthorized webmail for business purposes 

Management of logs and access to logs 

Ensuring no access to emails by cloud provider staff 


SERVICES 

Includes: Content security, Antivirus/Anti-malware, 

Spam filtering, 

Email encryption, DLP for outbound 

email, Web mail, Anti-phishing 

Related Services: DLP, Web Security, 

Business Continuity 


SMTP (ESMTP, SMTPS), IMAP, POP, 

MIME, S/MIME, PGP 

Service Model: SaaS 



Phishing 

Intrusion 

Malware 

Spam 

Address spoofing 





http://www.eweek.com/c/a/Messaging-and- 

Collaboration/SAAS-Email-From-Google-Microsoft-Proves- 

Cost-Effective-For-Up-to-15K-Seats/ 

http://www.symanteccloud.com/datasheet/Technical_doc_ 

Ext_Web_Global.pdf 




Barracuda Networks 

Gmail for Domains (Google 

Apps) 

McAfee 

Message Labs / Symantec Cloud 

Microsoft Cloud Services 

Postini (Google) 

TrendMicro 

Zscaler Email Security 


Postini 

Symantec 

WebSense 



Category #5: Security Assessment 

Description: Security assessments are third-party audits of cloud services or assessments of onpremises 

systems via cloud-provided solutions based on industry standards. 

Traditional security assessments for infrastructure and applications and compliance audits are 

well defined and supported by multiple standards such as NIST, ISO, and CIS. A relatively 

mature toolset exists, and a number of tools have been implemented using the SaaS delivery 

model. In the SaaS delivery model, subscribers get the typical benefits of this cloud computing 

variant - elasticity, negligible setup time, low administration overhead, and pay-per-use with 

low initial investments. 

While not the focus of this effort, additional challenges arise when these tools are used to audit 

cloud environments. Multiple organizations, including the CSA, have been working on the 

guidelines to help organizations understand the additional challenges: 

• Virtualization awareness of the tool, frequently necessary for IaaS platform auditing 

• Support for common web frameworks in PaaS applications 

• Compliance Controls for IaaS, PaaS, and SaaS platforms 

• Standardized questionnaires for XaaS environments, that help address: 

o What should be tested in a cloud environment? 

o How does one assure data isolation in a multi-tenant environment? 

o What should appear in a typical infrastructure vulnerability report? Is it 

acceptable to use results provided by cloud provider? 

Class: Detective 


Governance — process by which policies are set and decision 

making is executed 

Risk Management — process for ensuring that important 

business processes and behaviors remain within the 

tolerances associated with those policies and decisions 

Compliance — process of adherence to policies and decisions. 

Policies can be derived from internal directives, procedures 

and requirements, or external laws, regulations, standards 

and agreements. 

Technical Compliance Audits - automated auditing of 

configuration settings in devices, operating systems, 

databases, and applications. 

Application Security Assessments - automated auditing of 

custom applications 

Vulnerability Assessments - automated probing of network 

devices, computers and applications for known 

vulnerabilities and configuration issues 

Penetration Testing - exploitation of vulnerabilities and 

configuration issues to gain access to a an environment, 

network or computer, typically requiring manual assistance 

Security / risk rating - assessment of the overall security / 

vulnerability of the systems being tested, e.g. based on the 

OWASP Risk Rating Methodology 

SERVICES 

Includes: Internal and / or external 

penetration test, Application 

penetration test, Host and guest 

assessments, Firewall / IPS (security 

components of the infrastructure) 

assessments, Virtual infrastructure 

assessment 

Related Services: Intrusion 

Management 


SCAP (FDCC), CVSS, CVE, CWE, 

SCAP, CYBEX 

Service Model: SaaS, PaaS, IaaS 







SI/EM Integration 

Physical security assessments 

CHALLENGES 

Standards are on different maturity levels in the various 

sections 

Certification & Accreditation 

Boundary definition for any assessments 

Skills of tester(s) / assessors 

Accuracy 

Inconsistent ratings from different individuals / vendors 

Typically limited to known vulnerabilities 


CSA Guidance: 

https://cloudsecurityalliance.org/research/projects/ 

https://cloudsecurityalliance.org/grcstack.html 

Gartner - GRC definition: 

http://blogs.gartner.com/french_caldwell/2010/01/12/wecome-to-kill-grc-not-to-praise-it/ 

NIST (800-146): 

http://csrc.nist.gov/publications/drafts/800-146/Draft- 

NIST-SP800-146.pdf 

http://www.owasp.org/images/5/56/OWASP_Testing_Gui 

de_v3.pdf 

ENISA Information Assurance: 

http://www.enisa.europa.eu/act/rm/files/deliverables/clo 

ud-computing-information-assurance-framework 

BSI Cornerstones cloud Computing (in German): 

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI 

/Mindestanforderungen/Eckpunktepapier- 

Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf 

CAMM-common-assurance.com 

http://objectsecurity-mds.blogspot.com/2009/06/modeldriven-security-accreditation.html 

http://www.oceg.org/ 


Inaccurate inventory 

Lack of continuous monitoring 

Lack of correlation information 

Lack of complete auditing 

Failure to meet/prove adherence 

to Regulatory/Standards 

Compliance 

Insecure / vulnerable 

configurations 

Insecure architectures 

Insecure processes / processes 

not being followed 




Agiliance 

Core Security 

Modulo 

Qualys 

Veracode 

WhiteHat 


Agiliance 

Archer 

Cenzic 

Core Security 

eEye 

HP 

Immunity 

Modulo 

nCircle 

Rapid7 

Saint 

Symantec 

Tenable 



Category #6: Intrusion Management 

Description: Intrusion Management is the process of using pattern recognition to detect and 

react to statistically unusual events. This may include reconfiguring system components in real 

time to stop / prevent an intrusion. 

The methods of intrusion detection, prevention, and response in physical environments are 

mature; however, the growth of virtualization and massive multi-tenancy is creating new 

targets for intrusion and raises many questions about the implementation of the same protection 

in cloud environments. 

Examples of how cloud-based Intrusion Management could be offered include: 

• Provided by the Cloud Service Provider 

• Provided by a third-party (routing traffic through a SecaaS) 

• Hybrid SaaS with third-party management and host-based or virtual appliances running 

in the cloud consumer's context 

Class: Detective, protective, reactive 

General 


Identification of intrusions and policy violations 

Automatic or manual remediation actions 

Coverage for: 

Workloads 

Virtualization Layer (VMM/Hypervisor) 

Management Plane 

Cloud and other APIs 

Updates to address new vulnerabilities, exploits and policies 

Network Security (NBA, NIPS/NIDS or HIPS/HIDS using 

network) 

Deep Packet Inspection using one or more of the following 

techniques: statistical, behavioral, signature, heuristic 

System/Behavioral 

One or more of: 

System Call Monitoring 

System/Application Log Inspection 

Integrity Monitoring OS (Files, Registry, Ports, Processes, 

Installed Software, etc) 

Integrity Monitoring VMM/Hypervisor 

VM Image Repository Monitoring 


SERVICES 

Includes: Packet Inspection, Detection, 

Prevention, IR 

Related Services: Web Security, Secure 

Cloud & Virtualization Security 


DPI, Event correlation and pattern 

recognition 

Service Model: SaaS, PaaS, IaaS 

CSA Domains (v2.1): 13 


Intrusion 

Malware 




Alert Logic Threat Manager 

Arbor Peakflow X 

Check Point - Security Gateway 

Virtual Edition 

Cloudleverage Cloud 

IPS/firewall 

 





Central Reporting 

SIEM Integration 

Administrator Notification 

Customization of policy (automatic or manual) 

Mapping to cloud-layer tenancy 

Cloud sourcing information to reduce false positives and 

improve coverage 

Remote storage or transmission of integrity information, to 

prevent local evasion 

General Challenges: 

CHALLENGES 

Proliferation of SSL required by deployment in public clouds 

adds complexity or blocks visibility to network-based IDS/IPS 

Complexity and immaturity of Intrusion Management for APIs 

Lack of tools to manage instance-to-instance relationships 

Wire speed with full malware / attack coverage performance 

not meeting expectations 

Specific to Cloud Consumers: 

Current lack of virtual SPAN ports in public cloud providers 

for typical deployment of NIDS or NBA 

Current lack of network-edge TAP interfaces for public cloud 

and virtual private cloud for typical deployment of NIPS 

Inability to utilize hypervisor (vSwitch/vNIC) introspection 

Latency, resiliency and bandwidth concerns with proxying 

network traffic through virtual appliances or 3rd party services 

Privacy concerns of service-based security 

Short lived instances (HIDS/HIPS logs can be lost) 

Performance limitations with network traffic in a shared 

environment 

Ownership / managing access to monitoring equipment and 

data 

Specific to Cloud Service Providers: 

Policy management in a multi-tenant environment 

Policy management for application-layer multi-tenancy (SaaS, 

some PaaS services such as Microsoft SQL Azure) 

Complexity of deployment and configuration 




Cymtec Scout 

eEye Digital Security Blink 

IBM Proventia 

McAfee - Host Intrusion 

Prevention 

Sourcefire - 3D System 

StoneGate - Virtual IPS 

Symantec Critical System 

Protection 

Symantec Endpoint Protection 

Trend Micro Deep Security 

Trend Micro Threat Detection 

Appliance 

TrustNet iTrust SaaS Intrusion 

Detection 

XO Enterprise Cloud Security 


AIDE 

CA-eTrust Intrusion Detection 

Check Point IPS 

Cerero - Top Layer IPS 

Cetacea Networks - OrcaFlow 

Cisco Guard / IPS 

Detector 

DeepNines - BBX 

e-Cop - Cyclops 

Enterasys - IPS 

HP S IPS 

Intrusion – SecureNet / Host 

iPolicy 

Juniper Networks IDP 

Lancope - StealthWatch 

McAfee - Network Intrusion 

Prevention 

OSSEC 

Q1 Labs - QRadar 

Radware - DefensePro 

Samhain 

SoftSphere Technologies HIPS 

StillSecure - Strata Guard 

StoneGate - IPS 

Suricata 

Symantec Network Security 

Cloud Security Alliance Guidance: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf 

NIST Guide to Intrusion Detection and Prevention Systems (IDPS): 

http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf 

Intrusion Detection: http://en.wikipedia.org/wiki/Intrusion_detection_system 

Intrusion Prevention: http://en.wikipedia.org/wiki/Intrusion_prevention_system 



Category #7: Security Information & Event Management (SIEM) 

Description: Security Information and Event Management (SIEM) systems accept (via push or 

pull mechanisms) log and event information. This information is then correlated and analyzed 

to provide real-time reporting and alerting on incidents / events that may require intervention. 

The logs are likely to be kept in a manner that prevents tampering to enable their use as 

evidence in any investigations. 

Class: Detective 


Real time log /event collection, de-duplication, 

normalization, aggregation and visualization 

Log normalization 

Real-time event correlation 

Forensics support 

Compliance reporting & support 

IR support 

Email anomaly detection 

Reporting 

Flexible data retention periods and policies management, 

compliance policy management) 


Heuristic controls 

Specialized systems 

Physical log monitoring 

Access control system monitoring 

Physical security integration (cameras, alarms, phone, etc.) 

Integration with call / ticketing system 

CHALLENGES 

Standardization of log formats 

Timing lag caused by translations from native log formats 

Unwillingness of providers to share logs 

Scaling for high volumes 

Identification and visualization of key information 

Usable, segregated by client interface 

REFERENCES 

http://www.darkreading.com/securitymonitoring/167901086/security/securitymanagement/228000206/cloud-creates-siem-blind-spot.html 

http://securecloudreview.com/2010/08/service-provider-oftomorrow-part-9-as-the-cloud-thrives-siem-will-suffer/ 


SERVICES 

Includes: Log management, Event 

correlation, Security/Incident response, 

Scalability, Log and Event Storage, 

Interactive searching and parsing of log 

data, Logs immutable (for legal 

investigations) 

Related Services: Architectural 

considerations, Compliance reporting, 

Software inventory, Non-traditional 

correlation, On-traditional monitoring, 

Database monitoring, Request 

fulfillment 


FIPS 140-2 compliant, Common Event 

Format (CEF), Common Event 

Expression (CEE), IF-MAP (TCG) 


CSA Domains (v2.1): 2, 3, 4, 5, 7, 9, 12 


Abuse and Nefarious Use 

Insecure Interfaces and APIs 

Malicious Insiders 

Shared Technology Issues 

Data Loss and Leakage 

Account or Service Hijacking 

Unknown Risk Profile 

Fraud 




REFERENCES 

http://en.wikipedia.org/wiki/Security_information_and_ev 

ent_management 

http://en.wikipedia.org/wiki/Security_event_manager 



AccellOps 

Alien Vault (OSSIM) 

ArcSight ESM 

eIQnetworks 

Loglogic 

netForensics nFX One 

Novell Cloud Security Services / 

E-Sentinel 

OSSIM 

Prelude-SIEM 

Q1 Labs 

Quest Software 

RSA/EMC enVision 

SenSage 

Solar Winds Log and Event 

Manager 

Splunk 


Category #8: Encryption 


Description: Encryption is the process of obfuscating/encoding data (usually referred to as 

plain text) using cryptographic algorithms the product of which is encrypted data (usually 

referred to as ciphertext). Only the intended recipient or system that is in possession of the 

correct key can decode (unencrypt) this ciphertext. In the case of one-way cryptographic 

functions, a digest or hash is created instead. 

Encryption systems typically consist of an algorithm(s) that are computationally difficult (or 

infeasible) to break, along with the processes and procedures to manage encryption and 

decryption, hashing, digital signatures, certificate generation and renewal, key exchange, etc. 

Each part is effectively useless without the other, e.g. the best algorithm is easy to “crack” if an 

attacker can access the keys due to weak processes. 

Class: Protective 


Data protection (at rest and in motion) 

Data validation 

Message Authentication 

Message/data integrity 

Data Time-stamping (digital notary) 

Identity validation (certificates to identify IT 

assets/endpoints) 

Code Signing 

Forgery detection 

Identity validation (digital signatures) 

Digital Fingerprinting 

Forensic protection (hashing of log files and evidence) 

Pseudorandom number generation 

Data Destruction (throw away the key!) 

Key/certificate generation and management 


Searching encrypted data 

Sorting encrypted data 

Identity based encryption 

Data integrity 

Mechanism to ensure secure removal of customer data when 

term / contract terminated 

Identity assurance (e.g., the parties involved are who they 

claim to be) 

CHALLENGES 

Risk of compromised keys 

Searching and/or sorting of encrypted data 


SERVICES 

Includes: VPN services, Encryption 

Key Management, Virtual Storage 

Encryption, Communications 

Encryption, Application Encryption, 

Database Encryption, digital 

signatures, Integrity validation 

Related Services: VM Architecture, 

Hardware protection, Software-based 

protection, remote access validation 


FIPS 140-2, IPSEC, SSL, Hashing, and 

algorithms , Symetric and Asymetric 

Cryptography 

Service Model: PaaS, SaaS, IaaS 



Failure to meet Regulatory 

Compliance requirements 

Mitigating insider and external 

threats to data 

Intercepted clear text network 

traffic 

Clear text data on stolen / 

disposed of hardware 

Reducing the risk or and 

potentially enabling crossborder 

business opportunities 




CHALLENGES 

Separation of duties between data owners, administrators 

and cloud service providers 

Legal issues 

Federated trust between providers 


http://www.eweek.com/c/a/Security/IBM-Uncovers- 

Encryption-Scheme-That-Could-Improve-Cloud-Security- 

Spam-Filtering-135413/ 

https://cloudsecurityalliance.org/csaguide.pdf 

“Implementing and Developing Cloud Computing 

Applications” by David E.Y. Sarna 

http://www.ctoedge.com/content/new-approach-enteprisedata-security-tokenization 

http://arstechnica.com/tech-policy/news/2009/09/yoursecrets-live-online-in-databases-of-ruin.ars 

CSA discussion forums : “The Illegality of Exporting 

Personal Data into the Cloud. Is the following Hypothesis the 

Answer? Does the following Hypothesis Handle the 

Objection?” http://www.linkedin.com/e/-njv39egmdp90wv- 

1m/vaq/23764306/1864210/36300812/view_disc/ 

“IETF RFC 5246”. The Transport Layer Security (TLS) 

Protocol Version 1.2: http://tools.ietf.org/rfc/rfc5246.txt 

“SP 800-57 Recommendation for Key Management” NIST, 

January 2011: http://csrc.nist.gov/publications/nistpubs/ 

800-57/sp800-57-Part1-revised2_Mar08-2007.pdf 

http://csrc.nist.gov/publications/nistpubs/800-57/SP800- 

57-Part2.pdf http://csrc.nist.gov/publications/nistpubs/800- 

57/sp800-57_PART3_key-management_Dec2009.pdf 

“SP 800-131A Transitions: Recommendation for Transitioning 

the Use of Cryptographic Algorithms and Key Lengths” 

NIST, January 2011: 

http://csrc.nist.gov/publications/nistpubs/800-131A/sp800- 

131A.pdf 

ISO/TR (2010). “ISO TR-14742:2010 Financial Services - 

Recommendations on Cryptographic Algorithms and their 

Use.” ISO. 

Ferguson, N., Schneier, B., and Kohno T., (2010). 

“Cryptography Engineering: Design Principles and Practical 

Applications.” New York: John Wiley and Sons. 


Reducing perceived risks and 

thus enabling Cloud's Adoption 

by government 




Credant 

Cypher Cloud 

enStratus 

Novaho 

Perpecsys 

ProtectV 

SecureCloud 

SurePassID 

Vormetric 


Crypo.com 

Sendinc 



Category #9: Business Continuity and Disaster Recovery 

Description: Business Continuity and Disaster Recovery are the measures designed and 

implemented to ensure operational resiliency in the event of any service interruptions. 

BCDR provides flexible and reliable failover for required services in the event of any service 

interruptions, including those caused by natural or man-made disasters or disruptions. Cloudcentric 

BCDR makes use of the cloud’s flexibility to minimize cost and maximize benefits. For 

example, a tenant could make use of low specification guest machines to replicate applications 

and data to the cloud, but with the provision to quickly ramp up the CPU and RAM, etc. of 

these machines in a BCDR scenario. 

Class: Reactive, Protective, Detective 


Flexible infrastructure 

Secure backup 

Monitored operations 

Third party service connectivity 

Replicated infrastructure components 

Replicated data (core / critical systems) 

Data and/or application recovery 

Alternate sites of operation 

Tested and measured processes and operations to ensure 

Geographically distributed data centers / infrastructure 

Network survivability 


Support for BC and DR compliance monitoring and/or 

reporting or testing flexible infrastructure 

Authorized post disaster privileged account management 

Enable DR Policy management (incl. authorization 

management, role management, compliance management) 

CHALLENGES 

Over-centralization of data 

Lack of approved and tested policies, processes, and 

procedures 

Legal constraints on transportation of data outside affected 

region 

Network connectivity failures 

Identification of Recovery Time Objectives / Recovery Point 

Objectives / SLAs 

Agreed definition between vendor and client of what DR / 

BCP means 

Security – Data in multiple locations 


SERVICES 

Includes: File recovery provider, File 

backup provider, Cold site, Warm site, 

Hot site, Insurance, Business partner 

agreements, Replication (e.g. 

Databases) 

Related Services: Fail-back to live 

systems, Encryption of data in transit, 

Encryption of data at rest, Field level 

encryption, Realm-based access control 


ISO/IEC 24762:2008, BS25999 

Service Model: IaaS, SaaS 



Natural disaster 

Fire 

Power outage 

Terrorism/sabotage 

Data corruption 

Data deletion 

Pandemic/biohazard 





NIST SP 800-34 

ISO/IEC-27031 

http://en.wikipedia.org/wiki/Disaster_recovery 

http://www.silicon.com/management/cioinsights/2010/09/30/cloud-computing-is-it-ready-fordisaster-recovery-39746406/ 

http://blogs.forrester.com/rachel_dines/11-08-29disaster_recovery_meet_the_cloud 

http://www.usenix.org/event/hotcloud10/tech/full_papers 

/Wood.pdf 




Atmos 

Decco 

Digital Parallels 

Quantix 

Rackspace 


IBM 

Iron Mountain 

Sunguard 



Category #10: Network Security 

Description: Network Security consists of security services that allocate access, distribute, 

monitor, and protect the underlying resource services. 

Architecturally, network security provides services that address security controls at the 

network in aggregate or specifically addressed at the individual network of each underlying 

resource. 

In a cloud / virtual environment network security is likely to be provided by virtual devices 

alongside traditional physical devices. Tight integration with the hypervisor to ensure full 

visibility of all traffic on the virtual network layer is key. 

Class: Detective, protective, reactive 


Data Threats 

Access Control Threats 

Access and Authentication controls 

Security Gateways (firewalls, WAF, SOA/API, VPN) 

Security Products (IDS/IPS, Server Tier Firewall, File 

Integrity Monitoring, DLP, Anti-Virus, Anti-Spam 

Security Monitoring and IR 

DoS protection/mitigation 

Secure “base services” like DNS and/or DNSSEC, DHCP, 

NTP, RAS, OAuth, SNMP, Management network 

segmentation and security 

Traffic / netflow monitoring 

Integration with Hypervisor layer 


Log correlation/ Secure and Immutable Logging 

Secure data encryption at rest 

Performance monitoring of the network 

Real-time alerting 

Change Management 

CHALLENGES 

Micro-borders (instead of traditional clearly defined network 

boundaries the borders between tenant networks can be 

dynamic and potentially blurred in a large scale virtual / 

cloud environment) 

Virtual Segmentation of Physical Servers 

Limited visibility of inter-VM traffic 


SERVICES 

Includes: Firewall (perimeter and 

server tier), Web application firewall, 

DDOS protection/mitigation, DLP, IR 

management, IDS / IPS 

Related Services: Identity and Access 

Management, Data Loss Prevention, 

Web Security, Intrusion Management, 

Security Information and Event 

Management, and Encryption 


Service Model: IaaS, SaaS, PaaS 

CSA Domains (v2.1): 7,8,9,10,13 


Data Threats 

Access Control Threats 

Application Vulnerabilities 

Cloud Platform Threats 

Regulatory, Compliance & Law 

Enforcement 




CHALLENGES 

Non-standard API’s 

Management of many virtual networks / VLAN in a complex 

environment – reliant on providers policies and procedures 

Separation of production and non-production environments 

Logical and Virtual Segregation of Customer 

Network/Systems/Data 


CSA 

Intel Cloud Security Reference Architecture: 

http://software.intel.com/en-us/articles/Cloud-Security- 

Reference-Architecture-Guide/ 

http://www.intel.com/content/dam/doc/referencearchitecture/cloud-computing-enhanced-cloud-securityhytrust-vmware-architecture.pdf 

ENISA Cloud Computing Risk Assessment: 

http://www.enisa.europa.eu/act/rm/files/deliverables/cl 

oud-computing-risk-assessment 




CloudFlare 

HP 

IBM 

Imperva - Incapsula 

McAfee 

Rackspace 

Stonesoft 

Symantec 


HP 

IBM 

McAfee 

Snort 

Symantec

Defined Categories of Service 2011 - Cloud Security Alliance

Create successful ePaper yourself

Delete template?

Save as template?