Defined Categories of Service 2011 - Cloud Security Alliance

More documents

Recommendations

Info

CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011 Category #2: Data Loss Prevention Description: Data Loss Prevention is the monitoring, protecting, and verifying the security of data at rest, in motion and in use both in the cloud and on-premises. DLP services offer protection of data usually by running as some sort of client on desktops / servers and running rules around what can be done. Where these differ from broad rules like “No FTP” or “No uploads” to web sites, etc. is the level to which the services understand data. A few examples of policies you can specify are “No documents with numbers that look like credit cards can be emailed,” “Anything saved to USB storage is automatically encrypted and can only be unencrypted on another office owned machine with a correctly installed DLP client,” and “Only clients with functioning DLP software can open files from the fileserver,” etc. Within the cloud, DLP services could be offered as something that is provided as part of the build, such that all servers built for that client get the DLP software installed with an agreed set of rules deployed. Class: Preventative CORE FUNCTIONALITIES Data labeling and classification Identification of Sensitive Data Predefined policies for major regulatory statues Context Detection Heuristics Structured Data Matching (data-at-rest) SQL regular expression detection Traffic Spanning (data-in-motion) detection Real Time User Awareness Security Level Assignment Custom Attribute Lookup Automated Incident Response Signing of Data Cryptographic data protection and access control Machine readable policy language OPTIONAL FEATURES Rate domains Smart Response (integrated remediation workflow) Automated event escalation Automated false positive signature compensation Unstructured Data Matching File / directory integrity via hashing Integration with Intrusion Detection Systems Multiple Language Pack Data privacy Chain of evidence services to support investigations and prosecutions Continued on the following page… SERVICES Includes: Encryption, Meta-data tagging, Data Identification, Multilingual fingerprinting, Data leakage detection, Policy management and classification, Transparent data encryption, Policy controlled data access, storage and transportation, Dynamic data masking Related Services: IAM Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), ESG Service Model: SaaS, PaaS THREATS ADDRESSED Data loss/leakage Unauthorized access Malicious compromises of data integrity Data sovereignty issues Regulatory sanctions and fines Copyright © 2011 Cloud Security Alliance 10
Continued from the previous page… CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011 CHALLENGES Data may be stolen from the datacenter virtually or even physically Data could be misused by the datacenter operator or others employees with access Compliance requires certifying cloud stack at all levels repeatedly Data sovereignty issues reduce customer rights with regard to governments Encrypted Data Performance when analyzing and monitoring large / heavily accessed data sets False negatives / false positives (tuning) Rule base may be complex to manage Outside of ‘known’ items such as credit card numbers and social security numbers, data can only be classified with detailed input from the end user Lack of data classification standards Ensuring customer data segregation when multiple tenants present REFERENCES REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list) Cloud BlueCoat IBM Imperva Oracle Reconnex RSA Symantec/Vontu WebSens Zscaler Non-Cloud Digital Guardian Palisade Systems PacketSure Symantec Protection Suite Enterprise Edition http://www.technewsworld.com/story/66562.html http://www.datalossbarometer.com/14945.htm http://community.websense.com/blogs/websense-media-coverage/archive/2010/07/20/channelinsider-websense-plans-to-tap-microsoft-channel-cloud-dlp-innovatin-in-the-present-and-future.aspx http://www.asiacloudforum.com/content/vmmare-embeds-rsa-dlp-virtual-environments http://searchsecuritychannel.techtarget.com/news/1374080/Partner-Engage-2009-VARs-dish-on-DLPimplementation-and-the-cloud http://infinite-identities.blogspot.com/2009/12/next-cloud-security-frontier-dlp-for.html Copyright © 2011 Cloud Security Alliance 11
Page 1 and 2: Defined Categories of Service 2011
Page 3 and 4: Table of Contents CLOUD SECURITY AL
Page 5 and 6: Acknowledgments Co-chairs Kevin Fie
Page 7 and 8: Executive Summary CLOUD SECURITY AL
Page 9: Continued from the previous page…
Page 13 and 14: Continued from the previous page…
Page 27: Continued from the previous page…

Defined Categories of Service 2011 - Cloud Security Alliance

Create successful ePaper yourself

Delete template?

Save as template?