Defined Categories of Service 2011 - Cloud Security Alliance

More documents

Recommendations

Info

CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011 Category #5: Security Assessment Description: Security assessments are third-party audits of cloud services or assessments of onpremises systems via cloud-provided solutions based on industry standards. Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO, and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model. In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant - elasticity, negligible setup time, low administration overhead, and pay-per-use with low initial investments. While not the focus of this effort, additional challenges arise when these tools are used to audit cloud environments. Multiple organizations, including the CSA, have been working on the guidelines to help organizations understand the additional challenges: • Virtualization awareness of the tool, frequently necessary for IaaS platform auditing • Support for common web frameworks in PaaS applications • Compliance Controls for IaaS, PaaS, and SaaS platforms • Standardized questionnaires for XaaS environments, that help address: o What should be tested in a cloud environment? o How does one assure data isolation in a multi-tenant environment? o What should appear in a typical infrastructure vulnerability report? Is it acceptable to use results provided by cloud provider? Class: Detective CORE FUNCTIONALITIES Governance — process by which policies are set and decision making is executed Risk Management — process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions Compliance — process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements. Technical Compliance Audits - automated auditing of configuration settings in devices, operating systems, databases, and applications. Application Security Assessments - automated auditing of custom applications Vulnerability Assessments - automated probing of network devices, computers and applications for known vulnerabilities and configuration issues Penetration Testing - exploitation of vulnerabilities and configuration issues to gain access to a an environment, network or computer, typically requiring manual assistance Security / risk rating - assessment of the overall security / vulnerability of the systems being tested, e.g. based on the OWASP Risk Rating Methodology SERVICES Includes: Internal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment Related Services: Intrusion Management Related Technologies and Standards: SCAP (FDCC), CVSS, CVE, CWE, SCAP, CYBEX Service Model: SaaS, PaaS, IaaS CSA Domains (v2.1): 2, 4 Continued on the following page… Copyright © 2011 Cloud Security Alliance 16
Continued from the previous page… CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011 OPTIONAL FEATURES SI/EM Integration Physical security assessments CHALLENGES Standards are on different maturity levels in the various sections Certification & Accreditation Boundary definition for any assessments Skills of tester(s) / assessors Accuracy Inconsistent ratings from different individuals / vendors Typically limited to known vulnerabilities REFERENCES / ADDITIONAL RESOURCES CSA Guidance: https://cloudsecurityalliance.org/research/projects/ https://cloudsecurityalliance.org/grcstack.html Gartner - GRC definition: http://blogs.gartner.com/french_caldwell/2010/01/12/wecome-to-kill-grc-not-to-praise-it/ NIST (800-146): http://csrc.nist.gov/publications/drafts/800-146/Draft- NIST-SP800-146.pdf http://www.owasp.org/images/5/56/OWASP_Testing_Gui de_v3.pdf ENISA Information Assurance: http://www.enisa.europa.eu/act/rm/files/deliverables/clo ud-computing-information-assurance-framework BSI Cornerstones cloud Computing (in German): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI /Mindestanforderungen/Eckpunktepapier- Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf CAMM-common-assurance.com http://objectsecurity-mds.blogspot.com/2009/06/modeldriven-security-accreditation.html http://www.oceg.org/ THREATS ADDRESSED Inaccurate inventory Lack of continuous monitoring Lack of correlation information Lack of complete auditing Failure to meet/prove adherence to Regulatory/Standards Compliance Insecure / vulnerable configurations Insecure architectures Insecure processes / processes not being followed REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list) Cloud Agiliance Core Security Modulo Qualys Veracode WhiteHat Non-Cloud Agiliance Archer Cenzic Core Security eEye HP Immunity Modulo nCircle Rapid7 Saint Symantec Tenable Copyright © 2011 Cloud Security Alliance 17
Page 1 and 2: Defined Categories of Service 2011
Page 3 and 4: Table of Contents CLOUD SECURITY AL
Page 5 and 6: Acknowledgments Co-chairs Kevin Fie
Page 7 and 8: Executive Summary CLOUD SECURITY AL
Page 9 and 10: Continued from the previous page…
Page 15: Continued from the previous page…
Page 27: Continued from the previous page…

Defined Categories of Service 2011 - Cloud Security Alliance

Create successful ePaper yourself

Delete template?

Save as template?