Defined Categories of Service 2011 - Cloud Security Alliance
Defined Categories of Service 2011 - Cloud Security Alliance
Defined Categories of Service 2011 - Cloud Security Alliance
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE <strong>2011</strong><br />
Category #5: <strong>Security</strong> Assessment<br />
Description: <strong>Security</strong> assessments are third-party audits <strong>of</strong> cloud services or assessments <strong>of</strong> onpremises<br />
systems via cloud-provided solutions based on industry standards.<br />
Traditional security assessments for infrastructure and applications and compliance audits are<br />
well defined and supported by multiple standards such as NIST, ISO, and CIS. A relatively<br />
mature toolset exists, and a number <strong>of</strong> tools have been implemented using the SaaS delivery<br />
model. In the SaaS delivery model, subscribers get the typical benefits <strong>of</strong> this cloud computing<br />
variant - elasticity, negligible setup time, low administration overhead, and pay-per-use with<br />
low initial investments.<br />
While not the focus <strong>of</strong> this effort, additional challenges arise when these tools are used to audit<br />
cloud environments. Multiple organizations, including the CSA, have been working on the<br />
guidelines to help organizations understand the additional challenges:<br />
• Virtualization awareness <strong>of</strong> the tool, frequently necessary for IaaS platform auditing<br />
• Support for common web frameworks in PaaS applications<br />
• Compliance Controls for IaaS, PaaS, and SaaS platforms<br />
• Standardized questionnaires for XaaS environments, that help address:<br />
o What should be tested in a cloud environment?<br />
o How does one assure data isolation in a multi-tenant environment?<br />
o What should appear in a typical infrastructure vulnerability report? Is it<br />
acceptable to use results provided by cloud provider?<br />
Class: Detective<br />
CORE FUNCTIONALITIES<br />
Governance — process by which policies are set and decision<br />
making is executed<br />
Risk Management — process for ensuring that important<br />
business processes and behaviors remain within the<br />
tolerances associated with those policies and decisions<br />
Compliance — process <strong>of</strong> adherence to policies and decisions.<br />
Policies can be derived from internal directives, procedures<br />
and requirements, or external laws, regulations, standards<br />
and agreements.<br />
Technical Compliance Audits - automated auditing <strong>of</strong><br />
configuration settings in devices, operating systems,<br />
databases, and applications.<br />
Application <strong>Security</strong> Assessments - automated auditing <strong>of</strong><br />
custom applications<br />
Vulnerability Assessments - automated probing <strong>of</strong> network<br />
devices, computers and applications for known<br />
vulnerabilities and configuration issues<br />
Penetration Testing - exploitation <strong>of</strong> vulnerabilities and<br />
configuration issues to gain access to a an environment,<br />
network or computer, typically requiring manual assistance<br />
<strong>Security</strong> / risk rating - assessment <strong>of</strong> the overall security /<br />
vulnerability <strong>of</strong> the systems being tested, e.g. based on the<br />
OWASP Risk Rating Methodology<br />
SERVICES<br />
Includes: Internal and / or external<br />
penetration test, Application<br />
penetration test, Host and guest<br />
assessments, Firewall / IPS (security<br />
components <strong>of</strong> the infrastructure)<br />
assessments, Virtual infrastructure<br />
assessment<br />
Related <strong>Service</strong>s: Intrusion<br />
Management<br />
Related Technologies and Standards:<br />
SCAP (FDCC), CVSS, CVE, CWE,<br />
SCAP, CYBEX<br />
<strong>Service</strong> Model: SaaS, PaaS, IaaS<br />
CSA Domains (v2.1): 2, 4<br />
Continued on the following page…<br />
Copyright © <strong>2011</strong> <strong>Cloud</strong> <strong>Security</strong> <strong>Alliance</strong> 16