
SecaaS V1.0: Defined Categories of Service 2011
CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011
Introduction
The permanent and official location for the Cloud Security Alliance Security as a Service
research is:
https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/
© 2011 Cloud Security Alliance.
All rights reserved. You may download, store, display on your computer, view, print, and link
to the Cloud Security Alliance “Security as a Service” at https://cloudsecurityalliance.org/wpcontent/uploads/2011/09/SecaaS_V1_0.pdf subject to the following: (a) the Guidance may be
used solely for your personal, informational, non-commercial use; (b) the Guidance may not be
modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the
trademark, copyright or other notices may not be removed. You may quote portions of the
Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided
that you attribute the portions to the Cloud Security Alliance “Security as a Service” Version 1.0
(2011).
Copyright © 2011 Cloud Security Alliance
2
CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011
Table of Contents
Introduction
Foreword
Acknowledgments
Executive Summary
Category 1: Identity and Access Management
Category 2: Data Loss Prevention
Category 3: Web Security
Category 4: Email Security
Category 5: Security Assessments
Category 6: Intrusion Management
Category 7: Security Information and Event Management (SIEM)
Category 8: Encryption
Category 9: Business Continuity and Disaster Recovery
Category 10: Network Security
Foreword
Welcome to the Cloud Security Alliance’s “Security as a Service,” Version 1.0. This is one of
many research deliverables CSA will release in 2011.
There is currently a lot of work regarding the security of the cloud and data in the cloud, but
until now there has been limited research into the provision of security services in an elastic
cloud model that scales as the client requirements change. This paper is the initial output from
research into how security can be provided as a service (SecaaS).
Also, we encourage you to download and review our flagship research, “Security Guidance for
Critical Areas of Focus in Cloud Computing,” which you can download at:
http://www.cloudsecurityalliance.org/guidance
Best Regards,
Jerry Archer
Alan Boehme
Dave Cullinane
Nils Puhlmann
Paul Kurtz
Jim Reavis
The Cloud Security Alliance Board of Directors
Acknowledgments
Co-chairs
Kevin Fielder: GE, Cameron Smith: Zscaler
Working Group Leaders
Runa Desai Delal: Agama Consulting, Ulrich Lang: ObjectSecurity, Atul Shah: Microsoft, Aaron Bryson:
Cisco, Mark Hahn: TCB Technologies, Wolfgang Kandek: Qualys, John Hearton: Secure Mission
Solutions, Justin Foster: Trend Micro, Ben Chung: HP, Jens Laundrup: Emagined Security, Geoff Webb:
Credant Technologies, Kevin Fielder: GE, Cameron Smith: Zscaler, Ken Owens: Savvis
Steering Committee
Scott Chasin: McAfee, Kevin Fielder: GE Global, Patrick Harding: Ping Identity, John Hearton: Secure
Mission Solutions, Bernd Jager: Colt, Joe Knape: AT&T, Marlin Pohlman: EMC, Jim Reavis: Cloud
Security Alliance, Archie Reed: HP, J.R. Santos: Cloud Security Alliance, Cameron Smith: Zscaler,
Michael Sutton: Zscaler, Brian Todd: ING
SecaaS Members
Lenin Aboagye: Apollo Group Inc., Ravikanth Anisingaraju: Nexus Informatics, Dave Asprey: Trend
Micro, Karim Benzidane, Aaron Bryson: Cisco, Ben Chung: HP, Joel Cort: Xerox, Ricardo Costa: ESTG,
Runa Desai Dalal: Agama Consulting, Jeff Finch: Interoute, Justin Foster: Trend Micro, Matthew
Gardiner: CA Technologies, Suptrotik Ghose: Microsoft, Mark Hahn: TCB Technologies, Jeff Huegel:
AT&T, Wolfgang Kandek: Qualys, Tuhin Kumar, Vijay Kumar Teki: HCL Technologies, Taiye Lambo:
eFortresses, Jens Laundrup: Emagined Security, David Lingenfelter: Fiberlink, Drew Maness:
Technicolor, Ken Owens: Savvis, Naynesh Patel: Simeio Solutions, Mike Qu, Kanchanna Ramasamy
Balraj, Atul Shah: Microsoft, Said Tabet: EMC, Hassan Takabi: University of Pittsburgh, Danielito
Vizcayno: E*Trade, Geoff Webb: Credant Technologies, Arnold Webster: EC-Council University, Nick
Yoo: McKesson Corp.
Contributors
Jim Beadel: AT&T, Cheng-Yin Lee: CSA, Jie Wang: Converging Stream Technologies, Inc, Kapil
Assudani: HCSC, Valmiki Mukherjee: (ISC)2, JP Morgenthal: Smartronix Cloud Security Alliance DC
Chapter, Vladimir Jirasek: Nokia, Amol Godbole: Cisco Systems, Tuhin Kumar: Oracle Corp., Martin
Lee: Symantec.cloud, Andrey Dulkin: Cyber-Ark Software, John Hearton: Secure Mission Solutions,
Nandakumar: Novell, Bernd Jaeger: Colt Technology Services, Tyson Macaulay: Bell Canada, Lenin
Aboagye: Apollo Group, David Treece: Edgile, Benzidane Karim: NTIQual, Atul Shah: Microsoft, Mark
Hahn: TCB Technologies, Inc., Bradley Anstis: M86 Security, JD Hascup: Weyerhaeuser, Balaji
Ramamoorthy: TCG, Hassan Takabi: University of Pittsburgh, Henry St. Andre: inContact, Faud Khan:
TwelveDot, Inc., MS Prasad: Rediffmail, Gaurav Godhwani: Student, Ang Puay Young, Singapore
Ministry of Health Holdings, Ted Skinner, Harris Corporation
CSA Staff
Jim Reavis: Executive Director, J.R. Santos: Research Director, John Yeoh: Research Analyst, Amy Van
Antwerp: Technical Writer/Editor, Kendall Scoboria: Graphic Designer, Evan Scoboria: Web Developer
Executive Summary
Cloud Computing represents one of the most significant shifts in information technology many
of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility
has great potential, promising innovations we cannot yet imagine.
Customers are both excited and nervous at the prospects of Cloud Computing. They are excited
by the opportunities to reduce capital costs. They are excited for a chance to divest
infrastructure management and focus on core competencies. Most of all, they are excited by the
agility offered by the on-demand provisioning of computing resources and the ability to align
information technology with business strategies and needs more readily. However, customers
are also very concerned about the security risks of Cloud Computing and the loss of direct
control over the security of systems for which they are accountable. Vendors have attempted to
satisfy this demand for security by offering security services in a cloud platform, but because
these services take many forms, they have caused market confusion and complicated the
selection process. This has led to limited adoption of cloud based security services thus far.
However, the future looks bright for SecaaS, with Gartner predicting that cloud-based security
service use will more than triple in many segments by 2013.
To aid both cloud customers and cloud providers, CSA has embarked on a new research project
to provide greater clarity on the area of Security as a Service. Security as a Service refers to the
provision of security applications and services via the cloud either to cloud-based infrastructure
and software or from the cloud to the customers’ on-premise systems. This will enable
enterprises to make use of security services in new ways, or in ways that would not be cost
effective if provisioned locally.
Numerous security vendors are now leveraging cloud-based models to deliver security
solutions. This shift has occurred for a variety of reasons, including greater economies of scale
and streamlined delivery mechanisms. Consumers are increasingly faced with evaluating
security solutions that do not run on-premises. Consumers need to understand the unique
nature of cloud-delivered security offerings so they can evaluate the offerings and understand if
they will meet their needs.
Based on survey results collected from prominent consumers of cloud services, the following
security service categories are of most interest to experienced industry consumers and security
professionals:
• Identity and Access Management (IAM)
• Data Loss Prevention (DLP)
• Web Security
• Email Security
• Security Assessments
• Intrusion Management
• Security Information and Event Management (SIEM)
• Encryption
• Business Continuity and Disaster Recovery
• Network Security
Category #1: Identity and Access Management (IAM)
Description: Identity and Access Management (IAM) should provide controls for assured
identities and access management.
IAM includes people, processes, and systems that are used to manage access to enterprise
resources by assuring the identity of an entity is verified and is granted the correct level of access
based on this assured identity. Audit logs of activity such as successful and failed authentication
and access attempts should be kept by the application / solution.
Class: Protective/Preventative

SERVICES
CORE FUNCTIONALITIES
• Provisioning/de-provisioning of accounts (of both cloud & on-premise applications and resources)
• Authentication (multiple forms and factors)
• Directory services
• Directory synchronization (multilateral as required)
• Federated SSO
• Web SSO (e.g. granular access enforcement & session management - different from Federated SSO)
• Authorization (both user and application/system)
• Authorization token management and provisioning
• User profile & entitlement management (both user and application/system)
• Support for policy & regulatory compliance monitoring and/or reporting
• Federated Provisioning of Cloud Applications
• Self-Service request processing, like password reset, setting up challenge questions, request for role/resource etc.
• Privileged user management/privileged user password management
• Policy management (incl. authorization management, role management, compliance policy management)
• Role Based Access Controls (RBAC) (where supported by the underlying system/service)
OPTIONAL FEATURES
• Support for DLP
• Granular Activity Auditing broken down by individual
• Segregation of duties based on identity entitlement
• Compliance-centric reporting
Includes: User Centric ID Provider, Federated IDs, Web-SSO, Identity Provider, Authorization Management Policy Provider, Electronic Signature, Device Signature, User Managed Access
Related Services: DLP, SIEM
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federated Services (ADFS2), WS-Federation
Service Model: SaaS, PaaS
CSA Domains (v2.1): 4, 12
THREATS ADDRESSED
• Identity theft
• Unauthorized access
• Privilege escalation
• Insider threat
• Non-repudiation
• Excess privileges / excessive access
• Delegation of authorizations / entitlements
• Fraud
CHALLENGES
• Lack of standards and vendor lock-in
• Identity theft
• Unauthorized access
• Privilege escalation
• Insider threat
• Non-Repudiation
• Least privilege / need-to-know
• Segregation of administrative (provider) vs. end user (client) interface and access
• Delegation of authorizations/entitlements
• Attacks on Identity Services such as DDoS
• Eavesdropping on Identity Service messaging (Non-Repudiation)
• Password management (communication, retrieval) – different requirements across clients
• Resource hogging with unauthorized provisioning
• Complete removal of identity information at the end of the life cycle
• Real-time provisioning and de-provisioning
• Lack of interoperable representation of entitlement information
• Dynamic trust propagation and development of trusted relationships among service providers
• Transparency: security measures must be available to the customers to gain their trust
• Developing a user centric access control where user requests to service providers are bundled with their identity and entitlement information
• Interoperability with existing IT systems and existing solutions with minimum changes
• Dynamically scale up and down; scale to hundreds of millions of transactions for millions of identities and thousands of connections in a reasonable time
• Privacy preservation across multiple tenants
• Multi-jurisdictional regulatory requirements
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
• CA Arcot Webfort
• CyberArk Software Privileged Identity Manager
• Novell Cloud Security Services
• ObjectSecurity OpenPMF (authorization policy automation, for private cloud only)
• Symplified
Non-Cloud
• Novell Identity Manager
• Oracle Identity Manager
• Oracle Access Manager Suite
REFERENCES / ADDITIONAL RESOURCES
• https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
• CSA Silicon Valley cloud authorization policy automation presentation: http://www.objectsecurity.com/en-resources-video-20110208-webinar-79898734.htm (Alternate download: http://www.objectsecurity.com/en-contact-resources.html)
Category #2: Data Loss Prevention
Description: Data Loss Prevention is the monitoring, protecting and verifying of the security of
data at rest, in motion and in use, both in the cloud and on-premises.
DLP services usually protect data by running as some sort of client on desktops / servers and
enforcing rules around what can be done with it. Where these differ from broad rules like
“No FTP” or “No uploads to web sites,” etc. is the level to which the services understand the data.
A few examples of policies you can specify are “No documents with numbers that look like
credit cards can be emailed,” “Anything saved to USB storage is automatically encrypted and
can only be decrypted on another office-owned machine with a correctly installed DLP
client,” and “Only clients with functioning DLP software can open files from the fileserver.”
Within the cloud, DLP services could be offered as something that is provided as part of the
build, such that all servers built for that client get the DLP software installed with an agreed set
of rules deployed.
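As an added example that is not part of the CSA paper, the following Python sketch implements the first policy quoted above (“No documents with numbers that look like credit cards can be emailed”): a regular-expression candidate match followed by a Luhn check, which is the tuning step that separates real card numbers from look-alike order or ticket numbers and so addresses the false-positive challenge listed for this category. The function names, the block threshold and the sample messages are all constructed here.

```python
"""Minimal outbound-email DLP rule: flag credit-card-like numbers.

The regular expression finds candidates (13-19 digits, optionally grouped by
spaces or dashes); the Luhn mod-10 check confirms them, so a 16-digit order
number that happens to match the pattern is not reported.
"""
import re
from dataclasses import dataclass, field

# Candidate primary account numbers: 13-19 digits with optional single
# space/dash separators, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit-only form of every candidate that passes Luhn."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so the incident record is not itself a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Verdict:
    action: str                                        # "allow" or "block"
    matches: list[str] = field(default_factory=list)   # masked card numbers


def evaluate_outbound_email(body: str, block_threshold: int = 1) -> Verdict:
    """Apply the policy: block any outbound email containing >= threshold card numbers."""
    pans = find_card_numbers(body)
    action = "block" if len(pans) >= block_threshold else "allow"
    return Verdict(action=action, matches=[mask(p) for p in pans])


if __name__ == "__main__":
    # Constructed sample messages; 4111... and 5500... are well-known test numbers.
    for sample in (
        "Please charge 4111 1111 1111 1111 and 5500 0000 0000 0004.",
        "Ticket 1234567890123456 opened, see attached report.",
    ):
        print(evaluate_outbound_email(sample))
```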
Class: Preventative
SERVICES
CORE FUNCTIONALITIES
• Data labeling and classification
• Identification of Sensitive Data
• Predefined policies for major regulatory statutes
• Context Detection Heuristics
• Structured Data Matching (data-at-rest)
• SQL regular expression detection
• Traffic Spanning (data-in-motion) detection
• Real Time User Awareness
• Security Level Assignment
• Custom Attribute Lookup
• Automated Incident Response
• Signing of Data
• Cryptographic data protection and access control
• Machine readable policy language
OPTIONAL FEATURES
• Rate domains
• Smart Response (integrated remediation workflow)
• Automated event escalation
• Automated false positive signature compensation
• Unstructured Data Matching
• File / directory integrity via hashing
• Integration with Intrusion Detection Systems
• Multiple Language Pack
• Data privacy
• Chain of evidence services to support investigations and prosecutions
Includes: Encryption, Meta-data tagging, Data Identification, Multilingual fingerprinting, Data leakage detection, Policy management and classification, Transparent data encryption, Policy controlled data access, storage and transportation, Dynamic data masking
Related Services: IAM
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), ESG
Service Model: SaaS, PaaS
THREATS ADDRESSED
• Data loss/leakage
• Unauthorized access
• Malicious compromises of data integrity
• Data sovereignty issues
• Regulatory sanctions and fines
CHALLENGES
• Data may be stolen from the datacenter virtually or even physically
• Data could be misused by the datacenter operator or other employees with access
• Compliance requires certifying cloud stack at all levels repeatedly
• Data sovereignty issues reduce customer rights with regard to governments
• Encrypted Data
• Performance when analyzing and monitoring large / heavily accessed data sets
• False negatives / false positives (tuning)
• Rule base may be complex to manage
• Outside of ‘known’ items such as credit card numbers and social security numbers, data can only be classified with detailed input from the end user
• Lack of data classification standards
• Ensuring customer data segregation when multiple tenants present
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
• BlueCoat
• IBM
• Imperva
• Oracle
• Reconnex
• RSA
• Symantec/Vontu
• Websense
• Zscaler
Non-Cloud
• Digital Guardian
• Palisade Systems PacketSure
• Symantec Protection Suite Enterprise Edition
REFERENCES
• http://www.technewsworld.com/story/66562.html
• http://www.datalossbarometer.com/14945.htm
• http://community.websense.com/blogs/websense-media-coverage/archive/2010/07/20/channelinsider-websense-plans-to-tap-microsoft-channel-cloud-dlp-innovatin-in-the-present-and-future.aspx
• http://www.asiacloudforum.com/content/vmmare-embeds-rsa-dlp-virtual-environments
• http://searchsecuritychannel.techtarget.com/news/1374080/Partner-Engage-2009-VARs-dish-on-DLPimplementation-and-the-cloud
• http://infinite-identities.blogspot.com/2009/12/next-cloud-security-frontier-dlp-for.html
Category #3: Web Security
Description: Web Security is real-time protection offered either on-premise through
software/appliance installation or via the cloud by proxying or redirecting web traffic to the
cloud provider.
This provides an added layer of protection on top of things like AV to prevent malware from
entering the enterprise via activities such as web browsing. Policy rules around the types of
web access and the times this is acceptable can also be enforced via these technologies.
Class: Protective, detective, reactive

SERVICES
CORE FUNCTIONALITIES
• Web Filtering
• Malware, Spyware & Bot Network analyzer and blocking
• Phishing site blocker
• Instant Messaging Scanning
• Email Security
• Bandwidth management/traffic control
• Data Loss Prevention
• Fraud Prevention
• Web Access Control
• Backup
• SSL (decryption / hand off)
• Usage policy enforcement
OPTIONAL FEATURES
• Rate domains
• Categorize websites by URL/IP address
• Rate sites by user requests
• Transparent updating of user mistakes
• Categorize and rate websites as needed
• Categorize websites for policy enforcement
• Recognize multiple languages
• Categorize top-level domains
• Block downloads with spoofed file extensions
• Strip potential spyware downloads from high-risk sites
Includes: Email Server, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management, Anti-phishing
Related Services: Firewalls, Proxy, DLP, Email Security
Related Technologies and Standards: HTTP/HTTPS, RuleML, XML, PHP, anti-virus
Service Model: SaaS, PaaS
CSA Domains (v2.1): 5, 10
THREATS ADDRESSED
• Keyloggers
• Domain Content
• Malware
• Spyware
• Bot Network
• Phishing
• Virus
• Bandwidth consumption
• Data Loss Prevention
• Spam
CHALLENGES
• Constantly evolving threats
• Insider circumvention of web security
• Compromise of the web filtering service by proxy
• Potentially higher cost of real time monitoring
• Lack of features vs. premise based solutions
• Lack of policy granularity and reporting
• Relinquishing control
• Encrypted traffic
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
• BlueCoat
• RSA
• TrendMicro
• Websense
• Zscaler
Non-Cloud
• Barracuda
• BlueCoat
• Cisco
• McAfee
• Symantec
• Watchguard
REFERENCES / ADDITIONAL RESOURCES
• http://www.technewsworld.com/story/66562.html
• BT case study: http://www.globalservices.bt.com/static/assets/pdf/case_studies/EN_NEW/edinburgh_cc_web_security_case_study.pdf
• W3C Web Security FAQ: http://www.w3.org/Security/Faq/
• OWASP: https://www.owasp.org/index.php/Main_Page
Category #4: Email Security
Description: Email Security should provide control over inbound and outbound email, thereby
protecting the organization from phishing and malicious attachments, enforcing corporate policies
such as acceptable use and spam, and providing business continuity options.
In addition, the solution should allow for policy-based encryption of emails, as well as
integrating with various email server solutions.
Digital signatures enabling identification and non-repudiation are also features of many email
security solutions.
Class: Protective, detective, reactive

SERVICES
CORE FUNCTIONALITIES
• Accurate filtering to block spam and phishing
• Deep protection against viruses and spyware before they enter the enterprise perimeter
• Flexible policies to define granular mail flow and encryption
• Rich, interactive and correlated real-time reporting
• Deep content scanning to enforce policies
• Option to encrypt some / all emails based on policy
• Integration with various email server solutions
OPTIONAL FEATURES
• Secure archiving
• Web-mail interface
• Full integration with in-house identity system (LDAP, Active Directory, etc.)
• Mail encryption, signing & time-stamping
• Flexible integration
• Data Loss Prevention (DLP) for SMTP and webmail
• E-discovery
• Email system backup (e.g., stores mails on cloud provider infrastructure until customer systems are restored)
• IDS / IPS for the mail servers
• Digital signatures
Includes: Content security, Anti-virus/Anti-malware, Spam filtering, Email encryption, DLP for outbound email, Web mail, Anti-phishing
Related Services: DLP, Web Security, Business Continuity
Related Technologies and Standards: SMTP (ESMTP, SMTPS), IMAP, POP, MIME, S/MIME, PGP
Service Model: SaaS
CSA Domains (v2.1): 3, 5
THREATS ADDRESSED
• Phishing
• Intrusion
• Malware
• Spam
• Address spoofing
CHALLENGES
• Portability
• Storage
• Use of unauthorized webmail for business purposes
• Management of logs and access to logs
• Ensuring no access to emails by cloud provider staff
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
• Barracuda Networks
• Gmail for Domains (Google Apps)
• McAfee
• Message Labs / Symantec Cloud
• Microsoft Cloud Services
• Postini (Google)
• TrendMicro
• Zscaler Email Security
Non-Cloud
• Postini
• Symantec
• WebSense
REFERENCES / ADDITIONAL RESOURCES
• http://www.eweek.com/c/a/Messaging-andCollaboration/SAAS-Email-From-Google-Microsoft-ProvesCost-Effective-For-Up-to-15K-Seats/
• http://www.symanteccloud.com/datasheet/Technical_doc_Ext_Web_Global.pdf
Category #5: Security Assessment
Description: Security assessments are third-party audits of cloud services or assessments of on-premises systems via cloud-provided solutions based on industry standards.
Traditional security assessments for infrastructure and applications and compliance audits are
well defined and supported by multiple standards such as NIST, ISO, and CIS. A relatively
mature toolset exists, and a number of tools have been implemented using the SaaS delivery
model. In the SaaS delivery model, subscribers get the typical benefits of this cloud computing
variant - elasticity, negligible setup time, low administration overhead, and pay-per-use with
low initial investments.
While not the focus of this effort, additional challenges arise when these tools are used to audit
cloud environments. Multiple organizations, including the CSA, have been working on the
guidelines to help organizations understand the additional challenges:
• Virtualization awareness of the tool, frequently necessary for IaaS platform auditing
• Support for common web frameworks in PaaS applications
• Compliance Controls for IaaS, PaaS, and SaaS platforms
• Standardized questionnaires for XaaS environments that help address:
o What should be tested in a cloud environment?
o How does one assure data isolation in a multi-tenant environment?
o What should appear in a typical infrastructure vulnerability report? Is it acceptable to use results provided by the cloud provider?
Class: Detective

SERVICES
CORE FUNCTIONALITIES
• Governance — process by which policies are set and decision making is executed
• Risk Management — process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions
• Compliance — process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
• Technical Compliance Audits - automated auditing of configuration settings in devices, operating systems, databases, and applications
• Application Security Assessments - automated auditing of custom applications
• Vulnerability Assessments - automated probing of network devices, computers and applications for known vulnerabilities and configuration issues
• Penetration Testing - exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically requiring manual assistance
• Security / risk rating - assessment of the overall security / vulnerability of the systems being tested, e.g. based on the OWASP Risk Rating Methodology
OPTIONAL FEATURES
• SIEM Integration
• Physical security assessments
Includes: Internal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment
Related Services: Intrusion Management
Related Technologies and Standards: SCAP (FDCC), CVSS, CVE, CWE, CYBEX
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 2, 4
THREATS ADDRESSED
• Inaccurate inventory
• Lack of continuous monitoring
• Lack of correlation information
• Lack of complete auditing
• Failure to meet/prove adherence to Regulatory/Standards Compliance
• Insecure / vulnerable configurations
• Insecure architectures
• Insecure processes / processes not being followed
CHALLENGES
• Standards are on different maturity levels in the various sections
• Certification & Accreditation
• Boundary definition for any assessments
• Skills of tester(s) / assessors
• Accuracy
• Inconsistent ratings from different individuals / vendors
• Typically limited to known vulnerabilities
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
• Agiliance
• Core Security
• Modulo
• Qualys
• Veracode
• WhiteHat
Non-Cloud
• Agiliance
• Archer
• Cenzic
• Core Security
• eEye
• HP
• Immunity
• Modulo
• nCircle
• Rapid7
• Saint
• Symantec
• Tenable
REFERENCES / ADDITIONAL RESOURCES
• CSA Guidance: https://cloudsecurityalliance.org/research/projects/ and https://cloudsecurityalliance.org/grcstack.html
• Gartner - GRC definition: http://blogs.gartner.com/french_caldwell/2010/01/12/wecome-to-kill-grc-not-to-praise-it/
• NIST (800-146): http://csrc.nist.gov/publications/drafts/800-146/DraftNIST-SP800-146.pdf
• http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
• ENISA Information Assurance: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
• BSI Cornerstones Cloud Computing (in German): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/EckpunktepapierSicherheitsempfehlungen-CloudComputing-Anbieter.pdf
• CAMM: common-assurance.com
• http://objectsecurity-mds.blogspot.com/2009/06/modeldriven-security-accreditation.html
• http://www.oceg.org/
Category #6: Intrusion Management
Description: Intrusion Management is the process of using pattern recognition to detect and
react to statistically unusual events. This may include reconfiguring system components in real
time to stop / prevent an intrusion.
The methods of intrusion detection, prevention, and response in physical environments are
mature; however, the growth of virtualization and massive multi-tenancy is creating new
targets for intrusion and raises many questions about the implementation of the same protection
in cloud environments.
Examples of how cloud-based Intrusion Management could be offered include:
• Provided by the Cloud Service Provider
• Provided by a third-party (routing traffic through a SecaaS)
• Hybrid SaaS with third-party management and host-based or virtual appliances running in the cloud consumer's context
Class: Detective, protective, reactive

SERVICES
CORE FUNCTIONALITIES
General
• Identification of intrusions and policy violations
• Automatic or manual remediation actions
• Coverage for:
o Workloads
o Virtualization Layer (VMM/Hypervisor)
o Management Plane
o Cloud and other APIs
• Updates to address new vulnerabilities, exploits and policies
Network Security (NBA, NIPS/NIDS or HIPS/HIDS using network)
• Deep Packet Inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic
System/Behavioral
• One or more of:
o System Call Monitoring
o System/Application Log Inspection
o Integrity Monitoring OS (Files, Registry, Ports, Processes, Installed Software, etc.)
o Integrity Monitoring VMM/Hypervisor
o VM Image Repository Monitoring
OPTIONAL FEATURES
• Central Reporting
• SIEM Integration
• Administrator Notification
• Customization of policy (automatic or manual)
• Mapping to cloud-layer tenancy
• Cloud sourcing information to reduce false positives and improve coverage
• Remote storage or transmission of integrity information, to prevent local evasion
Includes: Packet Inspection, Detection, Prevention, IR
Related Services: Web Security, Secure Cloud & Virtualization Security
Related Technologies and Standards: DPI, Event correlation and pattern recognition
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 13
THREATS ADDRESSED
• Intrusion
• Malware
REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
• Alert Logic Threat Manager
• Arbor Peakflow X
• Check Point - Security Gateway Virtual Edition
• Cloudleverage Cloud IPS/firewall
CHALLENGES
General Challenges:
• Proliferation of SSL required by deployment in public clouds adds complexity or blocks visibility to network-based IDS/IPS
• Complexity and immaturity of Intrusion Management for APIs
• Lack of tools to manage instance-to-instance relationships
• Wire speed with full malware / attack coverage performance not meeting expectations
Specific to Cloud Consumers:
• Current lack of virtual SPAN ports in public cloud providers for typical deployment of NIDS or NBA
• Current lack of network-edge TAP interfaces for public cloud and virtual private cloud for typical deployment of NIPS
• Inability to utilize hypervisor (vSwitch/vNIC) introspection
• Latency, resiliency and bandwidth concerns with proxying network traffic through virtual appliances or 3rd party services
• Privacy concerns of service-based security
• Short lived instances (HIDS/HIPS logs can be lost)
• Performance limitations with network traffic in a shared
environment
Ownership / managing access to monitoring equipment and
data
Specific to Cloud Service Providers:



Policy management in a multi-tenant environment
Policy management for application-layer multi-tenancy (SaaS,
some PaaS services such as Microsoft SQL Azure)
Complexity of deployment and configuration
Cloud
 Cymtec Scout
 eEye Digital Security Blink
 IBM Proventia
 McAfee - Host Intrusion
Prevention
 Sourcefire - 3D System
 StoneGate - Virtual IPS
 Symantec Critical System
Protection
 Symantec Endpoint Protection
 Trend Micro Deep Security
 Trend Micro Threat Detection
Appliance
 TrustNet iTrust SaaS Intrusion
Detection
 XO Enterprise Cloud Security
Non-Cloud
 AIDE
 CA-eTrust Intrusion Detection
 Check Point IPS
 Cerero - Top Layer IPS
 Cetacea Networks - OrcaFlow
 Cisco Guard / IPS
 Detector
 DeepNines - BBX
 e-Cop - Cyclops
 Enterasys - IPS
 HP S IPS
 Intrusion – SecureNet / Host
 iPolicy
 Juniper Networks IDP
 Lancope - StealthWatch
 McAfee - Network Intrusion
Prevention
 OSSEC
 Q1 Labs - QRadar
 Radware - DefensePro
 Samhain
 SoftSphere Technologies HIPS
 StillSecure - Strata Guard
 StoneGate - IPS
 Suricata
 Symantec Network Security
REFERENCES / ADDITIONAL RESOURCES




Cloud Security Alliance Guidance: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
NIST Guide to Intrusion Detection and Prevention Systems (IDPS):
http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
Intrusion Detection: http://en.wikipedia.org/wiki/Intrusion_detection_system
Intrusion Prevention: http://en.wikipedia.org/wiki/Intrusion_prevention_system
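As an added example (not from the CSA document) of the host-based "Integrity Monitoring OS" functionality and the "remote storage or transmission of integrity information" feature listed above, the following keeps a baseline of file hashes sealed with an HMAC key that is assumed to be held by the remote monitoring service rather than on the host; the file names and the key are constructed for the demo:

```python
"""Added example (not from the CSA document): a minimal host-based file
integrity monitor ("Integrity Monitoring OS"). The baseline is sealed with
an HMAC key assumed to be held only by the remote monitoring service, so an
attacker with local access who alters a file cannot also silently rewrite the
baseline. Paths and the key are constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: held by the SecaaS provider, never stored on the monitored host.
REMOTE_BASELINE_KEY = b"demo-only-baseline-signing-key"

def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, key=REMOTE_BASELINE_KEY) -> dict:
    """Hash each monitored file and seal the table with an HMAC tag."""
    entries = {p: hash_file(p) for p in sorted(paths)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, "sha256").hexdigest()}

def baseline_is_authentic(baseline: dict, key=REMOTE_BASELINE_KEY) -> bool:
    """Reject a baseline whose entries were edited without the remote key."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, baseline["tag"])

def check_integrity(baseline: dict, key=REMOTE_BASELINE_KEY) -> dict:
    """Compare the current file state with the baseline; findings by kind."""
    if not baseline_is_authentic(baseline, key):
        raise ValueError("baseline tag mismatch: baseline was tampered with")
    findings = {"modified": [], "missing": []}
    for path, old_hash in baseline["entries"].items():
        if not os.path.exists(path):
            findings["missing"].append(path)
        elif hash_file(path) != old_hash:
            findings["modified"].append(path)
    return findings

def demo() -> dict:
    """Constructed scenario: baseline two files, then alter one and delete one."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "app.conf"), os.path.join(d, "users.db")
    for p in (a, b):
        with open(p, "w") as f:
            f.write("original contents of " + os.path.basename(p))
    baseline = build_baseline([a, b])
    with open(a, "a") as f:
        f.write("\ntampered")  # unauthorized change to a monitored file
    os.remove(b)               # monitored file removed
    return check_integrity(baseline)
```

Because the tag is computed with a key the host never holds, an attacker who edits both a file and the local copy of the baseline is still detected when the baseline is verified.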
Category #7: Security Information & Event Management (SIEM)
Description: Security Information and Event Management (SIEM) systems accept (via push or
pull mechanisms) log and event information. This information is then correlated and analyzed
to provide real-time reporting and alerting on incidents / events that may require intervention.
The logs are likely to be kept in a manner that prevents tampering, to enable their use as
evidence in any investigations.
Class: Detective

SERVICES
CORE FUNCTIONALITIES
• Real-time log / event collection, de-duplication, normalization, aggregation and
visualization
• Log normalization
• Real-time event correlation
• Forensics support
• Compliance reporting & support
• IR support
• Email anomaly detection
• Reporting
• Flexible data retention periods and policy management (including compliance policy
management)

OPTIONAL FEATURES
• Heuristic controls
• Specialized systems
• Physical log monitoring
• Access control system monitoring
• Physical security integration (cameras, alarms, phone, etc.)
• Integration with call / ticketing system

Includes: Log management, Event correlation, Security/Incident response, Scalability, Log and
Event Storage, Interactive searching and parsing of log data, Logs immutable (for legal
investigations)
Related Services: Architectural considerations, Compliance reporting, Software inventory,
Non-traditional correlation, Non-traditional monitoring, Database monitoring, Request
fulfillment
Related Technologies and Standards: FIPS 140-2 compliant, Common Event Format (CEF),
Common Event Expression (CEE), IF-MAP (TCG)
Service Model: SaaS, PaaS
CSA Domains (v2.1): 2, 3, 4, 5, 7, 9, 12

THREATS ADDRESSED
• Abuse and Nefarious Use
• Insecure Interfaces and APIs
• Malicious Insiders
• Shared Technology Issues
• Data Loss and Leakage
• Account or Service Hijacking
• Unknown Risk Profile
• Fraud

CHALLENGES
• Standardization of log formats
• Timing lag caused by translations from native log formats
• Unwillingness of providers to share logs
• Scaling for high volumes
• Identification and visualization of key information
• Usable interface, segregated by client

REFERENCES
• http://www.darkreading.com/securitymonitoring/167901086/security/securitymanagement/228000206/cloud-creates-siem-blind-spot.html
• http://securecloudreview.com/2010/08/service-provider-oftomorrow-part-9-as-the-cloud-thrives-siem-will-suffer/
• http://en.wikipedia.org/wiki/Security_information_and_event_management
• http://en.wikipedia.org/wiki/Security_event_manager

REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
• AccellOps
• Alien Vault (OSSIM)
• ArcSight ESM
• eIQnetworks
• Loglogic
• netForensics nFX One
• Novell Cloud Security Services / E-Sentinel
• OSSIM
• Prelude-SIEM
• Q1 Labs
• Quest Software
• RSA/EMC enVision
• SenSage
• Solar Winds Log and Event Manager
• Splunk
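The flow the description above sets out (collection, normalization, correlation, and tamper-resistant storage) run over a handful of constructed records, as an added example that is not part of the CSA document; the common schema fields, the sample log lines and the failed-login threshold are this example's own assumptions:

```python
"""Added example (not from the CSA document): the SIEM flow described above on
constructed input: collect records in two native formats, normalize them to
one schema, store them in a hash chain so later edits are detectable (the
"logs immutable" property), and run one correlation rule over the result."""
import hashlib
import json
import re
# Constructed sample records: sshd syslog lines and a JSON web-app login event.
SAMPLE_LOGS = [
    "Jan 12 10:00:01 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 51022",
    '{"host": "app1", "src": "198.51.100.7", "user": "admin", "event": "login_failed"}',
    "Jan 12 10:00:09 web1 sshd[2210]: Failed password for admin from 198.51.100.7 port 51030",
    "Jan 12 10:00:12 web1 sshd[2211]: Accepted password for alice from 203.0.113.5 port 40010",
]
SSHD = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def normalize(line: str) -> dict:
    """Map a native record onto the common schema {host, src, user, outcome}."""
    if line.startswith("{"):  # JSON application event
        rec = json.loads(line)
        outcome = "fail" if rec["event"] == "login_failed" else "ok"
        return {"host": rec["host"], "src": rec["src"], "user": rec["user"], "outcome": outcome}
    m = SSHD.match(line)  # syslog-style sshd line
    if not m:
        raise ValueError("unrecognised log format: " + line)
    outcome = "fail" if m["outcome"] == "Failed" else "ok"
    return {"host": m["host"], "src": m["src"], "user": m["user"], "outcome": outcome}

def ingest(lines, chain=None) -> list:
    """Normalize each record and append it to a hash chain: each entry's hash
    covers the previous hash, so editing or dropping an entry is detectable."""
    chain = [] if chain is None else chain
    for line in lines:
        event = normalize(line)
        prev = chain[-1]["hash"] if chain else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chain.append({"prev": prev, "event": event, "hash": digest})
    return chain

def chain_is_intact(chain: list) -> bool:
    """Recompute every link from the genesis value; any mismatch means tampering."""
    prev = "0" * 64
    for entry in chain:
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True

def correlate(chain: list, threshold: int = 3) -> list:
    """Rule: report sources with at least `threshold` failed logins across hosts."""
    fails = {}
    for entry in chain:
        ev = entry["event"]
        if ev["outcome"] == "fail":
            fails[ev["src"]] = fails.get(ev["src"], 0) + 1
    return sorted(src for src, n in fails.items() if n >= threshold)
```

The correlation rule only fires because both native formats were mapped to the same schema first, which is the point of the "Standardization of log formats" challenge above.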
Category #8: Encryption
Description: Encryption is the process of obfuscating/encoding data (usually referred to as
plain text) using cryptographic algorithms, the product of which is encrypted data (usually
referred to as ciphertext). Only the intended recipient or system that is in possession of the
correct key can decode (decrypt) this ciphertext. In the case of one-way cryptographic
functions, a digest or hash is created instead.
Encryption systems typically consist of one or more algorithms that are computationally difficult
(or infeasible) to break, along with the processes and procedures to manage encryption and
decryption, hashing, digital signatures, certificate generation and renewal, key exchange, etc.
Each part is effectively useless without the other, e.g. the best algorithm is easy to “crack” if an
attacker can access the keys due to weak processes.
Class: Protective

SERVICES
CORE FUNCTIONALITIES
• Data protection (at rest and in motion)
• Data validation
• Message Authentication
• Message/data integrity
• Data Time-stamping (digital notary)
• Identity validation (certificates to identify IT assets/endpoints)
• Code Signing
• Forgery detection
• Identity validation (digital signatures)
• Digital Fingerprinting
• Forensic protection (hashing of log files and evidence)
• Pseudorandom number generation
• Data Destruction (throw away the key!)
• Key/certificate generation and management

OPTIONAL FEATURES
• Searching encrypted data
• Sorting encrypted data
• Identity based encryption
• Data integrity
• Mechanism to ensure secure removal of customer data when term / contract terminated
• Identity assurance (e.g., the parties involved are who they claim to be)

Includes: VPN services, Encryption Key Management, Virtual Storage Encryption,
Communications Encryption, Application Encryption, Database Encryption, digital signatures,
Integrity validation
Related Services: VM Architecture, Hardware protection, Software-based protection, remote
access validation
Related Technologies and Standards: FIPS 140-2, IPSEC, SSL, Hashing and algorithms,
Symmetric and Asymmetric Cryptography
Service Model: PaaS, SaaS, IaaS
CSA Domains (v2.1): 11

THREATS ADDRESSED
• Failure to meet Regulatory Compliance requirements
• Mitigating insider and external threats to data
• Intercepted clear text network traffic
• Clear text data on stolen / disposed of hardware
• Reducing the risk of, and potentially enabling, cross-border business opportunities
• Reducing perceived risks and thus enabling Cloud's Adoption by government

CHALLENGES
• Risk of compromised keys
• Searching and/or sorting of encrypted data
• Separation of duties between data owners, administrators and cloud service providers
• Legal issues
• Federated trust between providers

REFERENCES / ADDITIONAL RESOURCES
• http://www.eweek.com/c/a/Security/IBM-UncoversEncryption-Scheme-That-Could-Improve-Cloud-SecuritySpam-Filtering-135413/
• https://cloudsecurityalliance.org/csaguide.pdf
• “Implementing and Developing Cloud Computing Applications” by David E.Y. Sarna
• http://www.ctoedge.com/content/new-approach-enteprisedata-security-tokenization
• http://arstechnica.com/tech-policy/news/2009/09/yoursecrets-live-online-in-databases-of-ruin.ars
• CSA discussion forums: “The Illegality of Exporting Personal Data into the Cloud. Is the
following Hypothesis the Answer? Does the following Hypothesis Handle the Objection?”
http://www.linkedin.com/e/-njv39egmdp90wv1m/vaq/23764306/1864210/36300812/view_disc/
• “IETF RFC 5246”. The Transport Layer Security (TLS) Protocol Version 1.2:
http://tools.ietf.org/rfc/rfc5246.txt
• “SP 800-57 Recommendation for Key Management” NIST, January 2011:
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
http://csrc.nist.gov/publications/nistpubs/800-57/SP80057-Part2.pdf
http://csrc.nist.gov/publications/nistpubs/80057/sp800-57_PART3_key-management_Dec2009.pdf
• “SP 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic
Algorithms and Key Lengths” NIST, January 2011:
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800131A.pdf
• ISO/TR (2010). “ISO TR-14742:2010 Financial Services Recommendations on Cryptographic
Algorithms and their Use.” ISO.
• Ferguson, N., Schneier, B., and Kohno, T. (2010). “Cryptography Engineering: Design
Principles and Practical Applications.” New York: John Wiley and Sons.

REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
• Credant
• Cypher Cloud
• enStratus
• Novaho
• Perpecsys
• ProtectV
• SecureCloud
• SurePassID
• Vormetric
Non-Cloud
• Crypo.com
• Sendinc
Category #9: Business Continuity and Disaster Recovery
Description: Business Continuity and Disaster Recovery are the measures designed and
implemented to ensure operational resiliency in the event of any service interruptions.
BCDR provides flexible and reliable failover for required services in the event of any service
interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric
BCDR makes use of the cloud’s flexibility to minimize cost and maximize benefits. For
example, a tenant could make use of low-specification guest machines to replicate applications
and data to the cloud, but with the provision to quickly ramp up the CPU and RAM, etc. of
these machines in a BCDR scenario.
Class: Reactive, Protective, Detective

SERVICES
CORE FUNCTIONALITIES
• Flexible infrastructure
• Secure backup
• Monitored operations
• Third party service connectivity
• Replicated infrastructure components
• Replicated data (core / critical systems)
• Data and/or application recovery
• Alternate sites of operation
• Tested and measured processes and operations to ensure
• Geographically distributed data centers / infrastructure
• Network survivability

OPTIONAL FEATURES
• Support for BC and DR compliance monitoring and/or reporting or testing flexible
infrastructure
• Authorized post-disaster privileged account management
• Enable DR Policy management (incl. authorization management, role management,
compliance management)

Includes: File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance,
Business partner agreements, Replication (e.g. Databases)
Related Services: Fail-back to live systems, Encryption of data in transit, Encryption of data at
rest, Field level encryption, Realm-based access control
Related Technologies and Standards: ISO/IEC 24762:2008, BS25999
Service Model: IaaS, SaaS
CSA Domains (v2.1): 7

THREATS ADDRESSED
• Natural disaster
• Fire
• Power outage
• Terrorism/sabotage
• Data corruption
• Data deletion
• Pandemic/biohazard

CHALLENGES
• Over-centralization of data
• Lack of approved and tested policies, processes, and procedures
• Legal constraints on transportation of data outside affected region
• Network connectivity failures
• Identification of Recovery Time Objectives / Recovery Point Objectives / SLAs
• Agreed definition between vendor and client of what DR / BCP means
• Security – Data in multiple locations

REFERENCES / ADDITIONAL RESOURCES
• NIST SP 800-34
• ISO/IEC-27031
• http://en.wikipedia.org/wiki/Disaster_recovery
• http://www.silicon.com/management/cioinsights/2010/09/30/cloud-computing-is-it-ready-fordisaster-recovery-39746406/
• http://blogs.forrester.com/rachel_dines/11-08-29disaster_recovery_meet_the_cloud
• http://www.usenix.org/event/hotcloud10/tech/full_papers/Wood.pdf

REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
• Atmos
• Decco
• Digital Parallels
• Quantix
• Rackspace
Non-Cloud
• IBM
• Iron Mountain
• Sunguard
Category #10: Network Security
Description: Network Security consists of security services that allocate access, distribute,
monitor, and protect the underlying resource services.
Architecturally, network security provides services that address security controls at the
network in aggregate or specifically addressed at the individual network of each underlying
resource.
In a cloud / virtual environment network security is likely to be provided by virtual devices
alongside traditional physical devices. Tight integration with the hypervisor to ensure full
visibility of all traffic on the virtual network layer is key.
Class: Detective, protective, reactive

SERVICES
CORE FUNCTIONALITIES
• Data Threats
• Access Control Threats
• Access and Authentication controls
• Security Gateways (firewalls, WAF, SOA/API, VPN)
• Security Products (IDS/IPS, Server Tier Firewall, File Integrity Monitoring, DLP,
Anti-Virus, Anti-Spam)
• Security Monitoring and IR
• DoS protection/mitigation
• Secure “base services” like DNS and/or DNSSEC, DHCP, NTP, RAS, OAuth, SNMP,
Management network segmentation and security
• Traffic / netflow monitoring
• Integration with Hypervisor layer

OPTIONAL FEATURES
• Log correlation / Secure and Immutable Logging
• Secure data encryption at rest
• Performance monitoring of the network
• Real-time alerting
• Change Management

Includes: Firewall (perimeter and server tier), Web application firewall, DDOS
protection/mitigation, DLP, IR management, IDS / IPS
Related Services: Identity and Access Management, Data Loss Prevention, Web Security,
Intrusion Management, Security Information and Event Management, and Encryption
Related Technologies and Standards:
Service Model: IaaS, SaaS, PaaS
CSA Domains (v2.1): 7, 8, 9, 10, 13

THREATS ADDRESSED
• Data Threats
• Access Control Threats
• Application Vulnerabilities
• Cloud Platform Threats
• Regulatory, Compliance & Law Enforcement

CHALLENGES
• Micro-borders (instead of traditional clearly defined network boundaries, the borders
between tenant networks can be dynamic and potentially blurred in a large-scale virtual /
cloud environment)
• Virtual Segmentation of Physical Servers
• Limited visibility of inter-VM traffic
• Non-standard APIs
• Management of many virtual networks / VLANs in a complex environment – reliant on
providers' policies and procedures
• Separation of production and non-production environments
• Logical and Virtual Segregation of Customer Network/Systems/Data

REFERENCES / ADDITIONAL RESOURCES
• CSA
• Intel Cloud Security Reference Architecture:
http://software.intel.com/en-us/articles/Cloud-SecurityReference-Architecture-Guide/
http://www.intel.com/content/dam/doc/referencearchitecture/cloud-computing-enhanced-cloud-securityhytrust-vmware-architecture.pdf
• ENISA Cloud Computing Risk Assessment:
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

REFERENCE EXAMPLES
(Products and vendors. Non-exhaustive list)
Cloud
• CloudFlare
• HP
• IBM
• Imperva - Incapsula
• McAfee
• Rackspace
• Stonesoft
• Symantec
Non-Cloud
• HP
• IBM
• McAfee
• Snort
• Symantec