Defined Categories of Service 2011
CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011

Executive Summary
Cloud Computing represents one of the most significant shifts in information technology many
of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility
has great potential, promising innovations we cannot yet imagine.
Customers are both excited and nervous at the prospects of Cloud Computing. They are excited
by the opportunities to reduce capital costs. They are excited for a chance to divest
infrastructure management and focus on core competencies. Most of all, they are excited by the
agility offered by the on-demand provisioning of computing and the ability to align information
technology with business strategies and needs more readily. However, customers are also very
concerned about the security risks of Cloud Computing and the loss of direct control over the
security of systems for which they are accountable. Vendors have attempted to satisfy this
demand for security by offering security services in a cloud platform, but because these services
take many forms, they have caused market confusion and complicated the selection process.
To aid both cloud customers and cloud providers, CSA has embarked on a new research project
to provide greater clarity on the area of Security as a Service.
Numerous security vendors are now leveraging cloud-based models to deliver security
solutions. This shift has occurred for a variety of reasons, including greater economies of scale
and streamlined delivery mechanisms. Consumers are increasingly faced with evaluating
security solutions that do not run on premises. Consumers need to understand the unique
nature of cloud-delivered security offerings so that they are in a position to evaluate the
offerings and to understand whether they will meet their needs.
Based on survey results collected from prominent consumers of cloud services, the security
service categories of most interest to experienced industry consumers are the following:
- Identity and Access Management (IAM)
- Data Loss Prevention
- Web Security
- Email Security
- Security Assessments
- Intrusion Management
- Security Information and Event Management
- Encryption
- Business Continuity and Disaster Recovery
- Network Security

Copyright © 2011 Cloud Security Alliance
Category #1: Identity and Access Management (IAM)

Description: Identity and Access Management (IAM) should provide assured identities and access controls.

Class: Protective

SERVICES
Includes: User Centric ID Provider, Federated IDs, Web-SSO, Identity Provider, Authorization Management Policy Provider, Electronic Signature
Related Services: DLP
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE)
Service Model: SaaS, PaaS
CSA Domains (v2.1): 4, 12

CORE FUNCTIONALITIES
- Provisioning/de-provisioning of accounts (of both cloud & on-premise applications)
- Authentication (all forms)
- Directory services
- Directory synchronization (bilateral)
- Federated SSO
- Web SSO (granular access enforcement & session management; different from Federated SSO)
- Fraud Prevention
- Authorization (both user and application/system)
- Authorization token management and provisioning
- User profile & entitlement management (both user and application/system)
- Support for policy & regulatory compliance monitoring and/or reporting
- Federated Provisioning of Cloud Applications
- Self-Service request processing, such as password reset, setting up challenge questions, requests for roles/resources, etc.
- Privileged user management / privileged user password management
- Policy management (incl. authorization management, role management, compliance policy management)

OPTIONAL FEATURES
- Support for DLP
- Granular Activity Auditing broken down by individual
- Segregation of duties based on identity entitlement
- Compliance-centric reporting

THREATS ADDRESSED
- Identity theft
- Unauthorized access
- Privilege escalation
- Insider threat
- Non-repudiation
- Least privilege / need-to-know
- Delegation of authorizations / entitlements

CHALLENGES
- Lack of standards, vendor lock-in, ...
- Identity theft
- Unauthorized access
- Privilege escalation
- Insider threat
- Non-repudiation
- Least privilege / need-to-know
- Delegation of authorizations / entitlements
- Attacks on Identity Services such as DDoS
- Eavesdropping on Identity Service messaging
- Resource hogging with unauthorized provisioning
- Removing the identity information completely when the life cycle is over
- Real-time provisioning and de-provisioning
- Lack of interoperable representation of entitlement information
- Dynamic trust propagation and development of trusted relationships among service providers
- Transparency: security measures must be available to the customers to gain their trust
- Developing a user-centric access control where user requests to service providers are bundled with their identity and entitlement information
- Interoperating with all existing IT systems and existing solutions with minimum changes
- Dynamically scaling up and down; scaling to hundreds of millions of transactions for millions of identities and thousands of connections in a reasonable time

REFERENCE EXAMPLES
Cloud:
- Novell Cloud Security Services
- ObjectSecurity OpenPMF (authorization policy automation, for private cloud only)
Non-Cloud:
- Novell Identity Manager
- Oracle Identity Manager
- Oracle Access Manager Suite
- ObjectSecurity OpenPMF (authorization policy automation)

Category #2: Data Loss Prevention

Description: Data Loss Prevention is the monitoring, protection and verification of the security of data at rest, in motion, and in use.

Class: Preventative

SERVICES
Includes: Encryption, Meta-data tagging, Data Identification, Multilingual fingerprinting, Data leakage detection, Policy management and classification
Related Services: DLP
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), ESG
Service Model: SaaS, PaaS
CSA Domains (v2.1): 4, 12

CORE FUNCTIONALITIES
- Identification of Sensitive Data
- Predefined policies for major regulatory statutes
- Context Detection Heuristics
- Structured Data Matching (data-at-rest)
- SQL regular expression detection
- Traffic Spanning (data-in-motion) detection
- Real Time User Awareness
- Security Level Assignment
- Custom Attribute Lookup
- Automated Incident Response

OPTIONAL FEATURES
- Rate domains
- Smart Response (integrated remediation workflow)
- Automated event escalation
- Automated false positive signature compensation
- Unstructured Data Matching
- File Fingerprint Hashing
- Integration with Intrusion Detection Systems
- Multiple Language Pack

THREATS ADDRESSED
- Identity theft
- Data loss/leakage
- Unauthorized access
- Data integrity
- Separation of data storage and data ownership
- Data sovereignty issues
- Regulatory sanctions and fines

CHALLENGES
- Data may be stolen from the datacenter virtually or even physically
- Data could be misused by the datacenter operator or other employees with access
- Compliance requires certifying the cloud stack at all levels repeatedly
- Data sovereignty issues reduce customer rights with regard to governments

REFERENCE EXAMPLES
Cloud:
- RSA
- WebSense
- Reconnex
- Oracle
- IBM
- BlueCoat
- Symantec
- Vontu
- Zscaler
Non-Cloud:
- Palisade Systems PacketSure
- Symantec Protection Suite Enterprise Edition
- Digital Guardian

Category #3: Web Security

Description: Web Security is real-time protection offered either on premise through hardware installation or in the cloud by proxying web traffic to the cloud provider.

Class: Protective

SERVICES
Includes: Mail Server, Backup Server, Email, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management
Related Services: Firewalls, Proxy
Related Technologies and Standards: RuleML, XML, PHP, anti-virus
Service Model: SaaS, PaaS
CSA Domains (v2.1): 5, 10

CORE FUNCTIONALITIES
- Web Filtering
- Malware, Spyware & Bot Network analyzer
- Phishing site blocker
- Instant Messaging Scanning
- Email Security
- Bandwidth
- Data Loss Prevention
- Fraud Prevention
- Web Access Control
- Backup

OPTIONAL FEATURES
- Rate domains
- Categorize websites by URL/IP address
- Rate sites by user requests
- Transparent updating of user mistakes
- Categorize and rate websites as needed
- Categorize websites for policy enforcement
- Recognize multiple languages
- Categorize top-level domains
- Block downloads with spoofed file extensions
- Strip potential spyware downloads from high-risk sites

THREATS ADDRESSED
- Keyloggers
- Domain Content
- Malware
- Spyware
- Bot Network
- Phishing
- Virus
- Bandwidth consumption
- Data Loss Prevention

CHALLENGES
- Constantly evolving threats
- Insider circumvention of web security
- Compromise of the web filtering service by proxy
- Higher cost
- Lack of features vs. premise-based solutions
- Lack of policy granularity and reporting
- Relinquishing control

REFERENCE EXAMPLES
Cloud:
- RSA
- Trend Micro
- Panda
- Zscaler
Cloud Enabling Hardware:
- Symantec
- McAfee
- Cisco
- Blue Coat
- Barracuda

Category #4: Email Security

Description: Email Security should provide control over inbound and outbound email, protecting the organization from phishing, malicious attachments, and spam, and providing business continuity options.

Class: Protective, detective, reactive

SERVICES
Includes: Content Security, Anti-Virus/Anti-malware, Spam Filtering, Email Encryption, DLP for outbound email, Web Mail
Related Services: DLP, Web Security, Business Continuity
Related Technologies and Standards: SMTP (ESMTP, SMTPS), IMAP, POP, MIME, S/MIME, PGP
Service Model: SaaS
CSA Domains (v2.1): 3, 5

CORE FUNCTIONALITIES
- Accurate filtering to block spam and phishing
- Deep protection against viruses and spyware before they enter the enterprise perimeter
- Flexible policies to define granular mail flow and encryption
- Rich, interactive and correlated real-time reporting

OPTIONAL FEATURES
- Secure archiving
- Web-mail interface
- Full integration with in-house identity system (LDAP, Active Directory, etc.)
- Mail encryption, signing & time-stamping
- Flexible integration
- Data Loss Prevention (DLP) for SMTP and webmail

THREATS ADDRESSED
- Phishing
- Intrusion
- Malware

CHALLENGES
- Portability
- Storage
- Use of unauthorized webmail for business purposes

REFERENCES
- http://www.eweek.com/c/a/Messaging-andCollaboration/SAAS-Email-From-Google-Microsoft-ProvesCost-Effective-For-Up-to-15K-Seats/

REFERENCE EXAMPLES
Cloud:
- Zscaler Email Security
- Microsoft Cloud Services
- Symantec.cloud
- Postini
- Gmail for Domains
- Trend Micro
- McAfee
- Barracuda Networks

Category #5: Security Assessment

Description: Security Assessments are third-party audits of cloud services based on industry standards.

Class: Detective

SERVICES
Includes: Internal and/or external penetration test, Application penetration test, Host and guest assessments, Firewall/IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment
Related Services: Intrusion Management
Related Technologies and Standards: SCAP (FDCC), CVSS, CVE, CWE, CYBEX
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 2, 4

CORE FUNCTIONALITIES
- Governance: the process by which policies are set and decision making is executed
- Risk Management: the process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions
- Compliance: the process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
- Technical Compliance Audits: automated auditing of configuration settings in devices, operating systems, databases, and applications
- Application Security Assessments: automated auditing of custom applications
- Vulnerability Assessments: automated probing of network devices, computers and applications for known vulnerabilities and configuration issues
- Penetration Testing: exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically with manual assistance

OPTIONAL FEATURES
- SI/EM Integration

THREATS ADDRESSED
- Accurate Inventory
- Continuous Monitoring
- Correlation Information
- Remediation Auditing
- Regulatory/Standards Compliance

CHALLENGES
- Standards are at different maturity levels in the various sections
- Certification & Accreditation

REFERENCES
- CSA Guidance: https://cloudsecurityalliance.org/research/projects/ and https://cloudsecurityalliance.org/grcstack.html
- Gartner - GRC definition: http://blogs.gartner.com/french_caldwell/2010/01/12/wecome-to-kill-grc-not-to-praise-it/
- NIST (800-146): http://csrc.nist.gov/publications/drafts/800-146/DraftNIST-SP800-146.pdf
- ENISA Information Assurance: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
- BSI Cornerstones Cloud Computing (in German): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktepapier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf
- CAMM: http://objectsecurity-mds.blogspot.com/2009/06/modeldriven-security-accreditation.html
- http://www.oceg.org/

REFERENCE EXAMPLES
Cloud:
- Governance: Agiliance, Modulo
- Risk Management
- Compliance
- Technical Policy Compliance: Qualys (per IP/year), Veracode, WhiteHat
- Vulnerability Assessments: Qualys (per IP/year)
- Penetration Testing: Core Security
Non-Cloud:
- Governance: Agiliance, Archer, Modulo
- Risk Management
- Compliance
- Technical Policy Compliance: nCircle, Symantec
- Application Security Assessments: Cenzic, HP
- Vulnerability Assessments: nCircle, Rapid7, Tenable
- Penetration Testing: Core Security, Immunity, Rapid7 - Metasploit

Category #6: Intrusion Management

Description: Intrusion Management is the process of using pattern recognition to detect statistically unusual events.

Class: Detective, protective, reactive

SERVICES
Includes: Packet Inspection, Detection, Prevention, IR
Related Services: Web Security, Secure Cloud & Virtualization Security
Related Technologies and Standards: DPI
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 13

CORE FUNCTIONALITIES
General:
- Identification of intrusions and policy violations
- Automatic or manual remediation actions
- Coverage for: Workloads; Virtualization Layer (VMM/Hypervisor); Management Plane; Cloud and other APIs
- Updates to address new vulnerabilities, exploits and policies
Network Security (NIPS/NIDS or HIPS/HIDS using network):
- Deep Packet Inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic
System/Behavioral, one or more of:
- System Call Monitoring
- System/Application Log Inspection
- Integrity Monitoring of the OS (Files, Registry, Ports, Processes, Installed Software, etc.)
- Integrity Monitoring of the VMM/Hypervisor
- VM Image Repository Monitoring

OPTIONAL FEATURES
- Central Reporting
- SI/EM Integration
- Administrator Notification
- Customization of policy (automatic or manual)
- Mapping to cloud-layer tenancy
- Cloud sourcing of information to reduce false positives and improve coverage
- Remote storage or transmission of integrity information, to prevent local evasion

THREATS ADDRESSED
- Intrusion
- Malware

CHALLENGES
General Challenges:
- Proliferation of SSL required by deployment in public clouds adds complexity or blocks visibility for network-based IDS/IPS
- Complexity and immaturity of Intrusion Management for APIs
- Lack of tools to manage instance-to-instance relationships
Specific to Cloud Consumers:
- Current lack of virtual SPAN ports in public cloud providers for typical deployment of NIDS or NBA
- Current lack of network-edge TAP interfaces for public cloud and virtual private cloud for typical deployment of NIPS
- Inability to utilize hypervisor (vSwitch/vNIC) introspection
- Latency, resiliency and bandwidth concerns with proxying network traffic through virtual appliances or 3rd party services
- Privacy concerns of service-based security
- Short-lived instances (HIDS/HIPS logs can be lost)
- Performance limitations with network traffic in a shared environment
Specific to Cloud Service Providers:
- Policy management in a multi-tenant environment
- Policy management for application-layer multi-tenancy (SaaS, some PaaS services such as Microsoft SQL Azure)
- Complexity of deployment and configuration

REFERENCES
- Cloud Security Alliance Guidance: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
- NIST Guide to Intrusion Detection and Prevention Systems (IDPS): http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
- Intrusion Detection: http://en.wikipedia.org/wiki/Intrusion_detection_system
- Intrusion Prevention: http://en.wikipedia.org/wiki/Intrusion_prevention_system

REFERENCE EXAMPLES
Cloud:
- Alert Logic Threat Manager
- Cloudleverage Cloud IPS/firewall
- Cymtec Scout
- TrustNet iTrust SaaS Intrusion Detection
- XO Enterprise Cloud Security
Non-Cloud:
- CA - eTrust Intrusion Detection
- Corero - Top Layer IPS
- Check Point - Sentivist
- Cisco
- DeepNines - BBX
- e-Cop - Cyclops
- Enterasys Networks - Dragon
- HP TippingPoint
- Intrusion - SecureNet
- IBM
- iPolicy
- Juniper Networks IDP
- McAfee - IntruShield
- Radware - DefensePro
- Sourcefire - 3D System
- Symantec Network Security
- Vern Paxson - Bro
- Arbor Peakflow X
- Cetacea Networks - OrcaFlow
- GraniteEdge ESP
- ISS - Proventia Network Anomaly Detection System
- Lancope - StealthWatch
- Mazu - Profiler
- Q1 Labs - QRadar
- Trend Micro Threat Detection Appliance
- AIDE
- eEye Digital Security Blink
- Intrusion - SecureHost
- OSSEC
- Samhain
- SoftSphere Technologies DefenseWall HIPS
- Suricata

Category #7: Security Information & Event Management (SIEM)

Description: Security Information and Event Management (SIEM) systems accept log and event information, correlation and incident data, and provide real-time analysis and correlation.

Class: Detective

SERVICES
Includes: Log Management, Event Correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data
Related Services: Architectural considerations, Compliance reporting, Software inventory, Non-traditional correlation, Non-traditional monitoring, Database monitoring, Request fulfillment
Related Technologies and Standards: FIPS 140-2 compliant, Common Event Format (CEF), Common Event Expression (CEE)
Service Model: SaaS, PaaS
CSA Domains (v2.1): 2, 3, 4, 5, 7, 9, 12

CORE FUNCTIONALITIES
- Real-time log collection and aggregation
- Log normalization
- Real-time event correlation
- Forensics support
- Compliance reporting & support
- IR support
- Reporting
- Flexible data retention periods and policy management (incl. compliance policy management)

OPTIONAL FEATURES
- Heuristic controls
- Specialized systems
- Physical log monitoring
- Access control system monitoring
- Physical security integration (cameras, alarms, phone, etc.)

THREATS ADDRESSED
- Abuse and Nefarious Use
- Insecure Interfaces and APIs
- Malicious Insiders
- Shared Technology Issues
- Data Loss and Leakage
- Account or Service Hijacking
- Unknown Risk Profile

CHALLENGES
- Standardization of log formats
- Timing lag caused by translations from native log formats
- Unwillingness of providers to share logs

REFERENCE EXAMPLES
Cloud:
- Novell Cloud Security Services
- ArcSight
- Q1 Labs
- RSA/EMC enVision
- LogLogic
- Novell's E-Sentinel
- Quest Software
- SenSage
- eIQnetworks
- AlienVault (OSSIM)
- AccelOps

Category #8: Encryption

Description: Encryption is the process of obfuscating data using cryptographic and numerical ciphers.

Class: Protective

SERVICES
Includes: VPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption
Related Services: VM Architecture, Hardware Protection, Software-Based Protection
Related Technologies and Standards: FIPS 140-2, AES, RSA, IPSEC, SSL, and Hashing
Service Model: IaaS
CSA Domains (v2.1): 11

CORE FUNCTIONALITIES
- Protection of data in transit
- Protection of data at rest
- Key and policy management
- Protection of cached data

OPTIONAL FEATURES
- Searching encrypted data
- Sorting encrypted data
- Identity-based encryption
- Data integrity

THREATS ADDRESSED
- Regulatory Compliance
- Mitigating insider and external threats to data
- Cross-border business opportunities
- Cloud's adoption by government
- Security as a market differentiator
- Communication Encryption
- Vulnerabilities and poor key management procedures

CHALLENGES
- Risk of compromised keys
- Searching and/or sorting of encrypted data
- Separation of duties between data owners, administrators and cloud service providers
- Legal issues

REFERENCES
- http://www.eweek.com/c/a/Security/IBM-UncoversEncryption-Scheme-That-Could-Improve-Cloud-SecuritySpam-Filtering-135413/
- https://cloudsecurityalliance.org/csaguide.pdf
- "Implementing and Developing Cloud Computing Applications" by David E.Y. Sarna
- http://www.ctoedge.com/content/new-approach-enteprisedata-security-tokenization
- http://arstechnica.com/tech-policy/news/2009/09/yoursecrets-live-online-in-databases-of-ruin.ars
- "The Illegality of Exporting Personal Data into the Cloud. Is the following Hypothesis the Answer? Does the following Hypothesis Handle the Objection?", CSA discussion forums: http://www.linkedin.com/e/-njv39e-gmdp90wv1m/vaq/23764306/1864210/36300812/view_disc/
- "IETF RFC 5246", The Transport Layer Security (TLS) Protocol Version 1.2: http://tools.ietf.org/rfc/rfc5246.txt
- "SP 800-57 Recommendation for Key Management", NIST, January 2011: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf, http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf, http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
- "SP 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths", NIST, January 2011: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
- ISO/TR (2010). "ISO TR-14742:2010 Financial Services - Recommendations on Cryptographic Algorithms and their Use." ISO.
- Ferguson, N., Schneier, B., and Kohno, T. (2010). "Cryptography Engineering: Design Principles and Practical Applications." New York: John Wiley and Sons.

REFERENCE EXAMPLES
Cloud:
- CipherCloud
- Navajo
- PerspecSys
Non-Cloud:
- Crypo.com
- Sendinc

Category #9: Business Continuity and Disaster Recovery

Description: Business Continuity and Disaster Recovery is the implementation of measures designed to ensure operational resiliency in the event of any service interruptions.

Class: Reactive

SERVICES
Includes: File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business Partner Agreements
Related Services: Fail-back to live systems, Encryption of data in transit, Encryption of data at rest, Field level encryption, Realm based access control
Related Technologies and Standards: ISO/IEC 24762:2008, BS25999
Service Model: IaaS
CSA Domains (v2.1): 7

CORE FUNCTIONALITIES
- Flexible infrastructure
- Secure backup
- Monitored operations
- Third party service connectivity
- Replicated infrastructure components
- Data and/or application recovery
- Alternate sites of operation
- Tested and measured processes and operations to ensure operational resiliency

OPTIONAL FEATURES
- Support for BC and DR compliance monitoring and/or reporting or testing
- Authorized post-disaster privileged account management
- Enable DR policy management (incl. authorization management, role management, compliance management)

THREATS ADDRESSED
- Natural disaster
- Fire
- Power outage
- Terrorism
- Data corruption
- Data deletion
- Pandemic

CHALLENGES
- Overcentralization of data
- Lack of approved and tested policies, processes, and procedures
- Legal constraints on transportation of data outside the affected region
- Network connectivity failures

REFERENCES
- NIST SP 800-34
- ISO/IEC 27031

REFERENCE EXAMPLES
Cloud:
- Rackspace
- Quantix
- Digital Parallels
- Atmos
- Decco
Non-Cloud:
- SunGard
- IBM
- Iron Mountain

Category #10: Network Security

Description: Network Security consists of security services that allocate access, distribute, monitor, and protect the underlying resource services.

Class: Detective, protective, reactive

SERVICES
Includes: Firewall (Perimeter and Server Tier), Web Application Firewall, DDoS Protection/Mitigation, DLP, IR Management
Related Services: Identity and Access Management, Data Loss Prevention, Web Security, Intrusion Management, Security Information and Event Management, and Encryption
Related Technologies and Standards:
Service Model: IaaS, SaaS, PaaS
CSA Domains (v2.1): 7, 8, 9, 10, 13

CORE FUNCTIONALITIES
- Data Threats
- Access Control Threats
- Access and Authentication controls
- Security Gateways (firewalls, WAF, SOA/API)
- Security Products (IDS/IPS, Server Tier Firewall, File Integrity Monitoring, DLP, Anti-Virus, Anti-Spam)
- Security Monitoring and IR
- DoS protection/mitigation
- Secure "base services" like DNSSEC, NTP, OAuth, SNMP
- Management network segmentation and security

OPTIONAL FEATURES
- Log correlation
- Secure data encryption at rest

THREATS ADDRESSED
- Data Threats
- Access Control Threats
- Application Vulnerabilities
- Cloud Platform Threats
- Regulatory, Compliance & Law Enforcement

CHALLENGES
- Micro-borders
- Virtual Segmentation of Physical Servers
- Limited visibility of inter-VM traffic
- Non-standard APIs

REFERENCES
- CSA
- Intel Cloud Security Reference Architecture
- ENISA Cloud Computing Risk Assessment

REFERENCE EXAMPLES
Cloud:
- HP
- IBM
- Stonesoft
- Symantec.cloud
- Rackspace
Non-Cloud:
- HP
- IBM
- Snort