Domain 14: Security as a Service

CSA Guidance Version 3
Cloud Computing represents one of the most significant shifts in information technology
many of us are likely to see in our lifetimes. Reaching the point where computing functions as
a utility has great potential, promising innovations we cannot yet imagine. One such
innovation is the centralization of security resources. Consumers have recognized the
benefits of a standardized security framework for both the providers and consumers. One of
the milestones of the maturity of cloud as a platform for business operations is the adoption
of Security as a Service on a global scale and the recognition of how security can be
enhanced. The worldwide implementation of security as an outsourced commodity will
eventually minimize the disparate variances and security voids.
Overview

This Domain will address the following topics:
- The Ubiquity of Security as a Service in the Marketplace
- Concerns when Implementing Security as a Service
- Advantages of Implementing Security as a Service
- The Flavors and Variety of Services that can be categorized as Security as a Service

This document corresponds to the Security as a Service publication as well as the CSA Cloud Control Matrix controls.
14.1 Ubiquity of Security as a Service
Customers are both excited and nervous at the prospects of Cloud Computing. They are
excited by the opportunities to reduce capital costs. They are excited for a chance to divest
infrastructure management and focus on core competencies. Most of all, they are excited by
the agility offered by the on-demand provisioning of computing resources and the ability to
align information technology with business strategies and needs more readily. However,
customers are also very concerned about the security risks of Cloud Computing and the loss
of direct control over the security of systems for which they are accountable. Vendors have
attempted to satisfy this demand for security by offering security services in a cloud platform,
but because these services take many forms, they have caused market confusion and
complicated the selection process. This has led to limited adoption of cloud-based security services thus far. However, the future looks bright for SecaaS, with Gartner predicting that cloud-based security service use will more than triple in many segments by 2013.
Copyright © 2011 Cloud Security Alliance
Many enterprises do not think that they use Security as a Service in the cloud, but they are often quite mistaken. Security as a Service is experiencing exponential growth; however, because it lacks a common set of standards, it is losing the potential economic and competitive benefits available. The Cloud Security Alliance has been working with industry experts to develop recommended practices and standards, and to underscore potential pitfalls.
Numerous security vendors are now leveraging cloud-based models to deliver security
solutions. This shift has occurred for a variety of reasons including greater economies of scale
and streamlined delivery mechanisms. Consumers are increasingly faced with evaluating security solutions that do not run on premises. Consumers need to understand the unique, diverse and pervasive nature of cloud-delivered security offerings so that they are in a position to evaluate the offerings and to understand whether they will meet their needs.
14.2 Concerns when implementing Security as a Service
Despite the impressive array of benefits provided by Cloud Security Services, such as dynamic scalability, virtually unlimited resources, and economies of scale with lower or no cost of ownership, there are concerns about security in the cloud environment, compliance, multi-tenancy, and vendor lock-in. While these are cited as concerns that prevent the migration of security into the cloud, the same concerns exist with traditional data centers.
Concern about security in the cloud environment is often based on the belief that the systems are not locked down as well as in traditional data centers and that the personnel lack the proper credentials and background checks. For Security as a Service providers, this is far from the reality I have seen. They recognize the fragility of the relationship and often go to extreme
lengths to ensure that their environment is locked down as much as possible. They often run
background checks on their personnel that rival even the toughest government background
checks, and they run them often.
Compliance has been raised as a concern given the global regulatory environment. Security
as a Service providers have also recognized this and have gone to great efforts to
demonstrate their ability to not only meet but exceed these requirements, or to ensure that, if integrated into a client's network, they pass most, if not all, regulatory muster.
As with any cloud service, multi-tenancy presents concerns of data leakage between virtual
instances. While customers are concerned about this, the Security as a Service providers are
even more concerned in light of the litigious nature of modern business. As a result, they are
taking extraordinary precautions to ensure data is highly compartmentalized and any data
that is shared is anonymized to protect the identity and source.
When utilizing a Security as a Service vendor, an enterprise places some, many or all security logging, compliance, and reporting into a vendor's proprietary standard. In the event the
enterprise seeks a new vendor, they must concern themselves with an orderly transition and
somehow find a way for the existing data and log files to be translated correctly and in a
forensically sound manner.
It is important to note that, other than multi-tenancy, none of these concerns is "cloud unique"; they are problems faced by both in-house models and outsourcing models. For this
reason, unified security standards, such as those proposed by the Cloud Security Alliance
Cloud Control Matrix, are needed to help enterprises and vendors benefit from the Security
as a Service environment.
14.3 Advantages when Implementing Security as a Service
Just as cloud computing offers many advantages to both providers and consumers, Cloud Security as a Service offers many significant benefits due to a number of factors, including the aggregation of knowledge, broad actionable intelligence, and a full complement of security professionals on hand at all times, to name a few. One hurdle to greater implementation and acceptance will be the lack of standards. Such standards would provide a number of benefits, including strategic benefits, competitive advantages, and an improved vendor/client relationship.
The potential strategic benefits of leveraging centralized security services are well
understood by technical experts who witness the daily efficiencies gained. Companies that
are actively involved in the centralization and standardization of security best practices
typically gain significant medium and long-term cost-savings and competitive benefits over
their competitors in the market due to the efficiencies gained. Security delivered as a service enables the users of security services to measure each vendor by a single security standard, and thus to better understand what they are getting.
14.3.1 Competitive Advantages
Companies that participate in the development and implementation of security standards
gain a competitive edge over their peers due to the early access of information.
Furthermore, through the use of a centralized security infrastructure they are better able to
stem the inclusion of undesirable content. Once holistic security services are adopted and
implemented, providers reap the competitive benefits of being able to assure their clients
that they meet standard security best practice. The clients also have the advantage of being
able to point to security standards as a part of their compliance framework and service level
agreement obligations.
14.3.2 Vendor Client Relationship
There are many clear-cut benefits of security standards, including enabling customers to
understand exactly what they are getting, enabling easier comparison of vendor services,
and being able to hold vendors to clear agreed standards. Moving from one vendor to
another is also eased by the standardization of security delivery. Finally, it allows providers
to better exert market pressures on their tertiary suppliers enhancing the value for the
enterprises that consume the services and securing the supply chain. It is for these reasons
that we strongly support and are leading the drive towards cloud security standards and, in
relation to this work, clear standards for cloud based security as a service solutions in order
that both vendors and clients can work within known and defined frameworks.
14.4 Flavors and Variety of existing Security as a Service Offerings
Security as a Service is more than an outsourcing model for security management; it is an essential component of secure business resiliency and continuity. As a business resiliency control, Security as a Service offers a number of competitive benefits. Due to the elastic model of services delivered via the cloud, customers need only pay for what they require, such as the number of workstations to be protected, and not for the infrastructure and staffing needed to support the various security services. A security-focused provider offers greater security expertise than is typically available within an organization. Finally, the outsourcing of administrative tasks, such as log management, saves time and money and allows an organization to devote more time to its core competencies.
Gartner predicted that cloud-based security controls for messaging applications (such as anti-malware and anti-spam programs) would generate 60% of the revenue in that industry sector by 2013. Based on survey results collected from prominent consumers of cloud services, the following security service categories are of most interest to experienced industry consumers and security professionals:
- Identity and Access Management (IAM)
- Data Loss Prevention (DLP)
- Web Security
- Email Security
- Security Assessments
- Intrusion Management
- Security Information and Event Management (SIEM)
- Encryption
- Business Continuity and Disaster Recovery
- Network Security
14.4.1 Identity and Access Management (IAM)
Identity and Access Management (IAM) should provide controls for assured identities, access
and privileges management. IAM includes people, processes, and systems that are used to
manage access to enterprise resources by assuring the identity of an entity is verified, then
granting the correct level of access based on this assured identity. Audit logs of activity such
as successful and failed authentication and access attempts should be managed by the
application / solution. Identity and Access Management is a Protective and Preventative
technical control.
14.4.2 Data Loss Prevention
Monitoring, protecting and demonstrating protection of data at rest, in motion, and in use, both in the cloud and on premises, DLP services offer protection of data, usually by running as some sort of client on desktops / servers and enforcing rules around what can be done. Where these differ from broad rules like 'no ftp' or 'no uploads to web sites' is the level to which they understand data: for example, you can specify that no documents with numbers that look like credit cards can be emailed, that anything saved to USB storage is automatically encrypted and can only be decrypted on another office-owned machine with a correctly installed DLP client, and that only clients with functioning DLP software can open files from the file server. Within the cloud, DLP services could be offered as part of the build, such that all servers built for that client get the DLP software installed with an agreed set of rules deployed. This DLP offering is a preventative technical control.
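The following is an added illustration, not code from the CSA text or any DLP product, of the content-aware rule described above ("no documents with numbers that look like credit cards can be emailed"): it scans a message body and attachments for card-like numbers, uses the Luhn check to drop ordinary digit runs such as order references, and maps a hit to a policy action. The block, encrypt and allow actions and the internal-domain exception are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Candidate primary account number (PAN): 13 to 19 digits, optionally separated
# by single spaces or dashes. Constructed for this example, not a vendor pattern.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates card-like numbers from other digit runs
    (order ids, phone numbers) and so cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return every Luhn-valid card-like number found in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits so the incident record itself is not a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Verdict:
    action: str                      # "allow", "block" or "encrypt"
    reason: str
    matches: List[str] = field(default_factory=list)  # masked PANs only


def evaluate_email(body: str, attachments: Dict[str, str],
                   recipient_domain: str, internal_domain: str = "example.com") -> Verdict:
    """Policy from the text: documents containing card-like numbers may not be
    emailed. Assumption for this example: mail to the internal domain is forced
    through encryption instead of being blocked outright."""
    matches = find_card_numbers(body)
    for content in attachments.values():
        matches.extend(find_card_numbers(content))
    if not matches:
        return Verdict("allow", "no card-like data found")
    masked = [mask(m) for m in matches]
    if recipient_domain == internal_domain:
        return Verdict("encrypt", f"{len(matches)} PAN(s) to internal recipient", masked)
    return Verdict("block", f"{len(matches)} PAN(s) to external recipient", masked)


if __name__ == "__main__":
    # Constructed sample message: a real-looking test PAN in the body and a
    # 16-digit invoice reference in the attachment that fails the Luhn check.
    v = evaluate_email("Please charge card 4111 1111 1111 1111, exp 12/27.",
                       {"invoice.txt": "Invoice ref 1234567890123456"}, "partner.example.org")
    print(v.action, v.reason, v.matches)
```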
14.4.3 Web Security
Web Security is real-time protection offered either on premises through software / appliance installation or via the Cloud by proxying or redirecting web traffic to the cloud provider. This provides an added layer of protection on top of things like antivirus software to prevent malware
from entering the enterprise via activities such as web browsing. Policy rules around types
of web access and the time frames when this is allowed can also be enforced via these
technologies. Web Security is a protective, detective, reactive technical control.
14.4.4 Email Security
Email Security should provide control over inbound and outbound email, protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam prevention, and providing business continuity options. In addition, the solution should allow for policy-based encryption of emails as well as integrating with various email server solutions. Digital signatures enabling identification and non-repudiation are also features of many email security solutions. The Email Security offering is a protective, detective, and reactive technical control.
14.4.5 Security Assessment
Security assessments are third party audits of cloud services, or assessments of on-premises systems via cloud-provided solutions based on industry standards. Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SecaaS delivery model. In the SecaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administration overhead and pay-per-use with low initial investment.
While not the focus of this effort, additional challenges arise when these tools are used to audit cloud environments. Multiple organizations, including the CSA, have been working on guidelines to help organizations understand the additional challenges:
- Virtualization awareness of the tool, frequently necessary for IaaS platform auditing
- Support for common web frameworks in PaaS applications
- Compliance controls for IaaS, PaaS and SaaS platforms
- Standardized questionnaires for XaaS environments that help address:
  - What should be tested in a cloud environment?
  - How does one assure data isolation in a multi-tenant environment?
  - What should appear in a typical infrastructure vulnerability report? Is it acceptable to use results provided by the cloud provider?
14.4.6 Intrusion Detection/Prevention (IDS/IPS)
Intrusion Detection/Prevention systems monitor behavior patterns using rule-based,
heuristic, or behavioral models to detect anomalies in activity that present risks to the
enterprise. Network IDS/IPS have become widely used over the past decade because of the
impressive capability to provide a granular view of what is happening within an enterprise
network. The IDS/IPS monitors network traffic and compares the activity via rule engine or
statistical analysis. IDS is typically deployed in a passive mode to passively monitor sensitive
segments of a tenant’s network whereas the IPS is configured to play an active role in the
defense of the tenant’s network. In a traditional infrastructure this could include De
Militarized Zones (DMZs) off the firewall where corporate Web servers are located or
monitoring connections to an internal database. Within the cloud IDS systems often focus
on virtual infrastructure and cross hypervisor activity where coordinated attacks can disrupt
multiple tenants and create system chaos. When implemented in a passive mode, intrusion
detection Security as a Service offering is a Detective technical control.
14.4.7 Security Information & Event Management (SIEM)
Security Information and Event Management (SIEM) systems aggregate (via push or pull mechanisms) log and event data from virtual and real networks, applications, and systems. This information is then correlated and analyzed to provide real-time reporting and alerting on information / events that may require intervention or another type of response. The logs are likely to be collected and archived in a manner that prevents tampering, to enable their use as evidence in any investigations or historical reporting. The SIEM Security as a Service offering is a Detective technical control but can be configured to be a protective and reactive technical control.
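As an added example, not from the CSA text or any SIEM product, the pipeline the paragraph describes in miniature: two differently formatted feeds are normalized to one schema, duplicates that arrive by both push and pull are dropped, the archive is hash-chained so later edits are detectable, and one cross-source rule raises an alert. The two sample feeds, the event schema and the three-failure threshold are constructed for this illustration.

```python
import hashlib
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample feeds (not from any real system): a syslog-style sshd stream
# and a JSON stream from a web portal. The third sshd line repeats the second, as
# happens when one event reaches the collector by both push and pull.
SYSLOG_LINES = [
    "2011-10-03T10:15:01Z host-a sshd[2031]: Failed password for root from 198.51.100.7 port 5041 ssh2",
    "2011-10-03T10:15:03Z host-a sshd[2031]: Failed password for root from 198.51.100.7 port 5042 ssh2",
    "2011-10-03T10:15:03Z host-a sshd[2031]: Failed password for root from 198.51.100.7 port 5042 ssh2",
    "2011-10-03T10:15:09Z host-a sshd[2040]: Accepted password for alice from 203.0.113.5 port 5100 ssh2",
]
JSON_LINES = [
    '{"time":"2011-10-03T10:15:05Z","app":"portal","event":"login","result":"failure","user":"root","ip":"198.51.100.7"}',
    '{"time":"2011-10-03T10:16:00Z","app":"portal","event":"login","result":"success","user":"bob","ip":"203.0.113.9"}',
    "garbage line that must not crash the collector",
]
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
GENESIS = "0" * 64  # previous-hash value for the first archived entry

def normalize_syslog(line: str) -> Optional[Dict[str, str]]:
    """Map an sshd line onto the common schema; None if it is not a login event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "host": m["host"], "user": m["user"], "src": m["src"], "action": "login",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure", "source": "sshd"}

def normalize_json(line: str) -> Optional[Dict[str, str]]:
    """Map a portal record onto the same schema; malformed input is dropped, not fatal."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("event") != "login":
        return None
    return {"ts": rec["time"], "host": rec["app"], "user": rec["user"], "src": rec["ip"],
            "action": "login", "outcome": rec["result"], "source": "portal"}

def collect(syslog_lines: List[str], json_lines: List[str]) -> List[Dict[str, str]]:
    """Aggregate both feeds, drop duplicate events and order by timestamp."""
    seen, events = set(), []
    for ev in [normalize_syslog(l) for l in syslog_lines] + [normalize_json(l) for l in json_lines]:
        if ev is None:
            continue
        key = json.dumps(ev, sort_keys=True)   # canonical form, so identical events collapse
        if key not in seen:
            seen.add(key)
            events.append(ev)
    events.sort(key=lambda e: e["ts"])         # ISO-8601 strings sort chronologically
    return events

def archive(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Hash-chained archive: each entry commits to its predecessor, so a later edit or deletion breaks every following link."""
    chain, prev = [], GENESIS
    for ev in events:
        body = json.dumps(ev, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chain.append({"prev": prev, "event": body, "hash": digest})
        prev = digest
    return chain

def verify(chain: List[Dict[str, str]]) -> bool:
    """Recompute every link; False at the first one that does not check out."""
    prev = GENESIS
    for entry in chain:
        expected = hashlib.sha256((prev + entry["event"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True

def correlate(events: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Cross-source rule: one source IP failing logins on any system `threshold` or more times raises one alert."""
    failures = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failure":
            failures[ev["src"]].append(f'{ev["source"]}/{ev["user"]}')
    return [f"{src}: {len(v)} failed logins across {sorted(set(v))}"
            for src, v in failures.items() if len(v) >= threshold]
```

Run `correlate(collect(SYSLOG_LINES, JSON_LINES))` to see the single alert; two sshd failures plus one portal failure from the same address cross the threshold only when the feeds are correlated together.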
14.4.8 Encryption
Encryption is the process of obfuscating/encoding data using cryptographic algorithms, the product of which is encrypted data (usually referred to as ciphertext). Only the intended recipient or system that is in possession of the correct key can decode (decrypt) the ciphertext. In the case of one-way cryptographic functions, a digest or hash is created instead. Encryption systems typically consist of one or more algorithms that are computationally difficult (or infeasible) to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal, key exchange, etc. Each part is effectively useless without the other, e.g. the best algorithm is easy to 'crack' if an attacker can access the keys due to weak processes. Encryption, when outsourced to a Security as a Service provider, is classified as a protective technical control.
14.4.9 Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions. The offering provides flexible and reliable failover and DR solutions for required services in the event of a service interruption, natural or man-made, and makes use of the cloud's flexibility to minimize cost and maximize benefits. For example, in the event of a disaster scenario at one location, applications in that location may be protected by machines at different locations. This Security as a Service offering is a reactive, protective and detective technical control.
14.4.10 Network Security
Network Security consists of security services that allocate access, distribute, monitor, and
protect the underlying resource services.
Architecturally, network security provides services that address security controls at the
network in aggregate or specifically addressed at the individual network of each underlying
resource. In a Cloud / virtual environment network security is likely to be provided by virtual
devices alongside traditional physical devices. Tight integration with the hypervisor to
ensure full visibility of all traffic on the virtual network layer is key. This Network Security
offering is a detective, protective, and reactive technical control.
Permissions
- Pattern recognition of user activities
- Secure legal mediation of security metrics for SLA expectation management
- Trusted channels for penetration testing

Recommendations
- Secure communication channels between tenant and consumer
- Automated secure and continuous notification throughout the supply chain on a need-to-know basis
- Secured logging of internal operations for service level agreement compliance
- Addition of third party audit and SLA mediation services
- Continuous monitoring of all interfaces through standardized security interfaces such as SCAP (NIST), CYBEX (ITU-T) or RID & IODEF (IETF)
Requirements

For IAM SecaaS:
- Provisioning/de-provisioning of accounts (of both cloud and on-premise applications and resources)
- Authentication (multiple forms and factors)
- Directory services
- Directory synchronization (multi-lateral as required)
- Federated SSO
- Web SSO (granular access enforcement and session management, different from Federated SSO)
- Privileged user and password management (including administrative, shared, system and application accounts)
- Privileged Session Monitoring
- Granular Access Management
- Tamper-proof storage of audit records (including an option for non-repudiation)
- Policy management

For DLP SecaaS:
- Data labeling and classification
- Identification of Sensitive Data
- Predefined policies for major regulatory statutes
- Context Detection Heuristics
- Structured Data Matching (data-at-rest)
- SQL regular expression detection
- Traffic Spanning (data-in-motion) detection
- Real Time User Awareness
- Security Level Assignment
- Custom Attribute Lookup
- Automated Incident Response
- Signing of data
- Cryptographic data protection and access control
- Machine readable policy language

For Web Services SecaaS:
- Web Filtering
- Malware, Spyware & Bot Network analyzer and blocking
- Phishing site blocker
- Instant Messaging Scanning
- Email Security
- Bandwidth management / traffic control
- Data Loss Prevention
- Fraud Prevention
- Web Access Control
- Backup
- SSL (decryption / hand off)
- Usage policy enforcement

For Email Security SecaaS:
- Accurate filtering to block spam and phishing
- Deep protection against viruses and spyware before they enter the enterprise perimeter
- Flexible policies to define granular mail flow and encryption
- Rich, interactive and correlated real-time reporting
- Deep content scanning to enforce policies
- Option to encrypt some / all emails based on policy
- Integration with various email server solutions

For Security Assessment SecaaS:
- Governance: the process by which policies are set and decision making is executed
- Risk Management: the process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions
- Compliance: the process of adherence to policies and decisions
- Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements
- Technical Compliance Audits: automated auditing of configuration settings in devices, operating systems, databases, and applications
- Application Security Assessments: automated auditing of custom applications
- Vulnerability Assessments: automated probing of network devices, computers and applications for known vulnerabilities and configuration issues
- Penetration Testing: exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically requiring manual assistance
- Security rating

For Intrusion Detection SecaaS:
- Identification of intrusions and policy violations
- Automatic or manual remediation actions
- Coverage for Workloads, Virtualization Layer (VMM/Hypervisor) and Management Plane
- Deep Packet Inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic
- System Call Monitoring
- System/Application Log Inspection
- Integrity Monitoring of the OS (Files, Registry, Ports, Processes, Installed Software, etc.)
- Integrity Monitoring of the VMM/Hypervisor
- VM Image Repository Monitoring

For SIEM SecaaS:
- Real time log / event collection, de-duplication, normalization, aggregation and visualisation
- Forensics support
- Compliance reporting & support
- IR support
- Anomaly detection (should not be limited to email)
- Reporting
- Flexible data retention periods and policies management, compliance policy management

For Encryption SecaaS:
- Protection of data in transit
- Protection of data at rest
- Key and policy management
- Protection of cached data

For Business Continuity & Disaster Recovery SecaaS:
- Flexible infrastructure
- Secure backup
- Monitored operations
- Third party service connectivity
- Replicated infrastructure components
- Replicated data (core / critical systems)
- Data and/or application recovery
- Alternate sites of operation
- Tested and measured processes and operations to ensure operational resiliency
- Geographically distributed data centers / infrastructure
- Network survivability

For Network Security SecaaS:
- Data Threats
- Access Control Threats
- Access and Authentication controls
- Security Gateways (firewalls, WAF, SOA/API)
- Security Products (IDS/IPS, Server Tier Firewall, File Integrity Monitoring, DLP, Anti-Virus, Anti-Spam)
- Security Monitoring and IR
- DoS protection/mitigation
- Secure "base services" like DNSSEC, NTP, OAuth, SNMP, Management network segmentation and security
- Traffic / netflow monitoring
- Integration with the Hypervisor layer
Bibliography
Security and Economic Benefits of Standardization for Security as a Service. United Nations ITU-T, September 2011 Proceedings. Jens C. Laundrup, Emagined Security, USA, JensLaundrup@emagined.com; Marlin Pohlman, EMC Corporation, USA, Marlin.pohlman@emc.com.
Cloud Security Alliance, Defined Categories of Service.