Our cloud experts have summarized the recently released report from the Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. Below are the highlights from that guidance, organized by domain.
Domain 1 – Cloud Computing Architectural Framework
- What data, services and/or processes will be moved to the cloud?
- What deployment and service models will be leveraged?
- Perform an evaluation and/or risk assessment against the assets involved.
Domain 2 – Governance and Enterprise Risk Management
- Have policies and procedures been created/updated to support moving to the cloud?
- How will cloud service providers be monitored for compliance with corporate governance? What internal groups will be responsible for monitoring the supplier relationships?
- How will third-party relationships that the cloud provider maintains be evaluated and monitored for security and compliance with corporate governance?
- Metrics and standards for measuring performance and effectiveness of information security management should be established prior to moving into the cloud.
Domain 3 – Legal Issues: Contracts and Electronic Discovery
- Consider requirements for E-Discovery. Establish a clear understanding of how data can be accessed if legal discovery is required.
- Build security monitoring and compliance assessments into the cloud provider contract.
Domain 4 – Compliance and Audit Management
- Ensure that the cloud provider can support all applicable laws, regulations, contracts, and policies. Right to audit and right to transparency clauses should be included in all contracts.
- Ensure that legal, procurement, and contract teams are involved to address how the cloud service provider will meet compliance and audit requirements.
- Customers and providers must agree on how to collect, store, and share compliance evidence (e.g., audit logs, activity reports, system configurations).
- Request the cloud provider’s SSAE 16 SOC 2 or ISAE 3402 Type 2 report. These provide a recognizable starting point of reference for auditors and assessors.
Domain 5 – Information Management and Data Security
- Due to the potential regulatory, contractual, and other jurisdictional issues, it is extremely important to understand both the logical and physical locations of data.
- Encrypt all sensitive data moving to or within the cloud at the network layer, or at nodes before network transmission.
- Encrypt sensitive volumes in IaaS to limit exposure due to snapshots or unapproved administrator access.
Domain 6 – Interoperability and Portability
- Whenever possible, use virtualization to remove many hardware-level concerns, remembering that virtualization doesn’t necessarily remove all hardware concerns, especially on current systems.
- To maintain interoperability, the physical network hardware and the network and security abstraction should be in virtual domains. As far as possible, APIs should have the same functionality.
- Use open virtualization formats, such as OVF, to help ensure interoperability.
- Use open and published APIs to ensure the broadest support for interoperability between components and to facilitate migrating applications and data should changing a service provider become necessary.
- Store unstructured data in an established, portable format.
- Use SAML or WS-Security for authentication so the controls can be interoperable with other standards-based systems.
- Encrypting data before it is placed into the cloud will ensure that it cannot be accessed inappropriately within cloud environments.
- Understand your responsibilities and liabilities should a compromise occur due to unanticipated “gaps” in protection methods offered by your service provider.
Domain 7 – Traditional Security, BCP, and DR
- End consumers must inspect, account for, and fix personnel risks inherited from other members of the cloud supply chain. They must also design and implement active measures to mitigate and contain personnel risks through proper separation of duties and least-privilege access.
- Cloud customers should not depend on a singular provider of services and should have a disaster recovery plan in place that facilitates migration or failover should a supplier fail.
- The customer should conduct an onsite assessment of the cloud service provider’s facility to confirm and verify the asserted controls used to maintain the continuity of the service.
Domain 8 – Data Center Operations
- Organizations buying cloud services must clearly understand and document which parties are responsible for meeting compliance requirements, as well as their role and the role of their cloud provider when assessing compliance.
- If the data center is owned by a provider, audit against a regulatory and security standard template and publish results to the customer.
Domain 9 – Incident Response
- The SLA of each cloud-service provider must guarantee the support required for effective execution of the enterprise incident response plan at each stage of the incident handling process: detection, analysis, containment, eradication, and recovery.
- Testing should be conducted at least annually. Customers should seek to integrate their testing procedures with that of their provider (and other partners) to the greatest extent possible. Ideally, a team (comprising customer and cloud service provider members) should carry out various health check tests on an incident response plan, and accordingly, suggestions should be implemented into a new version of the incident response plan.
Domain 10 – Application Security
- Conduct a detailed assessment to understand the attack vectors and risks in the cloud environment, and integrate mitigation strategies into the requirements.
- Conduct a risk analysis of the applications for security and privacy (confidentiality, integrity and availability), and build and maintain threat models.
- Carry out regular web application penetration testing to check for OWASP Top 10 vulnerabilities.
Domain 11 – Encryption and Key Management
- Use off-the-shelf technology, where possible, to incorporate best practices from a credible source.
- To maintain best practices and pass audits, the organization should manage the custody of its keys or employ a credible cryptographic service provider.
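Domains 5, 6, and 11 above converge on one practical pattern: encrypt the data before it reaches the provider, and keep custody of the key that matters. The following is an added example, not code from the CSA report or from any cloud provider. It assumes a customer-held key-encryption key (KEK) that never leaves the customer's own key management system, and shows envelope encryption: each object gets a fresh data-encryption key (DEK), the object is encrypted under the DEK, and the DEK is wrapped under the KEK. Only the wrapped DEK and the ciphertext are stored in the cloud, so a snapshot or an unapproved administrator read on the provider side yields nothing usable without the KEK. The object name is bound as associated data so a stored blob cannot be silently swapped onto another object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeBlob is what is handed to the cloud provider. Neither field is
// useful without the KEK, which stays with the customer (assumption: the KEK
// lives in a customer-controlled HSM/KMS and is only used to wrap/unwrap DEKs).
type EnvelopeBlob struct {
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prefixed
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prefixed
}

// NewKey returns a random 32-byte AES-256 key (used here for both KEK and DEK).
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // no usable entropy source: do not continue with a weak key
	}
	return key
}

// sealWith encrypts plaintext under key with AES-GCM and returns nonce||ciphertext.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to the first argument, so the output is nonce || ciphertext+tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; the GCM tag check fails on a wrong key,
// tampered bytes, or mismatched associated data.
func openWith(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt performs client-side envelope encryption of one object before upload.
// objectID (e.g. the storage key) is bound as associated data on both layers.
func Encrypt(kek, plaintext []byte, objectID string) (*EnvelopeBlob, error) {
	dek := NewKey() // fresh per-object data key; never stored unwrapped
	aad := []byte(objectID)
	ct, err := sealWith(dek, plaintext, aad)
	if err != nil {
		return nil, fmt.Errorf("encrypt object: %w", err)
	}
	wrapped, err := sealWith(kek, dek, aad)
	if err != nil {
		return nil, fmt.Errorf("wrap DEK: %w", err)
	}
	return &EnvelopeBlob{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the customer-held KEK, then decrypts the object.
func Decrypt(kek []byte, blob *EnvelopeBlob, objectID string) ([]byte, error) {
	aad := []byte(objectID)
	dek, err := openWith(kek, blob.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, blob.Ciphertext, aad)
}

func main() {
	kek := NewKey() // in practice: fetched from the customer's KMS, not generated here
	blob, err := Encrypt(kek, []byte("constructed sample: customer record 42"), "records/42")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, blob, "records/42")
	fmt.Printf("stored %d ciphertext bytes; decrypted: %q (err=%v)\n", len(blob.Ciphertext), pt, err)
}
```

Rotating or revoking the KEK means re-wrapping the small DEKs, not re-encrypting every object, which is what makes customer-held key custody workable at scale; the provider only ever handles wrapped keys and ciphertext.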
Domain 12 – Identity, Entitlement, and Access Management
- All cloud participants must respect the integrity of the supply chain and existing, in-place Identity and Access Management (IAM) practices. Elements such as privacy, integrity, and auditability must be respected and must be preserved when moving data off-site and/or decoupling the pillars of the solution into web service architecture.
- Implementers must design the common service layers to act independently to enable the removal of application silos without sacrificing existing information security policies and procedures.
Domain 13 – Virtualization
- Customers must be aware of multi-tenancy situations involving their VMs where regulatory concerns may warrant segregation.
- Virtualized operating systems must include firewall (inbound/outbound), Host Intrusion Prevention System (HIPS), Network Intrusion Prevention System (NIPS), web application protection, antivirus, file integrity monitoring, and log monitoring, etc. Security countermeasures can be delivered via software in each guest virtual instance or by using an inline virtual machine combined with hypervisor-based APIs.
- Providers must clean any backup and failover systems when deleting and wiping the VM images.
- Providers must have a reporting mechanism in place that provides evidence of isolation and raises alerts if there is a breach of isolation.
Domain 14 – Security as a Service
- Providers should supply automated, secure, and continuous notification throughout the supply chain on a need-to-know basis.
- Providers should supply secured logging of internal operations for service level agreement compliance.
- Consumers should request a third party audit and SLA mediation services.