Security as a Service Implementation Guidance documents published!

The Security as a Service working group implementation guidance papers have now all been published and are available for free download from the Cloud Security Alliance website.

These provide a great overview of, and guidance around, the 10 categories of Security as a Service that we identified last year. The 10 documents have all been created using a standard template to ensure they are easy to use and understand.

Each document contains the following sections:

1. Introduction: a brief overview of the service, along with the intended audience and the scope of the document.

2. Requirements Addressed: an overview of the business / security requirements that the service can address.

3. Considerations and Concerns: details of areas to consider and potential risks / concerns when implementing the cloud-based service.

4. Implementation Guidance: this section is the meat of the document, providing guidance for anyone looking to implement the service, usually including diagrams of example architectures or architecture components.

5. References and Useful Links: references used in the creation of the document and useful links for further research.

The documents and their download links are shown below:

Category 1 // Identity and Access Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat1-1.0.php

Category 2 // Data Loss Prevention Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat2-1.0.php

Category 3 // Web Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat3-1.0.php

Category 4 // Email Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat4-1.0.php

Category 5 // Security Assessments Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat5-1.0.php

Category 6 // Intrusion Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat6-1.0.php

Category 7 // Security Information and Event Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat7-1.0.php

Category 8 // Encryption Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat8-1.0.php

Category 9 // Business Continuity / Disaster Recovery Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat9-1.0.php

Category 10 // Network Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat10-1.0.php

If you are planning on implementing any of the Security as a Service categories, need to evaluate them, or just want to know more, please feel free to download these documents. I hope you find them interesting and useful.

If you have any feedback on the documents, don't hesitate to provide it either via the comment section of this blog or directly via the CSA website. If you are interested in getting involved and contributing to the next steps of this research, we are always looking for more volunteers!

Get involved via the 'get involved' link:

https://cloudsecurityalliance.org/research/secaas/#_get-involved

K

Amazon cloud outage knocks out Netflix, Pinterest and Instagram, or does it?

While the report here:

http://www.cloudpro.co.uk/cloud-essentials/3993/amazon-outage-knocks-out-netflix-pinterest-and-instagram?utm_campaign=itpro_newsletter&utm_medium=email&utm_source=newsletter

is undoubtedly true and factually correct, in that recent storms caused issues with Amazon's data centre in Ohio, and previously they have had issues when their data centre in Ireland was damaged by lightning, the question should be what could be done differently, rather than 'cloud services are not robust / safe'.

I am a firm advocate for ensuring you understand your contract with your cloud provider, and that you pay great attention to things like SLAs and guaranteed uptime. This is especially true if you are using SaaS or PaaS type services that may in turn rely on another vendor's IaaS service: you need to understand the layers to ensure your provider is not offering SLAs that it cannot meet because they are more stringent than those of the providers of the services on which it relies.

However, I question why this is considered an issue particular to 'cloud' based services. These same issues could happen to any co-location / data centre hosting solution, and these, along with many more minor issues, are likely to cause disruption to anything you host locally in your server room, no matter how grand a name you give it. Sorry, that's one of my other pet hates: businesses with small server rooms that insist on calling them 'data centres' or other grandiose names and talking about them as if they are as large and resilient as actual Data Centres.

Anyway, back on topic. Obviously when a cloud service provider has an issue it is likely to affect many customers, so it will be newsworthy, but before you worry too much or begin to dismiss the idea of moving some or all of your services to the cloud, ask yourself whether it is likely to be more or less robust than hosting things yourself.

Take the necessary precautions:

- Understand the offering you are purchasing, and the SLAs and guaranteed uptime in the contract.

- Build BC and DR into your service; ensure it is replicated to multiple servers and disks locally, and to other geographically disparate data centres, and you can host a hugely robust solution in the cloud.
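To make the SLA-layering point and the replication point above concrete, here is an added example in Python that is not part of the original post. It composes availability figures for a service that depends on a chain of providers (SaaS on PaaS on IaaS) and for a service replicated across independent data centres, and checks whether an offered SLA is achievable given its dependencies. The percentages are constructed sample values, and the model assumes failures in different layers or sites are independent.

```python
# Added example (not from the original post): sanity-check layered and
# replicated SLAs. Availabilities are fractions, e.g. 0.9995 for 99.95%.
# Assumption: failures of different layers / sites are independent.

def serial_availability(layers):
    """Availability of a service that is down if ANY dependency is down,
    e.g. a SaaS offering running on a PaaS that runs on an IaaS."""
    a = 1.0
    for x in layers:
        a *= x
    return a

def parallel_availability(replicas):
    """Availability of a service that stays up while ANY replica is up,
    e.g. copies in geographically disparate data centres.
    Caveat: shared components (DNS, control plane, the replication
    mechanism itself) are not modelled and cap the real figure."""
    all_down = 1.0
    for x in replicas:
        all_down *= (1.0 - x)
    return 1.0 - all_down

def sla_is_achievable(offered, dependencies):
    """The 'understand the layers' check: a provider cannot honestly
    promise more availability than its dependency chain can deliver."""
    return offered <= serial_availability(dependencies)

def downtime_minutes_per_year(availability):
    """Translate an availability fraction into expected minutes of
    downtime per year (365.25 days), which is easier to reason about."""
    return (1.0 - availability) * 365.25 * 24 * 60

if __name__ == "__main__":
    # Constructed scenario: a SaaS vendor offers 99.95% but runs on an
    # IaaS provider that itself only guarantees 99.95%.
    saas_offer, iaas_sla = 0.9995, 0.9995
    chain = serial_availability([saas_offer, iaas_sla])
    print("SaaS-on-IaaS chain availability: %.6f" % chain)
    print("Offered SLA achievable:", sla_is_achievable(saas_offer, [saas_offer, iaas_sla]))
    print("Expected downtime/year (min): %.1f" % downtime_minutes_per_year(chain))
    # Same service replicated to a second, independent data centre.
    two_sites = parallel_availability([chain, chain])
    print("Two-site replicated availability: %.8f" % two_sites)
```

The first scenario shows why a provider's SLA that matches its underlying IaaS SLA is already optimistic once the two layers are multiplied together; the second shows how replication across independent sites recovers and then exceeds it.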

K