Security as a Service Implementation Guidance documents published!

The Security as a Service working group implementation guidance papers have now all been published and are available for free download from the Cloud Security Alliance website.

These provide a great overview of, and guidance around the 10 categories of security as a service that we identified last year.  The 10 documents have all been created using a standard template to ensure they are easy to use and understand.

Each document contains the following sections;

1. Introduction; Brief overview of the service, along with intended audience and the scope of the document.

2. Requirements Addressed; An overview of the business / security requirements that the service can address.

3. Considerations and Concerns; Details of areas to consider and potential risks / concerns when implementing the cloud based service.

4. Implementation Guidance; This section is the meat of the document providing guidance for anyone looking to implement the service usually including diagrams of example architectures or architecture components.

5. References and Useful Links; References used in the creation of the document and useful links for further research.

The documents and their download links are shown below;

Category 1 // Identity and Access Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat1-1.0.php

Category 2 // Data Loss Prevention Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat2-1.0.php

Category 3 // Web Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat3-1.0.php

Category 4 // Email Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat4-1.0.php

Category 5 // Security Assessments Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat5-1.0.php

Category 6 // Intrusion Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat6-1.0.php

Category 7 // Security Information and Event Management Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat7-1.0.php

Category 8 // Encryption Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat8-1.0.php

Category 9 // Business Continuity / Disaster Recovery Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat9-1.0.php

Category 10 // Network Security Implementation Guidance;

https://cloudsecurityalliance.org/wp-content/themes/csa/download-box-secaas-ig-cat10-1.0.php

If you are planning on implementing and of the Security as a Service categories, need to evaluate them, or just want to know more, please feel free to download these documents.  I hope you find them interesting and useful.

If you have any feedback for the documents don’t hesitate to provide it either via the comment section of this blog, or directly via the CSA website.  If you are interested in getting involved and contributing to the next steps of this research we are always looking for more volunteers!

Get involved via the ‘get involved’ link;

https://cloudsecurityalliance.org/research/secaas/#_get-involved

K

An Awarding Week!

I had planned a wrap up post around my thoughts from the RSA conference for this week, but it has been a very busy and surprisingly rewarding week..  A combination of some University coursework due Monday and some great news have meant little time for writing (well non university writing anyway).  There will still be a wrap up for the RSA, likely early next week, but I wanted to share some exciting news relating to the Security as a Service working group I help lead for the Cloud Security Alliance (CSA).

I found out this week that the CSA are giving me an award for the volunteer work I have done for them over the last year or so.  They are also assisting with getting me to their congress in Orlando from the 6th to 9th November, so I’ll be packing my bags and jetting off to the US for a few days!

The award is called the Ron Knode Service Award in honour of one of the early members of the CSA who passed away earlier this year.  For me this is a great piece of recognition as it is the first year these awards have been given out, and of the ~40000 members of the CSA, only 6 people have been recognised with this award!

Rather than continue on about it myself I thought I would include the emails I was sent confirming the reward as they probably cover if better than I could;

The first was from  Luciano (J.R.) Santos the CSA’s Global Research Director –

Dear Kevin,

It is my great pleasure to inform you that you have been selected to receive the 1st Annual Ron Knode Service Award recognizing excellence in volunteerism. On behalf of the Cloud Security Alliance, I would like to congratulate you on receiving this award for the EMEA Region.  Ron Knode was a information security expert and member of the Cloud Security Alliance family, who passed away on May 31, 2012. Ron was an innovative thinker and the author of the CSA Cloud Trust Protocol. Ron was a cherished member of CSA, with endless energy and humor to guide his volunteer contributions.  In Ron’s memory, the Cloud Security Alliance in 2012 instituted the annual Ron Knode Service Award, recognizing excellence in volunteerism for 6 honorees from the Americas, Asia-Pacific and EMEA regions.

At this time, the ceremonies are being planned, but exact dates and locations have not been confirmed.   Daniele will be in touch with you when additional details become available.  In the meantime, if you have any questions please don’t hesitate to contact me or Daniele.  Warmest thanks for all of your hard work and outstanding contributions as a member of the Cloud Security Alliance.  We recognize how much time and energy you put into our organization, and we deeply appreciate all of your efforts.  

 We are thrilled to present you with this award.  Our PR Manager Kari Walker will be reaching out to you as we put together a press release officially announcing the winners.  In addition, we’ll need you to send a current photo and bio to our webmaster Evan Scoboria.  Evan will be creating a section on the CSA main site honoring the winners of this award.  We value your volunteer contributions and believe that the devotion of volunteers like you will continue to lead CSA into the future.  Congratulations on a job well done!

 Best Regards,

 Luciano (J.R.) Santos

CSA Global | Research Director

———

The second email was from Jim Reavis, the CSA Executive Director

Thank you all for your efforts.  To narrow this list down to 6 globally
was a major chore and you should be proud. Volunteerism for the common
good is among the highest callings in our industry, and the CSA family
appreciates your outstanding contributions.  Please let us know if there
is anything that CSA can do for you.  As we continue to grow, we look
forward to working together and being able to do even more for you.

Best Regards,

Jim Reavis
Executive Director, Cloud Security Alliance

———

As you may have guessed, I am extremely pleased to be receiving this award, it really has helped make the work worthwhile, on top of the satisfaction of seeing it all published of course!

for those of you going to the CSA congress I look forward to seeing / meeting you in a couple of weeks, for everyone else, watch this space for the RSA conference wrap up and further writings on security and architecture.

K

RSA Conference Europe 2012 Keynotes; day two part one

Keynote 1 – Big Data; Threat or Opportunity>

Philippe Courtot, Chairman Qualys Inc.

Big data is everywhere, not just Facebook, Google and CERN.  Organisations from the police with cameras constantly taking photos of license plates to log data from corporate systems and web sites.  Many companies are now having to deal with or plan to deal with big data in order to understand their systems, their customers, and their users.

What is driving this for ‘ordinary’ organisations?

–          Increasingly complex and virtualised IT infrastructures

–          Workload mobility

–          Bring your own device / computer

–          Cloud computing

All require increasing amounts of data to be collected and aggregated in order for an organisation to understand and ensure compliance of their environments.

Cloud computing is both aiding this by making the storage and compute power available to any business that has to deal with big data, and driving this through its scale, virtual and always on nature.

How do we ensure the security and understanding of these complex environments?  We must build security onto to overall cloud and application architecture.  Realise that the cloud has multiple ‘flavours’ from IaaS to SaaS and these are not all the same from a design and architecture perspective.  Stop talking and thinking about the cloud as just ‘the cloud’.

From an infrastructure perspective, cloud data centres are fractal, you need to understand what your assets are, but also realise many are the same for example storage and compute.  You can monitor all your compute nodes with the same method.  Monitoring needs to be in real time and to have analysis and intelligence built in.

If you are running web applications you need to understand how many you have, where they are and how they are being used.  Need to look at hardening and understanding this perimeter and correlate logs across these environments.  How do we manage code issues and potential exploits and varying methods of authentication?  Your developers working on new code and functionality, your support staff may not have enough code experience.  Do we need a new breed of operations support with reasonably in depth coding abilities?

Was Philippe referring to DevOps here?  This is newish, but not a new idea, many organisations are already using or setting up DevOps teams with the skill sets that were talked about.

Mobile devices are also driving both big data and management challenges to organisations.  We need to ensure they are all monitored and managed; Single Sign on, Privacy, Corporate policies.  How do we do this to 100s / 1000s / 1000000s of thin devices that cannot have thick very thick applications installed on them?  Cloud based services for bath device management and aggregation of the collected data can provide these solutions and scale as required.

How do we ensure security remains ‘front and centre’  as we move to the cloud and scale up?  Many existing enterprise point solutions do not scale enough or integrate well enough with the cloud.  This is being solved by providing managed security services from the cloud; Security as a Service (SecaaS).  Obviously blowing my own trumpet here, but this neatly links to my research with the Cloud Security Alliance on SecaaS!

For me the key message of this talk is that real-time ‘Big Data’ is a key element of tomorrow’s security.  We need to understand the implications of this and plan our security strategy to take advantage of this and the insight it will bring.

——-

Keynote 2 – The struggle for control of the internet

Misha Glenny – Author and Journalist

Control of the internet focusses on the debate between security and privacy vs. demand for freedom.  The US identifies four areas that need to be managed and prevented; Crime, Hactivision, Warfare, and Terrorism.

How do we balance the need for people to have freedom with the needs for safety and protection online?  Is the internet morally neutral?

Crime (cybercrime) quickly took advantage of the internet, from card detail sales sites such as Carderplanet and DarkMarket.  Carderplanet was set up >11 years ago.  Both these sites have since been taken down, but they paved the way for much more sophisticated criminal organisations.

Criminals now spend a lot of time watching organisations like SOCA and the FBI in order to understand them and anticipate their next moves.  So while those trying to catch the criminals are watching them, they in turn are being watched!  Hackers have accessed private police files to monitor current investigations and delete intelligence records etc.

There have actually been worldwide ‘carder’ and other criminal activity conferences.  For example Carderplanet organised the first worldwide carder conference in 2002.  The invite to this conference also alluded to the fact that Carderplanet had a deal with the FSB (Russian secret service) would not interfere with their ‘work’ as long as they did not attack financial institutions, and if they would perform attacks on behalf of the Russian government / secret service as required.

The lines between government spies and criminals are becoming increasingly blurred.

Currently the UK secret service (Mi6 / Mi5) is dealing with ~500 targeted attacks every day.  This is up from ~4 per year 10 years ago!  The international spend in the west on cyber security is currently around $100 Billion per year.  This is set to double over the next few years.

The west wants to work with China and Russia to improve the situation; however they want to be allowed to manage the web within their borders in any way they like if they are to cooperate.  This obviously has issues with preventing freedom of speech.

Will the Web brak down into massive intranets?  Iran has already stated its intent to disconnect itself from the Web and set up just such an internal intranet.  China and Russia want to control and largely segregate their internal users from the rest of the Web.

We need original thinking to resolve these issues!

K

News and upcoming events

There are quite a few interesting, and for me exciting, things coming up over the next couple of months so I wanted to provide a brief update around these and some upcoming posts I’ll be making;

1.  I’ll be speaking at the CSA summit at RSA Europe!  This is a cloud security event on the afternoon of Monday 8th October, just prior to the main conference.  I’ll be giving a presentation about SecaaS (Security as a Service) and the SecaaS working / research group covering research we have done, the previous and recent publications and where we plan to go next.  The talk may be recorded, if it is I will post a link to it here, and I’ll also be uploading my slides.  The list of speakers and more information about the event can be found here;

https://cloudsecurityalliance.org/events/csa-summit-at-rsa-europe-2012/#_speakers

2.  I’m attending the Service Technology Symposium in London on the 24th-25th September; this is an annual event covering various aspects of Cloud, SOA (Service Orientated Architecture) and Service Technologies.  Examples of the conference tracks include;

–  Cloud architecture and patterns,

– Enterprise Cloud architecture

– Service Engineering

– Governance frameworks

– REST and web services

I’ll likely be following various portions of the tracks relating to cloud architecture, patterns and governance.  Expect various posts relating what is discussed.

3.  I am attending the RSA conference Europe in London from the 9th through the 11th October.  This years conference heading is ‘The Great Cipher; Mightier than the Sword’.  The premise of this is that sharing knowledge and learning at event such as this is the key to staying ahead of the bad guys.  Looks to be loads of great talks from people like Bruce Schneier et al; again look out for various posts on what I learn and what is discussed during this conference.

4.  Security as a Service Implementation Guidance v1.0 is about to be published.  10 documents covering each of the 10 categories of service we identified last year are going to be published any day now.  This has been a pretty large undertaking bringing a disparate group of predominantly volunteer contributors together across the 10 different subject areas to produce a (relatively) coherent whole!  Although this is just v1.0 and will likely receive various updates it is a great step forward for anyone wanting to implement or just better understand Security as a Service.  I’ll provide an update post when these a officially out the door and available for public downloading.

And of course my Masters and the next steps of the SecaaS research group will also be continuing.

Lots coming up; keep checking back!

K

2012 Update

I had meant to update on how my plans for the year were going around June / July so this is a little late, but I have been pretty busy getting the upcoming Cloud Security Alliance (CSA) – Security as a Service (SecaaS) guidance documents.  These are due for publication at the start of September – watch this space..  It has also taken longer than expected to finalise my Masters project choice, but I think I’ve got there with that one, finally!

In January I listed some goals for the year here;

Some 2012 projects / plans

So where am I with the years goals?

1. Choose a project and complete my Masters.  Project finally chosen and extended project proposal handed in.  My proposed project title is;

‘Increasing authentication factors to improve distributed systems security and privacy’

The plan is to cover the current state of distributed systems authentication and to assess how this could be improved by adding further ‘factors’ to the required authentication.  In this instance factors refer to things like ‘something you know’ such as passwords, ‘something you have’ such as a number generating token, and something you are such as your finger print.  I have completed a project plan outlining how I’ll use the time between now and the hand in date in January 2013, and I’ll keep you posted with progress.

2. Lead / co-chair the CSA SecaaS working group.  While it has been challenging to find the time and keep everyone involved working in the same direction, we are almost ready to release the next piece of work from this research group.  The next publication will be in the form of 10 implementation guidance documents covering the 10 SecaaS categories we defined last year.  These will be released on the CSA web site around the end of August, I’ll post a link once they are available.  This has certainly been a learning experience regarding managing the output of a very very diverse set of international volunteers!

3. Become more familiar with the Xen hypervisor.  I have had limited success with this one, increasing my familiarity with virtualisation and cloud generally, and reading up on Xen.  However I have not had a chance to set up a test environment running the open source Xen hypervisor to get properly acquainted with it.  I’ll be looking to rectify this during October, at which time I’ll provide a run down of my thoughts of this hypervisor’s features and how easy it is to install and configure.

4. Brush up my scripting and secure coding.  Scripting opportunities have been limited this year, and I have not had the tine to create side projects outside of the office due to CSA and Masters related work.  Secure coding, I have reviewed both some code and some development practices against OWASP recommendations and the Microsoft secure development lifecycle (SDLC), so have made some progress in this area and will follow with an update in a future post.

Overall, not as much progress in some areas as I had hoped, but I am reasonably happy with the CSA SecaaS and Master progress, while also holding my own in full time employment.

As mentioned, keep an eye out for the upcoming publication of the SecaaS implementation guidance!

K

Some 2012 projects / plans

Following on from my brief overview of progress during 2011 I thought I would share some of the projects I’ll be undertaking during 2012.  This will give anuone reading this blog an idea of some of the likely content that will appear during this year on top of general thoughts and some book reviews.

1. Complete my masters, which assuming I have passed my most recent module means choosing and completing my project.  Based on the university schedule the bulk of this will be completed between April and September.  Now to decide on a topic!

2. Lead (co-chair) the Cloud Security Alliance – Security as a Service working group through the delivery of the planned implementation guides covering each of the categories detailed in the white paper we published in 2011.

3. Become a lot more familiar with the Xen hypervisor, in addition to the VMWare products in order to better assess virtualisation options for both desktops and servers.  This is for a combination of reasons around expanding my knowledge and better understanding the options around Xen (open source and Citrix variants) and VMWare and the various virtual desktop solutions.  Also with people like Amazon and Rackspace using Xen it must be worth a closer look..

4. Having recently done some study around secure coding I’ve been prompted that I should probably brush up my scripting skills, so I plan to put a little time into Perl this year.

…  Likely a few other things will be added around architecture, potentially some further study / research, databases and security, but these have yet to be finalised and I need to be realistic about what I’ll achieve this year.  I’d rather do less well than try to do too much and not be satisfied with the results!

Expect to see blog posts on the above topics throughout this year, feel free to email or comment if there are any specific areas you would like detailed blog posts on.

K

Cloud Security Alliance; Security Guidance v3 released

The Cloud Security Alliance (CSA) has released the long awaited version 3 of the ‘Security Guidance for Critical Areas of Focus in Cloud Computing’.  This is the first update to the guidance since version 2.1 was released in 2009 and is a major overhaul bringing the guidance up to date in the new and fast moving world that is ‘cloud’ computing.

In addition to updating all of the existing domains of the guidance, there has been the addition of Domain 14 – Security as a Service (SecaaS), this is the domain I have contributed extensively to and has it’s basis in the white paper I co-chaired the publication or a few months ago.

As an overview version 3 comprises of the following domains in the context of cloud security;

Section I. Cloud Architecture

–          Domain 1: Cloud Computing Architectural Framework

Section II. Governing in the Cloud

–          Domain 2: Governance and Enterprise Risk Management

–          Domain 3: Legal Issues: Contracts and Electronic Discovery

–          Domain 4: Compliance and Audit Management

–          Domain 5: Information Management and Data Security

–          Domain 6: Interoperability and Portability

Section III. Operating in the Cloud

–          Domain 7: Traditional Security, Business Continuity, and Disaster Recovery

–          Domain 8: Data Centre Operations

–          Domain 9: Incident Response

–          Domain 10: Application Security

–          Domain 11: Encryption and Key Management

–          Domain 12: Identity, Entitlement, and Access Management

–          Domain 13: Virtualization

–          Domain 14: Security as a Service

The guidance can be freely downloaded from the CSA website here;

https://cloudsecurityalliance.org/research/initiatives/security-guidance/

It is relatively long, but covers a lot of what you need to know about cloud security and things you need to consider if you are planning to move your data to a ‘cloud’ type service.

K