
Defined Categories of Service 2011
CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011

Introduction
The permanent and official location for the Cloud Security Alliance Security as a Service
research is:

https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/

© 2011 Cloud Security Alliance.

All rights reserved. You may download, store, display on your computer, view, print, and link
to the Cloud Security Alliance Security as a Service at
https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf subject to the
following: (a) the Guidance may be used solely for your personal, informational, non-commercial
use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may
quote portions of the Guidance as permitted by the Fair Use provisions of the United States
Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Security
as a Service Version 1.0 (2011).

Copyright 2011 Cloud Security Alliance 2



Table of Contents
Introduction.................................................................................................................................................2
Foreword......................................................................................................................................................4
Acknowledgments......................................................................................................................................5
Executive Summary ...................................................................................................................................7
Category 1: Identity and Access Management .................................................................................8
Category 2: Data Loss Prevention..........................................................................................................10
Category 3: Web Security........................................................................................................................12
Category 4: Email Security......................................................................................................................14
Category 5: Security Assessments.........................................................................................................16
Category 6: Intrusion Management.......................................................................................................18
Category 7: Security Information and Event Management (SIEM)..................................................20
Category 8: Encryption...........................................................................................................................22
Category 9: Business Continuity and Disaster Recovery...................................................................24
Category 10: Network Security..............................................................................................................26


Foreword
Welcome to the Cloud Security Alliance's Security as a Service, Version 1.0. This is one of
many research deliverables CSA will release in 2011.

There is currently a lot of work regarding the security of the cloud and data in the cloud, but
until now there has been limited research into the provision of security services in an elastic
cloud model that scales as the client requirements change. This paper is the initial output from
research into how security can be provided as a service (SecaaS).

Also, we encourage you to download and review our flagship research, Security Guidance for
Critical Areas of Focus in Cloud Computing, which you can download at:
http://www.cloudsecurityalliance.org/guidance

Best Regards,

Jerry Archer Alan Boehme Dave Cullinane

Nils Puhlmann Paul Kurtz Jim Reavis

The Cloud Security Alliance Board of Directors


Acknowledgments

Co-chairs

Kevin Fielder: GE, Cameron Smith: Zscaler

Working Group Leaders

Runa Desai Delal: Agama Consulting, Ulrich Lang: ObjectSecurity, Atul Shah: Microsoft, Aaron Bryson:
Cisco, Mark Hahn: TCB Technologies, Wolfgang Kandek: Qualys, John Hearton: Secure Mission
Solutions, Justin Foster: Trend Micro, Ben Chung: HP, Jens Laundrup: Emagined Security, Geoff Webb:
Credant Technologies, Kevin Fielder: GE, Cameron Smith: Zscaler, Ken Owens: Savvis

Steering Committee

Scott Chasin: McAfee, Kevin Fielder: GE Global, Patrick Harding: Ping Identity, John Hearton: Secure
Mission Solutions, Bernd Jager: Colt, Joe Knape: AT&T, Marlin Pohlman: EMC, Jim Reavis: Cloud
Security Alliance, Archie Reed: HP, J.R. Santos: Cloud Security Alliance, Cameron Smith: Zscaler,
Michael Sutton: Zscaler, Brian Todd: ING

SecaaS Members

Lenin Aboagye: Apollo Group Inc., Ravikanth Anisingaraju: Nexus Informatics, Dave Asprey: Trend
Micro, Karim Benzidane, Aaron Bryson: Cisco, Ben Chung: HP, Joel Cort: Xerox, Ricardo Costa: ESTG,
Runa Desai Dalal: Agama Consulting, Jeff Finch: Interoute, Justin Foster: Trend Micro, Matthew
Gardiner: CA Technologies, Suptrotik Ghose: Microsoft, Mark Hahn: TCB Technologies, Jeff Huegel:
AT&T, Wolfgang Kandek: Qualys, Tuhin Kumar, Vijay Kumar Teki: HCL Technologies, Taiye Lambo:
eFortresses, Jens Laundrup: Emagined Security, David Lingenfelter: Fiberlink, Drew Maness:
Technicolor, Ken Owens: Savvis, Naynesh Patel: Simeio Solutions, Mike Qu, Kanchanna Ramasamy
Balraj, Atul Shah: Microsoft, Said Tabet: EMC, Hassan Takabi: University of Pittsburgh, Danielito
Vizcayno: E*Trade, Geoff Webb: Credant Technologies, Arnold Webster: EC-Council University, Nick
Yoo: McKesson Corp.

Contributors

Jim Beadel: AT&T, Cheng-Yin Lee: CSA, Jie Wang: Converging Stream Technologies, Inc, Kapil
Assudani: HCSC, Valmiki Mukherjee: (ISC)2, JP Morgenthal: Smartronix Cloud Security Alliance DC
Chapter, Vladimir Jirasek: Nokia, Amol Godbole: Cisco Systems, Tuhin Kumar: Oracle Corp., Martin
Lee: Symantec.cloud, Andrey Dulkin: Cyber-Ark Software, John Hearton: Secure Mission Solutions,
Nandakumar: Novell, Bernd Jaeger: Colt Technology Services, Tyson Macaulay: Bell Canada, Lenin
Aboagye: Apollo Group, David Treece: Edgile, Benzidane Karim: NTIQual, Atul Shah: Microsoft, Mark
Hahn: TCB Technologies, Inc., Bradley Anstis: M86 Security, JD Hascup: Weyerhaeuser, Balaji
Ramamoorthy: TCG, Hassan Takabi: University of Pittsburgh, Henry St. Andre: inContact, Faud Khan:
TwelveDot, Inc., MS Prasad: Rediffmail, Gaurav Godhwani: Student, Ang Puay Young: Singapore
Ministry of Health Holdings, Ted Skinner: Harris Corporation


CSA Staff

Jim Reavis: Executive Director, J.R. Santos: Research Director, John Yeoh: Research Analyst, Amy Van
Antwerp: Technical Writer/Editor, Kendall Scoboria: Graphic Designer, Evan Scoboria: Web Developer


Executive Summary
Cloud Computing represents one of the most significant shifts in information technology many
of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility
has great potential, promising innovations we cannot yet imagine.

Customers are both excited and nervous at the prospect of Cloud Computing. They are excited by
the opportunity to reduce capital costs, by the chance to divest infrastructure management and
focus on core competencies and, most of all, by the agility offered by on-demand provisioning
of computing resources and the ability to align information technology more readily with
business strategies and needs. However, customers are also very concerned about the security
risks of Cloud Computing and the loss of direct control over the security of systems for which
they remain accountable. Vendors have attempted to satisfy this demand for security by offering
security services on a cloud platform, but because these services take many forms, they have
caused market confusion and complicated the selection process. This has led to limited
adoption of cloud-based security services thus far. However, the future looks bright for
SecaaS, with Gartner predicting that cloud-based security service use will more than triple in
many segments by 2013.

To aid both cloud customers and cloud providers, CSA has embarked on a new research project
to provide greater clarity on the area of Security as a Service. Security as a Service refers to
the provision of security applications and services via the cloud, either to cloud-based
infrastructure and software or from the cloud to the customer's on-premise systems. This will
enable enterprises to make use of security services in new ways, or in ways that would not be
cost effective if provisioned locally.

Numerous security vendors are now leveraging cloud-based models to deliver security
solutions. This shift has occurred for a variety of reasons, including greater economies of scale
and streamlined delivery mechanisms. Consumers are increasingly faced with evaluating
security solutions that do not run on-premises. Consumers need to understand the unique
nature of cloud-delivered security offerings so that they can evaluate them and determine
whether they will meet their needs.

Based on survey results collected from prominent consumers of cloud services, the following
security service categories are of most interest to experienced industry consumers and security
professionals:

- Identity and Access Management (IAM)
- Data Loss Prevention (DLP)
- Web Security
- Email Security
- Security Assessments
- Intrusion Management
- Security Information and Event Management (SIEM)
- Encryption
- Business Continuity and Disaster Recovery
- Network Security


Category #1: Identity and Access Management (IAM)


Description: Identity and Access Management (IAM) should provide controls for assured
identities and access management.

IAM includes the people, processes, and systems used to manage access to enterprise resources
by ensuring that the identity of an entity is verified and that it is granted the correct level of
access based on this assured identity. Audit logs of activity, such as successful and failed
authentication and access attempts, should be kept by the application / solution.

Class: Protective/Preventative

CORE FUNCTIONALITIES
- Provisioning/de-provisioning of accounts (of both cloud & on-premise applications and resources)
- Authentication (multiple forms and factors)
- Directory services
- Directory synchronization (multilateral as required)
- Federated SSO
- Web SSO (e.g. granular access enforcement & session management - different from Federated SSO)
- Authorization (both user and application/system)
- Authorization token management and provisioning
- User profile & entitlement management (both user and application/system)
- Support for policy & regulatory compliance monitoring and/or reporting
- Federated provisioning of cloud applications
- Self-service request processing, e.g. password reset, setting up challenge questions, requests for a role/resource
- Privileged user management / privileged user password management
- Policy management (incl. authorization management, role management, compliance policy management)
- Role Based Access Control (RBAC) (where supported by the underlying system/service)

OPTIONAL FEATURES
- Support for DLP
- Granular activity auditing broken down by individual
- Segregation of duties based on identity
- Compliance-centric reporting

CHALLENGES
- Lack of standards and vendor lock-in
- Identity theft
- Unauthorized access
- Privilege escalation
- Insider threat
- Non-repudiation
- Least privilege / need-to-know
- Segregation of administrative (provider) vs. end user (client) interface and access
- Delegation of authorizations/entitlements
- Attacks on identity services such as DDoS
- Eavesdropping on identity service messaging (non-repudiation)
- Password management (communication, retrieval)
- Different requirements across clients
- Resource hogging with unauthorized provisioning
- Complete removal of identity information at the end of the life cycle
- Real-time provisioning and de-provisioning
- Lack of interoperable representation of entitlement information
- Dynamic trust propagation and development of trusted relationships among service providers
- Transparency: security measures must be visible to customers to gain their trust
- Developing user-centric access control, where user requests to service providers are bundled with their identity and entitlement information
- Interoperability with existing IT systems and existing solutions with minimum changes
- Dynamic scale-up and scale-down; scaling to hundreds of millions of transactions for millions of identities and thousands of connections in a reasonable time
- Privacy preservation across multiple tenants
- Multi-jurisdictional regulatory requirements

SERVICES
Includes: User Centric ID Provider, Federated IDs, Web-SSO, Identity Provider, Authorization Management Policy Provider, Electronic Signature, Device Signature, User Managed Access
Related Services: DLP, SIEM
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federation Services (ADFS 2), WS-Federation
Service Model: SaaS, PaaS
CSA Domains (v2.1): 4, 12

THREATS ADDRESSED
- Identity theft
- Unauthorized access
- Privilege escalation
- Insider threat
- Non-repudiation
- Excess privileges / excessive entitlement access
- Delegation of authorizations / entitlements
- Fraud

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)
Cloud: CA Arcot Webfort; CyberArk Software Privileged Identity Manager; Novell Cloud Security Services; ObjectSecurity OpenPMF (authorization policy automation, for private cloud only); Symplified
Non-Cloud: Novell Identity Manager; Oracle Identity Manager; Oracle Access Manager Suite

REFERENCES / ADDITIONAL RESOURCES
https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
CSA Silicon Valley cloud authorization policy automation presentation:
http://www.objectsecurity.com/en-resources-video-20110208-webinar-79898734.htm
(alternate download: http://www.objectsecurity.com/en-contact-resources.html)


Category #2: Data Loss Prevention


Description: Data Loss Prevention is the monitoring, protection, and verification of the security
of data at rest, in motion and in use, both in the cloud and on-premises.

DLP services usually protect data by running as some form of client on desktops / servers and
enforcing rules about what may be done with it. Where they differ from broad rules such as "No
FTP" or "No uploads to web sites" is the degree to which the service understands the data
itself. A few examples of policies you can specify are "No documents containing numbers that
look like credit cards can be emailed", "Anything saved to USB storage is automatically
encrypted and can only be decrypted on another office-owned machine with a correctly installed
DLP client", and "Only clients with functioning DLP software can open files from the
fileserver".

Within the cloud, DLP services could be offered as part of the build, such that every server
built for that client gets the DLP software installed with an agreed set of rules deployed.
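To make the first of those policies concrete, here is an added example (not code from the CSA document or from any DLP vendor) of the content inspection a DLP client or mail gateway performs to enforce "no card-like numbers may be emailed": it finds 13-19-digit candidates, drops the ones that fail the Luhn check (which is what keeps ordinary order and tracking numbers from triggering it), masks the hits so the DLP log does not itself become a leak, and returns a block/allow decision. The sample messages, the test PANs and the `inspect_outbound_email` policy function are constructed for the example; attachments are assumed to have already been extracted to text.

```python
"""DLP content inspection for the policy "no card-like numbers may be emailed".

Added example, not code from the CSA document or any DLP vendor. Sample
messages, test PANs and the policy function are constructed for this example;
attachments are assumed to have already been extracted to text.
"""
import re

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash.
# The look-arounds stop matches inside longer digit runs (hashes, long IDs).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; this is the main false-positive filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digits-only card-like numbers in text that pass Luhn, in order found."""
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the last four digits only, so the DLP log is not itself a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect_outbound_email(subject: str, body: str, attachments: dict) -> dict:
    """Apply the policy to one message. attachments: filename -> extracted text."""
    findings = []
    parts = [("subject", subject), ("body", body)] + list(attachments.items())
    for location, text in parts:
        for pan in find_card_numbers(text):
            findings.append({"location": location, "pan": mask(pan)})
    return {"action": "block" if findings else "allow", "findings": findings}


if __name__ == "__main__":
    # Constructed messages; the PANs are the usual industry test numbers.
    samples = [
        ("Q3 figures", "Totals attached, order 1234567890123456 shipped.", {}),
        ("invoice", "Customer card 4111 1111 1111 1111, exp 12/27.", {}),
        ("receipts", "See attachment.", {"scan.txt": "AMEX 378282246310005"}),
    ]
    for subject, body, attachments in samples:
        print(subject, "->", inspect_outbound_email(subject, body, attachments))
```

The first sample passes because a 16-digit order number fails Luhn; the second and third are blocked, with the finding recorded against the part of the message (body or attachment) that carried the number. A production rule would add issuer prefix (BIN) ranges and a document-level threshold on top of this.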

Class: Preventative

CORE FUNCTIONALITIES
- Data labeling and classification
- Identification of sensitive data
- Predefined policies for major regulatory statutes
- Context detection heuristics
- Structured data matching (data-at-rest)
- SQL regular expression detection
- Traffic spanning (data-in-motion) detection
- Real-time user awareness
- Security level assignment
- Custom attribute lookup
- Automated incident response
- Signing of data
- Cryptographic data protection and access control
- Machine-readable policy language

OPTIONAL FEATURES
- Rate domains
- Smart response (integrated remediation workflow)
- Automated event escalation
- Automated false-positive signature compensation
- Unstructured data matching
- File / directory integrity via hashing
- Integration with intrusion detection systems
- Multiple language packs
- Chain-of-evidence services to support investigations and prosecutions

CHALLENGES
- Data may be stolen from the datacenter virtually or even physically
- Data could be misused by the datacenter operator or other employees with access
- Compliance requires certifying the cloud stack at all levels, repeatedly
- Data sovereignty issues reduce customer rights with regard to governments
- Encrypted data (content the service cannot decrypt cannot be inspected)
- Performance when analyzing and monitoring large / heavily accessed data sets
- False negatives / false positives (tuning)
- Rule base may be complex to manage
- Outside of known items such as credit card numbers and social security numbers, data can only be classified with detailed input from the end user
- Lack of data classification standards
- Ensuring customer data segregation when multiple tenants are present

SERVICES
Includes: Encryption, Meta-data tagging, Data identification, Multi-lingual fingerprinting, Data leakage detection, Policy management and classification, Transparent data encryption, Policy-controlled data access, storage and transportation, Dynamic data masking
Related Services: IAM
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), ESG
Service Model: SaaS, PaaS

THREATS ADDRESSED
- Data loss/leakage
- Unauthorized access
- Malicious compromise of data
- Data privacy / integrity
- Data sovereignty issues
- Regulatory sanctions and fines

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)
Cloud: BlueCoat; IBM; Imperva; Oracle; Reconnex; RSA; Symantec/Vontu; Websense; Zscaler
Non-Cloud: Digital Guardian; Palisade Systems PacketSure; Symantec Protection Suite Enterprise Edition

REFERENCES
http://www.technewsworld.com/story/66562.html
http://www.datalossbarometer.com/14945.htm
http://community.websense.com/blogs/websense-media-coverage/archive/2010/07/20/channel-insider-websense-plans-to-tap-microsoft-channel-cloud-dlp-innovatin-in-the-present-and-future.aspx
http://www.asiacloudforum.com/content/vmmare-embeds-rsa-dlp-virtual-environments
http://searchsecuritychannel.techtarget.com/news/1374080/Partner-Engage-2009-VARs-dish-on-DLP-implementation-and-the-cloud
http://infinite-identities.blogspot.com/2009/12/next-cloud-security-frontier-dlp-for.html


Category #3: Web Security


Description: Web Security is real-time protection offered either on-premise through
software/appliance installation or via the cloud by proxying or redirecting web traffic to the
cloud provider.

This provides an added layer of protection on top of controls such as anti-virus, preventing
malware from entering the enterprise via activities such as web browsing. Policy rules on the
types of web access allowed, and the times at which they are acceptable, can also be enforced
via these technologies.

Class: Protective, detective, reactive

CORE FUNCTIONALITIES
- Web filtering
- Malware, spyware & bot network analysis and blocking
- Phishing site blocking
- Instant messaging scanning
- Email security
- Bandwidth management / traffic control
- Data loss prevention
- Fraud prevention
- Web access control
- Backup
- SSL (decryption / hand-off)
- Usage policy enforcement

OPTIONAL FEATURES
- Rate domains
- Categorize websites by URL/IP address
- Rate sites by user requests
- Transparent updating of user mistakes
- Categorize and rate websites as needed
- Categorize websites for policy enforcement
- Recognize multiple languages
- Categorize top-level domains
- Block downloads with spoofed file extensions
- Strip potential spyware downloads from high-risk sites

CHALLENGES
- Constantly evolving threats
- Insider circumvention of web security
- Compromise of the web filtering service by proxy
- Potentially higher cost of real-time monitoring
- Lack of features vs. premise-based solutions
- Lack of policy granularity and reporting
- Relinquishing control
- Encrypted traffic

SERVICES
Includes: Email server, Anti-virus, Anti-spam, Web filtering, Web monitoring, Vulnerability management, Anti-phishing
Related Services: Firewalls, Proxy, DLP, Email Security
Related Technologies and Standards: HTTP/HTTPS, RuleML, XML, PHP, anti-virus
Service Model: SaaS, PaaS
CSA Domains (v2.1): 5, 10

THREATS ADDRESSED
- Keyloggers
- Domain content
- Malware
- Spyware
- Bot networks
- Phishing
- Viruses
- Bandwidth consumption
- Data loss
- Spam

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)
Cloud: BlueCoat; RSA; TrendMicro; Websense; zScaler
Non-Cloud: Barracuda; BlueCoat; Cisco; McAfee; Symantec; Watchguard

REFERENCES / ADDITIONAL RESOURCES
http://www.technewsworld.com/story/66562.html
BT case study: http://www.globalservices.bt.com/static/assets/pdf/case_studies/EN_NEW/edinburgh_cc_web_security_case_study.pdf
W3C Web Security FAQ: http://www.w3.org/Security/Faq/
OWASP: https://www.owasp.org/index.php/Main_Page
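The optional feature "block downloads with spoofed file extensions" rests on one check that is easy to show in code: compare the extension the user will see with what the leading bytes of the body actually are. The following is an added example, not code from the CSA document or from any vendor listed above; the signature table, the extension-to-type policy and the sample downloads are constructed for the example, and real filters carry far larger signature sets and also look inside archives.

```python
"""Spoofed-extension check for downloaded files.

Added example for the "block downloads with spoofed file extensions" feature;
not code from the CSA document or any vendor. The signature table, the
extension policy and the sample downloads are constructed for the example.
"""
from typing import Optional

# (detected type, magic prefix); checked in order, first match wins.
_SIGNATURES = [
    ("pe", b"MZ"),                   # Windows executable / DLL / screensaver
    ("elf", b"\x7fELF"),             # Linux executable
    ("pdf", b"%PDF-"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("gif", b"GIF8"),
    ("zip", b"PK\x03\x04"),          # also docx/xlsx/pptx/jar containers
]

# Detected types that are legitimate behind each declared extension.
_EXPECTED = {
    "exe": {"pe"}, "dll": {"pe"}, "scr": {"pe"},
    "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "jar": {"zip"},
    # Text formats carry no magic; any recognised binary signature is wrong here.
    "txt": set(), "csv": set(), "html": set(), "htm": set(),
}
_EXECUTABLE = {"pe", "elf"}


def sniff_type(data: bytes) -> Optional[str]:
    """Type implied by the leading bytes, or None if no signature matches."""
    for name, magic in _SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def declared_extension(filename: str) -> str:
    """Lower-cased final extension ('' if none): what the OS will honour."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def check_download(filename: str, data: bytes) -> dict:
    """Verdict for one download.

    block  - the bytes prove the content is not what the extension claims
    review - unrecognised content where the extension promised a signature,
             or recognised content behind an extension the policy does not know
    allow  - signature matches, or nothing about extension and content is odd
    """
    ext = declared_extension(filename)
    actual = sniff_type(data[:16])
    expected = _EXPECTED.get(ext)

    if actual in _EXECUTABLE and actual not in (expected or set()):
        verdict = "block"          # executable bytes behind a non-executable name
    elif expected is None:
        verdict = "allow" if actual is None else "review"
    elif actual is None:
        verdict = "allow" if not expected else "review"   # e.g. damaged/truncated pdf
    else:
        verdict = "allow" if actual in expected else "block"
    return {"file": filename, "extension": ext, "detected": actual, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample downloads: (name, first bytes as a web filter sees them).
    samples = [
        ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE disguised as a PDF
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("notes.txt", b"\x7fELF\x02\x01\x01\x00"),       # ELF disguised as text
        ("scan.pdf", b"not really a pdf"),
        ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),    # honest executable; policy decides
    ]
    for name, head in samples:
        print(check_download(name, head))
```

Only the final extension is consulted, because that is what the operating system acts on, so "invoice.pdf.exe" is judged as an executable; whether honest executables are allowed at all is a separate usage-policy decision, and the "encrypted traffic" challenge listed above applies here too, since the body is only visible once SSL is decrypted or handed off.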


Category #4: Email Security


Description: Email Security should provide control over inbound and outbound email,
protecting the organization from phishing, malicious attachments and spam, enforcing corporate
policies such as acceptable use, and providing business continuity options.

In addition, the solution should allow for policy-based encryption of emails, as well as
integration with various email server solutions.

Digital signatures enabling identification and non-repudiation are also features of many email
security solutions.

Class: Protective, detective, reactive

CORE FUNCTIONALITIES
- Accurate filtering to block spam and phishing
- Deep protection against viruses and spyware before they enter the enterprise perimeter
- Flexible policies to define granular mail flow and encryption
- Rich, interactive and correlated real-time reporting
- Deep content scanning to enforce policies
- Option to encrypt some / all emails based on policy
- Integration with various email server solutions

OPTIONAL FEATURES
- Secure archiving
- Web-mail interface
- Full integration with the in-house identity system (LDAP, Active Directory, etc.)
- Mail encryption, signing & time-stamping
- Flexible integration
- Data Loss Prevention (DLP) for SMTP and webmail
- E-discovery
- Email system backup (e.g. mail is stored on the cloud provider's infrastructure until customer systems are restored)
- IDS / IPS for the mail servers
- Digital signatures

CHALLENGES
- Portability
- Storage
- Use of unauthorized webmail for business purposes
- Management of logs and access to logs
- Ensuring no access to emails by cloud provider staff

SERVICES
Includes: Content security, Anti-virus/Anti-malware, Spam filtering, Email encryption, DLP for outbound email, Web mail, Anti-phishing
Related Services: DLP, Web Security, Business Continuity
Related Technologies and Standards: SMTP (ESMTP, SMTPS), IMAP, POP, MIME, S/MIME, PGP
Service Model: SaaS
CSA Domains (v2.1): 3, 5

THREATS ADDRESSED
- Phishing
- Intrusion
- Malware
- Spam
- Address spoofing

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)
Cloud: Barracuda Networks; Gmail for Domains (Google Apps); McAfee; MessageLabs / Symantec Cloud; Microsoft Cloud Services; Postini (Google); TrendMicro; Zscaler Email Security
Non-Cloud: Postini; Symantec; Websense

REFERENCES / ADDITIONAL RESOURCES
http://www.eweek.com/c/a/Messaging-and-Collaboration/SAAS-Email-From-Google-Microsoft-Proves-Cost-Effective-For-Up-to-15K-Seats/
http://www.symanteccloud.com/datasheet/Technical_doc_Ext_Web_Global.pdf


Category #5: Security Assessment


Description: Security assessments are third-party audits of cloud services, or assessments of
on-premises systems via cloud-provided solutions, based on industry standards.

Traditional security assessments of infrastructure and applications, and compliance audits, are
well defined and supported by multiple standards such as NIST, ISO, and CIS. A relatively
mature toolset exists, and a number of tools have been implemented using the SaaS delivery
model. In the SaaS delivery model, subscribers get the typical benefits of this cloud computing
variant: elasticity, negligible setup time, low administration overhead, and pay-per-use with
low initial investment.

While not the focus of this effort, additional challenges arise when these tools are used to audit
cloud environments. Multiple organizations, including the CSA, have been working on
guidelines to help organizations understand these additional challenges:

- Virtualization awareness of the tool, frequently necessary for IaaS platform auditing
- Support for common web frameworks in PaaS applications
- Compliance controls for IaaS, PaaS, and SaaS platforms
- Standardized questionnaires for XaaS environments that help address:
  o What should be tested in a cloud environment?
  o How does one assure data isolation in a multi-tenant environment?
  o What should appear in a typical infrastructure vulnerability report? Is it acceptable to
    use results provided by the cloud provider?

Class: Detective

CORE FUNCTIONALITIES
- Governance: the process by which policies are set and decision making is executed
- Risk management: the process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions
- Compliance: the process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or from external laws, regulations, standards and agreements.
- Technical compliance audits: automated auditing of configuration settings in devices, operating systems, databases, and applications
- Application security assessments: automated auditing of custom applications
- Vulnerability assessments: automated probing of network devices, computers and applications for known vulnerabilities and configuration issues
- Penetration testing: exploitation of vulnerabilities and configuration issues to gain access to an environment, network or computer, typically requiring manual assistance
- Security / risk rating: assessment of the overall security / vulnerability of the systems being tested, e.g. based on the OWASP Risk Rating Methodology

OPTIONAL FEATURES
- SIEM integration
- Physical security assessments

CHALLENGES
- Standards are at different maturity levels in the various sections
- Certification & accreditation
- Boundary definition for any assessment
- Skills of the testers / assessors
- Accuracy
- Inconsistent ratings from different individuals / vendors
- Typically limited to known vulnerabilities

SERVICES
Includes: Internal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment
Related Services: Intrusion Management
Related Technologies and Standards: SCAP (FDCC), CVSS, CVE, CWE, CYBEX
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 2, 4

THREATS ADDRESSED
- Inaccurate inventory
- Lack of continuous monitoring
- Lack of correlation information
- Lack of complete auditing
- Failure to meet / prove adherence to regulatory / standards compliance
- Insecure / vulnerable configurations
- Insecure architectures
- Insecure processes / processes not being followed

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)
Cloud: Agiliance; Core Security; Modulo; Qualys; Veracode; WhiteHat
Non-Cloud: Agiliance; Archer; Cenzic; Core Security; eEye; HP; Immunity; Modulo; nCircle; Rapid7; Saint; Symantec; Tenable

REFERENCES / ADDITIONAL RESOURCES
CSA Guidance: https://cloudsecurityalliance.org/research/projects/
CSA GRC Stack: https://cloudsecurityalliance.org/grcstack.html
Gartner - GRC definition: http://blogs.gartner.com/french_caldwell/2010/01/12/we-come-to-kill-grc-not-to-praise-it/
NIST SP 800-146 (draft): http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
OWASP Testing Guide v3: http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
ENISA Cloud Computing Information Assurance Framework: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
BSI cornerstones for cloud computing (in German): https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindestanforderungen/Eckpunktepapier-Sicherheitsempfehlungen-CloudComputing-Anbieter.pdf
CAMM: common-assurance.com
Model-driven security accreditation: http://objectsecurity-mds.blogspot.com/2009/06/model-driven-security-accreditation.html
OCEG: http://www.oceg.org/
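As an added example of the "technical compliance audits" function listed above (not code from the CSA document or from any listed product), the script below audits an sshd_config against a small benchmark. It honours two sshd semantics that a naive key/value scan misses: the first occurrence of a directive wins, and directives after a Match line are conditional rather than global, so they must not satisfy a global check. The rule set, the defaults it assumes for absent directives and the sample configuration are constructed for the example; for a real audit take defaults from the audited version (sshd -T prints the effective configuration) and the rules from a published benchmark such as CIS or SCAP content.

```python
"""Technical compliance audit of an sshd_config against a small benchmark.

Added example, not code from the CSA document or any listed product. The
benchmark rules, the defaults assumed for absent directives and the sample
configuration are constructed for the example.
"""
import re


def parse_sshd_config(text: str) -> dict:
    """Effective global directives, keyed by lower-cased name.

    Two sshd semantics a naive key/value scan gets wrong: the FIRST value of a
    directive wins, and everything after a Match line is conditional, so it is
    not part of the global configuration being audited.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in effective:
            effective[key] = parts[1].strip() if len(parts) > 1 else ""
    return effective


# Each rule: directive, assumed default when absent (an assumption for the
# example; take real defaults from `sshd -T` on the audited version), a
# human-readable expectation, and the check applied to the effective value.
RULES = [
    {"id": "SSH-01", "directive": "protocol", "default": "2",
     "expect": "2", "check": lambda v: v == "2"},
    {"id": "SSH-02", "directive": "permitrootlogin", "default": "yes",
     "expect": "no", "check": lambda v: v.lower() == "no"},
    {"id": "SSH-03", "directive": "passwordauthentication", "default": "yes",
     "expect": "no", "check": lambda v: v.lower() == "no"},
    {"id": "SSH-04", "directive": "maxauthtries", "default": "6",
     "expect": "<= 4", "check": lambda v: v.isdigit() and int(v) <= 4},
    {"id": "SSH-05", "directive": "permitemptypasswords", "default": "no",
     "expect": "no", "check": lambda v: v.lower() == "no"},
    {"id": "SSH-06", "directive": "ciphers", "default": "",
     "expect": "explicit list without arcfour/3des/cbc",
     "check": lambda v: bool(v) and not re.search(r"arcfour|3des|cbc", v, re.I)},
]


def audit(config_text: str, rules=RULES) -> list:
    """Evaluate every rule; report the value used and where it came from."""
    effective = parse_sshd_config(config_text)
    findings = []
    for rule in rules:
        value, source = effective.get(rule["directive"]), "configured"
        if value is None:
            value, source = rule["default"], "default (directive absent)"
        findings.append({
            "id": rule["id"], "directive": rule["directive"], "value": value,
            "source": source, "expected": rule["expect"],
            "status": "pass" if rule["check"](value) else "fail",
        })
    return findings


def summarize(findings: list) -> dict:
    failed = [f["id"] for f in findings if f["status"] == "fail"]
    return {"checks": len(findings), "failed": failed, "compliant": not failed}


# Constructed sample: a duplicated directive, a Match block and one weak cipher.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PermitRootLogin no          # ignored by sshd: the first value wins
MaxAuthTries 3
Ciphers aes256-ctr,aes128-ctr,aes256-cbc
Match User backup
    PasswordAuthentication no   # conditional: does not make the global setting "no"
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['id']} {f['status']:4} {f['directive']}={f['value']!r} "
              f"({f['source']}); expected {f['expected']}")
    print(summarize(audit(SAMPLE_CONFIG)))
```

Reporting the source of each value ("configured" versus "default (directive absent)") matters for the "accuracy" and "inconsistent ratings" challenges above: a finding that rests on an assumed default is only as good as the default table for that software version.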


Category #6: Intrusion Management


Description: Intrusion Management is the process of using pattern recognition to detect, and
react to, statistically unusual events. This may include reconfiguring system components in real
time to stop or prevent an intrusion.

The methods of intrusion detection, prevention, and response in physical environments are
mature; however, the growth of virtualization and massive multi-tenancy is creating new
targets for intrusion and raises many questions about implementing the same protection in
cloud environments.

Examples of how cloud-based Intrusion Management could be offered include:

- Provided by the cloud service provider
- Provided by a third party (routing traffic through a SecaaS)
- Hybrid: SaaS with third-party management and host-based or virtual appliances running in the
  cloud consumer's context

Class: Detective, protective, reactive

CORE FUNCTIONALITIES

Identification of intrusions and policy violations
Automatic or manual remediation actions
Coverage for:
  Workloads
  Virtualization Layer (VMM/Hypervisor)
  Management Plane
  Cloud and other APIs
Updates to address new vulnerabilities, exploits and policies
Network Security (NBA, NIPS/NIDS or HIPS/HIDS using network)
  Deep Packet Inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic
System/Behavioral, one or more of:
  System Call Monitoring
  System/Application Log Inspection
  Integrity Monitoring of the OS (Files, Registry, Ports, Processes, Installed Software, etc.)
  Integrity Monitoring of the VMM/Hypervisor
  VM Image Repository Monitoring

SERVICES

General Includes: Packet Inspection, Detection, Prevention, IR
Related Services: Web Security, Secure Cloud & Virtualization Security
Related Technologies and Standards: DPI, Event correlation and pattern recognition
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 13

OPTIONAL FEATURES

Central Reporting
SIEM Integration
Administrator Notification
Customization of policy (automatic or manual)
Mapping to cloud-layer tenancy
Cloud sourcing information to reduce false positives and improve coverage
Remote storage or transmission of integrity information, to prevent local evasion

THREATS ADDRESSED

Intrusion
Malware

CHALLENGES

General Challenges:
  Proliferation of SSL required by deployment in public clouds adds complexity or blocks visibility to network-based IDS/IPS
  Complexity and immaturity of Intrusion Management for APIs
  Lack of tools to manage instance-to-instance relationships
  Wire speed with full malware / attack coverage performance not meeting expectations

Specific to Cloud Consumers:
  Current lack of virtual SPAN ports in public cloud providers for typical deployment of NIDS or NBA
  Current lack of network-edge TAP interfaces for public cloud and virtual private cloud for typical deployment of NIPS
  Inability to utilize hypervisor (vSwitch/vNIC) introspection
  Latency, resiliency and bandwidth concerns with proxying network traffic through virtual appliances or 3rd party services
  Privacy concerns of service-based security
  Short lived instances (HIDS/HIPS logs can be lost)
  Performance limitations with network traffic in a shared environment
  Ownership / managing access to monitoring equipment and data

Specific to Cloud Service Providers:
  Policy management in a multi-tenant environment
  Policy management for application-layer multi-tenancy (SaaS, some PaaS services such as Microsoft SQL Azure)
  Complexity of deployment and configuration

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud:
  Alert Logic Threat Manager
  Arbor Peakflow X
  Check Point - Security Gateway Virtual Edition
  Cloudleverage Cloud IPS/firewall
  Cymtec Scout
  eEye Digital Security Blink
  IBM Proventia
  McAfee - Host Intrusion Prevention
  Sourcefire - 3D System
  StoneGate - Virtual IPS
  Symantec Critical System Protection
  Symantec Endpoint Protection
  Trend Micro Deep Security
  Trend Micro Threat Detection Appliance
  TrustNet iTrust SaaS Intrusion Detection
  XO Enterprise Cloud Security

Non-Cloud:
  AIDE
  CA-eTrust Intrusion Detection
  Check Point IPS
  Corero - Top Layer IPS
  Cetacea Networks - OrcaFlow
  Cisco Guard / IPS Detector
  DeepNines - BBX
  e-Cop - Cyclops
  Enterasys - IPS
  HP S IPS
  Intrusion SecureNet / Host
  iPolicy
  Juniper Networks IDP
  Lancope - StealthWatch
  McAfee - Network Intrusion Prevention
  OSSEC
  Q1 Labs - QRadar
  Radware - DefensePro
  Samhain
  SoftSphere Technologies HIPS
  StillSecure - Strata Guard
  StoneGate - IPS
  Suricata
  Symantec Network Security

REFERENCES / ADDITIONAL RESOURCES

Cloud Security Alliance Guidance: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf
NIST Guide to Intrusion Detection and Prevention Systems (IDPS): http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
Intrusion Detection: http://en.wikipedia.org/wiki/Intrusion_detection_system
Intrusion Prevention: http://en.wikipedia.org/wiki/Intrusion_prevention_system
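The host-side Integrity Monitoring listed under Core Functionalities, combined with the "remote storage or transmission of integrity information" optional feature, as an added example that is not code from the CSA document or from any product listed; the sample file contents and the collector-held key are constructed.

```python
"""Added example (not from the CSA document): host integrity monitoring with
the baseline sealed by a key that stays with the remote SecaaS collector, so
an intruder with local root cannot silently rewrite the baseline to hide
changes (the "prevent local evasion" point in Optional Features)."""
import hashlib
import hmac
import json

# Constructed stand-in for a host filesystem: path -> file content bytes.
SAMPLE_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/sudo": b"\x7fELF placeholder for the sudo binary",
}
# Constructed key; in a real deployment it is held only by the collector.
REMOTE_KEY = b"constructed-remote-baseline-key"


def take_baseline(fs):
    """Hash every file: {path: sha256 hex digest}."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in fs.items()}


def seal_baseline(baseline, key):
    """Canonical JSON plus an HMAC tag; both are shipped to the collector."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_seal(blob, tag, key):
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def check_integrity(fs, blob, tag, key):
    """Return (baseline_ok, findings). A baseline whose tag does not verify
    is refused outright; otherwise report modified, added and deleted paths."""
    if not verify_seal(blob, tag, key):
        return False, ["baseline rejected: HMAC mismatch"]
    baseline, current = json.loads(blob), take_baseline(fs)
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(f"deleted: {path}")
        elif path not in baseline:
            findings.append(f"added: {path}")
        elif baseline[path] != current[path]:
            findings.append(f"modified: {path}")
    return True, findings


if __name__ == "__main__":
    blob, tag = seal_baseline(take_baseline(SAMPLE_FS), REMOTE_KEY)
    later = dict(SAMPLE_FS)  # constructed later snapshot of the same host
    later["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"
    later["/etc/cron.d/unexpected"] = b"* * * * * root /tmp/x\n"
    print(check_integrity(later, blob, tag, REMOTE_KEY))
```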


Category #7: Security Information & Event Management (SIEM)


Description: Security Information and Event Management (SIEM) systems accept (via push or
pull mechanisms) log and event information. This information is then correlated and analyzed
to provide real-time reporting and alerting on incidents / events that may require intervention.
The logs are likely to be kept in a manner that prevents tampering to enable their use as
evidence in any investigations.

Class: Detective

CORE FUNCTIONALITIES

Real time log / event collection, de-duplication, normalization, aggregation and visualization
Log normalization
Real-time event correlation
Forensics support
Compliance reporting & support
IR support
Email anomaly detection
Reporting
Flexible data retention periods and policies (management, compliance policy management)

SERVICES

Includes: Log management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Logs immutable (for legal investigations)
Related Services: Architectural considerations, Compliance reporting, Software inventory, Non-traditional correlation, Non-traditional monitoring, Database monitoring, Request fulfillment
Related Technologies and Standards: FIPS 140-2 compliant, Common Event Format (CEF), Common Event Expression (CEE), IF-MAP (TCG)
Service Model: SaaS, PaaS
CSA Domains (v2.1): 2, 3, 4, 5, 7, 9, 12

OPTIONAL FEATURES

Heuristic controls
Specialized systems
Physical log monitoring
Access control system monitoring
Physical security integration (cameras, alarms, phone, etc.)
Integration with call / ticketing system

THREATS ADDRESSED

Abuse and Nefarious Use
Insecure Interfaces and APIs
Malicious Insiders
Shared Technology Issues
Data Loss and Leakage
Account or Service Hijacking
Unknown Risk Profile
Fraud

CHALLENGES

Standardization of log formats
Timing lag caused by translations from native log formats
Unwillingness of providers to share logs
Scaling for high volumes
Identification and visualization of key information
Usable, segregated by client interface

REFERENCES

http://www.darkreading.com/security-monitoring/167901086/security/security-management/228000206/cloud-creates-siem-blind-spot.html
http://securecloudreview.com/2010/08/service-provider-of-tomorrow-part-9-as-the-cloud-thrives-siem-will-suffer/
http://en.wikipedia.org/wiki/Security_information_and_event_management
http://en.wikipedia.org/wiki/Security_event_manager

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

AccelOps
AlienVault (OSSIM)
ArcSight ESM
eIQnetworks
LogLogic
netForensics nFX One
Novell Cloud Security Services / E-Sentinel
OSSIM
Prelude-SIEM
Q1 Labs
Quest Software
RSA/EMC enVision
SenSage
SolarWinds Log and Event Manager
Splunk
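The collection, normalization, correlation and immutable-storage functions above, worked through on constructed Common Event Format (CEF) lines as an added example that is not code from the CSA document or from any product listed; the meaning of signature IDs 100/101, the three-failure threshold and the 60-second window are assumptions.

```python
# Added example (not from the CSA document): CEF normalization, failed-login
# correlation and a hash-chained event store, as a minimal SIEM pipeline.
import hashlib
import json
import re

# Constructed CEF (Common Event Format, listed in the table) sample lines. Assumed:
# signature 100 = failed login, 101 = successful login; rt = epoch milliseconds.
SAMPLE_LOGS = [
    "CEF:0|Acme|VPN|1.0|100|Login failed|5|src=203.0.113.7 suser=alice rt=1310000000000",
    "CEF:0|Acme|VPN|1.0|100|Login failed|5|src=203.0.113.7 suser=alice rt=1310000020000",
    "CEF:0|Acme|VPN|1.0|100|Login failed|5|src=203.0.113.7 suser=bob rt=1310000040000",
    "CEF:0|Acme|VPN|1.0|101|Login ok|2|src=198.51.100.9 suser=carol rt=1310000050000",
    "CEF:0|Acme|VPN|1.0|100|Login failed|5|src=198.51.100.9 suser=carol rt=1310000400000",
]
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs; values may hold spaces

def parse_cef(line):
    """Normalize one CEF line into a flat dict: header fields plus extensions."""
    head = line.split("|", 7)
    if len(head) != 8 or not head[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    ev = dict(zip(["vendor", "product", "version", "sig_id", "name", "severity"], head[1:7]))
    ev.update(_EXT_RE.findall(head[7]))
    ev["ts"] = int(ev.pop("rt")) // 1000  # normalize event time to epoch seconds
    return ev

def correlate_failed_logins(events, threshold=3, window=60):
    """Alert when one source address produces >= threshold failed logins
    within `window` seconds; the burst is then reset so it alerts once."""
    recent, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["sig_id"] != "100":
            continue
        times = recent.setdefault(ev["src"], [])
        times.append(ev["ts"])
        while ev["ts"] - times[0] > window:  # drop events outside the sliding window
            times.pop(0)
        if len(times) >= threshold:
            alerts.append({"src": ev["src"], "count": len(times), "at": ev["ts"]})
            times.clear()
    return alerts

def append_chain(store, ev):
    """Append an event record that commits to the hash of its predecessor."""
    prev = store[-1]["hash"] if store else "0" * 64
    body = json.dumps(ev, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    store.append({"prev": prev, "event": body, "hash": digest})

def verify_chain(store):
    """True only if each record links to its predecessor and still matches its hash."""
    prev = "0" * 64
    for rec in store:
        digest = hashlib.sha256((prev + rec["event"]).encode()).hexdigest()
        if rec["prev"] != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```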


Category #8: Encryption


Description: Encryption is the process of obfuscating/encoding data (usually referred to as
plaintext) using cryptographic algorithms, the product of which is encrypted data (usually
referred to as ciphertext). Only the intended recipient or system in possession of the
correct key can decode (decrypt) this ciphertext. In the case of one-way cryptographic
functions, a digest or hash is created instead.

Encryption systems typically consist of one or more algorithms that are computationally difficult (or
infeasible) to break, along with the processes and procedures to manage encryption and
decryption, hashing, digital signatures, certificate generation and renewal, key exchange, etc.
Each part is effectively useless without the other; e.g., the best algorithm is easy to crack if an
attacker can access the keys due to weak processes.

Class: Protective

CORE FUNCTIONALITIES

Data protection (at rest and in motion)
Data validation
Message Authentication
Message/data integrity
Data Time-stamping (digital notary)
Identity validation (certificates to identify IT assets/endpoints)
Code Signing
Forgery detection
Identity validation (digital signatures)
Digital Fingerprinting
Forensic protection (hashing of log files and evidence)
Pseudorandom number generation
Data Destruction (throw away the key!)
Key/certificate generation and management

SERVICES

Includes: VPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption, Digital signatures, Integrity validation
Related Services: VM Architecture, Hardware protection, Software-based protection, Remote access validation
Related Technologies and Standards: FIPS 140-2, IPSEC, SSL, Hashing and algorithms, Symmetric and Asymmetric Cryptography
Service Model: PaaS, SaaS, IaaS
CSA Domains (v2.1): 11

OPTIONAL FEATURES

Searching encrypted data
Sorting encrypted data
Identity based encryption
Data integrity
Mechanism to ensure secure removal of customer data when term / contract terminated
Identity assurance (e.g., the parties involved are who they claim to be)

THREATS ADDRESSED

Failure to meet Regulatory Compliance requirements
Mitigating insider and external threats to data
Intercepted clear text network traffic
Clear text data on stolen / disposed of hardware
Reducing the risk of, and potentially enabling, cross-border business opportunities
Reducing perceived risks and thus enabling Cloud's Adoption by government

CHALLENGES

Risk of compromised keys
Searching and/or sorting of encrypted data
Separation of duties between data owners, administrators and cloud service providers
Legal issues
Federated trust between providers

REFERENCES / ADDITIONAL RESOURCES

http://www.eweek.com/c/a/Security/IBM-Uncovers-Encryption-Scheme-That-Could-Improve-Cloud-Security-Spam-Filtering-135413/
https://cloudsecurityalliance.org/csaguide.pdf
Implementing and Developing Cloud Computing Applications by David E.Y. Sarna
http://www.ctoedge.com/content/new-approach-enteprise-data-security-tokenization
http://arstechnica.com/tech-policy/news/2009/09/your-secrets-live-online-in-databases-of-ruin.ars
CSA discussion forums: The Illegality of Exporting Personal Data into the Cloud. Is the following Hypothesis the Answer? Does the following Hypothesis Handle the Objection? http://www.linkedin.com/e/-njv39e-gmdp90wv-1m/vaq/23764306/1864210/36300812/view_disc/
IETF RFC 5246. The Transport Layer Security (TLS) Protocol Version 1.2: http://tools.ietf.org/rfc/rfc5246.txt
NIST SP 800-57, Recommendation for Key Management, January 2011: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf ; http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf ; http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
NIST SP 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
ISO (2010). ISO/TR 14742:2010 Financial Services - Recommendations on Cryptographic Algorithms and their Use. ISO.
Ferguson, N., Schneier, B., and Kohno, T. (2010). Cryptography Engineering: Design Principles and Practical Applications. New York: John Wiley and Sons.

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud:
  Credant
  CipherCloud
  enStratus
  Novaho
  Perspecsys
  ProtectV
  SecureCloud
  SurePassID
  Vormetric

Non-Cloud:
  Crypo.com
  Sendinc


Category #9: Business Continuity and Disaster Recovery


Description: Business Continuity and Disaster Recovery are the measures designed and
implemented to ensure operational resiliency in the event of any service interruptions.

BCDR provides flexible and reliable failover for required services in the event of any service
interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-
centric BCDR makes use of the cloud's flexibility to minimize cost and maximize benefits. For
example, a tenant could make use of low specification guest machines to replicate applications
and data to the cloud, but with the provision to quickly ramp up the CPU, RAM, etc. of
these machines in a BCDR scenario.

Class: Reactive, Protective, Detective

CORE FUNCTIONALITIES

Flexible infrastructure
Secure backup
Monitored operations
Third party service connectivity
Replicated infrastructure components
Replicated data (core / critical systems)
Data and/or application recovery
Alternate sites of operation
Tested and measured processes and operations to ensure
Geographically distributed data centers / infrastructure
Network survivability

SERVICES

Includes: File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. Databases)
Related Services: Fail-back to live systems, Encryption of data in transit, Encryption of data at rest, Field level encryption, Realm-based access control
Related Technologies and Standards: ISO/IEC 24762:2008, BS25999
Service Model: IaaS, SaaS
CSA Domains (v2.1): 7

OPTIONAL FEATURES

Support for BC and DR compliance monitoring and/or reporting or testing flexible infrastructure
Authorized post disaster privileged account management
Enable DR Policy management (incl. authorization management, role management, compliance management)

THREATS ADDRESSED

Natural disaster
Fire
Power outage
Terrorism/sabotage
Data corruption
Data deletion
Pandemic/biohazard

CHALLENGES

Over-centralization of data
Lack of approved and tested policies, processes, and procedures
Legal constraints on transportation of data outside affected region
Network connectivity failures
Identification of Recovery Time Objectives / Recovery Point Objectives / SLAs
Agreed definition between vendor and client of what DR / BCP means
Security: data in multiple locations

REFERENCES / ADDITIONAL RESOURCES

NIST SP 800-34
ISO/IEC 27031
http://en.wikipedia.org/wiki/Disaster_recovery
http://www.silicon.com/management/cio-insights/2010/09/30/cloud-computing-is-it-ready-for-disaster-recovery-39746406/
http://blogs.forrester.com/rachel_dines/11-08-29-disaster_recovery_meet_the_cloud
http://www.usenix.org/event/hotcloud10/tech/full_papers/Wood.pdf

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud:
  Atmos
  Decco
  Digital Parallels
  Quantix
  Rackspace

Non-Cloud:
  IBM
  Iron Mountain
  SunGard


Category #10: Network Security


Description: Network Security consists of security services that allocate access, distribute,
monitor, and protect the underlying resource services.

Architecturally, network security provides services that address security controls at the
network in aggregate or specifically addressed at the individual network of each underlying
resource.

In a cloud / virtual environment, network security is likely to be provided by virtual devices
alongside traditional physical devices. Tight integration with the hypervisor to ensure full
visibility of all traffic on the virtual network layer is key.

Class: Detective, protective, reactive

CORE FUNCTIONALITIES

Data Threats
Access Control Threats
Access and Authentication controls
Security Gateways (firewalls, WAF, SOA/API, VPN)
Security Products (IDS/IPS, Server Tier Firewall, File Integrity Monitoring, DLP, Anti-Virus, Anti-Spam)
Security Monitoring and IR
DoS protection/mitigation
Secure base services like DNS and/or DNSSEC, DHCP, NTP, RAS, OAuth, SNMP, Management network segmentation and security
Traffic / netflow monitoring
Integration with Hypervisor layer

SERVICES

Includes: Firewall (perimeter and server tier), Web application firewall, DDOS protection/mitigation, DLP, IR management, IDS / IPS
Related Services: Identity and Access Management, Data Loss Prevention, Web Security, Intrusion Management, Security Information and Event Management, and Encryption
Related Technologies and Standards:
Service Model: IaaS, SaaS, PaaS
CSA Domains (v2.1): 7, 8, 9, 10, 13

OPTIONAL FEATURES

Log correlation / Secure and Immutable Logging
Secure data encryption at rest
Performance monitoring of the network
Real-time alerting
Change Management

THREATS ADDRESSED

Data Threats
Access Control Threats
Application Vulnerabilities
Cloud Platform Threats
Regulatory, Compliance & Law Enforcement

CHALLENGES

Micro-borders (instead of traditional clearly defined network boundaries, the borders between tenant networks can be dynamic and potentially blurred in a large scale virtual / cloud environment)
Virtual Segmentation of Physical Servers
Limited visibility of inter-VM traffic
Non-standard APIs
Management of many virtual networks / VLANs in a complex environment reliant on providers' policies and procedures
Separation of production and non-production environments
Logical and Virtual Segregation of Customer Network/Systems/Data

REFERENCES / ADDITIONAL RESOURCES

CSA
Intel Cloud Security Reference Architecture: http://software.intel.com/en-us/articles/Cloud-Security-Reference-Architecture-Guide/
http://www.intel.com/content/dam/doc/reference-architecture/cloud-computing-enhanced-cloud-security-hytrust-vmware-architecture.pdf
ENISA Cloud Computing Risk Assessment: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)

Cloud:
  CloudFlare
  HP
  IBM
  Imperva - Incapsula
  McAfee
  Rackspace
  Stonesoft
  Symantec

Non-Cloud:
  HP
  IBM
  McAfee
  Snort
  Symantec
