CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011
Introduction
The permanent and official location for the Cloud Security Alliance Security as a Service
research is:
https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/
All rights reserved. You may download, store, display on your computer, view, print, and link
to the Cloud Security Alliance Security as a Service at
https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf subject to the following: (a) the Guidance may be
used solely for your personal, informational, non-commercial use; (b) the Guidance may not be
modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the
trademark, copyright or other notices may not be removed. You may quote portions of the
Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided
that you attribute the portions to the Cloud Security Alliance Security as a Service Version 1.0
(2011).
Table of Contents
Introduction
Foreword
Acknowledgments
Executive Summary
Category 1: Identity and Access Management
Category 2: Data Loss Prevention
Category 3: Web Security
Category 4: Email Security
Category 5: Security Assessments
Category 6: Intrusion Management
Category 7: Security Information and Event Management (SIEM)
Category 8: Encryption
Category 9: Business Continuity and Disaster Recovery
Category 10: Network Security
Foreword
Welcome to the Cloud Security Alliance's Security as a Service, Version 1.0. This is one of
many research deliverables CSA will release in 2011.
There is currently a lot of work regarding the security of the cloud and data in the cloud, but
until now there has been limited research into the provision of security services in an elastic
cloud model that scales as the client requirements change. This paper is the initial output from
research into how security can be provided as a service (SecaaS).
Also, we encourage you to download and review our flagship research, Security Guidance for
Critical Areas of Focus in Cloud Computing, which you can download at:
http://www.cloudsecurityalliance.org/guidance
Best Regards,
Acknowledgments
Co-chairs
Runa Desai Delal: Agama Consulting, Ulrich Lang: ObjectSecurity, Atul Shah: Microsoft, Aaron Bryson:
Cisco, Mark Hahn: TCB Technologies, Wolfgang Kandek: Qualys, John Hearton: Secure Mission
Solutions, Justin Foster: Trend Micro, Ben Chung: HP, Jens Laundrup: Emagined Security, Geoff Webb:
Credant Technologies, Kevin Fielder: GE, Cameron Smith: Zscaler, Ken Owens: Savvis
Steering Committee
Scott Chasin: McAfee, Kevin Fielder: GE Global, Patrick Harding: Ping Identity, John Hearton: Secure
Mission Solutions, Bernd Jager: Colt, Joe Knape: AT&T, Marlin Pohlman: EMC, Jim Reavis: Cloud
Security Alliance, Archie Reed: HP, J.R. Santos: Cloud Security Alliance, Cameron Smith: Zscaler,
Michael Sutton: Zscaler, Brian Todd: ING
SecaaS Members
Lenin Aboagye: Apollo Group Inc., Ravikanth Anisingaraju: Nexus Informatics, Dave Asprey: Trend
Micro, Karim Benzidane, Aaron Bryson: Cisco, Ben Chung: HP, Joel Cort: Xerox, Ricardo Costa: ESTG,
Runa Desai Dalal: Agama Consulting, Jeff Finch: Interoute, Justin Foster: Trend Micro, Matthew
Gardiner: CA Technologies, Suptrotik Ghose: Microsoft, Mark Hahn: TCB Technologies, Jeff Huegel:
AT&T, Wolfgang Kandek: Qualys, Tuhin Kumar, Vijay Kumar Teki: HCL Technologies, Taiye Lambo:
eFortresses, Jens Laundrup: Emagined Security, David Lingenfelter: Fiberlink, Drew Maness:
Technicolor, Ken Owens: Savvis, Naynesh Patel: Simeio Solutions, Mike Qu, Kanchanna Ramasamy
Balraj, Atul Shah: Microsoft, Said Tabet: EMC, Hassan Takabi: University of Pittsburgh, Danielito
Vizcayno: E*Trade, Geoff Webb: Credant Technologies, Arnold Webster: EC-Council University, Nick
Yoo: McKesson Corp.
Contributors
Jim Beadel: AT&T, Cheng-Yin Lee: CSA, Jie Wang: Converging Stream Technologies, Inc, Kapil
Assudani: HCSC, Valmiki Mukherjee: (ISC)2, JP Morgenthal: Smartronix Cloud Security Alliance DC
Chapter, Vladimir Jirasek: Nokia, Amol Godbole: Cisco Systems, Tuhin Kumar: Oracle Corp., Martin
Lee: Symantec.cloud, Andrey Dulkin: Cyber-Ark Software, John Hearton: Secure Mission Solutions,
Nandakumar: Novell, Bernd Jaeger: Colt Technology Services, Tyson Macaulay: Bell Canada, Lenin
Aboagye: Apollo Group, David Treece: Edgile, Benzidane Karim: NTIQual, Atul Shah: Microsoft, Mark
Hahn: TCB Technologies, Inc., Bradley Anstis: M86 Security, JD Hascup: Weyerhaeuser, Balaji
Ramamoorthy: TCG, Hassan Takabi: University of Pittsburgh, Henry St. Andre: inContact, Faud Khan:
TwelveDot, Inc., MS Prasad: Rediffmail, Gaurav Godhwani: Student, Ang Puay Young, Singapore
Ministry of Health Holdings, Ted Skinner, Harris Corporation
CSA Staff
Jim Reavis: Executive Director, J.R. Santos: Research Director, John Yeoh: Research Analyst, Amy Van
Antwerp: Technical Writer/Editor, Kendall Scoboria: Graphic Designer, Evan Scoboria: Web Developer
Executive Summary
Cloud Computing represents one of the most significant shifts in information technology many
of us are likely to see in our lifetimes. Reaching the point where computing functions as a utility
has great potential, promising innovations we cannot yet imagine.
Customers are both excited and nervous at the prospects of Cloud Computing. They are excited
by the opportunities to reduce capital costs. They are excited for a chance to divest
infrastructure management and focus on core competencies. Most of all, they are excited by the
agility offered by the on-demand provisioning of computing resources and the ability to align
information technology with business strategies and needs more readily. However, customers
are also very concerned about the security risks of Cloud Computing and the loss of direct
control over the security of systems for which they are accountable. Vendors have attempted to
satisfy this demand for security by offering security services in a cloud platform, but because
these services take many forms, they have caused market confusion and complicated the
selection process. This has led to limited adoption of cloud based security services thus far.
However, the future looks bright for SecaaS, with Gartner predicting that cloud-based security
service use will more than triple in many segments by 2013.
To aid both cloud customers and cloud providers, CSA has embarked on a new research project
to provide greater clarity on the area of Security as a Service. Security as a Service refers to the
provision of security applications and services via the cloud either to cloud-based infrastructure
and software or from the cloud to the customer's on-premise systems. This will enable
enterprises to make use of security services in new ways, or in ways that would not be cost
effective if provisioned locally.
Numerous security vendors are now leveraging cloud-based models to deliver security
solutions. This shift has occurred for a variety of reasons, including greater economies of scale
and streamlined delivery mechanisms. Consumers are increasingly faced with evaluating
security solutions that do not run on-premises. Consumers need to understand the unique
nature of cloud-delivered security offerings so they can evaluate the offerings and understand if
they will meet their needs.
Based on survey results collected from prominent consumers of cloud services, the following
security service categories are of most interest to experienced industry consumers and security
professionals:
Category 1: Identity and Access Management
IAM includes people, processes, and systems that are used to manage access to enterprise
resources by assuring the identity of an entity is verified and is granted the correct level of access
based on this assured identity. Audit logs of activity such as successful and failed authentication
and access attempts should be kept by the application / solution.
Class: Protective/Preventative
Provisioning/de-provisioning of accounts (of both cloud & on-premise applications and resources)
Authentication (multiple forms and factors)
Directory services
Directory synchronization (multilateral as required)
Federated SSO
Web SSO (granular access enforcement & session management; different from Federated SSO)
Authorization (both user and application/system)
Authorization token management and provisioning
User profile & entitlement management (both user and application/system)
Support for policy & regulatory compliance monitoring and/or reporting
Federated Provisioning of Cloud Applications
Self-Service request processing, like password reset, setting up challenge questions, request for role/resource etc.
Privileged user management/privileged user password management
Policy management (incl. authorization management, role management, compliance policy management)
Role Based Access Controls (RBAC) (where supported by the underlying system/service)
OPTIONAL FEATURES
Support for DLP
Granular Activity Auditing broken down by individual
Segregation of duties based on identity
Compliance-centric reporting
CHALLENGES
Lack of standards and vendor lock-in
Identity theft
Unauthorized access
Privilege escalation
Includes: User Centric ID Provider, Federated IDs, Web-SSO, Identity Provider, Authorization Management Policy Provider, Electronic Signature, Device Signature, User Managed Access
Related Services: DLP, SIEM
Related Technologies and Standards: SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federated Services (ADFS2), WS-Federation
Service Model: SaaS, PaaS
CSA Domains (v2.1): 4, 12
THREATS ADDRESSED
Identity theft
Unauthorized access
Privilege escalation
Insider threat
Non-repudiation
Excess privileges / excessive entitlement access
Delegation of authorizations / entitlements
Fraud
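As an added illustration of three items in this category (role based access control, segregation of duties based on identity, and the audit trail of successful and failed access attempts), the following Python is example code written for this page; it is not from the CSA document or any vendor listed in it. The roles, permissions, users and the SoD conflict pair are constructed for a hypothetical payments application.

```python
"""Added example, not from the CSA document: a minimal role-based
authorization check with segregation-of-duties (SoD) enforcement and the
audit trail of allowed and denied decisions that the IAM category asks for.
Roles, permissions and users are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role -> permission map for a hypothetical payments application.
ROLE_PERMISSIONS = {
    "payments_submitter": {"payment:create"},
    "payments_approver": {"payment:approve"},
    "auditor": {"payment:read", "audit:read"},
}

# Role pairs one identity must never hold together (segregation of duties).
SOD_CONFLICTS = {frozenset({"payments_submitter", "payments_approver"})}


@dataclass
class AuditEvent:
    when: str
    user: str
    action: str
    outcome: str  # "allow" or "deny"
    reason: str


@dataclass
class Authorizer:
    assignments: dict = field(default_factory=dict)  # user -> set of roles
    audit_log: list = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> bool:
        """Grant a role unless it would create an SoD conflict; log either way."""
        current = self.assignments.setdefault(user, set())
        for held in current:
            if frozenset({held, role}) in SOD_CONFLICTS:
                self._record(user, f"assign:{role}", "deny",
                             f"SoD conflict with {held}")
                return False
        current.add(role)
        self._record(user, f"assign:{role}", "allow", "role assigned")
        return True

    def is_allowed(self, user: str, permission: str) -> bool:
        """Decide from the user's roles; every decision, allow or deny, is logged."""
        roles = self.assignments.get(user, set())
        granted = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)
        self._record(user, permission, "allow" if granted else "deny",
                     f"roles={sorted(roles)}")
        return granted

    def _record(self, user, action, outcome, reason):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, user, action, outcome, reason))


def demo() -> dict:
    """Walk through the constructed scenario and return the observable results."""
    az = Authorizer()
    az.assign_role("alice", "payments_submitter")
    sod_blocked = not az.assign_role("alice", "payments_approver")  # conflict
    az.assign_role("bob", "payments_approver")
    return {
        "alice_can_create": az.is_allowed("alice", "payment:create"),
        "alice_can_approve": az.is_allowed("alice", "payment:approve"),
        "bob_can_approve": az.is_allowed("bob", "payment:approve"),
        "sod_blocked": sod_blocked,
        "denied_events": sum(1 for e in az.audit_log if e.outcome == "deny"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of logging inside `is_allowed` rather than at the call sites is that denied attempts are recorded with the same fidelity as successes, which is what makes the log useful to the DLP and SIEM services listed as related.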
Category 2: Data Loss Prevention
DLP services offer protection of data, usually by running as some sort of client on desktops /
servers and running rules around what can be done. Where these differ from broad rules like
"No FTP" or "No uploads to web sites", etc. is the level to which the services understand data.
A few examples of policies you can specify are "No documents with numbers that look like
credit cards can be emailed", "Anything saved to USB storage is automatically encrypted and
can only be unencrypted on another office-owned machine with a correctly installed DLP
client", and "Only clients with functioning DLP software can open files from the fileserver",
etc.
Within the cloud, DLP services could be offered as something that is provided as part of the
build, such that all servers built for that client get the DLP software installed with an agreed set
of rules deployed.
Class: Preventative
Rate domains
Smart Response (integrated remediation workflow)
Automated event escalation
Automated false positive signature compensation
Unstructured Data Matching
File / directory integrity via hashing
Integration with Intrusion Detection Systems
Multiple Language Pack
Chain of evidence services to support investigations and prosecutions
THREATS ADDRESSED
Data loss/leakage
Unauthorized access
Malicious compromises of data
Data privacy integrity
Data sovereignty issues
Regulatory sanctions and fines
REFERENCES
http://www.technewsworld.com/story/66562.html
http://www.datalossbarometer.com/14945.htm
http://community.websense.com/blogs/websense-media-coverage/archive/2010/07/20/channel-insider-websense-plans-to-tap-microsoft-channel-cloud-dlp-innovatin-in-the-present-and-future.aspx
http://www.asiacloudforum.com/content/vmmare-embeds-rsa-dlp-virtual-environments
http://searchsecuritychannel.techtarget.com/news/1374080/Partner-Engage-2009-VARs-dish-on-DLP-implementation-and-the-cloud
http://infinite-identities.blogspot.com/2009/12/next-cloud-security-frontier-dlp-for.html
Category 3: Web Security
This provides an added layer of protection on top of things like AV to prevent malware from
entering the enterprise via activities such as web browsing. Policy rules around the types of
web access and the times this is acceptable can also be enforced via these technologies.
Rate domains
Categorize websites by URL/IP address
Rate sites by user requests
Transparent updating of user mistakes
Categorize and rate websites as needed
Categorize websites for policy enforcement
Recognize multiple languages
Categorize top-level domains
Block downloads with spoofed file extensions
Strip potential spyware downloads from high-risk sites
THREATS ADDRESSED
Keyloggers
Domain Content
Malware
Spyware
Bot Network
Phishing
Virus
Bandwidth consumption
Data Loss Prevention
Spam
CHALLENGES
Constantly evolving threats
Insider circumvention of web security
Compromise of the web filtering service by proxy
Potentially higher cost of real time monitoring
Lack of features vs. premise based solutions
Lack of policy granularity and reporting
Relinquishing control
Encrypted traffic
REFERENCES
http://www.technewsworld.com/story/66562.html
BT case study: http://www.globalservices.bt.com/static/assets/pdf/case_studies/EN_NEW/edinburgh_cc_web_security_case_study.pdf
W3C Web Security FAQ: http://www.w3.org/Security/Faq/
OWASP: https://www.owasp.org/index.php/Main_Page
REFERENCE EXAMPLES
Cloud
BlueCoat
RSA
TrendMicro
Websense
zScaler
Non-Cloud
Barracuda
BlueCoat
Cisco
McAfee
Symantec
Watchguard
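One feature in this category, "block downloads with spoofed file extensions", is worth seeing in code because the check has to be made on content, not on the name the server supplies. The Python below is an added example written for this page, not code from the CSA document or any of the vendors listed; its signature table, extension policy and sample payloads are constructed and deliberately small.

```python
"""Added example, not from the CSA document or any listed vendor: the
"block downloads with spoofed file extensions" control, implemented by
comparing the type implied by the extension with the type detected from
the content's leading bytes. Signature table, policy and payloads are
constructed sample data."""

# Constructed signature table: (offset, magic bytes, type label).
SIGNATURES = [
    (0, b"MZ", "exe"),                 # Windows PE / DOS executable header
    (0, b"\x7fELF", "elf"),            # ELF executable
    (0, b"%PDF-", "pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"PK\x03\x04", "zip"),         # ZIP container (also docx, xlsx, jar)
]

# Constructed policy: which detected types an extension may legitimately carry.
EXTENSION_TYPES = {
    "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpg"}, "jpeg": {"jpg"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "exe": {"exe"},
}

EXECUTABLE_TYPES = {"exe", "elf"}


def detect_type(data: bytes):
    """Return the type label whose signature matches the leading bytes, or None."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def check_download(filename: str, data: bytes) -> dict:
    """Gateway decision for one download: allow, or block with the reason."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    expected = EXTENSION_TYPES.get(ext)

    if detected is None:
        # Nothing in the table matched; the type cannot be verified from content.
        return {"action": "allow", "detected": None, "reason": "type unverified"}
    if expected is None:
        # Extension unknown to the policy: executable content is still stopped.
        if detected in EXECUTABLE_TYPES:
            return {"action": "block", "detected": detected,
                    "reason": f"executable content behind .{ext or '(none)'}"}
        return {"action": "allow", "detected": detected,
                "reason": "extension not covered by policy"}
    if detected in expected:
        return {"action": "allow", "detected": detected,
                "reason": "content matches extension"}
    return {"action": "block", "detected": detected,
            "reason": f"extension .{ext} but content is {detected}"}


# Constructed sample downloads (headers only; not real files).
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + bytes(60),      # executable disguised as PDF
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(16),
    "report.docx": b"PK\x03\x04" + bytes(16),
    "setup.scr": b"MZ" + bytes(8),                 # screensaver is a PE executable
    "notes.txt": b"hello",
}


def scan_samples() -> dict:
    """Run every constructed sample through the gateway check."""
    return {name: check_download(name, data)["action"]
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in scan_samples().items():
        print(f"{name}: {action}")
```

The "type unverified" branch is the policy decision a real deployment has to make explicitly: a small signature table cannot recognise everything, and whether unrecognised content is allowed or quarantined depends on the site's appetite for blocking legitimate files.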
Category 4: Email Security
In addition, the solution should allow for policy-based encryption of emails, as well as
integrating with various email server solutions.
Digital signatures enabling identification and non-repudiation are also features of many email
security solutions.
CHALLENGES
Portability
Storage
Use of unauthorized webmail for business purposes
Management of logs and access to logs
Ensuring no access to emails by cloud provider staff
REFERENCE EXAMPLES
Non-Cloud
Postini
Symantec
WebSense
Category 5: Security Assessments
Traditional security assessments for infrastructure and applications and compliance audits are
well defined and supported by multiple standards such as NIST, ISO, and CIS. A relatively
mature toolset exists, and a number of tools have been implemented using the SaaS delivery
model. In the SaaS delivery model, subscribers get the typical benefits of this cloud computing
variant: elasticity, negligible setup time, low administration overhead, and pay-per-use with
low initial investments.
While not the focus of this effort, additional challenges arise when these tools are used to audit
cloud environments. Multiple organizations, including the CSA, have been working on
guidelines to help organizations understand the additional challenges:
Virtualization awareness of the tool, frequently necessary for IaaS platform auditing
Support for common web frameworks in PaaS applications
Compliance Controls for IaaS, PaaS, and SaaS platforms
Standardized questionnaires for XaaS environments, which help address:
o What should be tested in a cloud environment?
o How does one assure data isolation in a multi-tenant environment?
o What should appear in a typical infrastructure vulnerability report? Is it
acceptable to use results provided by the cloud provider?
Class: Detective
Category 6: Intrusion Management
The methods of intrusion detection, prevention, and response in physical environments are
mature; however, the growth of virtualization and massive multi-tenancy is creating new
targets for intrusion and raises many questions about the implementation of the same protection
in cloud environments.
Network Security (NBA, NIPS/NIDS or HIPS/HIDS using network)
Deep Packet Inspection using one or more of the following techniques: statistical, behavioral, signature, heuristic
System/Behavioral
One or more of:
System Call Monitoring
System/Application Log Inspection
Integrity Monitoring OS (Files, Registry, Ports, Processes, Installed Software, etc)
Integrity Monitoring VMM/Hypervisor
VM Image Repository Monitoring
Service Model: SaaS, PaaS, IaaS
CSA Domains (v2.1): 13
THREATS ADDRESSED
Intrusion
Malware
REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list)
Cloud
Alert Logic Threat Manager
Arbor Peakflow X
Check Point - Security Gateway Virtual Edition
Cloudleverage Cloud IPS/firewall
Category 7: Security Information and Event Management (SIEM)
Class: Detective
CHALLENGES
Standardization of log formats
Timing lag caused by translations from native log formats
Unwillingness of providers to share logs
Scaling for high volumes
Identification and visualization of key information
Usable, segregated by client interface
THREATS ADDRESSED
Abuse and Nefarious Use
Insecure Interfaces and APIs
Malicious Insiders
Shared Technology Issues
Data Loss and Leakage
Account or Service Hijacking
Unknown Risk Profile
Fraud
REFERENCES
http://www.darkreading.com/security-monitoring/167901086/security/security-management/228000206/cloud-creates-siem-blind-spot.html
http://securecloudreview.com/2010/08/service-provider-of-tomorrow-part-9-as-the-cloud-thrives-siem-will-suffer/
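The first two SIEM challenges above, standardization of log formats and the timing lag introduced by translating native formats, are easiest to appreciate with a concrete normaliser. The Python below is an added example written for this page, not code from the CSA document or any SIEM product. It maps two constructed formats (a syslog-style authentication line and a JSON record) onto one event schema, records each event's lag against the ingestion time, and runs one simple correlation over the result. The field names, hostnames, addresses and sample lines are all constructed.

```python
"""Added example, not from the CSA document: normalise two constructed log
formats into one event schema, measure event-to-ingestion lag, and correlate
failed logins by source. All sample lines and field names are constructed."""
import json
import re
from datetime import datetime, timezone

# Syslog-style line as written by an SSH daemon (constructed sample format).
SYSLOG = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<msg>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_syslog(line: str):
    """Syslog-style auth line -> common event, or None for lines we do not model."""
    m = SYSLOG.match(line)
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["src"],
        "outcome": "failure" if m["msg"] == "Failed" else "success",
        "source_format": "syslog",
    }


def parse_json(line: str) -> dict:
    """Constructed JSON record with epoch seconds -> the same common event."""
    rec = json.loads(line)
    return {
        "time": datetime.fromtimestamp(rec["ts"], tz=timezone.utc),
        "host": rec["h"],
        "user": rec["u"],
        "src_ip": rec["ip"],
        "outcome": rec["result"],
        "source_format": "json",
    }


def normalize(line: str):
    """Pick a parser by shape; unknown lines yield None and are counted as dropped."""
    stripped = line.strip()
    return parse_json(stripped) if stripped.startswith("{") else parse_syslog(stripped)


def ingest(lines, ingested_at: datetime) -> list:
    """Normalise a batch and stamp each event with its lag at ingestion time."""
    events = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        ev["lag_seconds"] = (ingested_at - ev["time"]).total_seconds()
        events.append(ev)
    return events


def failed_logins_by_source(events, threshold: int = 3) -> dict:
    """Correlation across formats: sources with >= threshold failed logins."""
    counts = {}
    for ev in events:
        if ev["outcome"] == "failure":
            counts[ev["src_ip"]] = counts.get(ev["src_ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines (two formats, one unmodelled line).
SAMPLE_LINES = [
    "2011-09-01T10:00:00+00:00 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "2011-09-01T10:00:05+00:00 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 40123 ssh2",
    '{"ts": 1314871260, "h": "app02", "u": "root", "ip": "198.51.100.7", "result": "failure"}',
    "2011-09-01T10:02:00+00:00 web01 sshd[2299]: Accepted password for deploy from 203.0.113.5 port 50001 ssh2",
    "2011-09-01T10:02:30+00:00 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]
INGESTED_AT = datetime(2011, 9, 1, 10, 5, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    evs = ingest(SAMPLE_LINES, INGESTED_AT)
    print(len(evs), "events; max lag", max(e["lag_seconds"] for e in evs), "s")
    print(failed_logins_by_source(evs))
```

Two things the example makes visible that the challenge list only names: the correlation only works once both formats agree on `src_ip` and `outcome`, and the lag field is what tells an analyst whether a threshold alert fired five seconds or five minutes after the activity it describes.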
Category 8: Encryption
Encryption systems typically consist of one or more algorithms that are computationally difficult (or
infeasible) to break, along with the processes and procedures to manage encryption and
decryption, hashing, digital signatures, certificate generation and renewal, key exchange, etc.
Each part is effectively useless without the other; e.g. the best algorithm is easy to crack if an
attacker can access the keys due to weak processes.
Class: Protective
Category 9: Business Continuity and Disaster Recovery
BCDR provides flexible and reliable failover for required services in the event of any service
interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-
centric BCDR makes use of the cloud's flexibility to minimize cost and maximize benefits. For
example, a tenant could make use of low specification guest machines to replicate applications
and data to the cloud, but with the provision to quickly ramp up the CPU and RAM, etc. of
these machines in a BCDR scenario.
THREATS ADDRESSED
Natural disaster
Fire
Power outage
Terrorism/sabotage
Data corruption
Data deletion
Pandemic/biohazard
CHALLENGES
Over-centralization of data
Lack of approved and tested policies, processes, and procedures
Legal constraints on transportation of data outside affected region
Network connectivity failures
Identification of Recovery Time Objectives / Recovery Point Objectives / SLAs
Agreed definition between vendor and client of what DR / BCP means
Security of data in multiple locations
Category 10: Network Security
Architecturally, network security provides services that address security controls at the
network in aggregate or specifically addressed at the individual network of each underlying
resource.
OPTIONAL FEATURES
Log correlation / Secure and Immutable Logging
Secure data encryption at rest
Performance monitoring of the network
Real-time alerting
Change Management
THREATS ADDRESSED
Data Threats
Access Control Threats
Application Vulnerabilities
Cloud Platform Threats
Regulatory, Compliance & Law Enforcement
CHALLENGES
Micro-borders (instead of traditional clearly defined network boundaries, the borders between tenant networks can be dynamic and potentially blurred in a large scale virtual / cloud environment)
Virtual Segmentation of Physical Servers
Limited visibility of inter-VM traffic