Cloud Security Alliance Releases Candidate Mapping of FedRAMP Security Controls

May 5, 2015 | 1 Comment

By the CSA Research Team

Today at the Cloud Security Alliance Federal Summit being held in Washington, DC, the CSA today announced the release of the Candidate Mapping V4 of the FedRAMP security controls to version 3.0.1 of the CSA Cloud Controls Matrix (CCM).

The FedRAMP controls are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53r4 which defines 17 families of Security and Privacy Controls to be used by Federal agencies. The CSA CCM provides a control framework that is aligned to the Cloud Security Alliance guidance in 13 security domains and builds on the foundations of other industry-accepted security standards, regulations and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, Jericho Forum, NERC CIP as well as NIST.

“In closely mapping the two security controls, Federal agencies can now better assess a cloud provider’s security controls and also address what controls need to be in place to ensure the provider is compliant with FedRAMP standards,” said Jim Reavis, CEO of the CSA. “The mapping will also help reduce the burden of getting the assessments and certifications for cloud vendors wanting to serve the Federal agencies.”

The Candidate Mapping shows that 90% of the FedRAMP controls correlate to the controls defined in the CCM. The documentation of this alignment will support a variety of constituents in the Federal cloud marketplace:

  • Cloud Service Providers (CSPs) will be provided with guidance on how their security frameworks can be developed and documented to address the requirements of multiple assessment standards, reducing the level of effort associated with obtaining multiple security certifications;
  • Assessors and auditors will be able to use the alignment to leverage documentation and artifacts to enable them to assess CSP security postures across multiple standards in an efficient manner
  • Federal agencies will be able to evaluate CSPs who have been assessed and certified against the CCM under the CSA Security Trust and Assurance Registry (STAR) program in order to determine the likelihood of a CSP to qualify for FedRAMP certification
  • The FedRAMP Program will be able to leverage the various industry standards that are integrated into the CCM framework to further the alignment of FedRAMP controls with other industry standards.

CSA will continue to collaborate with the FedRAMP Program Office to determine the best ways to leverage the Candidate Mapping to support the goals and objectives of the FedRAMP program to improve the security of cloud services utilized by Federal government agencies.

To access the mapping visit https://cloudsecurityalliance.org/download/fedramp-cloud-controls-matrix-v3-0-1-candidate-mapping/

3 Things Startups Need to Know to Move to the Cloud

May 5, 2015 | Leave a Comment

By Shellye Archambeau, CEO, MetricStream

Shellye_Headshot 2014Despite concerns around data security, businesses are optimistic about the cloud. In fact, software-as-a-service adoption has more than quintupled from 13 percent in 2011 to 72 percent in 2014, according to a cloud computing survey conducted by North Bridge Venture Partners and Gigaom Research.

For startups, the cloud has always been a great equalizer, enabling nascent businesses to compete on par with their larger, more established counterparts. In a Rackspace survey on the economic impact of the cloud, a quarter of small and medium enterprises indicated that they had increased profits by at least 25 percent, and up to 75 percent, as a result of cloud computing. What’s more, 84 percent of companies were able to increase their investment back into the business by up to 50 percent, and 34 percent saved between $7,500 and $45,000 on IT spend—all because of cloud computing.

Lower upfront costs, greater flexibility, and scalability—these are just a few reasons why your startup might be excited about jumping onto the cloud bandwagon. Before you do, here are a few things to think about:

1. Public, Private, or Hybrid Cloud?
Deciding what kind of cloud model to adopt will depend on various factors, such as the mission criticality of your applications and data, regulatory compliance obligations, and the scope of your IT budget.

Most businesses that are just starting out find great value in opting for public clouds, where the core infrastructure is shared by many organizations and hosted by a third party. The perks are many—easy access to computing resources and relatively low costs due to a pay-as-you-go model.

However, the public cloud comes with its own concerns around data security and performance slowdowns. So, if you’re in a highly regulated or sensitive industry such as banking and financial services, healthcare, or online retail, it might be wise to consider a private cloud.

Or better yet, you might opt for a hybrid cloud model which combines the best of both public and private clouds. RightScale’s 2015 State of the Cloud Report indicated that 82 percent of enterprises today have a hybrid cloud strategy, up from 74 percent in 2014.

With the hybrid cloud model, you get to keep confidential customer and financial information and high performance applications on the private cloud, while using the public cloud for less mission-critical operations, like e-mails and data backup.

2. Know Which Services and Applications to Move to the Cloud
According to RightScale’s report, 68 percent of enterprises run less than 20 percent of their applications on the cloud. However, 55 percent of enterprises also reported that a significant portion of their application portfolio is built using cloud-friendly architecture, and is therefore able and ready to be moved to the cloud.

When it comes to cloud workloads, the RightScale report revealed that 38 percent of enterprises run all or most development and testing on the cloud, while 34 percent run all or most websites on the cloud, and 30 percent run all or most Web applications on the cloud.

My advice for startups is to begin your cloud journey with applications that don’t require very low latency or high performance and availability. Once you get a feel for how these apps function in the cloud, you can move your core databases in there.

Generally, most services can be easily migrated to the cloud, including e-mail, messaging, file sharing and backup, as well as accounts, expense reporting, and customer relationship management. However, if you have any critical applications or transaction-intensive systems where the risk of network outages or downtime could seriously hamper your business, you will want to consider this carefully.

So, do the research, and make informed decisions about how the cloud can help your business. Also, don’t neglect to plan a cloud exit strategy. If, for whatever reason, you no longer want to depend on a particular cloud service provider, you need to be able to get your data back as effectively and cost-efficiently as possible.

3. Balance the Rewards and Risks of the Cloud
For startups, the cloud equals low capital expenditure—you don’t have to buy servers, or hire dedicated IT personnel. You can use as much or as little capacity as you need, and you can deploy and scale quickly. One of our customers, Zurich Insurance, discovered the benefits of the cloud when they were able to implement and derive value from the MetricStream Vendor Risk Management App over the MetricStream GRC cloud in just 12 weeks.

The other bonus of the cloud is better collaboration—in today’s global, mobile, social world, the cloud makes it easier to communicate and exchange information with teams and customers across different time zones.

Startups have a lot of options when it comes to the cloud. Cloud service giants like AmazonGoogle, and Rackspace offer a number of incentives including free cloud credit, technical training, and support for new businesses who are looking to get started on the cloud.

Yet, as with everything else, there are risks associated with the cloud—primarily around data security. The good news is that most major cloud service providers have extremely sophisticated security mechanisms built into their offerings, which are much better than what most startups could afford to invest in themselves.

There are things that startups can and must do in order to protect their data and assets in the cloud. Remember, make cloud security a top business priority. Check the credentials and certifications of your cloud service provider. Also, evaluate their security measures against established frameworks such as the Cloud Controls Matrix from Cloud Security Alliance (CSA).

Then, assess your security risks, and prioritize your assets and data accordingly. Establish risk tolerance levels—particularly when using public clouds with multi-tenancy models. For each cloud application, identify potential threats, and define a detection and incident response plan. Also, ensure that there are controls in place to comply with data security laws such as PCI DSS, HIPAA, GLBA, and relevant state regulations.

Conclusion
With attractive incentives, as well as strong security measures, the cloud is becoming an increasingly hospitable environment for startups to get their business up and running. The key is to find a cloud model that suits your unique business needs. Identify which services and applications will work best for you on the cloud. Most importantly, be risk-aware—when you know and understand your risks in the cloud, you can better protect your business, while reaping all the benefits that the cloud has to offer.

(Originally published in Xconomy

Shellye Archambeau is CEO of MetricStream, a Palo Alto, CA-based company offering governance, risk, compliance, and quality management solutions to enterprises in the pharmaceutical, medical device, high tech manufacturing, energy, financial services, healthcare, manufacturing, food and beverage, and automotive industries.

CSA to Hold Inaugural Federal Summit on May 5th in Washington DC

May 4, 2015 | Leave a Comment

The CSA is excited to announce that it will be holding its inaugural Federal Summit 2015 on May 5th in Washington DC. The Cloud Security Alliance Federal Summit is a free for government event, comprised of information security professionals from civilian and defense agencies to share experiences and learn about the best practices for securing cloud computing and emerging security topics.

The one day event will feature security experts from the CSA including Jim Reavis, CEO of the CSA as well as Matt Goodrich, Program Director of FedRAMP and Dr. Michaela Iorga, Sr. Security Technical Lead for Cloud Computing, NIST. In addition to these featured speakers there will also be two panel discussions, the first one the topic of “”Managing Cloud Security: Considerations and Best Practices” and the second on “Cloud Implementation Lessons Learned”. The event will close with a keynote presentation by Keith Trippie , founder of The Trippie Group on the topic of “The Business of Cloud”.

Federal employees who are interested in attending the Federal Summit can register for the event here:

https://cloudsecurityalliance.org/events/csa-federal-summit-2015/#_agenda

CLOUD SECURITY: HOW CAN GRC HELP?

May 1, 2015 | Leave a Comment

By Vibhav Agarwal, Senior Manager of Product Marketing, MetricStream

VibhavAn integrated GRC approach to cloud acceptance, adoption and scale includes the risk perspective from the beginning. Harnessing the power of cloud security with a GRC framework can promote and improve information security practices and drive better business performance.

One of my favorite Dilbert cartoons shows Mordac, the “Preventer of Information Service,” saying, “cloud computing is no good because strangers would have access to our data.” Dilbert tries to explain encryption technology is trustworthy—certainly more trustworthy than Mordac himself. The grain of truth here is that, within any organization, there are still mixed responses to cloud computing.

Today, enterprises are adopting cloud computing in a big way. According to CIO.com, the National Association of State CIOs (NASCIO) recently surveyed its members and reported cloud adoption is the second biggest priority for CIOs, only after cybersecurity. But CIOs today are still choosy about what data they want to place in the cloud. The majority have asserted that they do NOT want to put confidential company financial data or credit card data in the cloud. Makes sense—personal information data leaks are terrible PR.

Simply stated, the perception of cloud computing at most companies is mixed. Those advocating for the cloud speak to its improved agility, flexibility, high performance and lowered costs. Those who are still on the fence are concerned about data security, decentralization of their IT team, service reliability and the loss of control over their IT ecosystem. Both sides of the debate have valid points.

10 Key Imperatives
To increase acceptance and adoption of cloud computing at your organization, there are 10 must-haves that can be sub-divided into two groups – infrastructure imperatives and information security imperatives. The first set is the infrastructure imperatives, which affect the cloud-hosting environment:

  1. Federated identity management & access control– The cloud-based system must permit several users at a time, with differing levels of access to ensure proper segregation of duties.
  2. Centralized control and visibility over the IT landscape– The IT manager should have the capability to monitor and manage the system from a centralized console.
  3. Dynamic failover protection & data replication– The system should guarantee 99.5 percent reliability as a minimum.
  4. Automated application performance management– For a uniform user experience, the system should ensure performance as per the service-level agreement (SLA).
  5. Network segmentation– The ability to segment and segregate the networks, across various customers, will ensure minimal propagation of any cybersecurity issue. Given the proliferation of cybersecurity threats and vulnerabilities, the remaining five are information security imperatives that apply to both hosted and otherwise.
  6. Continuous threat and vulnerability assessments– Data center security needs to be assessed regularly to ensure adherence to latest information and network security standards.
  7. Security upgrades and monitoring on demand– Monitor security posture and ensure that regular updates are being provided as per the latest set of cyber-threats.
  8. Meta-data driven information security– Analysis of meta-data being generated across the security and system logs will identify significant, potentially malicious, patterns.
  9. Continuous control monitoring of policies– It is vital to have continuous monitoring and adherence to security, access and other policies across the cloud.
  10. Virtualized security & perimeter controls– The security and perimeter controls need to percolate to the virtualized machine level.

How can we achieve these imperatives across cloud-based deployments?
The enterprise needs to implement a robust governance-risk management-compliance (GRC) framework across the complete cloud infrastructure, which can act as a the single source of truth across all regulatory compliances, security and access controls as well risk and vulnerability assessments.

Wish list for a GRC Framework

Basic Components
First, let’s look at the “bare minimum” requirements for a GRC framework for cloud computing:

  • Continuous system monitoring– Feed regular system related logs and reports into the GRC framework for continuous risk assessments.
  • Penetration Testing audits– Audit the third-party penetration test results, findings and remediations on a pre-determined schedule.
  • Incident response management– Create and manage a defined workflow within the organization to ensure a coordinated response from various departments such as IT, Legal, Finance, etc. and respond appropriately to any cloud security events.
  • Data portability testing– Perform a yearly or quarterly audit and document the process and audit findings to ensure that the data is portable across data centers.
  • Disaster recovery & business continuity– Ensure that proper disaster recovery and business continuity measures are in place along with regular tests and documentation.
  • Onsite & offsite backup audits– Audit backups to check for their ability to restore data.

Advanced Components
Once the must-haves have been checked off, here is a list of “nice to haves”:

  • Data encryption audits– Audit and document the storage control and key management procedures for encrypted data. This is typically applicable for sensitive data only.
  • Forensics log management and reporting– Analyze meta-data continuously generated by system and security logs, and identifying any adverse patterns.
  • Elasticity & load tolerance testing– Ensure that resources can be augmented in the peak performance periods by performing regular load tolerance and elastic demand management testing.
  • Advanced cyber-attack prevention measures– Monitor and implement cyber attack prevention measures pro-actively by integrating with new threat and vulnerability solutions.
  • Advanced cloud security analytics– Establish an advanced cloud security analytics information center as part of the GRC dashboard and centralize its monitoring and management.

Apart from the components listed above, as the cloud computing world evolves, there is an increasing number of regulations and checklists coming up to ensure its adherence to established standards, including SSAE16 SOC 2 controls, FedRAMP certification, HIPAA regulation and Cloud Security Alliance (CSA). Your organization’s GRC framework for cloud should be able to streamline the audit and checklist-based assessments around these and ensure proper adherence to world-class standards for cloud adoption and security.

Conclusion
An integrated GRC approach to cloud acceptance, adoption and scale includes the risk perspective from the beginning. Harnessing the power of cloud security with a GRC framework can promote and improve information security practices and drive better business performance.