Cloud Security Alliance Guidance Document v2

CSA has released version 2 of its cloud security guidance document. It is available at –

It was a privilege working with so many of my peers located in different parts of the world. It is actually amazing that so many of us could collaborate and work collectively on this initiative.


Security, Risk & Compliance for Cloud Computing Model

IT has long struggled with the issue of securing information and the underlying assets in traditional IT environments. There have been debates around how much security is enough. Over a period of time, various models have evolved to enable an enterprise to get a grip on the information security issue. Most approaches encourage taking a risk-based approach to measure the adequacy of existing controls and identify areas of improvement, bringing the risk down to an optimum level.

Now, the evolution and popularity of the Cloud computing model in recent times has added new dimensions to the concept of information security. There is a lot of discussion taking place within the IT industry, but there is still a haze around security, risk & compliance issues. I believe that with time a clearer picture is likely to emerge, as Cloud service providers realize the importance of addressing concerns around information security and as standards emerge and are adopted.

In my opinion, key issues around security, risk & compliance in Cloud computing model are:-

Governance – one of the concerns customers have expressed is the loss of governance over a service that is now provided in the Cloud. Control now resides with the Cloud service provider on issues like the location of data, the implementation of security controls and their functioning, etc. This lack of overall control, and hence of control over some of the topics that can potentially impact security, risk & compliance, is a serious concern for organizations exploring the use of Cloud-based services.

Access Control – how do you control access to information residing in the Cloud? While models like OpenID are emerging to control end-user access, one of the key issues is controlling access for privileged users like administrators.

Data location within the Cloud – this is another important concern, since it carries a lot of regulatory & compliance implications. The location of data residing in the Cloud also affects legal jurisdiction and which regional/country-specific data privacy requirements apply.

For example, some of my customers, especially in non-US geographies, have specifically expressed concerns around the implications of the US Patriot Act for Cloud computing services.

Securing Data at Rest – how secure is the information residing in the Cloud in a shared environment? Information segregation and encryption are the key topics being discussed to address concerns around information assets in the Cloud.

Regulatory compliance – organizations do need to understand that while the responsibility for securing the underlying assets may rest with the Cloud service provider, the responsibility & accountability for securing the information still rests with the enterprise. Traditional IT organizations face a lot of audits (internal & external) and security certifications like ISO 27001/SAS 70 to demonstrate an acceptable level of presence & effectiveness of security controls. Similarly, Cloud service providers will need to accommodate their customers' internal & external audit requirements, along with an acceptable demonstration of the presence of security controls within the Cloud services they offer.

Incident Response & Forensics – another important point of concern is support during incident response and forensics. Due to the shared nature of Cloud-based services, and the fact that the service provider can host the data in any of its data centres, establishing log/audit trails to enable Incident Response and to support forensics can be a challenging task.

Organizations are realizing that when using Cloud computing services, there is a limit to the security controls that can be implemented and enforced. One needs to rely on the controls implemented by the Cloud service provider and trust that these controls are adequate and working the way they were designed. Similarly, there is also a limit on how much audit information can be generated, collected in a tamper-proof format and retained, and on whether that is adequate to satisfy an organization's audit requirements.

I believe that while enterprises will continue to use public Clouds, the IT spend on setting up private Clouds will increase over a period of time. Organizations will use public Cloud services to host non-critical services, while using the Cloud computing model within their organizational boundaries to benefit from the concept of Cloud computing and keep security, risk & compliance issues within their control. We are most likely to see the emergence of industry standards and also some guidance from government bodies on the topics of security, risk and compliance for Cloud services.

references:-; twitter feeds on cloud

Defining Continuous Data Protection – II

In October this year (2008) I had written about the way Continuous Data Protection was being defined by some vendors to promote their portfolio of backup and recovery solutions. In that post I had stressed evolving a more holistic definition of ‘data protection’ and developing a framework to facilitate it, rather than using the definitions and concepts put forward by the different OEMs and solution vendors.

I recently came across a blog post from Stephanie Balaouras of Forrester which more or less agrees with my approach. The post highlights how the term “Data Protection” is being interpreted by IT Operations teams and IT Security professionals, and the need to look at the term from both a security and a recoverability point of view.

Redefining AAA – Anybody, Anywhere, Anytime

I came across an article discussing how to enable any person to access the required information at any time, independent of the device from which the information is accessed or, for that matter, the geography (office/home etc).

It was a nice read, and it brought to my mind that perhaps it's time to realign AAA as it is known in security circles (AAA typically stands for Authentication, Authorization and Accounting).

Now this also has implications for enterprise IT. Almost anyone can buy a powerful smartphone with the capability to browse the internet even while on the office network, use the smartphone as a modem to connect to the internet, access corporate email and documents on it, and participate in blogs and social networking sites to share ideas.

The standard way IT typically approaches the topic of access and authorization is to be restrictive: stop users from bringing in phones, or not allow users to access corporate email over mobile devices (allowing only a select bunch of employees to do so). However, I am not sure this is productive, and IT will be looked at as hindering the productivity and efficiency of the business users.

There was also an article on similar lines – which touches on relaxing the controls and enabling users to use IT in a manner that enhances their productivity & efficiency.

In my opinion, the time has come for IT to move from providing traditional restrictive, controlled environments to providing an AAA (Anybody, Anywhere and Anytime) environment to business users, while ensuring IT is still able to manage IT risk in an optimum manner.

“Anybody should be able to view the information they are entitled to, use the information in a manner they are authorized to, from Anywhere they desire and at Anytime they want”

This will require a combination of a few topics I have written about before (and probably a few more), namely:-

With the redefined IT perimeter and redefined continuous data protection, IT teams can extend the same experience of accessing the required information, with the necessary controls and rules, from anywhere, just as users would experience it in the corporate network. At the same time, it will allow users to access the necessary information based on their roles and authorization. It will also ensure that the data is protected without being too restrictive, thus allowing end users to extend and enjoy their IT experience.

IT Security Outsourcing Models – III

Outsourcing security infrastructure management

In this case, the service provider is responsible for the monitoring, management and maintenance of the security infrastructure.

The service provider will usually bring in their own tools for security event monitoring, as in the previous case (outsourcing security infrastructure monitoring with the service provider's tools & processes). Along with being responsible for incident monitoring, the service provider will also execute the following processes:-

  • change management
  • configuration management
  • version upgrades/maintenance
  • incident management
  • reporting

In the case of stand-alone security management outsourcing, the service provider will usually prefer to use their own trouble ticketing tools to open incident tickets and associated tickets on which the customer's team needs to take action (e.g. remove a virus-infected desktop from the LAN). The customer's retained security operations organization (if any) is then responsible for taking this ticket and redirecting the work to their internal IT teams.

If the customer prefers to get rid of this hop (redirecting tickets to their internal IT teams), they may require the service provider to use the customer's ticketing tools. This can be achieved either by having a two-way integration between the service provider's and the customer's ticketing tools, or by extending the ticketing console to the service provider so they can open the tickets manually. The manual way can also mean an increase in the service provider's response and notification time, since automated ticket creation from the security event monitoring tools will no longer be possible.

From a delivery perspective, again the following models can be explored:-

  • shared tools and shared monitoring & management teams
  • shared tools and shared monitoring teams, dedicated management teams
  • shared tools and dedicated monitoring teams, shared management teams
  • dedicated tools and dedicated monitoring & management teams

As stated in the previous post, one of the areas that requires attention is the incident management process. What the expectations from the service provider are, and how the hand-off happens between the outsourced and the retained teams, is a matter that needs to be thought through in detail.

IT Security Outsourcing Models – II

In this post I will talk about the various paths I have seen customers walk when it comes to outsourcing security operations.

Outsourcing security infrastructure monitoring with service provider's tools & processes

Many IT functions will outsource monitoring-only activities. The service provider will bring in their tools and associated processes to monitor security event logs and also the health of security infrastructure like firewalls, IDS, VPN etc. In a pure monitoring-only engagement, service providers are usually responsible for event log aggregation, analysis (in some cases using analytical tools like a SIEM) and alerting the customer's retained security teams on detection of an event of interest.

The customer's team is then responsible for carrying out further analysis of the tickets and doing the necessary change and configuration management as required. Maintenance of the security infrastructure is also the responsibility of the customer's retained security ops team.

In most cases, to bring in efficiency, improved response times, SLA-based services and economies of scale, the service provider would normally use a multi-tenant tool set for event monitoring and analysis. On detection of an event which requires the customer's attention, the service provider can:-

  • open tickets in the service provider's ticketing tool; the customer's retained security ops team has an interface into this tool.
  • open tickets in the customer's ticketing tool; the service provider's team needs to have an interface into the customer's ticketing tool.
  • or, in some cases, have a bi-directional interface between the service provider's and the customer's ticketing tools.

If this is a total outsourcing engagement, the decision is simplified: the service provider is responsible for the entire IT function, so the choice of trouble ticketing tool is pretty much straightforward.

Now, in a discrete outsourcing engagement, this gets a little complicated. Usually the service aggregator would want the outsourced security function to use the single ticketing tool being used by the rest of the service providers. This can put some pressure on the outsourced security service provider to realign their internal delivery processes to accommodate this requirement.

Models that can be explored are as follows:-

  • service provider's multi-tenant (shared) tools and multi-tenant (shared) delivery teams – should be the cheapest model, financially.
  • customer's already bought/developed toolset and a service provider delivery team dedicated to the customer – basically out-tasking and not exactly outsourcing (usually explored by the BFSI segment).
  • service provider's multi-tenant (shared) tools and a dedicated delivery team for the customer – the dedicated team increases the cost of this model.
  • service provider provisions a dedicated toolset and a dedicated delivery team – should be the most expensive model (usually explored by the BFSI segment).

Again, one of the areas that requires attention is the incident management process. What the expectations from the service provider are, and how the hand-off happens between the outsourced and the retained teams, is a matter that needs to be thought through in detail.

IT Security Outsourcing Models – I

I have received a few queries and comments on the various models of IT security outsourcing. Well, in the next few posts I will try to share my opinions and experiences on this topic.

I will not be discussing how to assess the state of the service provider's information security related controls.

To start with, let me share my thoughts on the state of outsourced security operations in total outsourcing vs. discrete outsourcing engagements. Thereafter I will move to the more tactical subject of the various outsourcing models available for an enterprise to explore.

Security outsourcing in total IT outsourcing engagements

In total outsourcing, the entire IT function is outsourced to a service provider (which may also include financial ownership of the assets). The customer may still maintain control over certain policies like the asset refresh cycle, technology standards etc. However, in most such cases even these decisions can be driven by the service provider.

The service provider is hence responsible, on behalf of the customer, for maintaining the existing controls and ensuring that the controls framework (assessment, adequacy, functioning etc) is kept up to date to mitigate new risks as they emerge.

If you look at it from an ITIL point of view, in total outsourcing, service strategy, design, transition, operations and continuous improvement are all service provider responsibilities. Some customers would still (and should) like to be involved in, or at least informed about, the service strategy and design activities related to information security.

Depending upon the structure of service delivery within the service provider's organization, security operations may or may not be performed by a dedicated security function. In the outsourcing deal structures I have seen, the traditional security operational responsibilities are dispersed to the respective technology towers (firewalls are part of the network team, end user computing teams are responsible for content management etc). The overall security and compliance functions are cross-tower areas, as they impact multiple teams, and hence responsibility for them lies with the team responsible for similar cross-tower functions like governance, program management, finance management etc.

I have seen many customers take a hands-off approach when it comes to outsourcing the security function in a total outsourcing deal. They are not involved with the service provider in the risk assessment, service strategy & design phase for information security. I don't think it's a wise approach. Many outsourcing RFPs do not clearly mention how IT risk, especially information security risk, would be handled. It is presumed (and at times without much thought on the actual “how-to”) that the IT governance function would also report on the risks and the subsequent risk management approaches.

What is important is awareness and acknowledgement by customers of the fact that they have only outsourced the operations to manage the risk, not the overall ownership of the risk itself. If there is an incident, it will still be the customer who has to absorb the impact and pay any penalty. The customer may have the right to terminate the relationship with the service provider, but that would depend on how the legal and contract documents are drawn up.

Security outsourcing in discrete IT outsourcing engagements

In discrete outsourcing, there is a group of service providers, each responsible for a particular piece of the IT function. There is usually an aggregator role (either retained by the customer or given to another service provider) to consolidate and manage the other service providers delivering services to the same customer. The service aggregator then becomes responsible to the customer for the delivery of all of the outsourced IT services.

In discrete outsourcing, usually each service provider delivers the security operations for the technology/tower it is responsible for. For example, the network service provider will be responsible for monitoring and managing the firewalls only.

The service aggregator is usually responsible for the enforcement of security policies and for ensuring the customer's regulatory and compliance requirements are met. This role also requires tracking the OLAs (operational level agreements) between service providers. For example, the network service provider can report high utilization of the network and, using the logs from routers/firewalls, can trace the source of the traffic to an infected desktop. The provider then opens a ticket on the end user computing team to have the desktop cleaned/removed.

In such an engagement, one of the most important processes that needs to be tracked is “Incident Management”, since it involves multiple parties in the efficient resolution/closure of an incident. Along with Incident Management, tracking the enforcement of customer security policies to meet compliance & regulatory requirements across the various service provider teams and infrastructure is also a challenge. In my opinion, the service aggregator needs to bring in the experience and the necessary tools to be able to track the OLAs, and to track enforcement of policies and deviations from them.
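The firewall-log-to-ticket hand-off described above, with the OLA tracking the aggregator needs, as an added Python example (not code from the post; the log lines, tower names and OLA hours are constructed assumptions):

```python
"""Cross-tower hand-off: network tower spots a top talker in firewall logs,
opens a ticket on the end user computing tower, aggregator tracks the OLA."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (key=value fields); not from any real device.
FIREWALL_LOG = """\
2008-12-01T10:00:01 src=10.1.5.23 dst=203.0.113.7 bytes=820000
2008-12-01T10:00:02 src=10.1.5.40 dst=198.51.100.9 bytes=1200
2008-12-01T10:00:03 src=10.1.5.23 dst=203.0.113.8 bytes=910000
2008-12-01T10:00:04 src=10.1.5.23 dst=203.0.113.9 bytes=875000
2008-12-01T10:00:05 src=10.1.5.11 dst=198.51.100.9 bytes=4400
"""

# Assumed OLA response times (hours) per tower, tracked by the service aggregator.
TOWER_OLA_HOURS = {"end user computing": 4, "network": 2}


def parse_firewall_log(text):
    """Parse each constructed line into a dict with a datetime and typed fields."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = int(value) if key == "bytes" else value
        events.append(rec)
    return events


def top_talker(events, threshold_bytes):
    """Return (src, total_bytes) for the busiest source if it exceeds the threshold."""
    totals = defaultdict(int)
    for event in events:
        totals[event["src"]] += event["bytes"]
    src, total = max(totals.items(), key=lambda kv: kv[1])
    return (src, total) if total > threshold_bytes else None


def open_handoff_ticket(src, total_bytes, raised_at, tower="end user computing"):
    """Ticket the network tower raises on the owning tower; OLA deadline is set from the table."""
    return {
        "raised_by": "network",
        "assigned_to": tower,
        "asset": src,
        "summary": f"{src} sent {total_bytes} bytes; suspected infection, clean/isolate",
        "ola_due": raised_at + timedelta(hours=TOWER_OLA_HOURS[tower]),
    }


def ola_breached(ticket, closed_at_iso):
    """True if the tower closed the ticket after the OLA deadline the aggregator tracks."""
    return datetime.fromisoformat(closed_at_iso) > ticket["ola_due"]
```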

Usually the open-ended question in this type of arrangement is also around ownership of, and accountability for, driving the overall information security strategy. Many a time it lies with the service aggregator only. But, as I mentioned earlier, the customer must get involved at least in the strategy, risk assessment and mitigation planning phase.

Yawn… more in the next post on the same topic!