What is the CSA Cloud Security Guidance?
The Security Guidance for Critical Areas of Focus in Cloud Computing v4.0, published by the CSA, defines 14 domains covering critical areas of concern for the security of cloud assets. The guidance supports cloud adoption efforts by providing prudent advice to businesses managing and mitigating the risks associated with migrating legacy environments. The fourteen domains range from cloud computing concepts and architecture references to application security, data security and identity management.
Domain 1 – Cloud Computing Concepts and Architectures
Domain 1 is concerned with the various cloud computing models, where responsibility for security provisions lies, and how each is to be protected. For the purposes of the CSA Guidance, cloud architecture is defined in terms of Software as a Service (e.g. Salesforce or Office 365), Platform as a Service (e.g. Windows Azure or Heroku), and Infrastructure as a Service (e.g. Amazon AWS or Microsoft Azure).
The Domain then goes on to describe a high-level process that can be used as a model for managing cloud security:
- Identify necessary security and compliance requirements, and any existing controls
- Select your cloud provider, service, and deployment models.
- Define the architecture
- Assess the security controls
- Identify gaps in those security controls
- Design and implement controls to fill the gaps
- Manage changes over time
Domain 2 – Governance and Enterprise Risk Management
Domain 2 explains how the issues of governance and risk management change under the cloud computing model, not least because the cloud provider introduces a third party into the process. To assist with improving governance, the CSA highlights the following tools:
- Contracts that clearly split responsibilities between the cloud provider and customer
- Supplier assessments performed by the customer to verify the suitability of the provider
- Compliance reporting that ensures the cloud provider's security processes and protections align with the customer's
When dealing with cloud technologies, enterprise risk management works on the principle of shared responsibility. The ultimate responsibility for security remains with the client, but the provider accepts some of it as part of their service; how much varies according to the cloud deployment model (public, private or hybrid). To assist, the CSA has produced a basic supplier assessment:
- Acquire documentation from the provider.
- Review their security program and documentation.
- Review any legal, regulatory, contractual, and jurisdictional requirements that apply to supplier and customer.
- Evaluate the contracted service in the context of your information assets.
- Evaluate the provider as a whole, including factors such as finances/stability, reputation, and outsourcers.
Domain 3 – Legal Issues, Contracts, and Electronic Discovery
Moving data to the cloud creates several potential issues regarding data protection, sovereignty and the legal implications of sending data between jurisdictions. Cloud adopters must ensure that their deployments fully comply with all relevant legislation to avoid prosecution.
Customers must be familiar with the relevant legislation that applies to their installation. They also need to ensure that service contracts clearly delineate responsibilities between parties. Due diligence testing becomes a regular routine as companies continually assess and confirm compliance. They must also ensure that data is retained correctly in relation to electronic discovery for use in both civil and criminal investigations and court cases.
Domain 4 – Compliance and Audit Management
With the legal issues understood, Domain 4 is concerned with businesses achieving – and maintaining – compliance. As with legal issues, compliance remains the responsibility of the client, even when using systems hosted in the cloud.
Proving compliance in the cloud is a two-stage process: first, the provider is audited against each regulation or standard; second, the customer's apps and services built on top of the provider's platform are assessed. The CSA describes this as a pass-through audit.
Domain 4 concludes with advice relating to audit management. As well as retaining the services of a third party to carry out the audits, cloud users are reminded of the importance of instituting a program of continuous assessment.
Domain 5 – Information Governance
Information governance relates to how data is used. The official CSA definition states: ‘Ensuring the use of data and information complies with organizational policies, standards and strategy — including regulatory, contractual and business objectives.’
The cloud operating model introduces a third party into the governance model. To address this complexity, Domain 5 outlines nine specific areas of interest that businesses should address as they draw up their information governance strategy:
- Information Classification
- Information Management Policies
- Location and Jurisdiction Policies
- Contractual controls
- Security controls
Domain 5 also describes a six-phase data security lifecycle, covering every stage between creation and destruction. These are:
Domain 6 – Management Plane and Business Continuity
The term ‘management plane’ describes the tools and interfaces used to manage infrastructure, platforms and applications – both onsite and in the cloud. Securing these tools against unauthorized access is critical to protecting systems from being exploited by hackers. The CSA recommends following best-practice principles of limiting access permissions to only what is strictly required, for both human operators and automated services.
Cloud platforms are designed to fail over automatically in the event of an outage, but the customer remains responsible for protecting their data against loss. The CSA recommends building a multi-level business continuity plan that covers data loss and outages, including:
- Data stored in their hosted environment
- A total loss of service from their provider
- Provisions for a private cloud failure
Domain 7 – Infrastructure Security
There are two (main) layers of infrastructure to consider in cloud environments: the physical systems and the abstracted application/data layer. To provide virtualization and failover capabilities, the hosted environment makes heavy use of virtual networks (software-defined security – SDSec).
Addressing the two layers of infrastructure requires further examination of:
- Network functionality, such as the use of SDSec to increase separation and limit the impact of a breach
- Network configuration to limit and restrict access to authorized users acting within the limits of their permissions
- Building immutable workloads to secure data against common threats
- Leveraging log analysis to detect suspicious behavior and to trigger recovery protocols when required
Domain 8 – Virtualization and Containers
Virtualization is fundamental to cloud operations, abstracting data and applications from the underlying hardware platform. The CSA has identified two new layers requiring security controls: the virtualization technology itself (typically the hypervisor) and the virtual assets.
When designing security protocols, cloud users must define responsibilities for provider and customer in the following areas:
- Virtualized compute, such as the virtual machines themselves
- Virtualized network resources, including monitoring and filtering. Attention is also drawn to ‘cloud overlay networks’ that link multiple cloud services
- Storage, and how information is held within the virtualized environment
- Software containers, and how service and security isolation can be employed to prevent data leakage or theft
Domain 9 – Incident Response
Security breaches are (statistically speaking) a certainty, which means defining an incident response plan is vital to help limit fallout. Domain 9 references a four-stage incident response lifecycle to help identify the various phases of a good plan:
- Preparation – building a response capability in advance of a security incident
- Detection and analysis – deploying tools, systems, and procedures to identify potential breaches, risks, and threats
- Containment, eradication, and recovery – limiting the impact of a breach, removing the threat, and restoring normal operations
- Post-mortem – analysis of the response, and improving future operations based on those observations
Service customers will need to carefully consider the available tools, logs and reports, and the role their cloud provider will play in incident response.
Domain 10 – Application Security
The CSA identifies three major areas for a successful application security program:
- A Secure Software Development Lifecycle (SSDLC) that makes security a critical concern at every stage of the application development process
- Integrating security into application design and architecture
- Building a DevOps / Continuous Deployment (CD) capability to push through security updates, patches and fixes quickly and efficiently
Domain 11 – Data Security and Encryption
Data stored in the cloud must be secured appropriately through measures such as:
- Storing data in the most appropriate location
- Protecting data held in the cloud using access controls, encryption and architecture design
- Monitoring and reporting on data activities
- Enforcing these measures in line with compliance requirements
As well as dealing with data already in the cloud, Domain 11 documents measures to protect the information in transit, particularly during upload. The CSA also emphasizes the importance of using data storage security measures offered by the cloud provider including at-rest encryption and tokenization.
Domain 12 – Identity, Entitlement and Access Management
Restricting access to stored data has always been complicated, but the cloud adds a further layer of complexity: the systems used to control access to resources are now shared between the user and the cloud provider, for instance.
Domain 12 defines Identity and Access Management as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.” To achieve this goal, the CSA recommends the use of technologies like:
- Security Assertion Markup Language (SAML), an XML-based identity management standard that supports authentication and authorization
- OAuth, an HTTP framework for delegating access control between services
- OpenID, a federated authentication service that uses HTTP and URLs to verify user identity
- The eXtensible Access Control Markup Language (XACML) standard for defining access controls – typically used in conjunction with SAML and OAuth
- The System for Cross-domain Identity Management (SCIM) standard for exchanging identity information between domains
Domain 13 – Security as a Service
Security as a Service (SecaaS) describes security products or services that are delivered from the cloud. They typically exhibit the same characteristics as the other cloud services described in Domain 1.
Domain 13 identifies 13 SecaaS categories:
- Identity, Entitlement, and Access Management Services – including Federated Identity Brokers
- Cloud Access and Security Brokers (CASB, also known as Cloud Security Gateways) – like Microsoft Cloud App Security
- Web Security (Web Security Gateways) – such as anti-malware content filters
- Email Security – like anti-spam filters and phishing detection systems
- Security Assessment – systems that audit cloud deployments and on-site infrastructure
- Web Application Firewalls – that redirect and filter DNS traffic to identify and block malicious activity
- Intrusion Detection / Prevention (IDS / IPS) – that use heuristic monitoring to identify and block suspicious network activity
- Security Information & Event Management (SIEM) – to aggregate and analyze event logs from multiple sources in real-time
- Encryption and Key Management – services that encrypt data and manage decryption keys, typically used to protect information held in SaaS platforms.
- Business Continuity and Disaster Recovery – services that help protect corporate data held in cloud storage against loss
- Security Management – services that combine multiple traditional security measures, including antivirus, mobile device management, network security, etc.
- Distributed Denial of Service Protection – services that reroute network traffic to block or mitigate DDoS attacks.
Domain 14 – Related Technologies
The final CSA domain discusses technologies that are reliant on cloud services to operate, or are typically only seen in cloud environments. Domain 14 lists four such technologies:
- Big Data – applications that use vast, unstructured datasets that need to be processed in real-time
- Internet of Things (IoT) – applications that collate, process and analyze data streamed from a potentially vast array of sensors
- Mobile computing deployments – that use the cloud to simplify management and device security
- Serverless computing models – that rely on PaaS to deliver containerized services and applications