Week 13: Evaluating Cloud Security - An Information Security Framework Flashcards
The framework defines a number of checklists of ___ that span the range of activities that together support information security for cloud computing
The goal is to provide an ___, which can be used to evaluate the security of a private, community, public, or hybrid cloud
evaluation criteria
organized set of tools
Evaluating the security of a ___ may best be done by evaluating each of its two or more constituent cloud instances separately, using one set of checklists per instance
hybrid cloud
The ___ and ___ of a cloud share responsibility for ensuring that security measures are in place and standards/procedures are followed
owner
operator
The ___ takes a similar approach in detailing security requirements for cloud implementations
Cloud Security Alliance Controls Matrix
A good starting point when you need to measure the presence and effectiveness of cloud security includes having a list of ___
required or recommended security controls
It is not enough that a security control is present
That control also needs to be effective
One can describe this as the ___
degree of trust (or assurance) that can be expected from these controls
Measuring the presence and/or effectiveness of security controls is largely what ___ are intended to do
security evaluations
designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider
Cloud Controls Matrix (CCM)
focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency
Consensus Assessments Initiative Questionnaire
presents security guidance for a number of areas in cloud computing: architecture, governance, traditional security, virtualization
Security Guidance for Critical Areas of Focus in Cloud Computing
discusses the major identity management functions as they relate to cloud computing
Guidance for Identity & Access Management
leading the security guidance efforts in Europe, and has produced several publications
European Network and Information Security Agency (ENISA)
A set of assurance criteria addressing the risk of adopting cloud computing
Cloud Computing: Information Assurance Framework
A security policy defines the organization’s overall ___
security goals
Standards
Standards state mandatory actions that support the policy
Guidelines
provide guidance for implementation of standards
___ for a cloud is a foundation of operational security
Personnel security
Checklist 1: Policy, Standards, & Guidelines
Has a security policy been clearly documented, approved, and communicated to all concerned parties as representing management's intent?
Has the security policy had legal, privacy, and other governance review?
Has the security policy been augmented by security standards and/or guidelines?
Has the policy been augmented by a privacy policy?
Are the security and privacy policies, as well as standards and guidelines, consistent with industry standards (such as ISO/IEC 27001, COBIT, etc.)?
Checklist 2: Transparency
Does the CSP provide customers with a copy of the governing policies, standards, and guidelines?
- Are customers notified of changes to these documents?
Does the CSP provide customers visibility into internal and external audits?
Does the CSP provide customers visibility into third party compliance audits?
Does the CSP provide customers visibility into penetration tests?
Does the CSP provide customers visibility into CSP asset management and repurposing of equipment?
Checklist 3: Personnel Security
Are there policies and procedures for:
- Hiring employees with access to or control over cloud components?
- Pre-employment checks for personnel with privileged access?
Are personnel security policies consistent across locations?
Is there a security education program, and if so, how extensive is it?
Is personnel security frequently reviewed to determine if employees with access should continue to have access?
Are personnel required to have and maintain security certifications?
Does physical access to the CSP’s facility require background checks?
Checklist 4: Third Party Providers
Are any services or functions provided by a third party?
If any part of a cloud is subcontracted or otherwise outsourced, does the providing party comply with the same policy and standards that the CSP enforces?
If used, are third party providers audited for compliance with the CSP's policies and standards?
Does the CSP security policy (or equivalent) and governance extend to all third party providers?
Business considerations include ___, business ___, and resource ___
legal
continuity
provisioning
Resource provisioning has to do with assuring that the cloud service will be sufficiently resourced as ___
customer demand increases
Checklist 5: Legal
In which jurisdiction is the CSP incorporated?
In which jurisdiction will data be stored?
Does the CSP use third party providers who are not located in the same jurisdiction?
Does the CSP use a customer’s data for secondary purposes?
Does the CSP have a documented procedure for responding to legal requests (such as a subpoena) for customer data?
Is the CSP insured against losses, including remuneration for customer losses due to CSP outages or data exposure?