Part II: Security and Privacy Issues

in Cloud Computing - Big Picture

• Infrastructure Security
• Data Security and Storage
• Identity and Access Management (IAM)
• Privacy

1
 Infrastructure Security
• Network Level
• Host Level
• Application Level

2
 The Network Level
• Ensuring confidentiality and integrity of your organization’s
data-in-transit to and from your public cloud provider
• Ensuring proper access control (authentication,
authorization, and auditing) to whatever resources you are
using at your public cloud provider
• Ensuring availability of the Internet-facing resources in a
public cloud that are being used by your organization, or have
been assigned to your organization by your public cloud
providers
• Replacing the established model of network zones and tiers
with domains

3
 The Network Level - Mitigation
• Note that network-level risks exist regardless
of what aspects of “cloud computing” services
are being used
• The primary determination of risk level is
therefore not which *aaS is being used,
• But rather whether your organization intends
to use or is using a public, private, or hybrid
cloud.

4
 The Network Level - Mitigation
• Availability problems at the network level are far more
difficult to mitigate with cloud computing—unless your
organization is using a private cloud that is internal to your
network topology.
• Even if your private cloud is a private (i.e., non-shared)
external network at a cloud provider’s facility, you will face
increased risk at the network level.
• A public cloud faces even greater risk.

5
 The Host Level
• VM Escape/Configuration Drift/Velocity of
attack
• SaaS/PaaS
– Both the PaaS and SaaS platforms abstract and hide
the host OS from end users
– Host security responsibilities are transferred to the
CSP (Cloud Service Provider)
• You do not have to worry about protecting hosts
– However, as a customer, you still own the risk of
managing information hosted in the cloud services.
6
 IaaS Host Security
• Unlike PaaS and SaaS, IaaS customers are
primarily responsible for securing the hosts. It
is categorised as follows -
– Virtualization software security. (Responsibility of
CSP)
– Customer guest OS or virtual server security
(Following slide)

7
 The Host Level (cont.)
• IaaS Host Security
– Virtualization Software Security
• Hypervisor (also called Virtual Machine Manager (VMM)) security is a key
– a small application that runs on top of the physical machine H/W layer
– implements and manages the virtual CPU, virtual memory, event
channels, and memory shared by the resident VMs
– Also controls I/O and memory access to devices.
• Bigger problem in multitenant architectures
– Customer guest OS or Virtual Server Security
• The virtual instance of an OS
• Vulnerabilities have appeared in virtual instance of an OS
• e.g., VMWare, Xen, and Microsoft’s Virtual PC and Virtual Server
• Customers have full access to virtual servers.

8
 Securing Virtual Servers
• Some recommendations
• Use a secure-by-default configuration. Harden your
image and use a standard hardened image, that
have only the capabilities and services necessary to
support the applications stack, for instantiating VMs
(the guest OS) in a public cloud.
• When a virtual image from the IaaS provider is used
it should undergo the same level of security
verification and hardening as for hosts within the
enterprise.
9
 Securing Virtual Servers
• Protect the integrity of the hardened image from unauthorized
access.
• Safeguard the private keys required to access hosts in the public
cloud.
• In general, isolate the decryption keys from the cloud where the
data is hosted.
• Require passwords for sudo* or role-based access (e.g., Solaris,
SELinux).
• Run a host firewall and open only the minimum ports necessary to
support the services on an instance.
• Run only the required services and turn off the unused services (e.g.,
turn off FTP, print services, network file services, and database
services if they are not required).
10
 Securing Virtual Servers
• Enable system auditing and event logging, and
log the security events to a dedicated log
server. Isolate the log server with higher
security protection, including accessing
controls.
• Periodically review logs for suspicious
activities.

11
 Case study: Amazon's EC2
infrastructure
• “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party
Compute Clouds”
– Multiple VMs of different organizations with virtual boundaries separating
each VM can run within one physical server
– "virtual machines" still have internet protocol, or IP, addresses, visible to
anyone within the cloud.
– VMs located on the same physical server tend to have IP addresses that
are close to each other and are assigned at the same time
– An attacker can set up lots of his own virtual machines, look at their IP
addresses, and figure out which one shares the same physical resources as
an intended target
– Once the malicious virtual machine is placed on the same server as its
target, it is possible to carefully monitor how access to resources
fluctuates and thereby potentially glean sensitive information about the
victim

12
 Local Host Security
• Are local host machines part of the cloud infrastructure?
– Outside the security perimeter
– While cloud consumers worry about the security on the cloud
provider’s site, they may easily forget to harden their own machines
• The lack of security of local devices can
– Provide a way for malicious services on the cloud to attack local
networks through these terminal devices
– Compromise the cloud and its resources for other users
 Local Host Security (Cont.)
• With mobile devices, the threat may be even stronger
– Users misplace or have the device stolen from them
– Security mechanisms on handheld gadgets are often times insufficient
compared to say, a desktop computer
– Provides a potential attacker an easy avenue into a cloud system.
– If a user relies mainly on a mobile device to access cloud data, the
threat to availability is also increased as mobile devices malfunction or
are lost
• Devices that access the cloud should have
– Strong authentication mechanisms
– Tamper-resistant mechanisms
– Strong isolation between applications
– Methods to trust the OS
– Cryptographic functionality when traffic confidentiality is required

14
 The Application Level
• XSS/SQL-injection/Malicious file execution
• Most exploit programming errors and design
flaws in Web applications
• Financial fraud, intellectual property theft,
converting trusted websites into malicious
servers serving client-side exploits, and
phishing scams

15
 The Application Level
• It has been a common practice to use a combination
of perimeter security controls and network- and
host-based access controls to protect web
applications deployed in a tightly controlled
environment, including corporate intranets and
private clouds, from external hackers.
• Web applications deployed in a public cloud (the SPI
model) must be designed for an Internet threat
model, and security must be embedded into the
Software Development Life Cycle (SDLC)

16
 SDLC for Web Applications
• Security needs to be embedded in SDLC
 The Application Level
• DoS/DDoS
– These attacks typically originate from compromised
computer systems attached to the Internet (routinely,
hackers hijack and control computers infected by way of
viruses/worms/malware and, in some cases, powerful
unprotected servers).
– Application-level DoS attacks could manifest themselves as
high-volume web page reloads, XML web services requests
(over HTTP or HTTPS), or protocol-specific requests
supported by a cloud service. Since these malicious
requests blend with the legitimate traffic, it is extremely
difficult to selectively filter the malicious traffic without
impacting the service as a whole.
18
 The Application Level
• EDoS(Economic Denial of Sustainability)
– An attack against the billing model that underlies
the cost of providing a service with the goal of
bankrupting the service itself.
• End user security
• Who is responsible for Web application security
in the cloud?
– Both Customer and CSP
• SaaS/PaaS/IaaS application security
• Customer-deployed application security
19
 Data Security and Storage
• Several aspects of data security, including:
– Data-in-transit
• Confidentiality + integrity using secured protocol
• Confidentiality with non-secured protocol and
encryption
– Data-at-rest
• Generally, not encrypted , since data is commingled
with other users’ data
• Encryption if it is not associated with applications?
– But how about indexing and searching?
– Then homomorphic encryption vs. predicate encryption?
– Processing of data, including multitenancy
• For any application to process data, not encrypted 20
 Where is (or was) that system located?
What was the state of that physical system?
Data Security and Storage (cont.) How would a customer or auditor verify that
info?

– Data lineage
• Knowing when and where the data was located w/i
cloud is important for audit/compliance purposes
• e.g., Amazon AWS
– Store <d1, t1, ex1.s3.amazonaws.com>
– Process <d2, t2, ec2.compute2.amazonaws.com>
– Restore <d3, t3, ex2.s3.amazonaws.com>
– Data provenance
• Computational accuracy (as well as data integrity)
• E.g., financial calculation: sum ((((2*3)*4)/6) -2) = $2.00
?
– Correct : assuming US dollar
– How about dollars of different countries?
– Correct exchange rate? 21
 Data Security and Storage
• Data remanence
• Inadvertent disclosure of sensitive information is possible
• Data security mitigation?
• Do not place any sensitive data in a public cloud
• Encrypted data is placed into the cloud?
• Provider data and its security: storage
• To the extent that quantities of data from many companies
are centralized, this collection can become an attractive
target for criminals
• Moreover, the physical security of the data center and the
trustworthiness of system administrators take on new
importance.

22
 Why IAM?
• Organization’s trust boundary will become dynamic and will move beyond
the control and will extend into the service provider domain.
• To compensate for the loss of network control and to strengthen risk
assurance, organizations will be forced to rely on other higher-level
software controls, such as strong authentication, authorization and audit.
• Managing access for diverse user populations (employees, contractors,
partners, etc.)
• Increased demand for authentication
– personal, financial, medical data will now be hosted in the cloud
– S/W applications hosted in the cloud requires access control
• Need for higher-assurance authentication
– authentication in the cloud may mean authentication outside F/W
– Limits of password authentication
• Need for authentication from mobile devices

23
 IAM considerations
• The strength of authentication system should be reasonably
balanced with the need to protect the privacy of the users of the
system
– The system should allow strong claims to be transmitted and
verified w/o revealing more information than is necessary for
any given transaction or connection within the service
• Case Study: S3 outage
– authentication service overload leading to unavailability
• 2 hours 2/15/18
• http://www.centernetworks.com/amazon-s3-downtime-update

24
 What is IAM
• Authentication
– Authentication is the process of verifying the identity of a user or
system (e.g., Lightweight Directory Access Protocol [LDAP] verifying
the credentials presented by the user, where the identifier is the
corporate user ID that is unique and assigned to an employee or
contractor). Authentication usually connotes a more robust form of
identification. In some use cases, such as service-to-service
interaction, authentication involves verifying the network service
requesting access to information served by another service (e.g., a
travel web service that is connecting to a credit card gateway to verify
the credit card on behalf of the user).

25
 What is IAM
• Authorization
– Authorization is the process of determining the
privileges the user or system is entitled to once
the identity is established. In the context of digital
services, authorization usually follows the
authentication step and is used to determine
whether the user or service has the necessary
privileges to perform certain operations—in other
words, authorization is the process of enforcing
policies.
26
 What is IAM
• Auditing
– In the context of IAM, auditing entails the process
of review and examination of authentication,
authorization records, and activities to determine
the adequacy of IAM system controls, to verify
compliance with established security policies and
procedures (e.g., separation of duties), to detect
breaches in security services (e.g., privilege
escalation), and to recommend any changes that
are indicated for countermeasures.
27
IAM functional Architecture

28
 IAM functional Architecture
• User management
– Activities for the effective governance and management of
identity life cycles
• Authentication management
– Activities for the effective governance and management of
the process for determining that an entity is who or what it
claims to be
• Authorization management
– Activities for the effective governance and management of
the process for determining entitlement rights that decide
what resources an entity is permitted to access in
accordance with the organization’s policies 29
 IAM functional Architecture
• Access management
– Enforcement of policies for access control in response to a request
from an entity (user, services) wanting to access an IT resource within
the organization
• Data management and provisioning
– Propagation of identity and data for authorization to IT resources via
automated or manual processes
• Monitoring and auditing
– Monitoring, auditing, and reporting compliance by users regarding
access to resources within the organization based on the defined
policies

30
Identity Life Cycle

31
 IAM Operational Activities
• Provisioning
– This is the process of on-boarding users to systems and applications.
These processes provide users with necessary access to data and
technology resources. The term typically is used in reference to
enterprise-level resource management. Provisioning can be thought of
as a combination of the duties of the human resources and IT
departments, where users are given access to data repositories or
systems, applications, and databases based on a unique user identity.
Deprovisioning works in the opposite manner, resulting in the deletion
or deactivation of an identity or of privileges assigned to the user
identity.

32
 IAM Operational Activities
• Credential and attribute management
– These processes are designed to manage the life cycle of credentials
and user attributes— create, issue, manage, revoke—to minimize the
business risk associated with identity impersonation and inappropriate
account use. Credentials are usually bound to an individual and are
verified during the authentication process. The processes include
provisioning of attributes, static (e.g., standard text password) and
dynamic (e.g., one-time password) credentials that comply with a
password standard (e.g., passwords resistant to dictionary attacks),
handling password expiration, encryption management of credentials
during transit and at rest, and access policies of user attributes
(privacy and handling of attributes for various regulatory reasons).

33
 IAM Operational Activities
• Entitlement management
– Entitlements are also referred to as authorization policies. The
processes in this domain address the provisioning and deprovisioning
of privileges needed for the user to access resources including
systems, applications, and databases. Proper entitlement
management ensures that users are assigned only the required
privileges (least privileges) that match with their job functions.
Entitlement management can be used to strengthen the security of
web services, web applications, legacy applications, documents and
files, and physical security systems.

34
 IAM Operational Activities
• Compliance management
– This process implies that access rights and privileges are monitored
and tracked to ensure the security of an enterprise’s resources. The
process also helps auditors verify compliance to various internal
access control policies, and standards that include practices such as
segregation of duties, access monitoring, periodic auditing, and
reporting. An example is a user certification process that allows
application owners to certify that only authorized users have the
privileges necessary to access business-sensitive information.

35
 IAM Operational Activities
• Identity federation management
– Federation is the process of managing the trust relationships
established beyond the internal network boundaries or administrative
domain boundaries among distinct organizations. A federation is an
association of organizations that come together to exchange
information about their users and resources to enable collaborations
and transactions (e.g., sharing user information with the organizations’
benefits systems managed by a third-party provider). Federation of
identities to service providers will support SSO to cloud services.

36
 IAM Operational Activities
• Centralization of authentication (authN) and authorization
(authZ)
– A central authentication and authorization infrastructure alleviates the
need for application developers to build custom authentication and
authorization features into their applications. Furthermore, it
promotes a loose coupling architecture where applications become
agnostic to the authentication methods and policies. This approach is
also called an “externalization of authN and authZ” from applications.

37
 Security Management
• With the adoption of public cloud services, a large part of
your network, system, applications, and data will move under
third-party provider control.
• For this :
– What security controls must the customer provide over
and above the controls inherent in the cloud platform, and
– How must an enterprise’s security management tools and
processes adapt to manage security in the cloud.

38
Security Management

39
 Security Management Standards
• The Information Technology Infrastructure Library (ITIL)
– (ITIL) is a set of best practices and guidelines that define an integrated,
process-based approach for managing information technology
services.
– ITIL can be applied across almost every type of IT environment
including cloud operating environment.
• ITIL breaks information security down into:
– Policies : The overall objectives an organization is attempting to
achieve
– Processes : What has to happen to achieve the objectives
– Procedures :Who does what and when to achieve the objectives
– Work instructions : Instructions for taking specific actions

40
 Security Management Standards
• ISO 27001/27002
• ISO/IEC 27001 formally defines the mandatory requirements for an
Information Security Management System (ISMS).
• ISO/IEC 27002 is merely a code of practice/guideline rather than a
certification standard, organizations are free to select and implement
controls as they see fit.
• It answers two questions
• How does one ensure that the current security levels are appropriate for
ones needs?
• How does one apply a security baseline throughout his operation?

41
Security Management in the Cloud
• Availability management (ITIL)
• Access control (ISO/IEC 27002, ITIL)
• Vulnerability management (ISO/IEC 27002)
• Patch management (ITIL)
• Configuration management (ITIL)
• Incident response (ISO/IEC 27002)
• System use and access monitoring (ISO/IEC 27002)

42
Security Management in the Cloud

43
 Availability
• Factors Impacting Availability
• The cloud service resiliency and availability depend on a few
factors, including the
• CSP’s data center architecture (load balancers, networks,
systems), application architecture, hosting location
redundancy, diversity of Internet service providers (ISPs), and
data storage architecture.
• Following is a list of the major factors:
• SaaS and PaaS application architecture and redundancy.
• Reliability and redundancy of Internet connectivity used by
the customer and the CSP.

44
 Availability
• Customer’s ability to respond quickly and fall back on internal
applications and other processes, including manual
procedures.
• Customer’s visibility of the fault. In some downtime events, if
the impact affects a small subset of users, it may be difficult to
get a full picture of the impact and can make it harder to
troubleshoot the situation.
• Reliability of hardware and software components used in
delivering the cloud service.
• Efficacy of the security and network infrastructure to
withstand a distributed denial of service (DDoS) attack on the
cloud service.
45
 SaaS Availability
• SaaS Health Monitoring :The following options are available
to customers to stay informed on the health of their service:
• Service health dashboard published by the CSP. Usually SaaS
providers, such as Salesforce.com, publish the current state of
the service, current outages that may impact customers, and
upcoming scheduled maintenance services on their website
(e.g., http:// trust.salesforce.com/trust/status/).
• The Cloud Computing Incidents Database (CCID). (This
database is generally community supported, and may not
reflect all CSPs and all incidents that have occurred.)

46
 SaaS Availability
• Customer mailing list that notifies customers of occurring and
recently occurred outages.
• Internal or third-party-based service monitoring tools that
periodically check SaaS provider health and alert customers
when service becomes unavailable (e.g., Nagios monitoring
tool).
• RSS feed hosted at the SaaS service provider.

47
 PaaS Availability Management
• Customer mailing list that notifies customers of occurring and
recently occurred outages.
• Internal or third-party-based service monitoring tools that
periodically check SaaS provider health and alert customers
when service becomes unavailable (e.g., Nagios monitoring
tool).
• RSS feed hosted at the SaaS service provider.

48
 IaaS Availability Management
1. Availability of a CSP network, host, storage, and suppor
application infrastructure. This factor depends on the
following:
– CSP data center architecture, including a geographically diverse and
fault-tolerance architecture.
– Reliability, diversity, and redundancy of Internet connectivity used by
the customer and the CSP.
– Reliability and redundancy architecture of the hardware and software
components used for delivering compute and storage services.
– Availability management process and procedures, including business
continuity processes established by the CSP.

49
 IaaS Availability Management
• Web console or API service availability. The web console and
API are required to manage the life cycle of the virtual
servers. When those services become unavailable, customers
are unable to provision, start, stop, and deprovision virtual
servers.
• SLA. Because this factor varies across CSPs, the SLA should be
reviewed and reconciled, including exclusion clauses.

50
 IaaS Availability Management
2. Availability of your virtual servers and the attached storage
(persistent and ephemeral) for compute services (e.g.,
Amazon Web Services’ S3† and Amazon Elastic Block Store).
3. Availability of virtual storage that your users and virtual
server depend on for storage service. This includes both
synchronous and asynchronous storage access use cases.
4. Availability of your network connectivity to the Internet or
virtual network connectivity to IaaS services. In some cases,
this can involve virtual private network (VPN) connectivity
between your internal private data center and the public IaaS
cloud (e.g., hybrid clouds).

51
 IaaS Availability Management
5. Availability of network services, including a DNS, routing
services, and authentication services required to connect to
the IaaS service.

52
 What is Privacy?
• The concept of privacy varies widely among (and sometimes within)
countries, cultures, and jurisdictions.
• It is shaped by public expectations and legal interpretations; as
such, a concise definition is elusive if not impossible.
• Privacy rights or obligations are related to the collection, use,
disclosure, storage, and destruction of personal data (or Personally
Identifiable Information—PII).
• Any information relating to an identified or identifiable individual
(data subject).At the end of the day, privacy is about the
accountability of organizations to data subjects, as well as the
transparency to an organization’s practice around personal
information.
• The rights and obligations of individuals and organizations with
respect to the collection, use, retention, and disclosure of personal
information.

53
 What is the data life cycle?

• Personal information should be managed as part of the

data used by the organization
• Protection of personal information should consider the
impact of the cloud on each phase

54
 Generation of the information

• Ownership: Who in the organization owns PII, and

how is the ownership maintained if the organization
uses cloud computing?
• Classification: How and when is PII classified? Are
there limitations on the use of cloud computing for
specific data classes?
• Governance: Is there a governance structure to
ensure that PII is managed and protected through its
life cycle, even when it is stored or processed in a
cloud computing environment?
55
 Use
• Internal versus external: Is PII used only within the collecting
organization, or is it used outside the organization (e.g., in a
public cloud)?
• Third party: Is the information shared with third parties (e.g.,
subcontractors or CSPs)?
• Appropriateness: Is the use of the information consistent with
the purpose for which it was collected? Is the use within the
cloud appropriate based on the commitments the
organization made to the data subjects?
• Discovery/subpoena: Is the information managed in the cloud
in a way that will enable the organization to comply with legal
requirements in case of legal proceedings?
56
 Transfer
• Public versus private networks: When information is
transferred to a cloud is the organization using public
networks, and is it protected appropriately? (PII should always
be protected to address the risk level and legal requirements.)
• Encryption requirements: Is the PII encrypted? Some laws
require that PII will be encrypted when transmitted via a
public network (and this will be the case when the
organization is using a public cloud).
• Access control: Are there appropriate access controls over PII
when it is in the cloud?

57
 Transformation
• Derivation: Are the original protection and use
limitations maintained when data is transformed
or further processed in the cloud?
• Aggregation: Is data in the cloud aggregated so
that it is no longer related to an identifiable
individual (and hence is no longer considered
PII)?
• Integrity: Is the integrity of PII maintained when it
is in the cloud?

58
 Destruction
• Secure: Does the CSP destroy PII obtained by
customers in a secure manner to avoid
potential breach of the information?
• Complete: Is the information completely
destroyed? Does the destruction completely
erase the data, or can it be recovered?

59
 What Are the Key Privacy Concerns?

• Typically mix security and privacy

• Some considerations to be aware of:
– Storage
– Retention
– Destruction
– Auditing, monitoring and risk management
– Privacy breaches
– Who is responsible for protecting privacy?

60
 Storage
• Is it commingled with information from other
organizations that use the same CSP?
• The aggregation of data raises new privacy issues
– Some governments may decide to search through
data without necessarily notifying the data owner,
depending on where the data resides
• Whether the cloud provider itself has any right to see
and access customer data?
• Some services today track user behaviour for a range
of purposes, from sending targeted advertising to
improving services
61
 Retention
• How long is personal information (that is
transferred to the cloud) retained?
• Which retention policy governs the data?
• Does the organization own the data, or the
CSP?
• Who enforces the retention policy in the
cloud, and how are exceptions to this policy
(such as litigation holds) managed?

62
 Destruction
• How does the cloud provider destroy PII at the end of the retention
period?
• How do organizations ensure that their PII is destroyed by the CSP
at the right point and is not available to other cloud users?
• Cloud storage providers usually replicate the data across multiple
systems and sites—increased availability is one of the benefits they
provide.
– How do you know that the CSP didn’t retain additional copies?
– Did the CSP really destroy the data, or just make it inaccessible
to the organization?
– Is the CSP keeping the information longer than necessary so that
it can mine the data for its own use?

63
 Auditing, monitoring and risk
management
• How can organizations monitor their CSP and provide
assurance to relevant stakeholders that privacy requirements
are met when their PII is in the cloud?
• Are they regularly audited?
• What happens in the event of an incident?
• If business-critical processes are migrated to a cloud
computing model, internal security processes need to evolve
to allow multiple cloud providers to participate in those
processes, as needed.
– These include processes such as security monitoring,
auditing, forensics, incident response, and business
continuity

64
 Privacy breaches
• How do you know that a breach has occurred?
• How do you ensure that the CSP notifies you when a breach
occurs?
• Who is responsible for managing the breach notification
process (and costs associated with the process)?
• If contracts include liability for breaches resulting from
negligence of the CSP?
– How is the contract enforced?
– How is it determined who is at fault?

65
Who is responsible for protecting privacy?
e.g., Suppose a hacker breaks into Cloud Provider A and steals data from Company X.
Assume that the compromised server also contained data from Companies Y and Z.

• Who investigates this crime?

• Is it the Cloud Provider, even though Company X may fear that
the provider will try to absolve itself from responsibility?
• Is it Company X and, if so, does it have the right to see other data on that server,
including logs that may show access to the data of Companies Y and Z?

• Data breaches have a cascading effect

• Full reliance on a third party to protect personal data?
• In-depth understanding of responsible data stewardship
• Organizations can transfer liability, but not accountability
• Risk assessment and mitigation throughout the data life cycle is critical.
• Many new risks and unknowns
– The overall complexity of privacy protection in the cloud represents a bigger challenge.

66
 Audit and Compilance
AUDIT AND COMPLIANCE REFERS TO THE INTERNAL AND EXTERNAL
PROCESSES that an Organization implements to:

• Identify the requirements with which it must abide—whether

those requirements are driven by business objectives, laws
and regulations, customer contracts, internal corporate
policies and standards, or other factors
• Put into practice policies, procedures, processes, and systems
to satisfy such requirements
• Monitor or check whether such policies, procedures, and
processes are consistently followed

67
 Internal Policy Compliance
• Address the requirements of their current and planned
customer base
• Establish a strong control foundation that will substantially
meet customer requirements, thereby minimizing the need
for infrastructure customization that could reduce efficiencies
and diminish the value proposition of the CSP’s services
• Set a standard that is high enough to address those
requirements
• Define standardized processes to drive efficiencies

68
CSP Life Cycle Approach

69
Governance, Risk, and Compliance
(GRC)

A programmatic approach to
compliance 70
 Benefits of GRC
GRC approach helps a CSP to:
• Reduce risks through a structured risk
management approach
• Improve monitoring of IT compliance
• Improve security
• Rationalize compliance requirements and
control assessment processes
• Reduce the burden of compliance monitoring
and testing
71
Regulatory/External Compliance

72
 Cloud Security Alliance
• The primary objective of CSA are:
• Promote a common level of understanding between the
consumers and providers of cloud computing regarding the
necessary security requirements and attestation of assurance.
• Promote independent research into best practices for cloud
computing security.
• Launch awareness campaigns and educational programs on the
appropriate uses of cloud computing and cloud security
solutions.
• Create consensus lists of issues and guidance for cloud security
assurance.

73