Category 5 //
Security Assessments
July 2012
© 2012 Cloud Security Alliance
All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance Security as a Service Implementation Guidance at http://www.cloudsecurityalliance.org, subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Security as a Service Implementation Guidance Version 1.0 (2012).
Table of Contents
Section 1: Introduction
1.1 Intended Audience
1.2 Scope
Section 2: Requirements Addressed
2.1 Common Requirements
Section 3: Implementation considerations and concerns
3.1 Considerations
3.1.1 Accuracy and Coverage
3.1.2 Security Assessments of Public Cloud Environments/Systems
3.1.3 Data Ownership
3.1.4 Integration with GRC Tools
3.1.5 Programmatic Access and Control of the Service
3.1.6 Updates
3.1.7 Standardized Ratings
3.2 Concerns
3.2.1 Legality & Non-Disclosure Agreement
3.2.2 User Authentication and Account Management
3.2.3 Data Security
3.2.4 Security Assessment Credentials
3.2.5 Secure Communication
3.2.6 Penetration Testing
Section 4: Implementation
4.1 Architectural overview
4.1.1 Internet vs. Internal Enterprise Assessments
4.2 Guidance and Implementation steps
4.2.1 User Authentication and Account Management
4.2.2 Network and System Vulnerability Assessments
4.2.3 Server/Workstation Compliance Assessments
4.2.4 Network/Security System Compliance Assessment
4.2.5 Web Application Security Assessments
4.2.6 Overall Testing
4.2.7 Virtual Infrastructure Assessment (Cloud/Hypervisor infrastructure)
4.2.8 Penetration Testing
4.2.9 Reporting and Sharing Resulting Data
Section 5: References and Useful Links
5.1 References
5.2 Useful Links
Section 1: Introduction
Organizations rely upon information and information technology to support business decisions and processes, as well as to ensure compliance with legal, regulatory and statutory requirements. To achieve these business objectives, organizations must ensure the confidentiality, integrity and availability of information assets. Security assessments are one mechanism that can be used to provide information assurance to an organization.
Security assessments are third-party or internal audits (by an independent department of an organization) of on-premises or cloud-based systems. Traditional security assessments for infrastructure or applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO, HIPAA, GLBA, PCI and CIS. Over the last several years, security as a service (SecaaS) solutions have been developed that provide and support security assessments in which a cloud-hosted solution performs the assessments and stores the resulting data. Today, a relatively mature technology exists, and tools for a number of security assessment areas have been implemented using the SecaaS delivery model. In the SecaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administrative overhead, and pay-per-use with low initial investment.
There are many choices for an assessment framework standard, and there is no "one size fits all" solution for security assessments. One could reasonably expect that as cloud technology and governance evolve, a much smaller subset will emerge, with a cloud focus. The Cloud Security Alliance (CSA) is taking a leading role in promoting a cloud-based assessment framework that maps well to others in widespread use today, such as ISO 2700X, PCI DSS, or COBIT.
CSA provides a security guidance framework that can be used to help assess the security of cloud based business processes, and ensure the continued confidentiality, integrity and availability of those processes. CSA’s Cloud Control Matrix provides an excellent cross-reference document that maps closely to many standard security frameworks, including: COBIT 4.1; HIPAA/HITECH; ISO/IEC 27002-2005; NIST SP800-53 R3; FedRAMP; PCI DSS v2.0; BITS Shared Assessments SIG v6.0 and BITS Shared Assessments AUP v5.0; GAPP (Aug 2009); Jericho Forum; and NERC CIP.
Traditional security assessments follow a specific methodology such as ISO 27000. SaaS-based security assessments can be used to execute some of the assessment activities in the Communications and Operations Management and Applications sections.
Traditional Security Assessments and SaaS Supported Assessments
This document provides guidance on the evaluation and use of SaaS-based services to conduct security assessments on both enterprise and cloud based networks, infrastructure and applications.
1.1 Intended Audience
The target audience of this document is Chief Information Security Officers, Information Security Officers, IT security managers, technical assessors and auditors who are responsible for performing security assessments on their or their client organizations’ infrastructure and applications.
Section 2 presents a high-level overview of the processes and procedures inherent in a cloud based assessment service offering.
Section 3 is of particular interest to all levels of personnel involved in the assessment decision. Considerations and concerns that should be part of the decision-making discussion are laid out in detail.
Section 4 enters into a more in-depth technical discussion of both the architecture and the implementation process.
1.2 Scope
This document discusses the following security assessment areas:
· Network and System Vulnerability Assessments
· Server/Workstation Compliance Assessments
· Network/Security System Compliance Assessments
· Virtual Infrastructure Assessment (Cloud/Hypervisor infrastructure)
· Web Application Security Assessments
· Internal/External penetration testing
· Security Controls Assessments
Section 2: Requirements Addressed
Organizations face a number of challenges when ensuring the confidentiality, integrity and availability of their information and information technology assets. In addition, depending on their industry, they may have to respond to external auditing standards. Security assessments can help organizations manage many of these challenges, including:
· Proving Adherence to Regulatory Standards
· Securing Computing Architectures
· Assuring Accurate Inventory
· Securing Baseline Configurations
· Verifying Process Flow
· Comprehensive Logging
· Continuous Monitoring
Cloud based security assessments provide the information necessary for an intelligent, risk-based decision making process, while relieving IT staff of the operational burdens of managing the assessment tool infrastructure. Organizations must establish policies, processes, and procedures, and implement controls to ensure the confidentiality, integrity and availability of the information and information technology upon which their critical business processes depend. This section provides an executive level overview of the processes and requirements of cloud based security assessments.
2.1 Common Requirements
Information is often the most important asset within a business, and data security is a high priority for executive management. Security assessments are key to maintaining data security, and therefore are of interest to many executives. Companies also hold regulatory responsibility for adequately protecting personal information of both employees and customers, again elevating the importance of securing data.
Key business processes and the assets that run them should be identified prior to the start of an assessment. All parties should agree to and document any and all rules of engagement to be used during the assessment, for example asset exclusions, time windows, level of attacks, social engineering techniques, etc.
Assessments are usually safe to run even on production systems, but a service provider should have mechanisms in place to stop an assessment at any time if something happens that could be destructive to a server or workstation, or disruptive to key business processes. Both parties should sign an appropriate Non-Disclosure Agreement (NDA). The NDA should limit disclosure of all information obtained, either in preparation for the assessment or through the assessment results, to only those with a verified need to know.
The data that results from cloud based security assessment services is very sensitive in nature and must be properly safeguarded. Cloud based security assessment services must ensure the confidentiality of this sensitive data and ensure that only authorized parties can access the data. Data must be secured at all stages: at creation, in storage, in transit, in processing, and at deletion. Additionally, because cloud based security assessment services are typically offered as multi-tenant solutions, SecaaS providers must offer adequate attestation (see Section 4.1.3) for the isolation of tenant data.
The customer of the cloud based service should retain sole ownership of any data that results from the use of the service, and there should be a mechanism for the customer to request the data for purposes of moving to another cloud based service or to an enterprise-based service. Data retention properties should be configurable by the service customer. To ensure the security of data entrusted to a security assessment service, there should be a process for ensuring the permanent destruction/deletion of the data upon request, as well as at the end of the assessment or at a predetermined time following the assessment.
Organizations should determine whether normal user authentication meets their needs or if there is a need to require stronger authentication protocols such as multi-factor authentication. Service providers should be able to produce detailed records or logs for user sessions and have the ability to store the records/logs to meet typical industry log retention standards.
Authentication credentials are extremely confidential and a cloud based security assessment service provider should be able to ensure the confidentiality of these credentials. Credentials that are no longer required should be deleted after use. A log of deleted users, as well as the roles that they possessed, should be held for log retention standards compliance.
Cloud based security assessment services are able to assess any system that is accessible via the Internet, but frequently there are systems that are internal to an organization that require assessments. These internal systems are often isolated from the Internet by security policies enforced by network security appliances such as firewalls. Cloud based security assessment services usually offer a solution for assessing internal systems using appliances or software agents.
Network and system vulnerability assessments attempt to identify vulnerabilities through the use of IP scanning techniques combined with a detailed understanding of vulnerabilities and specially coded vulnerability signatures. The assessments include the identification of systems and the IP services listening, as well as information about the system acquired through network scanning.
As with all assessment activities, understand what tools the provider will use. In many cases, the provider may actually use a cloud based scanning tool. If they are using a cloud based tool, the guidance in this section applies directly; it may still be helpful even where traditional tools are being used.
Coordinate with the cloud provider to conduct testing in accordance with CSA Guidance. Determine if the cloud hosting provider offers such a service. If not, understand the limitations of performing such actions in hosted cloud environments. Scope and limitations will vary based on which layer of the SPI (SaaS, PaaS, IaaS) model the cloud-hosted application fits.
Compliance scanning attempts to verify the compliance status of the devices in your environment. Server and workstation compliance assessments allow for the discovery of server/workstation configurations, as well as the comparison of the results against industry best practices and any customized configuration standards. Typical server/workstation compliance assessments include:
· The ability to use authenticated scans or a resident agent to detect the server/workstation configuration.
· The ability to compare discovered configurations with industry best practices or custom configuration standards to determine compliance.
· The ability to periodically check for authorized or unauthorized changes in the configuration of a system.
Similar to server/workstation system compliance assessments, network and security system compliance assessments audit the configuration of security appliances (firewalls, IDS/IPS, WAF, Routers, Switches, etc.) against both industry best practices and custom configuration standards.
Other considerations should include support for a wide range of network and security devices, and the ability to assess not only the device configuration, but also any specific security or network policies implemented by the device (routing policies, firewall policies, IDS policies, etc.).
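The two compliance assessment capabilities described above (comparing a discovered server/workstation or network device configuration against a custom standard, and periodically checking for configuration changes) can be expressed as a small comparison engine. The following is an added example, not code from the CSA guidance or from any assessment product; the settings, standard and snapshots are constructed for illustration.

```python
# Added example (not from the CSA guidance): evaluate a discovered configuration
# snapshot against a custom configuration standard, and detect drift between two
# periodic snapshots. Every setting, value and snapshot below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One control in the standard: setting name, allowed values, severity."""
    setting: str
    allowed: frozenset
    severity: str = "medium"

def assess(config: dict, standard: list) -> list:
    """Return (setting, observed, severity) for every rule the snapshot fails.
    A setting the scan could not determine is reported with observed=None,
    so an incomplete scan never silently passes."""
    return [(r.setting, config.get(r.setting), r.severity)
            for r in standard if config.get(r.setting) not in r.allowed]

def drift(previous: dict, current: dict) -> dict:
    """Settings whose value changed between snapshots, as {setting: (old, new)};
    None marks a setting that appeared in or disappeared from the report."""
    return {k: (previous.get(k), current.get(k))
            for k in set(previous) | set(current)
            if previous.get(k) != current.get(k)}

# Constructed standard in the spirit of a hardening benchmark (not a real one).
SERVER_STANDARD = [
    Rule("ssh.PermitRootLogin", frozenset({"no"}), "high"),
    Rule("ssh.PasswordAuthentication", frozenset({"no"}), "high"),
    Rule("password.min_length", frozenset(range(12, 65))),
    Rule("audit.enabled", frozenset({True})),
]

# Constructed snapshots, as an authenticated scan or resident agent might report.
SNAPSHOT_DAY1 = {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
                 "password.min_length": 8, "audit.enabled": True}
SNAPSHOT_DAY2 = {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
                 "password.min_length": 14}  # audit.enabled no longer reported

if __name__ == "__main__":
    for setting, observed, severity in assess(SNAPSHOT_DAY2, SERVER_STANDARD):
        print(f"[{severity}] {setting}: observed {observed!r}")
    for setting, (old, new) in sorted(drift(SNAPSHOT_DAY1, SNAPSHOT_DAY2).items()):
        print(f"changed {setting}: {old!r} -> {new!r}")
```

The same engine applies to a network device when the snapshot holds its routing, firewall or IDS policy settings and the standard encodes the organization's policy for them.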
Cloud and virtual environments typically have their own management interface that is used to configure the environment. As with any type of computer system, there are best practices and, oftentimes, defined organizational configuration standards for the use of cloud and virtual environments. Virtual infrastructure assessments seek to identify configurations and compare them to industry-defined best practices or custom-defined configuration standards. Service providers should allow the customer to view and manipulate the data found during an assessment, as well as provide access to the mechanisms used within assessments, to allow for validation of compliance with all standards and/or vulnerabilities scanned against.
A vendor should be able to access the management interface for the cloud/virtualization solution in place (e.g., VMware, vCenter, Amazon EC2, Azure, etc.) to retrieve configuration information automatically. A service provider also should be able to compare configurations with vendor/industry best practices, as well as custom created configuration standards.
Web application security assessments automate the process of scanning web applications for security vulnerabilities. Testing web applications is a complex task, especially if the web application utilizes multiple cloud services or a combination of public and private cloud resources (e.g., Rackspace hosting or S3 storage). Additionally, there may be layered dependencies (e.g., front end, database server, content distribution network) that require testing. Web application security assessments should cover the guidelines of OWASP, SANS and OSSTMM and include known CVEs, irrespective of whether a third party is testing a cloud web application or a cloud based assessment tool is testing the web application.
Section 3: Implementation considerations and concerns
Security assessments can be complex. The use of a SecaaS security assessment provider can simplify the execution of certain types of security assessments. However, there are considerations and concerns that should be taken into account when implementing a SecaaS security assessment. This section details some considerations and concerns that should be part of the decision-making conversation. The list is not meant to be all-inclusive, but to trigger appropriate discussion.