Security Guidance for Critical Areas of Focus in Cloud Computing V4.0
Total Page:16
File Type:pdf, Size:1020Kb
The permanent and official location for Cloud Security Alliance’security S Guidance for Critical Areas of Focus in Cloud Computing v4.0 is https://cloudsecurityalliance.org/download/security- guidance-v4/. Official Study Guide for the © 2017 Cloud Security Alliance – All Rights Reserved. The Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 (“Guidance v4.0”) is licensed by the Cloud Security Alliance under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License (CC-BY-NC-SA 4.0). Sharing - You may share and redistribute the Guidance in any medium or any format, only for non- commercial purposes. Adaptation - You may adapt, transform, modify and build upon the Guidance v4 and distribute the modified Guidance v4.0, only for non-commercial purposes. Attribution - You must give credit to the Cloud Security Alliance, link to Guidance v4.0 webpage located at https://cloudsecurityalliance.org/download/security-guidance-v4/, and indicate whether changes were made. You may not suggest that CSA endorsed you or your use. Share-Alike - All modifications and adaptations must be distributed under the same license as the original Guidance v4.0. No additional restrictions - You may not apply legal terms or technological measures that restrict others from doing anything that this license permits. Commercial Licenses - If you wish to adapt, modify, share or distribute copies of the Guidance v4.0 for revenue generating purposes you must first obtain an appropriate license from the Cloud Security Alliance. Please contact us at [email protected]. Notices: All trademark, copyright or other notices affixed onto the Guidance v4.0 must be reproduced and may not be removed. Security Guidance v4.0 © Copyright 2017, Cloud Security Alliance. All rights reserved 2 FOREWORD Welcome to the fourth version of the Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing. The rise of cloud computing as an ever-evolving technology brings with it a number of opportunities and challenges. With this document, we aim to provide both guidance and inspiration to support business goals while managing and mitigating the risks associated with the adoption of cloud computing technology. The Cloud Security Alliance promotes implementing best practices for providing security assurance within the domain of cloud computing and has delivered a practical, actionable roadmap for organizations seeking to adopt the cloud paradigm. The fourth version of the Security Guidance for Critical Areas of Focus in Cloud Computing is built on previous iterations of the security guidance, dedicated research, and public participation from the Cloud Security Alliance members, working groups, and the industry experts within our community. This version incorporates advances in cloud, security, and supporting technologies; reflects on real-world cloud security practices; integrates the latest Cloud Security Alliance research projects; and offers guidance for related technologies. The advancement toward secure cloud computing requires active participation from a broad set of globally-distributed stakeholders. CSA brings together this diverse community of industry partnerships, international chapters, working groups, and individuals. We are profoundly grateful to all who contributed to this release. Please visit cloudsecurityalliance.com to learn how you can work with us to identify and promote best practices to ensure a secure cloud computing environment. Best regards, Luciano (J.R.) Santos Executive Vice President of Research Cloud Security Alliance Security Guidance v4.0 © Copyright 2017, Cloud Security Alliance. All rights reserved 3 ACKNOWLEDGEMENTS Lead Authors Rich Mogull James Arlen Francoise Gilbert Adrian Lane David Mortman Gunnar Peterson Mike Rothman Editors John Moltz Dan Moren Evan Scoboria CSA Staff Jim Reavis Luciano (J.R.) Santos Hillary Baron Ryan Bergsma Daniele Catteddu Victor Chin Frank Guanco Stephen Lumpe (Design) John Yeoh Contributors On behalf of the CSA Board of Directors and the CSA Executive Team, we would like to thank all of the individuals who contributed time and feedback to this version of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing. We value your volunteer contributions and believe that the devotion of volunteers like you will continue to lead the Cloud Security Alliance into the future. Security Guidance v4.0 © Copyright 2017, Cloud Security Alliance. All rights reserved 4 LETTER FROM THE CEO I am thrilled by this latest contribution to the community’s knowledge base of cloud security best practices that began with Cloud Security Alliance’s initial guidance document released in April of 2009. We hope that you will carefully study the issues and recommendations outlined here, compare with your own experiences and provide us with your feedback. A big thank you goes out to all who participated in this research. Recently, I had the opportunity to spend a day with one of the industry experts who helped found Cloud Security Alliance. He reflected that for the most part CSA has completed its initial mission, which was to prove that cloud computing could be made secure and to provide the necessary tools to that end. Not only did CSA help make cloud computing a credible secure option for information technology, but today cloud computing has become the default choice for IT and is remaking the modern business world in very profound ways. The resounding success of cloud computing and CSA’s role in leading the trusted cloud ecosystem brings with it even greater challenges and urgency into our renewed mission. Cloud is now becoming the back end for all forms of computing, including the ubiquitous Internet of Things. Cloud computing is the foundation for the information security industry. New ways of organizing compute, such as containerization and DevOps are inseparable from cloud and accelerating our revolution. At Cloud Security Alliance, we are committed to providing you the essential security knowledge you need for this fast moving IT landscape and staying at the forefront of next-generation assurance and trust trends. We welcome your participation in our community, always. Best regards, Jim Reavis Co-Founder & CEO Cloud Security Alliance Security Guidance v4.0 © Copyright 2017, Cloud Security Alliance. All rights reserved 5 TABLE OF CONTENTS DOMAIN 1 DOMAIN 2 DOMAIN 3 DOMAIN 4 Cloud Computing Governance and Enterprise Legal Issues, Contracts and Compliance and Concepts and Architectures Risk Management Electronic Discovery Audit Management DOMAIN 5 DOMAIN 6 DOMAIN 7 DOMAIN 8 Information Governance Management Plane and Infrastructure Virtualization and Containers Business Continuity Security DOMAIN 9 DOMAIN 10 DOMAIN 11 DOMAIN 12 Incident Response Application Security Data Security and Encryption Identity, Entitlement, and Access Management DOMAIN 13 DOMAIN 14 Security as a Service Related Technologies Security Guidance v4.0 © Copyright 2017, Cloud Security Alliance. All rights reserved 6 DOMAIN 1 Cloud Computing Concepts and Architectures 1.0 Introduction This domain provides the conceptual framework for the rest of the Cloud Security Alliance’s guidance. It describes and defines cloud computing, sets our baseline terminology, and details the overall logical and architectural frameworks used in the rest of the document. There are many different ways of viewing cloud computing: It’s a technology, a collection of technologies, an operational model, a business model, just to name a few. It is, at its essence, transformative and disruptive. It’s also growing very, very quickly, and shows no signs of slowing down. While the reference models we included in the first version of this Guidance are still relatively accurate, they are most certainly no longer complete. And even this update can’t possibly account for every possible evolution in the coming years. Cloud computing offers tremendous potential benefits inagility , resiliency, and economy. Organizations can move faster (since they don’t have to purchase and provision hardware, and everything is software defined), reduce downtime (thanks to inherent elasticity and other cloud characteristics), and save money (due to reduced capital expenses and better demand and capacity matching). We also see security benefits since cloud providers have significant economic incentives to protect customers. However, these benefits only appear if you understand and adoptcloud-native models and adjust your architectures and controls to align with the features and capabilities of cloud platforms. In fact, taking an existing application or asset and simply moving it to a cloud provider without any changes will often reduce agility, resiliency, and even security, all while increasing costs. The goal of this domain is to build the foundation that the rest of the document and its recommendations are based on. The intent is to provide a common language and understanding of cloud computing for security professionals, begin highlighting the differences between cloud and traditional computing, and help guide security professionals towards adopting cloud-native approaches that result in better security (and those other benefits), instead of creating more risks. Security Guidance v4.0 © Copyright 2017, Cloud Security Alliance. All rights reserved 7 This domain includes 4 sections: • Defining cloud computing • The cloud logical model • Cloud conceptual, architectural, and reference model • Cloud security and compliance scope,