
AOSSL and CCM Technote

Use of Always On SSL to satisfy select control objectives of CSA Cloud Controls Matrix
December 2014

CLOUD SECURITY ALLIANCE AOSSL and CCM

© 2014 Cloud Security Alliance


All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud
Security Alliance AOSSL and CCM Technote at https://www.cloudsecurityalliance.org/research/ccm, subject to
the following: (a) the Document may be used solely for your personal, informational, non-commercial use; (b)
the Document may not be modified or altered in any way; (c) the Document may not be redistributed; and (d)
the trademark, copyright or other notices may not be removed. You may quote portions of the Document as
permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions
to the Cloud Security Alliance.

Copyright 2014, Cloud Security Alliance. All rights reserved. CONFIDENTIAL: NOT FOR DISTRIBUTION


Contents
Acknowledgments ..................................................................................................................................................... 4
1.0 AOSSL and Cloud ................................................................................................................................................. 5
1.1 What is Always On SSL? ................................................................................................................................... 5
1.2 Introduction to the CSA Security, Trust and Assurance Registry (STAR) Program and CCM .......................... 6
1.3 Using AOSSL to satisfy select control objectives of the Cloud Controls Matrix .............................................. 7
1.4 Summary ........................................................................................................................................................ 10
2.0 References and Useful Links .............................................................................................................................. 11
2.1 Useful Links .................................................................................................................................................... 11


Acknowledgments
Authors
Rick Andrews
Aloysius Cheang
Geoffrey Noakes
Jim Reavis

CSA Global Staff


Luciano J.R. Santos, Global Research Director, CSA
Kendall Cline Scoboria, Graphic Designer, Shea Media
Evan Scoboria, Co-Founder, Shea Media; Webmaster, CSA


1.0 AOSSL and Cloud


Use of Always On SSL to satisfy select control objectives of CSA Cloud Controls Matrix
Cloud computing is the future, and in many cases, the present of Information Technology. Always On SSL
(AOSSL) is rapidly becoming an essential practice to help secure Internet communications and transactions. In
this technical note, we explain how the implementation of AOSSL can satisfy the specifications of selected
control objectives of Cloud Security Alliance's Cloud Controls Matrix.

1.1 What is Always On SSL?


Secure Sockets Layer/Transport Layer Security (SSL/TLS) is a set of protocols used to provide Internet security by
authenticating the endpoints via digital certificates and encrypting communications between these same
systems. As used on the World Wide Web, it is implemented as Hypertext Transfer Protocol Secure (HTTPS).
Simply put, this adds SSL/TLS to the original web communications protocol, Hypertext Transfer Protocol (HTTP).
From the point of view of a web browser, HTTP://webaddress/ will indicate an insecure web connection, while
HTTPS://webaddress/ will indicate a secure web connection. Often, browsers will use a lock icon in the address
bar to denote a web connection protected by SSL/TLS.
Historically, SSL/TLS was only implemented when deemed absolutely necessary. Old computer systems did not
have the processing power to perform the extra computations required to encrypt all traffic and maintain
acceptable user response times. Thus, developers would make suboptimal compromises. For example, a
website may choose to encrypt credit card information, but may choose to leave user enrollment pages
unencrypted, meaning that personally identifiable information (PII) would be transmitted in plaintext.
Always On SSL (AOSSL) is a best practice that dictates that SSL/TLS should be used at all times to protect
web-based communications. As compute power has grown exponentially, the performance penalty associated with
SSL/TLS has become negligible and even invisible. AOSSL is a critical part of cloud security, as cloud services will
be in a location separate from cloud users. For anyone evaluating, building, operating a public/private/hybrid
cloud, or using Software as a Service (SaaS) applications, or connecting one cloud to another, SSL/TLS should be
considered a basic requirement, and AOSSL should be considered a fundamental best practice.


1.2 Introduction to the CSA Security, Trust and Assurance Registry (STAR) Program and Cloud Controls Matrix
The CSA Security, Trust and Assurance Registry (STAR) Program is a comprehensive set of offerings for cloud
provider trust and assurance. The CSA STAR Program is a publicly accessible registry designed to recognize the
varying assurance requirements and maturity levels of providers and consumers, and is used by customers,
providers, industries and governments around the world.
CSA STAR is based upon the comprehensive list of cloud-centric control objectives in CSA's Cloud Controls Matrix
(CCM). CCM is the only meta-framework of cloud-specific security controls, mapped to leading standards, best
practices and regulations. CCM is widely used by auditors and certification bodies to perform cloud provider
assessments. It is also used by cloud providers as a benchmarking framework for their own information security
programs and to simplify compliance with multiple requirements. Finally, it is used by cloud customers to align
their own information security best practices with the practices of their cloud providers to assure a secure
migration to cloud computing.
As of this writing, version 3.0.1 of the CCM consists of 133 control specifications within 16 discrete domains,
mapped against over 30 different external requirements, such as ISO/IEC 27001, HIPAA and PCI/DSS versions 2.0
and 3.0. The nature of each control specification may differ in the level of guidance it provides to the reader
seeking to comply with it. This provides the needed flexibility to select the best fit of security controls, as cloud
services will vary greatly in their form, function and architecture. Thus, going forward it will become useful for
the industry to provide greater elaboration on detailed controls that meet the desired control objectives. What
follows is an explanation of where AOSSL is an appropriate control for specific CCM control objectives.


1.3 Using AOSSL to satisfy select control objectives of the Cloud Controls Matrix
The following control specifications within the Cloud Controls Matrix have been identified as being addressed by
AOSSL.

Control Name: Data Security / Integrity (domain: Application & Interface Security)
CCM V3.0.1 Control ID: AIS-04
Control Specification: Policies and procedures shall be established and maintained in support of data security to
include (confidentiality, integrity and availability) across multiple system interfaces, jurisdictions and business
functions to prevent improper disclosure, alteration, or destruction.
SSL/TLS as a relevant control: SSL/TLS is the preferred mechanism for encrypting data in transmission and it
ensures the integrity of data exchanged. SSL/TLS meets the PCI requirements for compliance. AOSSL is a best
practice and ensures that all data in motion is encrypted. Use of HSTS (HTTP Strict Transport Security) is a best
practice and effectively instructs browsers to only communicate using SSL/TLS. The selected key length should
follow industry guidelines to be sufficiently large to be resilient to mathematical attacks over the anticipated
usage of the system.

Control Name: eCommerce Transactions (domain: Data Security & Information Lifecycle Management)
CCM V3.0.1 Control ID: DSI-03
Control Specification: Data related to electronic commerce (e-commerce) that traverses public networks shall be
appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a
manner to prevent contract dispute and compromise of data.
SSL/TLS as a relevant control: SSL/TLS is the preferred mechanism to ensure authentication, non-repudiation,
confidentiality, and integrity of user communications. Use of HSTS is a best practice and effectively instructs
browsers to only communicate using SSL/TLS.
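The HSTS and key-length points made in the AIS-04 row, together with the HTTP-to-HTTPS redirect that AOSSL implies, expressed as an offline posture check. This is an added example, not code from the technote or from the CSA; it assumes responses captured as plain dicts, treats a one-year HSTS max-age and a 2048-bit RSA key as the policy thresholds, and runs on constructed sample responses rather than real captures.

```python
# AOSSL posture check over captured HTTP responses. Added example, not from the CSA technote.
# Assumed (not on the page): responses as plain dicts; the one-year HSTS max-age and the
# 2048-bit RSA floor are assumed policy thresholds; sample responses below are constructed.
import re

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (assumed threshold)
MIN_RSA_BITS = 2048          # assumed "industry guideline" floor for RSA key length

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())  # value may be quoted
            if m:
                result["max-age"] = int(m.group(1))
        elif name in ("includesubdomains", "preload"):
            result[name] = True
    return result

def check_aossl(http_resp, https_resp):
    """Return a list of findings; an empty list means the origin passes the AOSSL checks."""
    findings = []
    # 1. Plain HTTP must redirect to the HTTPS origin rather than serve content.
    loc = http_resp["headers"].get("Location", "")
    if http_resp["status"] not in (301, 302, 307, 308) or not loc.lower().startswith("https://"):
        findings.append("HTTP does not redirect to HTTPS")
    # 2. The HTTPS response must carry HSTS with a long max-age that covers subdomains.
    hsts_raw = https_resp["headers"].get("Strict-Transport-Security")
    if hsts_raw is None:
        findings.append("HSTS header missing")
    else:
        hsts = parse_hsts(hsts_raw)
        if hsts["max-age"] is None or hsts["max-age"] < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if not hsts["includesubdomains"]:
            findings.append("HSTS lacks includeSubDomains")
    # 3. The certificate's RSA public key must meet the guideline floor.
    if https_resp["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key {https_resp['key_bits']} bits < {MIN_RSA_BITS}")
    return findings

# Constructed sample responses for a hypothetical tenant front end (not real captures).
GOOD_HTTP = {"status": 301, "headers": {"Location": "https://example.test/"}}
GOOD_HTTPS = {"status": 200, "key_bits": 2048, "headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}}
BAD_HTTP = {"status": 200, "headers": {}}  # serves content over plain HTTP
BAD_HTTPS = {"status": 200, "key_bits": 1024, "headers": {"Strict-Transport-Security": "max-age=300"}}
```

`check_aossl(GOOD_HTTP, GOOD_HTTPS)` returns an empty list, while the BAD pair yields one finding per failed check.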


Control Name: Key Generation (domain: Encryption & Key Management)
CCM V3.0.1 Control ID: EKM-02
Control Specification: Policies and procedures shall be established for the management of cryptographic keys in
the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public
key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key
generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon
request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the
customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility
over implementation of the control.
SSL/TLS as a relevant control: For SSL/TLS-related encryption, key management is provided by all Certificate
Authorities for public keys in customer certificates. The customer's private keys remain the management
responsibility of the customer.

Control Name: Sensitive Data Protection (domain: Encryption & Key Management)
CCM V3.0.1 Control ID: EKM-03
Control Specification: Policies and procedures shall be established, and supporting business processes and
technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage
(e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g.,
system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and
regulatory compliance obligations.
SSL/TLS as a relevant control: SSL/TLS is the preferred mechanism for encrypting data in transmission. AOSSL is
a best practice and ensures that all data in motion is encrypted. Use of HSTS is a best practice and effectively
instructs browsers to only communicate using SSL/TLS.


Control Name: Network Security (domain: Infrastructure & Virtualization Security)
CCM V3.0.1 Control ID: IVS-06
Control Specification: Network environments and virtual instances shall be designed and configured to restrict
and monitor traffic between trusted and untrusted connections, reviewed at planned intervals, supported by
documented business justification for use of all services, protocols, and ports allowed, including rationale or
compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams
must clearly identify high-risk environments and data flows that may have legal, statutory, and regulatory
compliance impacts. Technical measures shall be implemented to apply defense-in-depth techniques (e.g., deep
packet analysis, traffic throttling, and packet black-holing) for detection and timely response to network-based
attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning
attacks) and/or distributed denial-of-service (DDoS) attacks.
SSL/TLS as a relevant control: Any network environments and related technologies, for trusted as well as
untrusted networks, must support SSL/TLS 1.1. Some implementations of SSL/TLS can prevent deep packet
analysis. The implementation should be scrutinized to determine if proxied solutions allowing inspection are
appropriate and necessary.


Control Name: Wireless Security (domain: Infrastructure & Virtualization Security)
CCM V3.0.1 Control ID: IVS-12
Control Specification: Policies and procedures shall be established, and supporting business processes and
technical measures implemented, to protect wireless network environments, including the following:
  - Perimeter firewalls implemented and configured to restrict unauthorized traffic
  - Security settings enabled with strong encryption for authentication and transmission, replacing vendor
    default settings (e.g., encryption keys, passwords, and SNMP community strings)
  - User access to wireless network devices restricted to authorized personnel
  - The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely
    disconnect from the network
SSL/TLS as a relevant control: Any wireless network environments and related technologies, for trusted as well
as untrusted networks, must support SSL/TLS; all communications that flow over wireless networks will by
definition be encrypted by SSL/TLS and will therefore be protected from eavesdropping and malicious content
insertion/modification.

1.4 Summary
AOSSL is a critical best practice that improves the overall security baseline for cloud computing and reduces the
attack surface that can lead to systems compromise and data breach. Cloud Security Alliance recognizes the
importance of using SSL/TLS pervasively and recommends its usage as an important part of any organization's
catalog of controls to address compliance with our Cloud Controls Matrix.


2.0 References and Useful Links


2.1 Useful Links
Electronic Frontier Foundation HTTPS Everywhere: https://www.eff.org/https-everywhere
Online Trust Alliance Always On SSL: https://otalliance.org/resources/always-ssl-aossl
