The Inner Circle


CSA Security Guidance [version 5] Proposals

Michael O. Bayere, AWS CCP, CCSK, CIA, CISA, CISSP, CITP, CPA


  • 1.  CSA Security Guidance [version 5] Proposals

    Posted Jan 07, 2021 01:10:00 PM
    CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and align with the upcoming version 4 of the CCM and CAIQ.

    The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

    Attachment(s): Guidance v5 Proposal.pdf (513 KB)


  • 2.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 08, 2021 09:20:00 AM

    Good morning John, v.4 has been very fundamental for many organizations and it's exciting that v.5 will build upon that. I think option #2 is very well aligned to how most companies align their security practices/programs. It will allow for both strategic alignment to overarching risk reduction efforts as well as tactical areas of focus on a team/program level. Cloud concepts and cloud related technologies could be subsections for each of the 5 high level areas since each of those would be unique per area of focus.

    Happy to provide any additional information/feedback if it is valuable. 



    ------------------------------
    Ian Sharpe
    Product
    AppOmni
    ------------------------------



  • 3.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 08, 2021 07:02:00 PM
    At the risk of upsetting your cart, I think there is a 4th option, which seems to make sense to me: instead of taking the three items in red at the bottom right of Option 2, and moving them to the orange branch on the left, which is what you did to get to Option 3, merge them into the green branch (Secure Development and Delivery).

    Thus, in this putative Option 4, you would have, at the bottom right of the mindmap:
    • Secure Development and Delivery
      • DevSecOps WG
      • ERP WG
      • Application and Interface Security Domain
      • Containers and Microservices WG
      • Infrastructure and Virtualization Security Domain
      • Serverless WG

    Another point is, three related technologies (Blockchain, IoT, IA) are listed because there are WGs associated with them. But does this really belong in the Guidance document? Would it make more sense to call out the vertical domains and their specific requirements for security? Healthcare, Finance (which would probably include Blockchain, although of course there are other use cases for DLTs), Industrial Automation (which would include IoT), Power Distribution, Transportation, ...

    Feel free to criticize or ignore...

    ------------------------------
    Claude Baudoin
    cébé IT Knowledge Management
    Co-Chair, OMG Cloud Working Group
    https://www.omg.org/cloud
    ------------------------------



  • 4.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 08, 2021 11:37:00 PM
    Hi

    I think covering topics like DevOps or Secure development could be left to the specialists in that field, there is plenty of good practice available from OWASP, BSIMM, ISO and other organisations in this area. DevOps is also cultural, and a series of processes. It might make the guidance overly complicated with little gain (given there is a lot of guidance out there already).

    I think option 2 sounds good, and covers the vast majority of what is needed.
    Operational security - we can look to blend items from COBIT or similar as needed, as cloud providers don't really talk about the "run" of cloud, which is a key theme missing in all of their onboarding frameworks.

    ------------------------------
    Abhishek Vyas CISSP ¦ CCSP ¦ TOGAF
    ------------------------------



  • 5.  RE: CSA Security Guidance [version 5] Proposals

    CSA Instructor
    Posted Jan 09, 2021 07:21:00 AM
    Hi John
    I like where this is going, but could you change the PDF so that it is actually readable when printed out? 
    It is really small now.

    ------------------------------
    Peter HJ van Eijk
    CCSK & CCAK trainer
    https://www.clubcloudcomputing.com/
    ------------------------------



  • 6.  RE: CSA Security Guidance [version 5] Proposals

    CSA Instructor
    Posted Jan 11, 2021 04:20:00 AM
    Hi John,
    I like option number 3 the most.
    Why?
    Because the domains are consistent with the different areas/disciplines that we have in information security (GRC, AppSec, DevSecOps, etc.)

    good work



    ------------------------------
    Moshe Ferber
    ------------------------------



  • 7.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 11, 2021 10:26:00 AM
    Edited by Rajeev Gupta Jan 12, 2021 11:41:10 AM
    That's a nice ice breaker to get ideas flowing John. Can I bring one fact to the table? This guidance is not going to be a standalone document but will be used in conjunction with CAIQ. I still think that Option 1 is "granular" enough given this fact and also that cloud architectures can have several permutations/combinations. It does sound a looong list in Option 1 but I think it's more "manageable" if you get what I mean. Let's keep those thoughts coming.

    ------------------------------
    Rajeev Gupta Risk Taker
    ------------------------------



  • 8.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 12, 2021 07:24:00 AM
    Edited by Erik Johnson Jan 12, 2021 07:27:49 AM
    I'd recommend that significantly enhancing cloud Shared Security Responsibility Model (SSRM) guidance to align with and support the SSRM STA controls and corresponding CCM and CAIQ template content should be a top priority. In developing that CCM & CAIQ content we identified the need for more comprehensive SSRM guidance (above and beyond individual control guidance) to support proper execution and management of the SSRM over the full service lifecycle for all the different service models by the applicable roles (CSP, CSC, audit/assessment, etc.). The CSA Security Guidance doc definitely seems like the right home for it.

    The CSA has long been a champion (and even a pioneer?) in the SSRM space.  It's time to take SSRM guidance to the next level.  I'd be glad to assist in its development.

    To this end I'd suggest the Hybrid option #3.

    ------------------------------
    Erik Johnson CISSP, CCSK, CCSP, PMP
    Erik Johnson | LinkedIn
    ------------------------------



  • 9.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 12, 2021 09:32:00 AM
    Hi, all.

    I vote for option 3.

    In my opinion, Operational security is a mandatory part. Operational security is ultimately responsible for the protection of cloud infrastructure. Too broad definitions of governance, risk and compliance are of little help for engineers. There should be tangible recommendations for engineers.

    I like that Serverless and Containers security have their own sections in the 3rd option.

    Best regards,
    Dmitrijs Mohoviks

    ------------------------------
    Dmitrijs Mohoviks
    Head of Security Operations
    4finance
    ------------------------------



  • 10.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 13, 2021 07:45:00 PM
    Hello John,

    I agree with you that the CSA Security Guidance v4 has become the go-to guide for cloud security best practices.  Aligning it with the upcoming version 4 of the CCM and CAIQ makes sense.

    I feel that the five high level areas in the option#2 make the guidance easier to understand since it maps well with the organizational security programs across the industry.

    Also, I like option #2 since Infrastructure and Platform Security is a separate domain and not included as part of operational security, as in option #3.

    ------------------------------
    Vani Murthy, CISSP CRISC PMP ITIL
    Cloud Security Architect
    Akamai Technologies, MA, USA
    ------------------------------



  • 11.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 18, 2021 07:24:00 AM
    Hello John
    I like Option 2 as it is aligned with CCM v4 Domains. I'd recommend to add the cloud Shared Security Responsibility Model (SSRM) as Erik Johnson suggested.

    ------------------------------
    Mamane IBRAHIM
    ------------------------------



  • 12.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 18, 2021 08:25:00 AM
    Hi John,

    Option 2 appears to be the best of all because of its alignment and clarity.

    Thank you!

    ------------------------------
    Michael Bayere
    Principal Officer
    CAS Assurance, LLC (CPA)
    Miramar FL
    ------------------------------



  • 13.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 20, 2021 02:02:00 PM
    I like option 2.

    ------------------------------
    Brian Dorsey
    ------------------------------



  • 14.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 26, 2021 11:52:00 AM
    Like several others, I vote for Option 2. 

    Also, I would love to be a contributor for this new release, as I think it is much needed and will continue to be an excellent resource for the community. How do I go about doing so, @John Yeoh?

    ------------------------------
    Christopher Hughes
    ------------------------------



  • 15.  RE: CSA Security Guidance [version 5] Proposals

    Posted Jan 31, 2021 11:01:00 AM
    I would opt for option 2 - as this relates more to common domains.
    However, I also agree with Abhishek's comment on DevOps/secure development and the overlap with other organizations.

    ------------------------------
    Saan Vandendriessche CCSP | CISSP | CRISC
    Brussels - Belgium
    ------------------------------



  • 16.  RE: CSA Security Guidance [version 5] Proposals

    Posted Feb 01, 2021 01:03:00 PM

    From a GRC and Policy viewpoint, Option 2 headings/categories make a sound logical construct of the whole landscape.

    Option 3 concerns me in that the 'Infrastructure and Platforms' components have been hidden away somewhere; but the Application component gets a top-level mention. Why?

    I also agree with the various comments around DevSecOps (which is a better topic than just DevOps) being well covered by other organisations that specialise in those disciplines; and the comments around including the SSRM viewpoint somewhere in the structure.



    ------------------------------
    Phil Cutforth
    Manager, Policy & Research, and GCISO Office
    NCSC NZ
    ------------------------------



  • 17.  RE: CSA Security Guidance [version 5] Proposals

    Posted Feb 02, 2021 02:56:00 AM
    Option 2 is more related to prevailing domains.


    ------------------------------
    Manuel Dantas
    ------------------------------



  • 18.  RE: CSA Security Guidance [version 5] Proposals

    Posted Feb 04, 2021 06:59:00 AM
    Good Morning John

    I would go more for option 2.
    I see that the points are very aligned to the new CCM; also, the proposed model of the SSRM would be very interesting.

    Regards

    ------------------------------
    Alfredo Alva
    Head of Cybersecurity at Niubiz
    VP CSA, Peru Chapter
    ------------------------------




  • 19.  RE: CSA Security Guidance [version 5] Proposals

    Posted Feb 05, 2021 07:25:00 AM
    In line with all the other responses, CSA guidance is the go to resource for best practices and actionable guidance on all things cloud. I really liked Option 2 as it covers the most critical elements from security domains & lifecycle as it relates to day to day responsibilities of securing workloads.

    ------------------------------
    Satyajeet Rattan
    VP, Information Security Architecture & Engineering
    Synchrony
    ------------------------------



  • 20.  RE: CSA Security Guidance [version 5] Proposals

    Posted Feb 05, 2021 01:18:00 PM
    On the note of version 5, how do those interested in contributing sign up to participate for specific sections?

    Chris Hughes 





  • 21.  RE: CSA Security Guidance [version 5] Proposals

    Posted Feb 24, 2021 10:40:00 AM
    Hello, for those of us who would like to contribute to the latest release, how do we ensure we get the opportunity to do so?

    ------------------------------
    Christopher Hughes
    ------------------------------