The Trusted Cloud Initiative Reference Architecture


02 Nov 2017


Architecture must be guided by business requirements. In the case of the Trusted Cloud Initiative, these requirements come from a controls matrix guided by regulations such as Sarbanes-Oxley and Gramm-Leach-Bliley, standards frameworks such as ISO-27002 and the Payment Card Industry Data Security Standard, and IT audit frameworks such as COBIT, all in the context of cloud delivery models such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

From these requirements, a set of security capabilities has been defined and organized according to best-practice architecture frameworks. The Sherwood Applied Business Security Architecture (SABSA) defines security capabilities from a business perspective. The Information Technology Infrastructure Library (ITIL) defines the capabilities needed to manage the IT services of the company, and thus the security capabilities necessary to manage those services securely. The Jericho Forum defines technical security capabilities that arise from the shift away from traditional in-the-datacenter technology environments to one where solutions span the internet across multiple datacenters, some owned by the business and some purely used as outsourced services. Lastly, The Open Group Architecture Framework (TOGAF) provides an enterprise architecture framework and methodology for planning, designing and governing information architectures, and thus a common framework to integrate the work of the security architect with the enterprise architecture of an organization.

You can interact with and learn more about the TCI Reference Architecture online at https://research.cloudsecurityalliance.org/tci/.

TCI Reference Architecture

How to Use the TCI Reference Architecture

The TCI Reference Architecture can be used in multiple enterprise security design phases, from assessing opportunities for improvement and creating road maps for technology adoption, to defining reusable security patterns and assessing various cloud providers and security technology vendors against a common set of capabilities.

Security and Risk Management

Protecting data and managing risk

Security and Risk Management includes the passwords, firewalls and encryption that protect computer systems and data. It is the processes that define policies and audit systems against those policies. It uses ethical hackers and tools to test for weak spots in the systems. These services are what most people think of when they think of cyber security.

DESCRIPTION

The Security and Risk Management domain provides the core components of an organization’s Information Security.

Programs are put in place to safeguard assets and to detect, assess and monitor risks inherent in operating activities. Capabilities include Identity and Access Management, GRC (Governance, Risk Management and Compliance), Policies and Standards, Threat and Vulnerability Management, Infrastructure Protection and Data Protection.

EXAMPLE

An employee working from home must log into the corporate VPN using the one-time password token on his key fob. A new website being built is tested for compliance with corporate security policies. A thief cannot read data on a stolen laptop if its hard drive has been encrypted.

SERVICES PROVIDED

Governance, Risk and Compliance: GRC encompasses, integrates and aligns activities such as corporate governance, enterprise risk management, and corporate compliance with applicable laws and regulations. Components include:

Compliance management assures compliance with all internal information security policies and standards;

Vendor management ensures that service providers and outsourcers adhere to intended and contractual information security policies applying concepts of ownership and custody;

Audit management highlights areas for improvement;

IT risk management ensures that risks of all types are identified, understood, communicated, and either accepted, remediated, transferred or avoided;

Policy management maintains an organizational structure and process that supports the creation, implementation, exception handling and management of policies that represent business requirements;

Technical awareness and training increases the ability to select and implement effective technical security mechanisms, products, processes and tools.

Information Security Management: The main objective of Information Security Management is to implement the appropriate measures in order to minimize or eliminate the impact that security-related threats and vulnerabilities might have on an organization. Measures include:

Capability Maturity Models identify stages of development of an organization, from an immature state through several levels of maturity as the organization gains experience and knowledge;

Capability Mapping Models describe what a business does to reach its objectives, and promote a strong relationship between the business model and the technical infrastructure that supports the business requirements, resulting in a view that can be understood by both the business and IT;

Roadmaps, in the form of security architectures, provide a path to be followed by individual projects serving individual business initiatives;

Risk Portfolios are where identified risks are registered, monitored and reported.

Dashboards for security management and risk management are used to measure and report the level of effectiveness of decisions and to help the organization make new decisions that maintain and improve that effectiveness. Analysis and plans for remediating residual risks are also part of the overall risk management framework.

Privilege Management Infrastructure: Privilege Management Infrastructure ensures users have access and privileges required to execute their duties and responsibilities with Identity and Access Management (IAM) functions such as identity management, authentication services, authorization services and privilege usage management. This security discipline enables the right individuals to access the right resources at the right times for the right reasons. It addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments and meet increasingly rigorous compliance requirements.

The technical controls of Privilege Management Infrastructure focus on identity provisioning, password, multi-factor authentication and policy management. This security practice is a crucial undertaking for any enterprise. It is also increasingly business-aligned, and it requires business skills, not just technical expertise.

Threat and Vulnerability Management: This discipline deals with core security activities such as vulnerability management, threat management, compliance testing and penetration testing. Vulnerability management is a complex endeavor in which enterprises track their assets, monitor and scan for known vulnerabilities, and take action by patching the software, changing configurations, or deploying other controls in an attempt to reduce the attack surface at the resource layer. Threat modeling and security testing are also part of these activities, so that vulnerabilities are identified effectively.

Infrastructure Protection Services: Infrastructure Protection Services secure Server, End-Point, Network and Application layers. This discipline uses a traditional defense in-depth approach to make sure containers and pipes of data are healthy. The controls of Infrastructure Protection Services are usually considered as preventive technical controls such as IDS/IPS, Firewall, Anti-Malware, White/Black Listing and more. They are relatively cost-effective in defending against the majority of traditional or non-advanced attacks.

Data Protection: In the information age, data is an asset. However, most data remains valuable only if it is protected. Data protection needs to cover all data lifecycle stages, data types and data states. Lifecycle stages include creation, storage, access, roaming, sharing and retirement. Data types include unstructured data such as word processing documents, structured data such as data within databases, and semi-structured data such as emails. Data states include data at rest (DAR), data in transit (DIT), also known as "data in motion" or "data in flight", and data in use (DIU). The controls of Data Protection are data lifecycle management, data leakage prevention, intellectual property protection with digital rights management, and cryptographic services such as key management and PKI/symmetric encryption.

Policies and Standards: Security policies are part of a logical abstraction of Enterprise Security Architecture. They are derived from risk-based business requirements and exist in a number of different levels, including Information Security Policy, Physical Security Policy, Business Continuity Policy, Infrastructure Security Policies, Application Security Policies as well as the overarching Business Operational Risk Management Policy. Security Policies are statements that capture requirements specifying what type of security and how much should be applied to protect the business. Policies typically state what should be done, while avoiding reference to particular technical solutions. Security Standards are an abstraction at the component level and are needed to ensure that the many different components can be integrated into systems.

Internationally recognized standards for various aspects of security from standards bodies include ISO, IETF, IEEE, ISACA, OASIS and TCG. Direction can also be provided in the form of operational security baselines, job aid guidelines, best practices, correlation of regulatory requirements, and role-based awareness. One way to approach security policy and its implementation is to classify information and associate policies with the resulting classes of data.
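The two passages above (Privilege Management Infrastructure, and Policies and Standards) describe policy as statements of what must be done for a class of data, enforced through identity and access controls. The following is an added example, not code from the CSA or the TCI architecture: a small policy engine that maps an information classification and data state (DAR, DIT, DIU) to required controls, and an access check that applies role ceilings and a multi-factor requirement on top of it. The classification levels, control names, roles and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Set, Tuple


class Classification(IntEnum):
    """Constructed information classes, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Data states named in the text: at rest (DAR), in transit (DIT), in use (DIU).
DATA_STATES = ("DAR", "DIT", "DIU")


def required_controls(level: Classification, state: str) -> Set[str]:
    """Return the control statements policy imposes for one class/state pair.

    The mapping is constructed for this example. Policy says *what* must be
    done (encrypt, log, restrict sharing), not which product does it.
    """
    if state not in DATA_STATES:
        raise ValueError(f"unknown data state {state!r}")
    controls: Set[str] = set()
    if level >= Classification.INTERNAL:
        controls.add("authenticated-access")
        if state == "DIT":
            controls.add("encrypted-transport")
    if level >= Classification.CONFIDENTIAL:
        controls.add("leakage-prevention")
        if state == "DAR":
            controls.add("encryption-at-rest")
        if state == "DIU":
            controls.add("session-audit-logging")
    if level == Classification.RESTRICTED:
        controls.add("multi-factor-authentication")
        controls.add("managed-keys")
        controls.add("rights-management-on-share")
    return controls


# Privilege management: each role carries a ceiling, the highest class it may
# access. Constructed roles; a real IAM directory supplies the actual ones.
ROLE_CEILING = {
    "contractor": Classification.PUBLIC,
    "employee": Classification.INTERNAL,
    "analyst": Classification.CONFIDENTIAL,
    "data-custodian": Classification.RESTRICTED,
}


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: FrozenSet[str]
    mfa_passed: bool
    level: Classification
    state: str = "DIU"  # an access request is data in use by default


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Decide a request from role ceilings plus the controls policy demands."""
    ceilings = [ROLE_CEILING[r] for r in req.roles if r in ROLE_CEILING]
    if not ceilings:
        return False, "no recognized role"
    ceiling = max(ceilings)
    if ceiling < req.level:
        return False, f"role ceiling {ceiling.name} below {req.level.name}"
    controls = required_controls(req.level, req.state)
    if "multi-factor-authentication" in controls and not req.mfa_passed:
        return False, "MFA required for RESTRICTED data"
    summary = ", ".join(sorted(controls)) or "no additional controls"
    return True, "allowed; enforce " + summary


if __name__ == "__main__":
    for req in (
        AccessRequest("alice", frozenset({"analyst"}), False, Classification.CONFIDENTIAL),
        AccessRequest("alice", frozenset({"analyst"}), True, Classification.RESTRICTED),
        AccessRequest("bob", frozenset({"data-custodian"}), False, Classification.RESTRICTED),
        AccessRequest("bob", frozenset({"data-custodian"}), True, Classification.RESTRICTED),
    ):
        print(req.subject, req.level.name, authorize(req))
```

Because `required_controls` is the single source of truth, the same function can drive a compliance check (does a system hosting CONFIDENTIAL data implement encryption-at-rest?) and a runtime authorization decision, which is the alignment between policy and technical control the text describes.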

RELATIONSHIPS TO OTHER DOMAINS

SRM provides the security context for IT Operations and Support. Security aspects of ITOS capabilities and functions are critical to the delivery of IT services supporting a business. SRM is a key component of Operational Risk Management under Business Operation Support Services, as Security Risks are crucial data points of the organization’s business intelligence, which supplies information necessary to make sound business decisions. Human Resources supports the SRM agenda through vigilant attention to the workforce. SRM provides Identity and Access Management services that are prerequisite to the presentation of data to users. Protection of data in transit, at rest and in use is a critical underpinning to the processing and manipulation of data by application services. SRM has a dependency on the core components and capabilities provided by Infrastructure Services, including physical security of facilities and patch management.

Information Technology Operation & Support

Managing IT Processes

ITOS is the IT Department. It is the help desk that takes the call when a problem is found. It is the teams that coordinate changes and roll them out in the middle of the night. It is the planning and process that keep the systems going even in the event of a disaster.

DESCRIPTION

ITOS outlines all the services an IT organization needs in order to support its business needs. This domain aligns industry standards and best practices (PMBOK, CMMI, ISO/IEC 27002, COBIT and ITIL v3), providing a reference from two main perspectives that enable the organization to support its business needs.

However, relationships between technology components are not intended to be a one-to-one match to the process touch points described in PMBOK, ISO/IEC 27002, CMMI, COBIT and ITIL v3.

EXAMPLE

An employee receives a suspicious email, which she thinks may contain a malware program. She notifies the help desk. The help desk opens a security incident, and a response team works to block the sender, identify other affected users, and restore any damage that may have been done.

SERVICES PROVIDED

IT Operation: IT Operation defines the organizational structure, skill requirements of an IT organization, and standard operational management procedures and practices to allow the organization to manage an IT operation and the associated infrastructure.

IT Operation capabilities are oriented to align the business and IT strategies. The management of the project and technology portfolios ensures architecture governance throughout IT.

Service Delivery: Service Delivery deals with technologies essential in maintaining uninterrupted technical services. Services in this category typically include those that are more appropriate to the technical staff, such as availability management, service level management, service continuity and capacity management.

Although those categories alone are enough to satisfy ITIL service management guidelines, a number of other IT disciplines are closely aligned with service support and delivery, such as project management, service provisioning and portfolio management.

Service Delivery is primarily concerned with the proactive and forward-looking services that the business requires from Information Technology in order to provide adequate support to the business users. It is focused on the business as the customer of the IT services.

Service Support: Service Support is focused on the users and is primarily concerned with ensuring that they have access to the appropriate services to support the business functions.

To the business customers and users, Service Support is the entry point for service requests. Users become involved in service support by:

Asking for changes;

Needing communication and updates;

Having difficulties and queries.

The service desk is the single contact point for customers to record their problems. The service desk tries to resolve problems if there is a direct solution, or it creates an incident. Incidents initiate a chain of processes: Incident Management, Problem Management, Change Management, Release Management and Configuration Management (see following sections for details). This chain of processes is tracked using the Configuration Management Database (CMDB), which records each process and creates output documents for traceability (Quality Management).

Incident Management: Architectural patterns for incident management include services for trouble ticketing and incident classification. Incident Management interacts with other areas of the architecture either directly, as with the service desk, indirectly through manipulation of common data, or asynchronously as part of a business process for incident management. Incidents begin their lives either as a phone-in incident from a human, as a detected error in the environment (usually the result of event correlation from the Systems Management domain), or via incident messaging from another application.

Problem Management: Problem Management deals with the incident after it has started to cycle through the remediation process. Problem Management architecture interacts with the service desk. Problem Management offers advanced root cause analysis tools and technologies, and interfaces with the information repositories to perform trending and prevention services within the environment.

Knowledge Management: Usually, as incidents are resolved and root cause analysis takes place, a significant amount of knowledge can be lost, causing delays when some of these incidents reappear over time.

The Knowledge Management process accumulates root cause solutions, or information regarding how incidents were resolved. Once this knowledge is collected, it is transformed into Frequently Asked Questions or self-service capabilities that the user and technical support communities can reuse to resolve issues with the IT services.

Change Management: Change Management is a major pattern that acts as an intermediary between request, release and configuration/provisioning. It allows for management of scope, impact analysis, as well as scheduling of change. Change Management provides one of the primary inputs into configuration management from a data maintenance perspective to keep application data up-to-date.

Release Management: The Release Management architecture is the set of conceptual patterns that support the movement of pre-production technical resources into production. Pre-production includes all the activities that are necessary to prove that a particular resource is appropriate for the technical, business, and operational environment and does not exceed a risk profile for a particular task. Significant Release Management patterns include those for release scheduling, release acceptance, and audit. Release Management plays a vital role both as a process and as a set of technologies, and it provides a vital control point for request, change, and configuration management processes and architectures.

RELATIONSHIPS TO OTHER DOMAINS

The use of the ITOS analytic services such as data warehousing, data marts, and common operational data stores are key to enabling an effective business operation service.

ITOS supports the Business Operation Support Services, in order to maintain tactical and strategic alignment between the business and IT.

ITOS implements Presentation, Application, Information and Infrastructure services.

Business Operation Support Services

Partners with the business

The BOSS domain is all the corporate support functions such as Human Resources, Compliance and Legal that are critical to a security program. It is also the place where the operations of the company and its systems are monitored for any signs of abuse or fraud.

DESCRIPTION

BOSS is designed based on best practices and reference frameworks with proven success of aligning the business and transforming the information security practice across organizations into a business enabler.

Most of the security architectures focus only on technical capabilities, missing the opportunity to create a dynamic synergy with the business, transforming reactive practices into proactive areas that eventually can enable business command centers that provide relevant information about the health around information assets and business processes.

A common concern when organizations decide to integrate services with cloud providers is the level of security the provider is to offer, as well as the amount of exposure when data is hosted on a multi-tenant model. This domain outlines aspects that must be considered besides the technological solutions, such as legal guidance, compliance and auditing activities, human resources and monitoring capabilities with a focus on fraud prevention.

EXAMPLE

The security monitoring tool alerts an analyst that a customer withdrawal transaction is initiated from a workstation in the IT department instead of the customer contact center. A special investigation is held with the help of HR and Legal to determine that a disgruntled system administrator has been stealing from the company.

SERVICES PROVIDED

Compliance: The main focus of Compliance capabilities is to track internal, external and third-party (for example, customer) audit activities and their related findings. For compliance, it is necessary to have a common repository that allows the organization to track and remediate the technical or operational gaps outlined by these findings.

Audit activities should include the development of an annual plan that can simplify the audit process throughout the year and prevent redundant tasks.

A regulatory mapping process helps the organization organize and simplify the control evidence that each capability or process generates, and store it in the risk registry (Information Services domain).

Data Governance: As the organization manages data between Applications, Services and Enterprise Information Integration activities, there is a need to have a well-defined governance model that outlines and looks for compliance on how data is massaged, transformed and stored throughout the IT infrastructure, including internal and external services (i.e. SaaS, PaaS, IaaS, ASP or others).

Processes included as part of Data Governance include data ownership, how data should be classified, and responsibilities that data/asset owners have for their applications and services, as well the necessary controls for data throughout the lifecycle.

Operational Risk Management: Operational Risk Management provides a holistic perspective for risk evaluation from the business perspective. Using the Risk Management framework gives insight into the risks and threats to the organization, and the framework provides the means to assess, manage and control the different risks across the organization.

An Operational Risk Committee (ORC) should be in place to periodically discuss the threat and compliance landscape the organization faces over time. Usually, the participants in this committee are grouped by business (e.g. CEO, COO, CIO and CFO), compliance (CRO and Compliance Officers) and control personnel (Audit, Security and Risk Management).

Business impact assessment methodologies help the organization identify which processes are critical for the organization, plan accordingly to protect them, ensure proper continuity plans, and measure the associated risk using Key Risk Indicators.

Key Risk Indicators can be monitored periodically through a risk scorecard, integrating information from security monitoring services or information consolidated on the Information Services Domain.

Human Resources Security: Often, security incidents and breaches happen to organizations because there are no formal controls, awareness, and guidelines for the most important asset that organizations have — people.

This section is created to make sure that formal procedures, codes of conduct, personnel screening, and other best practices are in place for the organization, especially for third parties that support the cloud services an organization may use.

Security Monitoring Services: The security and availability monitoring services are positioned in the Business Operations and Support Services Domain to ensure that the business is the focus, not the events or hardware. It is a common mistake not to focus the security function on the business operations, the processes, and the human behavior behind those processes. Transforming typical infrastructure monitoring into a business operations center, focused on fraud prevention, alignment with the business strategy, business impacts, and operational needs, is the goal of a successful security monitoring service.

Organizations usually concentrate their monitoring activities only on the reactive mode, losing the opportunity to become a business partner. By using monitoring services, businesses are able to identify new opportunities for process improvement as knowledge about employees’ behavior is collected.

In many institutions there are employees that have more access than others to the most critical information, such as customer data, credit cards, etc. If the Security Monitoring Services focus on those users and their behavior, potential fraudulent activities can be prevented.

As the monitoring services become less reactive and more proactive, the focus of Security Monitoring Services shifts from internal to external threats. This architecture outlines several capabilities oriented on cyber intelligence, looking to prevent threats before they become security incidents.
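The Security Monitoring Services passage above argues for monitoring focused on business processes and on the behavior of users with privileged access, and the domain's EXAMPLE describes a withdrawal initiated from an IT workstation rather than the contact center. The following is an added example, not code from the CSA or the TCI architecture, showing what such business-focused detection logic looks like when run over audit-log lines. The log format, user names, departments, actions and the read-volume baseline are all constructed for this illustration; a real deployment would take them from the organization's own systems and from an observed baseline.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events in a "timestamp key=value ..." audit-log style.
# Nothing here is real data; the scenario mirrors the BOSS example in the text.
SAMPLE_LOG = """\
2017-11-02T09:14:03Z user=mlee dept=contact-center host=cc-ws-04 action=customer_withdrawal account=A1001
2017-11-02T09:15:10Z user=jroe dept=it host=it-ws-17 action=customer_withdrawal account=A1002
2017-11-02T09:16:41Z user=jroe dept=it host=it-ws-17 action=customer_record_read account=A1003
2017-11-02T09:16:52Z user=jroe dept=it host=it-ws-17 action=customer_record_read account=A1004
2017-11-02T09:17:05Z user=jroe dept=it host=it-ws-17 action=customer_record_read account=A1005
2017-11-02T09:17:19Z user=jroe dept=it host=it-ws-17 action=customer_record_read account=A1006
2017-11-02T09:20:00Z user=mlee dept=contact-center host=cc-ws-04 action=customer_record_read account=A1007
2017-11-02T09:21:30Z user=kday dept=it host=it-ws-02 action=customer_record_read account=A1008
"""

# Business-process knowledge: which departments are expected to originate a
# high-risk action. Constructed; in practice this comes from process owners.
EXPECTED_ORIGIN = {"customer_withdrawal": {"contact-center"}}

# Departments whose users hold broad (privileged) access to customer data, and
# how many customer-record reads such a user normally performs in one window.
PRIVILEGED_DEPTS = {"it"}
READ_BASELINE = 3


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'timestamp k=v k=v ...' line; the first token is the timestamp."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(lines: List[str]) -> List[Alert]:
    """Run the two business-focused rules over log lines and return alerts.

    Rule 1 fires per event: a high-risk action from a department that does not
    own that process. Rule 2 fires per user after the pass: a privileged user
    whose customer-record reads exceed the baseline for the window.
    """
    alerts: List[Alert] = []
    reads: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        action = ev.get("action", "")
        dept = ev.get("dept", "")
        expected = EXPECTED_ORIGIN.get(action)
        if expected is not None and dept not in expected:
            alerts.append(Alert(
                "high-risk-action-origin-mismatch", ev.get("user", "?"),
                f"{action} from {ev.get('host', '?')} ({dept}); expected {sorted(expected)}"))
        if action == "customer_record_read" and dept in PRIVILEGED_DEPTS:
            reads[ev.get("user", "?")] += 1
    for user, count in reads.items():
        if count > READ_BASELINE:
            alerts.append(Alert(
                "privileged-read-volume", user,
                f"{count} customer record reads in window; baseline {READ_BASELINE}"))
    return alerts


def detect_text(log: str) -> List[Alert]:
    """Convenience wrapper for a multi-line log string."""
    return detect(log.splitlines())


if __name__ == "__main__":
    for alert in detect_text(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.user}: {alert.detail}")
```

On the constructed log this raises two alerts, both against the IT user: the withdrawal from an IT workstation, and a volume of customer-record reads above the baseline, while the contact-center agent and the IT user with two reads stay quiet. The point of the design is that both rules are expressed in terms of the business process (who is expected to do what, and how much) rather than in terms of hardware events, which is the shift the passage describes.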

Legal Services: As security incidents occur, the need for legal counsel is critical for organizations. There are several capabilities included that may help legal counsels lead compliance activities, deal with lawsuits, and track preventive awareness across the organization.

Capabilities that can help increase, track and manage regulatory compliance are also included and detailed in this section.

Internal Investigation: The role for Internal Investigations varies across organizations; some companies have their information security teams performing forensic activities, and more mature companies may have a dedicated team focused on internal and/or external fraud activities.

To better assist investigators, capabilities are oriented to better enable Security Incident Response, Cyber Intelligence, Legal, Security Monitoring, HR and Information Security teams.

RELATIONSHIPS TO OTHER DOMAINS

Business Operations Support Services defines the high-level policy requirements for IT Operation Support Services, Presentation Services, Application Services, Information Services, Infrastructure Services and Security & Risk Management. BOSS embodies the direction of the business and objectives of the cloud consumer. BOSS is embodied in the Compliance objectives, Legal objectives, Human Resource requirements, Operational Risk tolerance, and Security Monitoring services that are required to satisfy a client’s service-level objectives and jurisdictional legislative mandates.

The BOSS domain works to align the ITOS and the SRM domains with the business’ desired strategy, capabilities and risk portfolio.

Technology Solution Domains

DESCRIPTION

IT solutions can be thought of as a stack of technology: the computers and networks are the bottom layer, followed by the data that runs on them, the applications that manipulate the data, and the actual interactions that the users have with the stack. The four technology solution domains (Presentation Services, Application Services, Information Services and Infrastructure Services) are based on the standard multi-tier architecture that is used to build these solutions. The CSA Reference Architecture does not get into all the details of how that architecture works, but instead gets into the details of the security concerns and required services for each tier in the solution.

Presentation Services

Interaction with the user

Presentation is the website you see when you go to the online bank. It is the voice on the phone when you call the airline reservation system.

DESCRIPTION

The Presentation Services domain is where the end-user interacts with an IT solution. The security requirements for the Presentation domain vary with the type of user and the type of service being provided. For instance, a Business-to-Consumer (B2C) website has different security concerns compared to a social media website. The security requirements also vary based on the types of endpoints being used by the end-user.

EXAMPLE

A mobile device provides the risk of locally-stored data being lost with the device, and a shared public kiosk provides the risk of subsequent end-users having access to prior users’ data.

SERVICES PROVIDED

Presentation Modality: The Presentation Modality Services focus on the security concerns that differ based on the type of user and type of service. The two major types are consumer service platforms like Social Media, Collaboration, Search, Email, e-Readers and Enterprise Service Platforms like Business-to-Consumer (B2C), Business-to-Employee (B2E), Business-to-Business (B2B) and more.

Presentation Platform: The Presentation Platform Services focus on the different types of endpoints that end-users utilize to interact with a solution, such as desktops, mobile devices such as smart phones and tablets, portable devices such as laptops, or special-purpose devices such as medical devices or smart appliances. The presentation platform also includes the different interaction technologies, such as speech recognition or handwriting recognition, that could be used to interact with a solution.

RELATIONSHIPS TO OTHER DOMAINS

Presentation Services utilizes the Security and Risk Management domain to authenticate and authorize the end user, to protect the data on the endpoint device and in transit to the Application Services domain, and to protect the endpoint device itself from tampering, theft and malware. The Information Technology Operation and Support domain supplies services to deploy and make changes to the endpoints and to manage problems and incidents that the end users experience. The Business Operation Support Services domain provides security monitoring of the endpoints, and HR and Compliance policies for end-user usage of IT solutions.
