
www.cloudsecurityalliance.org Copyright 2013 Cloud Security Alliance


A view from the Cloud Security Alliance peephole
Cloud
One million new mobile devices - each day!
Social Networking
Digital Natives
State Sponsored Cyberattacks?
Organized Crime?
Legal Jurisdiction & Data Sovereignty?
Global Security Standards?
Privacy Protection for Citizens?
Transparency & Visibility from Cloud Providers?
Shift the balance of power to consumers of IT
Enable innovation to solve difficult problems of humanity
Give the individual the tools to control their digital destiny
Do this by creating confidence, trust and transparency in IT systems
Security is not overhead, it is the enabler
Global, not-for-profit organization, founded 2009
Geographically divided into Americas, EMEA and APAC regions to meet strategic objectives
200-member-driven organization with over 48,000 individual members in 64 chapters worldwide
Established with the aim of bringing trust to the cloud
Develop a global trusted cloud ecosystem
Building best practices and standards for next-gen IT
Grounded in an agile philosophy, rapid development of applied research that supports all activities
Corporate HQ is established in Singapore
Global CSA Research Centre
Global Standards Secretariat
CCSK Global Centre of Excellence
Secondary hub is established in Hong Kong, anchored by the CloudCERT APAC Operational Base
Both locations also serve as APAC business centres, serving as a regional hub and operations magnet for our members
Subsequently, satellite hubs are established in Thailand, Taiwan and New Zealand
CSA research is organized under a framework based on the CSA Security Guidance for Critical Areas of Focus in Cloud Computing
Total of 14 domains organised under 3 key areas of focus: Architecture, Governance and Operational Security
Our research includes fundamental projects needed to define and implement trust within the future of information technology
CSA continues to be aggressive in producing critical research, education and tools
Sponsorship opportunities
Selected research projects in following slides
GRC Stack
Family of 4 research projects:
Cloud Controls Matrix (CCM)
Consensus Assessments Initiative (CAI)
Cloud Audit
Cloud Trust Protocol (CTP)
Impact to the Industry
Developed tools for governance, risk and compliance management in the cloud
Technical pilots
Provider certification through STAR program
(Figure: Control Requirements, Provider Assertions, Private, Community & Public Clouds)
Previously known as Trusted Cloud Initiative
Security reference architecture for cloud
Architecture in use by early adopters of cloud in Global 2000
Cloud brokering
To do:
Management tools
Technical implementation guides
Documented case studies & use cases
https://cloudsecurityalliance.org/research/architecture/
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
https://cloudsecurityalliance.org/research/top-threats/
1. Data loss from lost, stolen or decommissioned devices.
2. Information-stealing mobile malware.
3. Data loss and data leakage through poorly written third-party apps.
4. Vulnerabilities within devices, OS, design and third-party applications.
5. Unsecured WiFi, network access and rogue access points.
6. Unsecured or rogue marketplaces.
7. Insufficient management tools, capabilities and access to APIs (includes personas).
8. NFC and proximity-based hacking.
Security as a Service
Research for gaining greater understanding of how to deliver security solutions via cloud models.
Information Security Industry Re-invented
Identify Ten Categories within SecaaS
Implementation Guidance for each SecaaS Category
Align with international standards and other CSA research
Industry Impact
Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3
Mobile
Securing application stores and other public entities deploying software to mobile devices
Analysis of mobile security capabilities and features of key mobile operating systems
Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
Guidelines for the mobile device security framework and mobile cloud architectures
Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
Best practices for secure mobile application development
Big Data
Identifying scalable techniques for data-centric security and privacy problems
Lead to crystallization of best practices for security and privacy in big data
Help industry and government on adoption of best practices
Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards
Accelerate the adoption of novel research aimed to address security and privacy issues
Expert-led community resource for global legal issues impacting cloud computing.
Ask the Expert advice column
Regular in-person seminars and webcasts
Expert opinion whitepapers, initial postings:
Government Access to Data Held by US Cloud Service Providers
Proposed EU Data Protection Regulation Implications for Cloud Users
Article 29 for Cloud Computing
https://cloudsecurityalliance.org/research/clic
CSA Working Group based in Europe
Define baselines for compliance with data protection legislation via a Privacy Level Agreement mechanism:
A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP.
A tool to assess the level of a CSP's compliance with data protection legislative requirements and best practices.
A way to offer contractual protection against possible financial damages due to lack of compliance.
https://cloudsecurityalliance.org/research/pla/
Public visibility into Providers:
Corporate Governance
Supply Chain
Information Security Program
Policies Impacting Customers
Consumer right to know
Public will demand better
"Sunlight is the best disinfectant" - U.S. Supreme Court Justice Louis Brandeis
(Figure: Control Requirements, Provider Assertions, Private, Community & Public Clouds)
The CSA Open Certification Framework (OCF) is an industry initiative to allow global, accredited, trusted certification of cloud providers.
The CSA Open Certification Framework is a program for flexible, incremental and multi-layered certification
Based on CSA best practices
Integrating with popular third-party assessment and attestation statements, initially ISO 27001 & AICPA SSAE16 (SOC2)
Project initiative is called OCF, the certification mark is STAR
OPEN CERTIFICATION FRAMEWORK
LEVEL 3 - CONTINUOUS
LEVEL 2 - ATTESTATION | CERTIFICATION
LEVEL 1 - SELF ASSESSMENT
(Figure axis labels: Transparency, Assurance)
Clear GRC objectives
(Figure: Self Assessment + 3rd Party Assessment + Real time, continuous monitoring)
CSA STAR (Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative Questionnaire
Provider may substitute documented Cloud Controls Matrix compliance
Voluntary industry action promoting transparency
Security as a market differentiator
www.cloudsecurityalliance.org/star
STAR: Demand it from your providers!
2 Registered (December 2012)
22 Registered (February 2013)
Completion of APAC pilots @ Alibaba and New Taipei City (G-Cloud)
Target launch for Level 2 certification @ CSA EMEA Congress on Sep 25
Also announced harmonization of Singapore Standard (Multi-tier Cloud Security) certification scheme against CSA's OCF
The industry's first user certification program for secure cloud computing
Based on CSA research framework, specifically the Security Guidance for Critical Areas of Focus in Cloud Computing
Designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud
CCSK Basic
One day course to enable student to pass CCSK
CCSK Plus
Two day course includes practical cloud lab work
CCSK Train-the-Trainer
Three day course including CCSK Plus
GRC Stack Training
Additional one day course to use GRC Stack components
PCI/DSS In the Cloud
Additional one day course focusing on achieving PCI compliance in cloud computing
http://cloudsecurityalliance.org/education/training/
CCSK for IT & Security Architects
Whitepaper: Security best practices for security architecture in the cloud derived from CSA Domain 1, Trusted Cloud Initiative Reference Architecture model and new materials.
Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials.
CCSK for Software Developers
Whitepaper: Security best practices for software development in the cloud and recommended industry curriculum.
Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials.
CCSK for Cloud Auditing/Assurance (GRC Stack)
Whitepaper: Security best practices for assurance in the cloud derived from CSA Guidance 3 and components of the GRC Stack research projects.
Courseware: Development of 3 day courseware derived from existing GRC Stack courseware, above whitepaper and other CSA materials.
Engage international standards bodies on behalf of CSA
Propose key CSA research for standardization
Working with NBs and tracking SDOs
A.4 and A.5 liaison relationship with ITU-T
Category A liaison with ISO/IEC SC27 & SC38
Industry thought leadership
Traditional Monday start to RSA Conference
2011: White House launches Federal Cloud Strategy
2012: Keynote from Former NSA Director Mike McConnell, announce CSA Mobile
2013: DHS Undersecretary for Cybersecurity and Presiding Director of Coca Cola Company, James Robinson III
One day conferences in conjunction with chapters
Engage with local thought leaders
Project CSA best practices globally
2013 Regional Summits (so far)
16 in Asia Pacific
4 in Americas
4 in EMEA
http://www.csathailand.org
Only multi-track, multi-day conference focused on cloud security
Key venue for new research
Primarily attended by enterprise end users
2013 CSA Congress Plans
CSA Congress APAC, Singapore, May 14-17
CSA Congress EMEA, Edinburgh, September 24 - 27
CSA Congress US, Orlando, December 3 - 6
Challenges remain; there will always be insecurity
Global collaboration, public & private
Innovation can make policy restrictions obsolete
Major focus on identity needed
The Internet of Things is a ticking bomb
Must solve tomorrow's problems today
Transparency must be our guide
Be Pragmatic, Be Agile
Follow the law, but do not concede to poor interpretations of the law. Defend the spirit of the law forcefully.
More tools available than you think
Advocate through procurement
Waiting is not an option, but don't forget:
Strategy
Risk Management
Cloud-ready Enterprise Architecture
Be Educated
For more information on the Cloud Security Alliance, please contact:
Global/Americas
Jim Reavis
jreavis@cloudsecurityalliance.org
EMEA
Daniele Catteddu
dcatteddu@cloudsecurityalliance.org
APAC
Aloysius Cheang
acheang@cloudsecurityalliance.org
