Open Certificatio. Framewor. Daniele Catteddu, CSA Managing Director EMEA and OCF Project Director. CSO Interchange 2

Transcription

1 Framewor Open Certificatio CSO Interchange 2 Paris, M Daniele Catteddu, CSA Managing Director EMEA and OCF Project Director

2 Global, not-for-profit organisation Over 40,000 individual members, more than 160 corporate members, over 60 chapters Building best practices and a trusted cloud ecosystem Agile philosophy, rapid development of applied research GRC: Balance compliance with risk management Reference models: build using existing standards Identity: a key foundation of a functioning cloud economy Champion interoperability Enable innovation Advocacy of prudent public policy To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud

3 loud computing is becoming a mature business mode any companies and governments around the globe re implementing their strategies to embrace effectively nd efficiently cloud services. rowing adoption of cloud services by large banks, anufacturers, healthcare organizations and other large orporations and small and medium businesses.

4

5 ite the simplicity of the idea of ICT services ered as utility, on demand and pay-as-you-go, cloud computing model is based on a complex ain of interactions between multiple parties whic erate in different countries and legal isdictions. The complexity and opacity that metimes characterize this cloud supply-chain ve generated some barriers to faster adoption of ud computing.

6 f clarity around the definition and bution of responsibilities and lities, lties achieving accountability ss the cloud supply chain, rent global (and even sometimes onal and national) legal framework compliance regimes ck of transparency of some ice providers or brokers, icularly around security and risk agement

7 lties in performing internal and rnal due diligence f clarity in Service Level ements f interoperability. f awareness and expertise.

8

9 sers need to understand the shift in the balance f responsibility and accountability for key unctions such as governance and control over ata and IT operations, ensuring compliance with ws and regulations. loud computing requires a new model for ssessing organisational risks related to security nd resilience.

10

11

12 nsumers do not have ple, cost effective ways to aluate and compare ir providers resilience, data otection capabilities and rvice portability.

13

14 ! Stimulating a wider use of standards! Certification of cloud services to show they meet these standards and! Endorsement of such certificates by regulatory authorities as indicating compliance with legal obligations.

15 Increase consumer trust and confidence in cloud systems the future of IT Improve overall security and transparency of the ecosystem Assist cloud providers and consume in achieving regulatory compliance

16 Already part of the cloud strategy in countries such USA, Singapore, Thailand, China, Honk Kong, Taiwan, In Europe various Member States are looking at a certification/accreditation schema for cloud service (especially in Public Procurement) The UK G-Cloud is based on a logic of companies accredited to offer service in the App Store

17 Provide a globally relevant certification to reduce duplication efforts Address localized, national-state and regional compliance needs Address industry specific requirements Address different assurance requirements Address certification staleness assure provider is still secu after point in time certification Do all of the above while recognizing the dynamic and fastchanging world that is cloud

18

19 The open certification framework is structured on 3 LEVELs of TRUST, each one of them providing an incremental level of visibility and transparency into the operations of the Cloud Service Provider and a higher level of assurance to the Cloud consumer.

20 essment egistry Certification Framework Certification : 3 rd Party Assessment- Certification Certification Continuous monitoring 011 Q Q

21 A STAR (Security, Trust and Assurance Registry) blic Registry of Cloud Provider self assessments sed on Consensus Assessments Initiative estionnaire rovider may substitute documented Cloud Controls Matrix ompliance luntary industry action promoting transparency e market competition to provide quality sessments rovider may elect to provide assessments from third parties ailable since October 2011

22

23 The concept of the scheme is to use to the ISO/IEC 27001:2 certification integrated with the CSA Cloud Control Matrix (C as additional or compensating controls as applicable and the organization s own internal requirements or specifications to assess how advanced their systems are. The scheme will be compliant with ISO and ISO Will be open to all 3rd party Certified Bodies (CB) Will be an additional scheme to the CB organizations interna ISO scheme requirements. It is not meant to be a replacement of ISO 27001, but integrates the ISO with Cloud-specific controls

24 STAR CERTIFICATION evaluates the efficiency of an organization ISMS and ensures the scope, processes and objectives are Fit for Purpose. Help organizations prioritize areas for improvement and lead the towards business excellence. Enables effective comparison across other organizations in the applicable sector. Based upon the Plan, Do, Check, Act (PDCA) approach and the controls outlined in the Cloud Controls Matrix (CCM) Enables the auditor to assess a company s performance, on long term sustainability and risks, in addition to ensuring they are SLA driven, allowing senior management to quantify and measure improvement year on year. It gives a prospective customer of the certified organisation a greater understanding of the level of control the organisation they are buying

25 CCM is specifically designed to provide fundamental security ciples to guide cloud vendors and to assist prospective cloud omers in assessing the overall security risk of a cloud provide Cloud Controls Matrix is meant to be integrated into the ssment by the auditor, referencing the applicable CCM contro e associated ISO controls (SOA) The output will be the lt of the overall performance of the organization within the e of certification.

26 ISO requires the organisation to evaluate their custom requirements and expectation, and contractual requirements requires that they have implemented a system to achieve thi ISO requires the organisation has conducted a risk analysis that identifies the risks to meeting their customer s expectations. The Cloud Controls Matrix requires the organisation to addr the specific issues that are critical to cloud security. The maturity model assesses how well managed activities in control areas are.

27 ertification can ever guarantee information is 100% secure wever STAR certification ensures an organisation has an propriate system for the type of information it is dealing with d that it is well managed and focused on cloud specific ncerns.

28 n an organisation is audited a Management Capability Score w assigned to each of the control areas in the CCM. This will dicate the capability of the management in this area to ensure e control is operating effectively. management capability of the controls will be scored on a sca These scores have been divided into 5 different tegories that describe the type of approach characteristic of ch group of scores.

29 a control area to be awarded a certain score it must at a inimum of that level across 5 management principles: mmary there are 11 control areas on the CCM v1.4. that wil be awarded a management capability score on a scale of 1-1 ecide what the score is each control area will be considered nst 5 capability factors.

30 lient will be awarded a certificate following the assessment. pending on the capability level they achieved they will either g No Award A Bronze Award A Silver Award A Gold Award e CAPABILITY MATURITY LEVEL will NOT be PUBBLIC, will be a information provider only to the candidate company. e ONLY public information available on the CSA STAR web site will be: STAR Certificate CERTIFICATE

31 Pilots finalised with ALIBABA and New TAPEI City Governm PC): Proof of concept using ISO CCM as a foundatio STAR Certification valuate and gather supporting information and data on the turity model ather feedback from actual clients on their experiences and ue of STAR Certification nalyze data and lessons learned mprove process and finalize for full launch

32 oth Pilots went as planned and both organizations had a good perience oth organizations did well, proving that good risk assessmen bits and continual improvement are key in the process he maturity model proved to be valuable in validating proper pe and level of process optimization he maturity model is key in the transparency process. he maturity model requires more detailed data gathering whi value add for the CSP and its customers NFIRMED that OCF / STAR CERTIFICATION ORKS in real life implementation

33 en LEAD AUDITOR training to certified bodies and the general blic globally in SEPTEMBER 2013 UNCHING STAR CERTIFICATION in SEPTEMBER 2013 R TARGET OBJECTIVE is to have 10 ORGANIZATIONS STAR RTIFIED by END OF 2013 OT Cloud Audit and Cloud Trust Protocol during 2014 RODUCE STAR Continuous Monitoring in 2015

34 Certification, InteRnationalisation and standardization in clou curity (CIRRUS) Consortium and Advisory Board bring together yers in the cloud landscape: users, law enforcement, cloud se viders, auditors, DPAs, policy makers, software developers, a re. It encompasses private and public partners that balance th eds of cloud consumers, providers, and law enforcement while intaining high-level objectives such as bringing research proj ults to market or improving trust in cyberspace US is an EU FP7 project with 6 partners under the Support Act ding scheme. Partners include the ATOS, the Austrian Standa titute (ASI), and the Japanese IT Promotion Agency (IPA).

35 ey objectives of the project include the following: Analyse (understand, describe, measure and monitor) the complexity of the cloud service delivery supply chain and security implications at each stage (e.g. offshoring) Coalesce differing perspectives (e.g. consumer requests for transparency and provider needs to protect confidential business) and provide consolidated opinions as an advisor to EU policy making Identify and describe proper measures and actions that increase trust and accelerate cloud adoption (e.g. link trust t trustworthiness by international certification scheme)

36 elp Us Secure Cloud Computing! LinkedIn:

37