GRC Stack Research Sponsorship

Transcription

1 GRC Stack Research Sponsorship

2 Overview Achieving Governance, Risk Management and Compliance (GRC) goals requires appropriate assessment criteria, relevant control objectives and timely access to necessary supporting data. Whether implementing private, public or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of GRC requirements. Cloud Security Alliance is leading the charge in addressing these challenges within our GRC Stack research portfolio. This brochure outlines GRC Stack research we will be undertaking in the next year and describes the unique opportunity for a limited number of companies to sponsor this research and become CSA GRC Stack Research Partners About the Cloud Security Alliance The Cloud Security Alliance is a not for profit, vendor neutral organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. CSA has grown tremendously since we publicly launched in April 2009, and we continue to set the pace as the industry leader in research and best practices for developing the trusted cloud ecosystem. 35,000 members worldwide, in over 60 chapters Not for profit organization registered as a 501(c)6 corporation with the US Internal Revenue Service Developed first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (April 2009, updated December 2010 and October 2011) First and only user certification for cloud security, the CCSK (Certificate of Cloud Security Knowledge, September 2010) Tools for managing Governance, Risk and Compliance in the Cloud (GRC Stack) Registry of cloud provider security practices, the CSA STAR (Security, Trust & Assurance Registry, Q4 2011) Industry leading security practices, education and tools developed by 20 working groups Selection of CSA venue by US White House to announce the US Federal Cloud Strategy in 2011 Leadership in developing new security standards addressing cloud computing Trusted advisor to governments and Global 2000 firms around the world Copyright 2012 Cloud Security Alliance 1

3 The CSA Portfolio CSA quickly captured industry thought leadership by being the first mover in several areas due to our philosophy of agility, community and meritocracy. Cloud computing can be seen as a generation shift towards creating a global compute utility,, even if it will create several different global and local clouds. Cloud s dynamism and the criticall decisions being made by the public and private sector today with a long tail of impact have createdd a growing sense of urgency within CSA to continue our aggressive production of critical research, education and tools. Our research includes fundamental projects needed to define and implement trust within the future of information technology, which include cloud computing, mobile and big data. Copyright 2012 Cloud Security Alliance 2

4 GRC Stack Initiatives The Cloud Security Alliance GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders s to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements. CloudAudit The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems. Copyright 2012 Cloud Security Alliance 3

5 Cloud Controls Matrix (CCM) The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The Cloud Controls Matrix provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Cloud Controls Matrix rest on its customized relationship to other industryaccepted security standards, regulations, and controls frameworks such as the HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA and NIST, and will augment or provide internal control direction for SAS 70 attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardize security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud. Consensus Assessments Initiative Questionnaire (CAIQ) The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. We are focused on providing industry accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners. The initial deliverable of this project is the Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire is available in spreadsheet format, and provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of yes or no control assertion questions which can then be tailored to suit each unique cloud customer s evidentiary requirements. Cloud Trust Protocol (CTP) The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as cloud users or cloud service owners ) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence based confidence that everything that is claimed to be happening in the cloud is indeed happening as described,, and nothing else. This is a classic application of the definition of digital trust. Assured of such evidence, cloud consumers become liberated to bring more sensitive and valuable business functions to the cloud, and reap even larger payoffs. With the CTP cloud consumers are provided a way to find out important pieces of Copyright 2012 Cloud Security Alliance 4

6 information concerning the compliance, security, privacy, integrity, and operational security history of service elements being performed in the cloud. Security Trust and Assurance Registry (STAR) The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. It is a simple but powerful idea, cloud providers post self assessments of their cloud services, CSA makes these assessments publicly available and cloud consumers can use this data to make informed purchasing decisions. GRC Stack 2012 Research Projects The Cloud Security Alliance GRC Stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements. GRC Stack Implementation Pilots and Use Case Documentation The need for greater industry transparency and a better understanding of governance, risk and compliance issues within cloud environments is the single greatest consideration stalling full scale adoption of cloud computing. There exists tremendous industry interest in CSA s GRC Stack set of research projects as the foundation for assurance, attestation and certification of cloud providers. The key to accelerating adoption of the CSA GRC Stack and consequentially increasing adoption of cloud computing in general is the completion and documentation of strategic pilot projects that clearly articulate the benefits of GRC Stack and also explain how to implement the GRC Stack successfully. The GRC Stack pilot project will consist of the participation of a cloud provider, enterprise class customer and CSA experts to implement the four GRC Stack research projects within a customerprovider environment. Use of CAIQ and CCM tools to demonstrate alignment with CSA controls framework for both provider and customer. Updating of CCM 2.0 for new mappings, control objectives and a database structure Use of CloudAudit and CTP tools to enable GRC automation and continuous controls monitoring within the pilot environment. Documentation of lessons learned and three unique use cases of the GRC Stack that represent geographical and industry diversity. Documentation of ROI achieved within assurance and compliance due to the project. Creation of an implementation guide for use by both customers and cloud providers. Copyright 2012 Cloud Security Alliance 5

7 The GRC Stack pilots and use case documentation will have whitepaper deliverables in Q3 2012, Q4 2012, Q and Q Open Certification Framework The CSA Open Certification Framework is a program for flexible, incremental and multi layered cloud provider certification according to the Cloud Security Alliance s industry leading security guidance and control objectives. The program will integrate with popular third party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost. The CSA Open Certification Framework is based upon the control objectives and continuous monitoring structure as defined within the CSA GRC (Governance, Risk and Compliance) Stack research projects. The CSA Open Certification Framework will support several tiers, recognizing the varying assurance requirements and maturity levels of providers and consumers. These will range from the CSA Security, Trust and Assurance Registry (STAR) self assessment to high assurance specifications that are continuously monitored. The CSA Open Certification Framework provides: A path for any region to address compliance concerns with trusted, global best practices. For example, we expect governments to be heavy adopters of the CSA Open Certification Framework to layer their own unique requirements on top of the GRC Stack and provide agile certification of public sector cloud usage. An explicit guidance for providers on how to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC certification path that incorporates the CSA Cloud Controls Matrix (CCM). A "recognition scheme" that would allow us to support ISO, AICPA and potentially others that incorporate CSA IP inside of their certifications. The timeline for OCF is as follows: LEVEL 1 is currently available through STAR The Open Certification Framework will be available in Q The Auditor Certification scheme will be available in Q The LEVEL 2 Third Party Assessment certification for provider will be available in Q The LEVEL 3 Continuous Monitoring is planned for Copyright 2012 Cloud Security Alliance 6

8 GRC Stack 2012 Research Benefits CLOUD SECURITY ALLIANCE: GRC Stack Research Sponsorship Sponsored Research Listing Sponsor will be permanently listed as a charter sponsor with logo and URL link at initiative website and related areas, such as printed collateral. Press activity Sponsor will be included in press release activity related to key project milestones, including the opportunity to provide supporting quotes for the project. Whitepaper & GRC Stack Download Information Sponsor will receive monthly list of individuals opting in when downloading the individual whitepapers or GRC Stack modules. Blogging, Twitter & Webcasts Sponsor will participate in communications related to the project, including CSA funded webcasts, project blogs and use of the CSA corporate Twitter account. Project Observer Status Sponsor will be allowed the opportunity to monitor the project and will be provided regular updates from the project leadership. Sponsor will also be allowed the opportunity to interview customer participants. Branded Deliverables Whitepapers, presentations and related project deliverables will include an acknowledgement of sponsor and will include sponsor logo. Sponsor will also be allowed to incorporate project deliverables into sponsor s own whitepapers and related collateral with appropriate acknowledgements to CSA. Events The Research Initiative will be highlighted in CSA events, providing exposure for sponsors of the initiative. Signing Up Please contact Jim Reavis at jreavis@cloudsecurityalliance.org for more information, pricing and terms for this Research Sponsorship. Copyright 2012 Cloud Security Alliance 7