A view from the Cloud Security Alliance peephole
Cloud One million new mobile devices - each day! Social Networking Digital Natives
State Sponsored Cyberattacks? Organized Crime? Legal Jurisdiction & Data Sovereignty? Global Security Standards? Privacy Protection for Citizens? Transparency & Visibility from Cloud Providers?
Shift the balance of power to consumers of IT Enable innovation to solve difficult problems of humanity Give the individual the tools to control their digital destiny Do this by creating confidence, trust and transparency in IT systems Security is not overhead, it is the enabler
Global, not-for-profit organization, founded 2009 Geographically divided into Americas, EMEA and APAC regions to meet strategic objectives 200 member driven organization with over 48,000 individual members in 64 chapters worldwide Established with the aim of bringing trust to the cloud Develop a global trusted cloud ecosystem Building best practices and standards for next-gen IT Grounded in an agile philosophy, rapid development of applied research that supports all activities
Corporate HQ is established in Singapore Global CSA Research Centre Global Standards Secretariat CCSK Global Centre of Excellence Secondary hub is established in Hong Kong anchored by CloudCERT APAC Operational Base Both locations also serve as APAC business centre Serving as a regional hub and operations magnet our members Subsequently satellite hubs are established in Thailand, Taiwan and New Zealand
CSA research is organized under a framework based on CSA Security Guidance for Critical Area of Focus in Cloud Computing Total of 14 domains organised under 3 key areas of focus Architecture, Governance and Operational Security
Our research includes fundamental projects needed to define and implement trust within the future of information technology CSA continues to be aggressive in producing critical research, education and tools Sponsorship opportunities Selected research projects in following slides
GRC Stack Family of 4 research projects Cloud Controls Matrix (CCM) Consensus Assessments Initiative (CAI) Cloud Audit Cloud Trust Protocol (CTP) Impact to the Industry Developed tools for governance, risk and compliance management in the cloud Technical pilots Provider certification through STAR program Control Requirements Private, Community & Public Clouds Provider Assertions
Previously known as Trusted Cloud Initiative Security reference architecture for cloud Architecture in use by early adopters of cloud in Global 2000 Cloud brokering To do: Management tools Technical implementation guides Documented case studies & use cases https://cloudsecurityalliance.org/research/architecture/
1. Data Breaches 2. Data Loss 3. Account Hijacking 4. Insecure APIs 5. Denial of Service 6. Malicious Insiders 7. Abuse of Cloud Services 8. Insufficient Due Diligence 9. Shared Technology Issues https://cloudsecurityalliance.org/research/topthreats/
1. Data loss from lost, stolen or decommissioned devices. 2. Information-stealing mobile malware. 3. Data loss and data leakage through poorly written third-party apps. 4. Vulnerabilities within devices, OS, design and third-party applications. 5. Unsecured WiFi, network access and rogue access points. 6. Unsecured or rogue marketplaces. 7. Insufficient management tools, capabilities and access to APIs (includes personas). 8. NFC and proximity-based hacking.
Security as a Service Research for gaining greater understanding for how to deliver security solutions via cloud models. Information Security Industry Re-invented Identify Ten Categories within SecaaS Implementation Guidance for each SecaaS Category Align with international standards and other CSA research Industry Impact Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3
Mobile Securing application stores and other public entities deploying software to mobile devices Analysis of mobile security capabilities and features of key mobile operating systems Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives Guidelines for the mobile device security framework and mobile cloud architectures Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device Best practices for secure mobile application development
Big Data Identifying scalable techniques for data-centric security and privacy problems Lead to crystallization of best practices for security and privacy in big data Help industry and government on adoption of best practices Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards Accelerate the adoption of novel research aimed to address security and privacy issues
Expert-led community resource for global legal issues impacting cloud computing. Ask the Expert advice column Regular in-person seminars and webcasts Expert opinion whitepapers, initial postings Government Access to Data Held by US Cloud Service Providers Proposed EU Data Protection Regulation Implications for Cloud Users Article 29 for Cloud Computing https://cloudsecurityalliance.org/research/clic
CSA Working Group based in Europe Define baselines for compliance with data protection legislation via a Privacy Level Agreement mechanism A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP. A tool to assess the level of a CSP s compliance with data protection legislative requirements and best practices. A way to offer contractual protection against possible financial damages due to lack of compliance. https://cloudsecurityalliance.org/research/pla/
Public visibility into Providers Corporate Governance Supply Chain Information Security Program Policies Impacting Customers Consumer right to know Public will demand better Sunlight is the best disinfectant, U.S. Supreme Court Justice Louis Brandeis
Control Requirements Private, Community & Public Clouds Provider Assertions
The CSA Open Certification Framework (OCF) is an industry initiative to allow global, accredited, trusted certification of cloud providers. The CSA Open Certification Framework is a program for flexible, incremental and multilayered certification Based on CSA best practices Integrating with popular third-party assessment and attestation statements, initially ISO 27001 & AICPA SSAE16 (SOC2) Project initiative is called OCF, the certification mark is STAR
ASSURANCE OPEN CERTIFICATION FRAMEWORK LEVEL 3 - CONTINUOUS LEVEL 2 - ATTESTATION CERTIFICATION LEVEL 1:- SELF ASSESSMENT TRANSPERANCY
+ Real time, continuous monitoring + Clear GRC objectives + Self Assessment 3 rd Party Assessment
CSA STAR (Security, Trust and Assurance Registry) Public Registry of Cloud Provider self assessments Based on Consensus Assessments Initiative Questionnaire Provider may substitute documented Cloud Controls Matrix compliance Voluntary industry action promoting transparency Security as a market differentiator /star STAR Demand it from your providers!
22 Registered (February 2013) 2 Registered (December 2012)
Completion of APAC pilots @ Alibaba and New Taipei City (G-Cloud) Target launch for Level 2 certification @ CSA EMEA Congress on Sep 25 Also announced harmonization of Singapore Standard (Multi-tier Cloud Security) certification scheme against CSA s OCF
The industry s first user certification program for secure cloud computing Based on CSA research framework, specifically the Security Guidance for Critical Area of Focus in Cloud Computing Designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud
CCSK Basic One day course to enable student to pass CCSK CCSK Plus Two day course includes practical cloud lab work CCSK Train-the-Trainer Three day course including CCSK Plus GRC Stack Training Additional one day course to use GRC Stack components PCI/DSS In the Cloud Additional one day course focusing on achieving PCI compliance in cloud computing http://cloudsecurityalliance.org/education/training/
CCSK for IT & Security Architects Whitepaper: Security best practices for security architecture in the cloud derived from CSA Domain 1, Trusted Cloud Initiative Reference Architecture model and new materials. Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials. CCSK for Software Developers Whitepaper: Security best practices for software development in the cloud and recommended industry curriculum. Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials. CCSK for Cloud Auditing/Assurance (GRC Stack) Whitepaper: Security best practices for assurance in the cloud derived from CSA Guidance 3 and components of the GRC Stack research projects. Courseware: Development of 3 day courseware derived from existing GRC Stack courseware, above whitepaper and other CSA materials.
Engage international standards bodies on behalf of CSA Propose key CSA research for standardization Working with NBs and tracking SDOs A.4 and A.5 liaison relationship with ITU-T Category A liaison with ISO/IEC SC27 & SC38
Industry thought leadership Traditional Monday start to RSA Conference 2011: White House launches Federal Cloud Strategy 2012: Keynote from Former NSA Director Mike McConnell, announce CSA Mobile 2013: DHS Undersecretary for Cybersecurity and Presiding Director of Coca Cola Company, James Robinson III
One day conferences in conjunction with chapters Engage with local thought leaders Project CSA best practices globally 2013 Regional Summits (so far) 16 in Asia Pacific 4 in Americas 4 in EMEA http://www.csathailand.org
Only multi-track, multi-day conference focused on cloud security Key venue for new research Primarily attended by enterprise end users 2013 CSA Congress Plans CSA Congress APAC, Singapore, May 14-17 CSA Congress EMEA, Edinburgh, September 24-27 CSA Congress US, Orlando, December 3-6
Challenges remain, there will always be insecurity Global collaboration, public & private Innovation can make policy restrictions obsolete Major focus on identity needed The Internet of Things is a ticking bomb Must solve tomorrow s problems today Transparency must be our guide
Be Pragmatic, Be Agile Follow the law, but do not concede to poor interpretations of the law. Defend the spirit of the law forcefully. More tools available than you think Advocate through procurement Waiting not an option, but don t forget Strategy Risk Management Cloud-ready Enterprise Architecture Be Educated
For more information on the Cloud Security Alliance, please contact: Global/Americas Jim Reavis jreavis@cloudsecurityalliance.org EMEA Daniele Catteddu dcatteddu@cloudsecurityalliance.org APAC Aloysius Cheang acheang@cloudsecurityalliance.org
Copyright 2013 2012 Cloud Security Alliance