A view from the Cloud Security Alliance peephole Preso - APKIC...Cloud-based management,...
www.cloudsecurityalliance.org Copyright © 2013 Cloud Security Alliance
A view from the Cloud Security Alliance peephole
Cloud
One million new mobile devices - each day!
Social Networking
Digital Natives
State Sponsored Cyberattacks?
Organized Crime?
Legal Jurisdiction & Data Sovereignty?
Global Security Standards?
Privacy Protection for Citizens?
Transparency & Visibility from Cloud Providers?
Shift the balance of power to consumers of IT
Enable innovation to solve difficult problems of humanity
Give the individual the tools to control their digital destiny
Do this by creating confidence, trust and transparency in IT systems
Security is not overhead, it is the enabler
Global, not-for-profit organization, founded 2009
Geographically divided into Americas, EMEA and APAC regions to meet strategic objectives
200 member driven organization with over 48,000 individual members in 64 chapters worldwide
Established with the aim of bringing trust to the cloud
Develop a global trusted cloud ecosystem
Building best practices and standards for next-gen IT
Grounded in an agile philosophy, rapid development of applied research that supports all activities
Corporate HQ is established in Singapore
Global CSA Research Centre
Global Standards Secretariat
CCSK Global Centre of Excellence
Secondary hub is established in Hong Kong anchored by
CloudCERT APAC Operational Base
Both locations also serve as
APAC business centre
Serving as a regional hub and operations magnet for our members
Subsequently satellite hubs are established in Thailand, Taiwan and New Zealand
CSA research is organized under a framework based on CSA Security Guidance for Critical Area of Focus in Cloud Computing
Total of 14 domains organised under 3 key areas of focus – Architecture, Governance and Operational Security
Our research includes fundamental projects needed to define and implement trust within the future of information technology
CSA continues to be aggressive in producing critical research, education and tools
Sponsorship opportunities
Selected research projects in following slides
GRC Stack Family of 4 research projects
Cloud Controls Matrix (CCM)
Consensus Assessments Initiative (CAI)
Cloud Audit
Cloud Trust Protocol (CTP)
Impact to the Industry
Developed tools for governance, risk and compliance management in the cloud
Technical pilots
Provider certification through STAR program
Control Requirements
Provider Assertions
Private, Community & Public Clouds
Previously known as Trusted Cloud Initiative
Security reference architecture for cloud
Architecture in use by early adopters of cloud in Global 2000
Cloud brokering
To do:
Management tools
Technical implementation guides
Documented case studies & use cases
https://cloudsecurityalliance.org/research/architecture/
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
https://cloudsecurityalliance.org/research/top-threats/
1. Data loss from lost, stolen or decommissioned devices.
2. Information-stealing mobile malware.
3. Data loss and data leakage through poorly written third-party apps.
4. Vulnerabilities within devices, OS, design and third-party applications.
5. Unsecured WiFi, network access and rogue access points.
6. Unsecured or rogue marketplaces.
7. Insufficient management tools, capabilities and access to APIs (includes personas).
8. NFC and proximity-based hacking.
Security as a Service
Research for gaining greater understanding of how to deliver security solutions via cloud models.
Information Security Industry Re-invented
Identify Ten Categories within SecaaS
Implementation Guidance for each SecaaS Category
Align with international standards and other CSA research
Industry Impact
Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3
Mobile
Securing application stores and other public entities deploying software to mobile devices
Analysis of mobile security capabilities and features of key mobile operating systems
Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
Guidelines for the mobile device security framework and mobile cloud architectures
Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
Best practices for secure mobile application development
Big Data
Identifying scalable techniques for data-centric security and privacy problems
Lead to crystallization of best practices for security and privacy in big data
Help industry and government on adoption of best practices
Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards
Accelerate the adoption of novel research aimed to address security and privacy issues
Expert-led community resource for global legal issues impacting cloud computing.
“Ask the Expert” advice column
Regular in-person seminars and webcasts
Expert opinion whitepapers, initial postings:
Government Access to Data Held by US Cloud Service Providers
Proposed EU Data Protection Regulation Implications for Cloud Users
Article 29 for Cloud Computing
https://cloudsecurityalliance.org/research/clic
CSA Working Group based in Europe
Define baselines for compliance with data protection legislation via a Privacy Level Agreement mechanism
A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP.
A tool to assess the level of a CSP’s compliance with data protection legislative requirements and best practices.
A way to offer contractual protection against possible financial damages due to lack of compliance.
https://cloudsecurityalliance.org/research/pla/
Public visibility into Providers
Corporate Governance
Supply Chain
Information Security Program
Policies Impacting Customers
Consumer right to know
Public will demand better
“Sunlight is the best disinfectant,” U.S. Supreme Court Justice Louis Brandeis
Control Requirements
Provider Assertions
Private, Community & Public Clouds
The CSA Open Certification Framework (OCF) is an industry initiative to allow global, accredited, trusted certification of cloud providers.
The CSA Open Certification Framework is a program for flexible, incremental and multi-layered certification
Based on CSA best practices
Integrating with popular third-party assessment and attestation statements, initially ISO 27001 & AICPA SSAE16 (SOC2)
Project initiative is called OCF, the certification mark is STAR
OPEN CERTIFICATION FRAMEWORK
LEVEL 3 - CONTINUOUS
LEVEL 2 - ATTESTATION | CERTIFICATION
LEVEL 1 - SELF ASSESSMENT
(Figure: transparency and assurance increase from Level 1 to Level 3)
Clear GRC objectives
Self Assessment + 3rd Party Assessment + Real time, continuous monitoring
CSA STAR (Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative Questionnaire
Provider may substitute documented Cloud Controls Matrix compliance
Voluntary industry action promoting transparency
Security as a market differentiator
www.cloudsecurityalliance.org/star
STAR – Demand it from your providers!
2 Registered (December 2012)
22 Registered (February 2013)
Completion of APAC pilots @ Alibaba and New Taipei City (G-Cloud)
Target launch for Level 2 certification @ CSA EMEA Congress on Sep 25
Also announced harmonization of Singapore Standard (Multi-tier Cloud Security) certification scheme against CSA’s OCF
The industry’s first user certification program for secure cloud computing
Based on CSA research framework, specifically the Security Guidance for Critical Area of Focus in Cloud Computing
Designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud
CCSK Basic
One day course to enable students to pass the CCSK
CCSK Plus
Two day course includes practical cloud lab work
CCSK Train-the-Trainer
Three day course including CCSK Plus
GRC Stack Training
Additional one day course to use GRC Stack components
PCI/DSS In the Cloud
Additional one day course focusing on achieving PCI compliance in cloud computing
http://cloudsecurityalliance.org/education/training/
CCSK for IT & Security Architects
Whitepaper: Security best practices for security architecture in the cloud derived from CSA Domain 1, Trusted Cloud Initiative Reference Architecture model and new materials.
Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials.
CCSK for Software Developers
Whitepaper: Security best practices for software development in the cloud and recommended industry curriculum.
Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials.
CCSK for Cloud Auditing/Assurance (GRC Stack)
Whitepaper: Security best practices for assurance in the cloud derived from CSA Guidance 3 and components of the GRC Stack research projects.
Courseware: Development of 3 day courseware derived from existing GRC Stack courseware, above whitepaper and other CSA materials.
Engage international standards bodies on behalf of CSA
Propose key CSA research for standardization
Working with NBs and tracking SDOs
A.4 and A.5 liaison relationship with ITU-T
Category A liaison with ISO/IEC SC27 & SC38
Industry thought leadership
Traditional Monday start to RSA Conference
2011: White House launches Federal Cloud Strategy
2012: Keynote from Former NSA Director Mike McConnell, announce CSA Mobile
2013: DHS Undersecretary for Cybersecurity and Presiding Director of Coca Cola Company, James Robinson III
One day conferences in conjunction with chapters
Engage with local thought leaders
Project CSA best practices globally
2013 Regional Summits (so far)
16 in Asia Pacific
4 in Americas
4 in EMEA
http://www.csathailand.org
Only multi-track, multi-day conference focused on cloud security
Key venue for new research
Primarily attended by enterprise end users
2013 CSA Congress Plans
CSA Congress APAC, Singapore, May 14-17
CSA Congress EMEA, Edinburgh, September 24 - 27
CSA Congress US, Orlando, December 3 - 6
Challenges remain, there will always be insecurity
Global collaboration, public & private
Innovation can make policy restrictions obsolete
Major focus on identity needed
The Internet of Things is a ticking bomb
Must solve tomorrow’s problems today
Transparency must be our guide
Be Pragmatic, Be Agile
Follow the law, but do not concede to poor interpretations of the law. Defend the spirit of the law forcefully.
More tools available than you think
Advocate through procurement
Waiting not an option, but don’t forget
Strategy
Risk Management
Cloud-ready Enterprise Architecture
Be Educated
For more information on the Cloud Security Alliance, please contact:
Global/Americas: Jim Reavis [email protected]
EMEA: Daniele Catteddu [email protected]
APAC: Aloysius [email protected]