CSA: Security Assurance at the Speed of Cloud (Russia)

www.cloudsecurityalliance.org
Copyright © 2016 Cloud Security Alliance
Jim Reavis, CEO, October 2016: "Cloudifying" Information Security

Transcript of Csa security-assurance-at-the-speed-of-cloud-russia

Cloud Security Alliance

Jim Reavis, CEO

October 2016

Cloudifying Information Security


About Jim Reavis

CEO and Founder of Cloud Security Alliance

25 years experience in information security

Honored to be a presenter, thank you ASTRA for inviting me


About the Cloud Security Alliance

Global, not-for-profit organization

Building security best practices for next generation IT

Research and Educational Programs

Cloud Provider Certification: CSA STAR

User Certification: CCSK

The globally authoritative source for Trust in the Cloud

To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.


CSA Fast Facts

Founded in 2009

Membership stats as of October 2016: 80,000 individual members, 80 chapters globally, 330 corporate members

Operates in 3 Divisions: CSA Americas, headquarters in Seattle; CSA APAC, headquarters in Singapore; CSA Europe (responsible for Europe/Middle East/Africa), headquarters in Edinburgh, UK

Over 30 research projects in 25 working groups

Strategic partnerships with governments, research institutions, professional associations and industry

www.cloudsecurityalliance.org


We will never solve information security

State of permanent warfare

Battlefields change

Weapons change

Create enough security to ensure a profitable outcome


Tech consumerization

Changing compute, changing the world


CSA Maxims

As IT moves into the Cloud, so must Security

As IT loses control of the endpoint, Cloud is the only Security option

As the Internet of Things scales upwards, Cloud computing will be its data repository, application engine, provisioning system, Security platform and organizing concept

Security has a new battlefield


CSA Top Threats to Cloud for 2016

Data Breaches

Compromised Credentials and IAM

Insecure APIs

System and App Vulnerabilities

Account Hijacking

Malicious Insiders

APTs

Data Loss

Due Diligence

Nefarious Use and Abuse

Denial of Service

Shared Technology Issues

https://cloudsecurityalliance.org/group/top-threats/


Cloud in the Enterprise 2016

Awareness: Capturing data on current cloud usage within the organization

Opportunistic: Identifying strong cloud adoption opportunities (Cloud First!)

Strategic: Building the cloud adoption program: security program, architecture, frameworks & business alignment

Innovators: DevOps, DevSecOps, IoT, Big Data, Analytics


Findings of first State of Cloud Security report

Good and Bad: cloud provider security is uneven

Better alignment between providers and enterprises needed

Need provider collaboration and transparency

Global regulatory issues

Major industry skills gap

Cloud is changing the nature of information security


What have leading organizations learned?

Understanding different types of Clouds and your Role

Due diligence is critical; Data is key; Identity is very important

Forcing legacy tools & architectures on cloud security problems doesn't work

Heavy-handed blocking of cloud services backfires on infosec

Looking for infosec capabilities delivered as a service


Different types of clouds

Cloud as a layered model (e.g. OSI)

SaaS has implicit IaaS layers

Market impacts architecture

Businesses occupy individual layers (e.g. cloud brokers)

Layers of abstraction emerge

Innovation/optimization in layers

Everything becomes virtualized

CSA Cloud Reference Model


Customer role in different clouds

In all clouds it is a shared responsibility

IaaS is a greater responsibility for the customer to harden the service

Provider is responsible for implementing most security in SaaS

Identity & data governance may still be in the tenant's realm

Customer has the ultimate responsibility for security assurance


How CSA delivers the secure cloud


CCSK User Certification

Certificate of Cloud Security Knowledge (CCSK)

Benchmark of cloud security competency

Based on CSA guidance

Online web-based examination: www.cloudsecurityalliance.org/education/ccsk/

Partnered with (ISC)2 to develop complementary certification: CCSP

Close cloud security knowledge gaps


CSA STAR Provider Certification

CSA STAR (Security, Trust and Assurance Registry), 3-Level Provider Certification Program

Managed by CSA in partnership with world-leading ISO certification bodies and audit firms

Adopted worldwide by Providers, Enterprises and Governments

www.cloudsecurityalliance.org/star


CSA STAR: Assisting Due Diligence

Level 1: STAR Self-Assessment. Public Registry of Cloud Provider self-assessments based on CSA standards

Level 2: STAR 3rd Party Audits. STAR Certification: integrates ISO/IEC 27001:2013. STAR Attestation: based upon Type 2 SOC

Coming in Q4 2016: STARWatch

Ask for the provider's STAR entry

If unavailable, ask the provider to fill out CSA's Cloud Controls Matrix or Consensus Assessments Initiative Questionnaire

www.cloudsecurityalliance.org/research/ccm

www.cloudsecurityalliance.org/research/cai


Research for 2016

Guidance V4

Global Enterprise Advisory Board

Software Defined Perimeter

Financial Services Platform

CCM/CAIQ/CTP/CloudAudit

Security as a Service

Internet of Things

Quantum-Safe Computing

CASB enablement: OpenAPI

Other

It is all free! https://cloudsecurityalliance.org/research


Emerging Trends We Are Evaluating

Blockchain

Containers, micro services

Internet of Things

DevSecOps: DevOps applied to security

Analytics

Autonomous computing

Artificial Intelligence

Quantum-Safe Computing


A New Day for Computing and Trust


Apply the knowledge (1/3): baseline & foundation

Use egress monitoring, CASB or similar to gain visibility and build a report of your cloud usage

Survey your staff's cloud experience: hands-on experience with at least 2 IaaS, at least 1 PaaS and Security as a Service? Do you have any CCSKs on staff (Certificate of Cloud Security Knowledge)?

Build your cloud security framework: the Cloud Controls Matrix (CCM) is a good start. Assign a team member to map CCM to your own Information Security Management System (ISMS)


Apply the knowledge (2/3): gentle policing of cloud usage

Gain visibility into the use and risk of cloud services

Educate employees to use low-risk services leveraging existing infrastructure

Integrate anomaly detection with the SOC for investigation and remediation

Identify sensitive data stored in sanctioned services

Secure data in sanctioned services with encryption, DLP and access control policies

Encourage/require providers to list in CSA STAR or minimally fill out CCM/CAIQ for you
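The visibility steps on the baseline slide (egress monitoring to build a report of cloud usage) and on this slide (gain visibility into use and risk, feed anomalies to the SOC) can be prototyped straight from proxy logs. The script below is an added example and is not CSA's code or any CSA tool: it parses a constructed egress log format, maps hosts to a hypothetical sanctioned/unsanctioned service catalogue, aggregates usage per service, and hands large uploads to unsanctioned services to the SOC as alerts. The log line layout, the catalogue, the host and user names and the byte threshold are all assumptions made for the example.

```python
"""Cloud-usage visibility report built from egress proxy logs.

Added example, not part of the CSA deck or any CSA tool. The log line
format, service catalogue, names and alert threshold are all constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed catalogue of cloud services the organisation knows about:
# host suffix -> (service name, sanctioned by infosec?). Hosts matching
# nothing here are reported as unknown and therefore unsanctioned.
SERVICE_CATALOGUE = {
    "corp-storage.example": ("CorpDrive", True),
    "sanctioned-crm.example": ("SanctionedCRM", True),
    "freeshare.example": ("FreeShare", False),
    "paste.example": ("PasteSite", False),
}

# Constructed egress log shape, one request per line:
# <timestamp> <source_ip> <user> <method> <host> <bytes_out> <http_status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<bytes_out>\d+) (?P<status>\d{3})$"
)

# Hypothetical threshold: a single upload this large to an unsanctioned
# service becomes an alert for SOC investigation.
UPLOAD_ALERT_BYTES = 5_000_000


@dataclass
class ServiceUsage:
    sanctioned: bool
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0  # bytes sent in POST/PUT requests only


def classify_host(host):
    """Map a host name to (service, sanctioned) by catalogue suffix match."""
    for suffix, (name, sanctioned) in SERVICE_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return name, sanctioned
    return "unknown:" + host, False


def parse_line(line):
    """Return a dict for a well-formed log line, or None for junk."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def build_report(lines):
    """Aggregate usage per service and collect anomalies for the SOC."""
    usage = {}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, never guessed at
        service, sanctioned = classify_host(rec["host"])
        entry = usage.setdefault(service, ServiceUsage(sanctioned))
        entry.users.add(rec["user"])
        entry.requests += 1
        if rec["method"] in ("POST", "PUT"):
            entry.bytes_out += rec["bytes_out"]
            if not sanctioned and rec["bytes_out"] >= UPLOAD_ALERT_BYTES:
                alerts.append({"ts": rec["ts"], "user": rec["user"],
                               "src": rec["src"], "service": service,
                               "bytes_out": rec["bytes_out"]})
    return usage, alerts


def unsanctioned_services(usage):
    """Names of services in use that infosec has not sanctioned."""
    return sorted(name for name, u in usage.items() if not u.sanctioned)


def format_report(usage, alerts):
    """Render the usage table and alerts as plain text lines."""
    out = ["service | sanctioned | users | requests | bytes uploaded"]
    for name in sorted(usage):
        u = usage[name]
        out.append(f"{name} | {'yes' if u.sanctioned else 'no'} | "
                   f"{len(u.users)} | {u.requests} | {u.bytes_out}")
    for a in alerts:
        out.append(f"ALERT {a['ts']} {a['user']}@{a['src']} uploaded "
                   f"{a['bytes_out']} bytes to unsanctioned {a['service']}")
    return out


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2016-10-03T09:00:01Z 10.1.2.3 alice GET files.corp-storage.example 512 200",
    "2016-10-03T09:05:12Z 10.1.2.3 alice PUT files.corp-storage.example 2048000 201",
    "2016-10-03T09:07:44Z 10.1.2.9 bob POST upload.freeshare.example 8400000 200",
    "2016-10-03T09:08:00Z 10.1.2.9 bob GET www.paste.example 300 200",
    "2016-10-03T09:10:31Z 10.1.2.14 carol GET api.sanctioned-crm.example 1024 200",
    "not a log line at all",
]

if __name__ == "__main__":
    usage, alerts = build_report(SAMPLE_LOG)
    print("\n".join(format_report(usage, alerts)))
```

On the sample the report lists four services, two of them unsanctioned, and raises one alert for the large upload to FreeShare; in practice the catalogue would come from a CASB or a maintained list of sanctioned services, and the alert records would be forwarded to the SOC's case system rather than printed.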


Apply the knowledge (3/3): build your future cloud strategy

Educate the security team that cloud requires greater agility: shorter risk assessment cycles; a constant state of change is the new norm

Identify bottleneck processes that don't scale to cloud speeds and fix them

Build new, cloud-native security strategies: new approaches for anti-DDoS, forensics, patch management, malware, etc.; identity federation dialtone; audit the security architecture for physical dependencies; leverage Security as a Service to secure *aaS

Research new technologies before the business adopts them, e.g. containers

Demand transparency from the cloud provider industry


Summary

Cloudified information security is literal: a new class of information security solutions born in the cloud; security must be delivered from the cloud

Cloudified information security is figurative: agile, on demand; attitude: be a revolutionary!; new technology, new skillsets, new culture

Lots of free tools and research to make your transition easier: www.cloudsecurityalliance.org


Contact

Join us to solve tomorrow's problems today

Email: info@cloudsecurityalliance.org

WWW: www.cloudsecurityalliance.org

Twitter: @cloudsa


THANK YOU
