CSA: security-assurance-at-the-speed-of-cloud-russia
Transcript of CSA security-assurance-at-the-speed-of-cloud-russia
Cloud Security Alliance
Cloudifying Information Security
Jim Reavis, CEO, October 2016
www.cloudsecurityalliance.org
Copyright 2016 Cloud Security Alliance
About Jim Reavis
- CEO and Founder of Cloud Security Alliance
- 25 years experience in information security
- Honored to be a presenter, thank you ASTRA for inviting me
About the Cloud Security Alliance
- Global, not-for-profit organization
- Building security best practices for next generation IT
- Research and Educational Programs
- Cloud Provider Certification: CSA STAR
- User Certification: CCSK
- The globally authoritative source for Trust in the Cloud
- Mission: to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.
CSA Fast Facts
- Founded in 2009
- Membership stats as of October 2016: 80,000 individual members, 80 chapters globally, 330 corporate members
- Operates in 3 Divisions: CSA Americas, headquarters in Seattle; CSA APAC, headquarters in Singapore; CSA Europe (responsible for Europe/Middle East/Africa), headquarters in Edinburgh, UK
- Over 30 research projects in 25 working groups
- Strategic partnerships with governments, research institutions, professional associations and industry
We will never solve information security
- State of permanent warfare
- Battlefields change
- Weapons change
- Create enough security to ensure a profitable outcome
Tech consumerization
- Changing compute, changing the world
CSA Maxims
- As IT moves into the Cloud, so must Security
- As IT loses control of the endpoint, Cloud is the only Security option
- As the Internet of Things scales upwards, Cloud computing will be its data repository, application engine, provisioning system, Security platform and organizing concept
- Security has a new battlefield
CSA Top Threats to Cloud for 2016
- Data Breaches
- Compromised Credentials and IAM
- Insecure APIs
- System and App Vulnerabilities
- Account Hijacking
- Malicious Insiders
- APTs
- Data Loss
- Due Diligence
- Nefarious Use and Abuse
- Denial of Service
- Shared Technology Issues
https://cloudsecurityalliance.org/group/top-threats/
Cloud in the Enterprise 2016
- Awareness: capturing data on current cloud usage within the organization
- Opportunistic: identifying strong cloud adoption opportunities (Cloud First!)
- Strategic: building a cloud adoption program: security program, architecture, frameworks & business alignment
- Innovators: DevOps, DevSecOps, IoT, Big Data, Analytics
Findings of first State of Cloud Security report
- Good and Bad: cloud provider security is uneven
- Better alignment between providers and enterprises needed
- Need provider collaboration and transparency
- Global regulatory issues
- Major industry skills gap
- Cloud is changing the nature of information security
What have leading organizations learned?
- Understanding different types of Clouds and your Role
- Due diligence is critical, Data is key, Identity is very important
- Forcing legacy tools & architectures on cloud security problems doesn't work
- Heavy-handed blocking of cloud services backfires on infosec
- Looking for infosec capabilities delivered as a service
Different types of clouds
- Cloud as a layered model (e.g. OSI)
- SaaS has implicit IaaS layers
- Market impacts architecture
- Businesses occupy individual layers (e.g. cloud brokers)
- Layers of abstraction emerge
- Innovation/optimization in layers
- Everything becomes virtualized
[Figure: CSA Cloud Reference Model]
Customer role in different clouds
- In all clouds it is a shared responsibility
- IaaS is a greater responsibility for the customer to harden the service
- Provider is responsible for implementing most security in SaaS
- Identity & data governance may still be in the tenant's realm
- Customer has the ultimate responsibility for security assurance
How CSA delivers the secure cloud
CCSK User Certification
Certificate of Cloud Security Knowledge (CCSK)
- Benchmark of cloud security competency
- Based on CSA guidance
- Online web-based examination: www.cloudsecurityalliance.org/education/ccsk/
- Partnered with (ISC)2 to develop complementary certification: CCSP
- Close cloud security knowledge gaps
CSA STAR Provider Certification
- CSA STAR (Security, Trust and Assurance Registry), 3 Level Provider Certification Program
- Managed by CSA in partnership with world leading ISO certification bodies and audit firms
- Adopted Worldwide by Providers, Enterprises and Governments
www.cloudsecurityalliance.org/star
CSA STAR: Assisting Due Diligence
- Level 1: STAR Self-Assessment. Public Registry of Cloud Provider self-assessments based on CSA standards
- Level 2: STAR 3rd Party Audits. STAR Certification: integrates ISO/IEC 27001:2013. STAR Attestation: based upon Type 2 SOC
- Coming in Q4 2016: STARWatch
- Ask for the provider's STAR entry
- If unavailable, ask the provider to fill out CSA's Cloud Controls Matrix or Consensus Assessments Initiative Questionnaire
www.cloudsecurityalliance.org/research/ccm
www.cloudsecurityalliance.org/research/cai
Research for 2016
- Guidance V4
- Global Enterprise Advisory Board
- Software Defined Perimeter
- Financial Services Platform
- CCM/CAIQ/CTP/CloudAudit
- Security as a Service
- Internet of Things
- Quantum-Safe Computing
- CASB enablement: OpenAPI
- Other
It is all free! https://cloudsecurityalliance.org/research
Emerging Trends We Are Evaluating
- Blockchain
- Containers, micro services
- Internet of Things
- DevSecOps: DevOps applied to security
- Analytics
- Autonomous computing
- Artificial Intelligence
- Quantum-Safe Computing
A New Day for Computing and Trust
Apply the knowledge (1/3): baseline & foundation
- Use egress monitoring, CASB or similar to gain visibility and build a report of your cloud usage
- Survey your staff's cloud experience: hands-on experience with at least 2 IaaS, at least 1 PaaS and Security as a Service? Do you have any CCSKs on staff (Certificate of Cloud Security Knowledge)?
- Build your cloud security framework: the Cloud Controls Matrix (CCM) is a good start. Assign a team member to map CCM to your own Information Security Management System (ISMS)
Apply the knowledge (2/3): gentle policing of cloud usage
- Gain visibility into the use and risk of cloud services
- Educate employees to use low risk services leveraging existing infrastructure
- Integrate anomaly detection with SOC for investigation and remediation
- Identify sensitive data stored in sanctioned services
- Secure data in sanctioned services with encryption, DLP and access control policies
- Encourage/require providers to list in CSA STAR or minimally fill out CCM/CAIQ for you
Apply the knowledge (3/3): build your future cloud strategy
- Educate the security team that cloud requires greater agility: shorter risk assessment cycles; a constant state of change is the new norm
- Identify bottleneck processes that don't scale to cloud speeds and fix them
- Build new, cloud-native security strategies: new approaches for anti-DDoS, forensics, patch mgt, malware, etc.; identity federation dialtone; audit security architecture for physical dependencies; leverage Security as a Service to secure *aaS
- Research new technologies before the business adopts them, e.g. containers
- Demand transparency from the cloud provider industry
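As an added illustration of the "build a report of your cloud usage" step (1/3) and the "integrate anomaly detection with SOC" step (2/3) above, written for this transcript rather than taken from CSA's own tooling: the egress log format, the sanctioned-service inventory and the upload threshold are all assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample egress/proxy log lines in a hypothetical format:
# <timestamp> <user> <method> <url> <bytes_out>
SAMPLE_LOG = """\
2016-10-03T09:01:12Z alice POST https://drive.example-saas.com/upload 5242880
2016-10-03T09:02:40Z bob GET https://api.sanctioned-crm.com/v1/contacts 1024
2016-10-03T09:05:01Z alice POST https://unknown-share.example.net/put 73400320
2016-10-03T09:07:33Z carol POST https://drive.example-saas.com/upload 204800
2016-10-03T09:09:10Z bob POST https://unknown-share.example.net/put 1048576
"""

# Assumed sanctioned-service inventory with a risk tier; unlisted hosts are shadow IT.
SANCTIONED = {"drive.example-saas.com": "low", "api.sanctioned-crm.com": "low"}

# Assumed single-request upload size above which the SOC should investigate.
UPLOAD_ALERT_BYTES = 50 * 1024 * 1024


def parse_line(line):
    """Split one log line into fields; the host is what a CASB would key on."""
    ts, user, method, url, nbytes = line.split()
    return {"ts": ts, "user": user, "method": method,
            "host": urlsplit(url).hostname, "bytes_out": int(nbytes)}


def build_report(log_text):
    """Return (per-host cloud usage report, anomaly alerts for SOC hand-off)."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        entry = usage[rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        # Anomaly: a large upload to a service outside the sanctioned inventory.
        if (rec["host"] not in SANCTIONED and rec["method"] == "POST"
                and rec["bytes_out"] >= UPLOAD_ALERT_BYTES):
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "host": rec["host"], "bytes_out": rec["bytes_out"]})
    report = {}
    for host, e in usage.items():
        report[host] = {"status": "sanctioned" if host in SANCTIONED else "unsanctioned",
                        "risk": SANCTIONED.get(host, "unknown"),
                        "users": sorted(e["users"]),
                        "requests": e["requests"], "bytes_out": e["bytes_out"]}
    return report, alerts
```

The report is the inventory to feed into a CCM mapping or a STAR/CAIQ request per provider; the alerts list is what the SOC integration would receive.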
Summary
Cloudified information security is literal
- New class of information security solutions born in the cloud
- Security must be delivered from the cloud
Cloudified information security is figurative
- Agile, on demand
- Attitude: be a revolutionary!
- New technology, new skillsets, new culture
Lots of free tools and research to make your transition easier: www.cloudsecurityalliance.org
Contact
Join us to solve tomorrow's problems today
Email: info@cloudsecurityalliance.org
WWW: www.cloudsecurityalliance.org
Twitter: @cloudsa
THANK YOU