Jim Reavis, CEO, June 2017 - Cloud Security Alliance · Servers are dead, virtual servers are dying, long live services and microservices! Microsegmentation, Software-defined everything

Transcript of the slide deck by Jim Reavis, CEO, Cloud Security Alliance, June 2017.

Page 1:

www.cloudsecurityalliance.org Copyright © 2017 Cloud Security Alliance

Jim Reavis, CEO

June 2017

Page 2:

Global, not-for-profit organization

Building security best practices for next generation IT

Research and Educational Programs

Cloud Provider Certification – CSA STAR

User Certification - CCSK

The globally authoritative source for Trust in the Cloud

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 3:

Get out of the datacenter business, focus on the core business

Accelerate time to market for products

One line of code creates a datacenter!

Leverage leading edge technology

Software is eating the world, Developers are the mouth!

Greater comfort with “Tier 1” cloud provider security

The question is not “if”, but “how much, how soon?”

Page 4:

Regulatory & compliance concerns

Data protection & data sovereignty

Loss of control

Performance and uptime

Fear of being tied into one provider

Security, particularly for lesser known cloud entities

Page 5:

Cloud as a layered model (eg OSI)

SaaS has implicit IaaS & PaaS layers

Market impacts architecture

Businesses occupy individual layers (e.g. cloud brokers)

Layers of abstraction emerge

Innovation/optimization in layers

Everything becomes virtualized

(Figure: CSA Cloud Reference Model)

Page 6:

Phenomenal Growth

Amazon AWS 55% YoY, $11B+ business

Public Cloud 44% YoY 2014-2019 (Cisco)

Private Cloud 17% YoY 2014-2019 (Cisco)

Most heavily used IaaS services: virtual machine computing & storage

Major IaaS players tend to be PaaS leaders

AWS, Azure, Heroku & Force.com (Salesforce), Google App Engine

Enterprise “Cloud First” policy common

Page 7:

Public cloud surpassing private cloud

Servers are dead, virtual servers are dying, long live services and microservices!

Microsegmentation, Software-defined everything

APIs everywhere

Automation, DevOps & DevSecOps changing how security is implemented

“Born in the cloud” security companies

High growth expected to continue

Page 8:

(Figure: IaaS, PaaS, SaaS)

Page 9:

Cloud is global, nations and industries enforce localized requirements

Need to harmonize & normalize control objectives for global players

Data sovereignty treated as a physical issue in a virtual world

Enterprises pushing to approve new apps in days and HOURS!

Continuous auditing/monitoring needs to address security “between audits”

Audit scopes change in multi-cloud

SaaS providers within large IaaS clouds should “inherit” underlying controls

Customers must be assured the “entire stack” is secure

Innovation, Automation & Transparency create tremendous opportunities

Page 10:

Cloud specific risk considerations

Page 11:

1. Data Breaches

2. Compromised Credentials and IAM

3. Insecure APIs

4. System and App Vulnerabilities

5. Account Hijacking

6. Malicious Insiders

7. APTs

8. Data Loss

9. Due Diligence

10. Nefarious Use and Abuse

11. Denial of Service

12. Shared Technology Issues

https://cloudsecurityalliance.org/group/top-threats/

Page 12:

In all clouds it is a shared responsibility

In IaaS the customer carries more of the responsibility for hardening the service

Provider is responsible for implementing most security in SaaS

Identity & data governance may still be in the tenant’s realm

Customer has the ultimate responsibility for security assurance

Page 13:

Visibility into cloud usage today and plans for tomorrow

Data security: think about the entire data lifecycle and address security in all phases

Strong Identity & Access Management strategy

Gentle policing: encourage secure cloud options over insecure cloud choices

Due diligence with your providers

Have an intermediary strategy

Fill the Education Gap – gain cloud security expertise today and start addressing “next generation” trends

“Cloudify” information security – Virtual, Agile, Automation, Service-oriented vs Appliance-centric

Page 14:

Tools for your secure cloud journey

Page 15:

Certificate of Cloud Security Knowledge (CCSK)

Most valuable IT certification 2016 – Certification Magazine

Benchmark of cloud security competency

Based on CSA guidance

Online web-based examination

www.cloudsecurityalliance.org/education/ccsk/

Also partnered with (ISC)2 on complementary CCSP

Page 16:

Level 1 STAR Self-Assessment

Public Registry of Cloud Provider self assessments based on CSA standards

Level 2 STAR 3rd Party Audits

STAR Certification: Integrates ISO/IEC 27001:2013

STAR Attestation: Based upon Type 2 SOC

CSA SaaS Tool: STARWatch

Ask for provider’s STAR entry

If unavailable, ask provider to fill out CSA’s Cloud Controls Matrix or Consensus Assessments Initiative Questionnaire

www.cloudsecurityalliance.org/research/ccm

www.cloudsecurityalliance.org/research/cai

Page 17:

CSA STAR (Security, Trust and Assurance Registry), 3 Level Provider Certification Program

Managed by CSA in partnership with world leading ISO certification bodies and audit firms

Adopted Worldwide by Providers, Enterprises and Governments

Promotes Transparency within Cloud Ecosystem

Page 18:

First ever baseline control framework specifically designed for Cloud supply chain risk management:

Delineates control ownership (Provider, Customer)

Ranks applicability to cloud provider type (SaaS vs PaaS vs IaaS)

An anchor for security and compliance posture measurement

Provides a framework of 16 control domains

Controls map to global regulations and security standards: e.g. NIST, ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP – mappings growing virally

Page 19:

Page 20:

Companion to CSA Cloud Controls Matrix (CCM)

Series of Yes/No/NA questions used to assess compliance with CCM

Narrative may be included for each question to explain why the particular answer is given

Helps organizations build assessment processes for cloud providers

Helps cloud providers assess their own security posture

Core team that originally built this were from the financial services industry
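An added example of how a customer-side review might mechanize the CAIQ format described on this slide; it is not CSA tooling or code from the deck. It parses a constructed CAIQ-style response (domain labels echo CCM domain names; the question IDs, questions and narratives are illustrative, not real CAIQ entries), flags the answers a reviewer should challenge, and scores coverage per control domain. An NA answer is accepted only when a narrative justifies it, which is how page 9's point about SaaS providers inheriting controls from the underlying IaaS shows up in a questionnaire review.

```python
"""Gap analysis over a CAIQ-style provider response (added example, not CSA code)."""
import csv
import io
from collections import defaultdict

# Constructed sample in a CAIQ-like CSV layout: domain, question ID, question,
# Yes/No/NA answer, optional narrative. IDs and wording are illustrative only.
SAMPLE_CAIQ = """domain,question_id,question,answer,narrative
Identity & Access Management,IAM-01.1,Do you enforce MFA for privileged access?,Yes,Hardware tokens required for all admin roles.
Identity & Access Management,IAM-02.1,Are access rights reviewed at least quarterly?,Yes,
Encryption & Key Management,EKM-01.1,Can tenants manage their own encryption keys?,No,Provider-managed keys only.
Encryption & Key Management,EKM-02.1,Is data encrypted at rest?,Yes,AES-256 on all storage volumes.
Datacenter Security,DCS-01.1,Do you operate your own physical datacenters?,NA,Physical layer inherited from the underlying IaaS provider.
Supply Chain Management,STA-01.1,Do you require your own third parties to complete a CAIQ?,no,
"""

VALID_ANSWERS = {"yes", "no", "na"}


def parse_caiq(text):
    """Parse CAIQ-style CSV rows, normalize answers, reject anything outside Yes/No/NA."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        answer = row["answer"].strip().lower()
        if answer not in VALID_ANSWERS:
            raise ValueError(f"{row['question_id']}: unexpected answer {row['answer']!r}")
        row["answer"] = answer
        row["narrative"] = (row["narrative"] or "").strip()
        rows.append(row)
    return rows


def find_gaps(rows):
    """Return (question_id, reason) pairs a reviewer should follow up on.

    A bare Yes is treated as unverified: the CAIQ narrative is where the
    provider explains *how* the control is met, and an empty one is a gap
    in the provider's evidence, not proof of the control.
    """
    gaps = []
    for r in rows:
        if r["answer"] == "no":
            gaps.append((r["question_id"], "control not implemented"))
        elif r["answer"] == "na" and not r["narrative"]:
            gaps.append((r["question_id"], "NA without justification (inherited from whom?)"))
        elif r["answer"] == "yes" and not r["narrative"]:
            gaps.append((r["question_id"], "Yes without supporting narrative"))
    return gaps


def domain_coverage(rows):
    """Per-domain share of applicable (non-NA) questions answered Yes."""
    counts = defaultdict(lambda: [0, 0])  # domain -> [yes, applicable]
    for r in rows:
        if r["answer"] == "na":
            continue  # justified NA is neither a pass nor a fail for the domain
        counts[r["domain"]][1] += 1
        if r["answer"] == "yes":
            counts[r["domain"]][0] += 1
    return {domain: yes / total for domain, (yes, total) in counts.items()}


if __name__ == "__main__":
    rows = parse_caiq(SAMPLE_CAIQ)
    for qid, reason in find_gaps(rows):
        print(f"FOLLOW UP {qid}: {reason}")
    for domain, share in sorted(domain_coverage(rows).items()):
        print(f"{domain}: {share:.0%} of applicable questions answered Yes")
```

Running it against a provider's real CAIQ export needs only the column names adjusted; the useful output is the follow-up list, which becomes the agenda for the due-diligence call rather than a score to be filed away.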

Page 21:

Guidance V4

Global Enterprise Advisory Board

Software Defined Perimeter

Security as a Service

Big Data

Internet of Things

Privacy Level Agreement

Incident Response / Threat Intelligence

SaaS Governance

Financial Services

Other

https://cloudsecurityalliance.org/research

Page 22:

Jim’s overly simplified view of the future

Page 23:

(Chart: World Population vs. Internet connected devices over time, annotated “We are in here currently” and “Thousands of computers per human”)

Page 24:

Cloud computing is the back end

Internet of Things is the endpoint

Compute is Everywhere … but you won’t know where anything is

Applications, topologies, security configurations in constant state of change

Page 25:

Page 26:

Self Driving Information Security: moving humans to the (high value & strategic) periphery

Automation

AI/Machine learning

Continuous Analytics

Software defined everything

Standards

Trust marks

Inherited security

Blockchain

Quantum

etc

…plus the technology we already depend on

(Figure: two charts, “Now” and “Soon”, contrasting the share of security work done by People vs Other stuff)

Page 27:

Blockchain

Containers, micro services

Internet of Things

DevSecOps: DevOps applied to security

Analytics

Autonomous computing

Artificial Intelligence

Quantum-Safe Computing

https://cloudsecurityalliance.org/research

Page 28:

Summary

Page 29:

Cloud is the future of IT and a competitive advantage today

Awareness, Opportunism, Strategy in cloud adoption

Understand Cloud and the wide variety of providers on the market

Learn how to protect your data

Make your organization cloud ready

Due diligence with your providers

Understand how software development is different in cloud

Understand how cloud is changing security best practices

Track emerging trends

Education is a key gap to address

Tier 1 providers are better at security than you, so know who you are in a relationship with

Lots of free tools and research to make your transition easier

CSA is here to answer your questions

Page 31: