Nils Puhlmann Ncoic Slides

Nils Puhlmann, Cloud Security Alliance - Cloud Security

Transcript of Nils Puhlmann Ncoic Slides

Page 1: Nils Puhlmann Ncoic Slides

NCOIC

Federal Cloud Storefront Workshop

Nils Puhlmann, Co-Founder

September 21st, 2009

Page 2

www.cloudsecurityalliance.org Copyright © 2009 Cloud Security Alliance

Security is a concern

Page 3

S-P-I Model

• IaaS – You build security in

• PaaS

• SaaS – You “RFP” security in

Page 4

Security and the SPI model

Page 5

Risk Examples

• Geo-location of sensitive data

• Inability to deploy security services (e.g. scanning)

• Risk with shared computing platform (multi-tenant)

• Data confidentiality

• Access via internet – untrusted

• Cloud vendors for the most part non-committal on security

• Company data on 3rd party machine

• Compliance lacking – inability to satisfy auditors

• Vendors not up to speed from a guidance and auditing perspective

• Inability to perform forensic investigation

Page 6

Meet the Cloud Security Alliance

• Global, not-for-profit organization, started Nov. 2008, individual members (free), corporate members and affiliated organizations

• Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on…

• We believe Cloud Computing has a robust future, we want to make it better

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 8

Current affiliates

Cloud-Standards.org

Page 9

Individual Members

• 4,174 as of September 15th

• Broad Geographical Distribution

• Active Working Groups

  • Editorial

  • Educational Outreach

  • Architecture

  • Governance, Risk Mgt, Compliance, Business Continuity

  • Legal & E-Discovery

  • Portability, Interoperability and Application Security

  • Identity and Access Mgt, Encryption & Key Mgt

  • Data Center Operations and Incident Response

  • Information Lifecycle Management & Storage

  • Virtualization and Technology Compartmentalization

• New Working Groups

  • Healthcare

  • Cloud Threat Analysis

  • US Federal Government

  • Financial Services

Page 10

Project Roadmap

• April 2009: Security Guidance for Critical Areas of Focus for Cloud Computing – Version 1

• July 2009: Version 1 translated into Japanese

• October 2009: Security Guidance for Critical Areas of Focus for Cloud Computing – Version 2

• October 2009: Top Ten Cloud Threats (monthly)

• November 2009: Provider & Customer Checklists

• December 2009: eHealth Guidance

• Global CSA Executive Summits

  • Q1 2010 – Europe

  • Q1 or Q2 2010 – US

Page 11

Security Guidance for Critical Areas of Focus in Cloud Computing

Download at:

www.cloudsecurityalliance.org/guidance

Page 12

Overview of Guidance

1. Architecture & Framework

Governing in the Cloud

2. Governance & Risk Mgt

3. Legal

4. Electronic Discovery

5. Compliance & Audit

6. Information Lifecycle Mgt

7. Portability & Interoperability

Operating in the Cloud

8. Traditional, BCM, DR

9. Data Center Operations

10. Incident Response

11. Application Security

12. Encryption & Key Mgt

13. Identity & Access Mgt

14. Storage

15. Virtualization

Page 13

Contact

• www.cloudsecurityalliance.org

• [email protected]

• Twitter: @cloudsa, #csaguide

• LinkedIn: www.linkedin.com/groups?gid=1864210

Page 14

www.cloudsecurityalliance.org

Thank You!