Cloud Security Alliance and Standards. Jim Reavis Executive Director March 2012



About the CSA

Global, not‐for‐profit, 501(c)6 organization

Over 32,000 individual members, 120 corporate members, 60 chapters

Building best practices and a trusted cloud ecosystem

Agile philosophy, rapid development of applied research

Research www.cloudsecurityalliance.org/research

Education www.cloudsecurityalliance.org/education/training/

Certification
• CCSK (individual) www.cloudsecurityalliance.org/certifyme
• CSA STAR (provider) www.cloudsecurityalliance.org/star

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other


Copyright © 2012 Cloud Security Alliance

One view of CSA: Cloud Security Standards Incubator

CSA is not an SDO

CSA research projects last 2-6 months

Research artifacts made available to SDOs

In some cases, SDOs may assume ownership

CSA is a neutral community for all SDOs

Gives industry a fast track to standards alignment

Rapid Research > Accredited Standard


CSA Guidance Research

www.cloudsecurityalliance.org/research/guidance

Popular best practices for securing cloud computing

Flagship research project

V2.1 released 12/2009

V3 released 11/2011

Over 250k downloads

Cloud Architecture

Governing the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability

Operating in the Cloud:
• Security, Business Continuity, and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
• Security as a Service


CSA GRC Stack

Family of 4 research projects:
• Cloud Controls Matrix
• Consensus Assessments Initiative
• Cloud Audit
• Cloud Trust Protocol

Tools for governance, risk and compliance management

Covers control requirements and provider assertions for private, community & public clouds


Cloud Controls Matrix Tool

Controls derived from guidance

Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP

Rated as applicable to S-P-I (SaaS, PaaS, IaaS)

Customer vs Provider role

Helps bridge the “cloud gap” for IT & IT auditors


Consensus Assessment Initiative

Research tools and processes to perform shared assessments of cloud providers

Integrated with Controls Matrix

CAI Questionnaire released Oct 2010, over 140 provider questions to identify presence of security controls or practices

Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs


CloudAudit

Open standard and API to automate provider audit assertions

Change audit from data gathering to data analysis

Necessary to provide audit & assurance at the scale demanded by cloud providers

Uses Cloud Controls Matrix as controls namespace

Use to instrument cloud for continuous controls monitoring


Cloud Trust Protocol (CTP)

Developed by CSC, transferred to CSA

Open standard and API to verify control assertions

“Question and Answer” asynchronous protocol, leverages SCAP (Security Content Automation Protocol)

Integrates with CloudAudit

Now we have all the components for continuous controls monitoring


CSA STAR Registry


• CSA STAR (Security, Trust and Assurance Registry)

• Public Registry of Cloud Provider self assessments

• Based on Consensus Assessments Initiative Questionnaire

• Provider may substitute documented Cloud Controls Matrix compliance

• Voluntary industry action promoting transparency

• Free market competition to provide quality assessments

• Provider may elect to provide assessments from third parties


Trusted Cloud Initiative

Comprehensive Cloud Security Reference Architecture

Secure & interoperable identity in the cloud

Getting SaaS, PaaS to be “Relying Parties” for corporate directories

Scalable federation

Outline responsibilities for Identity Providers

Assemble reference architectures with existing standards


Security as a Service

Information Security Industry Re-invented

Define Security as a Service – security delivered via the cloud

Articulate solution categories within Security as a Service

Guidance for adoption of Security as a Service

Align with other CSA research

Delivered as the 14th domain within CSA Guidance version 3.

https://cloudsecurityalliance.org/research/working-groups/secaas/


CSA Mobile

Mobile – the Portal to the Cloud
• BYOD, new OSes, application stores, mobile clouds…

Our Initiative
• Security Guidance for Critical Areas of Focus in Mobile Computing
• Secure application stores
• Solutions for personal and business use of a common mobile device
• Cloud‐based security management of mobile devices
• Security frameworks and architecture
• Scalable authentication and secure mobile app development
• www.cloudsecurityalliance.org/mobile


Standards

• Contributions of Cloud Controls Matrix to ISO/IEC SC27, ITU-T FG 17

• Informal collaboration between TCI & NIST

• Contribution of Security as a Service to ITU-T FG 17

• Contribution of CloudAudit to ITU-T FG 17, possibly IETF track

• Alignment of Cloud Controls Matrix and FedRAMP, FISMA

• Security Guidance 3.0 submission as a Publicly Referenceable Standard at ISO/IEC

www.cloudsecurityalliance.org

Thank you!
