A view from the Cloud Security Alliance peephole

Cloud

One million new

mobile devices

-each day!

Social Networking

Digital Natives

State Sponsored Cyberattacks?

Organized Crime?

Legal Jurisdiction & Data Sovereignty?

Global Security Standards?

Privacy Protection for Citizens?

Shift the balance of power to consumers of IT

Enable innovation to solve difficult problems of

humanity

Give the individual the tools to control their digital

destiny

Do this by creating confidence, trust and

transparency in IT systems

Global, not-for-profit organization, founded 2009

Geographically divided into Americas, EMEA and

APAC regions to meet strategic objectives

200 member driven organization with over 48,000

individual members in 64 chapters worldwide

Established with the aim of bringing trust to the

cloud

Develop a global trusted cloud ecosystem

Building best practices and standards for next-gen IT

Grounded in an agile philosophy, rapid development of applied

research that supports all activities

Corporate HQ is established in

Singapore

Global CSA Research Centre

Global Standards Secretariat

CCSK Global Centre of Excellence

Secondary hub is established in Hong

Kong anchored by

CloudCERT APAC Operational Base

Both locations also serve as

APAC business centre

Serving as a regional hub and operations

magnet our members

Subsequently satellite hubs are

established in Thailand, Taiwan and

New Zealand

CSA research is organized

under a framework based on

CSA Security Guidance for

Critical Area of Focus in

Cloud Computing

Total of 14 domains

organised under 3 key areas

of focus – Architecture,

Governance and Operational

Security

Our research includes

fundamental projects needed

to define and implement trust

within the future of

information technology

CSA continues to be

aggressive in producing

critical research, education

and tools

Sponsorship opportunities

Selected research projects in

following slides

GRC Stack

Family of 4 research projects

Cloud Controls Matrix (CCM)

Consensus Assessments Initiative

(CAI)

Cloud Audit

Cloud Trust Protocol (CTP)

Impact to the Industry

Developed tools for governance,

risk and compliance management

in the cloud

Technical pilots

Provider certification through

STAR program

Control

Requirements

Provider

Assertions

Private,

Community &

Public Clouds

Previously known as Trusted Cloud

Initiative

Security reference architecture for cloud

Architecture in use by early adopters of cloud in

Global 2000

Cloud brokering

To do:

Management tools

Technical implementation guides

Documented case studies & use cases

1. Data Breaches

2. Data Loss

3. Account Hijacking

4. Insecure APIs

5. Denial of Service

6. Malicious Insiders

7. Abuse of Cloud Services

8. Insufficient Due Diligence

9. Shared Technology Issues

https://cloudsecurityalliance.org/research/top-threats/

1.

Data loss from lost, stolen or decommissioned devices.

2.

Information-stealing mobile malware.

3.

Data loss and data leakage through poorly written third-party apps.

4.

Vulnerabilities within devices, OS, design and third-party applications.

5.

Unsecured WiFi, network access and rogue access points.

6.

Unsecured or rogue marketplaces.

7.

Insufficient management tools, capabilities and access to APIs (includes

personas).

Security as a Service

Research for gaining greater understanding

for how to deliver security solutions via

cloud models.

Information Security Industry Re-invented

Identify Ten Categories within SecaaS

Implementation Guidance for each SecaaS

Category

Align with international standards and other CSA

research

Industry Impact

Defined 10 Categories of Service and

Developed Domain 14 of CSA Guidance

V.3

Mobile

Securing application stores and other public entities

deploying software to mobile devices

Analysis of mobile security capabilities and features

of key mobile operating systems

Cloud-based management, provisioning, policy, and

data management of mobile devices to achieve

security objectives

Guidelines for the mobile device security framework

and mobile cloud architectures

Solutions for resolving multiple usage roles related to

BYOD, e.g. personal and business use of a common

device

Best practices for secure mobile application

development

Big Data

Identifying scalable techniques for

data-centric security and privacy

problems

Lead to crystallization of best practices

for security and privacy in big data

Help industry and government on

adoption of best practices

Establish liaisons with other

organizations in order to coordinate the

development of big data security and

privacy standards

Accelerate the adoption of novel

research aimed to address security

and privacy issues

Expert-led community resource for global legal

issues impacting cloud computing.

“Ask the Expert” advice column

Regular in-person seminars and webcasts

Expert opinion whitepapers, initial postings

Government Access to Data Held by US Cloud Service

Providers

Proposed EU Data Protection Regulation Implications for

Cloud Users

Article 29 for Cloud Computing

CSA Working Group based in Europe

Define baselines for compliance with data protection

legislation via a Privacy Level Agreement mechanism

A clear and effective way to communicate to (potential) cloud

customers the level of personal data protection provided by a CSP.

A tool to assess the level of a CSP’s compliance with data protection

legislative requirements and best practices.

A way to offer contractual protection against possible financial

damages due to lack of compliance.

Public visibility into Providers

Corporate Governance

Supply Chain

Information Security Program

Policies Impacting Customers

Consumer right to know

Public will demand better

Sunlight is the best disinfectant

,” U.S. Supreme

Control

Requirements

Provider

Assertions

Private,

Community &

Public Clouds

The CSA Open Certification Framework (OCF) is

an industry initiative to allow global, accredited,

trusted certification of cloud providers.

The CSA Open Certification Framework is a

program for flexible, incremental and

multi-layered certification

Based on CSA best practices

Integrating with popular third-party assessment

and attestation statements, initially ISO 27001 &

AICPA SSAE16 (SOC2)

Project initiative is called OCF, the certification

mark is STAR

OPEN CERTIFICATION FRAMEWORK

LEVEL 3 - CONTINUOUS

LEVEL 2 - ATTESTATION | CERTIFICATION

LEVEL 1:- SELF ASSESSMENT

TRANSPERANCY

Clear GRC objectives

3

rd

_Party

Assessment

Real time,

continuous

monitoring

+

+

Self Assessment

+

CSA STAR (Security, Trust and Assurance Registry)

Public Registry of Cloud Provider self assessments

Based on Consensus Assessments Initiative Questionnaire

Provider may substitute documented Cloud Controls Matrix

compliance

Voluntary industry action promoting transparency

Security as a market differentiator

www.cloudsecurityalliance.org/star

2

Registered

(December 2012)

22

Registered

(February 2013)

Completion of APAC pilots @ Alibaba and New

Taipei City (G-Cloud)

Target launch for Level 2 certification @ CSA

EMEA Congress on Sep 25

Also announced harmonization of Singapore

Standard (Multi-tier Cloud Security)

The industry’s first user certification program

for secure cloud computing

Based on CSA research framework,

specifically the Security Guidance for Critical

Area of Focus in Cloud Computing

Designed to ensure that a broad range of

professionals with responsibility related to

cloud computing have a demonstrated

awareness of the security threats and best

practices for securing the cloud

CCSK Basic

One day course to enable student to pass CCSK

CCSK Plus

Two day course includes practical cloud lab work

CCSK Train-the-Trainer

Three day course including CCSK Plus

GRC Stack Training

Additional one day course to use GRC Stack components

PCI/DSS In the Cloud

Additional one day course focusing on achieving PCI compliance in cloud computing

CCSK for IT & Security Architects

Whitepaper: Security best practices for security architecture in the cloud derived from CSA Domain

1, Trusted Cloud Initiative Reference Architecture model and new materials.

Courseware: Development of 3 day courseware derived from above whitepaper and other CSA

materials

.

CCSK for Software Developers

Whitepaper: Security best practices for software development in the cloud and recommended

industry curriculum.

Courseware: Development of 3 day courseware derived from above whitepaper and other CSA

materials.

CCSK for Cloud Auditing/Assurance (GRC Stack)

Whitepaper: Security best practices for assurance in the cloud derived from CSA Guidance 3 and

components of the GRC Stack research projects.

Engage international standards bodies on

behalf of CSA

Propose key CSA research for standardization

Working with NBs and tracking SDOs

A.4 and A.5 liaison relationship with ITU-T

Category A liaison with ISO/IEC SC27 & SC38

Industry thought leadership

Traditional Monday start to RSA Conference

2011: White House launches Federal Cloud

Strategy

2012: Keynote from Former NSA Director Mike

McConnell, announce CSA Mobile

2013: DHS Undersecretary for Cybersecurity

and Presiding Director of Coca Cola Company,

James Robinson III

One day conferences in conjunction with

chapters

Engage with local thought leaders

Project CSA best practices globally

2013 Regional Summits (so far)

16 in Asia Pacific

4 in Americas

4 in EMEA

Only multi-track, multi-day conference

focused on cloud security

Key venue for new research

Primarily attended by enterprise end users

2013 CSA Congress Plans

CSA Congress APAC, Singapore, May 14-17

CSA Congress EMEA, Edinburgh, September 24 - 27

CSA Congress US, Orlando, December 3 - 6

Challenges remain, there will always be

insecurity

Global collaboration, public & private

Innovation can make policy restrictions

obsolete

Major focus on identity needed

The Internet of Things is a ticking bomb

Must solve tomorrow’s problems today

Transparency must be our guide

Be Pragmatic, Be Agile

Follow the law, but do not concede to poor

interpretations of the law. Defend the spirit of the

law forcefully.

More tools available than you think

Advocate through procurement

Waiting not an option, but don’t forget

Strategy

Risk Management

For more information on the Cloud

Security Alliance, please contact:

Global/Americas

Jim Reavis

[email protected]

EMEA

Daniele Catteddu

[email protected]

APAC

Aloysius Cheang

[email protected]