CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
1. Cloud Security Alliance Research & Roadmap
RSA Conference 2013 Announcements
Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org
3. Developed first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (updated October 2011)
First and only user certification for cloud security, the CCSK (Certificate of Cloud Security Knowledge, September 2010)
Tools for managing Governance, Risk and Compliance in the Cloud
Registry of cloud provider security practices, the CSA STAR (Security, Trust & Assurance Registry, Q4 2011)
First and only multi-tenant security controls framework adapted for cloud (CSA CCM)
Industry leading security practices, education and tools developed by 20+ working groups
Selection of CSA venue by US White House to announce the US Federal Cloud Strategy in 2011
Leadership in developing new security standards addressing cloud computing
Trusted advisor to governments and Global 2000 firms around the world
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
5. 60 chapters and growing
Every continent except Antarctica
Translating guidance
Adapting research to local needs
Creating their own research projects
12. Our research includes fundamental projects needed to define and implement trust within the future of information technology
CSA continues to be aggressive in producing critical research, education and tools
22 Active Work Groups and 10 in the pipeline
13. Global resource and research coverage through our corporate membership, affiliate members, chapters and
Connected to great minds: research contributors represent some of the top minds in information security and cloud computing
14. Security Guidance for Critical Areas of Cloud Computing
Popular best practices for securing cloud computing
Flagship research project
V 3.0 Released (November 2011)
In alignment with international standards
Impact to the Industry: developed first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (updated October 2011)
15. GRC Stack
Family of 4 research projects:
Cloud Controls Matrix (CCM)
Consensus Assessments Initiative (CAI)
Cloud Audit
Cloud Trust Protocol (CTP)
(Diagram labels: Control Requirements, Provider Assertions)
16. Controls derived from guidance
Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, etc.
Rated as applicable to S-P-I
Customer vs. Provider role
Help bridge the “cloud gap” for IT & IT auditors
17. Research tools and processes to perform shared assessments of cloud providers
Integrated with Controls Matrix
Version 1 CAI Questionnaire released Oct 2010, approximately 140 provider questions to identify presence of security controls or practices
Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs
18. Open standard and API to automate provider audit assertions
Change audit from data gathering to data analysis
Necessary to provide audit & assurance at the scale demanded by cloud providers
Uses Cloud Controls Matrix as controls namespace
Use to instrument cloud for continuous controls monitoring
19. Developed by CSC, transferred to CSA
Open standard and API to verify control assertions
“Question and Answer” asynchronous protocol, leverages SCAP (Security Content Automation Protocol)
Integrates with Cloud Audit
Now we have all the components for continuous controls monitoring
20. CSA STAR
(Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative Questionnaire
Provider may substitute documented Cloud Controls Matrix compliance
Voluntary industry action promoting transparency
Free market competition to provide quality assessments
Provider may elect to provide assessments from third parties
22. Security as a Service
Research for gaining greater understanding of how to deliver security solutions via cloud models.
Information Security Industry Re-invented
Identify Ten Categories within SecaaS
Implementation Guidance for each SecaaS Category
Align with international standards and other CSA research
23. Mobile
Securing application stores and other public entities deploying software to mobile devices
Analysis of mobile security capabilities and features of key mobile operating systems
Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
Guidelines for the mobile device security framework and mobile cloud architectures
Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
Best practices for secure mobile application development
24. Big Data
Identifying scalable techniques for data-centric security and privacy problems
Lead to crystallization of best practices for security and privacy in big data
Help industry and government on adoption of best practices
Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards
Accelerate the adoption of novel research aimed to address security and privacy issues
25. Cloud Data Governance
Cloud Data Governance Maturity Survey of current Cloud Provider practices in the market (e.g. backup, encryption, secure deletion, etc.)
Structure based on Domain 5: Information Lifecycle Management
Re-define Data Life Cycle Model
Identify Key Concerns for Stakeholders
Data Governance in Emerging Technologies in the Cloud
26. Telecom Working Group
Industry a key stakeholder in future of cloud
CSA’s liaison to ITU-T
5 Telecom Initiatives:
Telecom and the GRC Stack
ISO 27017 interviews with CSPs
SIEM
Compliance Monitoring
Cloud Forensics and Legal
27. CloudCERT
Consensus research for emergency response in Cloud
Enhance community’s ability to respond to incidents
Standardized processes
Supplemental best practices for CERTs
Hosted Community of Cloud CERTs
28. Health Information Management (NEW)
Provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries
2 Health Initiatives:
HIPAA and HiTech Best Practices
Healthcare Recommendations Guidance to V.3
29. Privacy Level Agreement (PLA)
PLA = SLA for privacy.
In the PLA (typically an attachment to the Service Agreement) the cloud service provider (CSP) clearly declares the level of privacy and data protection that it undertakes to maintain with respect to the relevant data processing.
Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection.
Offer contractual protection against possible economic damages due to lack of compliance or commitment of the CSP to privacy and data protection regulation.
31. ISACA/CSA Cloud Security Maturity Project
The Cloud Security Alliance (CSA) and ISACA announced the availability of a new survey on cloud market maturity
This is the first collaborative project between the two organizations
A report based on the survey results will be published
32. Top Threats
Provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies
V.2 of Top Threats Report released in October 2012
33. CSA has been awarded 4 FP7 Projects
Helix Nebula - The HELIX NEBULA Project is a preliminary step towards a European cloud-based scientific e-infrastructure: HELIX NEBULA – the Science Cloud.
Cumulus - The overall aim of the project is to develop a framework for hybrid, incremental and multi-layer certification for all services in cloud computing stacks, including infrastructure (IaaS), platform (PaaS) and software services (SaaS).
Cirrus – Cirrus aims to bring together different stakeholders (industry, research, service providers, end-users, standardization bodies…) and perform an analysis of implications for overall E2E (end-to-end) Cloud Security with special attention to issues of assurance and trustworthiness.
A4 Cloud - This project aims to clarify regulatory expectations with regard to cloud and also provide mechanisms that enable provision of accountable services in the cloud.
34. Most of our Research Projects are ideas from professionals like you
Do you have an idea for a research project on a cloud security topic?
If so, please take the time to describe your concept by filling out our online form. This form is monitored by the CSA research team, who will review your proposal and respond to you with feedback.
35. Contribute to the CSA library
The Cloud Security Alliance is a community non-profit which is driven by its members. Have a white paper or information on a cloud security product you want to contribute?
https://cloudsecurityalliance.org/education/white-papers-and-educational-material/
36. Learn how you can participate in Cloud Security Alliance's goals to promote the use of best practices for providing security assurance within Cloud Computing
http://www.linkedin.com/groups?gid=1864210
https://cloudsecurityalliance.org/get-involved/
37. RSA Conference 2013 Announcements
38. Released a draft of the latest version of the Cloud Control Matrix, CCM v3.0
Realigns the CCM control domains to achieve tighter integration with the CSA’s “Security Guidance for Critical Areas of Focus in Cloud Computing version 3”
Introduced three new control domains:
Mobile Security
Supply Chain Management, Transparency and Accountability
Interoperability & Portability
Available for peer review through the CSA Interact website, with the peer review period closing March 31, 2013, and final release of CCM v3.0 on April 17, 2013
Peer review links:
https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_1
https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_2
https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_3
39. CSA Big Data Working Group released an initial report, The Top 10 Big Data Security and Privacy Challenges, at CSA Congress 2012
2013 RSA announcement expanded this to the Top Ten Big Data Security and Privacy Challenges report
The 35-page report outlines the unique challenges presented by Big Data
The Top 10 Big Data Security and Privacy Challenges have been enumerated as follows:
1. Secure computations in distributed programming frameworks
2. Security best practices for non-relational data stores
3. Secure data storage and transaction logs
4. End-point input validation/filtering
5. Real-time security monitoring
6. Scalable and composable privacy-preserving data mining and analytics
7. Cryptographically enforced data-centric security
8. Granular access control
9. Granular audits
10. Data provenance
The goal of outlining these challenges is to raise awareness among security practitioners and researchers
To review the report and provide comments, please visit https://interact.cloudsecurityalliance.org/index.php/bigdata/top_ten_big_data_2013
40. Released a position paper on the American Institute of CPAs’ reporting framework
Educating members and providing guidance on selecting the most appropriate reporting option
Latest step in CSA’s previously announced Open Certification Framework and STAR Attestation initiatives
AICPA’s reporting framework, known as Service Organization Control Reports, consists of three major document types:
The first – the SOC 1 report – deals with controls over financial reporting
The SOC 2 report focuses on controls that bear on a service provider’s security, processing integrity and operating availability, as well as the confidentiality and privacy of data moving through its systems.
A third report, SOC 3, is a compressed version of the SOC 2 and is designed for public distribution.
Highlights that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services
The Cloud Controls Matrix is designed to be used in conjunction with existing standards, and this is one such example where the combination provides a comprehensive view that should suit most users’ reporting needs
Position paper also offers guidance to members on the following:
When a SOC 1 report is necessary,
When a SOC 2 report is called for, and
When both engagement types may be required
The full position paper can be found at https://cloudsecurityalliance.org/research/collaborate/#_aicpa
41. The CSA PLA Working Group formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on Cloud Computing into an easy-to-use outline that CSPs can use to disclose personal data handling practices
The Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group released the Privacy Level Agreement (PLA) Outline for Cloud Service Providers providing services in the European Union
The Outline provides a structure for Cloud Service Providers (CSP) to disclose, in a consistent manner, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store in the CSP’s servers
Once a PLA outline is completed by a CSP, it will provide current and potential customers with a new tool to assess that CSP’s disclosure of its practices.
This knowledge, in turn, will allow companies to evaluate the extent to which the use of a particular CSP will allow them to achieve compliance with applicable data protection laws, including, in particular, their transparency and accountability obligations, a positive shift for both the customer and provider alike.
Key elements covered in the outline include:
Cloud customer internal and external due diligence
Categories of personal data that may be uploaded to the service
Ways in which data should be processed in the cloud
Data location, transfer, retention, monitoring and security measures
Personal data breach notification
Data portability, migration, and transfer-back assistance
Accountability
Law enforcement access
Remedies
To learn more, download the PLA Initiative Research Sponsorship Outline.
42. The Cloud Security Alliance (CSA) Top Threats Working Group released The Notorious Nine: Cloud Computing Top Threats in 2013
A revised report aimed to provide organizations with up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies
Report focuses on threats specifically related to the shared, on-demand nature of cloud computing
Serves as an up-to-date threat identification guide that will help cloud users and providers make informed decisions about risk mitigation within a cloud strategy
The Top Threats Working Group used these survey results alongside their expertise to craft the final The Notorious Nine: Cloud Computing Top Threats in 2013.
Identified the following nine critical threats to cloud security:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse and Nefarious Use
8. Insufficient Due Diligence
9. Shared Technology Issues
Intended to be utilized in conjunction with the best practices guides “Security Guidance for Critical Areas in Cloud Computing V.3” and “Security as a Service Implementation Guidance”
Companies and individuals interested in learning more or joining the group can visit https://cloudsecurityalliance.org/research/top-threats/
43. Formation of the Legal Information Center (CLIC), a new online resource.
The launch of the CLIC is part of an ongoing effort on behalf of the CSA to help individuals and organizations better understand and address the various and often complicated legal issues related to cloud computing
The CLIC will be an open resource for cloud computing practitioners, regulators, and legal experts with a mission to provide unbiased information about the applicability of existing laws and also identify laws that are being impacted by technology trends that may require modification
As part of this new initiative, CSA and Box hosted a panel discussion entitled “US and Foreign Laws Regulating Government Access to Data Held in the Cloud” on Thursday, February 28th
Panel participants included legal and regulatory experts from seven countries
Moderated by Francoise Gilbert, Founder and General Manager of the IT Law Group as well as General Counsel for the CSA.
The panel explored a wide range of issues related to the rule of laws governing access of governments to data held in the cloud
More information on the CLIC: https://cloudsecurityalliance.org/research/clic/
44. Announced the launch of a new global training program called the CSA Master Training Program
HP named as the initial partner of this new program
The CSA Master Training Program is designed to accelerate worldwide access and adoption of the CSA Certificate of Cloud Security Knowledge (CCSK) Certification
With assistance from HP, CSA will invest in the global expansion of CCSK training availability, with a key focus on the Asia Pacific region.
CSA and HP will also work closely to collaborate on a curriculum roadmap through the CCSK Center of Excellence based in Singapore
HP will adapt existing CCSK lab-based training to include HP cloud solutions
HP Education Services will certify any HP CCSK training staff based on HP’s CSA-certified courseware
At the annual CSA Congress in October 2012, the CSA published version 3 of its CCSK
Included two principal updates: an update to the CCSK Training Materials as well as a new CCSK exam
The CCSK is aligned with the latest release of CSA’s Security Guidance as well as other intellectual property, which comprises the CSA Common Body of Knowledge (CBK)
Editor's notes
Research is the crown jewel of CSA. The objective of CSA research is to develop best practices, guidelines, white papers and frameworks that will be conducive to building trust in the Cloud. As a result, consumers can go to the cloud securely and with confidence. Cloud service providers can use our work as a baseline to address interoperability and security issues, where assurance is assessable continuously and automatically. Switching costs to consumers are reduced to a minimum, and a dynamic cloud ecosystem is hence created to allow for acceleration of cloud adoption.
The CSA Guidance is our flagship research that provides a broad catalog of best practices. It contains 13 domains to address both broad governance and specific operational issues. This Guidance is used as a foundation for the other research projects in the following slides that relate to compliance.
Do visit the website. Do join the LinkedIn Groups – you will receive regular email updates.