SlideShare una empresa de Scribd logo

CSA Introduction 2013 David Ross

Graeme Wood
Graeme Wood

CSA

TecnologíaEmpresariales
1 de 36
Compliance in the Public Cloud and the Cloud Security Alliance's Open Certification Framework Dr David Ross CISO, Bridge Point Communications Founding Director, Cloud Security Alliance Australia Chapter
• Security issues encountered with cloud services • Trust Issues • Governance, Compliance, Control, Assurance and Certification • Open Certification Framework – STAR Certification – STAR Attestation 2 A collaboration of a number of security experts from the Cloud Security Alliance in Australia
Security issues encountered with cloud services • #1 The Cloud Consumer assumes the Cloud Service is “secure” without understanding the contract. – Real Example: Cloud Service includes “automatic backup service that copies customer data to an external backup service, providing a further level of security to customer data … stored for 3 months after being made … can be extended to up to 7 years if required” • Perfectly legitimate, but there are 2 meanings for “secure” here – By default, the backup is overwritten after 3 months … no restores over 3 months old! – The backups go to a third party … with whom you have no contract for handling your data! – The backups are … NOT encrypted! 3 Copyright © 2013 Bridge Point Communications
Security issues encountered with cloud services • #2 Insecure management or administration interfaces – Real Example: Cloud Service uses insecure, clear-text protocol (HTTP) for remote administration logins. – The username and password are transmitted in clear-text and may be intercepted by a network sniffer, relay, server logs, proxy or firewall logs, or a man-in-the-middle attack to provide credentials for a subsequent attack. 4 Copyright © 2013 Bridge Point Communications
Security issues encountered with cloud services • #3 No separation of duties, detection of abuse, or escalation of privilege – Real Example: Cloud Service Systems Administrator has access to all layers, from Application down to Physical hardware. – The entire security of the Cloud Consumers’ data relies on the integrity and expertise of a single person with no checks or balances to prevent malicious or accidental compromise of security controls. The Systems Administrator can do anything with the hosts, networks, and storage … including the audit trails that detail just what has been done. 5 Copyright © 2013 Bridge Point Communications
Issues particular to cloud services in the GRC space • #4 Weak, vague, or one-sided SLAs and contracts – Real Example: “The following list presents an overview of some of the audits and assessments that the” Cloud Service “undergoes on a regular basis”... – The Cloud Service did indeed undergo regular audits … but only held certifications for two of the five in their list in that year. – Difference between ‘undergo audits’ and ‘meet requirements’. – Require certification 6 Copyright © 2013 Bridge Point Communications
Impacts on the typical IT governance model • Require a trust relationship with the Cloud Service Provider • Require indirect administrative and contractual controls over the CSP in place of the direct controls over in-house infrastructure and personnel • Require transparency and assurance of the CSP operations • Therefore -> Require independent verification of CSP assertions 7 Copyright © 2013 Bridge Point Communications
What are the Trust Issues? 8 Copyright © 2013 Bridge Point Communications ( I just ordered this from zazzle.com.au )
What are the Trust Issues? • Will the CSP be transparent about governance and operational issues? • Will the user be considered compliant? • Does the user know what legislation applies? • Will a lack of standards drive unexpected obsolescence? • Is cloud really better at security than traditional IT solution? 9 Copyright © 2013 Cloud Security Alliance
A new Governance Model • Users need to understand the shift in the balance of responsibility and accountability for key functions such as governance and control over data and IT operations, ensuring compliance with laws and regulations. • Cloud computing requires a new model for assessing organisational risks related to security and resilience. 10 Copyright © 2013 Cloud Security Alliance
Assurance • Consumers do not have simple, cost effective ways to evaluate and compare their providers’ resilience, data protection capabilities and service portability. 11 Copyright © 2013 Cloud Security Alliance
Certification Challenges • Provide a globally relevant certification to reduce duplication of efforts • Address localised, national-state and regional compliance needs • Address industry specific requirements • Address different assurance requirements • Address “certification staleness” – assure provider is still secure after “point in time” certification • Do all of the above while recognising the dynamic and fast changing world that is cloud 12 Copyright © 2013 Cloud Security Alliance
Certification Challenges This gap of trust mainly lies down in the difficulties of cloud users in addressing fundamental assurance issues with cloud providers, such as: • Understanding legal compliance and contractual liabilities, • Defining and allocating responsibilities • Enforcing accountability • Translating requirements into cloud language/controls/checks • Identifying means for an ex-ante analysis assessment of cloud services and for a • Continuous monitoring of cloud service contract execution 13 Copyright © 2013 Cloud Security Alliance
How do we build Trust and Transparency? • The Cloud Security Alliance’s Open Certification Framework for cloud services 14 Copyright © 2013 Cloud Security Alliance
The Cloud Security Alliance’s Open Certification Framework • Daniele Catteddu, CSA Managing Director EMEA • Open Certification Framework for cloud services • Announced 9May2012 Frankfurt (DE),detail 20Aug2012 Edinburgh (UK) 15 Copyright © 2013 Cloud Security Alliance
The Cloud Security Alliance (CSA) • Global, not-for-profit organisation • Over 40,000 individual members, more than 160 corporate members, over 60 chapters • Building best practices and a trusted cloud ecosystem • Agile philosophy, rapid development of applied research 16 Copyright © 2013 Cloud Security Alliance The Cloud Security Alliance – not-for-profitorganisation with a mission… “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
Open Certification Framework Vision Statement • The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. • The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives. • The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost. ~Jim Reavis & Daniele Catteddu; CSA~ 17 Copyright © 2013 Cloud Security Alliance
OCF: The structure • The open certification framework is structured on 3 LEVELs of TRUST, each one of them providing an incremental level of visibility and transparency into the operations of the Cloud Service Provider and a higher level of assurance to the Cloud consumer. 18 Copyright © 2013 Cloud Security Alliance
OCF Governance 19 Copyright © 2013 Cloud Security Alliance
OCF Level 1: CSA STAR Registry • CSA STAR (Security, Trust and Assurance Registry) • Public Registry of Cloud Provider self assessments • Based on Consensus Assessments Initiative Questionnaire • Provider may substitute documented Cloud Controls Matrix compliance • Voluntary industry action promoting transparency • Free market competition to provide quality assessments • Provider may elect to provide assessments from third parties • Available since October 2011 20 Copyright © 2013 Cloud Security Alliance
OCF Level 2: 21 Copyright © 2013 Cloud Security Alliance Certification
What is STAR Certification? • Continuous monitoring of cloud service contract execution • STAR CERTIFICATION evaluates the efficiency of an organization’s ISMS and ensures the scope, processes and objectives are “Fit for Purpose.” • Help organizations prioritize areas for improvement and lead them towards business excellence. • Enables effective comparison across other organizations in the applicable sector. • Focused on the strategic & operational business benefits as well as effective partnership relationships. • Based upon the Plan, Do, Check, Act (PDCA) approach and the controls outlined in the Cloud Controls Matrix (CCM) • Enables the auditor to assess a company’s performance, on long-term sustainability and risks, in addition to ensuring they are SLA driven, allowing senior management to quantify and measure improvement year on year. 22 Copyright © 2013 Cloud Security Alliance
The Cloud Security Alliance’s STAR Certification • The concept of the scheme is to use to the ISO/IEC 27001:2005 certification integrated with the CSA Cloud Control Matrix (CCM) as additional or compensating controls as applicable and the organisation’s own internal requirements or specifications to assess how advanced their systems are. • The scheme will be compliant with ISO 17021 and ISO 27006. • Will be open to all 3rd party Certified Bodies (CB) • Will be an additional scheme to the CB organisations internal ISO 27001 scheme requirements. It is not meant to be a replacement. 23 Copyright © 2013 Cloud Security Alliance
PDCA Model for an ISMS 24 Copyright © 2013 Cloud Security Alliance
STAR Certification 25 Copyright © 2013 Cloud Security Alliance
STAR Certification: the role of CCM • The CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. • The Cloud Controls Matrix is meant to be integrated into the assessment by the auditor, referencing the applicable CCM control to the associated ISO 27001 controls (SOA) The output will be the result of the overall performance of the organization within the scope of certification. 26 Copyright © 2013 Cloud Security Alliance
Benefits of STAR Certification Sales and Marketing Benefits: • Added to the current management system. • A ISO 27001 certification plus a STAR certificate as evidence of both compliance and performance to both suppliers, customers and other interested parties. • The ability to benchmark your organization’s performance and gauge your improvement from year to year. • An independently validated report from an external Certified Body (CB) body which can be used to demonstrate an organisation’s progress & performance levels. • Exclusive to the STAR Registry. 27 Copyright © 2013 Cloud Security Alliance
Benefits of STAR Certification Strategic Benefits: • A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organisation. • A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the results and measurements of assessments are both relevant and necessary in helping organisations manage their business. • A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organisations performance to enabling senior management to the identify action areas needed. • A set of improvement targets to encourage an organisation to move beyond compliance toward continued improvement. 28 Copyright © 2013 Cloud Security Alliance
Benefits of STAR Certification Operational Benefits: • Scalable to organisations of all sizes. Provides information that allows you to know where they are now and measure any improvements, internally benchmark their sites and potentially externally benchmark their supply chain to stimulate healthy competition. • A visual representation of the status of a business and instantly highlights where the strengths, weaknesses, allowing clients to maximize resources, improve operational efficiencies and reduce costs • Independent reassurance to prove to senior management where the risks, threats, opportunities lie within a business 29 Copyright © 2013 Cloud Security Alliance
OCF Level 2: 30 Copyright © 2013 Cloud Security Alliance Attestation
What is STAR Attestation? Star Attestation (through the type 2 SOC attestation examination) helps companies meet the assessment and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix (CCM). This assessment: • Is based on a mature attest standard • Allows for immediate adoption of the CCM as additional criteria and the flexibility to update the criteria as technology and market requirements change • Does not require the use of any criteria that were not designed for, or readily accepted by cloud providers • Provides for robust reporting on the service provider’s description of its system, and on the service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance 31 Copyright © 2013 Cloud Security Alliance
AICPA SOC Reporting Options 32 Copyright © 2013 Cloud Security Alliance
STAR Attestation • SOC 2SM Report • If the report will be used by customers and/or stakeholders to gain confidence and place trust in a service organisation’s system: • Need to understand the details of processing and controls at your organisation, the tests performed & results of those tests? 33 Copyright © 2013 Cloud Security Alliance
SOC 2 (AT 101): Key strengths • AT 101 is a mature attest standard (it serves as the standard for SOC 2 and SOC 3 reporting ) • Provides for robust reporting on the service provider’s description of its system, and on the service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance • Evaluation over a period of time rather than a point in time • Recognition with an AICPA Logo 34 Copyright © 2013 Cloud Security Alliance
Contact Help Us Secure Cloud Computing: • www.cloudsecurityalliance.org • https://chapters.cloudsecurityalliance.org/australia/ • http://www.linkedin.com/groups?gid=3966724 • Archie Reed archer@hp.com • David Ross David_Ross@bridgepoint.com.au 35 Copyright © 2013 Cloud Security Alliance
Thank You 36

Recomendados

The CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & AttestationThe CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & AttestationSchellman & Company
 
CSA STAR Program
CSA STAR ProgramCSA STAR Program
CSA STAR ProgramSchellman & Company
 
Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1Schellman & Company
 
PA-DSS and Application Penetration Testing
PA-DSS and Application Penetration TestingPA-DSS and Application Penetration Testing
PA-DSS and Application Penetration TestingSchellman & Company
 
SOC Certification Runbook Template
SOC Certification Runbook TemplateSOC Certification Runbook Template
SOC Certification Runbook TemplateMark S. Mahre
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)Tuan Phan
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTuan Phan
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherEnergySec
 

Recomendados

The CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & AttestationThe CSA STAR Program: Certification & Attestation
The CSA STAR Program: Certification & AttestationSchellman & Company
 
CSA STAR Program
CSA STAR ProgramCSA STAR Program
CSA STAR ProgramSchellman & Company
 
Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1Everything You Need To Know About SOC 1
Everything You Need To Know About SOC 1Schellman & Company
 
PA-DSS and Application Penetration Testing
PA-DSS and Application Penetration TestingPA-DSS and Application Penetration Testing
PA-DSS and Application Penetration TestingSchellman & Company
 
SOC Certification Runbook Template
SOC Certification Runbook TemplateSOC Certification Runbook Template
SOC Certification Runbook TemplateMark S. Mahre
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)Tuan Phan
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTuan Phan
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherEnergySec
 
Utility Cybersecurity Compliance Capabilities
Utility Cybersecurity Compliance CapabilitiesUtility Cybersecurity Compliance Capabilities
Utility Cybersecurity Compliance CapabilitiesBooz Allen Hamilton
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTri Phan
 
Presentation to MHF Regulator on RiskView Risk Management Solutions
Presentation to MHF Regulator on RiskView Risk Management SolutionsPresentation to MHF Regulator on RiskView Risk Management Solutions
Presentation to MHF Regulator on RiskView Risk Management SolutionsPeter Lacey
 
Layer 7: Automated SOA Policy Enforcement
Layer 7: Automated SOA Policy EnforcementLayer 7: Automated SOA Policy Enforcement
Layer 7: Automated SOA Policy EnforcementCA API Management
 
Spur Infrastructure Performance With Proactive IT Monitoring
Spur Infrastructure Performance With Proactive IT MonitoringSpur Infrastructure Performance With Proactive IT Monitoring
Spur Infrastructure Performance With Proactive IT MonitoringCA Technologies
 
Acfe williamsburg 2013 jmk
Acfe williamsburg 2013 jmkAcfe williamsburg 2013 jmk
Acfe williamsburg 2013 jmkJim Kaplan CIA CFE
 
Efficient Document Control is Essential to Positive Audit Outcomes
Efficient Document Control is Essential to Positive Audit Outcomes Efficient Document Control is Essential to Positive Audit Outcomes
Efficient Document Control is Essential to Positive Audit Outcomes Veeva Systems
 
SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0Maganathin Veeraragaloo
 
SOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSchellman & Company
 
Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentArmor
 
Using IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
Using IP Cameras and Advanced Analytics to help Protect Critical InfrastructureUsing IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
Using IP Cameras and Advanced Analytics to help Protect Critical InfrastructureEnergySec
 
How Can You Obtain Assurance around Financial Information Posted on a Website?
How Can You Obtain Assurance around Financial Information Posted on a Website?How Can You Obtain Assurance around Financial Information Posted on a Website?
How Can You Obtain Assurance around Financial Information Posted on a Website?Tia Tes
 
Beijaflore inc. white paper IT compliance program v1.0
Beijaflore inc. white paper IT compliance program v1.0Beijaflore inc. white paper IT compliance program v1.0
Beijaflore inc. white paper IT compliance program v1.0Maxime de Jabrun
 
G6 independent certification for CSP v3
G6 independent certification for CSP v3G6 independent certification for CSP v3
G6 independent certification for CSP v3Ummey Humayra
 
20141203 akjk
20141203 akjk20141203 akjk
20141203 akjkJim Kaplan CIA CFE
 
Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act
Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act
Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act easy2comply
 
Chetan Siddaramu_Jun 2016
Chetan Siddaramu_Jun 2016Chetan Siddaramu_Jun 2016
Chetan Siddaramu_Jun 2016Chetan Siddaramu
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementEnergySec
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7
 
collateral_datasheet_sungard
collateral_datasheet_sungardcollateral_datasheet_sungard
collateral_datasheet_sungardCheryl Goldberg
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDEryk Budi Pratama
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...Alan Yau Ti Dun
 

Más contenido relacionado

La actualidad más candente

Utility Cybersecurity Compliance Capabilities
Utility Cybersecurity Compliance CapabilitiesUtility Cybersecurity Compliance Capabilities
Utility Cybersecurity Compliance CapabilitiesBooz Allen Hamilton
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTri Phan
 
Presentation to MHF Regulator on RiskView Risk Management Solutions
Presentation to MHF Regulator on RiskView Risk Management SolutionsPresentation to MHF Regulator on RiskView Risk Management Solutions
Presentation to MHF Regulator on RiskView Risk Management SolutionsPeter Lacey
 
Layer 7: Automated SOA Policy Enforcement
Layer 7: Automated SOA Policy EnforcementLayer 7: Automated SOA Policy Enforcement
Layer 7: Automated SOA Policy EnforcementCA API Management
 
Spur Infrastructure Performance With Proactive IT Monitoring
Spur Infrastructure Performance With Proactive IT MonitoringSpur Infrastructure Performance With Proactive IT Monitoring
Spur Infrastructure Performance With Proactive IT MonitoringCA Technologies
 
Efficient Document Control is Essential to Positive Audit Outcomes
Efficient Document Control is Essential to Positive Audit Outcomes Efficient Document Control is Essential to Positive Audit Outcomes
Efficient Document Control is Essential to Positive Audit Outcomes Veeva Systems
 
SOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSchellman & Company
 
Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentArmor
 
Using IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
Using IP Cameras and Advanced Analytics to help Protect Critical InfrastructureUsing IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
Using IP Cameras and Advanced Analytics to help Protect Critical InfrastructureEnergySec
 
How Can You Obtain Assurance around Financial Information Posted on a Website?
How Can You Obtain Assurance around Financial Information Posted on a Website?How Can You Obtain Assurance around Financial Information Posted on a Website?
How Can You Obtain Assurance around Financial Information Posted on a Website?Tia Tes
 
Beijaflore inc. white paper IT compliance program v1.0
Beijaflore inc. white paper IT compliance program v1.0Beijaflore inc. white paper IT compliance program v1.0
Beijaflore inc. white paper IT compliance program v1.0Maxime de Jabrun
 
G6 independent certification for CSP v3
G6 independent certification for CSP v3G6 independent certification for CSP v3
G6 independent certification for CSP v3Ummey Humayra
 
Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act
Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act
Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act easy2comply
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementEnergySec
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7
 
collateral_datasheet_sungard
collateral_datasheet_sungardcollateral_datasheet_sungard
collateral_datasheet_sungardCheryl Goldberg
 

La actualidad más candente (20)

Utility Cybersecurity Compliance Capabilities
Utility Cybersecurity Compliance CapabilitiesUtility Cybersecurity Compliance Capabilities
Utility Cybersecurity Compliance Capabilities
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
Presentation to MHF Regulator on RiskView Risk Management Solutions
Presentation to MHF Regulator on RiskView Risk Management SolutionsPresentation to MHF Regulator on RiskView Risk Management Solutions
Presentation to MHF Regulator on RiskView Risk Management Solutions
 
Layer 7: Automated SOA Policy Enforcement
Layer 7: Automated SOA Policy EnforcementLayer 7: Automated SOA Policy Enforcement
Layer 7: Automated SOA Policy Enforcement
 
Spur Infrastructure Performance With Proactive IT Monitoring
Spur Infrastructure Performance With Proactive IT MonitoringSpur Infrastructure Performance With Proactive IT Monitoring
Spur Infrastructure Performance With Proactive IT Monitoring
 
Acfe williamsburg 2013 jmk
Acfe williamsburg 2013 jmkAcfe williamsburg 2013 jmk
Acfe williamsburg 2013 jmk
 
Efficient Document Control is Essential to Positive Audit Outcomes
Efficient Document Control is Essential to Positive Audit Outcomes Efficient Document Control is Essential to Positive Audit Outcomes
Efficient Document Control is Essential to Positive Audit Outcomes
 
SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0
 
SOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSOC 2: Build Trust and Confidence
SOC 2: Build Trust and Confidence
 
Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data Envirnment
 
Using IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
Using IP Cameras and Advanced Analytics to help Protect Critical InfrastructureUsing IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
Using IP Cameras and Advanced Analytics to help Protect Critical Infrastructure
 
How Can You Obtain Assurance around Financial Information Posted on a Website?
How Can You Obtain Assurance around Financial Information Posted on a Website?How Can You Obtain Assurance around Financial Information Posted on a Website?
How Can You Obtain Assurance around Financial Information Posted on a Website?
 
Beijaflore inc. white paper IT compliance program v1.0
Beijaflore inc. white paper IT compliance program v1.0Beijaflore inc. white paper IT compliance program v1.0
Beijaflore inc. white paper IT compliance program v1.0
 
G6 independent certification for CSP v3
G6 independent certification for CSP v3G6 independent certification for CSP v3
G6 independent certification for CSP v3
 
20141203 akjk
20141203 akjk20141203 akjk
20141203 akjk
 
Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act
Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act
Foreign Corrupt Practices Act of 1977 UK Anti-Bribery Act
 
Chetan Siddaramu_Jun 2016
Chetan Siddaramu_Jun 2016Chetan Siddaramu_Jun 2016
Chetan Siddaramu_Jun 2016
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance Guide
 
collateral_datasheet_sungard
collateral_datasheet_sungardcollateral_datasheet_sungard
collateral_datasheet_sungard
 

Similar a CSA Introduction 2013 David Ross

The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDEryk Budi Pratama
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...Alan Yau Ti Dun
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudCognizant
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...SafeNet
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 
2014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v012014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v01promediakw
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Overcoming Operational & Financial Barriers to Cloud
Overcoming Operational & Financial Barriers to CloudOvercoming Operational & Financial Barriers to Cloud
Overcoming Operational & Financial Barriers to CloudTrustmarque
 
Becomming a cloud governance ninja linthicum interop fall 2013
Becomming a cloud governance ninja linthicum interop fall 2013Becomming a cloud governance ninja linthicum interop fall 2013
Becomming a cloud governance ninja linthicum interop fall 2013David Linthicum
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Cloud Standards Customer Council
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Cloud is not an option, but is security?
Cloud is not an option, but is security?Cloud is not an option, but is security?
Cloud is not an option, but is security?Jody Keyser
 

Similar a CSA Introduction 2013 David Ross (20)

The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overview
 
Does cloud technology belong at your law firm?
Does cloud technology belong at your law firm?Does cloud technology belong at your law firm?
Does cloud technology belong at your law firm?
 
Cloud Security.ppt
Cloud Security.pptCloud Security.ppt
Cloud Security.ppt
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...A Question of Trust: How Service Providers Can Attract More Customers by Deli...
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
 
2014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v012014 2nd me cloud conference trust in the cloud v01
2014 2nd me cloud conference trust in the cloud v01
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
Public Cloud Service Agreements: What to Expect and What to Negotiate V2.0
 
Overcoming Operational & Financial Barriers to Cloud
Overcoming Operational & Financial Barriers to CloudOvercoming Operational & Financial Barriers to Cloud
Overcoming Operational & Financial Barriers to Cloud
 
3.pptx
3.pptx3.pptx
3.pptx
 
Becomming a cloud governance ninja linthicum interop fall 2013
Becomming a cloud governance ninja linthicum interop fall 2013Becomming a cloud governance ninja linthicum interop fall 2013
Becomming a cloud governance ninja linthicum interop fall 2013
 
cloud Resilience
cloud Resilience cloud Resilience
cloud Resilience
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
 
Cloud is not an option, but is security?
Cloud is not an option, but is security?Cloud is not an option, but is security?
Cloud is not an option, but is security?
 

Más de Graeme Wood

TechCatalyst free assessment
TechCatalyst free assessment TechCatalyst free assessment
TechCatalyst free assessment Graeme Wood
 
TechCatalyst Corporate Overview
TechCatalyst Corporate Overview TechCatalyst Corporate Overview
TechCatalyst Corporate Overview Graeme Wood
 
How does semantic technology work?
How does semantic technology work? How does semantic technology work?
How does semantic technology work? Graeme Wood
 
AI and the Financial Service Segment
AI and the Financial Service SegmentAI and the Financial Service Segment
AI and the Financial Service SegmentGraeme Wood
 
Ai and Legal Industy - Executive Overview
Ai and Legal Industy - Executive OverviewAi and Legal Industy - Executive Overview
Ai and Legal Industy - Executive OverviewGraeme Wood
 
Semantic Computing Executive Briefing
Semantic Computing Executive Briefing Semantic Computing Executive Briefing
Semantic Computing Executive Briefing Graeme Wood
 
Introduction to Semantic Computing
Introduction to Semantic ComputingIntroduction to Semantic Computing
Introduction to Semantic ComputingGraeme Wood
 
AIIA_DataAnalytics_Project_External_20160721
AIIA_DataAnalytics_Project_External_20160721AIIA_DataAnalytics_Project_External_20160721
AIIA_DataAnalytics_Project_External_20160721Graeme Wood
 
Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...
Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...
Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...Graeme Wood
 
Raimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksRaimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksGraeme Wood
 
andrew milroy - top security trends and takeaways for 2013
andrew milroy - top security trends and takeaways for 2013andrew milroy - top security trends and takeaways for 2013
andrew milroy - top security trends and takeaways for 2013Graeme Wood
 
Anz campaign creative 11 sept 2010
Anz campaign creative 11 sept 2010Anz campaign creative 11 sept 2010
Anz campaign creative 11 sept 2010Graeme Wood
 
Anz cloud thought leadership 16 mar
Anz cloud thought leadership 16 marAnz cloud thought leadership 16 mar
Anz cloud thought leadership 16 marGraeme Wood
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroGraeme Wood
 
Trend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning PresentationTrend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning PresentationGraeme Wood
 

Más de Graeme Wood (15)

TechCatalyst free assessment
TechCatalyst free assessment TechCatalyst free assessment
TechCatalyst free assessment
 
TechCatalyst Corporate Overview
TechCatalyst Corporate Overview TechCatalyst Corporate Overview
TechCatalyst Corporate Overview
 
How does semantic technology work?
How does semantic technology work? How does semantic technology work?
How does semantic technology work?
 
AI and the Financial Service Segment
AI and the Financial Service SegmentAI and the Financial Service Segment
AI and the Financial Service Segment
 
Ai and Legal Industy - Executive Overview
Ai and Legal Industy - Executive OverviewAi and Legal Industy - Executive Overview
Ai and Legal Industy - Executive Overview
 
Semantic Computing Executive Briefing
Semantic Computing Executive Briefing Semantic Computing Executive Briefing
Semantic Computing Executive Briefing
 
Introduction to Semantic Computing
Introduction to Semantic ComputingIntroduction to Semantic Computing
Introduction to Semantic Computing
 
AIIA_DataAnalytics_Project_External_20160721
AIIA_DataAnalytics_Project_External_20160721AIIA_DataAnalytics_Project_External_20160721
AIIA_DataAnalytics_Project_External_20160721
 
Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...
Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...
Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...
 
Raimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacksRaimund genes from traditional malware to targeted attacks
Raimund genes from traditional malware to targeted attacks
 
andrew milroy - top security trends and takeaways for 2013
andrew milroy - top security trends and takeaways for 2013andrew milroy - top security trends and takeaways for 2013
andrew milroy - top security trends and takeaways for 2013
 
Anz campaign creative 11 sept 2010
Anz campaign creative 11 sept 2010Anz campaign creative 11 sept 2010
Anz campaign creative 11 sept 2010
 
Anz cloud thought leadership 16 mar
Anz cloud thought leadership 16 marAnz cloud thought leadership 16 mar
Anz cloud thought leadership 16 mar
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend Micro
 
Trend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning PresentationTrend Micro VForum Agentless Scanning Presentation
Trend Micro VForum Agentless Scanning Presentation
 

Último

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Último (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

CSA Introduction 2013 David Ross

  • 1. Compliance in the Public Cloud and the Cloud Security Alliance's Open Certification Framework Dr David Ross CISO, Bridge Point Communications Founding Director, Cloud Security Alliance Australia Chapter
  • 2. • Security issues encountered with cloud services • Trust Issues • Governance, Compliance, Control, Assurance and Certification • Open Certification Framework – STAR Certification – STAR Attestation 2 A collaboration of a number of security experts from the Cloud Security Alliance in Australia
  • 3. Security issues encountered with cloud services • #1 The Cloud Consumer assumes the Cloud Service is “secure” without understanding the contract. – Real Example: Cloud Service includes “automatic backup service that copies customer data to an external backup service, providing a further level of security to customer data … stored for 3 months after being made … can be extended to up to 7 years if required” • Perfectly legitimate, but there are 2 meanings for “secure” here – By default, the backup is overwritten after 3 months … no restores over 3 months old! – The backups go to a third party … with whom you have no contract for handling your data! – The backups are … NOT encrypted! 3 Copyright © 2013 Bridge Point Communications
  • 4. Security issues encountered with cloud services • #2 Insecure management or administration interfaces – Real Example: Cloud Service uses insecure, clear-text protocol (HTTP) for remote administration logins. – The username and password are transmitted in clear-text and may be intercepted by a network sniffer, relay, server logs, proxy or firewall logs, or a man-in-the-middle attack to provide credentials for a subsequent attack. 4 Copyright © 2013 Bridge Point Communications
  • 5. Security issues encountered with cloud services • #3 No separation of duties, detection of abuse, or escalation of privilege – Real Example: Cloud Service Systems Administrator has access to all layers, from Application down to Physical hardware. – The entire security of the Cloud Consumers’ data relies on the integrity and expertise of a single person with no checks or balances to prevent malicious or accidental compromise of security controls. The Systems Administrator can do anything with the hosts, networks, and storage … including the audit trails that detail just what has been done. 5 Copyright © 2013 Bridge Point Communications
  • 6. Issues particular to cloud services in the GRC space • #4 Weak, vague, or one-sided SLAs and contracts – Real Example: “The following list presents an overview of some of the audits and assessments that the” Cloud Service “undergoes on a regular basis”... – The Cloud Service did indeed undergo regular audits … but only held certifications for two of the five in their list in that year. – Difference between ‘undergo audits’ and ‘meet requirements’. – Require certification 6 Copyright © 2013 Bridge Point Communications
  • 7. Impacts on the typical IT governance model • Require a trust relationship with the Cloud Service Provider • Require indirect administrative and contractual controls over the CSP in place of the direct controls over in-house infrastructure and personnel • Require transparency and assurance of the CSP operations • Therefore -> Require independent verification of CSP assertions 7 Copyright © 2013 Bridge Point Communications
  • 8. What are the Trust Issues? 8 Copyright © 2013 Bridge Point Communications ( I just ordered this from zazzle.com.au )
  • 9. What are the Trust Issues? • Will the CSP be transparent about governance and operational issues? • Will the user be considered compliant? • Does the user know what legislation applies? • Will a lack of standards drive unexpected obsolescence? • Is cloud really better at security than traditional IT solution? 9 Copyright © 2013 Cloud Security Alliance
  • 10. A new Governance Model • Users need to understand the shift in the balance of responsibility and accountability for key functions such as governance and control over data and IT operations, ensuring compliance with laws and regulations. • Cloud computing requires a new model for assessing organisational risks related to security and resilience. 10 Copyright © 2013 Cloud Security Alliance
  • 11. Assurance • Consumers do not have simple, cost effective ways to evaluate and compare their providers’ resilience, data protection capabilities and service portability. 11 Copyright © 2013 Cloud Security Alliance
  • 12. Certification Challenges • Provide a globally relevant certification to reduce duplication of efforts • Address localised, national-state and regional compliance needs • Address industry specific requirements • Address different assurance requirements • Address “certification staleness” – assure provider is still secure after “point in time” certification • Do all of the above while recognising the dynamic and fast changing world that is cloud 12 Copyright © 2013 Cloud Security Alliance
  • 13. Certification Challenges This gap of trust mainly lies down in the difficulties of cloud users in addressing fundamental assurance issues with cloud providers, such as: • Understanding legal compliance and contractual liabilities, • Defining and allocating responsibilities • Enforcing accountability • Translating requirements into cloud language/controls/checks • Identifying means for an ex-ante analysis assessment of cloud services and for a • Continuous monitoring of cloud service contract execution 13 Copyright © 2013 Cloud Security Alliance
  • 14. How do we build Trust and Transparency? • The Cloud Security Alliance’s Open Certification Framework for cloud services 14 Copyright © 2013 Cloud Security Alliance
  • 15. The Cloud Security Alliance’s Open Certification Framework • Daniele Catteddu, CSA Managing Director EMEA • Open Certification Framework for cloud services • Announced 9May2012 Frankfurt (DE),detail 20Aug2012 Edinburgh (UK) 15 Copyright © 2013 Cloud Security Alliance
  • 16. The Cloud Security Alliance (CSA) • Global, not-for-profit organisation • Over 40,000 individual members, more than 160 corporate members, over 60 chapters • Building best practices and a trusted cloud ecosystem • Agile philosophy, rapid development of applied research 16 Copyright © 2013 Cloud Security Alliance The Cloud Security Alliance – not-for-profitorganisation with a mission… “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
  • 17. Open Certification Framework Vision Statement • The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. • The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives. • The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost. ~Jim Reavis & Daniele Catteddu; CSA~ 17 Copyright © 2013 Cloud Security Alliance
  • 18. OCF: The structure • The open certification framework is structured on 3 LEVELs of TRUST, each one of them providing an incremental level of visibility and transparency into the operations of the Cloud Service Provider and a higher level of assurance to the Cloud consumer. 18 Copyright © 2013 Cloud Security Alliance
  • 19. OCF Governance 19 Copyright © 2013 Cloud Security Alliance
  • 20. OCF Level 1: CSA STAR Registry • CSA STAR (Security, Trust and Assurance Registry) • Public Registry of Cloud Provider self assessments • Based on Consensus Assessments Initiative Questionnaire • Provider may substitute documented Cloud Controls Matrix compliance • Voluntary industry action promoting transparency • Free market competition to provide quality assessments • Provider may elect to provide assessments from third parties • Available since October 2011 20 Copyright © 2013 Cloud Security Alliance
  • 21. OCF Level 2: 21 Copyright © 2013 Cloud Security Alliance Certification
  • 22. What is STAR Certification? • Continuous monitoring of cloud service contract execution • STAR CERTIFICATION evaluates the efficiency of an organization’s ISMS and ensures the scope, processes and objectives are “Fit for Purpose.” • Help organizations prioritize areas for improvement and lead them towards business excellence. • Enables effective comparison across other organizations in the applicable sector. • Focused on the strategic & operational business benefits as well as effective partnership relationships. • Based upon the Plan, Do, Check, Act (PDCA) approach and the controls outlined in the Cloud Controls Matrix (CCM) • Enables the auditor to assess a company’s performance, on long-term sustainability and risks, in addition to ensuring they are SLA driven, allowing senior management to quantify and measure improvement year on year. 22 Copyright © 2013 Cloud Security Alliance
  • 23. The Cloud Security Alliance’s STAR Certification • The concept of the scheme is to use to the ISO/IEC 27001:2005 certification integrated with the CSA Cloud Control Matrix (CCM) as additional or compensating controls as applicable and the organisation’s own internal requirements or specifications to assess how advanced their systems are. • The scheme will be compliant with ISO 17021 and ISO 27006. • Will be open to all 3rd party Certified Bodies (CB) • Will be an additional scheme to the CB organisations internal ISO 27001 scheme requirements. It is not meant to be a replacement. 23 Copyright © 2013 Cloud Security Alliance
  • 24. PDCA Model for an ISMS 24 Copyright © 2013 Cloud Security Alliance
  • 25. STAR Certification 25 Copyright © 2013 Cloud Security Alliance
  • 26. STAR Certification: the role of CCM • The CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. • The Cloud Controls Matrix is meant to be integrated into the assessment by the auditor, referencing the applicable CCM control to the associated ISO 27001 controls (SOA) The output will be the result of the overall performance of the organization within the scope of certification. 26 Copyright © 2013 Cloud Security Alliance
  • 27. Benefits of STAR Certification Sales and Marketing Benefits: • Added to the current management system. • A ISO 27001 certification plus a STAR certificate as evidence of both compliance and performance to both suppliers, customers and other interested parties. • The ability to benchmark your organization’s performance and gauge your improvement from year to year. • An independently validated report from an external Certified Body (CB) body which can be used to demonstrate an organisation’s progress & performance levels. • Exclusive to the STAR Registry. 27 Copyright © 2013 Cloud Security Alliance
  • 28. Benefits of STAR Certification Strategic Benefits: • A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organisation. • A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the results and measurements of assessments are both relevant and necessary in helping organisations manage their business. • A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organisations performance to enabling senior management to the identify action areas needed. • A set of improvement targets to encourage an organisation to move beyond compliance toward continued improvement. 28 Copyright © 2013 Cloud Security Alliance
  • 29. Benefits of STAR Certification Operational Benefits: • Scalable to organisations of all sizes. Provides information that allows you to know where they are now and measure any improvements, internally benchmark their sites and potentially externally benchmark their supply chain to stimulate healthy competition. • A visual representation of the status of a business and instantly highlights where the strengths, weaknesses, allowing clients to maximize resources, improve operational efficiencies and reduce costs • Independent reassurance to prove to senior management where the risks, threats, opportunities lie within a business 29 Copyright © 2013 Cloud Security Alliance
  • 30. OCF Level 2: 30 Copyright © 2013 Cloud Security Alliance Attestation
  • 31. What is STAR Attestation? Star Attestation (through the type 2 SOC attestation examination) helps companies meet the assessment and reporting needs of the majority of users of cloud services, when the criteria for the engagement are supplemented by the criteria in the CSA Cloud Controls Matrix (CCM). This assessment: • Is based on a mature attest standard • Allows for immediate adoption of the CCM as additional criteria and the flexibility to update the criteria as technology and market requirements change • Does not require the use of any criteria that were not designed for, or readily accepted by cloud providers • Provides for robust reporting on the service provider’s description of its system, and on the service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance 31 Copyright © 2013 Cloud Security Alliance
  • 32. AICPA SOC Reporting Options 32 Copyright © 2013 Cloud Security Alliance
  • 33. STAR Attestation • SOC 2SM Report • If the report will be used by customers and/or stakeholders to gain confidence and place trust in a service organisation’s system: • Need to understand the details of processing and controls at your organisation, the tests performed & results of those tests? 33 Copyright © 2013 Cloud Security Alliance
  • 34. SOC 2 (AT 101): Key strengths • AT 101 is a mature attest standard (it serves as the standard for SOC 2 and SOC 3 reporting ) • Provides for robust reporting on the service provider’s description of its system, and on the service provider’s controls, including a description of the service auditor’s tests of controls in a format very similar to the now obsolete SAS 70 reporting format, and current SSAE 16 (SOC 1) reporting, thereby facilitating market acceptance • Evaluation over a period of time rather than a point in time • Recognition with an AICPA Logo 34 Copyright © 2013 Cloud Security Alliance
  • 35. Contact Help Us Secure Cloud Computing: • www.cloudsecurityalliance.org • https://chapters.cloudsecurityalliance.org/australia/ • http://www.linkedin.com/groups?gid=3966724 • Archie Reed archer@hp.com • David Ross David_Ross@bridgepoint.com.au 35 Copyright © 2013 Cloud Security Alliance