The Global Mandate to Secure Cloud Computing


Challenges in APAC that Influence Cloud Adoption by Mr. Aloysius Cheang, Managing Director APAC, Cloud Security Alliance (CSA)


  • www.cloudsecurityalliance.org, Copyright 2013 Cloud Security Alliance

    A view from the Cloud Security Alliance peephole

  •

    Cloud

    One million new mobile devices, each day!

    Social Networking

    Digital Natives

  •

    State Sponsored Cyberattacks?

    Organized Crime?

    Legal Jurisdiction & Data Sovereignty?

    Global Security Standards?

    Privacy Protection for Citizens?

    Transparency & Visibility from Cloud Providers?

  •

    Shift the balance of power to consumers of IT

    Enable innovation to solve difficult problems of humanity

    Give the individual the tools to control their digital destiny

    Do this by creating confidence, trust and transparency in IT systems

    Security is not overhead, it is the enabler

  •

    Global, not-for-profit organization, founded 2009

    Geographically divided into Americas, EMEA and APAC regions to meet strategic objectives

    Member-driven organization with 200 corporate members and over 48,000 individual members in 64 chapters worldwide

    Established with the aim of bringing trust to the cloud

    Develop a global trusted cloud ecosystem

    Building best practices and standards for next-gen IT

    Grounded in an agile philosophy, rapid development of applied research that supports all activities

  •

    Corporate HQ is established in Singapore, anchored by:

      Global CSA Research Centre

      Global Standards Secretariat

      CCSK Global Centre of Excellence

    Secondary hub is established in Hong Kong, anchored by:

      CloudCERT APAC Operational Base

    Both locations also serve as the APAC business centre, a regional hub and operations magnet for our members

    Satellite hubs subsequently established in Thailand, Taiwan and New Zealand

  •

    CSA research is organized under a framework based on the CSA Security Guidance for Critical Areas of Focus in Cloud Computing

    Total of 14 domains organised under 3 key areas of focus: Architecture, Governance and Operational Security

  •

    Our research includes fundamental projects needed to define and implement trust within the future of information technology

    CSA continues to be aggressive in producing critical research, education and tools

    Sponsorship opportunities

    Selected research projects in following slides

  •

    GRC Stack: family of 4 research projects

    Cloud Controls Matrix (CCM)

    Consensus Assessments Initiative (CAI)

    CloudAudit

    Cloud Trust Protocol (CTP)

    Impact to the Industry: developed tools for governance, risk and compliance management in the cloud

    Technical pilots

    Provider certification through STAR program

    Control Requirements

    Provider Assertions

    Private, Community & Public Clouds

  •

    Previously known as Trusted Cloud Initiative

    Security reference architecture for cloud

    Architecture in use by early adopters of cloud in the Global 2000

    Cloud brokering

    To do:

    Management tools

    Technical implementation guides

    Documented case studies & use cases

    https://cloudsecurityalliance.org/research/architecture/

  •

    1. Data Breaches

    2. Data Loss

    3. Account Hijacking

    4. Insecure APIs

    5. Denial of Service

    6. Malicious Insiders

    7. Abuse of Cloud Services

    8. Insufficient Due Diligence

    9. Shared Technology Issues

    https://cloudsecurityalliance.org/research/top-threats/

  •

    1. Data loss from lost, stolen or decommissioned devices.

    2. Information-stealing mobile malware.

    3. Data loss and data leakage through poorly written third-party apps.

    4. Vulnerabilities within devices, OS, design and third-party applications.

    5. Unsecured WiFi, network access and rogue access points.

    6. Unsecured or rogue marketplaces.

    7. Insufficient management tools, capabilities and access to APIs (includes personas).

    8. NFC and proximity-based hacking.

  •

    Security as a Service

    Research for gaining a greater understanding of how to deliver security solutions via cloud models.

    Information Security Industry Re-invented

    Identify Ten Categories within SecaaS

    Implementation Guidance for each SecaaS Category

    Align with international standards and other CSA research

    Industry Impact: defined 10 Categories of Service and developed Domain 14 of CSA Guidance V.3

  •

    Mobile

    Securing application stores and other public entities deploying software to mobile devices

    Analysis of mobile security capabilities and features of key mobile operating systems

    Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives

    Guidelines for the mobile device security framework and mobile cloud architectures

    Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device

    Best practices for secure mobile application development

  •

    Big Data

    Identifying scalable techniques for data-centric security and privacy problems

    Lead to crystallization of best practices for security and privacy in big data

    Help industry and government on adoption of best practices

    Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards

    Accelerate the adoption of novel research aimed to address security and privacy issues

  •

    Expert-led community resource for global legal issues impacting cloud computing.

    Ask the Expert advice column

    Regular in-person seminars and webcasts

    Expert opinion whitepapers, initial postings:

      Government Access to Data Held by US Cloud Service Providers

      Proposed EU Data Protection Regulation: Implications for Cloud Users

      Article 29 Working Party Opinion on Cloud Computing

    https://cloudsecurityalliance.org/research/clic

  •

    CSA Working Group based in Europe

    Define baselines for compliance with data protection legislation via a Privacy Level Agreement mechanism

    A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP.

    A tool to assess the level of a CSP's compliance with data protection legislative requirements and best practices.

    A way to offer contractual protection against possible financial damages due to lack of compliance.

    https://cloudsecurityalliance.org/research/pla/

  •

    Public visibility into Providers:

      Corporate Governance

      Supply Chain

      Information Security Program

      Policies Impacting Customers

    Consumer right to know

    Public will demand better

    "Sunlight is the best disinfectant", U.S. Supreme Court Justice Louis Brandeis


  •

    The CSA Open Certification Framework (OCF) is an industry initiative to allow global, accredited, trusted certification of cloud providers.

    The CSA Open Certification Framework is a program for flexible, incremental and multi-layered certification

    Based on CSA best practices

    Integrating with popular third-party assessment and attestation statements, initially ISO 27001 & AICPA SSAE 16 (SOC 2)

    Project initiative is called OCF, the certification mark is STAR

  •

    Open Certification Framework (figure)

      Level 1: Self Assessment

      Level 2: Attestation | Certification

      Level 3: Continuous

    Vertical axis labels: Transparency, Assurance

  •

    Self Assessment + 3rd Party Assessment + Real time, continuous monitoring

    Clear GRC objectives

  •

    CSA STAR (Security, Trust and Assurance Registry)

    Public Registry of Cloud Provider self assessments

    Based on Consensus Assessments Initiative Questionnaire

    Provider may substitute documented Cloud Controls Matrix compliance

    Voluntary industry action promoting transparency

    Security as a market differentiator

    www.cloudsecurityalliance.org/star

    STAR: Demand it from your providers!

  •

    2 Registered (December 2012)

    22 Registered (February 2013)

  •

    Completion of APAC pilots @ Alibaba and New Taipei City (G-Cloud)

    Target launch for Level 2 certification @ CSA EMEA Congress on Sep 25

    Also announced harmonization of the Singapore Standard (Multi-Tier Cloud Security) certification scheme against CSA's OCF

  •

    The industry's first user certification program for secure cloud computing

    Based on the CSA research framework, specifically the Security Guidance for Critical Areas of Focus in Cloud Computing

    Designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud

  •

    CCSK Basic

    One-day course to enable students to pass the CCSK exam

    CCSK Plus

    Two-day course, includes practical cloud lab work

    CCSK Train-the-Trainer

    Three-day course, includes CCSK Plus

    GRC Stack Training

    Additional one-day course on using the GRC Stack components

    PCI DSS in the Cloud

    Additional one-day course focusing on achieving PCI compliance in cloud computing

    http://cloudsecurityalliance.org/education/training/

  •

    CCSK for IT & Security Architects

    Whitepaper: Security best practices for security architecture in the cloud derived from CSA Domain 1, Trusted Cloud Initiative Reference Architecture model and new materials.

    Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials.

    CCSK for Software Developers

    Whitepaper: Security best practices for software development in the cloud and recommended industry curriculum.

    Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials.

    CCSK for Cloud Auditing/Assurance (GRC Stack)

    Whitepaper: Security best practices for assurance in the cloud derived from CSA Guidance 3 and components of the GRC Stack research projects.

    Courseware: Development of 3 day courseware derived from existing GRC Stack courseware, above whitepaper and other CSA materials.

  •

    Engage international standards bodies on behalf of CSA

    Propose key CSA research for standardization

    Working with national bodies (NBs) and tracking standards development organizations (SDOs)

    A.4 and A.5 liaison relationship with ITU-T

    Category A liaison with ISO/IEC SC27 & SC38

  •

    Industry thought leadership

    Traditional Monday start to RSA Conference

    2011: White House launches Federal Cloud Strategy

    2012: Keynote from Former NSA Director Mike McConnell, announce CSA Mobile

    2013: DHS Undersecretary for Cybersecurity and Presiding Director of Coca Cola Company, James Robinson III

  •

    One day conferences in conjunction with chapters

    Engage with local thought leaders

    Project CSA best practices globally

    2013 Regional Summits (so far):

      16 in Asia Pacific

      4 in Americas

      4 in EMEA

    http://www.csathailand.org

  •

    Only multi-track, multi-day conference focused on cloud security

    Key venue for new research

    Primarily attended by enterprise end users

    2013 CSA Congress Plans:

      CSA Congress APAC, Singapore, May 14-17

      CSA Congress EMEA, Edinburgh, September 24-27

      CSA Congress US, Orlando, December 3-6

  •

    Challenges remain, there will always be insecurity

    Global collaboration, public & private

    Innovation can make policy restrictions obsolete

    Major focus on identity needed

    The Internet of Things is a ticking bomb

    Must solve tomorrow's problems today

    Transparency must be our guide

  •

    Be Pragmatic, Be Agile

    Follow the law, but do not concede to poor interpretations of the law. Defend the spirit of the law forcefully.

    More tools available than you think

    Advocate through procurement

    Waiting is not an option, but don't forget:

      Strategy

      Risk Management

      Cloud-ready Enterprise Architecture

      Be Educated

  •

    For more information on the Cloud Security Alliance, please contact:

    Global/Americas: Jim Reavis [email protected]

    EMEA: Daniele Catteddu [email protected]

    APAC: Aloysius Cheang [email protected]
