CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to the Cloud and CSA Research
Phil Agcaoili
2. Agenda
• Key Trust Issues in the Cloud
• CSA Research Roadmap
• 30 Minutes Later…
All materials were created by the CSA and used by philA.
4. Key Trust Issues in Cloud
• Incomplete standards
• Evolving towards true multi-tenant technologies & architecture, e.g. Identity Brokering
• Risk Concentration
• Incompatible laws across jurisdictions
• Lack of transparency & visibility from providers and government
4 © 2014, Cloud Security Alliance.
7. US Patriot Act
• USA Patriot Act of 2001 (reauthorized in 2006 & 2011)
• Not a new law; a series of amendments to existing laws related to surveillance, investigation and prosecution of terrorism (Foreign Intelligence Surveillance Act)
• Most requests for information follow subpoenas/warrants, but records may be sealed
• Most countries have laws permitting disclosure of user info without user consent related to foreign intelligence and national security
• Not clear if the interpretation of Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA) followed legislative intent
8. Meet philA
Hello, I’m a data guy…
I’m with the Ponemon Institute.
You know, you quote us all of the time:
Annual Cost of Data Breach
Annual Cost of Cybercrime
Annual Most Trusted Companies for Privacy
9. CSA Government Access to Information Survey
• Conducted online from June 25, 2013 to July 9, 2013
• 456 responses
• 234 from United States of America
• 138 from Europe
• 36 from Asia Pacific
• Many long, long open-ended responses
https://cloudsecurityalliance.org/wp-content/uploads/2013/07/CSA-govt-access-survey-July-2013.pdf
10. Using US Cloud Providers
• Survey Question: (For non-US residents only) Does the Snowden Incident make your company more or less likely to use US-based cloud providers? (207 respondents)
• 56% less likely to use US-based cloud providers
• 31% no impact on usage of US-based cloud providers
• 10% cancelled a project to use US-based cloud providers
• 3% more likely to use US-based cloud providers
11. Using US Cloud Providers
• Survey Question: (For US residents only) Does the Snowden Incident make it more difficult for your company to conduct business outside of the US? (220)
• 36% Yes
• 64% No
12. Transparency of Government Access
• Survey Question: (For all respondents) How would you rate your country's processes to obtain user information for the purpose of criminal and terrorist investigations? (440)
• 47% Poor, there is no transparency in the process
• 32% Fair, there is some public information about the process and some instances of its usage
• 11% Unknown, I do not have enough information to make an informed judgment
• 10% Excellent, the process is well documented
13. Opinion of Patriot Act
• Survey Question: (For all respondents) If you have concerns about this recent news, which of the following actions do you think would be the best course to mitigate concerns? (423)
• 41% The Patriot Act should be repealed in its entirety.
• 45% The Patriot Act should be modified to tighten the oversight of permitted activities and to provide greater transparency as to how often it is enacted.
• 13% The Patriot Act is fine as is.
14. Publishing FISA Requests
• Survey Question: (For all respondents) Should companies who have been subpoenaed through provisions of the Patriot Act, such as FISA (Foreign Intelligence Surveillance Act), be able to publish summary information about the amount of responses they have made? (438)
• 91% Yes
• 9% No
15. Balancing Safety and Privacy
“…Living in this kind of democracy, we’re going to have to be a little less effective in order to be a little more transparent to get to do anything to defend the American people.”
Michael Hayden, former Director of CIA and NSA
17. Industry Transparency Example
• User Data requests from law enforcement according to Google
• Jul – Dec 2012, from http://www.google.com/transparencyreport/governmentrequests/
• France: 1,693 requests, responded to 44%
• Germany: 1,550 requests, responded to 42%
• India: 2,431 requests, responded to 66%
• Singapore: 96 requests, responded to 75%
• US: 8,438 requests, responded to 88%
• UK: 1,458 requests, responded to 70%
18. Can Providers be Transparent about National Security Issues?
“…ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.”
David Drummond, Chief Legal Counsel, Google
19. EFF - Who Has Your Back? 2014
20. CSA Transparency Example: STAR
• CSA STAR (Security, Trust and Assurance Registry)
• Public Registry of Cloud Provider self assessments
• Based on CSA best practices (CCM or CAIQ)
• Voluntary industry action promoting transparency
• Security as a market differentiator
• www.cloudsecurityalliance.org/star
• STAR – Demand it from your providers!
21. CSA STAR: Read and Compare
DG 4.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
• Amazon AWS: AWS errs on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis.
• Box.net: Box does have documented procedures for responding to requests for tenant data from governments and third parties.
• SHI: Customer responsibility. SHI has no direct access, so requests for data through third parties will be responded to by the customer themselves; however, SHI can sanitize and delete customer data upon migration from the cloud.
• Verizon/Terremark: Yes
22. What is the Future of Assurance in the Global Compute Utility?
• Traditional Auditing and Certification activities
• Harmonized disparate requirements versus a single global standard
• Example - NIST CSF for cyber security
• Continuous Monitoring
• Community Policing via Transparency
• Privacy emphasis
23. What global dialogue is needed?
• Government
• Do we treat foreigners differently than citizens?
• Aligning with global standards for assurance
• Industry
• Build the technology to make policy moot
• Enterprise
• A time to engage
• Demand accountability from policy makers & providers
• Protect your data and metadata
• For All: Demand Transparency & Minimization Principles
24. I’m not going to keep you much longer
It’s 30 minutes already.
But…
26. CSA Research Portfolio
• Our research includes fundamental projects needed to define and implement trust within the future of information technology
• CSA continues to be aggressive in producing critical research, education and tools
• 30+ Active Global Work Groups
26 © 2013, Cloud Security Alliance.
28. Security Guidance for Critical Areas of Cloud Computing
• The CSA guidance as it enters its third edition seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.
• The Security Guidance V.3 will serve as the gateway to emerging standards being developed in the world’s standards organizations and is designed to serve as an executive-level primer to any organization seeking a secure, stable transition to hosting their business operations in the cloud.
• Research and Activities for 2013 - 2014
• Security Guidance for Critical Areas of Cloud Computing V.4 – Q1 2014 (Planning)
• Publish V.4 – Q4 2014/Q1 2015
29. GRC Stack
• Family of 4 research projects
• Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative (CAI)
• Cloud Audit
• Cloud Trust Protocol (CTP)
Impact to the Industry
• Developed tools for governance, risk and compliance management in the cloud
• Technical pilots
• Provider certification through STAR program
Diagram labels: Control Requirements; Provider Assertions; Private, Community & Public Clouds
30. Cloud Control Matrix Working Group
• The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
• Research and Activities for 2013 – 2014
• CCM V.3 – Q3 2013
• Internet2 Net+ Initiative Mappings (Higher Education) – Q2 2013
• AICPA Trust Service Principles Mapping – Q4 2013
• ENISA Information Assurance Framework Mapping – Q4 2013
• ODCA Mapping – Q4 2013
• German BSI Mapping – Q4 2013
• NZISM Mapping – Q4 2013
• Unified Compliance Framework Mapping – TBD
• Control Area Gap Analysis – Q4 2013
• COBIT 5 Mapping – Q1 2014
• NIST SP 800-53 Rev 4 – Q4 2013
• Slovenian Information Commissioner on Privacy Guidance for Cloud Computing Mapping – Q1 2014
31. Consensus Assessment Initiative
• Lack of security control transparency is a leading inhibitor to the adoption of cloud services. The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.
• We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners.
• Research and Activities for 2013 – 2014
• CAIQ V.3 – Q4 2013
32. Cloud Audit
• The goal of CloudAudit is to provide a common interface and namespace that allows enterprises who are interested in streamlining their audit processes (cloud or otherwise) as well as cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.
• Research and Activities for 2013 – 2014
• Create CCM V.3 Database – Q4 2013
• Automate Change-adds through DB Version of CCM – Q1 2014
• Update Notification Functionality – Q2 2014
33. Cloud Trust Protocol Working Group
• The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as “cloud users” or “cloud service owners”) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, …, and nothing else.
• Research and Activities for 2013 – 2014
• API Interface Definition – Q3 2013
• Prototype – Q4 2013
• Trust Model – Q1 2014
• Pilot – Q2 2014
34. CSA Enterprise Architecture (aka Trusted Cloud Initiative)
• To promote research, development, and education of best practices and methodologies around a reference architecture for a secure and trusted cloud.
• Research and Activities for 2013 – 2014
• Develop a Use-Case for the Network Container, to define more context about Polymorphic Malware Prevention – Q4 2013
• Develop a Use-Case around Behavioral Monitoring – Q4 2013
• KRI and KPI Development for CSA Reference Architecture Interactive Site – Q4 2013
• Case Study Webinars (CloudBytes Sessions) – Q4 2013
35. Top Threats Working Group
• The purpose of this document, Top Threats to Cloud Computing, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to Security Guidance for Critical Areas in Cloud Computing.
• Research and Activities for 2013 – 2014
• Top Threats to Cloud Computing Survey – Q1 2014
• Top Threats to Cloud Computing V.4 – Q2 2014
• Full featured Interact Change Method for Top Threats – Q3 2014
36. Cloud Vulnerabilities Working Group
• The CSA Cloud Vulnerabilities Working Group is a global working group chartered to conduct research in the area of cloud computing vulnerabilities, with the goals of understanding and educating on the classification and exact causes of cloud computing vulnerabilities, recommendations and best practices for the reduction of top vulnerabilities, reporting of vulnerabilities and the development of related tools and standards.
• Research and Activities for 2013 – 2014
• Publish Cloud Vulnerabilities White Paper – Q2 2013
• Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data – Q1 2014
• Creation of a cloud vulnerability feed documentation mechanism/format/protocol – Q2 2014
• Portal established for cloud vulnerability reporting and tools – Q4 2014
37. Security as a Service
• Research for gaining greater understanding for how to deliver security solutions via cloud models.
• Information Security Industry Re-invented
• Identify Ten Categories within SecaaS
• Implementation Guidance for each SecaaS Category
• Align with international standards and other CSA research
• Industry Impact: Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3
38. Security as a Service Working Group
• The purpose of this research will be to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices. Other research purposes will be identified by the working group.
• Research and Activities for 2013 – 2014
• Defined SecaaS Framework (Defined Categories of Service V.2) – Q4 2013
• Implementation Guidance Documents V.2 – Q1 2014 (Start Planning)
39. Smart Mobile
• Mobile
• Securing application stores and other public entities deploying software to mobile devices
• Analysis of mobile security capabilities and features of key mobile operating systems
• Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
• Guidelines for the mobile device security framework and mobile cloud architectures
• Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
• Best practices for secure mobile application development
40. Mobile Working Group
• Mobile computing is experiencing tremendous growth and adoption, while the devices are gaining significant power and dynamic capabilities. Personally owned mobile devices are increasingly being used to access employers’ systems and cloud-hosted data - both via browser-based and native mobile applications. Clouds of mobile devices are likely to be common. The CSA Mobile working group will be responsible for providing fundamental research to help secure mobile endpoint computing from a cloud-centric vantage point.
• Research and Activities for 2013 – 2014
• BYOD Policy Guidance – Q3/Q4 2013
• Mobile Authentication Management – Q3/Q4 2013
• Mobile Application Security Guidance – Q3/Q4 2013
• Mobile Device Management – Q3/Q4 2013
• Mobile Maturity v2 Report – Q4 2013
• Mobile Security Guidance V.2 – Q4 2013
41. Big Data Working Group
• Big Data
• Identifying scalable techniques for data-centric security and privacy problems
• Lead to crystallization of best practices for security and privacy in big data
• Help industry and government on adoption of best practices
• Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards
• Accelerate the adoption of novel research aimed to address security and privacy issues
42. Big Data Working Group
• The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems. BDWG’s investigation is expected to lead to crystallization of best practices for security and privacy in big data, help industry and government on adoption of best practices, establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards, and accelerate the adoption of novel research aimed to address security and privacy issues.
• Research and Activities for 2013 – 2014
• Expanded Top 10 Big Data Security and Privacy Concerns – Q3 2013
• Big Data Analytics for Security Intelligence – Q3 2013
• Big Data Framework and Taxonomy White Paper – Q4 2013
• Big Data Cryptography Report – Q4 2013/Q1 2014
• Big Data Policy and Governance Position Paper - TBD
• Cloud Infrastructures' Attack Surface Analysis and Reduction Position Paper - TBD
43. Cloud Data Governance Working Group
• Cloud Computing marks the decrease in emphasis on 'systems' and the increase in emphasis on 'data'. With this trend, Cloud Computing stakeholders need to be aware of the best practices for governing and operating data and information in the Cloud.
• Research and Activities for 2013 – 2014
• Data Governance across International Borders – Q1 2014
• Data Tracking and Logging Standard – Q2 2014
44. Incident Management & Forensics Working Group
• The Working Group serves as a focal point for the examination of incident handling and forensics in cloud environments. We seek to develop best practices that consider the legal, technical, and procedural elements involved in responding in a forensically sound way to security incidents in the cloud.
• Research and Activities for 2013 – 2014
• Publish “Provider Forensic Support in Public Multi-Tenant Cloud Environments” – Q3 2013
• Developing a capability maturity model (CMM) for IncM and Forensics in Cloud Environments – Q4 2013
• Conduct first workshop on IncM & Forensics Roadmap for the Cloud. The roadmap is intended to standardize forensic techniques in cooperation with cloud providers so that the quality of evidence is assured and defensible.
• Survey of cloud users to determine pain points and variation of techniques and workarounds used by consumers. The goal is to define the problem space more clearly.
• The WG works with CAI and CCM to create a common language and set of expectations around this domain.
45. Virtualization Working Group
• The CSA Virtualization Working Group is chartered to lead research into the combined virtualized operating system and SDN technologies. The group should build upon existing Domain 13 research and provide more detailed guidance as to threats, architecture, hardening and recommended best practices.
• Research and Activities for 2013 – 2014
• Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing – Q1 2014
46. Telecom Working Group
• The Telecom Working Group (TWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how to deliver secure cloud solutions and foster cloud awareness within all aspects of Telecommunications.
• Research and Activities for 2013 - 2014
• Next Generation SIEM White Paper – Q3 2013
• IPv6 Research – In Progress
• Continued advisory role for the Telecom Industry
47. Health Information Management Working Group
• The Health Information Management Working Group (HIWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries.
• Research and Activities for 2013 – 2014
• Business Associate Agreement Policy Guidance – Q2 2014
• Updated HIPAA HiTech Mapping for V.3 – Q1 2014
• HIPAA Omnibus Rule Education – Q3 2013
48. Small to Medium Sized Business (SMB) Working Group
• This working group will focus on providing tailored guidance to small business, will cooperate with other working groups where appropriate, and will help cloud providers understand small business requirements.
• Research and Activities for 2013 – 2014
• Organize a series of workshops to discuss small business cloud requirements and perception of current cloud alliance guidance – Q3/Q4 2013
• Analyze existing Cloud Security Alliance workgroups and identify where small business related input is required - TBD
• Produce Small business guidance document, draft version - TBD
• Produce requirements and recommendations to other Cloud Security Alliance workgroups - TBD
49. Service Level Agreement Working Group
• Service Level Agreements (SLAs) are a component in most cloud service terms and contracts. However, there is a consensus that customers and providers alike have questions about what constitutes an SLA, the sufficiency and adequacy of SLAs and their management. The Cloud Security Alliance SLA Working Group (SLA WG), in an effort to provide clarity to the subject of SLAs, has developed guidance in the following areas.
• What are the components of an SLA?
• What role does the SLA play for CSP and CSU?
• Can we define an SLA Taxonomy?
• What is the status of SLAs today?
• SLA myths, challenges and obstacles?
• SLA Guidance and Recommendations
• Research and Activities for 2013 – 2014
• Cloud SLA Guidance – Q4 2013/ Q1 2014
50. Privacy Level Agreement Working Group
• This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially when trans-border data flow is concerned.
• A Privacy Level Agreement (PLA) has twofold objectives:
• Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection.
• Offer contractual protection against possible economic damages due to lack of compliance or commitment of the CSP with privacy and data protection regulation.
• Research and Activities for 2013 – 2014
• Phase 2 - Gap Analysis - Cover Requirements outside of Europe (Global PLA) – Q4 2013/ Q1 2014
• Seal or Privacy Certification - Assess Need – Q1 2014
51. Financial Working Group
• The Financial Working Group (FWG) will be identifying challenges, risks and Best Practices for the development, deployment and management of secure cloud services in the financial Industry.
• FWG’s investigation is expected to lead to the following goals:
• Identifying the Industry’s main concerns regarding Cloud Services in their sector.
• Help industry on adoption of best practices.
• Establish liaisons with regulatory bodies in order to foster the development of suitable regulations.
• Accelerate the adoption of Secure Cloud services in the Financial Industry
• Research proposals for funding
• Research and Activities for 2013 – 2014
• Develop guidelines and recommendations for the delivery and management of cloud services in the F&B sector – QX 2014
52. Open Certification Framework
• The CSA Open Certification Framework provides:
• A path for any region to address compliance concerns with trusted, global best practices. For example, we expect governments to be heavy adopters of the CSA Open Certification Framework to layer their own unique requirements on top of the GRC Stack and provide agile certification of public sector cloud usage.
• Explicit guidance for providers on how to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM).
• A "recognition scheme" that would allow us to support ISO, AICPA and potentially others that incorporate CSA IP inside of their certifications/framework. CSA supports certify-once, use-often, where possible.
• Research and Activities for 2013 – 2014
• STAR Certification Manual – Q3 2013
• STAR Attestation Manual – Q3 2013
• STAR Certification Auditor Accreditation – Q3 2013
• STAR Attestation Auditor Accreditation – Q4 2013
• OCF Cost Analysis – Q4 2013
• OCF Certification Launch – Q4 2013
53. The OCF structure
• The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.
54. ISACA Collaboration Project
• A collaborative project by ISACA and CSA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing and will help identify any changes in the market. The report, released today, provides detailed insight on the adoption of cloud services among all levels within today’s global enterprises and businesses, including the C-suite.
• Research and Activities for 2013 – 2014
• Cloud Market Maturity Survey – Q3 2013
• Cloud Market Maturity Study Results – Q4 2013
55. Internet2 Collaboration Project
• A team of 30 CIOs, CISOs, and other executives from Internet2’s membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements.
• Research and Activities for 2013 – 2014
• Net+ Initiative CCM V1.4 – Q3 2013
• Net+ Initiative CCM V3.0 – Q1 2014
56. CSA APAC
• Incorporated and based in Singapore
• Planned establishment of HQ in Singapore
• Supported by key Singaporean ministries, led by
Infocomm Development Authority
• IDA support for research and standards functions
• Also private/public partnerships with gov’ts of
Thailand and Hong Kong
• CSA chapters throughout APAC
57. Regional APAC Research
• Research in the APAC region reflects the rapid growth of the cloud market in the region and the demand for security assurances among our member countries
• Research and Activities for 2013 – 2014
• New Zealand MBIE Funding – Q4 2013
• CSA Research Journal – Q3 2014
• Singapore Standard for Virtualization – TBD
• Salary Survey of Cloud Professionals – TBD
• Joint Interpol Project – TBD
• Survey of Reg Requirements for going to the Cloud in Asia - TBD
58. CSA Europe
• Incorporated in UK
• Base of operations in Heraklion, Greece
• Staffed by noted experts from key EU institutions
• Managing director an alumnus of ENISA (European Network Information Security Agency)
• Received funding grants for 4 research projects by European Commission in 2012
• FP7 Projects
59. FP7 Projects
• Incorporated in UK
• Base of operations in Helsinki, Finland
• Staffed by noted experts from key EU institutions
• Managing director an alumnus of ENISA (European Network Information Security Agency)
• Received funding grants for 4 research projects by European Commission in 2012
60. Global University Cloud Research Consortium
• This academic group will be focusing on research collaborations, university-to-university exchanges, university-industry collaborations, adjunct professorships, visiting researchers/professors, and will also organize and administer funding applications.
• Research and Activities for 2013 – 2014
• Planning in Progress
61. Enterprise User Council
• The Cloud Security Alliance (CSA) Enterprise User Council was started to provide a balance of power between cloud providers and enterprise users in a world where cloud services, big data, and mobile computing advancements have made their biggest leap into businesses. Our long term goal is to understand the biggest problems facing enterprises and help solve these issues. The CSA Enterprise User Council will represent businesses on these issues externally and abroad.
• Research and Activities for 2013 – 2014
• Planning in Progress
62. CCSK – User Certification
• Certificate of Cloud Security Knowledge (CCSK)
• Benchmark of cloud security competency
• Online web-based examination
• www.cloudsecurityalliance.org/certifyme
• Training partnerships
• Developing new curriculum for audit, software development and architecture
63. CSA Open Certification Framework
• Leverage CSA STAR Infrastructure to create national, local or industry-specific provider certifications
• Allows governments, certification bodies and industry consortia to create certifications addressing specific requirements without developing complete & proprietary bodies of knowledge
• Leverage existing certification/attestation regimes
• 2013 Open Certification
• ISO 27001 Certification based upon CSA CCM (partnered with British Standards Institution)
• SOC-2 Audit Attestation Reporting based upon CSA CCM (partnered with AICPA)
• Branded as CSA STAR Certification – the gold standard for cloud provider certification
64. International Standardization Council
• Engage international standards bodies on behalf of CSA
• Propose key CSA research for standardization
• Liaison relationship with ITU-T
• Category A liaison with ISO/IEC SC27 & SC38
• Tracking key SDOs for 2013
• DMTF
• IEEE
• IETF
• CCSA
• RAISE
65. Q3 2013 RESEARCH RELEASES
CCM
CCM V.3
BIG DATA WORKING GROUP
Expanded Top 10 Big Data Security and Privacy Concerns
Big Data Analytics for Security Intelligence
HIM
HIPAA Omnibus Rule Education
CTP
API Interface Definition (Alain to update)
INCIDENT MANAGEMENT & FORENSICS
Provider Forensic Support in Public Multi-Tenant Cloud Environments
OCF
STAR Certification Manual
STAR Attestation Manual
STAR Certification Auditor Accreditation
ISACA
Cloud Market Maturity Survey
INTERNET2 COLLABORATION
Net+ Initiative CCM V1.4
ANTI-BOT Working Group
Work Group Kick-Off
Enterprise User Council
Work Group Kick-Off
66. Q4 2013 RESEARCH RELEASES
MOBILE WORKING GROUP
Mobile Authentication Management V.1.1
Mobile Device Management V.2
Mobile Maturity Survey
CCM
AICPA Trust Service Principles Mapping
COBIT 5.0
ENISA Information Assurance Framework Mapping
ODCA Mapping
German BSI Mapping
NZISM Mapping
Privacy Control Assessment
Internet 2 Compliance Area Mapping
NIST SP 800-53 Rev 4
SecaaS
Defined SecaaS Framework Survey
BIG DATA WORKING GROUP
Big Data Framework and Taxonomy White Paper
CSA ENTERPRISE ARCHITECTURE
KRI and KPI Development for CSA Reference Architecture Interactive Site
Case Study Webinars (CloudBytes Sessions)
Workshop with EAWG, NIST and Vidders
Anti-Bot Working Group
Outreach Program Launch
Essential Practices Sub-Group Launch
Tools and Operations Sub-Group Launch
Economics Sub-group Launch
67. Q4 2013 RESEARCH RELEASES
SMB WG
Small Medium Size Business Kick-Off and Outreach
CAIQ
CAIQ V.3
CTP
Prototype
CLOUD AUDIT
Create CCM V.3 Database
INCIDENT MANAGEMENT & FORENSICS
Developing a capability maturity model (CMM) for IncM and Forensics in Cloud
Environments
OCF
STAR Attestation Auditor Accreditation
OCF Cost Analysis
OCF Certification Launch
ISACA
Cloud Market Maturity Study Results
TELECOM WORKING GROUP
Next Generation SIEM White Paper
APAC Research
Roadmap for Execution
68. Q4 2013 RESEARCH RELEASES
Virtualization Working Group
Virtualization Working Group Kick-Off
Update Security Guidance to include SDN
Financial Services Working Group
FSWG Kick-off
Establish Security and Privacy Test Beds
Cloud Brokerage Working Group
Publication of one year work plan
Launch CSA Cloud Broker microsite, partner directory and twitter account
Publication of V.1 of Working Group Deliverables
Cloud Brokerage Kick-Off
Leapfrog Project
Create CCM V.3 Database
Vulnerabilities Working Group
Working Group Expansion/Official Kick-Off
APAC RESEARCH
New Zealand MBIE Funding
69. Q1 2014 RESEARCH RELEASES
GUIDANCE
Security Guidance for Critical Areas of Cloud Computing V.4 (Planning)
CCM
COBIT 5 Mapping
Slovenian Information Commissioner on Privacy Guidance for Cloud Computing Mapping
SECAAS
Implementation Guidance Documents V.2 (Planning)
BIG DATA WORKING GROUP
Big Data Cryptography Report
HIM
Updated HIPAA HiTech Mapping for V.3
CTP
Trust Model
CLOUD AUDIT
Automate Change-adds through DB Version of CCM
TOP THREATS
Top Threats to Cloud Computing Survey
CDG
Data Governance across International Borders
70. Q1 2014 RESEARCH RELEASES
VIRTUALIZATION WORKING GROUP
Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing
CLOUD VULNERABILITIES WORKING GROUP
Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data
SLA
Cloud SLA Guidance
PLA
Phase 2 - Gap Analysis - Cover Requirements outside of Europe (Global PLA)
Seal or Privacy Certification - Assess Need
INTERNET2 COLLABORATION
Net+ Initiative CCM V3.0
71. Q2 2014 RESEARCH RELEASES
HIM
Business Associate Agreement Policy Guidance
CTP
Pilot
CLOUD AUDIT
Update Notification Functionality
TOP THREATS
Top Threats to Cloud Computing V.4
CDG
Data Tracking and Logging Standard
CLOUD VULNERABILITIES WORKING GROUP
Creation of a cloud vulnerability feed documentation mechanism/ format/ protocol
73. About the Cloud Security Alliance
• Global, not-for-profit organization: 56,000 members
• Building security best practices for next generation IT
• Research and Educational Programs
• Cloud Provider Certification: CSA STAR
• User Certification: CCSK
• Awareness and Marketing
• The globally authoritative source for Trust in the Cloud
www.cloudsecurityalliance.org
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
74. CSA Fast Facts
• Founded in 2009
• 56,000+ individual members, 70+ chapters globally
• 190+ corporate members
• Major cloud providers, tech companies, infosec leaders, DoD, the Fortune 100 and
much more
• Offices in Seattle USA, Singapore, Helsinki Finland
• Over 40 research projects in 30+ working groups
• Strategic partnerships with governments, research institutions,
professional associations and industry
75. Thanks
Phil Agcaoili
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix,
GRC Stack, Security, Trust and Assurance Registry (STAR), and
CSA Open Certification Framework (OCF)
Contributor, NIST Cybersecurity Framework version 1
@hacksec
https://www.linkedin.com/in/philA