Cloud Security Alliance presentation

1. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Ken Low
Chairman, Asia Pacific Executive Council
Cloud Security Alliance

2. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Cloud
One million new
mobile devices -
each day!
Social Networking
Digital Natives

3. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
State Sponsored Cyberattacks?
Organized Crime?
Legal Jurisdiction & Data Sovereignty?
Global Security Standards?
Privacy Protection for Citizens?
Transparency & Visibility from Cloud Providers?

4. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Shift the balance of power to consumers of IT
Enable innovation to solve difficult problems of
humanity
Give the individual the tools to control their digital
destiny
Do this by creating confidence, trust and
transparency in IT systems
Security is not overhead, it is the enabler

5. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Transparency & visibility from providers
Compatible laws across jurisdictions
Data sovereignty
Incomplete standards
Lack true multi-tenant technologies &
architecture
Incomplete Identity Mgt implementations
Risk Concentration

6. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Shared Responsibility
Incident sharing
Legal frameworks
Human intelligence
Agile communities

7. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Global, not-for-profit organization, founded 2009
Geographically divided into Americas, EMEA and
APAC regions to meet strategic objectives
200 member driven organization with over 44,000
individual members in 64 chapters worldwide
Established with the aim of bringing trust to the
cloud
Develop a global trusted cloud ecosystem
Building best practices and standards for next-gen IT
Grounded in an agile philosophy, rapid development of
applied research that supports all activities

8. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
2009
CSA launch at RSA 2009 with Security Guidance for
Critical Areas of Focus in Cloud Computing
6,000 members
2010
Launch Certificate of Cloud Security Knowledge
(CCSK)
15,000 members
2011
Launch CSA Security, Trust and Assurance Registry
(STAR)
27,000 members
2012
Launch CSA Mobile and Big Data research to
address emerging needs
42,000 members
North
America
EMEA
APAC
Latin
America
0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
40,000
45,000
Membership Growth

9. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance

10. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Corporate HQ is established in
Singapore
Global CSA Research Centre
Global Standards Secretariat
CCSK Global Centre of Excellence
Secondary hub is established in
Hong Kong anchored by
CloudCERT APAC Operational Base
Both locations also serve as
APAC business centre
Serving as a regional hub and
operations magnet our members
Subsequently satellite hubs are
established in Thailand, Taiwan and
New Zealand

11. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance

12. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
CSA research is organized
under a framework based
on CSA Security Guidance
for Critical Area of Focus in
Cloud Computing
Total of 14 domains
organised under 3 key
areas of focus –
Architecture, Governance
and Operational Security

13. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Our research includes
fundamental projects needed
to define and implement trust
within the future of
information technology
CSA continues to be
aggressive in producing
critical research, education
and tools
Sponsorship opportunities
Selected research projects in
following slides

14. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance

15. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
The industry’s first user certification
program for secure cloud computing
Based on CSA research framework,
specifically the Security Guidance for
Critical Area of Focus in Cloud Computing
Designed to ensure that a broad range of
professionals with responsibility related to
cloud computing have a demonstrated
awareness of the security threats and best
practices for securing the cloud

16. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
CCSK Basic
One day course to enable student to pass CCSK
CCSK Plus
Two day course includes practical cloud lab work
CCSK Train-the-Trainer
Three day course including CCSK Plus
GRC Stack Training
Additional one day course to use GRC Stack components
PCI/DSS In the Cloud
Additional one day course focusing on achieving PCI compliance in cloud
computing
http://cloudsecurityalliance.org/education/training/

17. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance

18. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Public visibility into Providers
Corporate Governance
Supply Chain
Information Security Program
Policies Impacting Customers
Consumer right to know
Public will demand better
Sunlight is the best disinfectant,” U.S. Supreme
Court Justice Louis Brandeis

19. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
The CSA Open Certification Framework is an
industry initiative to allow global, accredited,
trusted certification of cloud providers.
The CSA Open Certification Framework is a
program for flexible, incremental and multi-
layered certification
Based on CSA best practices
Integrating with popular third-party assessment
and attestation statements, initially ISO 27001
& AICPA SSAE16 (SOC2)
Pilots in progress, will be released Q3 2013
under the STAR brand

20. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
OPEN CERTIFICATION FRAMEWORK
CONTINUOUS
ATTESTATION | CERTIFICATION
SELF ASSESSMENT
TRANSPERANCY
ASSURANCE

21. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Clear GRC objectives
3rd Party
Assessment
Real time,
continuous
monitoring
+
+
Self Assessment
+

22. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
CSA STAR (Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative Questionnaire
Provider may substitute documented Cloud Controls Matrix
compliance
Voluntary industry action promoting transparency
Security as a market differentiator
www.cloudsecurityalliance.org/star
STAR – Demand it from your providers!

23. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
2 Registered
(December 2012)
22 Registered
(February 2013)

24. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance

25. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Industry thought leadership
Traditional Monday start to RSA
Conference
2011: White House launches Federal
Cloud Strategy
2012: Keynote from Former NSA Director
Mike McConnell, announce CSA Mobile
2013: DHS Undersecretary for
Cybersecurity and Presiding Director of
Coca Cola Company, James Robinson III

26. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
One day conferences in conjunction with
chapters
Engage with local thought leaders
Project CSA best practices globally
2013 Regional Summits (so far)
16 in Asia Pacific
4 in Americas
4 in EMEA
http://www.csathailand.org

27. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Only multi-track, multi-day conference
focused on cloud security
Key venue for new research
Primarily attended by enterprise end users
2013 CSA Congress Plans
CSA Congress APAC, Singapore, May 14-17
CSA Congress EMEA, Europe, September
CSA Congress US, Orlando, November
http://www.csa-apac.org

28. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance

29. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Challenges remain, there will always be
insecurity
Global collaboration, public & private
Innovation can make policy restrictions
obsolete
Major focus on identity needed
The Internet of Things is a ticking bomb
Must solve tomorrow’s problems today
Transparency must be our guide

30. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Be Pragmatic, Be Agile
Follow the law, but do not concede to poor
interpretations of the law. Defend the spirit of
the law forcefully.
More tools available than you think
Advocate through procurement
Waiting not an option, but don’t forget
Strategy
Risk Management
Cloud-ready Enterprise Architecture
Be Educated

31. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
For more information on the Cloud
Security Alliance, please contact:
Global/Americas
Jim Reavis
jreavis@cloudsecurityalliance.org
EMEA
Daniele Catteddu
dcatteddu@cloudsecurityalliance.org
APAC
Aloysius Cheang
acheang@cloudsecurityalliance.org

32. www.cloudsecurityalliance.orgCopyright © 2012 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance