2. Agenda
• About the Cloud Security Alliance
• What is cloud computing?
• CSA GRC
• Consensus Assessment Initiative Questionnaire
• Control Matrix
• Industry GRC activities in the cloud
• CS-DLP roadmap
• Q&A
3. About the Cloud Security Alliance
• Global, not-for-profit organization
• Over 17,000 individual members, 90 corporate members
• Building best practices and a trusted cloud ecosystem
• Agile philosophy, rapid development of applied research
– GRC: Balance compliance with risk management
– Reference models: build using existing standards
4. What is Cloud Computing?
• Compute as a utility: third major era of computing
• Aligning IT costs with business needs and revenue
• Accelerate innovation
• Not one cloud
– 3 Delivery Models
– 4 Deployment Modes
– Thousands of providers
– Several unique cloud solutions for any given business problem
5. CSA GRC (Governance, Risk & Compliance) Stack
• Suite of tools, best practices and enabling technology
• For cloud providers, enterprises, solution providers and audit/compliance
– CCM: Controls Framework
– CAI: Assessment Questionnaire
– CloudAudit: Continuous Controls Monitoring Automation
(Diagram labels: Provider Assertions; Private & Public Clouds; Control Requirements)
www.cloudsecurityalliance.org/grcstack
8. Additional relevant GRC tools & initiatives
• Jericho Forum
• BITS Shared Assessments
• ISF
• CAMM
• Risk Ontology for Basel III
• ISACA Cloud Computing Management Audit/Assurance Program
• NIST, SANS, ... (CSA participates in all these initiatives & organizations)
9. CS-DLP Roadmap
• Assess current situation
• Define target situation
• Use CSA GRC Stack
• Organise, test and adapt GRC process, including monitoring & audit
• Test run & adopt cloud services
• ...