Presentation that I gave at ISC2 SecureLondon conference in London on 11th December 2012.

1. Security architecture and Cloud
computing, are these mutually
exclusive?
(Introduction to Cloud Security Guidance)

2. Agenda
 Cloud risk assessment x compared to traditional risk
assessments
 Cloud security architectures x compared to security
architectures
 CSA domains
Copyright © 2012 Cloud Security Alliance https://cloudsecurityalliance.org.uk

3. Cloud risk assessment
Identify Context
assets establishment
Map the data Evaluate
flows assets
Risk Risk
communication assessment
Evaluate
Map to Cloud
Cloud
deployments
models and Risk treatment
models
Providers
Copyright © 2012 Cloud Security Alliance https://cloudsecurityalliance.org.uk

4. Cloud model
Broad network Rapid elasticity Measured On-demand
access service service
Resource pooling
Software as a Platform as a Infrastructure
Service (SaaS) Service (SaaS) as a Service
(SaaS)
Publi Private Hybrid Community
c
Copyright © 2012 Cloud Security Alliance https://cloudsecurityalliance.org.uk

5. Cloud computing deployment
models
Infrastructure Infrastructure Infrastructure Accessible and
managed by owned by located consumed by
Third party Third party
Public Off-premise Untrusted
provider provider
Organisation Organisation On-premise
Private/ o
Trusted
Community r 3rd party 3rdparty
Off-Premise
provider provider
Both Organisation Both Organisation
Both On-Premise Trusted &
Hybrid & Third party & Third party
& Off-Premise Untrusted
provider provider
Copyright © 2012 Cloud Security Alliance https://cloudsecurityalliance.org.uk

6. Cloud model maps to Security model
Cloud model
GRC
Business continuity
SIEM
Data security
Identity, Access
Direct map
Cryptography
Application sec.
Host security
Network security
Physical security
Copyright © 2012 Cloud Security Alliance https://cloudsecurityalliance.org.uk

7. Responsibilities for areas in security
model compared to delivery models
Provider responsible Customer responsible
GRC
Business continuity
SIEM
Identity, Access
Cryptography
Data security
Application sec.
Host security
Network security
Physical security
IaaS PaaS SaaS IaaS PaaS SaaS
Copyright © 2012 Cloud Security Alliance https://cloudsecurityalliance.org.uk

8. Cloud Security Domains
Governance Operational
 Governance and Enterprise Risk  Traditional Security, Business
Management Continuity and Disaster Recovery
 Legal Issues: Contracts and Electronic  Data Center Operations
Discovery
 Incident Response, Notification and
 Compliance and Audit Remediation
 Information Management and Data  Application Security
Security
 Encryption and Key Management
 Portability and Interoperability
 Identity and Access Management
 Virtualization
 Security as a Service
Copyright © 2012 Cloud Security Alliance https://cloudsecurityalliance.org.uk

9. Cloud Security Alliance supports number
of projects related to cloud
Get involved at
https://cloudsecurityalliance.org/resea
rch/https://cloudsecurityalliance.org.uk
Copyright © 2012 Cloud Security Alliance

10. How to manage cloud security
• Have a cloud security standard
• What to do on an Enterprise level
• Before your Cloud project
• During your Cloud project
How to drive out the
• BAU 'seven deadly sins' of
cloud computing - new
Information Security
• Exit from the Cloud provider Forum report
• Risks cannot be outsourced
• Manage lock-in and exit up-front – especially in SaaS
Copyright © 2012 Cloud Security Alliance https://cloudsecurityalliance.org.uk

11. Contact
Help us secure cloud computing – Get involved
• http://cloudsecurityalliance.org.uk
• info@cloudsecurityalliance.org.uk
• LinkedIn: http://www.linkedin.com/groups/Cloud-
Security-Alliance-UK-Chapter-3745837
• Twitter: @CSAUKResearch
Copyright © 2012 Cloud Security Alliance https://cloudsecurityalliance.org.uk

12. Thank you!
www.cloudsecurityalliance.org