Open certification framework
Cloud Asia Singapore 15 May 2013
    Presentation transcript

    • www.cloudsecurityalliance.org, Copyright © 2011 Cloud Security Alliance
      Open Certification Framework
      CSA APAC Congress 2013, Singapore, May 2013
      Daniele Catteddu, CSA Managing Director EMEA and OCF Project Director

    • About the Cloud Security Alliance
      Global, not-for-profit organisation
      Over 40,000 individual members, more than 160 corporate members, over 60 chapters
      Building best practices and a trusted cloud ecosystem
      Agile philosophy, rapid development of applied research
      GRC: balance compliance with risk management
      Reference models: build using existing standards
      Identity: a key foundation of a functioning cloud economy
      Champion interoperability
      Enable innovation
      Advocacy of prudent public policy
      "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."

    • Cloud in 2013
      Cloud computing is becoming a mature business model.
      Many companies and governments around the globe are implementing their strategies to embrace cloud services effectively and efficiently.
      Growing adoption of cloud services by large banks, manufacturers, healthcare organizations and other large corporations, as well as small and medium businesses.

    • Cloud and the GO game
      Despite the simplicity of the idea of ICT services offered as a utility, on demand and pay-as-you-go, the cloud computing model is based on a complex chain of interactions between multiple parties which operate in different countries and legal jurisdictions. The complexity and opacity that sometimes characterize this cloud "supply chain" have generated some barriers to faster adoption of cloud computing.

    • Cloud BARRIERS
      Lack of clarity around the definition and attribution of responsibilities and liabilities
      Difficulties achieving accountability across the cloud supply chain
      Incoherent global (and sometimes even regional and national) legal frameworks and compliance regimes
      The lack of transparency of some service providers or brokers, particularly around security and risk management

    • ...and more BARRIERS
      Difficulties in performing internal and external due diligence
      Lack of clarity in Service Level Agreements
      Lack of interoperability
      Lack of awareness and expertise

    • In 3 words: LACK OF TRUST
    • A new GOVERNANCE model
      Users need to understand the shift in the balance of responsibility and accountability for key functions such as governance and control over data and IT operations, and ensuring compliance with laws and regulations.
      Cloud computing requires a new model for assessing organisational risks related to security and resilience.

    • INDIRECT CONTROL

    • ACCOUNTABILITY

    • ASSURANCE
      Consumers do not have simple, cost-effective ways to evaluate and compare their providers' resilience, data protection capabilities and service portability.

    • HOW DO WE BUILD TRUST & TRANSPARENCY?

    • Government cloud strategies around the globe
      Stimulating a wider use of standards
      Certification of cloud services to show they meet these standards
      Endorsement of such certificates by regulatory authorities as indicating compliance with legal obligations

    • Provider Certification
      Increase consumer trust and confidence in cloud systems, the future of IT
      Improve overall security and transparency of the ecosystem
      Assist cloud providers and consumers in achieving regulatory compliance

    • Certification for cloud services
      Already part of the cloud strategy in countries such as the USA, Singapore, Thailand, China, Hong Kong and Taiwan
      In Europe various Member States are looking at a certification/accreditation scheme for cloud services (especially in public procurement)
      The UK G-Cloud is based on a logic of companies accredited to offer services in the App Store

    • Certification Challenges
      Provide a globally relevant certification to reduce duplication of effort
      Address localized, national-state and regional compliance needs
      Address industry-specific requirements
      Address different assurance requirements
      Address "certification staleness": assure that the provider is still secure after a "point in time" certification
      Do all of the above while recognizing the dynamic and fast-changing world that is cloud

    • OPEN CERTIFICATION FRAMEWORK

    • OCF: The structure
      The Open Certification Framework is structured on 3 LEVELS of TRUST, each one providing an incremental level of visibility and transparency into the operations of the Cloud Service Provider and a higher level of assurance to the cloud consumer.

    • OCF: Timeline
      Q4 2011: Self Assessment (STAR Registry)
      Q1 2013: Certification Framework
      Q3 2013: Certification: 3rd-party assessment/certification
      2015: Certification: continuous monitoring
    • OCF step 1: CSA STAR Registry
      CSA STAR (Security, Trust and Assurance Registry)
      Public registry of cloud provider self-assessments
      Based on the Consensus Assessments Initiative Questionnaire (CAIQ)
      Provider may substitute documented Cloud Controls Matrix (CCM) compliance
      Voluntary industry action promoting transparency
      Free-market competition to provide quality assessments
      Provider may elect to provide assessments from third parties
      Available since October 2011

    • OCF: Step 2 CERTIFICATION

    • What is STAR Certification?
      The concept of the scheme is to use ISO/IEC 27001:2005 certification integrated with the CSA Cloud Controls Matrix (CCM), as additional or compensating controls where applicable, together with the organization's own internal requirements or specifications, to assess how advanced their systems are.
      The scheme will be compliant with ISO/IEC 17021 and ISO/IEC 27006.
      Will be open to all 3rd-party certification bodies (CBs)
      Will be an additional scheme on top of the CB's own ISO 27001 scheme requirements
      It is not meant to be a replacement for ISO 27001, but integrates ISO 27001 with cloud-specific controls

    • What is STAR Certification?
      STAR CERTIFICATION evaluates the effectiveness of an organization's ISMS and ensures the scope, processes and objectives are "Fit for Purpose."
      Helps organizations prioritize areas for improvement and leads them towards business excellence.
      Enables effective comparison with other organizations in the applicable sector.
      Based upon the Plan, Do, Check, Act (PDCA) approach and the controls outlined in the Cloud Controls Matrix (CCM).
      Enables the auditor to assess a company's performance on long-term sustainability and risks, in addition to ensuring they are SLA driven, allowing senior management to quantify and measure improvement year on year.
      It gives a prospective customer of the certified organisation a greater understanding of the level of control the organisation they are buying from has in place.

    • STAR Certification: the role of CCM
      The CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
      The Cloud Controls Matrix is meant to be integrated into the assessment by the auditor, referencing the applicable CCM control to the associated ISO 27001 controls (SoA). The output will be the result of the overall performance of the organization within the scope of certification.

    • HOW does STAR Certification provide assurance to a cloud client?
      ISO 27001 requires the organisation to evaluate its customers' requirements and expectations, and contractual requirements. It requires that they have implemented a system to achieve this.
      ISO 27001 requires the organisation to have conducted a risk analysis that identifies the risks to meeting their customers' expectations.
      The Cloud Controls Matrix requires the organisation to address the specific issues that are critical to cloud security.
      The maturity model assesses how well managed the activities in the control areas are.

    • HOW does STAR Certification provide assurance to a cloud client?
      No certification can ever guarantee information is 100% secure; however, STAR certification ensures an organisation has an appropriate system for the type of information it is dealing with, and that it is well managed and focused on cloud-specific concerns.
    • Assigning a score to an organization
      When an organisation is audited, a Management Capability Score will be assigned to each of the control areas in the CCM. This indicates the capability of the management in this area to ensure the control is operating effectively.
      The management capability of the controls will be scored on a scale of 1-15. These scores have been divided into 5 different categories that describe the type of approach characteristic of each group of scores.

    • Assigning a score to an organization
      For a control area to be awarded a certain score it must be at least at that level across all 5 management principles.
      In summary: there are 11 control areas in CCM v1.4, and each will be awarded a management capability score on a scale of 1-15. To decide what the score is, each control area will be considered against 5 capability factors.

    • What type of certificate will a client get?
      A client will be awarded a certificate following the assessment. Depending on the capability level they achieved they will get either:
      No Award
      A Bronze Award
      A Silver Award
      A Gold Award
      The CAPABILITY MATURITY LEVEL will NOT be PUBLIC; it is information provided only to the candidate company.
      The ONLY public information available on the CSA STAR web site will be:
      the STAR Certificate
      the SCOPE of the CERTIFICATION and the SoA
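    The scoring and disclosure rules on the three slides above can be expressed as a small model. The following is an added illustration written for this transcript, not CSA or STAR scheme code. It takes from the slides only: 11 control areas (CCM v1.4), a 1-15 scale, 5 capability factors per area, the rule that an area only reaches a level all 5 factors reach, the No/Bronze/Silver/Gold outcomes, and the split between the private per-area scores and the public certificate, scope and SoA. The control-area names, the award cut-offs, the use of the weakest area to pick the award, and the sample audit sheet are assumptions made for the example.

```python
"""Model of the STAR Certification scoring rule as described on the slides.

Added example, not CSA/STAR code. Everything marked 'assumption' is not on
the slides and exists only so the example runs end to end.
"""
from dataclasses import dataclass

CAPABILITY_FACTORS = 5          # slides: 5 management principles / capability factors
SCORE_MIN, SCORE_MAX = 1, 15    # slides: management capability scale of 1-15
NUM_CONTROL_AREAS = 11          # slides: 11 control areas in CCM v1.4

# Assumption: the slides do not name the 11 areas, so generic labels are used.
CONTROL_AREAS = tuple(f"CCM-area-{i:02d}" for i in range(1, NUM_CONTROL_AREAS + 1))

# Assumption: award cut-offs are not on the slides, and the award is driven by
# the weakest control area (the same "all must reach the level" logic the
# slides apply to the 5 factors within an area).
AWARD_THRESHOLDS = (("Gold", 13), ("Silver", 10), ("Bronze", 7))


def control_area_score(factor_scores):
    """Capability score of one control area: the level every factor reaches.

    Malformed input (wrong factor count, score outside 1..15) is rejected
    rather than clamped, so a bad audit sheet cannot quietly inflate a score.
    """
    if len(factor_scores) != CAPABILITY_FACTORS:
        raise ValueError(f"expected {CAPABILITY_FACTORS} factor scores, got {len(factor_scores)}")
    for s in factor_scores:
        if not isinstance(s, int) or not SCORE_MIN <= s <= SCORE_MAX:
            raise ValueError(f"factor score {s!r} outside {SCORE_MIN}..{SCORE_MAX}")
    return min(factor_scores)


def assess(audit_sheet):
    """Score every control area; all 11 areas must have been assessed."""
    missing = [a for a in CONTROL_AREAS if a not in audit_sheet]
    if missing:
        raise ValueError(f"control areas not assessed: {missing}")
    return {area: control_area_score(audit_sheet[area]) for area in CONTROL_AREAS}


def award_for(area_scores):
    """Map the weakest control-area score to an award tier (assumed thresholds)."""
    weakest = min(area_scores.values())
    for tier, threshold in AWARD_THRESHOLDS:
        if weakest >= threshold:
            return tier
    return "No Award"


@dataclass(frozen=True)
class AssessmentResult:
    organisation: str
    scope: str
    soa_reference: str
    area_scores: dict   # private: returned to the candidate company only

    def public_record(self):
        """What the registry may show: certificate, scope and SoA, never the scores."""
        tier = award_for(self.area_scores)
        if tier == "No Award":
            return None                   # no certificate, so nothing to list
        return {
            "certificate": "STAR Certificate",
            "award": tier,                # assumption: the tier is shown with the certificate
            "scope": self.scope,
            "soa": self.soa_reference,
        }


# Constructed sample audit sheet: one area is held back by a single weak factor.
SAMPLE_SHEET = {area: [12, 13, 14, 15, 12] for area in CONTROL_AREAS}
SAMPLE_SHEET["CCM-area-07"] = [14, 14, 14, 14, 9]   # area score becomes 9


def run_sample():
    """Assess the constructed sheet; expected outcome is a Bronze award."""
    return AssessmentResult("Example CSP", "IaaS platform, EU region", "SoA v3",
                            assess(SAMPLE_SHEET))


if __name__ == "__main__":
    result = run_sample()
    print("private per-area scores:", result.area_scores)
    print("public registry entry:  ", result.public_record())
```

    The point a practitioner should take from the model is that one weak factor pulls a whole control area down, and one weak area pulls the award down, so the evidence gathered for the audit needs to cover every factor in every area, not just the strongest ones.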
    • Benefits of STAR Certification?
      Sales and Marketing Benefits:
      Added to the current management system.
      An ISO 27001 certificate plus a STAR certificate as evidence of both compliance and performance to suppliers, customers and other interested parties.
      The ability to benchmark your organization's performance and gauge your improvement from year to year.
      An independently validated report from an external certification body (CB) which can be used to demonstrate an organization's progress and performance levels.
      Exclusive to the STAR Registry.

    • Benefits of STAR Certification?
      Strategic Benefits:
      A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organization.
      A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the results and measurements of assessments are both relevant and necessary in helping organizations manage their business.
      A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organization's performance, enabling senior management to identify the action areas needed.
      A set of improvement targets to encourage an organization to move beyond compliance toward continued improvement.

    • Benefits of STAR Certification?
      Operational Benefits:
      Scalable to organizations of all sizes. Provides information that allows organizations to know where they are now and measure any improvements, internally benchmark their sites and potentially externally benchmark their supply chain to stimulate healthy competition.
      A visual representation of the status of a business that instantly highlights where the strengths and weaknesses lie, allowing clients to maximize resources, improve operational efficiencies and reduce costs.
      Independent reassurance to prove to senior management where the risks, threats and opportunities lie within a business.

    • OCF Pilots in APAC: Objectives
      2 pilots finalised with Alibaba and the New Taipei City Government (NTPC): proof of concept using ISO 27001 + CCM as the foundation of STAR Certification
      Evaluate and gather supporting information and data on the maturity model
      Gather feedback from actual clients on their experiences and the value of STAR Certification
      Analyze data and lessons learned
      Improve the process and finalize for full launch

    • OCF Pilots in APAC: Outcomes
      Both pilots went as planned and both organizations had a good experience
      Both organizations did well, proving that good risk assessment habits and continual improvement are key in the process
      The maturity model proved to be valuable in validating proper scope and level of process optimization
      The maturity model is key in the transparency process
      The maturity model requires more detailed data gathering, which is a value add for the CSP and its customers
      CONFIRMED that OCF / STAR CERTIFICATION WORKS in real-life implementation

    • NEXT STEPS
      Open LEAD AUDITOR training to certification bodies and the general public globally in SEPTEMBER 2013
      LAUNCH STAR CERTIFICATION in SEPTEMBER 2013
      OUR TARGET OBJECTIVE is to have 10 ORGANIZATIONS STAR CERTIFIED by END OF 2013
      PILOT CloudAudit and Cloud Trust Protocol during 2014
      INTRODUCE STAR Continuous Monitoring in 2015

    • CIRRUS Project
      The Certification, InteRnationalisation and standaRdization in cloUd Security (CIRRUS) Consortium and Advisory Board bring together major players in the cloud landscape: users, law enforcement, cloud service providers, auditors, DPAs, policy makers, software developers, and more. It encompasses private and public partners that balance the needs of cloud consumers, providers, and law enforcement while maintaining high-level objectives such as bringing research project results to market or improving trust in cyberspace.
      CIRRUS is an EU FP7 project with 6 partners under the Support Action funding scheme. Partners include ATOS, the Austrian Standards Institute (ASI), and the Japanese IT Promotion Agency (IPA).

    • CIRRUS Project: Objectives
      Key objectives of the project include the following:
      Analyse (understand, describe, measure and monitor) the complexity of the cloud service delivery supply chain and the security implications at each stage (e.g. offshoring)
      Coalesce differing perspectives (e.g. consumer requests for transparency and provider needs to protect confidential business) and provide consolidated opinions as an advisor to EU policy making
      Identify and describe proper measures and actions that increase trust and accelerate cloud adoption (e.g. link trust to trustworthiness by an international certification scheme)

    • CIRRUS Project: 2nd Workshop
      Kyoto, July 24th 2013, co-located with the COMPSAC conference.
      Aims at sharing and discussing progress in certification and standardisation in cloud security, including different standpoints and views across international stakeholders (data protection authorities, auditors, CERT teams, governments etc.).
      The feedback from this workshop will be used in the elaboration of the Green Book on Cloud Security, which aims to converge different efforts in this area and to set out priorities for future research.
      We look forward to meeting you in Kyoto.

    • Contact
      Help Us Secure Cloud Computing
      www.cloudsecurityalliance.org
      info@cloudsecurityalliance.org
      dcatteddu@cloudsecurityalliance.org
      LinkedIn: www.linkedin.com/groups?gid=1864210
      Twitter: @cloudsa
      www.cirrus-project.eu

    • THANK YOU!