Your clouds must be transparent - an intro to Cloud Security Alliance

I didn't present this as the night was too ad hoc for PPT. Still thought I'd upload it if it's useful.

Presentation Transcript

  • All your clouds must be transparent
    • The inconvenient truth for SaaS and PaaS security credibility
    • David Jones – CTO/Founder ThreatMetrix
    • CloudCamp Sydney, Aug 09. TMX: real-time SaaS-based fraud protection for eCommerce payments, dating/social, classifieds, money transfer, virtual goods
  • Anyone spent 10 minutes with a security guy?
  • Anyone told Sales “it’s not ready to sell”?
  • Compromise: we’ll fix it later
  • Why put off until tomorrow what you can do the day after?
  • Credit card breaches (payment gateways are one of the oldest SaaS services)
    • TJMAX – 475 million stolen cards
    • Heartland – 130 million stolen cards
  • DDoS
    • Aug 2009: Twitter/Facebook DDoS
    • BUT there were 770 other DDoS attacks on the same day (source: Arbor Networks)
    • 30 Gbit/sec attack on a 3G provider
  • Phish, spearphish and keylogger (identity-theft-driven fraud)
    • I’ve lost track…
    • Twitter public document leak (password exploit)
  • And then there are outages
  • Gartner (July 2008)
    • “Cloud computing is the least transparent externally sourced delivery method.”
    • “[Cloud] not only introduces the same risks as any externally provided service, it also includes some unique risk challenges”: reduced visibility, the complication of compliance, and the loss of control over the location of the data. Reliability and recoverability become a concern when outsourcing to a commodity provider, as does the viability of that supplier.
    • “Assess the risks of using any cloud computing provider, and … demand greater transparency than many are currently willing to offer.”
  • Cloud Security Alliance – www.cloudsecurityalliance.org (I don’t speak for them, just talkin’ about them)
    • 3,512 individual members as of August 3rd
    • Broad Geographical Distribution
    • Board of Directors include: ING, eBay execs
    • CSA challenges/position
      • We aren’t moving to the cloud We are reinventing in the cloud
      • Accelerated pace of change
      • Globalization
      • Massive multi-tenancy
      • Pressure on traditional organizational boundaries
      • Challenges traditional thinking
        • How do we build standards?
        • How do we create architectures?
        • What is the ecosystem required to manage, operate, assess and audit cloud systems?
  • Activities
    • New Working Groups
      • Healthcare
      • Cloud Threat Analysis
      • US Federal Government
      • Financial Services
  • What is in the Guide? (April 2009 edition is 80+ pages)
    • A working document that defines the basis on which vendors and customers can NEGOTIATE an understood service engagement (for IaaS, PaaS, SaaS)
    • Many enterprises are clueless about security anyway – so the document EDUCATES on the current landscape of concerns/issues
  • What is in the Guide? (cont’d)
    • Section I Cloud Architecture
    • Domain 1: Cloud Computing Architectural Framework
    • Section II Governing in the Cloud
        • Domain 2: Governance and Enterprise Risk Management
        • Domain 3: Legal
        • Domain 4: Electronic Discovery
        • Domain 5: Compliance and Audit
        • Domain 6: Information Lifecycle Management
        • Domain 7: Portability and Interoperability
    • Section III Operating in the Cloud
      • Domain 8: Traditional Security, Business Continuity and Disaster Recovery
      • Domain 9: Data Center Operations
      • Domain 10: Incident Response, Notification and Remediation
      • Domain 11: Application Security
      • Domain 12: Encryption and Key Management
      • Domain 13: Identity and Access Management
      • Domain 14: Storage
      • Domain 15: Virtualization
  • So is CSA a good or bad thing?
    • “Yes” if you don’t like being pwned
    • “Yes” if cloud is to be long-term credible
    • Can create a perception of “one size fits all”
    • Is this Sarbanes-Oxley for service providers?
    • “No” if it only benefits big/incumbent vendors
  • A compliance comparison… Credit: Sense of Security and aisa.org.au
  • Heartland was PCI Compliant
  • So…compliance does not always deliver what is needed but…
  • CSA: Call to Action
    • Discussions & announcements on LinkedIn & GoogleGroups
    • Hold regional CSA meetups
    • Volunteer for existing research
    • Brainstorm new research initiatives
    • Contact:
      • www.cloudsecurityalliance.org
      • [email_address]
      • Twitter: @cloudsa, #csaguide
      • LinkedIn: www.linkedin.com/groups?gid=1864210
  • All your clouds must be transparent thanks! david DOT jones AT gmail DOT com @djinoz