2011 Digital Summit - Not So Cloudy - Agcaoili
  • CSA did some research to understand what threats cloud computing brings. In these early days, the biggest issue is trusting your provider to have the transparency required to assure your governance, risk and compliance requirements are being met.
  • In the future, cloud computing will not be efficient and economical if we do not harmonize legislation, have globally recognized standards, and operate in real-time.
  • The previous 3 projects are integrated into a suite of tools you can use. Several key solution providers announced their support for these tools at the RSA 2011 conference, and a large number of enterprises already use these tools for cloud vendor management.
  • Do visit the website. Do join the LinkedIn Groups; you will receive regular email updates.

Presentation Transcript

  • Not So Cloudy: Assurances to use the Cloud. Phil Agcaoili, CISO, Cox Communications; Founding Member, Cloud Security Alliance; Co-founder & co-author, CSA Cloud Controls Matrix (CCM) and GRC Stack
  • To the Cloud: Key Risks and Security Concerns
  • Cloud Computing Security: Largest Barrier to Adoption
  • Key Cloud Security Problems of Today
    • From CSA Top Threats Research:
      • Trust: lack of Provider transparency impacts Governance, Risk Management and Compliance
      • Data: Leakage, Loss or Storage in unfriendly geography
      • Insecure Cloud software
      • Malicious use of Cloud services
      • Account/Service Hijacking
      • Malicious Insiders
      • Cloud-specific attacks
  • Key Problems of Tomorrow
    • Globally incompatible legislation and policy
    • Non-standard Private & Public clouds
    • Lack of continuous Risk Management and Compliance monitoring
    • Incomplete Identity Management implementations
    • Haphazard response to security incidents
  • Current Assurance Demands Do Not Scale
    • Customers:
    • Reinvent the security wheel for each Cloud Provider
    • Construct detailed and custom questionnaires
      • Pre-sales
      • Post-sales
    • Cloud Providers:
    • Answer lengthy and unique questionnaires from every potential customer
      • Disregard/address
      • Larger Cloud Providers ignore questionnaires
    • Right to Audit
  • Basic Question Everyone is Asking: Is it safe to put my data in this Cloud?
  • Cloud Computing Security Industry Initiatives
    • Open Cloud Manifesto (http://www.opencloudmanifesto.org/)
      • Making the case for an Open Cloud
    • Jericho Forum (http://www.opengroup.org/jericho/)
      • Cloud Cube Model: Recommendations & (Security) Evaluation Framework
    • NIST Cloud Computing Program (http://www.nist.gov/itl/cloud/index.cfm)
      • Cloud Security Guidelines
    • Cloud Security Alliance (http://www.cloudsecurityalliance.org/)
      • Promoting Best Security Practices for the Cloud
    Marcus J. Ranum on Cloud Computing Security (video)
  • Cloud Controls Matrix (CCM)
  • The Cloud Controls Matrix addresses these challenges
    • Who is responsible? (Tenant, IaaS, PaaS, SaaS)
    • How do you measure risk?
    • How do you effectively decouple information intrinsic in infrastructure and applications?
    • How do you satisfy regulators?
    • How do you assure shareholders that the Cloud is a stable platform to conduct business?
    Controls frameworks are the foundation of most attestation methodologies
  • Cloud Controls Matrix
    • V1.1 Released Dec 2010
    • Each control rated as applicable to SaaS, PaaS and/or IaaS (S-P-I), with Cloud Provider / Tenant delineation
    • Controls baselined and mapped to:
      • COBIT
      • HIPAA / HITECH Act
      • ISO/IEC 27001:2005
      • NIST SP 800-53
      • FedRAMP
      • PCI DSS v2.0
      • BITS Shared Assessments
      • GAPP
    • Leadership Team
    • Phil Agcaoili – Cox Communications
    • Becky Swain – Cisco Systems, Inc.
    • Marlin Pohlman – EMC, RSA
    • Kip Boyle – CSA
    www.cloudsecurityalliance.org/cm
  • Cloud Controls Matrix Global Industry Contribution
    • Kyle Lai – KLC Consulting, Inc.
    • Larry Harvey – Cisco Systems, Inc.
    • Laura Kuiper – Cisco Systems, Inc.
    • Lisa Peterson – Progressive Insurance
    • Lloyd Wilkerson – Robert Half International
    • Marcelo Gonzalez – Banco Central Republica Argentina
    • Mark Lobel – PricewaterhouseCoopers LLP
    • Meenu Gupta – Mittal Technologies
    • Mike Craigue, Ph.D. – Dell
    • MS Prasad – Exec Dir, CSA India
    • Niall Browne – LiveOps
    • Patrick Sullivan
    • Patty Williams – Symetra Financial
    • Paul Stephen – Ernst and Young LLP
    • Phil Genever-Watling – Dell
    • Philip Richardson – Logicalis UK Ltd
    • Pritam Bankar – Infosys Technologies Ltd.
    • Ramesan Ramani – Paramount Computer Systems
    • Steve Primost
    • Taiye Lambo – eFortresses, Inc.
    • Tajeshwar Singh
    • Thej Mehta – KPMG LLP
    • Thomas Loczewski – Ernst and Young GmbH, Germany
    • Vincent Samuel – KPMG LLP
    • Yves Le Roux – CA Technologies
    • HISPI membership (Release ISO Review Body)
    • Adalberto Afonso A Navarro F do Valle – Deloitte LLP
    • Addison Lawrence – Dell
    • Akira Shibata – NTT DATA Corp
    • Andy Dancer
    • Anna Tang – Cisco Systems, Inc.
    • April Battle – MITRE
    • Chandrasekar Umpathy – Symphony Services Ltd
    • Chris Brenton – Dell
    • Dale Pound – SAIC
    • Daniel Philpott – Tantus Technologies
    • Dr. Anton Chuvakin – Security Warrior Consulting
    • Elizabeth Ann Wickham – L47 Consulting Limited
    • Gary Sheehan – Advanced Server Mgmt Group, Inc.
    • Georg Heß
    • Georges Ataya – Solvay Brussels School of Economics & Mgmt
    • Glen Jones – Cisco Systems, Inc.
    • Greg Zimmerman – Jefferson Wells
    • Guy Bejerano – LivePerson
    • Henry Ojo – Kamhen Services Ltd
    • Jakob Holm Hansen – Neupart A/S
    • Joel Cort – Xerox Corporation
    • John DiMaria – HISPI
    • John Sapp – McKesson Healthcare, HISPI
    • Joshua Schmidt – Vertafore, Inc.
    • Karthik Amrutesh – Ernst and Young LLP
    • Kelvin Arcelay – Arcelay & Associates
  • Consensus Assessment Initiative
    • Questions for shared assessments of Cloud Providers
    • Lightweight “common assessment criteria” concept
    • Integrated with Cloud Controls Matrix (CCM)
    • Ver 1 CAI Questionnaire (CAIQ) released Oct 2010
      • 148 questions
      • Identifies presence of security controls or practices
    www.cloudsecurityalliance.org/cai
  • Consensus Assessment Initiative Team
    • Contributors
    • Matthew Becker – Bank of America
    • Aaron Benson – Novell
    • Ken Biery – Verizon Business
    • Kristopher Fador – Bank of America
    • David Gochenaur – Aon Corporation
    • Jesus Molina – Fujitsu
    • John Nootens – AMA Association
    • Hemma Prafullchandra – Hytrust
    • Gorka Sadowski – Log Logic
    • Richard Schimmel – Bank of America
    • Patrick Vowles – RSA
    • Kenneth Zoline – IBM
    • Leaders
    • Laura Posey – Microsoft
    • Jason Witty – Bank of America
    • Marlin Pohlman – EMC, RSA
    • Earle Humphreys – ITEEx
    • Editor
    • Christofer Hoff – Cisco
  • CloudAudit
    • Provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments
    • Allow authorized consumers of services to do likewise via an open, extensible and secure interface and methodology.
    • Aligned to CSA Cloud Controls Matrix (CCM)
    • Incorporates CSA CAIQ and additional CompliancePacks
    • Expands alignment to “infrastructure” and “operations”-centric views
    http://cloudaudit.org
  • CloudAudit Sample Implementation – CSA Compliance Pack
  • CSA GRC Stack
  • CSA Governance, Risk, and Compliance (CSA GRC) Stack
    • Suite of tools, best practices and enabling technology
    • Consolidate industry research & simplify GRC in the cloud
    • For cloud providers, enterprises, solution providers and audit/compliance
    • Simplifies customer and cloud provider attestation to accelerate cloud adoption
      • Common language to report security and compliance
      • Common lexicon for communication between tiers of service
      • Common ontology for reasoning about providers
    • https://cloudsecurityalliance.org/grc-stack
    [Diagram: Control Requirements → Provider Assertions → Private & Public Clouds]
  • CSA GRC Stack Industry Collaboration & Support
    • International Organization for Standards (ISO)
      • ISO/IEC JTC 1 SC 27 (“SC 27”) WG 1, 4 and 5 in Study Period in the area of Cloud Computing Security and Privacy
    • National Institute of Standards and Technology (NIST)
      • Consolidated feedback on Federal Risk and Authorization Management Program (FedRAMP)
    • European Network and Information Security Agency (ENISA)
    • Common Assurance Maturity Model (CAMM)
    • American Institute of Certified Public Accountants (AICPA)
      • Statement on Standards for Attestation Engagements (SSAE) No. 16 SOC 2 – Service Organization Controls over Security, Confidentiality, Processing Integrity, Availability, and Privacy
        • Next generation SAS 70 Type I and II attestation
    • Inverse Control Framework Mappings
      • Unified Compliance Framework (UCF)
      • Payment Card Industry (PCI) DSS
      • Health Information Trust Alliance (HITRUST)
      • Information Systems Audit and Control Association (ISACA) COBIT
      • BITS Shared Assessments SIG/AUP + TG Participation
      • Information Security Forum (ISF)
  • philA’s Approach to Using the CSA GRC Stack
    • Pre-sales - Use CAI Questionnaire
    • Contracts (MSA) – Attach CAIQ + CCM
    • Post Sales Assurance and Continuous Compliance – Use CloudAudit to verify contract and pre-sales assertions
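The two slides above (the CCM's S-P-I applicability and Provider/Tenant delineation, and the pre-sales / contract / post-sales workflow) describe a process rather than a tool. The following is an added example, not code from the presentation or from the Cloud Security Alliance, that models that process in Python: a handful of constructed CCM-shaped control rows (the IDs, ratings and framework mappings are made up, not real CCM v1.1 rows), a constructed set of yes/no CAIQ-style answers (real CAIQ questions map many-to-one onto controls), and a constructed dictionary standing in for machine-readable CloudAudit assertions (the real CloudAudit namespace layout is not reproduced). It shows what the slides leave implicit: which controls a provider actually has to answer for under a given service model, how one answer set is reused to report against several frameworks, and how post-sales assertions are checked against what was promised in the contract.

```python
from dataclasses import dataclass
from datetime import date

SERVICE_MODELS = ("SaaS", "PaaS", "IaaS")   # the S-P-I delineation from the CCM slide


@dataclass(frozen=True)
class Control:
    control_id: str        # constructed sample ID, not a real CCM v1.1 row
    domain: str
    applies_to: frozenset  # service models the control is rated applicable to
    responsibility: str    # who owns the control: "provider", "tenant" or "shared"
    mappings: tuple        # framework references the control is baselined against


# Constructed sample rows in the shape of the CCM; every value here is illustrative.
SAMPLE_CCM = (
    Control("CO-01", "Compliance", frozenset(SERVICE_MODELS), "shared",
            ("ISO27001 A.15.3", "PCI-DSS 12.1")),
    Control("DG-01", "Data Governance", frozenset(SERVICE_MODELS), "tenant",
            ("ISO27001 A.7.1", "HIPAA 164.308")),
    Control("FS-01", "Facility Security", frozenset(SERVICE_MODELS), "provider",
            ("ISO27001 A.9.1", "PCI-DSS 9.1")),
    Control("IS-01", "Information Security", frozenset(SERVICE_MODELS), "shared",
            ("ISO27001 A.5.1", "NIST-800-53 PL-1")),
    Control("IS-02", "Information Security", frozenset({"PaaS", "IaaS"}), "tenant",
            ("ISO27001 A.10.4", "PCI-DSS 5.1")),
    Control("OP-01", "Operations Management", frozenset({"SaaS", "PaaS"}), "provider",
            ("ISO27001 A.10.1", "NIST-800-53 CM-1")),
    Control("SA-01", "Security Architecture", frozenset(SERVICE_MODELS), "provider",
            ("ISO27001 A.11.4", "PCI-DSS 1.1")),
)


def provider_scope(ccm, service_model):
    """Controls the provider must answer for under this service model (provider or shared)."""
    return [c for c in ccm
            if service_model in c.applies_to and c.responsibility in ("provider", "shared")]


def caiq_gaps(ccm, service_model, answers):
    """Pre-sales: in-scope controls the CAIQ-style answers do not affirm ("no" or unanswered)."""
    return [c.control_id for c in provider_scope(ccm, service_model)
            if answers.get(c.control_id) != "yes"]


def framework_coverage(ccm, service_model, answers, framework):
    """Share of in-scope controls mapped to `framework` that the answers satisfy.

    This is the point of the CCM's framework mappings: one answer set is reused to
    report against each regulator's framework instead of re-answering per framework.
    """
    mapped = [c for c in provider_scope(ccm, service_model)
              if any(m.startswith(framework) for m in c.mappings)]
    if not mapped:
        return 0.0
    satisfied = sum(1 for c in mapped if answers.get(c.control_id) == "yes")
    return satisfied / len(mapped)


def verify_assertions(contract_answers, assertions, as_of, max_age_days=90):
    """Post-sales: compare contract-attached answers with current published assertions.

    Returns a dict of control ID -> finding for every control that was promised ("yes")
    but is now missing, failing, or backed by evidence older than max_age_days.
    """
    findings = {}
    for control_id, promised in contract_answers.items():
        if promised != "yes":
            continue                      # nothing was promised for this control
        current = assertions.get(control_id)
        if current is None:
            findings[control_id] = "no assertion published"
        elif current["status"] != "pass":
            findings[control_id] = f"assertion status {current['status']}"
        elif (as_of - current["evidence_date"]).days > max_age_days:
            findings[control_id] = "evidence stale"
    return findings


# Constructed sample data: pre-sales answers, the same answers attached to the contract,
# and what the provider's assertion feed says a few months later.
PRESALES_CAIQ = {"CO-01": "yes", "FS-01": "yes", "IS-01": "yes", "OP-01": "no", "SA-01": "yes"}
CONTRACT_CAIQ = dict(PRESALES_CAIQ)
SAMPLE_ASSERTIONS = {
    "CO-01": {"status": "pass", "evidence_date": date(2011, 3, 1)},
    "FS-01": {"status": "pass", "evidence_date": date(2010, 10, 1)},   # old evidence
    "IS-01": {"status": "fail", "evidence_date": date(2011, 3, 1)},
    # SA-01 was promised in the contract but no assertion is published for it
}
AS_OF = date(2011, 4, 1)


def main():
    for model in SERVICE_MODELS:
        print(f"{model}: pre-sales gaps {caiq_gaps(SAMPLE_CCM, model, PRESALES_CAIQ)}")
    print("SaaS PCI-DSS coverage:", framework_coverage(SAMPLE_CCM, "SaaS", PRESALES_CAIQ, "PCI-DSS"))
    for control_id, finding in verify_assertions(CONTRACT_CAIQ, SAMPLE_ASSERTIONS, AS_OF).items():
        print(f"post-sales drift on {control_id}: {finding}")


if __name__ == "__main__":
    main()
```

The staleness threshold is what turns a one-off audit into continuous compliance: an assertion that passed at contract time but whose evidence date stops advancing is reported just like a failing one, which is the kind of drift a right-to-audit clause alone would never surface between audits.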
  • Other Practical Risk Management Strategies for Cloud Computing
    • Adopt, and demand the use of, good industry practices
      • CSA GRC Stack
    • Risk assessments
    • Contract terms
    • Service Level Agreement (SLA)
    • Multi-Sourcing
      • Parallel in-house service
      • Several compatible suppliers
    • More to come… the market is still evolving.
  • About the Cloud Security Alliance
    • Global, not-for-profit organization
    • Almost 20,000 individual members, 80 corporate members
    • Building best practices and a trusted cloud ecosystem
    • Agile philosophy, rapid development of applied research
      • GRC: Balance compliance with risk management
      • Reference models: build using existing standards
      • Identity: a key foundation of a functioning cloud economy
      • Champion interoperability
      • Advocacy of prudent public policy
    • “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
    About the Cloud Security Alliance
    • Help us secure cloud computing
    • Web: www.cloudsecurityalliance.org
    • Email: info@cloudsecurityalliance.org
    • LinkedIn: www.linkedin.com/groups?gid=1864210
    • Twitter: @cloudsa
    • Email: [email_address]
    • Twitter: @HackSec
    Questions & Answers