CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to the Cloud and CSA Research


  1. Atlanta Chapter Joint Meeting, May 29, 2014
  2. Agenda
     • Key Trust Issues in the Cloud
     • CSA Research Roadmap
     • 30 Minutes Later…
     All materials were created by the CSA and used by philA.
  3. Key Trust Issues in the Cloud
     © 2014, Cloud Security Alliance.
  4. Key Trust Issues in Cloud
     • Incomplete standards
     • Evolving towards true multi-tenant technologies & architecture, e.g. Identity Brokering
     • Risk Concentration
     • Incompatible laws across jurisdictions
     • Lack of transparency & visibility from providers and government
  6. The Government Trust Issue
  7. US Patriot Act
     • USA Patriot Act of 2001 (reauthorized in 2006 & 2011)
     • Not a new law; a series of amendments to existing laws related to surveillance, investigation and prosecution of terrorism (Foreign Intelligence Surveillance Act)
     • Most requests for information follow subpoenas/warrants, but records may be sealed
     • Most countries have laws permitting disclosure of user info without user consent related to foreign intelligence and national security
     • Not clear whether the interpretation of Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA) followed legislative intent
  8. Meet philA
     Hello, I’m a data guy… I’m with the Ponemon Institute. You know, you quote us all of the time:
     • Annual Cost of Data Breach
     • Annual Cost of Cybercrime
     • Annual Most Trusted Companies for Privacy
  9. CSA Government Access to Information Survey
     • Conducted online from June 25, 2013 to July 9, 2013
     • 456 responses
       • 234 from United States of America
       • 138 from Europe
       • 36 from Asia Pacific
     • Many long, long open-ended responses
     https://cloudsecurityalliance.org/wp-content/uploads/2013/07/CSA-govt-access-survey-July-2013.pdf
  10. Using US Cloud Providers
     • Survey Question (for non-US residents only): Does the Snowden Incident make your company more or less likely to use US-based cloud providers? (207 respondents)
       • 56% less likely to use US-based cloud providers
       • 31% no impact on usage of US-based cloud providers
       • 10% cancelled a project to use US-based cloud providers
       • 3% more likely to use US-based cloud providers
  11. Using US Cloud Providers
     • Survey Question (for US residents only): Does the Snowden Incident make it more difficult for your company to conduct business outside of the US? (220)
       • 36% Yes
       • 64% No
  12. Transparency of Government Access
     • Survey Question (for all respondents): How would you rate your country's processes to obtain user information for the purpose of criminal and terrorist investigations? (440)
       • 47% Poor, there is no transparency in the process
       • 32% Fair, there is some public information about the process and some instances of its usage
       • 11% Unknown, I do not have enough information to make an informed judgment
       • 10% Excellent, the process is well documented
  13. Opinion of Patriot Act
     • Survey Question (for all respondents): If you have concerns about this recent news, which of the following actions do you think would be the best course to mitigate concerns? (423)
       • 41% The Patriot Act should be repealed in its entirety.
       • 45% The Patriot Act should be modified to tighten the oversight of permitted activities and to provide greater transparency as to how often it is enacted.
       • 13% The Patriot Act is fine as is.
  14. Publishing FISA Requests
     • Survey Question (for all respondents): Should companies who have been subpoenaed through provisions of the Patriot Act, such as FISA (Foreign Intelligence Surveillance Act), be able to publish summary information about the amount of responses they have made? (438)
       • 91% Yes
       • 9% No
  15. Balancing Safety and Privacy
     “…Living in this kind of democracy, we’re going to have to be a little less effective in order to be a little more transparent to get to do anything to defend the American people.”
     Michael Hayden, former Director of CIA and NSA
  16. Important Considerations for Enterprises and Public Policy
     • Transparency of actors
     • Metadata is important
     • Data minimization principles
  17. Industry Transparency Example
     • User data requests from law enforcement according to Google, Jul – Dec 2012, from http://www.google.com/transparencyreport/governmentrequests/
       • France: 1,693 requests, responded to 44%
       • Germany: 1,550 requests, responded to 42%
       • India: 2,431 requests, responded to 66%
       • Singapore: 96 requests, responded to 75%
       • US: 8,438 requests, responded to 88%
       • UK: 1,458 requests, responded to 70%
  18. Can Providers be Transparent about National Security Issues?
     “…ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.”
     David Drummond, Chief Legal Counsel, Google
  19. EFF - Who Has Your Back? 2014
  20. CSA Transparency Example: STAR
     • CSA STAR (Security, Trust and Assurance Registry)
     • Public Registry of Cloud Provider self-assessments
     • Based on CSA best practices (CCM or CAIQ)
     • Voluntary industry action promoting transparency
     • Security as a market differentiator
     • www.cloudsecurityalliance.org/star
     • STAR – Demand it from your providers!
  21. CSA STAR: Read and Compare
     DG 4.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
     • Amazon AWS: AWS errs on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis.
     • Box.net: Box does have documented procedures for responding to requests for tenant data from governments and third parties.
     • SHI: Customer responsibility. SHI has no direct access, so requests for data through third parties will be responded to by the customer themselves; however, SHI can sanitize and delete customer data upon migration from the cloud.
     • Verizon/Terremark: Yes
  22. What is the Future of Assurance in the Global Compute Utility?
     • Traditional Auditing and Certification activities
     • Harmonized disparate requirements versus a single global standard
       • Example - NIST CSF for cyber security
     • Continuous Monitoring
     • Community Policing via Transparency
     • Privacy emphasis
  23. What global dialogue is needed?
     • Government
       • Do we treat foreigners differently than citizens?
       • Aligning with global standards for assurance
     • Industry
       • Build the technology to make policy moot
     • Enterprise
       • A time to engage
       • Demand accountability from policy makers & providers
       • Protect your data and metadata
     • For All: Demand Transparency & Minimization Principles
  24. I’m not going to keep you much longer
     It’s 30 minutes already. But…
  25. CSA Research Roadmap
  26. CSA Research Portfolio
     • Our research includes fundamental projects needed to define and implement trust within the future of information technology
     • CSA continues to be aggressive in producing critical research, education and tools
     • 30+ Active Global Work Groups
     © 2013, Cloud Security Alliance.
  28. Security Guidance for Critical Areas of Cloud Computing
     • The CSA guidance, as it enters its third edition, seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.
     • The Security Guidance V.3 will serve as the gateway to emerging standards being developed in the world’s standards organizations and is designed to serve as an executive-level primer to any organization seeking a secure, stable transition to hosting their business operations in the cloud.
     • Research and Activities for 2013 - 2014
       • Security Guidance for Critical Areas of Cloud Computing V.4 – Q1 2014 (Planning)
       • Publish V.4 – Q4 2014/Q1 2015
  29. GRC Stack (www.cloudsecurityalliance.org)
     • GRC Stack: family of 4 research projects
       • Cloud Controls Matrix (CCM)
       • Consensus Assessments Initiative (CAI)
       • Cloud Audit
       • Cloud Trust Protocol (CTP)
     • Impact to the Industry
       • Developed tools for governance, risk and compliance management in the cloud
       • Technical pilots
       • Provider certification through STAR program
     Diagram labels: Control Requirements; Provider Assertions; Private, Community & Public Clouds
  30. Cloud Control Matrix Working Group
     • The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
     • Research and Activities for 2013 – 2014
       • CCM V.3 – Q3 2013
       • Internet2 Net+ Initiative Mappings (Higher Education) – Q2 2013
       • AICPA Trust Service Principles Mapping – Q4 2013
       • ENISA Information Assurance Framework Mapping – Q4 2013
       • ODCA Mapping – Q4 2013
       • German BSI Mapping – Q4 2013
       • NZISM Mapping – Q4 2013
       • Unified Compliance Framework Mapping – TBD
       • Control Area Gap Analysis – Q4 2013
       • COBIT 5 Mapping – Q1 2014
       • NIST SP 800-53 Rev 4 – Q4 2013
       • Slovenian Information Commissioner on Privacy Guidance for Cloud Computing Mapping – Q1 2014
  31. Consensus Assessment Initiative
     • Lack of security control transparency is a leading inhibitor to the adoption of cloud services. The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.
     • We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners.
     • Research and Activities for 2013 – 2014
       • CAIQ V.3 – Q4 2013
  32. Cloud Audit
     • The goal of CloudAudit is to provide a common interface and namespace that allows enterprises who are interested in streamlining their audit processes (cloud or otherwise), as well as cloud computing providers, to automate the Audit, Assertion, Assessment, and Assurance of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments, and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.
     • Research and Activities for 2013 – 2014
       • Create CCM V.3 Database – Q4 2013
       • Automate Change-adds through DB Version of CCM – Q1 2014
       • Update Notification Functionality – Q2 2014
  33. Cloud Trust Protocol Working Group
     • The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as “cloud users” or “cloud service owners”) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, …, and nothing else.
     • Research and Activities for 2013 – 2014
       • API Interface Definition – Q3 2013
       • Prototype – Q4 2013
       • Trust Model – Q1 2014
       • Pilot – Q2 2014
  34. CSA Enterprise Architecture (aka Trusted Cloud Initiative)
     • To promote research, development, and education of best practices and methodologies around a reference architecture for a secure and trusted cloud.
     • Research and Activities for 2013 – 2014
       • Develop a Use-Case for the Network Container, to define more context about Polymorphic Malware Prevention – Q4 2013
       • Develop a Use-Case around Behavioral Monitoring – Q4 2013
       • KRI and KPI Development for CSA Reference Architecture Interactive Site – Q4 2013
       • Case Study Webinars (CloudBytes Sessions) – Q4 2013
  35. Top Threats Working Group
     • The purpose of this document, Top Threats to Cloud Computing, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to Security Guidance for Critical Areas in Cloud Computing.
     • Research and Activities for 2013 – 2014
       • Top Threats to Cloud Computing Survey – Q1 2014
       • Top Threats to Cloud Computing V.4 – Q2 2014
       • Full featured Interact Change Method for Top Threats – Q3 2014
  36. Cloud Vulnerabilities Working Group
     • The CSA Cloud Vulnerabilities Working Group is a global working group chartered to conduct research in the area of cloud computing vulnerabilities, with the goals of understanding and educating on the classification and exact causes of cloud computing vulnerabilities, recommendations and best practices for the reduction of top vulnerabilities, reporting of vulnerabilities, and the development of related tools and standards.
     • Research and Activities for 2013 – 2014
       • Publish Cloud Vulnerabilities White Paper – Q2 2013
       • Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data – Q1 2014
       • Creation of a cloud vulnerability feed documentation mechanism/format/protocol – Q2 2014
       • Portal established for cloud vulnerability reporting and tools – Q4 2014
  37. Security as a Service
     • Research for gaining greater understanding of how to deliver security solutions via cloud models.
     • Information Security Industry Re-invented
       • Identify Ten Categories within SecaaS
       • Implementation Guidance for each SecaaS Category
       • Align with international standards and other CSA research
     • Industry Impact
       • Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3
  38. Security as a Service Working Group
     • The purpose of this research will be to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service, and to provide guidance to organizations on reasonable implementation practices. Other research purposes will be identified by the working group.
     • Research and Activities for 2013 – 2014
       • Defined SecaaS Framework (Defined Categories of Service V.2) – Q4 2013
       • Implementation Guidance Documents V.2 – Q1 2014 (Start Planning)
  39. Smart Mobile
     • Mobile
       • Securing application stores and other public entities deploying software to mobile devices
       • Analysis of mobile security capabilities and features of key mobile operating systems
       • Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
       • Guidelines for the mobile device security framework and mobile cloud architectures
       • Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
       • Best practices for secure mobile application development
  40. Mobile Working Group
     • Mobile computing is experiencing tremendous growth and adoption, while the devices are gaining significant power and dynamic capabilities. Personally owned mobile devices are increasingly being used to access employers’ systems and cloud-hosted data, both via browser-based and native mobile applications. Clouds of mobile devices are likely to be common. The CSA Mobile working group will be responsible for providing fundamental research to help secure mobile endpoint computing from a cloud-centric vantage point.
     • Research and Activities for 2013 – 2014
       • BYOD Policy Guidance – Q3/Q4 2013
       • Mobile Authentication Management – Q3/Q4 2013
       • Mobile Application Security Guidance – Q3/Q4 2013
       • Mobile Device Management – Q3/Q4 2013
       • Mobile Maturity v2 Report – Q4 2013
       • Mobile Security Guidance V.2 – Q4 2013
  41. Big Data Working Group
     • Big Data
       • Identifying scalable techniques for data-centric security and privacy problems
       • Lead to crystallization of best practices for security and privacy in big data
       • Help industry and government on adoption of best practices
       • Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards
       • Accelerate the adoption of novel research aimed to address security and privacy issues
  42. Big Data Working Group
     • The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems. BDWG’s investigation is expected to lead to crystallization of best practices for security and privacy in big data, help industry and government on adoption of best practices, establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards, and accelerate the adoption of novel research aimed to address security and privacy issues.
     • Research and Activities for 2013 – 2014
       • Expanded Top 10 Big Data Security and Privacy Concerns – Q3 2013
       • Big Data Analytics for Security Intelligence – Q3 2013
       • Big Data Framework and Taxonomy White Paper – Q4 2013
       • Big Data Cryptography Report – Q4 2013/Q1 2014
       • Big Data Policy and Governance Position Paper - TBD
       • Cloud Infrastructures' Attack Surface Analysis and Reduction Position Paper - TBD
  43. Cloud Data Governance Working Group
     • Cloud Computing marks the decrease in emphasis on 'systems' and the increase in emphasis on 'data'. With this trend, Cloud Computing stakeholders need to be aware of the best practices for governing and operating data and information in the Cloud.
     • Research and Activities for 2013 – 2014
       • Data Governance across International Borders – Q1 2014
       • Data Tracking and Logging Standard – Q2 2014
  44. Incident Management & Forensics Working Group
     • The Working Group serves as a focal point for the examination of incident handling and forensics in cloud environments. We seek to develop best practices that consider the legal, technical, and procedural elements involved in responding in a forensically sound way to security incidents in the cloud.
     • Research and Activities for 2013 – 2014
       • Publish “Provider Forensic Support in Public Multi-Tenant Cloud Environments” – Q3 2013
       • Developing a capability maturity model (CMM) for IncM and Forensics in Cloud Environments – Q4 2013
       • Conduct first workshop on IncM & Forensics Roadmap for the Cloud. The roadmap is intended to standardize forensic techniques in cooperation with cloud providers so that quality of evidence is assured and defensible.
       • Survey of cloud users to determine pain points and variation of techniques and workarounds used by consumers. The goal is to define the problem space more clearly.
       • The WG works with CAI and CCM to create a common language and set of expectations around this domain.
  45. Virtualization Working Group
     • The CSA Virtualization Working Group is chartered to lead research into the combined virtualized operating system and SDN technologies. The group should build upon existing Domain 13 research and provide more detailed guidance as to threats, architecture, hardening and recommended best practices.
     • Research and Activities for 2013 – 2014
       • Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing – Q1 2014
  46. Telecom Working Group
     • The Telecom Working Group (TWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how to deliver secure cloud solutions and foster cloud awareness within all aspects of Telecommunications.
     • Research and Activities for 2013 - 2014
       • Next Generation SIEM White Paper – Q3 2013
       • IPv6 Research – In Progress
       • Continued advisory role for the Telecom Industry
  47. Health Information Management Working Group
     • The Health Information Management Working Group (HIWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and to foster cloud awareness within all aspects of healthcare and related industries.
     • Research and Activities for 2013 – 2014
       • Business Associate Agreement Policy Guidance – Q2 2014
       • Updated HIPAA HiTech Mapping for V.3 – Q1 2014
       • HIPAA Omnibus Rule Education – Q3 2013
  48. Small to Medium Sized Business (SMB) Working Group
     • This working group will focus on providing tailored guidance to small business, will cooperate with other working groups where appropriate, and will help cloud providers understand small business requirements.
     • Research and Activities for 2013 – 2014
       • Organize a series of workshops to discuss small business cloud requirements and perception of current cloud alliance guidance – Q3/Q4 2013
       • Analyze existing Cloud Security Alliance workgroups and identify where small business related input is required - TBD
       • Produce small business guidance document, draft version - TBD
       • Produce requirements and recommendations to other Cloud Security Alliance workgroups - TBD
  49. Service Level Agreement Working Group
     • Service Level Agreements (SLAs) are a component in most cloud service terms and contracts. However, there is a consensus that customers and providers alike have questions about what constitutes an SLA, the sufficiency and adequacy of SLAs, and their management. The Cloud Security Alliance SLA Working Group (SLA WG), in an effort to provide clarity to the subject of SLAs, has developed guidance in the following areas:
       • What are the components of an SLA?
       • What role does the SLA play for CSP and CSU?
       • Can we define an SLA Taxonomy?
       • What is the status of SLAs today?
       • SLA myths, challenges and obstacles?
       • SLA Guidance and Recommendations
     • Research and Activities for 2013 – 2014
       • Cloud SLA Guidance – Q4 2013/Q1 2014
  50. Privacy Level Agreement Working Group
     • This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially where trans-border data flow is concerned.
     • A Privacy Level Agreement (PLA) has twofold objectives:
       • Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection.
       • Offer contractual protection against possible economic damages due to lack of compliance or commitment of the CSP with privacy and data protection regulation.
     • Research and Activities for 2013 – 2014
       • Phase 2 - Gap Analysis - Cover Requirements outside of Europe (Global PLA) – Q4 2013/Q1 2014
       • Seal or Privacy Certification - Assess Need – Q1 2014
  51. Financial Working Group
     • The Financial Working Group (FWG) will be identifying challenges, risks and best practices for the development, deployment and management of secure cloud services in the financial industry.
     • FWG’s investigation is expected to lead to the following goals:
       • Identifying the industry’s main concerns regarding cloud services in their sector
       • Help industry on adoption of best practices
       • Establish liaisons with regulatory bodies in order to foster the development of suitable regulations
       • Accelerate the adoption of secure cloud services in the financial industry
       • Research proposals for funding
     • Research and Activities for 2013 – 2014
       • Develop guidelines and recommendations for the delivery and management of cloud services in the F&B sector – QX 2014
  52. 52. Open Certification Framework • The CSA Open Certification Framework provides: • A path for any region to address compliance concerns with trusted, global best practices. For example, we expect governments to be heavy adopters of the CSA Open Certification Framework to layer their own unique requirements on top of the GRC Stack and provide agile certification of public sector cloud usage. • An explicit guidance for providers on how to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM). • A "recognition scheme" that would allow us to support ISO, AICPA and potentially others that incorporate CSA IP inside of their certifications/framework. CSA supports certify-once, use-often, where possible. • Research and Activities for 2013 – 2014 • STAR Certification Manual – Q3 2013 • STAR Attestation Manual – Q3 2013 • STAR Certification Auditor Accreditation – Q3 2013 • STAR Attestation Auditor Accreditation – Q4 2013 • OCF Cost Analysis – Q4 2013 • OCF Certification Launch – Q4 2013 © 2013, Cloud Security Alliance.52
  53. 53. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance The OCF structure •The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.
  54. 54. ISACA Collaboration Project • A collaborative project by ISACA and CSA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing and will help identify any changes in the market. The report, released today, provides detailed insight on the adoption of cloud services among all levels within today’s global enterprises and businesses, including the C-suite. • Research and Activities for 2013 – 2014 • Cloud Market Maturity Survey – Q3 2013 • Cloud Market Maturity Study Results – Q4 2013 © 2013, Cloud Security Alliance.54
  55. 55. Internet2 Collaboration Project • A team of 30 CIOs, CISOs, and other executives from Internet2’s membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements. • Research and Activities for 2013 – 2014 • Net+ Initiative CCM V1.4 – Q3 2013 • Net+ Initiative CCM V3.0 – Q1 2014 © 2013, Cloud Security Alliance.55
  56. 56. CSA APAC • Incorporated and based in Singapore • Planned establishment of HQ in Singapore • Supported by key Singaporean ministries, led by Infocomm Development Authority • IDA support for research and standards functions • Also private/public partnerships with gov’ts of Thailand and Hong Kong • CSA chapters throughout APAC 56 © 2014, Cloud Security Alliance.
  57. 57. Regional APAC Research • Research in the APAC region reflects the rapid growth of the cloud market in the region and the demand for security assurances among our member countries • Research and Activities for 2013 – 2014 • New Zealand MBIE Funding – Q4 2013 • CSA Research Journal – Q3 2014 • Singapore Standard for Virtualization – TBD • Salary Survey of Cloud Professionals –TBD • Joint Interpol Project – TBD • Survey of Reg Requirements for going to the Cloud in Asia - TBD © 2013, Cloud Security Alliance.57
  58. 58. CSA Europe • Incorporated in UK • Base of operations in Heraklion, Greece • Staffed by noted experts from key EU institutions • Managing director an alumnus of ENISA (European Network Information Security Agency) • Received funding grants for 4 research projects by European Commission in 2012 • FP7 Projects 58 © 2014, Cloud Security Alliance.
  59. 59. FP7 Projects • Incorporated in UK • Base of operations in Helsinki, Finland • Staffed by noted experts from key EU institutions • Managing director an alumnus of ENISA (European Network Information Security Agency) • Received funding grants for 4 research projects by European Commission in 2012 © 2013, Cloud Security Alliance.59
  60. 60. Global University Cloud Research Consortium • This academic group will be focusing on research collaborations, university-to- university exchanges, university- industry collaborations adjunct professorships, visiting researchers/professors, and will also organize and administer funding applications. • Research and Activities for 2013 – 2014 • Planning in Progress © 2013, Cloud Security Alliance.60
  61. 61. Enterprise User Council • The Cloud Security Alliance (CSA) Enterprise User Council was started to provide a balance of power between cloud providers and enterprise users in a world of cloud services, big data, and mobile computing advancements has made its biggest leap into businesses. Our long term goal is to understand the biggest problems facing enterprises and help solve these issues. The CSA Enterprise User Council will represent businesses on these issues externally and abroad. • Research and Activities for 2013 – 2014 • Planning in Progress © 2013, Cloud Security Alliance.61
  62. 62. CCSK – User Certification Certificate of Cloud Security Knowledge (CCSK) Benchmark of cloud security competency Online web-based examination www.cloudsecurityalliance.org/certifym e Training partnerships Developing new curriculum for audit, software development and architecture 62 © 2014, Cloud Security Alliance.
  63. 63. Copyright © 2012 loud Security Alliance CSA Open Certification Framework • Leverage CSA STAR Infrastructure to create national, local or industry-specific provider certifications • Allows governments, certification bodies and industry consortia to create certifications addressing specific requirements without developing complete & proprietary bodies of knowledge • Leverage existing certification/attestation regimes • 2013 Open Certification • ISO 27001 Certification based upon CSA CCM (partnered with British Standards Institution) • SOC-2 Audit Attestation Reporting based upon CSA CCM (partnered with AICPA) • Branded as CSA STAR Certification – the gold standard for cloud provider certification 63
  64. International Standardization Council
      • Engage international standards bodies on behalf of CSA
      • Propose key CSA research for standardization
      • Liaison relationship with ITU-T
      • Category A liaison with ISO/IEC SC27 & SC38
      • Tracking key SDOs for 2013
        • DMTF
        • IEEE
        • IETF
        • CCSA
        • RAISE
  65. Q3 2013 RESEARCH RELEASES
      • CCM: CCM V.3
      • BIG DATA WORKING GROUP: Expanded Top 10 Big Data Security and Privacy Concerns; Big Data Analytics for Security Intelligence
      • HIM: HIPAA Omnibus Rule Education
      • CTP: API Interface Definition (Alain to update)
      • INCIDENT MANAGEMENT & FORENSICS: Provider Forensic Support in Public Multi-Tenant Cloud Environments
      • OCF: STAR Certification Manual; STAR Attestation Manual; STAR Certification Auditor Accreditation
      • ISACA: Cloud Market Maturity Survey
      • INTERNET2 COLLABORATION: Net+ Initiative CCM V1.4
      • ANTI-BOT Working Group: Work Group Kick-Off
      • Enterprise User Council: Work Group Kick-Off
  66. Q4 2013 RESEARCH RELEASES
      • MOBILE WORKING GROUP: Mobile Authentication Management V.1.1; Mobile Device Management V.2; Mobile Maturity Survey
      • CCM: AICPA Trust Service Principles Mapping; COBIT 5.0; ENISA Information Assurance Framework Mapping; ODCA Mapping; German BSI Mapping; NZISM Mapping; Privacy Control Assessment; Internet 2 Compliance Area Mapping; NIST SP 800-53 Rev 4
      • SecaaS: Defined SecaaS Framework Survey
      • BIG DATA WORKING GROUP: Big Data Framework and Taxonomy White Paper
      • CSA ENTERPRISE ARCHITECTURE: KRI and KPI Development for CSA Reference Architecture Interactive Site; Case Study Webinars (CloudBytes Sessions); Workshop with EAWG, NIST and Vidders
      • Anti-Bot Working Group: Outreach Program Launch; Essential Practices Sub-Group Launch; Tools and Operations Sub-Group Launch; Economics Sub-group Launch
  67. Q4 2013 RESEARCH RELEASES (continued)
      • SMB WG: Small Medium Size Business Kick-Off and Outreach
      • CAIQ: CAIQ V.3
      • CTP: Prototype
      • CLOUD AUDIT: Create CCM V.3 Database
      • INCIDENT MANAGEMENT & FORENSICS: Developing a capability maturity model (CMM) for IncM and Forensics in Cloud Environments
      • OCF: STAR Attestation Auditor Accreditation; OCF Cost Analysis; OCF Certification Launch
      • ISACA: Cloud Market Maturity Study Results
      • TELECOM WORKING GROUP: Next Generation SIEM White Paper
      • APAC: Research Roadmap for Execution
  68. Q4 2013 RESEARCH RELEASES (continued)
      • Virtualization Working Group: Virtualization Working Group Kick-Off; Update Security Guidance to include SDN
      • Financial Services Working Group: FSWG Kick-off; Establish Security and Privacy Test Beds
      • Cloud Brokerage Working Group: Publication of one year work plan; Launch CSA Cloud Broker microsite, partner directory and twitter account; Publication of V.1 of Working Group Deliverables; Cloud Brokerage Kick-Off
      • Leapfrog Project: Create CCM V.3 Database
      • Vulnerabilities Working Group: Working Group Expansion/Official Kick-Off
      • OCF: STAR Attestation Auditor Accreditation; OCF Cost Analysis; OCF Certification Launch
      • ISACA: Cloud Market Maturity Study Results
      • APAC RESEARCH: New Zealand MBIE Funding
      • TELECOM WORKING GROUP: Next Generation SIEM White Paper
  69. Q1 2014 RESEARCH RELEASES
      • GUIDANCE: Security Guidance for Critical Areas of Cloud Computing V.4 (Planning)
      • CCM: COBIT 5 Mapping; Slovenian Information Commissioner on Privacy Guidance for Cloud Computing Mapping
      • SECAAS: Implementation Guidance Documents V.2 (Planning)
      • BIG DATA WORKING GROUP: Big Data Cryptography Report
      • HIM: Updated HIPAA HiTech Mapping for V.3
      • CTP: Trust Model
      • CLOUD AUDIT: Automate Change-adds through DB Version of CCM
      • TOP THREATS: Top Threats to Cloud Computing Survey
      • CDG: Data Governance across International Borders
  70. Q1 2014 RESEARCH RELEASES (continued)
      • VIRTUALIZATION WORKING GROUP: Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing
      • CLOUD VULNERABILITIES WORKING GROUP: Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data
      • SLA: Cloud SLA Guidance
      • PLA: Phase 2 – Gap Analysis – Cover Requirements outside of Europe (Global PLA); Seal or Privacy Certification – Assess Need
      • INTERNET2 COLLABORATION: Net+ Initiative CCM V3.0
  71. Q2 2014 RESEARCH RELEASES
      • HIM: Business Associate Agreement Policy Guidance
      • CTP: Pilot
      • CLOUD AUDIT: Update Notification Functionality
      • TOP THREATS: Top Threats to Cloud Computing V.4
      • CDG: Data Tracking and Logging Standard
      • CLOUD VULNERABILITIES WORKING GROUP: Creation of a cloud vulnerability feed documentation mechanism/format/protocol
  72. Thank you
  73. About the Cloud Security Alliance
      • Global, not-for-profit organization: 56,000 members
      • Building security best practices for next generation IT
      • Research and Educational Programs
        • Cloud Provider Certification: CSA STAR
        • User Certification: CCSK
      • Awareness and Marketing
      • The globally authoritative source for Trust in the Cloud
      www.cloudsecurityalliance.org
      “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
  74. CSA Fast Facts
      • Founded in 2009
      • 56,000+ individual members, 70+ chapters globally
      • 190+ corporate members
        • Major cloud providers, tech companies, infosec leaders, DoD, the Fortune 100 and much more
      • Offices in Seattle USA, Singapore, Helsinki Finland
      • Over 40 research projects in 30+ working groups
      • Strategic partnerships with governments, research institutions, professional associations and industry
  75. Thanks
      Phil Agcaoili
      Co-Founder & Board Member, Southern CISO Security Council
      Distinguished Fellow and Fellows Chairman, Ponemon Institute
      Founding Member, Cloud Security Alliance (CSA)
      Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)
      Contributor, NIST Cybersecurity Framework version 1
      @hacksec
      https://www.linkedin.com/in/philA