Cloud Security Alliance Research & Roadmap
    RSA Conference 2013 Announcements




              Copyright © 2013 Cloud Security Alliance   www.cloudsecurityalliance.org
Developed first comprehensive best practices for secure cloud computing,
   Security Guidance for Critical Areas of Focus for Cloud Computing
   (updated October 2011)
   First and only user certification for cloud security, the CCSK
   (Certificate of Cloud Security Knowledge, September 2010)
   Tools for managing Governance, Risk and Compliance in the Cloud
   Registry of cloud provider security practices, the CSA STAR
   (Security, Trust & Assurance Registry, Q4 2011)
   First and only multi-tenant security controls framework adapted for cloud (CSA
   CCM)
   Industry leading security practices, education and tools developed by 20+
   working groups
   Selection of CSA venue by US White House to announce the US Federal Cloud
   Strategy in 2011
   Leadership in developing new security standards addressing cloud computing
   Trusted advisor to governments and Global 2000 firms around the world

“To promote the use of best practices for providing security assurance within Cloud
      Computing, and provide education on the uses of Cloud Computing to help
                        secure all other forms of computing.”


60 chapters and growing
Every continent except Antarctica
Translating guidance
Adapting research to local needs
Creating their own research projects

Our research includes
fundamental projects needed
to define and implement trust
within the future of
information technology
CSA continues to be
aggressive in producing
critical research, education
and tools
22 Active Work Groups and
10 in the pipeline


Global resource and research
coverage through our corporate
membership, affiliate
members, chapters and
Connected to great minds:
Research contributors represent
some of the top minds in
information security and cloud
computing




Security Guidance for Critical
Areas of Cloud Computing
 Popular best practices for securing
 cloud computing

 Flagship research project

 V 3.0 Released (November 2011)

 In alignment with international
 standards

Impact to the Industry
 Developed first comprehensive best
 practices for secure cloud
 computing, Security Guidance for
 Critical Areas of Focus for Cloud
 Computing (updated October 2011)



GRC Stack
  Family of 4 research projects
    Cloud Controls Matrix (CCM)

    Consensus Assessments Initiative
    (CAI)

    Cloud Audit

    Cloud Trust Protocol (CTP)



  Diagram labels: Control Requirements, Provider Assertions




Controls derived from
guidance
Mapped to familiar
frameworks: ISO
27001, COBIT, PCI, HIPAA,
FISMA, FedRAMP, etc.
Rated as applicable to S-P-I
Customer vs. Provider role
Help bridge the “cloud gap”
for IT & IT auditors


Research tools and processes to
perform shared assessments of
cloud providers
Integrated with Controls Matrix
Version 1 CAI Questionnaire
released Oct 2010, approximately
140 provider questions to identify
presence of security controls or
practices
Use to assess cloud providers today,
procurement negotiation, contract
inclusion, quantify SLAs


Open standard and API to
automate provider audit
assertions
Change audit from data
gathering to data analysis
Necessary to provide audit &
assurance at the scale
demanded by cloud providers
Uses Cloud Controls Matrix as
controls namespace
Use to instrument cloud for
continuous controls monitoring

Developed by CSC, transferred to
CSA
Open standard and API to verify
control assertions
“Question and Answer”
asynchronous protocol, leverages
SCAP (Security Content
Automation Protocol)
Integrates with Cloud Audit
Now we have all the components
for continuous controls monitoring

CSA STAR
(Security, Trust and Assurance Registry)
 Public Registry of Cloud Provider self assessments
 Based on Consensus Assessments Initiative Questionnaire
    Provider may substitute documented Cloud Controls Matrix compliance

 Voluntary industry action promoting transparency
 Free market competition to provide quality assessments
    Provider may elect to provide assessments from third parties




Security as a Service
 Research for gaining greater understanding
 for how to deliver security solutions via
 cloud models.
    Information Security Industry Re-invented

    Identify Ten Categories within SecaaS

    Implementation Guidance for each SecaaS
    Category

    Align with international standards and other CSA
    research




Mobile
 Securing application stores and other public entities
 deploying software to mobile devices
 Analysis of mobile security capabilities and features
 of key mobile operating systems
 Cloud-based management, provisioning, policy, and
 data management of mobile devices to achieve
 security objectives
 Guidelines for the mobile device security framework
 and mobile cloud architectures
 Solutions for resolving multiple usage roles related to
 BYOD, e.g. personal and business use of a common
 device
 Best practices for secure mobile application
 development


Big Data
 Identifying scalable techniques for
 data-centric security and privacy
 problems
 Lead to crystallization of best practices
 for security and privacy in big data
 Help industry and government on
 adoption of best practices
 Establish liaisons with other
 organizations in order to coordinate the
 development of big data security and
 privacy standards
 Accelerate the adoption of novel
 research aimed to address security
 and privacy issues



Cloud Data Governance
 Cloud Data Governance Maturity Survey of
 current Cloud Provider practices in the market
 (e.g. backup, encryption, secure deletion, etc.)
 Structure based on Domain 5: Information
 Lifecycle Management
 Re-define Data Life Cycle Model
 Identify Key Concerns for Stakeholders
 Data Governance in Emerging Technologies in
 the Cloud




Telecom Working Group
 Industry a key stakeholder in future of cloud
 CSA’s liaison to ITU-T
 5 Telecom Initiatives
    Telecom and the GRC Stack

    ISO 27017 Interviews with CSPs

    SIEM

    Compliance Monitoring

    Cloud Forensics and Legal




CloudCERT
 Consensus research for emergency response in
 Cloud
 Enhance community’s ability to respond to
 incidents
 Standardized processes
 Supplemental best practices for CERTs
 Hosted Community of Cloud CERTs




Health Information Management
(NEW)
 Provide direct influence on how health
 information service providers deliver secure
 cloud solutions (services, transport,
 applications and storage) to their clients, and
 foster cloud awareness within all aspects of
 healthcare and related industries

 2 Health Initiatives

    HIPAA and HITECH Best Practices

    Healthcare Recommendations Guidance to V.3




Privacy Level Agreement
(PLA)
 PLA = SLA for privacy.
 In the PLA (typically an attachment to the
 Service Agreement) the cloud service
 provider (CSP) clearly declares the level of
 privacy and data protection that it
 undertakes to maintain with respect to the
 relevant data processing.
 Provide cloud customers with a tool to
 assess a CSP’s commitment to address
 personal data protection.
 Offer contractual protection against possible
 economic damages due to lack of
 compliance or commitment of the CSP
 to privacy and data protection regulation.


ISACA/CSA Cloud Security
Maturity Project
 The Cloud Security Alliance (CSA) and
 ISACA announced the availability of a new
 survey on cloud market maturity

 This is the first collaborative project
 between the two organizations

 A report based off of the survey results will
 be published




Top Threats
 Provide needed context to assist
 organizations in making educated
 risk management decisions
 regarding their cloud adoption
 strategies
 V.2 of Top Threats Report
 released in October 2012




CSA has been awarded 4 FP7 Projects
                    Helix Nebula - The HELIX NEBULA Project is a
                    preliminary step towards a European cloud‐based
                    scientific e‐infrastructure: HELIX NEBULA – the Science
                    Cloud.

                    Cumulus - The overall aim of the project is to develop a
                    framework for hybrid, incremental and multi-layer
                    certification for all services in cloud computing stacks,
                    including infrastructure (IaaS), platform (PaaS) and
                    software services (SaaS).

                    Cirrus – Cirrus aims to bring together different
                    stakeholders (industry, research, service providers, end-
                    users, standardization bodies…) and perform an
                    analysis of implications for overall E2E (end-to-end)
                    Cloud Security with the special attention to issues of
                    assurance and trustworthiness.

                    A4 Cloud - This project aims to clarify regulatory
                    expectations with regard to cloud and also provide
                    mechanisms that enable provision of accountable
                    services in the cloud.


Most of our Research Projects
are ideas from professionals like
you
Do you have an idea for a
research project on a cloud
security topic?
If so, please take the time to
describe your concept by filling
out our online form. This
form is monitored by the CSA
research team, who will review
your proposal and respond to you
with feedback.
Contribute to the
    CSA library
  The Cloud Security Alliance is a community non-profit
  which is driven by its members. Have a white paper or
  information on a cloud security product you want to
  contribute?
https://cloudsecurityalliance.org/education/white-papers-and-
educational-material/


Learn how you can participate in Cloud
  Security Alliance's goals to promote the
  use of best practices for providing security
  assurance within Cloud Computing

http://www.linkedin.com/groups?gid=1864210
https://cloudsecurityalliance.org/get-involved/


RSA Conference 2013 Announcements




Released a draft of the latest version of the
Cloud Controls Matrix, CCM v3.0

Realigns the CCM control domains to achieve
tighter integration with the CSA’s “Security
Guidance for Critical Areas of Focus in Cloud
Computing version 3”

Introduced three new control domains
 Mobile Security
 Supply Chain Management, Transparency and
 Accountability
 Interoperability & Portability

Available for peer review through the CSA
Interact website with the peer review period
closing March 31, 2013, and final release of
CCM v3.0 on April 17, 2013

https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_1
https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_2
https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_3


CSA Big Data Working Group released an initial report, The Top 10 Big Data Security and Privacy Challenges, at CSA Congress 2012

     2013 RSA announcement expanded this to Top Ten Big Data Security and Privacy Challenges report

          The 35-page report outlines the unique challenges presented by Big Data

     The Top 10 Big Data Security and Privacy Challenges have been enumerated as follows:
1.        Secure computations in distributed programming frameworks
2.        Security best practices for non-relational data stores
3.        Secure data storage and transactions logs
4.        End-point input validation/filtering
5.        Real-time security monitoring
6.        Scalable and composable privacy-preserving data mining and analytics
7.        Cryptographically enforced data centric security
8.        Granular access control
9.        Granular audits
10.       Data provenance

     The goal of outlining these challenges is to raise awareness among security practitioners and researchers

     To review the report and provide comments, please visit
     https://interact.cloudsecurityalliance.org/index.php/bigdata/top_ten_big_data_2013 .


Released a position paper on the American Institute of CPAs’ reporting framework
Educating members and providing guidance on selecting the most appropriate reporting option
Latest step in CSA’s previously announced Open Certification Framework and STAR Attestation initiatives
AICPA’s reporting framework, known as Service Organization Control Reports, consists of three major document
types
    The first – the SOC 1 report – deals with controls over financial reporting
    The SOC 2 report focuses on controls that bear on a service provider’s security, processing integrity and
    operating availability, as well as the confidentiality and privacy of data moving through its systems.
    A third report, SOC 3, is a compressed version of the SOC 2 and is designed for public distribution.
Highlights that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with
AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable
criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services
    The Cloud Controls Matrix is designed to be used in conjunction with existing standards, and this is one such
    example where the combination provides a comprehensive view that should suit most users' reporting needs
Position paper also offers guidance to members on the following:
    When a SOC 1 report is necessary,
    When a SOC 2 report is called for, and
    When both engagement types may be required
The full position paper can be found at https://cloudsecurityalliance.org/research/collaborate/#_aicpa

The CSA PLA Working Group formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection
Regulators’ recommendations on Cloud Computing into an easy to use outline that CSPs can use to disclose personal
data handling practices
The Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group released the Privacy Level
Agreement (PLA) Outline for Cloud Service Providers providing services in the European Union
The Outline provides a structure for Cloud Service Providers (CSP) to disclose, in a consistent manner, information
about the privacy and data protection policies, procedures and practices used when processing personal data that
customers upload or store in the CSP’s servers
Once a PLA outline is completed by a CSP, it will provide current and potential customers with a new tool to assess
that CSP’s disclosure of its practices.
This knowledge, in turn, will allow companies to evaluate the extent to which the use of a particular CSP will allow
them to achieve compliance with applicable data protection laws, including, in particular, their transparency and
accountability obligations, a positive shift for both the customer and provider alike.
Key elements covered in the outline include:
  Cloud customer internal and external due diligence
  Categories of personal data that may be uploaded to the service
  Ways in which data should be processed in the cloud
  Data location, transfer, retention, monitoring and security measures
  Personal data breach notification
  Data portability, migration, and transfer back assistance
  Accountability
  Law enforcement access
  Remedies

  To learn more, download the PLA Initiative Research Sponsorship Outline.
The Cloud Security Alliance (CSA) Top Threats Working Group released The Notorious Nine: Cloud Computing Top
Threats in 2013
A revised report aimed to provide organizations with up-to-date, expert-informed understanding of cloud security
threats in order to make educated risk-management decisions regarding cloud adoption strategies
Report focuses on threats specifically related to the shared, on-demand nature of cloud computing
Serves as an up-to-date threat identification guide that will help cloud users and providers make informed decisions
about risk mitigation within a cloud strategy
The Top Threats Working Group used these survey results alongside their expertise to craft the final The Notorious
Nine: Cloud Computing Top Threats in 2013.
Identified the following nine critical threats to cloud security:
    1. Data Breaches
    2. Data Loss
    3. Account Hijacking
    4. Insecure APIs
    5. Denial of Service
    6. Malicious Insiders
    7. Abuse and Nefarious Use
    8. Insufficient Due Diligence
    9. Shared Technology Issues
Intended to be utilized in conjunction with the best practices guides “Security Guidance for Critical Areas in Cloud
Computing V.3” and “Security as a Service Implementation Guidance”
Companies and individuals interested in learning more or joining the group can visit
https://cloudsecurityalliance.org/research/top-threats/.

Formation of the Legal Information Center (CLIC), a new online resource.
The launch of the CLIC is part of an ongoing effort on behalf of the CSA to help individuals and organizations better
understand and address the various and often complicated legal issues related to cloud computing
The CLIC will be an open resource for cloud computing practitioners, regulators, and legal experts with a mission to
provide unbiased information about the applicability of existing laws and also identify laws that are being impacted by
technology trends that may require modification
As part of this new initiative, CSA and Box hosted a panel discussion entitled, “US and Foreign Laws Regulating
Government Access to Data Held in the Cloud” on Thursday, February 28th
    Panel participants included legal and regulatory experts from seven countries
    Moderated by Francoise Gilbert, Founder and General Manager of the IT Law Group as well as General Counsel
    for the CSA.
    The panel explored a wide range of issues related to the rule of laws governing access of governments to data
    held in the cloud
More information on the CLIC: https://cloudsecurityalliance.org/research/clic/




Announced the launch of a new global training program called the CSA Master Training Program
HP named as the initial partner of this new program
The CSA Master Training Program is designed to accelerate worldwide access and adoption of the CSA Certificate of
Cloud Security Knowledge (CCSK) Certification
With assistance from HP, CSA will invest in the global expansion of CCSK training availability, with a key focus on the Asia Pacific region.
CSA and HP will also work closely to collaborate on a curriculum roadmap through the CCSK Center of Excellence
based in Singapore
HP will adapt existing CCSK lab-based training to include HP cloud solutions
HP Education Services will certify any HP CCSK training staff based on HP’s CSA-certified courseware
At the annual CSA Congress in October 2012, the CSA published version 3 of its CCSK
    Included two principal updates, including an update to the CCSK Training Materials as well as a new CCSK exam
    The CCSK is aligned with the latest release of CSA’s Security Guidance as well as other intellectual property,
    which comprises the CSA Common Body of Knowledge (CBK)




                                     Copyright © 2012 Cloud Security Alliance                     www.cloudsecurityalliance.org
Copyright © 2011 Cloud Security Alliance   www.cloudsecurityalliance.org

More Related Content

What's hot

Rob kloots auditoutsourcedit
Rob kloots auditoutsourceditRob kloots auditoutsourcedit
Rob kloots auditoutsourceditRobert Kloots
 
Qualys Suite
Qualys SuiteQualys Suite
Qualys Suitefepinette
 
Cloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesCloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesSusanneT
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Vladimir Jirasek
 
Global Efforts to Secure Cloud Computing
Global Efforts to Secure Cloud Computing Global Efforts to Secure Cloud Computing
Global Efforts to Secure Cloud Computing InnoTech
 
Ohm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slideshareOhm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slidesharePeter HJ van Eijk
 
Oracle here. now. your choice.
Oracle   here.  now.  your choice.Oracle   here.  now.  your choice.
Oracle here. now. your choice.CIOEastAfrica
 
Cloud Security By Dr. Anton Ravindran
Cloud Security By Dr. Anton RavindranCloud Security By Dr. Anton Ravindran
Cloud Security By Dr. Anton RavindranGSTF
 
Cloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide -  Ref Architecture and Gov. ModelCloud Security Guide -  Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. ModelVishal Sharma
 
Protecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud SecurityProtecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud SecurityInnoTech
 
2011 Digital Summit - Not So Cloudy - Agcaoili
2011 Digital Summit - Not So Cloudy - Agcaoili2011 Digital Summit - Not So Cloudy - Agcaoili
2011 Digital Summit - Not So Cloudy - AgcaoiliPhil Agcaoili
 
Laser Pioneer Secures Network End-to-End to Protect Assets
Laser Pioneer Secures Network End-to-End to Protect AssetsLaser Pioneer Secures Network End-to-End to Protect Assets
Laser Pioneer Secures Network End-to-End to Protect AssetsCisco Security
 
Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3RazaMehmood7
 
Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security StrategyCapgemini
 
RSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta ChapterRSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta ChapterPhil Agcaoili
 
Cloud is not an option, but is security?
Cloud is not an option, but is security?Cloud is not an option, but is security?
Cloud is not an option, but is security?Jody Keyser
 

What's hot (20)

Rob kloots auditoutsourcedit
Rob kloots auditoutsourceditRob kloots auditoutsourcedit
Rob kloots auditoutsourcedit
 
Why CSA Australia
Why CSA AustraliaWhy CSA Australia
Why CSA Australia
 
Qualys Suite
Qualys SuiteQualys Suite
Qualys Suite
 
Cloud security and adoption
Cloud security and adoptionCloud security and adoption
Cloud security and adoption
 
Cloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesCloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing Capabilities
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
 
Global Efforts to Secure Cloud Computing
Global Efforts to Secure Cloud Computing Global Efforts to Secure Cloud Computing
Global Efforts to Secure Cloud Computing
 
Ohm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slideshareOhm2013 cloud security 101 slideshare
Ohm2013 cloud security 101 slideshare
 
Oracle here. now. your choice.
Oracle   here.  now.  your choice.Oracle   here.  now.  your choice.
Oracle here. now. your choice.
 
CSA Standards Development Summary
CSA Standards Development SummaryCSA Standards Development Summary
CSA Standards Development Summary
 
Cloud Security By Dr. Anton Ravindran
Cloud Security By Dr. Anton RavindranCloud Security By Dr. Anton Ravindran
Cloud Security By Dr. Anton Ravindran
 
Cloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide -  Ref Architecture and Gov. ModelCloud Security Guide -  Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. Model
 
Protecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud SecurityProtecting What Matters...An Enterprise Approach to Cloud Security
Protecting What Matters...An Enterprise Approach to Cloud Security
 
2011 Digital Summit - Not So Cloudy - Agcaoili
2011 Digital Summit - Not So Cloudy - Agcaoili2011 Digital Summit - Not So Cloudy - Agcaoili
2011 Digital Summit - Not So Cloudy - Agcaoili
 
Laser Pioneer Secures Network End-to-End to Protect Assets
Laser Pioneer Secures Network End-to-End to Protect AssetsLaser Pioneer Secures Network End-to-End to Protect Assets
Laser Pioneer Secures Network End-to-End to Protect Assets
 
Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3Owasp top 10_proactive_controls_v3
Owasp top 10_proactive_controls_v3
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Security Strategy
Cloud Security StrategyCloud Security Strategy
Cloud Security Strategy
 
RSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta ChapterRSA: CSA GRC Stack Update for the CSA Atlanta Chapter
RSA: CSA GRC Stack Update for the CSA Atlanta Chapter
 
Cloud is not an option, but is security?
Cloud is not an option, but is security?Cloud is not an option, but is security?
Cloud is not an option, but is security?
 

CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements

  • 1. Cloud Security Alliance Research & Roadmap RSA Conference 2013 Announcements Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org
  • 3.
      • Developed first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (updated October 2011)
      • First and only user certification for cloud security, the CCSK (Certificate of Cloud Security Knowledge, September 2010)
      • Tools for managing Governance, Risk and Compliance in the Cloud
      • Registry of cloud provider security practices, the CSA STAR (Security, Trust & Assurance Registry, Q4 2011)
      • First and only multi-tenant security controls framework adapted for cloud (CSA CCM)
      • Industry leading security practices, education and tools developed by 20+ working groups
      • Selection of CSA venue by US White House to announce the US Federal Cloud Strategy in 2011
      • Leadership in developing new security standards addressing cloud computing
      • Trusted advisor to governments and Global 2000 firms around the world
      • “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
  • 5.
      • 60 chapters and growing
      • Every continent except Antarctica
      • Translating guidance
      • Adapting research to local needs
      • Creating their own research projects
  • 12.
      • Our research includes fundamental projects needed to define and implement trust within the future of information technology
      • CSA continues to be aggressive in producing critical research, education and tools
      • 22 Active Work Groups and 10 in the pipeline
  • 13.
      • Global resource and research coverage through our corporate membership, affiliate members, chapters and
      • Connected to great minds: Research contributors represent some of the top minds in information security and cloud computing
  • 14. Security Guidance for Critical Areas of Cloud Computing
      • Popular best practices for securing cloud computing
      • Flagship research project
      • V 3.0 Released (November 2011)
      • In alignment with international standards
      • Impact to the Industry: Developed first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (updated October 2011)
  • 15. GRC Stack
      • Family of 4 research projects
          • Cloud Controls Matrix (CCM)
          • Consensus Assessments Initiative (CAI)
          • Cloud Audit
          • Cloud Trust Protocol (CTP)
      • [Diagram labels: Control, Provider, Requirements, Assertions]
  • 16.
      • Controls derived from guidance
      • Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, etc.
      • Rated as applicable to S-P-I
      • Customer vs. Provider role
      • Help bridge the “cloud gap” for IT & IT auditors
  • 17.
      • Research tools and processes to perform shared assessments of cloud providers
      • Integrated with Controls Matrix
      • Version 1 CAI Questionnaire released Oct 2010, approximately 140 provider questions to identify presence of security controls or practices
      • Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs
  • 18.
      • Open standard and API to automate provider audit assertions
      • Change audit from data gathering to data analysis
      • Necessary to provide audit & assurance at the scale demanded by cloud providers
      • Uses Cloud Controls Matrix as controls namespace
      • Use to instrument cloud for continuous controls monitoring
  • 19.
      • Developed by CSC, transferred to CSA
      • Open standard and API to verify control assertions
      • “Question and Answer” asynchronous protocol, leverages SCAP (Secure Content Automation Protocol)
      • Integrates with Cloud Audit
      • Now we have all the components for continuous controls monitoring
  • 20. CSA STAR (Security, Trust and Assurance Registry)
      • Public Registry of Cloud Provider self assessments
      • Based on Consensus Assessments Initiative Questionnaire
      • Provider may substitute documented Cloud Controls Matrix compliance
      • Voluntary industry action promoting transparency
      • Free market competition to provide quality assessments
      • Provider may elect to provide assessments from third parties
  • 22. Security as a Service. Research for gaining greater understanding of how to deliver security solutions via cloud models. Information Security Industry Re-invented. Identify Ten Categories within SecaaS. Implementation Guidance for each SecaaS Category. Align with international standards and other CSA research.
  • 23. Mobile. Securing application stores and other public entities deploying software to mobile devices. Analysis of mobile security capabilities and features of key mobile operating systems. Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives. Guidelines for the mobile device security framework and mobile cloud architectures. Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device. Best practices for secure mobile application development.
  • 24. Big Data. Identifying scalable techniques for data-centric security and privacy problems. Lead to crystallization of best practices for security and privacy in big data. Help industry and government on adoption of best practices. Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards. Accelerate the adoption of novel research aimed to address security and privacy issues.
  • 25. Cloud Data Governance. Cloud Data Governance Maturity Survey of current Cloud Provider practices in the market (e.g. backup, encryption, secure deletion, etc.). Structure based on Domain 5: Information Lifecycle Management. Re-define Data Life Cycle Model. Identify Key Concerns for Stakeholders. Data Governance in Emerging Technologies in the Cloud.
  • 26. Telecom Working Group. Industry a key stakeholder in future of cloud. CSA’s liaison to ITU-T. 5 Telecom Initiatives: Telecom and the GRC Stack ISO 27017 Interviews to CSP’s SIEM Compliance Monitoring Cloud Forensics and Legal
  • 27. CloudCERT. Consensus research for emergency response in Cloud. Enhance community’s ability to respond to incidents. Standardized processes. Supplemental best practices for CERTs. Hosted Community of Cloud CERTs.
  • 28. Health Information Management (NEW). Provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries. 2 Health Initiatives: HIPAA and HITECH Best Practices; Healthcare Recommendations Guidance to V.3.
  • 29. Privacy Level Agreement (PLA). PLA = SLA for privacy. In the PLA (typically an attachment to the Service Agreement) the cloud service provider (CSP) clearly declares the level of privacy and data protection that it undertakes to maintain with respect to the relevant data processing. Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection. Offer contractual protection against possible economic damages due to lack of compliance or commitment of the CSP to privacy and data protection regulation.
  • 31. ISACA/CSA Cloud Security Maturity Project. The Cloud Security Alliance (CSA) and ISACA announced the availability of a new survey on cloud market maturity. This is the first collaborative project between the two organizations. A report based on the survey results will be published.
  • 32. Top Threats. Provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. V.2 of Top Threats Report released in October 2012.
  • 33. CSA has been awarded 4 FP7 Projects. Helix Nebula - The HELIX NEBULA Project is a preliminary step towards a European cloud-based scientific e-infrastructure: HELIX NEBULA – the Science Cloud. Cumulus - The overall aim of the project is to develop a framework for hybrid, incremental and multi-layer certification for all services in cloud computing stacks, including infrastructure (IaaS), platform (PaaS) and software services (SaaS). Cirrus - Cirrus aims to bring together different stakeholders (industry, research, service providers, end-users, standardization bodies…) and perform an analysis of implications for overall E2E (end-to-end) Cloud Security with special attention to issues of assurance and trustworthiness. A4 Cloud - This project aims to clarify regulatory expectations with regard to cloud and also provide mechanisms that enable provision of accountable services in the cloud.
  • 34. Most of our Research Projects are ideas from professionals like you. Do you have an idea for a research project on a cloud security topic? If so, please take the time to describe your concept by filling out our online form. This form is monitored by the CSA research team, who will review your proposal and respond to you with feedback.
  • 35. Contribute to the CSA library. The Cloud Security Alliance is a community non-profit which is driven by its members. Have a white paper or information on a cloud security product you want to contribute? https://cloudsecurityalliance.org/education/white-papers-and-educational-material/
  • 36. Learn how you can participate in Cloud Security Alliance's goals to promote the use of best practices for providing security assurance within Cloud Computing: http://www.linkedin.com/groups?gid=1864210 https://cloudsecurityalliance.org/get-involved/
  • 37. RSA Conference 2013 Announcements
  • 38. Released a draft of the latest version of the Cloud Controls Matrix, CCM v3.0. Realigns the CCM control domains to achieve tighter integration with the CSA’s “Security Guidance for Critical Areas of Focus in Cloud Computing version 3”. Introduced three new control domains: Mobile Security; Supply Chain Management, Transparency and Accountability; Interoperability & Portability. Available for peer review through the CSA Interact website with the peer review period closing March 31, 2013, and final release of CCM v3.0 on April 17, 2013. https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_1 https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_2 https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_3
  • 39. CSA Big Data Working Group released an initial report, The Top 10 Big Data Security and Privacy Challenges, at CSA Congress 2012. 2013 RSA announcement expanded this to Top Ten Big Data Security and Privacy Challenges report. The 35-page report outlines the unique challenges presented by Big Data. The Top 10 Big Data Security and Privacy Challenges have been enumerated as follows: 1. Secure computations in distributed programming frameworks; 2. Security best practices for non-relational data stores; 3. Secure data storage and transactions logs; 4. End-point input validation/filtering; 5. Real-time security monitoring; 6. Scalable and composable privacy-preserving data mining and analytics; 7. Cryptographically enforced data centric security; 8. Granular access control; 9. Granular audits; 10. Data provenance. The goal of outlining these challenges is to raise awareness among security practitioners and researchers. To review the report and provide comments, please visit https://interact.cloudsecurityalliance.org/index.php/bigdata/top_ten_big_data_2013 .
  • 40. Released a position paper on the American Institute of CPAs’ reporting framework. Educating members and providing guidance on selecting the most appropriate reporting option. Latest step in CSA’s previously announced Open Certification Framework and STAR Attestation initiatives. AICPA’s reporting framework, known as Service Organization Control Reports, consists of three major document types. The first – the SOC 1 report – deals with controls over financial reporting. The SOC 2 report focuses on controls that bear on a service provider’s security, processing integrity and operating availability, as well as the confidentiality and privacy of data moving through its systems. A third report, SOC 3, is a compressed version of the SOC 2 and is designed for public distribution. Highlights that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services. The Cloud Controls Matrix is designed to be used in conjunction with existing standards, and this is one such example where the combination provides a comprehensive view that should suit most users’ reporting needs. Position paper also offers guidance to members on the following: when a SOC 1 report is necessary, when a SOC 2 report is called for, and when both engagement types may be required. The full position paper can be found at https://cloudsecurityalliance.org/research/collaborate/#_aicpa
  • 41. The CSA PLA Working Group formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on Cloud Computing into an easy to use outline that CSPs can use to disclose personal data handling practices. The Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group released the Privacy Level Agreement (PLA) Outline for Cloud Service Providers providing services in the European Union. The Outline provides a structure for Cloud Service Providers (CSP) to disclose, in a consistent manner, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store in the CSP’s servers. Once a PLA outline is completed by a CSP, it will provide current and potential customers with a new tool to assess that CSP’s disclosure of its practices. This knowledge, in turn, will allow companies to evaluate the extent to which the use of a particular CSP will allow them to achieve compliance with applicable data protection laws, including, in particular, their transparency and accountability obligations, a positive shift for both the customer and provider alike. Key elements covered in the outline include: cloud customer internal and external due diligence; categories of personal data that may be uploaded to the service; ways in which data should be processed in the cloud; data location, transfer, retention, monitoring and security measures; personal data breach notification; data portability, migration, and transfer back assistance; accountability; law enforcement access; remedies. To learn more, download the PLA Initiative Research Sponsorship Outline.
  • 42. The Cloud Security Alliance (CSA) Top Threats Working Group released The Notorious Nine: Cloud Computing Top Threats in 2013. A revised report aimed to provide organizations with up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies. Report focuses on threats specifically related to the shared, on-demand nature of cloud computing. Serves as an up-to-date threat identification guide that will help cloud users and providers make informed decisions about risk mitigation within a cloud strategy. The Top Threats Working Group used these survey results alongside their expertise to craft the final report, The Notorious Nine: Cloud Computing Top Threats in 2013. Identified the following nine critical threats to cloud security: 1. Data Breaches; 2. Data Loss; 3. Account Hijacking; 4. Insecure APIs; 5. Denial of Service; 6. Malicious Insiders; 7. Abuse and Nefarious Use; 8. Insufficient Due Diligence; 9. Shared Technology Issues. Intended to be utilized in conjunction with the best practices guides “Security Guidance for Critical Areas in Cloud Computing V.3” and “Security as a Service Implementation Guidance”. Companies and individuals interested in learning more or joining the group can visit https://cloudsecurityalliance.org/research/top-threats/.
  • 43. Formation of the Legal Information Center (CLIC), a new online resource. The launch of the CLIC is part of an ongoing effort on behalf of the CSA to help individuals and organizations better understand and address the various and often complicated legal issues related to cloud computing. The CLIC will be an open resource for cloud computing practitioners, regulators, and legal experts with a mission to provide unbiased information about the applicability of existing laws and also identify laws that are being impacted by technology trends that may require modification. As part of this new initiative, CSA and Box hosted a panel discussion entitled “US and Foreign Laws Regulating Government Access to Data Held in the Cloud” on Thursday, February 28th. Panel participants included legal and regulatory experts from seven countries. Moderated by Francoise Gilbert, Founder and General Manager of the IT Law Group as well as General Counsel for the CSA. The panel explored a wide range of issues related to the rule of laws governing access of governments to data held in the cloud. More information on the CLIC: https://cloudsecurityalliance.org/research/clic/
  • 44. Announced the launch of a new global training program called the CSA Master Training Program. HP named as the initial partner of this new program. The CSA Master Training Program is designed to accelerate worldwide access and adoption of the CSA Certificate of Cloud Security Knowledge (CCSK) Certification. With assistance from HP, CSA will invest in the global expansion of CCSK training availability, with a key focus on the Asia Pacific region. CSA and HP will also work closely to collaborate on a curriculum roadmap through the CCSK Center of Excellence based in Singapore. HP will adapt existing CCSK lab-based training to include HP cloud solutions. HP Education Services will certify any HP CCSK training staff based on HP’s CSA-certified courseware. At the annual CSA Congress in October 2012, the CSA published version 3 of its CCSK. Included two principal updates: an update to the CCSK Training Materials as well as a new CCSK exam. The CCSK is aligned with the latest release of CSA’s Security Guidance as well as other intellectual property, which comprises the CSA Common Body of Knowledge (CBK).

Editor's Notes

  1. Research is the crown jewel of CSA. The objective of CSA research is to develop best practices, guidelines, white papers and frameworks that will be conducive to building trust into the Cloud. As a result, consumers can go to the cloud securely with confidence. Cloud service providers can use our work as a baseline to address interoperability and security issues, where assurance is assessable continuously and automatically. Switching costs to consumers are reduced to a minimum, and a dynamic cloud eco-system is hence created to allow for acceleration of cloud adoption.
  2. The CSA Guidance is our flagship research that provides a broad catalog of best practices. It contains 13 domains to address both broad governance and specific operational issues. This Guidance is used as a foundation for the other research projects in the following slides that relate to compliance.
  3. Do visit the website. Do join the LinkedIn Groups – you will receive regular email updates.