CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
 

Usage Rights: CC Attribution-ShareAlike License
  • Research is the crown jewel of CSA. The objective of CSA research is to develop best practices, guidelines, white papers and frameworks that will be conducive to building trust in the Cloud. As a result, consumers can go to the cloud securely and with confidence. Cloud service providers can use our work as a baseline to address interoperability and security issues, where assurance is assessable continuously and automatically. Switching costs to consumers are reduced to a minimum, and a dynamic cloud eco-system is hence created to allow for acceleration of cloud adoption.
  • The CSA Guidance is our flagship research and provides a broad catalog of best practices. It contains 13 domains that address both broad governance and specific operational issues. This Guidance is used as a foundation for the other research projects in the following slides that relate to compliance.
  • Do visit the website. Do join the LinkedIn Groups; you will receive regular email updates.

Presentation Transcript

  • Cloud Security Alliance Research & Roadmap RSA Conference 2013 Announcements Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org
  • “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
    • Developed first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (updated October 2011)
    • First and only user certification for cloud security, the CCSK (Certificate of Cloud Security Knowledge, September 2010)
    • Tools for managing Governance, Risk and Compliance in the Cloud
    • Registry of cloud provider security practices, the CSA STAR (Security, Trust & Assurance Registry, Q4 2011)
    • First and only multi-tenant security controls framework adapted for cloud (CSA CCM)
    • Industry leading security practices, education and tools developed by 20+ working groups
    • Selection of CSA venue by US White House to announce the US Federal Cloud Strategy in 2011
    • Leadership in developing new security standards addressing cloud computing
    • Trusted advisor to governments and Global 2000 firms around the world
  • 60 chapters and growing
    • Every continent except Antarctica
    • Translating guidance
    • Adapting research to local needs
    • Creating their own research projects
  • Our research includes fundamental projects needed to define and implement trust within the future of information technology. CSA continues to be aggressive in producing critical research, education and tools.
    • 22 Active Work Groups and 10 in the pipeline
  • Global resource and research coverage through our corporate membership, affiliate members, chapters and
    • Connected to great minds: Research contributors represent some of the top minds in information security and cloud computing
  • Security Guidance for Critical Areas of Cloud Computing
    • Popular best practices for securing cloud computing
    • Flagship research project
    • V 3.0 Released (November 2011)
    • In alignment with international standards
    • Impact to the Industry: Developed first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (updated October 2011)
  • GRC Stack: Family of 4 research projects
    • Cloud Controls Matrix (CCM)
    • Consensus Assessments Initiative (CAI)
    • CloudAudit
    • Cloud Trust Protocol (CTP)
    • [Diagram labels: Control, Provider, Requirements, Assertions]
  • Controls derived from guidance
    • Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, etc.
    • Rated as applicable to S-P-I
    • Customer vs. Provider role
    • Help bridge the “cloud gap” for IT & IT auditors
  • Research tools and processes to perform shared assessments of cloud providers
    • Integrated with Controls Matrix
    • Version 1 CAI Questionnaire released Oct 2010, approximately 140 provider questions to identify presence of security controls or practices
    • Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs
  • Open standard and API to automate provider audit assertions
    • Change audit from data gathering to data analysis
    • Necessary to provide audit & assurance at the scale demanded by cloud providers
    • Uses Cloud Controls Matrix as controls namespace
    • Use to instrument cloud for continuous controls monitoring
  • Developed by CSC, transferred to CSA
    • Open standard and API to verify control assertions
    • “Question and Answer” asynchronous protocol, leverages SCAP (Security Content Automation Protocol)
    • Integrates with CloudAudit
    • Now we have all the components for continuous controls monitoring
  • CSA STAR (Security, Trust and Assurance Registry)
    • Public Registry of Cloud Provider self assessments
    • Based on Consensus Assessments Initiative Questionnaire
    • Provider may substitute documented Cloud Controls Matrix compliance
    • Voluntary industry action promoting transparency
    • Free market competition to provide quality assessments
    • Provider may elect to provide assessments from third parties
  • Security as a Service: Research for gaining greater understanding of how to deliver security solutions via cloud models
    • Information Security Industry Re-invented
    • Identify Ten Categories within SecaaS
    • Implementation Guidance for each SecaaS Category
    • Align with international standards and other CSA research
  • Mobile
    • Securing application stores and other public entities deploying software to mobile devices
    • Analysis of mobile security capabilities and features of key mobile operating systems
    • Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
    • Guidelines for the mobile device security framework and mobile cloud architectures
    • Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
    • Best practices for secure mobile application development
  • Big Data
    • Identifying scalable techniques for data-centric security and privacy problems
    • Lead to crystallization of best practices for security and privacy in big data
    • Help industry and government on adoption of best practices
    • Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards
    • Accelerate the adoption of novel research aimed to address security and privacy issues
  • Cloud Data Governance
    • Cloud Data Governance Maturity
    • Survey of current Cloud Provider practices in the market (e.g. backup, encryption, secure deletion, etc.)
    • Structure based on Domain 5: Information Lifecycle Management
    • Re-define Data Life Cycle Model
    • Identify Key Concerns for Stakeholders
    • Data Governance in Emerging Technologies in the Cloud
  • Telecom Working Group
    • Industry a key stakeholder in future of cloud
    • CSA’s liaison to ITU-T
    • 5 Telecom Initiatives: Telecom and the GRC Stack; ISO 27017; Interviews to CSP’s; SIEM Compliance Monitoring; Cloud Forensics and Legal
  • CloudCERT: Consensus research for emergency response in Cloud
    • Enhance community’s ability to respond to incidents
    • Standardized processes
    • Supplemental best practices for CERTs
    • Hosted Community of Cloud CERTs
  • Health Information Management (NEW): Provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries
    • 2 Health Initiatives: HIPAA and HiTech Best Practices; Healthcare Recommendations Guidance to V.3
  • Privacy Level Agreement (PLA): PLA = SLA for privacy. In the PLA (typically an attachment to the Service Agreement) the cloud service provider (CSP) clearly declares the level of privacy and data protection that it undertakes to maintain with respect to the relevant data processing.
    • Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection
    • Offer contractual protection against possible economic damages due to lack of compliance or commitment of the CSP to privacy and data protection regulation
  • ISACA/CSA Cloud Security Maturity Project
    • The Cloud Security Alliance (CSA) and ISACA announced the availability of a new survey on cloud market maturity
    • This is the first collaborative project between the two organizations
    • A report based off of the survey results will be published
  • Top Threats: Provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies
    • V.2 of Top Threats Report released in October 2012
  • CSA has been awarded 4 FP7 Projects
    • Helix Nebula - The HELIX NEBULA Project is a preliminary step towards a European cloud-based scientific e-infrastructure: HELIX NEBULA – the Science Cloud.
    • Cumulus - The overall aim of the project is to develop a framework for hybrid, incremental and multi-layer certification for all services in cloud computing stacks, including infrastructure (IaaS), platform (PaaS) and software services (SaaS).
    • Cirrus - Cirrus intends to bring together different stakeholders (industry, research, service providers, end-users, standardization bodies…) and perform an analysis of implications for overall E2E (end-to-end) Cloud Security, with special attention to issues of assurance and trustworthiness.
    • A4 Cloud - This project aims to clarify regulatory expectations with regard to cloud and also provide mechanisms that enable provision of accountable services in the cloud.
  • Most of our Research Projects are ideas from professionals like you. Do you have an idea for a research project on a cloud security topic? If so, please take the time to describe your concept by filling out our online form. This form is monitored by the CSA research team, who will review your proposal and respond to you with feedback.
  • Contribute to the CSA library: The Cloud Security Alliance is a community non-profit which is driven by its members. Have a white paper or information on a cloud security product you want to contribute? https://cloudsecurityalliance.org/education/white-papers-and-educational-material/
  • Learn how you can participate in Cloud Security Alliance’s goals to promote the use of best practices for providing security assurance within Cloud Computing: http://www.linkedin.com/groups?gid=1864210 and https://cloudsecurityalliance.org/get-involved/
  • RSA Conference 2013 Announcements
  • Released a draft of the latest version of the Cloud Control Matrix, CCM v3.0
    • Realigns the CCM control domains to achieve tighter integration with the CSA’s “Security Guidance for Critical Areas of Focus in Cloud Computing version 3”
    • Introduced three new control domains: Mobile Security; Supply Chain Management, Transparency and Accountability; Interoperability & Portability
    • Available for peer review through the CSA Interact website, with the peer review period closing March 31, 2013, and final release of CCM v3.0 on April 17, 2013
    • Peer review groups: https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_1 , https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_2 , https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_3
  • CSA Big Data Working Group released an initial report, The Top 10 Big Data Security and Privacy Challenges, at CSA Congress 2012
    • The 2013 RSA announcement expanded this to the Top Ten Big Data Security and Privacy Challenges report
    • The 35-page report outlines the unique challenges presented by Big Data
    • The Top 10 Big Data Security and Privacy Challenges have been enumerated as follows:
      1. Secure computations in distributed programming frameworks
      2. Security best practices for non-relational data stores
      3. Secure data storage and transactions logs
      4. End-point input validation/filtering
      5. Real-time security monitoring
      6. Scalable and composable privacy-preserving data mining and analytics
      7. Cryptographically enforced data centric security
      8. Granular access control
      9. Granular audits
      10. Data provenance
    • The goal of outlining these challenges is to raise awareness among security practitioners and researchers
    • To review the report and provide comments, please visit https://interact.cloudsecurityalliance.org/index.php/bigdata/top_ten_big_data_2013 .
  • Released a position paper on the American Institute of CPAs’ reporting framework
    • Educating members and providing guidance on selecting the most appropriate reporting option
    • Latest step in CSA’s previously announced Open Certification Framework and STAR Attestation initiatives
    • AICPA’s reporting framework, known as Service Organization Control Reports, consists of three major document types:
      • The first, the SOC 1 report, deals with controls over financial reporting
      • The SOC 2 report focuses on controls that bear on a service provider’s security, processing integrity and operating availability, as well as the confidentiality and privacy of data moving through its systems
      • A third report, SOC 3, is a compressed version of the SOC 2 and is designed for public distribution
    • Highlights that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services
    • The Cloud Controls Matrix is designed to be used in conjunction with existing standards, and this is one such example where the combination provides a comprehensive view that should suit most users’ reporting needs
    • Position paper also offers guidance to members on the following: when a SOC 1 report is necessary, when a SOC 2 report is called for, and when both engagement types may be required
    • The full position paper can be found at https://cloudsecurityalliance.org/research/collaborate/#_aicpa
  • The CSA PLA Working Group formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on Cloud Computing into an easy to use outline that CSPs can use to disclose personal data handling practices
    • The Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group released the Privacy Level Agreement (PLA) Outline for Cloud Service Providers providing services in the European Union
    • The Outline provides a structure for Cloud Service Providers (CSP) to disclose, in a consistent manner, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store in the CSP’s servers
    • Once a PLA outline is completed by a CSP, it will provide current and potential customers with a new tool to assess that CSP’s disclosure of its practices
    • This knowledge, in turn, will allow companies to evaluate the extent to which the use of a particular CSP will allow them to achieve compliance with applicable data protection laws, including, in particular, their transparency and accountability obligations, a positive shift for both the customer and provider alike
    • Key elements covered in the outline include: cloud customer internal and external due diligence; categories of personal data that may be uploaded to the service; ways in which data should be processed in the cloud; data location, transfer, retention, monitoring and security measures; personal data breach notification; data portability, migration, and transfer back assistance; accountability; law enforcement access; remedies
    • To learn more, download the PLA Initiative Research Sponsorship Outline
  • The Cloud Security Alliance (CSA) Top Threats Working Group released The Notorious Nine: Cloud Computing Top Threats in 2013
    • A revised report aimed to provide organizations with up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies
    • Report focuses on threats specifically related to the shared, on-demand nature of cloud computing
    • Serves as an up-to-date threat identification guide that will help cloud users and providers make informed decisions about risk mitigation within a cloud strategy
    • The Top Threats Working Group used these survey results alongside their expertise to craft the final The Notorious Nine: Cloud Computing Top Threats in 2013
    • Identified the following nine critical threats to cloud security:
      1. Data Breaches
      2. Data Loss
      3. Account Hijacking
      4. Insecure APIs
      5. Denial of Service
      6. Malicious Insiders
      7. Abuse and Nefarious Use
      8. Insufficient Due Diligence
      9. Shared Technology Issues
    • Intended to be utilized in conjunction with the best practices guides “Security Guidance for Critical Areas in Cloud Computing V.3” and “Security as a Service Implementation Guidance”
    • Companies and individuals interested in learning more or joining the group can visit https://cloudsecurityalliance.org/research/top-threats/
  • Formation of the Legal Information Center (CLIC), a new online resource
    • The launch of the CLIC is part of an ongoing effort on behalf of the CSA to help individuals and organizations better understand and address the various and often complicated legal issues related to cloud computing
    • The CLIC will be an open resource for cloud computing practitioners, regulators, and legal experts with a mission to provide unbiased information about the applicability of existing laws and also identify laws that are being impacted by technology trends that may require modification
    • As part of this new initiative, CSA and Box hosted a panel discussion entitled “US and Foreign Laws Regulating Government Access to Data Held in the Cloud” on Thursday, February 28th
      • Panel participants included legal and regulatory experts from seven countries
      • Moderated by Francoise Gilbert, Founder and General Manager of the IT Law Group as well as General Counsel for the CSA
      • The panel explored a wide range of issues related to the rule of laws governing access of governments to data held in the cloud
    • More information on the CLIC: https://cloudsecurityalliance.org/research/clic/
  • Announced the launch of a new global training program called the CSA Master Training Program
    • HP named as the initial partner of this new program
    • The CSA Master Training Program is designed to accelerate worldwide access and adoption of the CSA Certificate of Cloud Security Knowledge (CCSK) Certification
    • With assistance from HP, CSA will invest in the global expansion of CCSK training availability, with a key focus on the Asia Pacific region
    • CSA and HP will also work closely to collaborate on a curriculum roadmap through the CCSK Center of Excellence based in Singapore
    • HP will adapt existing CCSK lab-based training to include HP cloud solutions
    • HP Education Services will certify any HP CCSK training staff based on HP’s CSA-certified courseware
    • At the annual CSA Congress in October 2012, the CSA published version 3 of its CCSK
      • Included two principal updates: an update to the CCSK Training Materials as well as a new CCSK exam
      • The CCSK is aligned with the latest release of CSA’s Security Guidance as well as other intellectual property, which comprises the CSA Common Body of Knowledge (CBK)