Csa about-threats-june-2010-ibm

Published in: Technology, Business
  • The security approach and role varies depending on the delivery model
  • SecureCloud – ISACA, ENISA, IEEE & CSA
  • The CSA Guidance is our flagship research that provides a broad catalog of best practices. It contains 13 domains to address both broad governance and specific operational issues. This Guidance is used as a foundation for the other research projects in the following slides that relate to compliance.
  • Do visit the website. Do join the LinkedIn Groups – you will receive regular email updates

    1. Cloud Security Alliance: Assuring the future of Cloud Computing
       Sergio Loureiro, CSA founding member
       sergio@secludit.com
       IBM La Gaude, 23rd June 2010
    2. About the Cloud Security Alliance
       Global, not-for-profit organization
       Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on…
       We believe Cloud Computing has a robust future, we want to make it better
       “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
    3. Membership
       50+ Corporate Members
       12 non-profit affiliations
       10,000 individual members growing by 300/week
       Broad Geographical Distribution
       Working Group activities performed through individual membership class
    4. Corporate Members
    5. S-P-I Framework
       You “RFP” security in
       SaaS: Software as a Service
       You build security in
       PaaS: Platform as a Service
       IaaS: Infrastructure as a Service
    6. Top Threats to Cloud Computing
    7. Shared Technology Vulnerabilities
    8. Data Loss / Data Leakage
    9. Malicious Insiders
    10. Interception or Hijacking of Traffic
    11. Insecure APIs
    12. Nefarious Use of Service
    13. Unknown Risk Profile
    14. Top Threats - Status
    15. CSA Research Projects
        Go to www.cloudsecurityalliance.org/Research.html for Research dashboard and Working Group signup
    16. CSA Guidance Research
        Cloud Architecture
        Popular best practices for securing cloud computing
        13 Domains of concern – governing & operating groupings
        Foundation for CSA research
        Governing the Cloud:
          Governance and Enterprise Risk Management
          Legal and Electronic Discovery
          Compliance and Audit
          Information Lifecycle Management
          Portability and Interoperability
        Operating in the Cloud:
          Security, Bus. Cont., and Disaster Recovery
          Data Center Operations
          Incident Response, Notification, Remediation
          Application Security
          Encryption and Key Management
          Identity and Access Management
          Virtualization
        Guidance > 100k downloads: cloudsecurityalliance.org/guidance
    17. CSA Guidance Research - Status
        Cloud Architecture
        Ver 2.1 released Dec 2009
        Ver 3 mid-2011
        2010 focus:
          Translations
          Wiki format
          Per domain whitepapers (not official guidance)
        Governing the Cloud:
          Governance and Enterprise Risk Management
          Legal and Electronic Discovery
          Compliance and Audit
          Information Lifecycle Management
          Portability and Interoperability
        Operating in the Cloud:
          Security, Bus. Cont., and Disaster Recovery
          Data Center Operations
          Incident Response, Notification, Remediation
          Application Security
          Encryption and Key Management
          Identity and Access Management
          Virtualization
    18. Guidance Highlights - Governance
        Best opportunity to secure cloud engagement is before procurement – contracts, SLAs, architecture
        Know provider’s third parties, BCM/DR, financial viability, employee vetting
        Identify data location when possible
        Plan for provider termination & return of assets
        Preserve right to audit
        Reinvest provider cost savings into due diligence
    19. Guidance Highlights - Operating
        Encrypt data when possible, segregate key mgt from cloud provider
        Adapt secure software development lifecycle
        Understand provider’s patching, provisioning, protection
        Logging, data exfiltration, granular customer segregation
        Hardened VM images
        Assess provider IdM integration, e.g. SAML, OpenID
    20. CSA Research Projects
        Cloud Controls Matrix Tool
        Trusted Cloud Initiative
        Consensus Assessments Initiative
        Cloud Metrics Research
    21. Contact
        Help us secure cloud computing
        www.cloudsecurityalliance.org
        info@cloudsecurityalliance.org
        LinkedIn: www.linkedin.com/groups?gid=1864210
        Twitter: @cloudsa
    22. Summary
        Cloud Computing is real and transformational
        Challenges for People, Process, Technology, Organizations and Countries
        Broad governance approach needed
        Tactical fixes needed
        Combination of updating existing best practices and creating completely new best practices
        Adapting controls into “all virtual” environment
    23. Thank you!
        sergio@secludit.com
        Blog elastic-security.com, Twitter @elasticsecurity
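Slide 19's first point, "encrypt data when possible, segregate key mgt from cloud provider", is the one operating recommendation on the deck that maps directly onto a concrete design: envelope encryption with the key-encryption key (KEK) held in customer-controlled key management rather than at the provider. The following Go program is an added example written for this page; it is not code from the CSA, the Guidance, or the presenter. It assumes the KEK lives in a customer-side KMS or HSM (here simply a 32-byte value passed in), uses AES-256-GCM from the Go standard library for both layers, and binds each envelope to a constructed object identifier as additional authenticated data so a stored envelope cannot be silently moved to another object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the cloud provider: the ciphertext and
// the per-object data key (DEK) wrapped under the customer-held KEK. Without
// the KEK the provider holds nothing it can decrypt.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the KEK (nonce || AES-GCM output)
	Ciphertext []byte // payload sealed under the DEK (nonce || AES-GCM output)
}

// gcmSeal encrypts plaintext with AES-GCM under key, binding aad, and returns
// the random nonce prepended to the ciphertext so gcmOpen can recover it.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; a wrong key, wrong aad or any tampering fails
// authentication and yields an error rather than garbage plaintext.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt builds an envelope: a fresh 256-bit DEK per object, the payload
// sealed under the DEK, and the DEK sealed under the customer KEK. objectID is
// a constructed identifier (for example a bucket/key path) used as AAD.
func Encrypt(kek, plaintext, objectID []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, objectID)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, objectID)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt runs on the customer side: unwrap the DEK with the KEK, then open
// the payload. The KEK never has to leave customer-controlled key management.
func Decrypt(kek []byte, env *Envelope, objectID []byte) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, objectID)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, objectID)
}

// Rewrap rotates the KEK without touching the stored ciphertext: only the
// small wrapped DEK is re-sealed, which is the operational payoff of keeping
// key management separate from the bulk data held at the provider.
func Rewrap(oldKEK, newKEK []byte, env *Envelope, objectID []byte) (*Envelope, error) {
	dek, err := gcmOpen(oldKEK, env.WrappedDEK, objectID)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	wrapped, err := gcmSeal(newKEK, dek, objectID)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek := []byte("constructed-32-byte-customer-kek") // 32 bytes, held off-provider
	id := []byte("bucket/payroll-2010-06.csv")          // constructed object id
	env, err := Encrypt(kek, []byte("employee,salary\nalice,100"), id)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env, id)
	fmt.Printf("customer decrypt ok=%v bytes=%d\n", err == nil, len(pt))
	_, err = Decrypt(make([]byte, 32), env, id)
	fmt.Printf("provider without KEK decrypt ok=%v\n", err == nil)
}
```

The provider-side failure is not a "wrong password" check but an AEAD authentication failure: any key other than the KEK fails to open the wrapped DEK, and a DEK unwrapped under the wrong object identifier fails as well, so an envelope copied from one object to another is rejected. The second half of the slide's point, "segregate key mgt from cloud provider", is what makes this more than encryption at rest: if the same provider stores both the envelope and the KEK, the separation collapses.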
