Csa about-threats-june-2010-ibm

Cloud Security Alliance: Assuring the future of Cloud Computing
Sergio Loureiro, CSA founding member
sergio@secludit.com
IBM La Gaude, 23rd June 2010

About the Cloud Security Alliance
Global, not-for-profit organization
Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on…
We believe Cloud Computing has a robust future, we want to make it better
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Membership
50+ Corporate Members
12 non-profit affiliations
10,000 individual members growing by 300/week
Broad Geographical Distribution
Working Group activities performed through individual membership class

Corporate Members

S-P-I Framework
You “RFP”
security in
SaaS
Software as a Service
You build
security in
PaaS
Platform as a Service
IaaS
Infrastructure as a Service

Top Threats to Cloud Computing

Shared Technology Vulnerabilities

Data Loss / Data Leakage

Malicious Insiders

Interception or Hijacking of Traffic

Insecure APIs

Nefarious Use of Service

Unknown Risk Profile

Top Threats - Status

CSA Research ProjectsGo to www.cloudsecurityalliance.org/Research.html for Research dashboard and Working Group signup

CSA Guidance Research
Cloud Architecture
Popular best practices for securing cloud computing
13 Domains of concern – governing & operating groupings
Foundation for CSA research
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Governing the Cloud
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Security, Bus. Cont,, and Disaster Recovery
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Operating in the Cloud
Encryption and Key Management
Identity and Access Management
Virtualization
Guidance > 100k downloads: cloudsecurityalliance.org/guidance

CSA Guidance Research - Status
Cloud Architecture
Ver 2.1 released Dec 2009
Ver 3 mid-2011
2010 focus
Translations
Wiki format
Per domain whitepapers (not official guidance)
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Governing the Cloud
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Security, Bus. Cont,, and Disaster Recovery
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Operating in the Cloud
Encryption and Key Management
Identity and Access Management
Virtualization

Guidance Highlights - Governance
Best opportunity to secure cloud engagement is before procurement – contracts, SLAs, architecture
Know provider’s third parties, BCM/DR, financial viability, employee vetting
Identify data location when possible
Plan for provider termination & return of assets
Preserve right to audit
Reinvest provider cost savings into due diligence

Guidance Highlights - Operating
Encrypt data when possible, segregate key mgt from cloud provider
Adapt secure software development lifecycle
Understand provider’s patching, provisioning, protection
Logging, data exfiltration, granular customer segregation
Hardened VM images
Assess provider IdM integration, e.g. SAML, OpenID

CSA Research Projects
Cloud Controls Matrix Tool
Trusted Cloud Initiative
Consensus Assessments Initiative
Cloud Metrics Research

Contact
Help us secure cloud computing
www.cloudsecurityalliance.org
info@cloudsecurityalliance.org
LinkedIn: www.linkedin.com/groups?gid=1864210
Twitter: @cloudsa

Summary
Cloud Computing is real and transformational
Challenges for People, Process, Technology, Organizations and Countries
Broad governance approach needed
Tactical fixes needed
Combination of updating existing best practices and creating completely new best practices
Adapting controls into “all virtual” environment

Thank you!sergio@secludit.comBlog elastic-security.com, Twitter @elasticsecurity

http://elastic-security.com	219
http://www.slideshare.net	3
url_unknown	2

Csa about-threats-june-2010-ibm

by Sergio Loureiro on Jun 24, 2010

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 224

Statistics

Csa about-threats-june-2010-ibm — Presentation Transcript