• Global, not-for-profit organization, started Nov. 2008,
  individual members (free), corporate members and
  affiliated organizations
• Inclusive membership, supporting broad spectrum of
  subject matter expertise: cloud experts, security, legal,
  compliance, virtualization, and on and on…
• We believe Cloud Computing has a robust future, we
  want to make it better
  “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

                   Copyright © 2009 Cloud Security Alliance
   www.cloudsecurityalliance.org
•  April 2009: Security Guidance for Critical Areas of Focus for Cloud
  Computing – Version 1
•  July 2009: Version 1 translated into Japanese
•  November 2009: Security Guidance for Critical Areas of Focus for
  Cloud Computing – Version 2
•  Q4 2009: Top Ten Cloud Threats (monthly)
•  Q4 2009: Provider & Customer Checklists
•  Q4 2009: eHealth Guidance
•  Global CSA Executive Summits
  •  Q1 2010 – Europe
  •  Q1 or Q2 2010 - US
Focusing the Security Discussion

[Figure: three-axis view used to focus the security discussion. Axis 1, XaaS Layers: Software as a Service, Platform as a Service, Infrastructure as a Service. Axis 2, deployment model: Public, Private, Hybrid. Axis 3, Application Domains. Example points plotted on the figure: SaaS / Public / CRM; IaaS / Hybrid / HPC-Analytics; IaaS / Public / Transcoding.]
1. Architecture & Framework

Governing in the Cloud
  1. Governance & Risk Mgt
  2. Legal
  3. Electronic Discovery
  4. Compliance & Audit
  5. Information Lifecycle Mgt
  6. Portability & Interoperability

Operating in the Cloud
  1. Traditional, BCM, DR
  2. Data Center Operations
  3. Incident Response
  4. Application Security
  5. Encryption & Key Mgt
  6. Identity & Access Mgt
  7. Storage
  8. Virtualization
Analyzing Cloud Security
• Some key issues:
  • Trust, multi-tenancy, encryption, key management, compliance
• Clouds are massively complex systems, but they can be reduced to simple
  primitives that are replicated thousands of times, plus a set of common
  functional units
• Cloud security is a tractable problem
  • There are both advantages and challenges
Balancing Threat Exposure and Cost Effectiveness

• Private clouds may have less threat exposure than community or hosted
  clouds, which in turn may have less threat exposure than public clouds.
• Massive public clouds may be more cost effective than large community
  clouds, which in turn may be more cost effective than small private clouds.
General Security Advantages
• Democratization of security capabilities
• Shifting public data to an external cloud reduces the exposure of the
  internal sensitive data
• Forcing functions to add security controls
• Clouds enable automated security management
• Redundancy / Disaster Recovery
General Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control
•  Geo-location of sensitive data
•  Inability to deploy security services (e.g. scanning)
•  Risk with shared computing platform (multi-tenant)
•  Data confidentiality
•  Access via internet – untrusted
•  Cloud vendors for the most part non-committal on security
•  Company data on 3rd party machine
•  Compliance lacking – inability to satisfy auditors
•  Vendors not up to speed from a guidance and auditing perspective
•  Inability to perform forensic investigation
“We have to accept what we all know to be elemental - that taking a defensive position can, at best, only limit losses. And we need gains.”

Peter F. Drucker
• Cloud Computing is real and transformational
• Cloud Computing can be secured but also can carry increased risk due to
  aggregation of assets
• Broad governance approach needed
• Tactical fixes needed
• Combination of updating existing best practices and creating completely
  new best practices
• Common sense not optional
• Join us, help make our work better
• Discussions & announcements on LinkedIn
• Hold regional CSA Meetups
• Other research initiatives and events being planned



• Individual Membership (free)
  • Subject matter experts for research
  • Interested in learning about the topic
  • Administrative & organizational help
• Corporate Sponsorship
  • Help fund outreach, events
• Affiliated Organizations (free)
  • Joint projects in the community interest
• Contact information on website
• www.cloudsecurityalliance.org
• info@cloudsecurityalliance.org
• Twitter: @cloudsa, #csaguide
• LinkedIn: www.linkedin.com/groups?gid=1864210 



Cloud Security Alliance - Guidance