www.cloudsecurityalliance.orgCopyright © 2016 Cloud Security Alliance
Jim Reavis, CEO
June 2016
CEO and Founder of Cloud Security Alliance
25 years' experience in information security
Honored to be a presenter at the inaugural CSA Argentina Summit
State of permanent warfare
Battlefields change
Weapons change
Create enough security to ensure a profitable outcome
Changing compute, changing the world
As IT moves into the Cloud, so must Security
As IT loses control of the endpoint, Cloud is the only Security option
As the Internet of Things scales upwards, Cloud computing will be its data repository, application engine, provisioning system, Security platform and organizing concept
Security has a new battlefield
1. Data Breaches
2. Compromised Credentials and IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. APTs
8. Data Loss
9. Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Issues
https://cloudsecurityalliance.org/group/top-threats/
Awareness: Capturing data on current cloud usage within organization
Opportunistic: Identifying strong cloud adoption opportunities (Cloud First!)
Strategic: Building cloud adoption program – security program, architecture, frameworks & business alignment
Announced at CSA Summit @ RSA
Chaired by Vinay Patel, Head of Security, Citi Infrastructure, Citigroup
Public facing, demonstrate enterprise support of CSA publicly
Issue public “Calls to action” for industry
Advise CSA on strategy
Issue annual “State of Cloud Security” report
https://cloudsecurityalliance.org/download/state-of-cloud-security-2016/
Citigroup, Johnson & Johnson, Caterpillar, Hertz, Lucasfilm, ADP, Coca Cola, United Healthcare and several others
Uneven: Terrific Tier 1 Cloud Provider Security coexists with Poor and Unknown Provider Security
Secure Provider + Mature Customer may not equal secure relationship
Poor Integration & Alignment, e.g. Bring Your Own Keys
Communication Gaps, e.g. sharing event info
Enterprises want a holistic risk-based view of IT with Cloud as a seamless extension
Greater transparency will help enterprises close the gaps
Threat intelligence and incident sharing
Transparency on verifiable controls with strong integrity checks
Standards development on common security requirements
Support for multi-vendor enterprise
Servers are Dead, Long Live Services!
APIs, Automation, Agility, Disposable Infrastructure
SDN, IoT, Analytics, CASB
Better Ways to Handle Old Problems
Fight the Legacy Mindset
Policies rapidly outdated by technology changes
Duplicative nature of many regulations
Conflicting regulations
Global nature of enterprises and cloud providers vs regional regulatory authorities
Knowledge gaps for regulators and auditors in addressing cloud computing
Engagement with Regulatory Decision Makers Key
One million unfilled information security jobs
Lagging skillsets among the employed
Understanding different types of Clouds and your Role
Due diligence is critical, Data is key
Identity is very important
Forcing legacy tools & architectures on cloud security problems doesn’t work
Heavy-handed blocking of cloud services backfires on infosec
Key role of intermediaries (Cloud Access Security Broker)
Think Virtually!
How CSA delivers the secure cloud
Global, not-for-profit organization
Building security best practices for next generation IT
Research and Educational Programs
Cloud Provider Certification – CSA STAR
User Certification - CCSK
The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
Founded in 2009
Membership stats as of June 2016
75,000 individual members, 80 chapters globally
330 corporate members
Operates in 3 Divisions
CSA Americas headquarters in Seattle
CSA APAC, headquarters in Singapore
CSA Europe (responsible for Europe/Middle East/Africa), headquarters in Edinburgh UK
Over 30 research projects in 25 working groups
Strategic partnerships with governments, research institutions, professional associations and industry
www.cloudsecurityalliance.org
Certificate of Cloud Security Knowledge (CCSK)
Benchmark of cloud security competency
Based on CSA guidance
Online web-based examination
www.cloudsecurityalliance.org/education/ccsk/
Partnered with (ISC)2 to develop complementary certification: CCSP
Close cloud security knowledge gaps
CSA STAR (Security, Trust and Assurance Registry), 3 Level Provider Certification Program
Managed by CSA in partnership with world leading ISO certification bodies and audit firms
Adopted Worldwide by Providers, Enterprises and Governments
www.cloudsecurityalliance.org/star
Level 1 STAR Self-Assessment
Public Registry of Cloud Provider self assessments based on CSA standards
Level 2 STAR 3rd Party Audits
STAR Certification: Integrates ISO/IEC 27001:2013
STAR Attestation: Based upon Type 2 SOC
Coming in Q4 2016: STARWatch
Ask for provider’s STAR entry
If unavailable, ask provider to fill out CSA’s Cloud Controls Matrix or Consensus Assessments Initiative Questionnaire
www.cloudsecurityalliance.org/research/ccm
www.cloudsecurityalliance.org/research/cai
Guidance V4
Global Enterprise Advisory Board
Software Defined Perimeter
Financial Services Platform
CCM/CAIQ/CTP/CloudAudit
Security as a Service
Internet of Things
Quantum-Safe Computing
CASB enablement: OpenAPI
Other
It is all free!
https://cloudsecurityalliance.org/research
Blockchain
Containers, micro services
Internet of Things
DevSecOps: DevOps applied to security
Analytics
Autonomous computing
Artificial Intelligence
Quantum-Safe Computing
Developing a secure world, virtually, in software
Help us solve tomorrow’s problems today
Email: info@cloudsecurityalliance.org
WWW: www.cloudsecurityalliance.org
Twitter: @cloudsa

Csa summit argentina-reavis