The Global Mandate to Secure Cloud Computing Dr. Ricci IEONG, CISSP, CISA, CEH, CCFP, CCSK, F.ISFS STAR Auditor CSA #CLOUDSEC

The Global Mandate to Secure Cloud Computing · Area of Focus in Cloud Computing • Designed to ensure that a broad range of professionals with responsibility related to cloud computing


Page 1

The Global Mandate to Secure Cloud Computing
Dr. Ricci IEONG, CISSP, CISA, CEH, CCFP, CCSK, F.ISFS, STAR Auditor, CSA

#CLOUDSEC

Page 2

Trend of Cloud Computing

From "Dominate" (Gartner Top 10 Strategic Technology Trends for 2014):

• 1. Mobile device diversity and management
• 2. Mobile apps and applications
• 3. The Internet of Everything
• 4. Hybrid cloud and IT as service broker
• 5. Cloud/client
• 6. The era of personal cloud
• 7. Software-defined anything
• 8. Web-scale IT
• 9. Smart machines
• 10. 3D printing

To "Integrate" (Gartner Top 10 Strategic Technology Trends for 2015)

Page 3

Why do we need a Global Mandate to Secure Cloud Computing?

• State-sponsored cyberattacks?
• Organized crime?
• Legal jurisdiction & data sovereignty?
• Global security standards?
• Privacy protection for citizens?
• Transparency & visibility from cloud providers?

Page 4

The Global Mandate is Empowerment

• Shift the balance of power to consumers of IT
• Enable innovation to solve difficult problems of humanity
• Give the individual the tools to control their digital destiny
• Do this by creating confidence, trust and transparency in IT systems
• Security is not overhead, it is the enabler

Page 5

Key Trust Issues in Cloud

• Transparency & visibility from providers
• Compatible laws across jurisdictions
• Data sovereignty
• Incomplete standards
• Lack of true multi-tenant technologies & architecture
• Incomplete Identity Management implementations
• Risk concentration

Page 6

Collaboration in the Cloud

• Shared responsibility
• Incident sharing
• Legal frameworks
• Human intelligence
• Agile communities

Page 7

Who are we?

• Global, not-for-profit organization
• Building security best practices for next generation IT
• Research and educational programs
• Cloud Provider Certification – CSA STAR
• User Certification – CCSK
• The globally authoritative source for Trust in the Cloud

“To paraphrase Star Wars, CSA’s role is to bring trust to the cloud”

Cloud Security Alliance (HK&M Chapter)

Page 8

CSA Fast Facts

• Founded in 2009
• Membership stats as of August 2014
  – 68,000 individual members, 70 chapters globally
  – Over 300 corporate members worldwide
• Regional HQ in Seattle USA, Edinburgh UK and Singapore, covering Americas, EMEA and APAC
• Over 30 research projects in 25 working groups
• Strategic partnerships with governments, research institutions, professional associations and industry
• www.cloudsecurityalliance.org

Page 9

A sample of our corporate members

Page 10

CSA APAC – 24 official chapters

• Japan
• Korea
• Greater China Regional Coordinating Body
  – Beijing
  – Shanghai
  – Huanan
  – Xibei
  – Hong Kong & Macau
  – Taiwan
• Thailand
• Singapore
• India Regional Coordinating Body
  – Mumbai
  – Bangalore
  – NCR
  – Hyderabad
• Australia
• New Zealand
• Malaysia

In development: Indonesia, Philippines, India (New Delhi, Chennai, Pune)

Page 11

CSA APAC – Government relationships

Page 12

CSA Standardization

Page 13

International Standardization Council (ISC)

• Primary CSA interface with Standards Development Organizations (SDO)
• Coordinate standardization efforts within CSA
• Only available to corporate members, with 2 types of membership
  – Voting Membership
    • CSA corporate member representatives
    • Any affiliated CSA members who are involved with SDOs
    • Any at-large CSA members proposed by Council voting membership
  – Advisory Membership (observer status)

Page 14

CSA/SDO Relationship Landscape

Page 15

Trusted Provider Certification – the CSA STAR

Page 16

Transparency

• Public visibility into providers
  – Corporate governance
  – Supply chain
  – Information security program
  – Policies impacting customers
• Consumer right to know
• Public will demand better

“Sunlight is the best disinfectant,” U.S. Supreme Court Justice Louis Brandeis

Page 17

CSA Role in Assurance (diagram): Control Requirements; Provider Assertions; Private, Community & Public Clouds

Page 18

Framework Structure (diagram)

Page 19

Clear GRC objectives

Path to High Assurance (diagram): Self Assessment + 3rd Party Assessment + Real-time, continuous monitoring

Page 20

CSA STAR (Security, Trust and Assurance Registry)

• Public registry of cloud provider self-assessments
• Based on the Consensus Assessments Initiative Questionnaire
• Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Security as a market differentiator

www.cloudsecurityalliance.org/star – STAR – Demand it from your providers!

CSA STAR Registry (Level 1: Self Assessment Model) – more than 100 registered (August 2015)

Page 21

STAR Level 2

• Launch of Level 2 certification @ CSA EMEA Congress on Sep 25 2013
• Aliyun first to achieve Gold standard!
• Ribose (HK) was the first to achieve STAR Attestation!
• Since then, we have reference sites in China, Japan, Taiwan, Hong Kong certified to CSA STAR
• And governments worldwide have/are in the process of incorporating the OCF into their government procurement process

Page 22

Latest addition to Level 2 – C-STAR, a proposed Chinese framework

Page 23

www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance

OCF Level 3

• CSA STAR Continuous will be based on a continuous auditing/assessment of relevant security properties.
• It will be built on the following CSA best practices/standards in the CSA GRC Stack family:
  – Cloud Controls Matrix (CCM)
  – Cloud Trust Protocol (CTP)
  – CloudAudit (A6)
• CSA STAR Continuous is currently under development and the target date of delivery is 2015.

Page 24

Hong Kong CSPs are leading…

Also the first three companies that achieved C-STAR

Page 25

EDUCATION AND USER CERTIFICATION

<insert speaker organization logo> 25 www.cloudsec.com | #CLOUDSEC

Page 26

Introducing Certificate of Cloud Security Knowledge (CCSK)

• The industry’s first user certification program for secure cloud computing
• Based on the CSA research framework, specifically the Security Guidance for Critical Areas of Focus in Cloud Computing
• Designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud

Page 27

Training Courses Available Today

Hong Kong and Macau local training
• CCSK Basic
  – One day course to enable students to pass CCSK
• CCSK Plus
  – Two day course that includes practical cloud lab work
• HP CCSK Basic
  – 2 days extended course to enable students to pass CCSK
• HP CCSK Plus
  – 3 days extended course that includes practical cloud lab work
• CCSP (by ISC2 and CSA)

Other region activities
• CCSK Train-the-Trainer
  – Three day course including CCSK Plus
• GRC Stack Training
  – Additional one day course on using GRC Stack components
• PCI/DSS In the Cloud
  – Additional one day course focusing on achieving PCI compliance in cloud computing
• http://cloudsecurityalliance.org/education/training/

Page 28

CSA RESEARCH

Page 29

Research framework

• CSA research is organized under a framework based on the CSA Security Guidance for Critical Areas of Focus in Cloud Computing
• Total of 14 domains organised under 3 key areas of focus – Architecture, Governance and Operational Security

Page 30

Cloud Controls Matrix (CCM)

• Controls derived from the guidance
• Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP
• Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
• Customer vs provider role
• Helps bridge the “cloud gap” for IT & IT auditors

Page 31

Research Portfolio

• Our research includes fundamental projects needed to define and implement trust within the future of information technology
• CSA continues to be aggressive in producing critical research, education and tools
• Sponsorship opportunities
• Selected research projects in the following slides

Page 32

Page 33

HK & MACAU CHAPTER ACTIVITIES

Page 34

About HKM Local Chapter

• Launched in 2012
• Organization founded Jul 2015

Page 35

Corporate members (from Hong Kong)

Come and join us

Page 36

How to participate?

• For Enterprise
  – Join us as a corporate member
  – Participate to drive the market standards
• For Individual
  – Join us as an individual member
  – Learn more about cloud security topics
• Join our upcoming activities

Please visit our booth

Page 37

Our upcoming activities

• Casual monthly chit-chat sessions
  – 1 – 2 hr session
  – Mainly for networking purposes
• Quarterly technical sessions
  – 2 – 3 hr session
  – Mainly for technical knowledge sharing by members, vendors or technical experts
• Hot topics workshop sessions
  – 4 hr session
  – Technical knowledge workshop, mainly for hands-on experience sharing related to Cloud Computing

Sep 2015: How does Win 10 enhance cloud security?

Oct 2015: Security in Government Cloud

Dec 2015: Encryption technical solutions for Cloud users and Secure Cloud Storage

More topics … SDN, Hybrid Cloud, PaaS, Cloud Certification

Page 38

Contact

• Email: [email protected]
• WWW: www.csahkm.org
• LinkedIn: https://www.linkedin.com/grp/home?gid=4069005
• Facebook: https://www.facebook.com/pages/Cloud-Security-Alliance-Hong-Kong-Macau-Chapter/

Page 39