Atlanta Chapter Joint Meeting May 29, 2014

CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to the Cloud and CSA Research


Page 1: CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to the Cloud and CSA Research

Atlanta Chapter Joint Meeting, May 29, 2014

Page 2

Agenda

• Key Trust Issues in the Cloud

• CSA Research Roadmap

• 30 Minutes Later…


All materials were created by the CSA and used by philA.

Page 3

Key Trust Issues in the Cloud

3 © 2014, Cloud Security Alliance.

Page 4

Key Trust Issues in Cloud

• Incomplete standards

• Evolving towards true multi-tenant technologies & architecture

e.g. Identity Brokering

• Risk Concentration

• Incompatible laws across jurisdictions

• Lack of transparency & visibility from providers and government

Page 6

The Government Trust Issue

Page 7

US Patriot Act

• USA Patriot Act of 2001 (reauthorized in 2006 & 2011)

• Not a new law, but a series of amendments to existing laws related to surveillance, investigation and prosecution of terrorism (Foreign Intelligence Surveillance Act)

• Most requests for information follow subpoenas/warrants, but records may be sealed

• Most countries have laws permitting disclosure of user info without user consent related to foreign intelligence and national security

• Not clear whether the interpretation of Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA) followed legislative intent

Page 8

Meet philA

Hello, I’m a data guy…

I’m with the Ponemon Institute.

You know, you quote us all of the time:

Annual Cost of Data Breach

Annual Cost of Cybercrime

Annual Most Trusted Companies for Privacy

Page 9

CSA Government Access to Information Survey

• Conducted online from June 25, 2013 to July 9, 2013

• 456 responses

  • 234 from United States of America

  • 138 from Europe

  • 36 from Asia Pacific

• Many long, long open-ended responses

https://cloudsecurityalliance.org/wp-content/uploads/2013/07/CSA-govt-access-survey-July-2013.pdf

Page 10

Using US Cloud Providers

• Survey Question: (For non-US residents only) Does the Snowden Incident make your company more or less likely to use US-based cloud providers? (207 respondents)

• 56% less likely to use US-based cloud providers

• 31% no impact on usage of US-based cloud providers

• 10% cancelled a project to use US-based cloud providers

• 3% more likely to use US-based cloud providers

Page 11

Using US Cloud Providers

• Survey Question: (For US residents only) Does the Snowden Incident make it more difficult for your company to conduct business outside of the US? (220)

• 36% Yes

• 64% No

Page 12

Transparency of Government Access

• Survey Question: (For all respondents) How would you rate your country's processes to obtain user information for the purpose of criminal and terrorist investigations? (440)

• 47% Poor, there is no transparency in the process

• 32% Fair, there is some public information about the process and some instances of its usage

• 11% Unknown, I do not have enough information to make an informed judgment

• 10% Excellent, the process is well documented

Page 13

Opinion of Patriot Act

• Survey Question: (For all respondents) If you have concerns about this recent news, which of the following actions do you think would be the best course to mitigate concerns? (423)

• 41% The Patriot Act should be repealed in its entirety.

• 45% The Patriot Act should be modified to tighten the oversight of permitted activities and to provide greater transparency as to how often it is enacted.

• 13% The Patriot Act is fine as is.

Page 14

Publishing FISA Requests

• Survey Question: (For all respondents) Should companies who have been subpoenaed through provisions of the Patriot Act, such as FISA (Foreign Intelligence Surveillance Act) be able to publish summary information about the amount of responses they have made? (438)

• 91% Yes

• 9% No

Page 15

Balancing Safety and Privacy

“…Living in this kind of democracy, we’re going to have to be a little less effective in order to be a little more transparent to get to do anything to defend the American people.”

Michael Hayden, former Director of CIA and NSA

Page 16

Important Considerations for Enterprises and Public Policy

• Transparency of actors

• Metadata is important

• Data minimization principles

Page 17

Industry Transparency Example

• User Data requests from law enforcement according to Google

• Jul – Dec 2012, from http://www.google.com/transparencyreport/governmentrequests/

• France: 1,693 requests, responded to 44%

• Germany: 1,550 requests, responded to 42%

• India: 2,431 requests, responded to 66%

• Singapore: 96 requests, responded to 75%

• US: 8,438 requests, responded to 88%

• UK: 1,458 requests, responded to 70%

Page 18

Can Providers be Transparent about National Security Issues?

“…ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.”

David Drummond, Chief Legal Counsel, Google

Page 19

EFF - Who Has Your Back? 2014

Page 20

CSA Transparency Example: STAR

• CSA STAR (Security, Trust and Assurance Registry)

• Public Registry of Cloud Provider self assessments

• Based on CSA best practices (CCM or CAIQ)

• Voluntary industry action promoting transparency

• Security as a market differentiator

• www.cloudsecurityalliance.org/star

• STAR – Demand it from your providers!

Page 21

CSA STAR: Read and Compare


DG 4.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?

Amazon AWS: AWS errs on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis.

Box.net: Box does have documented procedures for responding to requests for tenant data from governments and third parties.

SHI: Customer responsibility. SHI has no direct access, so requests for data through third parties will be responded to by the customer themselves; however, SHI can sanitize and delete customer data upon migration from the cloud.

Verizon/Terremark: Yes

Page 22

What is the Future of Assurance in the Global Compute Utility?

• Traditional Auditing and Certification activities

• Harmonized disparate requirements versus a single global standard

• Example - NIST CSF for cyber security

• Continuous Monitoring

• Community Policing via Transparency

• Privacy emphasis

Page 23

What global dialogue is needed?

• Government

  • Do we treat foreigners differently than citizens?

  • Aligning with global standards for assurance

• Industry

  • Build the technology to make policy moot

• Enterprise

  • A time to engage

  • Demand accountability from policy makers & providers

  • Protect your data and metadata

• For All: Demand Transparency & Minimization Principles

Page 24

I’m not going to keep you much longer

It’s 30 minutes already.

But…

Page 25


CSA Research Roadmap

Page 26

© 2013, Cloud Security Alliance.

CSA Research Portfolio

• Our research includes fundamental projects needed to define and implement trust within the future of information technology

• CSA continues to be aggressive in producing critical research, education and tools

• 30+ Active Global Work Groups

Page 27

Page 28

Security Guidance for Critical Areas of Cloud Computing

• The CSA guidance, as it enters its third edition, seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.

• The Security Guidance V.3 will serve as the gateway to emerging standards being developed in the world’s standards organizations and is designed to serve as an executive-level primer to any organization seeking a secure, stable transition to hosting their business operations in the cloud.

• Research and Activities for 2013 - 2014

  • Security Guidance for Critical Areas of Cloud Computing V.4 – Q1 2014 (Planning)

  • Publish V.4 – Q4 2014/Q1 2015

Page 29

www.cloudsecurityalliance.org

GRC Stack

Family of 4 research projects:

• Cloud Controls Matrix (CCM)

• Consensus Assessments Initiative (CAI)

• Cloud Audit

• Cloud Trust Protocol (CTP)

Impact to the Industry:

• Developed tools for governance, risk and compliance management in the cloud

• Technical pilots

• Provider certification through STAR program

[Figure labels: Control Requirements; Provider Assertions; Private, Community & Public Clouds]

Page 30

Cloud Control Matrix Working Group

• The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

• Research and Activities for 2013 – 2014

  • CCM V.3 – Q3 2013

  • Internet2 Net+ Initiative Mappings (Higher Education) – Q2 2013

  • AICPA Trust Service Principles Mapping – Q4 2013

  • ENISA Information Assurance Framework Mapping – Q4 2013

  • ODCA Mapping – Q4 2013

  • German BSI Mapping – Q4 2013

  • NZISM Mapping – Q4 2013

  • Unified Compliance Framework Mapping – TBD

  • Control Area Gap Analysis – Q4 2013

  • COBIT 5 Mapping – Q1 2014

  • NIST SP 800-53 Rev 4 – Q4 2013

  • Slovenian Information Commissioner on Privacy Guidance for Cloud Computing Mapping – Q1 2014

Page 31

Consensus Assessment Initiative

• Lack of security control transparency is a leading inhibitor to the adoption of cloud services. The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.

• We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners.

• Research and Activities for 2013 – 2014

  • CAIQ V.3 – Q4 2013

Page 32

Cloud Audit

• The goal of CloudAudit is to provide a common interface and namespace that allows enterprises who are interested in streamlining their audit processes (cloud or otherwise) as well as cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.

• Research and Activities for 2013 – 2014

  • Create CCM V.3 Database – Q4 2013

  • Automate Change-adds through DB Version of CCM – Q1 2014

  • Update Notification Functionality – Q2 2014

Page 33

Cloud Trust Protocol Working Group

• The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as “cloud users” or “cloud service owners”) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, …, and nothing else.

• Research and Activities for 2013 – 2014

  • API Interface Definition – Q3 2013

  • Prototype – Q4 2013

  • Trust Model – Q1 2014

  • Pilot – Q2 2014

Page 34

CSA Enterprise Architecture (aka Trusted Cloud Initiative)

• To promote research, development, and education of best practices and methodologies around a reference architecture for a secure and trusted cloud.

• Research and Activities for 2013 – 2014

  • Develop a Use-Case for the Network Container, to define more context about Polymorphic Malware Prevention – Q4 2013

  • Develop a Use-Case around Behavioral Monitoring – Q4 2013

  • KRI and KPI Development for CSA Reference Architecture Interactive Site – Q4 2013

  • Case Study Webinars (CloudBytes Sessions) – Q4 2013

Page 35

Top Threats Working Group

• The purpose of this document, Top Threats to Cloud Computing, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to Security Guidance for Critical Areas in Cloud Computing.

• Research and Activities for 2013 – 2014

  • Top Threats to Cloud Computing Survey – Q1 2014

  • Top Threats to Cloud Computing V.4 – Q2 2014

  • Full featured Interact Change Method for Top Threats – Q3 2014

Page 36

Cloud Vulnerabilities Working Group

• The CSA Cloud Vulnerabilities Working Group is a global working group chartered to conduct research in the area of cloud computing vulnerabilities, with the goals of understanding and educating on the classification and exact causes of cloud computing vulnerabilities, recommendations and best practices for the reduction of top vulnerabilities, reporting of vulnerabilities and the development of related tools and standards.

• Research and Activities for 2013 – 2014

  • Publish Cloud Vulnerabilities White Paper – Q2 2013

  • Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data – Q1 2014

  • Creation of a cloud vulnerability feed documentation mechanism/format/protocol – Q2 2014

  • Portal established for cloud vulnerability reporting and tools – Q4 2014

Page 37

Security as a Service

• Research for gaining greater understanding of how to deliver security solutions via cloud models.

• Information Security Industry Re-invented

• Identify Ten Categories within SecaaS

• Implementation Guidance for each SecaaS Category

• Align with international standards and other CSA research

• Industry Impact: Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3

Page 38

Security as a Service Working Group

• The purpose of this research will be to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices. Other research purposes will be identified by the working group.

• Research and Activities for 2013 – 2014

  • Defined SecaaS Framework (Defined Categories of Service V.2) – Q4 2013

  • Implementation Guidance Documents V.2 – Q1 2014 (Start Planning)

Page 39

Smart Mobile

• Mobile

• Securing application stores and other public entities deploying software to mobile devices

• Analysis of mobile security capabilities and features of key mobile operating systems

• Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives

• Guidelines for the mobile device security framework and mobile cloud architectures

• Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device

• Best practices for secure mobile application development

Page 40

Mobile Working Group

• Mobile computing is experiencing tremendous growth and adoption, while the devices are gaining significant power and dynamic capabilities. Personally owned mobile devices are increasingly being used to access employers’ systems and cloud-hosted data - both via browser-based and native mobile applications. Clouds of mobile devices are likely to be common. The CSA Mobile working group will be responsible for providing fundamental research to help secure mobile endpoint computing from a cloud-centric vantage point.

• Research and Activities for 2013 – 2014

  • BYOD Policy Guidance – Q3/Q4 2013

  • Mobile Authentication Management – Q3/Q4 2013

  • Mobile Application Security Guidance – Q3/Q4 2013

  • Mobile Device Management – Q3/Q4 2013

  • Mobile Maturity v2 Report – Q4 2013

  • Mobile Security Guidance V.2 – Q4 2013

Page 41

Big Data Working Group

• Big Data

  • Identifying scalable techniques for data-centric security and privacy problems

  • Lead to crystallization of best practices for security and privacy in big data

  • Help industry and government on adoption of best practices

  • Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards

  • Accelerate the adoption of novel research aimed to address security and privacy issues

Page 42

Big Data Working Group

• The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems. BDWG’s investigation is expected to lead to crystallization of best practices for security and privacy in big data, help industry and government on adoption of best practices, establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards, and accelerate the adoption of novel research aimed to address security and privacy issues.

• Research and Activities for 2013 – 2014

  • Expanded Top 10 Big Data Security and Privacy Concerns – Q3 2013

  • Big Data Analytics for Security Intelligence – Q3 2013

  • Big Data Framework and Taxonomy White Paper – Q4 2013

  • Big Data Cryptography Report – Q4 2013/Q1 2014

  • Big Data Policy and Governance Position Paper - TBD

  • Cloud Infrastructures' Attack Surface Analysis and Reduction Position Paper - TBD

Page 43

Cloud Data Governance Working Group

• Cloud Computing marks the decrease in emphasis on 'systems' and the increase in emphasis on 'data'. With this trend, Cloud Computing stakeholders need to be aware of the best practices for governing and operating data and information in the Cloud.

• Research and Activities for 2013 – 2014

  • Data Governance across International Borders – Q1 2014

  • Data Tracking and Logging Standard – Q2 2014

Page 44

Incident Management & Forensics Working Group

• The Working Group serves as a focal point for the examination of incident handling and forensics in cloud environments. We seek to develop best practices that consider the legal, technical, and procedural elements involved in responding in a forensically sound way to security incidents in the cloud.

• Research and Activities for 2013 – 2014

  • Publish “Provider Forensic Support in Public Multi-Tenant Cloud Environments” – Q3 2013

  • Developing a capability maturity model (CMM) for IncM and Forensics in Cloud Environments – Q4 2013

  • Conduct first workshop on IncM & Forensics Roadmap for the Cloud. The roadmap is intended to standardize forensic techniques in cooperation with cloud providers so that quality of evidence is assured and defensible.

  • Survey of cloud users to determine pain points and the variation of techniques and workarounds used by consumers. The goal is to define the problem space more clearly.

  • WG works with CAI and CCM to create a common language and set of expectations around this domain.

Page 45

Virtualization Working Group

• The CSA Virtualization Working Group is chartered to lead research into the combined virtualized operating system and SDN technologies. The group should build upon existing Domain 13 research and provide more detailed guidance as to threats, architecture, hardening and recommended best practices.

• Research and Activities for 2013 – 2014

  • Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing – Q1 2014

Page 46

Telecom Working Group

• The Telecom Working Group (TWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how to deliver secure cloud solutions and foster cloud awareness within all aspects of Telecommunications.

• Research and Activities for 2013 - 2014

  • Next Generation SIEM White Paper – Q3 2013

  • IPv6 Research – In Progress

  • Continued advisory role for the Telecom Industry

Page 47

Health Information Management Working Group

• The Health Information Management Working Group (HIWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries.

• Research and Activities for 2013 – 2014

  • Business Associate Agreement Policy Guidance – Q2 2014

  • Updated HIPAA HiTech Mapping for V.3 – Q1 2014

  • HIPAA Omnibus Rule Education – Q3 2013

Page 48

Small to Medium Sized Business (SMB) Working Group

• This working group will focus on providing tailored guidance to small business, will cooperate with other working groups where appropriate, and will help cloud providers understand small business requirements.

• Research and Activities for 2013 – 2014

  • Organize a series of workshops to discuss small business cloud requirements and perception of current cloud alliance guidance – Q3/Q4 2013

  • Analyze existing Cloud Security Alliance workgroups and identify where small business related input is required - TBD

  • Produce Small business guidance document, draft version - TBD

  • Produce requirements and recommendations to other Cloud Security Alliance workgroups - TBD

Page 49

Service Level Agreement Working Group

• Service Level Agreements (SLAs) are a component in most cloud service terms and contracts. However, there is a consensus that customers and providers alike have questions about what constitutes an SLA, the sufficiency and adequacy of SLAs and their management. The Cloud Security Alliance SLA Working Group (SLA WG), in an effort to provide clarity to the subject of SLAs, has developed guidance in the following areas.

  • What are the components of an SLA?

  • What role does the SLA play for CSP and CSU?

  • Can we define an SLA Taxonomy?

  • What is the status of SLAs today?

  • SLA myths, challenges and obstacles?

  • SLA Guidance and Recommendations

• Research and Activities for 2013 – 2014

  • Cloud SLA Guidance – Q4 2013/ Q1 2014

Page 50

Privacy Level Agreement Working Group

• This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially when trans-border data flow is concerned.

• A Privacy Level Agreement (PLA) has twofold objectives:

  • Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection.

  • Offer contractual protection against possible economic damages due to lack of compliance or commitment of the CSP with privacy and data protection regulation.

• Research and Activities for 2013 – 2014

  • Phase 2 - Gap Analysis - Cover Requirements outside of Europe (Global PLA) – Q4 2013/ Q1 2014

  • Seal or Privacy Certification - Assess Need – Q1 2014

Page 51

Financial Working Group

• The Financial Working Group (FWG) will be identifying challenges, risks and Best Practices for the development, deployment and management of secure cloud services in the financial Industry.

• FWG’s investigation is expected to lead to the following goals:

  • Identifying the Industry’s main concerns regarding Cloud Services in their sector.

  • Help industry on adoption of best practices.

  • Establish liaisons with regulatory bodies in order to foster the development of suitable regulations.

  • Accelerate the adoption of Secure Cloud services in the Financial Industry.

  • Research proposals for funding.

• Research and Activities for 2013 – 2014

  • Develop guidelines and recommendations for the delivery and management of cloud services in the F&B sector – QX 2014

Page 52

Open Certification Framework

• The CSA Open Certification Framework provides:

  • A path for any region to address compliance concerns with trusted, global best practices. For example, we expect governments to be heavy adopters of the CSA Open Certification Framework to layer their own unique requirements on top of the GRC Stack and provide agile certification of public sector cloud usage.

  • Explicit guidance for providers on how to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM).

  • A "recognition scheme" that would allow us to support ISO, AICPA and potentially others that incorporate CSA IP inside of their certifications/framework. CSA supports certify-once, use-often, where possible.

• Research and Activities for 2013 – 2014

  • STAR Certification Manual – Q3 2013

  • STAR Attestation Manual – Q3 2013

  • STAR Certification Auditor Accreditation – Q3 2013

  • STAR Attestation Auditor Accreditation – Q4 2013

  • OCF Cost Analysis – Q4 2013

  • OCF Certification Launch – Q4 2013

Page 53

The OCF structure

• The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.

Page 54

ISACA Collaboration Project

• A collaborative project by ISACA and CSA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing and will help identify changes in the market. The report provides detailed insight into the adoption of cloud services at all levels within today's global enterprises and businesses, including the C-suite.

• Research and Activities for 2013 – 2014
  • Cloud Market Maturity Survey – Q3 2013
  • Cloud Market Maturity Study Results – Q4 2013

Page 55

Internet2 Collaboration Project

• A team of 30 CIOs, CISOs and other executives from Internet2's membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements.

• Research and Activities for 2013 – 2014
  • Net+ Initiative CCM V1.4 – Q3 2013
  • Net+ Initiative CCM V3.0 – Q1 2014

Page 56

CSA APAC

• Incorporated and based in Singapore
• Planned establishment of HQ in Singapore
• Supported by key Singaporean ministries, led by the Infocomm Development Authority (IDA)
• IDA support for research and standards functions
• Also private/public partnerships with the governments of Thailand and Hong Kong
• CSA chapters throughout APAC

Page 57

Regional APAC Research

• Research in the APAC region reflects the rapid growth of the cloud market in the region and the demand for security assurances among our member countries

• Research and Activities for 2013 – 2014
  • New Zealand MBIE Funding – Q4 2013
  • CSA Research Journal – Q3 2014
  • Singapore Standard for Virtualization – TBD
  • Salary Survey of Cloud Professionals – TBD
  • Joint Interpol Project – TBD
  • Survey of Regulatory Requirements for going to the Cloud in Asia – TBD

Page 58

CSA Europe

• Incorporated in the UK
• Base of operations in Heraklion, Greece
• Staffed by noted experts from key EU institutions
• Managing director an alumnus of ENISA (European Network and Information Security Agency)
• Received funding grants for 4 research projects from the European Commission in 2012
• FP7 Projects

Page 59

FP7 Projects

• Incorporated in the UK
• Base of operations in Helsinki, Finland
• Staffed by noted experts from key EU institutions
• Managing director an alumnus of ENISA (European Network and Information Security Agency)
• Received funding grants for 4 research projects from the European Commission in 2012

Page 60

Global University Cloud Research Consortium

• This academic group will focus on research collaborations, university-to-university exchanges, university-industry collaborations, adjunct professorships and visiting researchers/professors, and will also organize and administer funding applications.

• Research and Activities for 2013 – 2014
  • Planning in Progress

Page 61

Enterprise User Council

• The Cloud Security Alliance (CSA) Enterprise User Council was started to provide a balance of power between cloud providers and enterprise users, at a time when advances in cloud services, big data and mobile computing have made their biggest leap into businesses. Our long-term goal is to understand the biggest problems facing enterprises and help solve them. The CSA Enterprise User Council will represent businesses on these issues externally and abroad.

• Research and Activities for 2013 – 2014
  • Planning in Progress

Page 62

CCSK – User Certification

Certificate of Cloud Security Knowledge (CCSK)

• Benchmark of cloud security competency
• Online web-based examination
• www.cloudsecurityalliance.org/certifyme
• Training partnerships
• Developing new curricula for audit, software development and architecture

Page 63

CSA Open Certification Framework

• Leverage the CSA STAR infrastructure to create national, local or industry-specific provider certifications
• Allows governments, certification bodies and industry consortia to create certifications addressing specific requirements without developing complete and proprietary bodies of knowledge
• Leverage existing certification/attestation regimes
• 2013 Open Certification
  • ISO 27001 Certification based upon the CSA CCM (partnered with the British Standards Institution)
  • SOC 2 Audit Attestation Reporting based upon the CSA CCM (partnered with AICPA)
• Branded as CSA STAR Certification – the gold standard for cloud provider certification

Page 64

International Standardization Council

• Engage international standards bodies on behalf of CSA
• Propose key CSA research for standardization
• Liaison relationship with ITU-T
• Category A liaison with ISO/IEC JTC 1/SC 27 & SC 38
• Tracking key SDOs for 2013
  • DMTF
  • IEEE
  • IETF
  • CCSA
  • RAISE

Page 65

Q3 2013 RESEARCH RELEASES

CCM
• CCM V.3

BIG DATA WORKING GROUP
• Expanded Top 10 Big Data Security and Privacy Concerns
• Big Data Analytics for Security Intelligence

HIM
• HIPAA Omnibus Rule Education

CTP
• API Interface Definition (Alain to update)

INCIDENT MANAGEMENT & FORENSICS
• Provider Forensic Support in Public Multi-Tenant Cloud Environments

OCF
• STAR Certification Manual
• STAR Attestation Manual
• STAR Certification Auditor Accreditation

ISACA
• Cloud Market Maturity Survey

INTERNET2 COLLABORATION
• Net+ Initiative CCM V1.4

ANTI-BOT Working Group
• Work Group Kick-Off

Enterprise User Council
• Work Group Kick-Off

Page 66

Q4 2013 RESEARCH RELEASES

MOBILE WORKING GROUP
• Mobile Authentication Management V.1.1
• Mobile Device Management V.2
• Mobile Maturity Survey

CCM
• AICPA Trust Service Principles Mapping
• COBIT 5.0
• ENISA Information Assurance Framework Mapping
• ODCA Mapping
• German BSI Mapping
• NZISM Mapping
• Privacy Control Assessment
• Internet2 Compliance Area Mapping
• NIST SP 800-53 Rev 4

SecaaS
• Defined SecaaS Framework Survey

BIG DATA WORKING GROUP
• Big Data Framework and Taxonomy White Paper

CSA ENTERPRISE ARCHITECTURE
• KRI and KPI Development for CSA Reference Architecture
• Interactive Site
• Case Study Webinars (CloudBytes Sessions)
• Workshop with EAWG, NIST and Vidders

Anti-Bot Working Group
• Outreach Program Launch
• Essential Practices Sub-Group Launch
• Tools and Operations Sub-Group Launch
• Economics Sub-Group Launch

Page 67

Q4 2013 RESEARCH RELEASES

SMB WG
• Small and Medium Size Business Kick-Off and Outreach

CAIQ
• CAIQ V.3

CTP
• Prototype

CLOUD AUDIT
• Create CCM V.3 Database

INCIDENT MANAGEMENT & FORENSICS
• Developing a capability maturity model (CMM) for Incident Management and Forensics in Cloud Environments

OCF
• STAR Attestation Auditor Accreditation
• OCF Cost Analysis
• OCF Certification Launch

ISACA
• Cloud Market Maturity Study Results

TELECOM WORKING GROUP
• Next Generation SIEM White Paper

APAC Research
• Roadmap for Execution

Page 68

Q4 2013 RESEARCH RELEASES

Virtualization Working Group
• Virtualization Working Group Kick-Off
• Update Security Guidance to include SDN

Financial Services Working Group
• FSWG Kick-Off
• Establish Security and Privacy Test Beds

Cloud Brokerage Working Group
• Publication of one-year work plan
• Launch CSA Cloud Broker microsite, partner directory and Twitter account
• Publication of V.1 of Working Group Deliverables
• Cloud Brokerage Kick-Off

Leapfrog Project
• Create CCM V.3 Database

Vulnerabilities Working Group
• Working Group Expansion/Official Kick-Off

OCF
• STAR Attestation Auditor Accreditation
• OCF Cost Analysis
• OCF Certification Launch

ISACA
• Cloud Market Maturity Study Results

APAC RESEARCH
• New Zealand MBIE Funding

TELECOM WORKING GROUP
• Next Generation SIEM White Paper

Page 69

Q1 2014 RESEARCH RELEASES

GUIDANCE
• Security Guidance for Critical Areas of Cloud Computing V.4 (Planning)

CCM
• COBIT 5 Mapping
• Slovenian Information Commissioner Privacy Guidance for Cloud Computing Mapping

SECAAS
• Implementation Guidance Documents V.2 (Planning)

BIG DATA WORKING GROUP
• Big Data Cryptography Report

HIM
• Updated HIPAA/HITECH Mapping for V.3

CTP
• Trust Model

CLOUD AUDIT
• Automate Change-adds through DB Version of CCM

TOP THREATS
• Top Threats to Cloud Computing Survey

CDG
• Data Governance across International Borders

Page 70

Q1 2014 RESEARCH RELEASES

VIRTUALIZATION WORKING GROUP
• Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing

CLOUD VULNERABILITIES WORKING GROUP
• Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data

SLA
• Cloud SLA Guidance

PLA
• Phase 2 - Gap Analysis - Cover Requirements outside of Europe (Global PLA)
• Seal or Privacy Certification - Assess Need

INTERNET2 COLLABORATION
• Net+ Initiative CCM V3.0

Page 71

Q2 2014 RESEARCH RELEASES

HIM
• Business Associate Agreement Policy Guidance

CTP
• Pilot

CLOUD AUDIT
• Update Notification Functionality

TOP THREATS
• Top Threats to Cloud Computing V.4

CDG
• Data Tracking and Logging Standard

CLOUD VULNERABILITIES WORKING GROUP
• Creation of a cloud vulnerability feed documentation mechanism/format/protocol

Page 72

Thank you

Page 73

About the Cloud Security Alliance

• Global, not-for-profit organization: 56,000 members
• Building security best practices for next generation IT
• Research and Educational Programs
• Cloud Provider Certification: CSA STAR
• User Certification: CCSK
• Awareness and Marketing
• The globally authoritative source for Trust in the Cloud

www.cloudsecurityalliance.org

"To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."

Page 74

CSA Fast Facts

• Founded in 2009
• 56,000+ individual members, 70+ chapters globally
• 190+ corporate members
• Major cloud providers, tech companies, infosec leaders, DoD, the Fortune 100 and much more
• Offices in Seattle USA, Singapore, Helsinki Finland
• Over 40 research projects in 30+ working groups
• Strategic partnerships with governments, research institutions, professional associations and industry

Page 75

Thanks

Phil Agcaoili
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)
Contributor, NIST Cybersecurity Framework version 1
@hacksec
https://www.linkedin.com/in/philA