
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements


www.cloudsecurityalliance.org | Copyright © 2013 Cloud Security Alliance

Cloud Security Alliance Research & Roadmap

RSA Conference 2013 Announcements

Q1’2013 CSA Atlanta Chapter

Phil Agcaoili

CSA Founding Member

Co-Founder/Co-Author, Cloud Controls Matrix

Co-Founder/Steering Committee, GRC Stack

Co-Founder, Security, Trust and Assurance Registry (STAR)


About the Cloud Security Alliance

Global, not-for-profit organisation

Over 40,000 individual members

More than 160 corporate members

Over 60 chapters

Building best practices and a trusted cloud ecosystem

Agile philosophy, rapid development of applied research

GRC: balance compliance with risk management

Reference models: build using existing standards

Identity: a key foundation of a functioning cloud economy

Champion interoperability

Enable innovation

Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”


About the Cloud Security Alliance

Developed first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (updated October 2011)

First and only user certification for cloud security, the CCSK (Certificate of Cloud Security Knowledge, September 2010)

Tools for managing Governance, Risk and Compliance in the Cloud

Registry of cloud provider security practices, the CSA STAR (Security, Trust & Assurance Registry, Q4 2011)

First and only multi-tenant security controls framework adapted for cloud (CSA CCM)

Industry leading security practices, education and tools developed by 20+ working groups

Selection of CSA venue by US White House to announce the US Federal Cloud Strategy in 2011

Leadership in developing new security standards addressing cloud computing

Trusted advisor to governments and Global 2000 firms around the world



http://cloudsecurityalliance.org/chapters/

GLOBAL CHAPTERS


Chapters Around the World

60 chapters and growing

Every continent except Antarctica

Translating guidance

Adapting research to local needs

Creating their own research projects


Chapter Tools (2012)


CSA Chapter Website

https://chapters.cloudsecurityalliance.org/[chapter-name]/

Get your WordPress based chapter site on CSA

Events, news, past events, site map

Add your logo

Add your Twitter feed

Contact [email protected]


CSA Chapter Logo

Get your Chapter logo

Contact [email protected]


CSA Basecamp

The CSA Projects will begin migrating to the "new" Basecamp found at the following URL:

https://launchpad.37signals.com/ 

This site will give you access to all of your CSA projects on the new Basecamp and the pre-existing projects found in the renamed "Basecamp Classic".  The 37Signals Launchpad will help you navigate to both Basecamp sites if you are participating in multiple CSA Working Groups.


http://cloudsecurityalliance.org/research/

RESEARCH


Research Portfolio

Our research includes fundamental projects needed to define and implement trust within the future of information technology

CSA continues to be aggressive in producing critical research, education and tools

22 Active Work Groups and 10 in the pipeline


Global Research Footprint

Global resource and research coverage through our corporate membership, affiliate members, chapters and

Connected to great minds: Research contributors represent some of the top minds in information security and cloud computing


Research Highlights

Security Guidance for Critical Areas of Cloud Computing

Popular best practices for securing cloud computing

Flagship research project

V 3.0 Released (November 2011)

In alignment with international standards

Impact to the Industry

Developed first comprehensive best practices for secure cloud computing, Security Guidance for Critical Areas of Focus for Cloud Computing (updated October 2011)

> 300k downloads: cloudsecurityalliance.org/guidance


Research Highlights

GRC Stack

Family of 4 research projects

Cloud Controls Matrix (CCM)

Consensus Assessments Initiative (CAI)

Cloud Audit

Cloud Trust Protocol (CTP)

[Diagram: control requirements and provider assertions across private, community and public clouds]


Research Highlights: Cloud Controls Matrix (CCM)

Controls derived from guidance

Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, etc.

Rated as applicable to S-P-I (SaaS, PaaS, IaaS)

Customer vs. Provider role

Help bridge the “cloud gap” for IT & IT auditors


Research Highlights: Consensus Assessments Initiative (CAI)

Research tools and processes to perform shared assessments of cloud providers

Integrated with Controls Matrix

Version 1 CAI Questionnaire released Oct 2010, approximately 140 provider questions to identify presence of security controls or practices

Use it to assess cloud providers today, during procurement negotiation, for contract inclusion and to quantify SLAs
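The two slides above describe the CCM (controls rated by service model, customer vs. provider role, mapped to ISO 27001, PCI, HIPAA and other frameworks) and the CAIQ (the provider's yes/no answers against those controls). What a customer actually does with the pair is a gap analysis: filter the catalogue to the service model being bought, score the answers, and turn each "No" into a list of affected frameworks. The script below is an added example written for this page, not CSA tooling; the control IDs, domains, ownership, framework mappings and the provider's answers are all constructed for illustration, and the real identifiers and mappings must be taken from the CSA CCM and CAIQ spreadsheets.

```python
"""Gap analysis over CAIQ-style answers scored against a CCM-style control catalogue.

Added illustration only: the control IDs, domains, framework mappings and the
provider's answers below are constructed and do not reproduce the CSA CCM/CAIQ
spreadsheets, whose real identifiers and mappings must be taken from CSA.
"""
import csv
import io
from collections import defaultdict

# Constructed CCM-like catalogue: which service models a control applies to
# (S-P-I), who owns it (provider / customer / shared) and the frameworks it maps to.
CCM_CONTROLS_CSV = """control_id,domain,applies_to,owner,mapped_to
DG-01,Data Governance,SaaS|PaaS|IaaS,provider,ISO27001 A.7.2|PCI 9.7
DG-04,Data Governance,SaaS|PaaS,provider,ISO27001 A.7.2|HIPAA 164.308
IS-07,Information Security,SaaS|PaaS|IaaS,shared,ISO27001 A.8.2|PCI 12.6
IS-18,Information Security,SaaS|PaaS|IaaS,provider,PCI 3.4|HIPAA 164.312
IS-20,Information Security,SaaS|PaaS|IaaS,provider,ISO27001 A.13.1
SA-03,Security Architecture,PaaS|IaaS,customer,ISO27001 A.10.8
SA-09,Security Architecture,SaaS|PaaS|IaaS,provider,PCI 1.1
"""

# Constructed CAIQ-style answers from a hypothetical SaaS provider (IS-20 left unanswered).
CAIQ_RESPONSES_CSV = """control_id,answer,notes
DG-01,Yes,Retention schedule documented
DG-04,No,Secure deletion not yet implemented
IS-07,Yes,
IS-18,N/A,Customers manage their own keys
SA-09,No,
"""


def load_controls(text):
    controls = {}
    for row in csv.DictReader(io.StringIO(text)):
        controls[row["control_id"]] = {
            "domain": row["domain"],
            "applies_to": set(row["applies_to"].split("|")),
            "owner": row["owner"],
            "mapped_to": [m for m in row["mapped_to"].split("|") if m],
        }
    return controls


def load_responses(text):
    return {row["control_id"]: row for row in csv.DictReader(io.StringIO(text))}


def assess(controls, responses, service_model):
    """Score the provider's answers for one service model (SaaS, PaaS or IaaS)."""
    report = {"gaps": [], "unanswered": [], "na_needs_justification": [],
              "frameworks_impacted": defaultdict(set), "domain_coverage": {}}
    satisfied = defaultdict(int)   # per domain: controls answered Yes
    applicable = defaultdict(int)  # per domain: controls the provider must answer

    for cid, ctl in controls.items():
        if service_model not in ctl["applies_to"]:
            continue  # the S-P-I rating rules this control out for the model under review
        resp = responses.get(cid)
        answer = resp["answer"].strip().lower() if resp else ""

        if answer in ("n/a", "na") and ctl["owner"] == "customer":
            continue  # customer-side control: N/A from the provider is legitimate
        applicable[ctl["domain"]] += 1

        if resp is None:
            report["unanswered"].append(cid)
        elif answer == "yes":
            satisfied[ctl["domain"]] += 1
        elif answer == "no":
            # A missing provider-owned control leaves the customer nothing to compensate with;
            # a shared control still leaves the customer a compensating option.
            severity = "high" if ctl["owner"] == "provider" else "medium"
            report["gaps"].append({"control": cid, "domain": ctl["domain"],
                                   "severity": severity, "notes": resp["notes"]})
            for mapping in ctl["mapped_to"]:
                framework = mapping.split()[0]  # "PCI 3.4" -> "PCI"
                report["frameworks_impacted"][framework].add(cid)
        elif answer in ("n/a", "na"):
            # Provider- or shared-owned control marked N/A: ask for the justification
            # before accepting it, since N/A is a common place for a gap to hide.
            report["na_needs_justification"].append(cid)
        else:
            raise ValueError(f"{cid}: unrecognised answer {resp['answer']!r}")

    report["domain_coverage"] = {
        d: round(100 * satisfied[d] / applicable[d]) for d in applicable}
    report["frameworks_impacted"] = {
        fw: sorted(ids) for fw, ids in report["frameworks_impacted"].items()}
    return report


if __name__ == "__main__":
    result = assess(load_controls(CCM_CONTROLS_CSV),
                    load_responses(CAIQ_RESPONSES_CSV), "SaaS")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The N/A handling is the part worth copying: a provider may legitimately mark a customer-owned control as not applicable, but an N/A on a provider-owned or shared control is treated as an open question rather than as compliance, and an unanswered applicable control is reported separately from a "No" so that the questionnaire's completeness is visible before its content is negotiated.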


Research Highlights: CloudAudit

Open standard and API to automate provider audit assertions

Change audit from data gathering to data analysis

Necessary to provide audit & assurance at the scale demanded by cloud providers

Uses Cloud Controls Matrix as controls namespace

Use to instrument cloud for continuous controls monitoring


Research Highlights: Cloud Trust Protocol (CTP)

Developed by CSC, transferred to CSA

Open standard and API to verify control assertions

“Question and Answer” asynchronous protocol, leverages SCAP (Security Content Automation Protocol)

Integrates with Cloud Audit

Now we have all the components for continuous controls monitoring


Research Highlights

CSA STAR (Security, Trust and Assurance Registry)

Public Registry of Cloud Provider self assessments

Based on Consensus Assessments Initiative Questionnaire

Provider may substitute documented Cloud Controls Matrix compliance

Voluntary industry action promoting transparency

Free market competition to provide quality assessments

Provider may elect to provide assessments from third parties


Q&A session on implementing the CSA CCM and CAIQ

Scott Poggi, Cox Enterprises IT Security Engineering

Michael Brady, Cox Enterprises Corporate Security

James Edgar, Cox Communications Information Security

How did using the CAIQ simplify cloud adoption? CCM?

What was it like before?

What were some challenges in utilizing CAIQ and CCM?

Do you have suggestions to make it better?

What teams needed to be involved to help you?


Research Highlights

Security as a Service

Research for gaining greater understanding of how to deliver security solutions via cloud models.

Information Security Industry Re-invented

Identify Ten Categories within SecaaS

Implementation Guidance for each SecaaS Category

Align with international standards and other CSA research


Research Highlights

Mobile

Securing application stores and other public entities deploying software to mobile devices

Analysis of mobile security capabilities and features of key mobile operating systems

Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives

Guidelines for the mobile device security framework and mobile cloud architectures

Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device

Best practices for secure mobile application development


Research Highlights

Big Data

Identifying scalable techniques for data-centric security and privacy problems

Lead to crystallization of best practices for security and privacy in big data

Help industry and government on adoption of best practices

Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards

Accelerate the adoption of novel research aimed to address security and privacy issues


Research Highlights

Cloud Data Governance

Cloud Data Governance Maturity Survey of current Cloud Provider practices in the market (e.g. backup, encryption, secure deletion, etc.)

Structure based on Domain 5: Information Lifecycle Management

Re-define Data Life Cycle Model

Identify Key Concerns for Stakeholders

Data Governance in Emerging Technologies in the Cloud


Research Highlights

Telecom Working Group

Industry a key stakeholder in future of cloud

CSA’s liaison to ITU-T

5 Telecom Initiatives

Telecom and the GRC Stack

ISO 27017 interviews with CSPs

SIEM

Compliance Monitoring

Cloud Forensics and Legal


Research Highlights

CloudCERT

Consensus research for emergency response in Cloud

Enhance community’s ability to respond to incidents

Standardized processes

Supplemental best practices for CERTs

Hosted Community of Cloud CERTs


Research Highlights

Health Information Management (NEW)

Provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries

2 Health Initiatives

HIPAA and HITECH Best Practices

Healthcare Recommendations Guidance to V.3


Research Highlights

Privacy Level Agreement (PLA)

PLA = SLA for privacy.

In the PLA (typically an attachment to the Service Agreement) the cloud service provider (CSP) clearly declares the level of privacy and data protection that it undertakes to maintain with respect to the relevant data processing.

Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection.

Offer contractual protection against possible economic damages due to the CSP’s lack of compliance with, or commitment to, privacy and data protection regulation.


CSA SLA Research Group

Looking for CSA Chapters’ participation world-wide

Regional representation

Effective SLAs and their management is a key factor in the successful adoption of the Cloud


Research Highlights

ISACA/CSA Cloud Security Maturity Project

The Cloud Security Alliance (CSA) and ISACA announced the availability of a new survey on cloud market maturity

This is the first collaborative project between the two organizations

A report based off of the survey results will be published


Research Highlights

Top Threats

Provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies

V.2 of Top Threats Report released in October 2012


Regional Research (EMEA)

CSA has been awarded 4 FP7 Projects

Helix Nebula - The HELIX NEBULA Project is a preliminary step towards a European cloud‐based scientific e‐ infrastructure: HELIX NEBULA – the Science Cloud.

Cumulus - The overall aim of the project is to develop a framework for hybrid, incremental and multi-layer certification for all services in cloud computing stacks, including infrastructure (IaaS), platform (PaaS) and software services (SaaS)

Cirrus – Cirrus aims to bring together different stakeholders (industry, research, service providers, end-users, standardization bodies…) and perform an analysis of the implications for overall E2E (end-to-end) Cloud Security, with special attention to issues of assurance and trustworthiness.

A4 Cloud - This project aims to clarify regulatory expectations with regard to cloud and also provide mechanisms that enable provision of accountable services in the cloud.


Research Ideas

Most of our Research Projects are ideas from professionals like you

Do you have an idea for a research project on a cloud security topic?

If so, please take the time to describe your concept by filling out our online form. This form is monitored by the CSA research team, who will review your proposal and respond to you with feedback.


CSA Library

The Cloud Security Alliance is a community non-profit which is driven by its members. Have a white paper or information on a cloud security product you want to contribute?

https://cloudsecurityalliance.org/education/white-papers-and-educational-material/

Contribute to the CSA library


How do you get involved?

Learn how you can participate in Cloud Security Alliance's goals to promote the use of best practices for providing security assurance within Cloud Computing

http://www.linkedin.com/groups?gid=1864210

https://cloudsecurityalliance.org/get-involved/


http://cloudsecurityalliance.org/media-center/press-releases/

RSA Conference 2013 Announcements


Released a draft of the latest version of the Cloud Control Matrix, CCM v3.0

Realigns the CCM control domains to achieve tighter integration with the CSA’s “Security Guidance for Critical Areas of Focus in Cloud Computing version 3”

Introduced three new control domains

Mobile Security

Supply Chain Management, Transparency and Accountability

Interoperability & Portability

Available for peer review through the CSA Interact website with the peer review period closing March 31, 2013, and final release of CCM v3.0 on April 17, 2013

CSA Seeks Input For Open Peer Review: CCM v3.0

https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_1

https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_2

https://interact.cloudsecurityalliance.org/index.php/ccm/v3_group_3


CSA Big Data Working Group released an initial report--The Top 10 Big Data Security and Privacy Challenges at CSA Congress 2012

2013 RSA announcement expanded this to Top Ten Big Data Security and Privacy Challenges report

The 35-page report outlines the unique challenges presented by Big Data

The Top 10 Big Data Security and Privacy Challenges have been enumerated as follows:

1. Secure computations in distributed programming frameworks

2. Security best practices for non-relational data stores

3. Secure data storage and transaction logs

4. End-point input validation/filtering

5. Real-time security monitoring

6. Scalable and composable privacy-preserving data mining and analytics

7. Cryptographically enforced data centric security

8. Granular access control

9. Granular audits

10. Data provenance

The goal of outlining these challenges is to raise awareness among security practitioners and researchers

To review the report and provide comments, please visit https://interact.cloudsecurityalliance.org/index.php/bigdata/top_ten_big_data_2013 .

CSA Seeks Input For Open Peer Review: Expanded Top Ten Big Data Security and Privacy Challenges Report


Released a position paper on the American Institute of CPAs’ reporting framework

Educating members and providing guidance on selecting the most appropriate reporting option

Latest step in CSA’s previously announced Open Certification Framework and STAR Attestation initiatives

AICPA’s reporting framework, known as Service Organization Control Reports, consists of three major document types

The first – the SOC 1 report – deals with controls over financial reporting

The SOC 2 report focuses on controls that bear on a service provider’s security, processing integrity and operating availability, as well as the confidentiality and privacy of data moving through its systems.

A third report, SOC 3, is a compressed version of the SOC 2 and is designed for public distribution.

Highlights that, for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101), using the CSA Cloud Controls Matrix (CCM) as additional suitable criteria, is likely to meet the assurance and reporting needs of the majority of cloud service users

The Cloud Controls Matrix is designed to be used in conjunction with existing standards, and this is one such example where the combination provides a comprehensive view that should suit most users reporting needs

Position paper also offers guidance to members on the following:

When a SOC 1 report is necessary,

When a SOC 2 report is called for, and

When both engagement types may be required

The full position paper can be found at https://cloudsecurityalliance.org/research/collaborate/#_aicpa

CSA Continues Campaign To Improve Transparency And Assurance In The Cloud Market With Position Paper On AICPA Reporting Framework


The CSA PLA Working Group formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on Cloud Computing into an easy to use outline that CSPs can use to disclose personal data handling practices

The Cloud Security Alliance (CSA) Privacy Level Agreement (PLA) Working Group released the Privacy Level Agreement (PLA) Outline for Cloud Service Providers providing services in the European Union

The Outline provides a structure for Cloud Service Providers (CSPs) to disclose, in a consistent manner, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload to or store on the CSP’s servers

Once a PLA outline is completed by a CSP, it will provide current and potential customers with a new tool to assess that CSP’s disclosure of its practices.

This knowledge, in turn, will allow companies to evaluate the extent to which the use of a particular CSP will allow them to achieve compliance with applicable data protection laws, including, in particular, their transparency and accountability obligations, a positive shift for both the customer and provider alike.

Key elements covered in the outline include:

Cloud customer internal and external due diligence

Categories of personal data that may be uploaded to the service

Ways in which data should be processed in the cloud

Data location, transfer, retention, monitoring and security measures

Personal data breach notification

Data portability, migration, and transfer back assistance

Accountability

Law enforcement access

Remedies

To learn more, download the PLA Initiative Research Sponsorship Outline.

Cloud Security Alliance Releases First Guidelines for Cloud Service Providers Delivering Services in the European Union


The Cloud Security Alliance (CSA) Top Threats Working Group released The Notorious Nine: Cloud Computing Top Threats in 2013

A revised report aimed to provide organizations with up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies

Report focuses on threats specifically related to the shared, on-demand nature of cloud computing

Serves as an up-to-date threat identification guide that will help cloud users and providers make informed decisions about risk mitigation within a cloud strategy

The Top Threats Working Group used industry survey results alongside their expertise to craft the final The Notorious Nine: Cloud Computing Top Threats in 2013.

Identified the following nine critical threats to cloud security:

1. Data Breaches

2. Data Loss

3. Account Hijacking

4. Insecure APIs

5. Denial of Service

6. Malicious Insiders

7. Abuse and Nefarious Use

8. Insufficient Due Diligence

9. Shared Technology Issues

Intended to be utilized in conjunction with the best practices guides “Security Guidance for Critical Areas in Cloud Computing V.3” and “Security as a Service Implementation Guidance”

Companies and individuals interested in learning more or joining the group can visit https://cloudsecurityalliance.org/research/top-threats/.

Cloud Security Alliance Warns Providers of ‘The Notorious Nine’ Cloud Computing Top Threats in 2013


Formation of the CSA Legal Information Center (CLIC), a new online resource.

The launch of the CLIC is part of an ongoing effort on behalf of the CSA to help individuals and organizations better understand and address the various and often complicated legal issues related to cloud computing

The CLIC will be an open resource for cloud computing practitioners, regulators, and legal experts with a mission to provide unbiased information about the applicability of existing laws and also identify laws that are being impacted by technology trends that may require modification

As part of this new initiative, CSA and Box hosted a panel discussion entitled, “US and Foreign Laws Regulating Government Access to Data Held in the Cloud” on Thursday, February 28th

Panel participants included legal and regulatory experts from seven countries

Moderated by Francoise Gilbert, Founder and General Manager of the IT Law Group as well as General Counsel for the CSA.

The panel explored a wide range of issues related to the rule of laws governing access of governments to data held in the cloud

More information on the CLIC: https://cloudsecurityalliance.org/research/clic/

Cloud Security Alliance To Establish New Legal Information Center


Announced the launch of a new global training program called the CSA Master Training Program

HP named as the initial partner of this new program

The CSA Master Training Program is designed to accelerate worldwide access and adoption of the CSA Certificate of Cloud Security Knowledge (CCSK) Certification

With assistance from HP, CSA will invest in the global expansion of CCSK training availability, with a key focus on the Asia Pacific region.

CSA and HP will also work closely to collaborate on a curriculum roadmap through the CCSK Center of Excellence based in Singapore

HP will adapt existing CCSK lab-based training to include HP cloud solutions

HP Education Services will certify any HP CCSK training staff based on HP’s CSA-certified courseware

At the annual CSA Congress in October 2012, the CSA published version 3 of its CCSK

Included two principal updates, including an update to the CCSK Training Materials as well as a new CCSK exam

The CCSK is aligned with the latest release of CSA’s Security Guidance as well as other intellectual property, which comprises the CSA Common Body of Knowledge (CBK)

Cloud Security Alliance Selects HP For New Master Training Partner Program


Contact

Help Us Secure Cloud Computing

www.cloudsecurityalliance.org

[email protected]

LinkedIn: www.linkedin.com/groups?gid=1864210

Twitter: @cloudsa

//philA//

https://www.linkedin.com/in/philA

@hacksec