Csa summit argentina-reavis

Date post: 15-Jan-2017
Page 1: Csa summit   argentina-reavis

www.cloudsecurityalliance.org Copyright © 2016 Cloud Security Alliance

Jim Reavis, CEO

June 2016

The Mandate for Global Cloud Security

Page 2: Csa summit   argentina-reavis

About Jim Reavis

CEO and Founder of Cloud Security Alliance

25 years' experience in information security

Honored to be a presenter at the inaugural CSA Argentina Summit

Page 3: Csa summit   argentina-reavis

We will never “solve” information security…

State of permanent warfare

Battlefields change

Weapons change

Create enough security to ensure a profitable outcome

Page 4: Csa summit   argentina-reavis

Tech consumerization… Changing compute, changing the world

Page 5: Csa summit   argentina-reavis

CSA Maxims

As IT moves into the Cloud, so must Security

As IT loses control of the endpoint, Cloud is the only Security option

As the Internet of Things scales upwards, Cloud computing will be its data repository, application engine, provisioning system, Security platform and organizing concept

Security has a new battlefield

Page 6: Csa summit   argentina-reavis

CSA Top Threats to Cloud for 2016

1. Data Breaches
2. Compromised Credentials and IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. APTs
8. Data Loss
9. Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Issues

https://cloudsecurityalliance.org/group/top-threats/

Page 7: Csa summit   argentina-reavis

Cloud in the Enterprise 2016

Awareness: Capturing data on current cloud usage within organization

Opportunistic: Identifying strong cloud adoption opportunities (Cloud First!)

Strategic: Building cloud adoption program – security program, architecture, frameworks & business alignment

Page 8: Csa summit   argentina-reavis

CSA Global Enterprise Advisory Board

Announced at CSA Summit @ RSA

Chaired by Vinay Patel, Head of Security, Citi Infrastructure, Citigroup

Public facing, demonstrate enterprise support of CSA publicly

Issue public “Calls to action” for industry

Advise CSA on strategy

Issue annual “State of Cloud Security” report

https://cloudsecurityalliance.org/download/state-of-cloud-security-2016/

Citigroup, Johnson & Johnson, Caterpillar, Hertz, Lucasfilm, ADP, Coca Cola, United Healthcare and several others

Page 9: Csa summit   argentina-reavis

Are Cloud Providers Secure?

Uneven: Terrific Tier 1 Cloud Provider Security coexists with Poor and Unknown Provider Security

Secure Provider + Mature Customer may not equal secure relationship

Poor Integration & Alignment, e.g. Bring Your Own Keys

Communication Gaps, e.g. sharing event info

Enterprises want a holistic risk-based view of IT with Cloud as a seamless extension

Greater transparency will help enterprises close the gaps

Page 10: Csa summit   argentina-reavis

Cloud Providers Must Make Cooperation a Priority

Threat intelligence and incident sharing

Transparency on verifiable controls with strong integrity checks

Standards development on common security requirements

Support for multi-vendor enterprise

Page 11: Csa summit   argentina-reavis

Cloud is Changing the Very Nature of Information Security

Servers are Dead, Long Live Services!

APIs, Automation, Agility, Disposable Infrastructure

SDN, IoT, Analytics, CASB

Better Ways to Handle Old Problems

Fight the Legacy Mindset

Page 12: Csa summit   argentina-reavis

National, Regional & Industry-Specific Regulations Provide Important Challenges

Policies rapidly outdated by technology changes

Duplicative nature of many regulations

Conflicting regulations

Global nature of enterprises and cloud providers vs regional regulatory authorities

Knowledge gaps for regulators and auditors in addressing cloud computing

Engagement with Regulatory Decision Makers Key

Page 13: Csa summit   argentina-reavis

Industry Skills Gap

One million unfilled information security jobs

Lagging skillsets among the employed

Page 14: Csa summit   argentina-reavis

What have leading organizations learned?

Understanding different types of Clouds and your Role

Due diligence is critical, Data is key

Identity is very important

Forcing legacy tools & architectures on cloud security problems doesn’t work

Heavy-handed blocking of cloud services backfires on infosec

Key role of intermediaries (Cloud Access Security Broker)

Page 15: Csa summit   argentina-reavis

Think Virtually!

Page 16: Csa summit   argentina-reavis

How CSA delivers the secure cloud

Page 17: Csa summit   argentina-reavis

About the Cloud Security Alliance

Global, not-for-profit organization

Building security best practices for next generation IT

Research and Educational Programs

Cloud Provider Certification – CSA STAR

User Certification – CCSK

The globally authoritative source for Trust in the Cloud

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 18: Csa summit   argentina-reavis

CSA Fast Facts

Founded in 2009

Membership stats as of June 2016

75,000 individual members, 80 chapters globally

330 corporate members

Operates in 3 Divisions

CSA Americas headquarters in Seattle

CSA APAC, headquarters in Singapore

CSA Europe (responsible for Europe/Middle East/Africa), headquarters in Edinburgh UK

Over 30 research projects in 25 working groups

Strategic partnerships with governments, research institutions, professional associations and industry

www.cloudsecurityalliance.org

Page 19: Csa summit   argentina-reavis

CCSK – User Certification

Certificate of Cloud Security Knowledge (CCSK)

Benchmark of cloud security competency

Based on CSA guidance

Online web-based examination

www.cloudsecurityalliance.org/education/ccsk/

Partnered with (ISC)2 to develop complementary certification: CCSP

Close cloud security knowledge gaps

Page 20: Csa summit   argentina-reavis

CSA STAR Provider Certification

CSA STAR (Security, Trust and Assurance Registry), 3 Level Provider Certification Program

Managed by CSA in partnership with world leading ISO certification bodies and audit firms

Adopted Worldwide by Providers, Enterprises and Governments

www.cloudsecurityalliance.org/star

Page 21: Csa summit   argentina-reavis

CSA STAR: Assisting Due Diligence

Level 1 STAR Self-Assessment

Public Registry of Cloud Provider self assessments based on CSA standards

Level 2 STAR 3rd Party Audits

STAR Certification: Integrates ISO/IEC 27001:2013

STAR Attestation: Based upon Type 2 SOC

Coming in Q4 2016: STARWatch

Ask for provider’s STAR entry

If unavailable, ask provider to fill out CSA’s Cloud Controls Matrix or Consensus Assessments Initiative Questionnaire

www.cloudsecurityalliance.org/research/ccm

www.cloudsecurityalliance.org/research/cai

Page 22: Csa summit   argentina-reavis

Research for 2016

Guidance V4

Global Enterprise Advisory Board

Software Defined Perimeter

Financial Services Platform

CCM/CAIQ/CTP/CloudAudit

Security as a Service

Internet of Things

Quantum-Safe Computing

CASB enablement: OpenAPI

Other

It is all free!

https://cloudsecurityalliance.org/research

Page 23: Csa summit   argentina-reavis

Emerging Trends We Are Evaluating

Blockchain

Containers, micro services

Internet of Things

DevSecOps: DevOps applied to security

Analytics

Autonomous computing

Artificial Intelligence

Quantum-Safe Computing

Page 24: Csa summit   argentina-reavis

A New Day for Computing and Trust

Page 25: Csa summit   argentina-reavis

Argentina has a strategic role

Developing a secure world, virtually, in software

Page 27: Csa summit   argentina-reavis

THANK YOU
