www.cloudsecurityalliance.org
Jim Reavis, Executive Director
Cloud Computing Security
Copyright © 2013 Cloud Security Alliance
About the Cloud Security Alliance
Global, not-for-profit organization
Building security best practices for next generation IT
Research and Educational Programs
Cloud Provider Certification
User Certification
Awareness and Marketing
The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education
on the uses of Cloud Computing to help secure all other forms of computing.”
CSA Fast Facts
Founded in 2009
Membership stats as of May 2013
47,000 individual members, 66 chapters globally
180 corporate members
Major cloud providers, tech companies, infosec leaders, governments, financial institutions, retail, healthcare and more
Offices in Seattle USA, Singapore, Heraklion Greece
Over 30 research projects in 25 working groups
Strategic partnerships with governments, research institutions, professional associations and industry
Copyright © 2011 Cloud Security Alliance
Growth Beyond Comprehension
Forrester forecasts that the global market for cloud computing will grow from $40.7 billion
in 2011 to more than $241 billion in 2020
1 Million new mobile phones a day!
Our IT System
Enabling Big Data
Managing Mobile Devices
The Glue for the Internet of Things
Accelerating innovation
Cloud is the Foundation
What is Cloud Computing?
Compute as a utility: third major era of computing
Cloud enabled by
Moore’s Law
Hyperconnectivity
SOA
Provider scale
Key characteristics
Elastic & on-demand
Multi-tenancy
Metered service
Key Trust Issues in cloud
Transparency & visibility from providers
Compatible laws across jurisdictions
Data sovereignty
Incomplete standards
Lack of true multi-tenant technologies & architecture
Incomplete Identity Mgt implementations
Risk Concentration
Transparency: User Data requests from law enforcement according to Google
For Jul – Dec 2012, from http://www.google.com/transparencyreport/governmentrequests/
France: 1,693 requests, responded to 44%
Germany: 1,550 requests, responded to 42%
US: 8,438 requests, responded to 88%
India: 2,431 requests, responded to 66%
Italy: 846 requests, responded to 34%
Singapore: 96 requests, responded to 75%
Innovation
Trust Innovation
Mobile Clouds SaaS Encryption
Identity Mgt – Strong Auth everywhere
Reinvent every industry with Cloud/Mobile/Social/Big Data
What is the Global Mandate to Secure Cloud Computing?
State Sponsored Cyberattacks?
Organized Crime?
Legal Jurisdiction & Data Sovereignty?
Global Security Standards?
Privacy Protection for Citizens?
Transparency & Visibility from Cloud Providers?
The Global Mandate is Empowerment
Shift the balance of power to consumers of IT
Enable innovation to solve difficult problems of humanity
Give the individual the tools to control their digital destiny
Do this by creating confidence, trust and transparency in IT systems
Security is not overhead, it is the enabler
Selected Research to Secure the Cloud
CSA Security Guidance
Industry standard catalog of cloud security issues and best practices
Widespread adoption
Translated into 6 languages
14 domains
https://cloudsecurityalliance.org/research/security-guidance/
GRC Stack
Family of 4 research projects
Cloud Controls Matrix (CCM)
Consensus Assessments Initiative (CAI)
Cloud Audit
Cloud Trust Protocol (CTP)
Impact to the Industry
Developed tools for governance, risk and compliance management in the cloud
Technical pilots
Provider certification through STAR program
Control Requirements
Provider Assertions
Private, Community & Public Clouds
CSA STAR Registry
CSA STAR (Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative Questionnaire
Provider may substitute documented Cloud Controls Matrix compliance
Voluntary industry action promoting transparency
Security as a market differentiator
www.cloudsecurityalliance.org/star
STAR – Demand it from your providers!
Structure
OPEN CERTIFICATION FRAMEWORK
CONTINUOUS
ATTESTATION | CERTIFICATION
SELF ASSESSMENT
TRANSPARENCY
ASSURANCE
CCSK – User Certification
Certificate of Cloud Security Knowledge (CCSK)
Benchmark of cloud security competency
Online web-based examination
www.cloudsecurityalliance.org/certifyme
Enterprise members get 8 test tokens, contact [email protected] to receive (must provide email addresses of employees taking test)
Security as a Service
Research to gain a greater understanding of how to deliver security solutions via cloud models.
Information Security Industry Re-invented
Identify Ten Categories within SecaaS
Implementation Guidance for each SecaaS Category
Align with international standards and other CSA research
Industry Impact
Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3
Smart Mobile
Mobile
Securing application stores and other public entities deploying software to mobile devices
Analysis of mobile security capabilities and features of key mobile operating systems
Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
Guidelines for the mobile device security framework and mobile cloud architectures
Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
Best practices for secure mobile application development
Big Data Working Group
Big Data
Identifying scalable techniques for data-centric security and privacy problems
Lead to crystallization of best practices for security and privacy in big data
Help industry and government on adoption of best practices
Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards
Accelerate the adoption of novel research aimed to address security and privacy issues
Research Portfolio
Our research includes fundamental projects needed to define and implement trust within the future of information technology
CSA continues to be aggressive in producing critical research, education and tools
For the Industry
Challenges remain, there will always be insecurity
Global collaboration, public & private
Innovation can make policy restrictions obsolete
Major focus on identity needed
Must solve tomorrow’s problems today
Transparency must be our guide
For Nations
Invest in SaaS, not datacenters
Align cloud regulations with global standards
Protect foreigners' rights as you would your own citizens'
Balance industry protection with industry development
Transparency!
For the Enterprise
Be Pragmatic, Be Agile
Follow the law, but do not concede to poor interpretations of the law. Defend the spirit of the law forcefully.
More tools available than you think
Advocate through procurement
Waiting not an option, but don’t forget
Strategy
Risk Management
Cloud-ready Enterprise Architecture
Be Educated
Contact
Jim Reavis [email protected]