CSA Research Insights - CDM Media · 2012-12-11

www.cloudsecurityalliance.org CSA Research Insights


Page 1: CSA Research Insights - CDM Media · 2012-12-11 · Public visibility into Cloud Provider Corporate Governance Supply Chain Information Security Program Policies Impacting Customers

www.cloudsecurityalliance.org

CSA Research Insights

Page 2

• Cloud
• Smart Mobile
• Big Data
• Social
• Digital Natives

Page 3

• Global, not-for-profit organization
• Over 41,000 individual members, 70 chapters
• 145 corporate members: DoD, Coca Cola, Bank of America
• Building security best practices for next generation IT
• Research and Educational Programs
• Cloud Provider Certification
• User Certification
• Public/Private partnerships
• The globally authoritative source for Trust in the Cloud

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 4

Cloud ain’t (just) Outsourcing

• Anonymity of provider
• Anonymity of geography
• Transient business relationships
• Shared architecture
• A unique business for each layer
• Unique risks, innovation required for Governance, Risk Mgt, Compliance

* FFIEC's New Cloud Info 'Disappointing' http://ffiec.bankinfosecurity.com/articles.php?art_id=4949&opg=1

Page 5

Shared Responsibility

• Strategy
• Education
• Architecture / Framework
• Due Diligence

We are all cloud consumers, many of us are cloud providers

Page 6

Control Requirements

Provider Assertions

Private, Community & Public Clouds

• Family of 4 research projects
• Cloud Controls Matrix
• Consensus Assessments Initiative
• Cloud Audit
• Cloud Trust Protocol
• Tools for governance, risk and compliance mgt
• Enabling automation and continuous monitoring of GRC

Page 7

• Controls derived from guidance
• Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, Countries
• Rated as applicable to S-P-I
• Customer vs Provider role
• Help bridge the “cloud gap” for IT & IT auditors

Page 8

• Research tools and processes to perform shared assessments of cloud providers
• Integrated with Controls Matrix
• CAI Questionnaire initial release Oct 2010, over 160 provider questions to identify presence of security controls or practices
• Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs

Page 9

Public visibility into Cloud Provider

• Corporate Governance
• Supply Chain
• Information Security Program
• Policies Impacting Customers

Consumer right to know

Public will demand better

“Sunlight is the best disinfectant,” U.S. Supreme Court Justice Louis Brandeis

Page 10

CSA STAR (Security, Trust and Assurance Registry)

• Public Registry of Cloud Provider self assessments
• Based on Consensus Assessments Initiative Questionnaire
• Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Security as a market differentiator

www.cloudsecurityalliance.org/star

STAR – Demand it from your providers!

Page 11

Page 12

DG 4.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?

Amazon AWS: AWS errs on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis.

Box.net: Box does have documented procedures for responding to requests for tenant data from governments and third parties.

SHI: Customer responsibility. SHI has no direct access, so requests for data through third parties will be responded to by the customer themselves; however, SHI can sanitize and delete customer data upon migration from the cloud.

Verizon/Terremark: Yes

Page 13

• Leverage CSA STAR Infrastructure to create national, local or industry-specific provider certifications
• Allows governments, certification bodies and industry consortia to create certifications addressing specific requirements without developing complete & proprietary bodies of knowledge
• Leverage existing certification/attestation regimes
• Allows providers to certify once, comply many

2013 Open Certification

• ISO 27001 Certification based upon CSA CCM (partnered with BSI Group)
• SOC-2 Audit Attestation Reporting based upon CSA CCM (partnered with AICPA)
• Branded as CSA STAR Certification

Page 14

Page 15

• Internet2 - advanced technology community, owned and led by the U.S. research and education community.
• Internet2 Net+ Initiative – defining procurement of cloud services for higher education
• Net+ Security – creating security requirements and a “FEDRamp like” model
• Partnered with CSA and leveraging CCM + STAR to certify cloud providers for higher education use

Page 16

Clear GRC objectives

Self Assessment + 3rd Party Assessment + Real time, continuous monitoring

Page 17

GRC Stack tools freely available

• Use for internal ISMS, provider assessments, SLAs, contracts
• Scope certifications & attestations according to CCM
• Ask for STAR Registry participation from providers

Working on the future today

• Provider certification in OCF leveraging existing cert mechanisms
• Automate GRC monitoring

https://cloudsecurityalliance.org/research/grc-stack/

https://cloudsecurityalliance.org/star/

Page 18