CSA Research Insights - CDM Media · 2012-12-11 · Public visibility into cloud provider corporate...
TRANSCRIPT
www.cloudsecurityalliance.org Copyright © 2012 Cloud Security Alliance
Cloud
Smart Mobile
Big Data
Social
Digital Natives
Global, not-for-profit organization
Over 41,000 individual members, 70 chapters
145 corporate members: DoD, Coca Cola, Bank of America
Building security best practices for next generation IT
Research and Educational Programs
Cloud Provider Certification
User Certification
Public/Private partnerships
The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
Cloud ain’t (just) Outsourcing
Anonymity of provider
Anonymity of geography
Transient business relationships
Shared architecture
A unique business for each layer
Unique risks; innovation required for Governance, Risk Mgt, Compliance
* FFIEC's New Cloud Info 'Disappointing' http://ffiec.bankinfosecurity.com/articles.php?art_id=4949&opg=1
Shared Responsibility
Strategy
Education
Architecture / Framework
Due Diligence
We are all cloud consumers, many of us are cloud providers
Control Requirements
Provider Assertions
Private, Community & Public Clouds
• Family of 4 research projects
• Cloud Controls Matrix
• Consensus Assessments Initiative
• Cloud Audit
• Cloud Trust Protocol
• Tools for governance, risk and compliance mgt
• Enabling automation and continuous monitoring of GRC
Controls derived from guidance
Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP, Countries
Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
Customer vs Provider role
Help bridge the “cloud gap” for IT & IT auditors
Research tools and processes to perform shared assessments of cloud providers
Integrated with Controls Matrix
CAI Questionnaire initial release Oct 2010, over 160 provider questions to identify presence of security controls or practices
Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs
Public visibility into Cloud Provider
Corporate Governance
Supply Chain
Information Security Program
Policies Impacting Customers
Consumer right to know
Public will demand better
“Sunlight is the best disinfectant,” U.S. Supreme Court Justice Louis Brandeis
CSA STAR (Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative Questionnaire
Provider may substitute documented Cloud Controls Matrix compliance
Voluntary industry action promoting transparency
Security as a market differentiator
www.cloudsecurityalliance.org/star
STAR – Demand it from your providers!
DG 4.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
Amazon AWS
AWS errs on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis.
Box.net
Box does have documented procedures for responding to requests for tenant data from governments and third parties.
SHI
Customer responsibility. SHI has no direct access, so requests for data through third parties will be responded to by the customer themselves; however, SHI can sanitize and delete customer data upon migration from the cloud.
Verizon/Terremark
Yes
Leverage CSA STAR Infrastructure to create national, local or industry-specific provider certifications
Allows governments, certification bodies and industry consortia to create certifications addressing specific requirements without developing complete & proprietary bodies of knowledge
Leverage existing certification/attestation regimes
Allows providers to certify once, comply many
2013 Open Certification
ISO 27001 Certification based upon CSA CCM (partnered with BSI Group)
SOC-2 Audit Attestation Reporting based upon CSA CCM (partnered with AICPA)
Branded as CSA STAR Certification
Internet2 - advanced technology community, owned and led by the U.S. research and education community.
Internet2 Net+ Initiative – defining procurement of cloud services for higher education
Net+ Security – creating security requirements and a “FedRAMP-like” model
Partnered with CSA and leveraging CCM + STAR to certify cloud providers for higher education use
[Diagram] Clear GRC objectives: Self Assessment + 3rd Party Assessment + Real time, continuous monitoring
GRC Stack tools freely available
Use for internal ISMS, provider assessments, SLAs, contracts
Scope certifications & attestations according to CCM
Ask for STAR Registry participation from providers
Working on the future today
Provider certification in OCF leveraging existing cert mechanisms
Automate GRC monitoring
https://cloudsecurityalliance.org/research/grc-stack/
https://cloudsecurityalliance.org/star/