global mandate to secure cloud computing
Cloud Security Alliance presentation
www.cloudsecurityalliance.org Copyright © 2013 Cloud Security Alliance
Ken Low
Chairman, Asia Pacific Executive Council
Cloud Security Alliance
Cloud
One million new
mobile devices -
each day!
Social Networking
Digital Natives
State Sponsored Cyberattacks?
Organized Crime?
Legal Jurisdiction & Data Sovereignty?
Global Security Standards?
Privacy Protection for Citizens?
Transparency & Visibility from Cloud Providers?
Shift the balance of power to consumers of IT
Enable innovation to solve difficult problems of
humanity
Give the individual the tools to control their digital
destiny
Do this by creating confidence, trust and
transparency in IT systems
Security is not overhead, it is the enabler
Transparency & visibility from providers
Compatible laws across jurisdictions
Data sovereignty
Incomplete standards
Lack of true multi-tenant technologies &
architecture
Incomplete Identity Mgt implementations
Risk Concentration
Shared Responsibility
Incident sharing
Legal frameworks
Human intelligence
Agile communities
Global, not-for-profit organization, founded 2009
Geographically divided into Americas, EMEA and
APAC regions to meet strategic objectives
200 member driven organization with over 44,000
individual members in 64 chapters worldwide
Established with the aim of bringing trust to the
cloud
Develop a global trusted cloud ecosystem
Building best practices and standards for next-gen IT
Grounded in an agile philosophy, rapid development of
applied research that supports all activities
2009 CSA launch at RSA 2009 with Security Guidance for
Critical Areas of Focus in Cloud Computing
6,000 members
2010 Launch Certificate of Cloud Security Knowledge
(CCSK)
15,000 members
2011 Launch CSA Security, Trust and Assurance Registry
(STAR)
27,000 members
2012 Launch CSA Mobile and Big Data research to
address emerging needs
42,000 members
[Chart: Membership Growth. Regions: North America, EMEA, APAC, Latin America]
Corporate HQ is established in
Singapore
Global CSA Research Centre
Global Standards Secretariat
CCSK Global Centre of Excellence
Secondary hub is established in
Hong Kong anchored by
CloudCERT APAC Operational Base
Both locations also serve as
APAC business centre
Serving as a regional hub and
operations magnet for our members
Subsequently satellite hubs are
established in Thailand, Taiwan and
New Zealand
CSA research is organized
under a framework based
on CSA Security Guidance
for Critical Areas of Focus in
Cloud Computing
Total of 14 domains
organised under 3 key
areas of focus –
Architecture, Governance
and Operational Security
Our research includes
fundamental projects needed
to define and implement trust
within the future of
information technology
CSA continues to be
aggressive in producing
critical research, education
and tools
Sponsorship opportunities
Selected research projects in
following slides
The industry’s first user certification
program for secure cloud computing
Based on CSA research framework,
specifically the Security Guidance for
Critical Areas of Focus in Cloud Computing
Designed to ensure that a broad range of
professionals with responsibility related to
cloud computing have a demonstrated
awareness of the security threats and best
practices for securing the cloud
CCSK Basic
One day course to enable students to pass CCSK
CCSK Plus
Two day course includes practical cloud lab work
CCSK Train-the-Trainer
Three day course including CCSK Plus
GRC Stack Training
Additional one day course to use GRC Stack components
PCI/DSS In the Cloud
Additional one day course focusing on achieving PCI compliance in cloud computing
http://cloudsecurityalliance.org/education/training/
Public visibility into Providers
Corporate Governance
Supply Chain
Information Security Program
Policies Impacting Customers
Consumer right to know
Public will demand better
“Sunlight is the best disinfectant,” U.S. Supreme
Court Justice Louis Brandeis
The CSA Open Certification Framework is an
industry initiative to allow global, accredited,
trusted certification of cloud providers.
The CSA Open Certification Framework is a
program for flexible, incremental and multi-
layered certification
Based on CSA best practices
Integrating with popular third-party assessment
and attestation statements, initially ISO 27001
& AICPA SSAE16 (SOC2)
Pilots in progress, will be released Q3 2013
under the STAR brand
[Diagram: Open Certification Framework. Levels: Self Assessment; Attestation | Certification; Continuous. Labels: Transparency, Assurance]
Clear GRC objectives + 3rd Party Assessment + Real time, continuous monitoring + Self Assessment
CSA STAR (Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative Questionnaire
Provider may substitute documented Cloud Controls Matrix compliance
Voluntary industry action promoting transparency
Security as a market differentiator
www.cloudsecurityalliance.org/star
STAR – Demand it from your providers!
2 Registered (December 2012)
22 Registered (February 2013)
Industry thought leadership
Traditional Monday start to RSA Conference
2011: White House launches Federal Cloud Strategy
2012: Keynote from Former NSA Director Mike McConnell, announce CSA Mobile
2013: DHS Undersecretary for Cybersecurity and Presiding Director of Coca Cola Company, James Robinson III
One day conferences in conjunction with chapters
Engage with local thought leaders
Project CSA best practices globally
2013 Regional Summits (so far)
16 in Asia Pacific
4 in Americas
4 in EMEA
http://www.csathailand.org
Only multi-track, multi-day conference focused on cloud security
Key venue for new research
Primarily attended by enterprise end users
2013 CSA Congress Plans
CSA Congress APAC, Singapore, May 14-17
CSA Congress EMEA, Europe, September
CSA Congress US, Orlando, November
http://www.csa-apac.org
Challenges remain, there will always be insecurity
Global collaboration, public & private
Innovation can make policy restrictions obsolete
Major focus on identity needed
The Internet of Things is a ticking bomb
Must solve tomorrow’s problems today
Transparency must be our guide
Be Pragmatic, Be Agile
Follow the law, but do not concede to poor interpretations of the law. Defend the spirit of the law forcefully.
More tools available than you think
Advocate through procurement
Waiting not an option, but don’t forget
Strategy
Risk Management
Cloud-ready Enterprise Architecture
Be Educated
For more information on the Cloud
Security Alliance, please contact:
Global/Americas
Jim Reavis
EMEA
Daniele Catteddu
APAC
Aloysius Cheang