tag speaker series: cloud security w/ jim reavis


Upload: meg-weber

Post on 20-Aug-2015


Page 1: TAG Speaker Series: Cloud Security w/ Jim Reavis

www.cloudsecurityalliance.org

Jim Reavis, Executive Director

Cloud Computing Security

Page 2: TAG Speaker Series: Cloud Security w/ Jim Reavis

Copyright © 2013 Cloud Security Alliance

About the Cloud Security Alliance

Global, not-for-profit organization

Building security best practices for next generation IT

Research and Educational Programs

Cloud Provider Certification

User Certification

Awareness and Marketing

The globally authoritative source for Trust in the Cloud

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Page 3: TAG Speaker Series: Cloud Security w/ Jim Reavis

CSA Fast Facts

Founded in 2009

Membership stats as of May 2013

47,000 individual members, 66 chapters globally

180 corporate members

Major cloud providers, tech companies, infosec leaders, governments, financial institutions, retail, healthcare and more

Offices in Seattle USA, Singapore, Heraklion Greece

Over 30 research projects in 25 working groups

Strategic partnerships with governments, research institutions, professional associations and industry

Page 4: TAG Speaker Series: Cloud Security w/ Jim Reavis

Copyright © 2011 Cloud Security Alliance

Growth Beyond Comprehension

Forrester forecasts that the global market for cloud computing will grow from $40.7 billion in 2011 to more than $241 billion in 2020

1 Million new mobile phones a day!

Page 5: TAG Speaker Series: Cloud Security w/ Jim Reavis

Our IT System

Enabling Big Data

Managing Mobile Devices

The Glue for the Internet of Things

Accelerating innovation

Cloud is the Foundation

Page 6: TAG Speaker Series: Cloud Security w/ Jim Reavis

What is Cloud Computing?

Compute as a utility: third major era of computing

Cloud enabled by

Moore’s Law

Hyperconnectivity

SOA

Provider scale

Key characteristics

Elastic & on-demand

Multi-tenancy

Metered service

Page 7: TAG Speaker Series: Cloud Security w/ Jim Reavis

Key Trust Issues in cloud

Transparency & visibility from providers

Compatible laws across jurisdictions

Data sovereignty

Incomplete standards

Lack of true multi-tenant technologies & architecture

Incomplete Identity Mgt implementations

Risk Concentration

Page 8: TAG Speaker Series: Cloud Security w/ Jim Reavis

Page 9: TAG Speaker Series: Cloud Security w/ Jim Reavis

Transparency: User Data requests from law enforcement according to Google

For Jul – Dec 2012, from http://www.google.com/transparencyreport/governmentrequests/

France: 1,693 requests, responded to 44%

Germany: 1,550 requests, responded to 42%

US: 8,438 requests, responded to 88%

India: 2,431 requests, responded to 66%

Italy: 846 requests, responded to 34%

Singapore: 96 requests, responded to 75%

Page 10: TAG Speaker Series: Cloud Security w/ Jim Reavis

Innovation

Trust Innovation

Mobile Clouds SaaS Encryption

Identity Mgt – Strong Auth everywhere

Reinvent every industry with Cloud/Mobile/Social/Big Data

Page 11: TAG Speaker Series: Cloud Security w/ Jim Reavis

What is the Global Mandate to Secure Cloud Computing?

State Sponsored Cyberattacks?

Organized Crime?

Legal Jurisdiction & Data Sovereignty?

Global Security Standards?

Privacy Protection for Citizens?

Transparency & Visibility from Cloud Providers?

Page 12: TAG Speaker Series: Cloud Security w/ Jim Reavis

The Global Mandate is Empowerment

Shift the balance of power to consumers of IT

Enable innovation to solve difficult problems of humanity

Give the individual the tools to control their digital destiny

Do this by creating confidence, trust and transparency in IT systems

Security is not overhead, it is the enabler

Page 13: TAG Speaker Series: Cloud Security w/ Jim Reavis

Selected Research to Secure the Cloud

Page 14: TAG Speaker Series: Cloud Security w/ Jim Reavis

CSA Security Guidance

Industry standard catalog of cloud security issues and best practices

Widespread adoption

Translated into 6 languages

14 domains

https://cloudsecurityalliance.org/research/security-guidance/

Page 15: TAG Speaker Series: Cloud Security w/ Jim Reavis

GRC Stack

Family of 4 research projects

Cloud Controls Matrix (CCM)

Consensus Assessments Initiative (CAI)

Cloud Audit

Cloud Trust Protocol (CTP)

Impact to the Industry

Developed tools for governance, risk and compliance management in the cloud

Technical pilots

Provider certification through STAR program

Control Requirements

Provider Assertions

Private, Community & Public Clouds

Page 16: TAG Speaker Series: Cloud Security w/ Jim Reavis

CSA STAR Registry

CSA STAR (Security, Trust and Assurance Registry)

Public Registry of Cloud Provider self assessments

Based on Consensus Assessments Initiative Questionnaire

Provider may substitute documented Cloud Controls Matrix compliance

Voluntary industry action promoting transparency

Security as a market differentiator

www.cloudsecurityalliance.org/star

STAR – Demand it from your providers!

Page 17: TAG Speaker Series: Cloud Security w/ Jim Reavis

Structure

OPEN CERTIFICATION FRAMEWORK

CONTINUOUS

ATTESTATION | CERTIFICATION

SELF ASSESSMENT

TRANSPARENCY

ASSURANCE

Page 18: TAG Speaker Series: Cloud Security w/ Jim Reavis

CCSK – User Certification

Certificate of Cloud Security Knowledge (CCSK)

Benchmark of cloud security competency

Online web-based examination

www.cloudsecurityalliance.org/certifyme

Enterprise members get 8 test tokens, contact [email protected] to receive (must provide email addresses of employees taking test)

Page 19: TAG Speaker Series: Cloud Security w/ Jim Reavis

Security as a Service

Research for gaining greater understanding for how to deliver security solutions via cloud models.

Information Security Industry Re-invented

Identify Ten Categories within SecaaS

Implementation Guidance for each SecaaS Category

Align with international standards and other CSA research

Industry Impact

Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3

Page 20: TAG Speaker Series: Cloud Security w/ Jim Reavis

Smart Mobile

Mobile

Securing application stores and other public entities deploying software to mobile devices

Analysis of mobile security capabilities and features of key mobile operating systems

Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives

Guidelines for the mobile device security framework and mobile cloud architectures

Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device

Best practices for secure mobile application development

Page 21: TAG Speaker Series: Cloud Security w/ Jim Reavis

Big Data Working Group

Big Data

Identifying scalable techniques for data-centric security and privacy problems

Lead to crystallization of best practices for security and privacy in big data

Help industry and government on adoption of best practices

Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards

Accelerate the adoption of novel research aimed to address security and privacy issues

Page 22: TAG Speaker Series: Cloud Security w/ Jim Reavis

Research Portfolio

Our research includes fundamental projects needed to define and implement trust within the future of information technology

CSA continues to be aggressive in producing critical research, education and tools

Page 23: TAG Speaker Series: Cloud Security w/ Jim Reavis

For the Industry

Challenges remain, there will always be insecurity

Global collaboration, public & private

Innovation can make policy restrictions obsolete

Major focus on identity needed

Must solve tomorrow’s problems today

Transparency must be our guide

Page 24: TAG Speaker Series: Cloud Security w/ Jim Reavis

For Nations

Invest in SaaS, not datacenters

Align cloud regulations with global standards

Protect foreigners’ rights as you would your own citizens

Balance industry protection with industry development

Transparency!

Page 25: TAG Speaker Series: Cloud Security w/ Jim Reavis

For the Enterprise

Be Pragmatic, Be Agile

Follow the law, but do not concede to poor interpretations of the law. Defend the spirit of the law forcefully.

More tools available than you think

Advocate through procurement

Waiting not an option, but don’t forget

Strategy

Risk Management

Cloud-ready Enterprise Architecture

Be Educated

Page 26: TAG Speaker Series: Cloud Security w/ Jim Reavis

Contact

Jim Reavis [email protected]

Page 27: TAG Speaker Series: Cloud Security w/ Jim Reavis
