Atlanta Chapter
Joint Meeting
May 29, 2014
Agenda
• Key Trust Issues in the Cloud
• CSA Research Roadmap
• 30 Minutes Later…
All materials were created by the CSA and used by philA.
Key Trust Issues in the Cloud
© 2014, Cloud Security Alliance.
Key Trust Issues in Cloud
• Incomplete standards
• Evolving towards true multi-tenant technologies & architecture, e.g. Identity Brokering
• Risk Concentration
• Incompatible laws across jurisdictions
• Lack of transparency & visibility from providers and government
The Government Trust Issue
US Patriot Act
• USA Patriot Act of 2001 (reauthorized in 2006 & 2011)
• Not a new law; a series of amendments to existing laws related to surveillance, investigation and prosecution of terrorism (Foreign Intelligence Surveillance Act)
• Most requests for information follow subpoenas/warrants, but records may be sealed
• Most countries have laws permitting disclosure of user info without user consent related to foreign intelligence and national security
• Not clear whether the interpretation of Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act (FISA) followed legislative intent
Meet philA
Hello, I’m a data guy…
I’m with the Ponemon Institute.
You know, you quote us all of the time:
Annual Cost of Data Breach
Annual Cost of Cybercrime
Annual Most Trusted Companies for Privacy
CSA Government Access to Information Survey
• Conducted online from June 25, 2013 to July 9, 2013
• 456 responses
  • 234 from United States of America
  • 138 from Europe
  • 36 from Asia Pacific
• Many long, long open-ended responses
https://cloudsecurityalliance.org/wp-content/uploads/2013/07/CSA-govt-access-survey-July-2013.pdf
Using US Cloud Providers
• Survey Question: (For non-US residents only) Does the Snowden Incident make your company more or less likely to use US-based cloud providers? (207 respondents)
  • 56% less likely to use US-based cloud providers
  • 31% no impact on usage of US-based cloud providers
  • 10% cancelled a project to use US-based cloud providers
  • 3% more likely to use US-based cloud providers
Using US Cloud Providers
• Survey Question: (For US residents only) Does the Snowden Incident make it more difficult for your company to conduct business outside of the US? (220 respondents)
  • 36% Yes
  • 64% No
Transparency of Government Access
• Survey Question: (For all respondents) How would you rate your country's processes to obtain user information for the purpose of criminal and terrorist investigations? (440 respondents)
  • 47% Poor, there is no transparency in the process
  • 32% Fair, there is some public information about the process and some instances of its usage
  • 11% Unknown, I do not have enough information to make an informed judgment
  • 10% Excellent, the process is well documented
Opinion of Patriot Act
• Survey Question: (For all respondents) If you have concerns about this recent news, which of the following actions do you think would be the best course to mitigate concerns? (423 respondents)
  • 41% The Patriot Act should be repealed in its entirety.
  • 45% The Patriot Act should be modified to tighten the oversight of permitted activities and to provide greater transparency as to how often it is enacted.
  • 13% The Patriot Act is fine as is.
Publishing FISA Requests
• Survey Question: (For all respondents) Should companies who have been subpoenaed through provisions of the Patriot Act, such as FISA (Foreign Intelligence Surveillance Act), be able to publish summary information about the amount of responses they have made? (438 respondents)
  • 91% Yes
  • 9% No
Balancing Safety and Privacy
“…Living in this kind of democracy, we’re going to have to be a little less effective in order to be a little more transparent to get to do anything to defend the American people.”
Michael Hayden, former Director of CIA and NSA
Important Considerations for Enterprises and Public Policy
• Transparency of actors
• Metadata is important
• Data minimization principles
Industry Transparency Example
• User data requests from law enforcement according to Google, Jul – Dec 2012, from http://www.google.com/transparencyreport/governmentrequests/
  • France: 1,693 requests, responded to 44%
  • Germany: 1,550 requests, responded to 42%
  • India: 2,431 requests, responded to 66%
  • Singapore: 96 requests, responded to 75%
  • US: 8,438 requests, responded to 88%
  • UK: 1,458 requests, responded to 70%
Can Providers be Transparent about National Security Issues?
“…ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.”
David Drummond, Chief Legal Counsel, Google
EFF - Who Has Your Back? 2014
CSA Transparency Example: STAR
• CSA STAR (Security, Trust and Assurance Registry)
  • Public Registry of Cloud Provider self assessments
  • Based on CSA best practices (CCM or CAIQ)
• Voluntary industry action promoting transparency
• Security as a market differentiator
• www.cloudsecurityalliance.org/star
• STAR – Demand it from your providers!
CSA STAR: Read and Compare
DG 4.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
• Amazon AWS: AWS errs on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis.
• Box.net: Box does have documented procedures for responding to requests for tenant data from governments and third parties.
• SHI: Customer responsibility. SHI has no direct access, so requests for data through third parties will be responded to by the customer themselves; however, SHI can sanitize and delete customer data upon migration from the cloud.
• Verizon/Terremark: Yes
What is the Future of Assurance in the Global Compute Utility?
• Traditional Auditing and Certification activities
• Harmonized disparate requirements versus a single global standard
  • Example - NIST CSF for cyber security
• Continuous Monitoring
• Community Policing via Transparency
• Privacy emphasis
What global dialogue is needed?
• Government
  • Do we treat foreigners differently than citizens?
  • Aligning with global standards for assurance
• Industry
  • Build the technology to make policy moot
• Enterprise
  • A time to engage
  • Demand accountability from policy makers & providers
  • Protect your data and metadata
• For All: Demand Transparency & Minimization Principles
I’m not going to keep you much longer. It’s 30 minutes already. But…
CSA Research Roadmap
CSA Research Portfolio
• Our research includes fundamental projects needed to define and implement trust within the future of information technology
• CSA continues to be aggressive in producing critical research, education and tools
• 30+ Active Global Work Groups
© 2013, Cloud Security Alliance.
Security Guidance for Critical Areas of Cloud Computing
• The CSA guidance, as it enters its third edition, seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.
• The Security Guidance V.3 will serve as the gateway to emerging standards being developed in the world’s standards organizations and is designed to serve as an executive-level primer to any organization seeking a secure, stable transition to hosting their business operations in the cloud.
• Research and Activities for 2013 - 2014
  • Security Guidance for Critical Areas of Cloud Computing V.4 – Q1 2014 (Planning)
  • Publish V.4 – Q4 2014/Q1 2015
GRC Stack
Family of 4 research projects:
• Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative (CAI)
• Cloud Audit
• Cloud Trust Protocol (CTP)
Impact to the Industry:
• Developed tools for governance, risk and compliance management in the cloud
• Technical pilots
• Provider certification through STAR program
[Diagram: Control Requirements / Provider Assertions / Private, Community & Public Clouds]
Cloud Control Matrix Working Group
• The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
• Research and Activities for 2013 – 2014
  • CCM V.3 – Q3 2013
  • Internet2 Net+ Initiative Mappings (Higher Education) – Q2 2013
  • AICPA Trust Service Principles Mapping – Q4 2013
  • ENISA Information Assurance Framework Mapping – Q4 2013
  • ODCA Mapping – Q4 2013
  • German BSI Mapping – Q4 2013
  • NZISM Mapping – Q4 2013
  • Unified Compliance Framework Mapping – TBD
  • Control Area Gap Analysis – Q4 2013
  • COBIT 5 Mapping – Q1 2014
  • NIST SP 800-53 Rev 4 – Q4 2013
  • Slovenian Information Commissioner on Privacy Guidance for Cloud Computing Mapping – Q1 2014
Consensus Assessment Initiative
• Lack of security control transparency is a leading inhibitor to the adoption of cloud services. The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.
• We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners.
• Research and Activities for 2013 – 2014
  • CAIQ V.3 – Q4 2013
Cloud Audit
• The goal of CloudAudit is to provide a common interface and namespace that allows enterprises who are interested in streamlining their audit processes (cloud or otherwise) as well as cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.
• Research and Activities for 2013 – 2014
  • Create CCM V.3 Database – Q4 2013
  • Automate Change-adds through DB Version of CCM – Q1 2014
  • Update Notification Functionality – Q2 2014
Cloud Trust Protocol Working Group
• The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as “cloud users” or “cloud service owners”) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, …, and nothing else.
• Research and Activities for 2013 – 2014
  • API Interface Definition – Q3 2013
  • Prototype – Q4 2013
  • Trust Model – Q1 2014
  • Pilot – Q2 2014
CSA Enterprise Architecture (aka Trusted Cloud Initiative)
• To promote research, development, and education of best practices and methodologies around a reference architecture for a secure and trusted cloud.
• Research and Activities for 2013 – 2014
  • Develop a Use-Case for the Network Container, to define more context about Polymorphic Malware Prevention – Q4 2013
  • Develop a Use-Case around Behavioral Monitoring – Q4 2013
  • KRI and KPI Development for CSA Reference Architecture Interactive Site – Q4 2013
  • Case Study Webinars (CloudBytes Sessions) – Q4 2013
Top Threats Working Group
• The purpose of this document, Top Threats to Cloud Computing, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to Security Guidance for Critical Areas in Cloud Computing.
• Research and Activities for 2013 – 2014
  • Top Threats to Cloud Computing Survey – Q1 2014
  • Top Threats to Cloud Computing V.4 – Q2 2014
  • Full featured Interact Change Method for Top Threats – Q3 2014
Cloud Vulnerabilities Working Group
• The CSA Cloud Vulnerabilities Working Group is a global working group chartered to conduct research in the area of cloud computing vulnerabilities, with the goals of understanding and educating on the classification and exact causes of cloud computing vulnerabilities, recommendations and best practices for the reduction of top vulnerabilities, reporting of vulnerabilities and the development of related tools and standards.
• Research and Activities for 2013 – 2014
  • Publish Cloud Vulnerabilities White Paper – Q2 2013
  • Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data – Q1 2014
  • Creation of a cloud vulnerability feed documentation mechanism/format/protocol – Q2 2014
  • Portal established for cloud vulnerability reporting and tools – Q4 2014
Security as a Service
• Security as a Service: Research for gaining greater understanding of how to deliver security solutions via cloud models.
• Information Security Industry Re-invented
  • Identify Ten Categories within SecaaS
  • Implementation Guidance for each SecaaS Category
  • Align with international standards and other CSA research
• Industry Impact: Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3
Security as a Service Working Group
• The purpose of this research will be to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices. Other research purposes will be identified by the working group.
• Research and Activities for 2013 – 2014
  • Defined SecaaS Framework (Defined Categories of Service V.2) – Q4 2013
  • Implementation Guidance Documents V.2 – Q1 2014 (Start Planning)
Smart Mobile
• Mobile
  • Securing application stores and other public entities deploying software to mobile devices
  • Analysis of mobile security capabilities and features of key mobile operating systems
  • Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
  • Guidelines for the mobile device security framework and mobile cloud architectures
  • Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
  • Best practices for secure mobile application development
Mobile Working Group
• Mobile computing is experiencing tremendous growth and adoption, while the devices are gaining significant power and dynamic capabilities. Personally owned mobile devices are increasingly being used to access employers’ systems and cloud-hosted data - both via browser-based and native mobile applications. Clouds of mobile devices are likely to be common. The CSA Mobile working group will be responsible for providing fundamental research to help secure mobile endpoint computing from a cloud-centric vantage point.
• Research and Activities for 2013 – 2014
  • BYOD Policy Guidance – Q3/Q4 2013
  • Mobile Authentication Management – Q3/Q4 2013
  • Mobile Application Security Guidance – Q3/Q4 2013
  • Mobile Device Management – Q3/Q4 2013
  • Mobile Maturity v2 Report – Q4 2013
  • Mobile Security Guidance V.2 – Q4 2013
Big Data Working Group
• Big Data
  • Identifying scalable techniques for data-centric security and privacy problems
  • Lead to crystallization of best practices for security and privacy in big data
  • Help industry and government on adoption of best practices
  • Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards
  • Accelerate the adoption of novel research aimed to address security and privacy issues
Big Data Working Group
• The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems. BDWG’s investigation is expected to lead to crystallization of best practices for security and privacy in big data, help industry and government on adoption of best practices, establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards, and accelerate the adoption of novel research aimed to address security and privacy issues.
• Research and Activities for 2013 – 2014
  • Expanded Top 10 Big Data Security and Privacy Concerns – Q3 2013
  • Big Data Analytics for Security Intelligence – Q3 2013
  • Big Data Framework and Taxonomy White Paper – Q4 2013
  • Big Data Cryptography Report – Q4 2013/Q1 2014
  • Big Data Policy and Governance Position Paper - TBD
  • Cloud Infrastructures' Attack Surface Analysis and Reduction Position Paper - TBD
Cloud Data Governance Working Group
• Cloud Computing marks the decrease in emphasis on 'systems' and the increase in emphasis on 'data'. With this trend, Cloud Computing stakeholders need to be aware of the best practices for governing and operating data and information in the Cloud.
• Research and Activities for 2013 – 2014
  • Data Governance across International Borders – Q1 2014
  • Data Tracking and Logging Standard – Q2 2014
Incident Management & Forensics Working Group
• The Working Group serves as a focal point for the examination of incident handling and forensics in cloud environments. We seek to develop best practices that consider the legal, technical, and procedural elements involved in responding in a forensically sound way to security incidents in the cloud.
• Research and Activities for 2013 – 2014
  • Publish “Provider Forensic Support in Public Multi-Tenant Cloud Environments” – Q3 2013
  • Developing a capability maturity model (CMM) for IncM and Forensics in Cloud Environments – Q4 2013
  • Conduct first workshop on IncM & Forensics Roadmap for the Cloud. The roadmap is intended to standardize forensic techniques in cooperation with cloud providers so that quality of evidence is assured and defensible.
  • Survey of cloud users to determine pain points and variation of techniques and workarounds used by consumers. The goal is to define the problem space more clearly.
  • The WG works with CAI and CCM to create a common language and set of expectations around this domain.
Virtualization Working Group
• The CSA Virtualization Working Group is chartered to lead research into the combined virtualized operating system and SDN technologies. The group should build upon existing Domain 13 research and provide more detailed guidance as to threats, architecture, hardening and recommended best practices.
• Research and Activities for 2013 – 2014
  • Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing – Q1 2014
Telecom Working Group
• The Telecom Working Group (TWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how to deliver secure cloud solutions and foster cloud awareness within all aspects of Telecommunications.
• Research and Activities for 2013 - 2014
  • Next Generation SIEM White Paper – Q3 2013
  • IPv6 Research – In Progress
  • Continued advisory role for the Telecom Industry
Health Information Management Working Group
• The Health Information Management Working Group (HIWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries.
• Research and Activities for 2013 – 2014
  • Business Associate Agreement Policy Guidance – Q2 2014
  • Updated HIPAA HiTech Mapping for V.3 – Q1 2014
  • HIPAA Omnibus Rule Education – Q3 2013
Small to Medium Sized Business (SMB) Working Group
• This working group will focus on providing tailored guidance to small business, will cooperate with other working groups where appropriate, and will help cloud providers understand small business requirements.
• Research and Activities for 2013 – 2014
  • Organize a series of workshops to discuss small business cloud requirements and perception of current cloud alliance guidance – Q3/Q4 2013
  • Analyze existing Cloud Security Alliance workgroups and identify where small business related input is required - TBD
  • Produce small business guidance document, draft version - TBD
  • Produce requirements and recommendations to other Cloud Security Alliance workgroups - TBD
Service Level Agreement Working Group
• Service Level Agreements (SLAs) are a component in most cloud service terms and contracts. However, there is a consensus that customers and providers alike have questions about what constitutes an SLA, the sufficiency and adequacy of SLAs and their management. The Cloud Security Alliance SLA Working Group (SLA WG), in an effort to provide clarity to the subject of SLAs, has developed guidance in the following areas:
  • What are the components of an SLA?
  • What role does the SLA play for CSP and CSU?
  • Can we define an SLA Taxonomy?
  • What is the status of SLAs today?
  • SLA myths, challenges and obstacles?
  • SLA Guidance and Recommendations
• Research and Activities for 2013 – 2014
  • Cloud SLA Guidance – Q4 2013/Q1 2014
Privacy Level Agreement Working Group
• This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially when trans-border data flow is concerned.
• A Privacy Level Agreement (PLA) has twofold objectives:
  • Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection.
  • Offer contractual protection against possible economic damages due to lack of compliance or commitment of the CSP with privacy and data protection regulation.
• Research and Activities for 2013 – 2014
  • Phase 2 - Gap Analysis - Cover Requirements outside of Europe (Global PLA) – Q4 2013/Q1 2014
  • Seal or Privacy Certification - Assess Need – Q1 2014
Financial Working Group
• The Financial Working Group (FWG) will be identifying challenges, risks and Best Practices for the development, deployment and management of secure cloud services in the financial Industry.
• FWG’s investigation is expected to lead to the following goals:
  • Identifying the Industry’s main concerns regarding Cloud Services in their sector.
  • Help industry on adoption of best practices.
  • Establish liaisons with regulatory bodies in order to foster the development of suitable regulations.
  • Accelerate the adoption of Secure Cloud services in the Financial Industry.
  • Research proposals for funding.
• Research and Activities for 2013 – 2014
  • Develop guidelines and recommendations for the delivery and management of cloud services in the F&B sector – QX 2014
Open Certification Framework
• The CSA Open Certification Framework provides:
  • A path for any region to address compliance concerns with trusted, global best practices. For example, we expect governments to be heavy adopters of the CSA Open Certification Framework to layer their own unique requirements on top of the GRC Stack and provide agile certification of public sector cloud usage.
  • Explicit guidance for providers on how to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM).
  • A "recognition scheme" that would allow us to support ISO, AICPA and potentially others that incorporate CSA IP inside of their certifications/framework. CSA supports certify-once, use-often, where possible.
• Research and Activities for 2013 – 2014
  • STAR Certification Manual – Q3 2013
  • STAR Attestation Manual – Q3 2013
  • STAR Certification Auditor Accreditation – Q3 2013
  • STAR Attestation Auditor Accreditation – Q4 2013
  • OCF Cost Analysis – Q4 2013
  • OCF Certification Launch – Q4 2013
The OCF structure
• The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.
Copyright © 2011 Cloud Security Alliance
ISACA Collaboration Project
• A collaborative project by ISACA and CSA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing and will help identify any changes in the market. The report, released today, provides detailed insight on the adoption of cloud services among all levels within today’s global enterprises and businesses, including the C-suite.
• Research and Activities for 2013 – 2014
  • Cloud Market Maturity Survey – Q3 2013
  • Cloud Market Maturity Study Results – Q4 2013
Internet2 Collaboration Project
• A team of 30 CIOs, CISOs, and other executives from Internet2’s membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements.
• Research and Activities for 2013 – 2014
  • Net+ Initiative CCM V1.4 – Q3 2013
  • Net+ Initiative CCM V3.0 – Q1 2014
CSA APAC
• Incorporated and based in Singapore
• Planned establishment of HQ in Singapore
• Supported by key Singaporean ministries, led by Infocomm Development Authority
  • IDA support for research and standards functions
• Also private/public partnerships with gov’ts of Thailand and Hong Kong
• CSA chapters throughout APAC
Regional APAC Research
• Research in the APAC region reflects the rapid growth of the cloud market in the region and the demand for security assurances among our member countries
• Research and Activities for 2013 – 2014
  • New Zealand MBIE Funding – Q4 2013
  • CSA Research Journal – Q3 2014
  • Singapore Standard for Virtualization – TBD
  • Salary Survey of Cloud Professionals – TBD
  • Joint Interpol Project – TBD
  • Survey of Reg Requirements for going to the Cloud in Asia - TBD
CSA Europe
• Incorporated in UK
• Base of operations in Heraklion, Greece
• Staffed by noted experts from key EU institutions
• Managing director an alumnus of ENISA (European Network Information Security Agency)
• Received funding grants for 4 research projects by European Commission in 2012
• FP7 Projects
FP7 Projects
• Incorporated in UK
• Base of operations in Helsinki, Finland
• Staffed by noted experts from key EU institutions
• Managing director an alumnus of ENISA (European Network Information Security Agency)
• Received funding grants for 4 research projects by European Commission in 2012
Global University Cloud Research Consortium
• This academic group will be focusing on research collaborations, university-to-university exchanges, university-industry collaborations, adjunct professorships, visiting researchers/professors, and will also organize and administer funding applications.
• Research and Activities for 2013 – 2014
  • Planning in Progress
Enterprise User Council
• The Cloud Security Alliance (CSA) Enterprise User Council was started to provide a balance of power between cloud providers and enterprise users in a world where cloud services, big data, and mobile computing advancements have made their biggest leap into businesses. Our long term goal is to understand the biggest problems facing enterprises and help solve these issues. The CSA Enterprise User Council will represent businesses on these issues externally and abroad.
• Research and Activities for 2013 – 2014
  • Planning in Progress
CCSK – User Certification
• Certificate of Cloud Security Knowledge (CCSK)
• Benchmark of cloud security competency
• Online web-based examination
• www.cloudsecurityalliance.org/certifyme
• Training partnerships
• Developing new curriculum for audit, software development and architecture
Copyright © 2012 Cloud Security Alliance
CSA Open Certification Framework
• Leverage CSA STAR Infrastructure to create national, local or industry-specific provider certifications
• Allows governments, certification bodies and industry consortia to create certifications addressing specific requirements without developing complete & proprietary bodies of knowledge
• Leverage existing certification/attestation regimes
• 2013 Open Certification
  • ISO 27001 Certification based upon CSA CCM (partnered with British Standards Institution)
  • SOC-2 Audit Attestation Reporting based upon CSA CCM (partnered with AICPA)
• Branded as CSA STAR Certification – the gold standard for cloud provider certification
International Standardization Council
• Engage international standards bodies on behalf of CSA
• Propose key CSA research for standardization
• Liaison relationship with ITU-T
• Category A liaison with ISO/IEC SC27 & SC38
• Tracking key SDOs for 2013
  • DMTF
  • IEEE
  • IETF
  • CCSA
  • RAISE
Q3 2013 RESEARCH RELEASES
CCM
• CCM V.3
BIG DATA WORKING GROUP
• Expanded Top 10 Big Data Security and Privacy Concerns
• Big Data Analytics for Security Intelligence
HIM
• HIPAA Omnibus Rule Education
CTP
• API Interface Definition (Alain to update)
INCIDENT MANAGEMENT & FORENSICS
• Provider Forensic Support in Public Multi-Tenant Cloud Environments
OCF
• STAR Certification Manual
• STAR Attestation Manual
• STAR Certification Auditor Accreditation
ISACA
• Cloud Market Maturity Survey
INTERNET2 COLLABORATION
• Net+ Initiative CCM V1.4
ANTI-BOT Working Group
• Work Group Kick-Off
Enterprise User Council
• Work Group Kick-Off
Q4 2013 RESEARCH RELEASES
MOBILE WORKING GROUP
• Mobile Authentication Management V.1.1
• Mobile Device Management V.2
• Mobile Maturity Survey
CCM
• AICPA Trust Service Principles Mapping
• COBIT 5.0
• ENISA Information Assurance Framework Mapping
• ODCA Mapping
• German BSI Mapping
• NZISM Mapping
• Privacy Control Assessment
• Internet 2 Compliance Area Mapping
• NIST SP 800-53 Rev 4
SecaaS
• Defined SecaaS Framework Survey
BIG DATA WORKING GROUP
• Big Data Framework and Taxonomy White Paper
CSA ENTERPRISE ARCHITECTURE
• KRI and KPI Development for CSA Reference Architecture Interactive Site
• Case Study Webinars (CloudBytes Sessions)
• Workshop with EAWG, NIST and Vidders
Anti-Bot Working Group
• Outreach Program Launch
• Essential Practices Sub-Group Launch
• Tools and Operations Sub-Group Launch
• Economics Sub-group Launch
Q4 2013 RESEARCH RELEASES
SMB WG
• Small Medium Size Business Kick-Off and Outreach
CAIQ
• CAIQ V.3
CTP
• Prototype
CLOUD AUDIT
• Create CCM V.3 Database
INCIDENT MANAGEMENT & FORENSICS
• Developing a capability maturity model (CMM) for IncM and Forensics in Cloud Environments
OCF
• STAR Attestation Auditor Accreditation
• OCF Cost Analysis
• OCF Certification Launch
ISACA
• Cloud Market Maturity Study Results
TELECOM WORKING GROUP
• Next Generation SIEM White Paper
APAC Research
• Roadmap for Execution
Q4 2013 RESEARCH RELEASES
Virtualization Working Group
• Virtualization Working Group Kick-Off
• Update Security Guidance to include SDN
Financial Services Working Group
• FSWG Kick-off
• Establish Security and Privacy Test Beds
Cloud Brokerage Working Group
• Publication of one year work plan
• Launch CSA Cloud Broker microsite, partner directory and twitter account
• Publication of V.1 of Working Group Deliverables
• Cloud Brokerage Kick-Off
Leapfrog Project
• Create CCM V.3 Database
Vulnerabilities Working Group
• Working Group Expansion/Official Kick-Off
OCF
• STAR Attestation Auditor Accreditation
• OCF Cost Analysis
• OCF Certification Launch
ISACA
• Cloud Market Maturity Study Results
APAC RESEARCH
• New Zealand MBIE Funding
TELECOM WORKING GROUP
• Next Generation SIEM White Paper
Q1 2014 RESEARCH RELEASES
GUIDANCE
• Security Guidance for Critical Areas of Cloud Computing V.4 (Planning)
CCM
• COBIT 5 Mapping
• Slovenian Information Commissioner on Privacy Guidance for Cloud Computing Mapping
SECAAS
• Implementation Guidance Documents V.2 (Planning)
BIG DATA WORKING GROUP
• Big Data Cryptography Report
HIM
• Updated HIPAA HiTech Mapping for V.3
CTP
• Trust Model
CLOUD AUDIT
• Automate Change-adds through DB Version of CCM
TOP THREATS
• Top Threats to Cloud Computing Survey
CDG
• Data Governance across International Borders
Q1 2014 RESEARCH RELEASES
VIRTUALIZATION WORKING GROUP
• Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing
CLOUD VULNERABILITIES WORKING GROUP
• Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data
SLA
• Cloud SLA Guidance
PLA
• Phase 2 - Gap Analysis - Cover Requirements outside of Europe (Global PLA)
• Seal or Privacy Certification - Assess Need
INTERNET2 COLLABORATION
• Net+ Initiative CCM V3.0
Q2 2014 RESEARCH RELEASES
HIM
• Business Associate Agreement Policy Guidance
CTP
• Pilot
CLOUD AUDIT
• Update Notification Functionality
TOP THREATS
• Top Threats to Cloud Computing V.4
CDG
• Data Tracking and Logging Standard
CLOUD VULNERABILITIES WORKING GROUP
• Creation of a cloud vulnerability feed documentation mechanism/format/protocol
Thank you
About the Cloud Security Alliance
• Global, not-for-profit organization: 56,000 members
• Building security best practices for next generation IT
• Research and Educational Programs
• Cloud Provider Certification: CSA STAR
• User Certification: CCSK
• Awareness and Marketing
• The globally authoritative source for Trust in the Cloud
www.cloudsecurityalliance.org
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
CSA Fast Facts
• Founded in 2009
• 56,000+ individual members, 70+ chapters globally
• 190+ corporate members
• Major cloud providers, tech companies, infosec leaders, DoD, the Fortune 100 and much more
• Offices in Seattle USA, Singapore, Helsinki Finland
• Over 40 research projects in 30+ working groups
• Strategic partnerships with governments, research institutions, professional associations and industry
Thanks
Phil Agcaoili
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)
Contributor, NIST Cybersecurity Framework version 1
@hacksec
https://www.linkedin.com/in/philA

Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to the Cloud and CSA Research

  • 9. CSA Government Access to Information Survey • Conducted online from June 25, 2013 to July 9, 2013 • 456 responses • 234 from United States of America • 138 from Europe • 36 from Asia Pacific • Many long, long open-ended responses https://cloudsecurityalliance.org/wp-content/uploads/2013/07/CSA-govt-access-survey-July-2013.pdf 9 © 2014, Cloud Security Alliance.
  • 10. Using US Cloud Providers • Survey Question: (For non-US residents only) Does the Snowden Incident make your company more or less likely to use US-based cloud providers? (207 respondents) • 56% less likely to use US-based cloud providers • 31% no impact on usage of US-based cloud providers • 10% cancelled a project to use US-based cloud providers • 3% more likely to use US-based cloud providers 10 © 2014, Cloud Security Alliance.
  • 11. Using US Cloud Providers • Survey Question: (For US residents only) Does the Snowden Incident make it more difficult for your company to conduct business outside of the US? (220) • 36% Yes • 64% No 11 © 2014, Cloud Security Alliance.
  • 12. Transparency of Government Access • Survey Question: (For all respondents) How would you rate your country's processes to obtain user information for the purpose of criminal and terrorist investigations? (440) • 47% Poor, there is no transparency in the process • 32% Fair, there is some public information about the process and some instances of its usage • 11% Unknown, I do not have enough information to make an informed judgment • 10% Excellent, the process is well documented 12 © 2014, Cloud Security Alliance.
  • 13. Opinion of Patriot Act • Survey Question: (For all respondents) If you have concerns about this recent news, which of the following actions do you think would be the best course to mitigate concerns? (423) • 41% The Patriot Act should be repealed in its entirety. • 45% The Patriot Act should be modified to tighten the oversight of permitted activities and to provide greater transparency as to how often it is enacted. • 13% The Patriot Act is fine as is. 13 © 2014, Cloud Security Alliance.
  • 14. Publishing FISA Requests • Survey Question: (For all respondents) Should companies who have been subpoenaed through provisions of the Patriot Act, such as FISA (Foreign Intelligence Surveillance Act) be able to publish summary information about the amount of responses they have made? (438) • 91% Yes • 9% No 14 © 2014, Cloud Security Alliance.
  • 15. Balancing Safety and Privacy “…Living in this kind of democracy, we’re going to have to be a little less effective in order to be a little more transparent to get to do anything to defend the American people.” Michael Hayden, former Director of CIA and NSA 15 © 2014, Cloud Security Alliance.
  • 16. Important Considerations for Enterprises and Public Policy • Transparency of actors • Metadata is important • Data minimization principles 16 © 2014, Cloud Security Alliance.
  • 17. Industry Transparency Example • User Data requests from law enforcement according to Google • Jul – Dec 2012, from http://www.google.com/transparencyreport/governmentrequests/ • France: 1,693 requests, responded to 44% • Germany: 1,550 requests, responded to 42% • India: 2,431, responded to 66% • Singapore: 96 requests, responded to 75% • US: 8,438 requests, responded to 88% • UK: 1,458 requests, responded to 70% 17 © 2014, Cloud Security Alliance.
  • 18. Can Providers be Transparent about National Security Issues? “…ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.” David Drummond, Chief Legal Counsel, Google 18 © 2014, Cloud Security Alliance.
  • 19. EFF - Who Has Your Back? 2014 19 © 2014, Cloud Security Alliance.
  • 20. CSA Transparency Example: STAR • CSA STAR (Security, Trust and Assurance Registry) • Public Registry of Cloud Provider self assessments • Based on CSA best practices (CCM or CAIQ) • Voluntary industry action promoting transparency • Security as a market differentiator • www.cloudsecurityalliance.org/star • STAR – Demand it from your providers! 20 © 2014, Cloud Security Alliance.
  • 21. CSA STAR: Read and Compare 21 DG 4.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties? Amazon AWS AWS errs on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis. Box.net Box does have documented procedures for responding to requests for tenant data from governments and third parties. SHI Customer responsibility. SHI has no direct access, so requests for data through third parties will be responded to by the customer themselves, however, SHI can sanitize and delete customer data upon migration from the cloud. Verizon/Terremark Yes © 2014, Cloud Security Alliance.
  • 22. What is the Future of Assurance in the Global Compute Utility? • Traditional Auditing and Certification activities • Harmonized disparate requirements versus a single global standard • Example - NIST CSF for cyber security • Continuous Monitoring • Community Policing via Transparency • Privacy emphasis 22 © 2014, Cloud Security Alliance.
  • 23. What global dialogue is needed? • Government • Do we treat foreigners differently than citizens? • Aligning with global standards for assurance • Industry • Build the technology to make policy moot • Enterprise • A time to engage • Demand accountability from policy makers & providers • Protect your data and metadata • For All: Demand Transparency & Minimization Principles 23 © 2014, Cloud Security Alliance.
  • 24. I’m not going to keep you much longer It’s 30 minutes already. But… 24 © 2014, Cloud Security Alliance.
  • 26. CSA Research Portfolio • Our research includes fundamental projects needed to define and implement trust within the future of information technology • CSA continues to be aggressive in producing critical research, education and tools • 30+ Active Global Work Groups © 2013, Cloud Security Alliance.26
  • 27. © 2013, Cloud Security Alliance.27
  • 28. Security Guidance for Critical Areas of Cloud Computing • The CSA guidance as it enters its third edition seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment. • The Security Guidance V.3 will serve as the gateway to emerging standards being developed in the world’s standards organization and is designed to serve as an executive-level primer to any organization seeking a secure, stable transition to hosting their business operations in the cloud. • Research and Activities for 2013 - 2014 • Security Guidance for Critical Areas of Cloud Computing V.4 – Q1 2014 (Planning) • Publish V.4 – Q4 2014/Q1 2015 © 2013, Cloud Security Alliance.28
  • 29. www.cloudsecurityalliance.org GRC Stack GRC Stack Family of 4 research projects Cloud Controls Matrix (CCM) Consensus Assessments Initiative (CAI) Cloud Audit Cloud Trust Protocol (CTP) Impact to the Industry Developed tools for governance, risk and compliance management in the cloud Technical pilots Provider certification through STAR program Control Requirements Provider Assertions Private, Community & Public Clouds
  • 30. Cloud Control Matrix Working Group • The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. • Research and Activities for 2013 – 2014 • CCM V.3 – Q3 2013 • Internet2 Net+ Initiative Mappings (Higher Education) – Q2 2013 • AICPA Trust Service Principles Mapping – Q4 2013 • ENISA Information Assurance Framework Mapping – Q4 2013 • ODCA Mapping – Q4 2013 • German BSI Mapping – Q4 2013 • NZISM Mapping – Q4 2013 • Unified Compliance Framework Mapping – TBD • Control Area Gap Analysis – Q4 2013 • COBIT 5 Mapping – Q1 2014 • NIST SP 800-53 Rev 4 – Q4 2013 • Slovenian Information Commissioner on Privacy Guidance for Cloud Computing Mapping – Q1 2014 © 2013, Cloud Security Alliance.30
  • 31. Consensus Assessment Initiative • Lack of security control transparency is a leading inhibitor to the adoption of cloud services. The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. • We are focused on providing industry- accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners. • Research and Activities for 2013 – 2014 • CAIQ V.3 – Q4 2013 © 2013, Cloud Security Alliance.31
  • 32. Cloud Audit • The goal of CloudAudit is to provide a common interface and namespace that allows enterprises who are interested in streamlining their audit processes (cloud or otherwise) as well as cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. • Research and Activities for 2013 – 2014 • Create CCM V.3 Database – Q4 2013 • Automate Change-adds through DB Version of CCM – Q1 2014 • Update Notification Functionality – Q2 2014 © 2013, Cloud Security Alliance.32
  • 33. Cloud Trust Protocol Working Group • The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as “cloud users” or “cloud service owners”) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence- based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, …, and nothing else. • Research and Activities for 2013 – 2014 • API Interface Definition – Q3 2013 • Prototype – Q4 2013 • Trust Model – Q1 2014 • Pilot – Q2 2014 © 2013, Cloud Security Alliance.33
  • 34. CSA Enterprise Architecture (aka Trusted Cloud Initiative) • To promote research, development, and education of best practices and methodologies around a reference architecture for a secure and trusted cloud. • Research and Activities for 2013 – 2014 • Develop a Use-Case for the Network Container, to define more context about Polymorphic Malware Prevention – Q4 2013 • Develop a Use-Case around Behavioral Monitoring – Q4 2013 • KRI and KPI Development for CSA Reference Architecture Interactive Site – Q4 2013 • Case Study Webinars (CloudBytes Sessions) – Q4 2013 © 2013, Cloud Security Alliance.34
  • 35. Top Threats Working Group • The purpose of this document, Top Threats to Cloud Computing, is to provide needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. In essence, this threat research document should be seen as a companion to Security Guidance for Critical Areas in Cloud Computing. • Research and Activities for 2013 – 2014 • Top Threats to Cloud Computing Survey – Q1 2014 • Top Threats to Cloud Computing V.4 – Q2 2014 • Full featured Interact Change Method for Top Threats – Q3 2014 © 2013, Cloud Security Alliance.35
  • 36. Cloud Vulnerabilities Working Group • CSA Cloud Vulnerabilities Working Group is global working group chartered to conduct research in the area of cloud computing vulnerabilities, with the goals of understanding and educating the classification and exact causes of cloud computing vulnerabilities, recommendations and best practices for the reduction of top vulnerabilities, reporting of vulnerabilities and the development of related tools and standards. • Research and Activities for 2013 – 2014 • Publish Cloud Vulnerabilities White Paper– Q2 2013 • Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data – Q1 2014 • Creation of a cloud vulnerability feed documentation mechanism/ format/ protocol – Q2 2014 • Portal established for cloud vulnerability reporting and tools – Q4 2014 © 2013, Cloud Security Alliance.36
  • 37. • Security as a Service Research for gaining greater understanding for how to deliver security solutions via cloud models. • Information Security Industry Re- invented • Identify Ten Categories within SecaaS • Implementation Guidance for each SecaaS Category • Align with international standards and other CSA research • Industry Impact Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3 Security as a Service 37 © 2014, Cloud Security Alliance.
  • 38. Security as a Service Working Group • The purpose of this research will be to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices. Other research purposes will be identified by the working group. • Research and Activities for 2013 – 2014 • Defined SecaaS Framework (Defined Categories of Service V.2) – Q4 2013 • Implementation Guidance Documents V.2 – Q1 2014 (Start Planning) © 2013, Cloud Security Alliance.38
  • 39. Smart Mobile • Mobile • Securing application stores and other public entities deploying software to mobile devices • Analysis of mobile security capabilities and features of key mobile operating systems • Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives • Guidelines for the mobile device security framework and mobile cloud architectures • Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device • Best practices for secure mobile application development 39 © 2014, Cloud Security Alliance.
  • 40. Mobile Working Group • Mobile computing is experiencing tremendous growth and adoption, while the devices are gaining significant power and dynamic capabilities. Personally owned mobile devices are increasingly being used to access employers’ systems and cloud-hosted data - both via browser-based and native mobile applications. Clouds of mobile devices are likely to be common. The CSA Mobile working group will be responsible for providing fundamental research to help secure mobile endpoint computing from a cloud-centric vantage point. • Research and Activities for 2013 – 2014 • BYOD Policy Guidance – Q3/Q4 2013 • Mobile Authentication Management – Q3/Q4 2013 • Mobile Application Security Guidance – Q3/Q4 2013 • Mobile Device Management – Q3/Q4 2013 • Mobile Maturity v2 Report – Q4 2013 • Mobile Security Guidance V.2 – Q4 2013 © 2013, Cloud Security Alliance.40
  • 41. • Big Data • Identifying scalable techniques for data-centric security and privacy problems • Lead to crystallization of best practices for security and privacy in big data • Help industry and government on adoption of best practices • Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards • Accelerate the adoption of novel research aimed to address security and privacy issues Big Data Working Group 41 © 2014, Cloud Security Alliance.
  • 42. Big Data Working Group • The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems. BDWG’s investigation is expected to lead to crystallization of best practices for security and privacy in big data, help industry and government on adoption of best practices, establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards, and accelerate the adoption of novel research aimed to address security and privacy issues. • Research and Activities for 2013 – 2014 • Expanded Top 10 Big Data Security and Privacy Concerns – Q3 2013 • Big Data Analytics for Security Intelligence – Q3 2013 • Big Data Framework and Taxonomy White Paper – Q4 2013 • Big Data Cryptography Report – Q4 2013/Q1 2014 • Big Data Policy and Governance Position Paper - TBD • Cloud Infrastructures' Attack Surface Analysis and Reduction Position Paper - TBD © 2013, Cloud Security Alliance.42
  • 43. Cloud Data Governance Working Group • Cloud Computing marks the decrease in emphasis on 'systems' and the increase in emphasis on 'data'. With this trend, Cloud Computing stakeholders need to be aware of the best practices for governing and operating data and information in the Cloud. • Research and Activities for 2013 – 2014 • Data Governance across International Borders – Q1 2014 • Data Tracking and Logging Standard– Q2 2014 © 2013, Cloud Security Alliance.43
  • 44. Incident Management & Forensics Working Group • The Working Group serves as a focal point for the examination of incident handling and forensics in cloud environments. We seek to develop best practices that consider the legal, technical, and procedural elements involved in responding in a forensically sound way to security incidents in the cloud. • Research and Activities for 2013 – 2014 • Publish “Provider Forensic Support in Public Multi-Tenant Cloud Environments” – Q3 2013 • Developing a capability maturity model (CMM) for IncM and Forensics in Cloud Environments – Q4 2013 • Conduct first workshop on IncM & Forensics Roadmap for the Cloud. Roadmap is intended to standardize forensic techniques in cooperation with cloud providers so that quality of evidence is assured and defensible. • Survey of cloud users to determine pain points and variation of techniques, workarounds used by consumers. Goal is define problem space more clearly. • WG works with CAI and CCM to create a common language, set of expectations around this domain. © 2013, Cloud Security Alliance.44
  • 45. Virtualization Working Group • The CSA Virtualization Working Group is chartered to lead research into the combined virtualized operating system and SDN technologies. The group should build upon existing Domain 13 research and provide more detailed guidance as to threats, architecture, hardening and recommended best practices. • Research and Activities for 2013 – 2014 • Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing – Q1 2014 © 2013, Cloud Security Alliance.45
  • 46. Telecom Working Group • The Telecom Working Group (TWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how to deliver secure cloud solutions and foster cloud awareness within all aspects of Telecommunications. • Research and Activities for 2013 - 2014 • Next Generation SIEM White Paper – Q3 2013 • IPv6 Research – In Progress • Continued advisory role for the Telecom Industry © 2013, Cloud Security Alliance.46
  • 47. Health Information Management Working Group • The Health Information Management Working Group (HIWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries. • Research and Activities for 2013 – 2014 • Business Associate Agreement Policy Guidance – Q2 2014 • Updated HIPAA HiTech Mapping for V.3 – Q1 2014 • HIPAA Omnibus Rule Education – Q3 2013 © 2013, Cloud Security Alliance.47
  • 48. Small to Medium Sized Business (SMB) Working Group • This working group will focus on providing tailored guidance to small business, will cooperate with other working groups where appropriate, and, will help cloud providers understand small business requirements. • Research and Activities for 2013 – 2014 • Organize a series of workshops to discuss small business cloud requirements and perception of current cloud alliance guidance – Q3/Q4 2013 • Analyze existing Cloud Security Alliance workgroups and identify where small business related input is required - TBD • Produce Small business guidance document, draft version - TBD • Produce requirements and recommendations to other Cloud Security Alliance workgroups - TBD © 2013, Cloud Security Alliance.48
  • 49. Service Level Agreement Working Group • Service Level Agreements (SLAs) are a component in most cloud service terms and contracts. However, there is a consensus that Customers and providers alike have questions about what constitutes an SLA, the sufficiency and adequacy of SLAs and their management. The Cloud Security Alliance SLA Working Group ,(SLA WG)in an effort to provide clarity to the subject of SLAs has developed guidance in the following areas. • What are the components of an SLA? • What role does the SLA play for CSP and CSU? • Can we define an SLA Taxonomy? • What is the status of SLA’s today? • SLA myths, challenges and obstacles? • SLA Guidance and Recommendations • Research and Activities for 2013 – 2014 • Cloud SLA Guidance – Q4 2013/ Q1 2014 © 2013, Cloud Security Alliance.49
  • 50. Privacy Level Agreement Working Group • This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially when trans-border data flaw is concerned. • A Privacy Level Agreement (PLA) has twofold objectives: • Provide cloud customers with a tool to assess a CSP’s commitment to address personal data protection. • Offer contractual protection against possible economical damages due to lack of compliance or commitment of the CSP with privacy and data protection regulation. • Research and Activities for 2013 – 2014 • Phase 2 - Gap Analysis - Cover Requirements outside of Europe (Global PLA)– Q4 2013/ Q1 2014 • Seal or Privacy Certification - Assess Need – Q1 2014 © 2013, Cloud Security Alliance.50
  • 51. Financial Working Group • The Financial Working Group (FWG) will be identifying challenges, risks and Best Practices for the development, deployment and management of secure cloud services in the financial Industry. • FWG’s investigation is expected to lead to the following goals: • Identifying the Industry’s main concerns regarding Cloud Services in their sector. • Help industry on adoption of best practices, • Establish liaisons with regulatory bodies in order to foster the development of suitable regulations. • Accelerate the adoption of Secure Cloud services in the Financial Industry • Research proposals for funding • Research and Activities for 2013 – 2014 • Develop guidelines and recommendations for the delivery and management of cloud services in the F&B sector – QX 2014 © 2013, Cloud Security Alliance.51
  • 52. Open Certification Framework • The CSA Open Certification Framework provides: • A path for any region to address compliance concerns with trusted, global best practices. For example, we expect governments to be heavy adopters of the CSA Open Certification Framework to layer their own unique requirements on top of the GRC Stack and provide agile certification of public sector cloud usage. • An explicit guidance for providers on how to use GRC Stack tools for multiple certification efforts. For example, scoping documentation will articulate the means by which a provider may follow an ISO/IEC 27001 certification path that incorporates the CSA Cloud Controls Matrix (CCM). • A "recognition scheme" that would allow us to support ISO, AICPA and potentially others that incorporate CSA IP inside of their certifications/framework. CSA supports certify-once, use-often, where possible. • Research and Activities for 2013 – 2014 • STAR Certification Manual – Q3 2013 • STAR Attestation Manual – Q3 2013 • STAR Certification Auditor Accreditation – Q3 2013 • STAR Attestation Auditor Accreditation – Q4 2013 • OCF Cost Analysis – Q4 2013 • OCF Certification Launch – Q4 2013 © 2013, Cloud Security Alliance.52
  • 53. www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance The OCF structure •The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.
• 54. ISACA Collaboration Project
  • A collaborative project by ISACA and CSA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing and will help identify any changes in the market. The report, released today, provides detailed insight on the adoption of cloud services among all levels within today’s global enterprises and businesses, including the C-suite.
  • Research and Activities for 2013 – 2014
    • Cloud Market Maturity Survey – Q3 2013
    • Cloud Market Maturity Study Results – Q4 2013
• 55. Internet2 Collaboration Project
  • A team of 30 CIOs, CISOs, and other executives from Internet2’s membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements.
  • Research and Activities for 2013 – 2014
    • Net+ Initiative CCM V1.4 – Q3 2013
    • Net+ Initiative CCM V3.0 – Q1 2014
• 56. CSA APAC
  • Incorporated and based in Singapore
  • Planned establishment of HQ in Singapore
  • Supported by key Singaporean ministries, led by Infocomm Development Authority
  • IDA support for research and standards functions
  • Also private/public partnerships with governments of Thailand and Hong Kong
  • CSA chapters throughout APAC
• 57. Regional APAC Research
  • Research in the APAC region reflects the rapid growth of the cloud market in the region and the demand for security assurances among our member countries
  • Research and Activities for 2013 – 2014
    • New Zealand MBIE Funding – Q4 2013
    • CSA Research Journal – Q3 2014
    • Singapore Standard for Virtualization – TBD
    • Salary Survey of Cloud Professionals – TBD
    • Joint Interpol Project – TBD
    • Survey of Regulatory Requirements for going to the Cloud in Asia – TBD
• 58. CSA Europe
  • Incorporated in UK
  • Base of operations in Heraklion, Greece
  • Staffed by noted experts from key EU institutions
  • Managing director an alumnus of ENISA (European Network Information Security Agency)
  • Received funding grants for 4 research projects by European Commission in 2012
  • FP7 Projects
• 59. FP7 Projects
  • Incorporated in UK
  • Base of operations in Helsinki, Finland
  • Staffed by noted experts from key EU institutions
  • Managing director an alumnus of ENISA (European Network Information Security Agency)
  • Received funding grants for 4 research projects by European Commission in 2012
• 60. Global University Cloud Research Consortium
  • This academic group will focus on research collaborations, university-to-university exchanges, university-industry collaborations, adjunct professorships, and visiting researchers/professors, and will also organize and administer funding applications.
  • Research and Activities for 2013 – 2014
    • Planning in Progress
• 61. Enterprise User Council
  • The Cloud Security Alliance (CSA) Enterprise User Council was started to provide a balance of power between cloud providers and enterprise users in a world where cloud services, big data, and mobile computing advancements have made their biggest leap into businesses. Our long-term goal is to understand the biggest problems facing enterprises and help solve these issues. The CSA Enterprise User Council will represent businesses on these issues externally and abroad.
  • Research and Activities for 2013 – 2014
    • Planning in Progress
• 62. CCSK – User Certification
  • Certificate of Cloud Security Knowledge (CCSK)
  • Benchmark of cloud security competency
  • Online web-based examination: www.cloudsecurityalliance.org/certifyme
  • Training partnerships
  • Developing new curriculum for audit, software development and architecture
• 63. CSA Open Certification Framework
  • Leverage CSA STAR Infrastructure to create national, local or industry-specific provider certifications
  • Allows governments, certification bodies and industry consortia to create certifications addressing specific requirements without developing complete & proprietary bodies of knowledge
  • Leverage existing certification/attestation regimes
  • 2013 Open Certification
    • ISO 27001 Certification based upon CSA CCM (partnered with British Standards Institution)
    • SOC-2 Audit Attestation Reporting based upon CSA CCM (partnered with AICPA)
    • Branded as CSA STAR Certification – the gold standard for cloud provider certification
• 64. International Standardization Council
  • Engage international standards bodies on behalf of CSA
  • Propose key CSA research for standardization
  • Liaison relationship with ITU-T
  • Category A liaison with ISO/IEC SC27 & SC38
  • Tracking key SDOs for 2013
    • DMTF
    • IEEE
    • IETF
    • CCSA
    • RAISE
• 65. Q3 2013 Research Releases
  • CCM
    • CCM V.3
  • Big Data Working Group
    • Expanded Top 10 Big Data Security and Privacy Concerns
    • Big Data Analytics for Security Intelligence
  • HIM
    • HIPAA Omnibus Rule Education
  • CTP
    • API Interface Definition (Alain to update)
  • Incident Management & Forensics
    • Provider Forensic Support in Public Multi-Tenant Cloud Environments
  • OCF
    • STAR Certification Manual
    • STAR Attestation Manual
    • STAR Certification Auditor Accreditation
  • ISACA
    • Cloud Market Maturity Survey
  • Internet2 Collaboration
    • Net+ Initiative CCM V1.4
  • Anti-Bot Working Group
    • Work Group Kick-Off
  • Enterprise User Council
    • Work Group Kick-Off
• 66. Q4 2013 Research Releases
  • Mobile Working Group
    • Mobile Authentication Management V.1.1
    • Mobile Device Management V.2
    • Mobile Maturity Survey
  • CCM
    • AICPA Trust Service Principles Mapping
    • COBIT 5.0
    • ENISA Information Assurance Framework Mapping
    • ODCA Mapping
    • German BSI Mapping
    • NZISM Mapping
    • Privacy Control Assessment
    • Internet 2 Compliance Area Mapping
    • NIST SP 800-53 Rev 4
  • SecaaS
    • Defined SecaaS Framework Survey
  • Big Data Working Group
    • Big Data Framework and Taxonomy White Paper
  • CSA Enterprise Architecture
    • KRI and KPI Development for CSA Reference Architecture
    • Interactive Site
    • Case Study Webinars (CloudBytes Sessions)
    • Workshop with EAWG, NIST and Vidders
  • Anti-Bot Working Group
    • Outreach Program Launch
    • Essential Practices Sub-Group Launch
    • Tools and Operations Sub-Group Launch
    • Economics Sub-Group Launch
• 67. Q4 2013 Research Releases
  • SMB WG
    • Small Medium Size Business Kick-Off and Outreach
  • CAIQ
    • CAIQ V.3
  • CTP
    • Prototype
  • Cloud Audit
    • Create CCM V.3 Database
  • Incident Management & Forensics
    • Developing a capability maturity model (CMM) for IncM and Forensics in Cloud Environments
  • OCF
    • STAR Attestation Auditor Accreditation
    • OCF Cost Analysis
    • OCF Certification Launch
  • ISACA
    • Cloud Market Maturity Study Results
  • Telecom Working Group
    • Next Generation SIEM White Paper
  • APAC
    • Research Roadmap for Execution
• 68. Q4 2013 Research Releases
  • Virtualization Working Group
    • Virtualization Working Group Kick-Off
    • Update Security Guidance to include SDN
  • Financial Services Working Group
    • FSWG Kick-off
    • Establish Security and Privacy Test Beds
  • Cloud Brokerage Working Group
    • Publication of one year work plan
    • Launch CSA Cloud Broker microsite, partner directory and twitter account
    • Publication of V.1 of Working Group Deliverables
    • Cloud Brokerage Kick-Off
  • Leapfrog Project
    • Create CCM V.3 Database
  • Vulnerabilities Working Group
    • Working Group Expansion/Official Kick-Off
  • OCF
    • STAR Attestation Auditor Accreditation
    • OCF Cost Analysis
    • OCF Certification Launch
  • ISACA
    • Cloud Market Maturity Study Results
  • APAC Research
    • New Zealand MBIE Funding
  • Telecom Working Group
    • Next Generation SIEM White Paper
• 69. Q1 2014 Research Releases
  • Guidance
    • Security Guidance for Critical Areas of Cloud Computing V.4 (Planning)
  • CCM
    • COBIT 5 Mapping
    • Slovenian Information Commissioner on Privacy Guidance for Cloud Computing Mapping
  • SecaaS
    • Implementation Guidance Documents V.2 (Planning)
  • Big Data Working Group
    • Big Data Cryptography Report
  • HIM
    • Updated HIPAA HiTech Mapping for V.3
  • CTP
    • Trust Model
  • Cloud Audit
    • Automate Change-adds through DB Version of CCM
  • Top Threats
    • Top Threats to Cloud Computing Survey
  • CDG
    • Data Governance across International Borders
• 70. Q1 2014 Research Releases
  • Virtualization Working Group
    • Standalone Domain 13 Virtualization Whitepaper as part of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing
  • Cloud Vulnerabilities Working Group
    • Establishment of a taxonomy for Cloud Vulnerabilities based on statistical data
  • SLA
    • Cloud SLA Guidance
  • PLA
    • Phase 2 – Gap Analysis – Cover Requirements outside of Europe (Global PLA)
    • Seal or Privacy Certification – Assess Need
  • Internet2 Collaboration
    • Net+ Initiative CCM V3.0
• 71. Q2 2014 Research Releases
  • HIM
    • Business Associate Agreement Policy Guidance
  • CTP
    • Pilot
  • Cloud Audit
    • Update Notification Functionality
  • Top Threats
    • Top Threats to Cloud Computing V.4
  • CDG
    • Data Tracking and Logging Standard
  • Cloud Vulnerabilities Working Group
    • Creation of a cloud vulnerability feed documentation mechanism/format/protocol
• 73. About the Cloud Security Alliance
  • Global, not-for-profit organization: 56,000 members
  • Building security best practices for next generation IT
  • Research and Educational Programs
    • Cloud Provider Certification: CSA STAR
    • User Certification: CCSK
  • Awareness and Marketing
  • The globally authoritative source for Trust in the Cloud
  • www.cloudsecurityalliance.org
  • “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
• 74. CSA Fast Facts
  • Founded in 2009
  • 56,000+ individual members, 70+ chapters globally
  • 190+ corporate members
    • Major cloud providers, tech companies, infosec leaders, DoD, the Fortune 100 and much more
  • Offices in Seattle USA, Singapore, Helsinki Finland
  • Over 40 research projects in 30+ working groups
  • Strategic partnerships with governments, research institutions, professional associations and industry
• 75. Thanks
  • Phil Agcaoili
  • Co-Founder & Board Member, Southern CISO Security Council
  • Distinguished Fellow and Fellows Chairman, Ponemon Institute
  • Founding Member, Cloud Security Alliance (CSA)
  • Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)
  • Contributor, NIST Cybersecurity Framework version 1
  • @hacksec
  • https://www.linkedin.com/in/philA