Global Efforts to Secure Cloud Computing
3. www.cloudsecurityalliance.org Copyright © 2013 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance
State Sponsored Cyberattacks?
Organized Crime?
Legal Jurisdiction & Data Sovereignty?
Global Security Standards?
Privacy Protection for Citizens?
Transparency & Visibility from Cloud Providers?
4.
Shift the balance of power to consumers of IT
Enable innovation to solve difficult problems of humanity
Give the individual the tools to control their digital destiny
Do this by creating confidence, trust and transparency in IT systems
Security is not overhead, it is the enabler
13.
GRC Stack
Family of 4 research projects
Cloud Controls Matrix (CCM)
Consensus Assessments Initiative (CAI)
Cloud Audit
Cloud Trust Protocol (CTP)
Impact to the Industry
Developed tools for governance, risk and compliance management in the cloud
Technical pilots
Provider certification through STAR program
Control Requirements
Provider Assertions
19.
DG 4.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
Amazon AWS
AWS errs on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis.
Box.net
Box does have documented procedures for responding to requests for tenant data from governments and third parties.
SHI
Customer responsibility. SHI has no direct access, so requests for data through third parties will be responded to by the customer themselves, however, SHI can sanitize and delete customer data upon migration from the cloud.
Verizon/Terremark
Yes
28.
Our research includes fundamental projects needed to define and implement trust within the future of information technology
CSA continues to be aggressive in producing critical research, education and tools
31.
Certificate of Cloud Security Knowledge (CCSK)
Benchmark of cloud security competency
Online web-based examination
www.cloudsecurityalliance.org/certifyme
Training partnerships
Developing new curriculum for audit, software development and architecture
Partnership with (ISC)² for cloud security architecture certification
35.
Please contact Jim Reavis at jreavis@cloudsecurityalliance.org for more information on the Cloud Security Alliance
I will see you at the CSA EMEA Congress, September 24-26 in Edinburgh
https://cloudsecurityalliance.org/events/csa-emea-congress-2013/
Editor's Notes

Will my provider be transparent about how they manage their systems, organization governance, etc.? Will I be considered compliant? Do I know where my data is? Will a lack of standards drive unexpected obsolescence? Is my provider really better at security than me? Are the hackers waiting for me in the cloud? Will I get fired? How can we gracefully “lose control” of IT?

The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. CSA STAR is open to all cloud providers, and allows them to submit self assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.

Sample entry from Verizon Terremark

We can start having fun scrutinizing entries!