www.cloudsecurityalliance.org Copyright © 2013 Cloud Security Alliance A view from the Cloud Security Alliance peephole

Page 1:

A view from the Cloud Security Alliance peephole

Page 2:

Cloud

One million new mobile devices each day!

Social Networking

Digital Natives

Page 3:

State Sponsored Cyberattacks?

Organized Crime?

Legal Jurisdiction & Data Sovereignty?

Global Security Standards?

Privacy Protection for Citizens?

Transparency & Visibility from Cloud Providers?

Page 4:

Shift the balance of power to consumers of IT

Enable innovation to solve difficult problems of humanity

Give the individual the tools to control their digital destiny

Do this by creating confidence, trust and transparency in IT systems

Security is not overhead, it is the enabler

Page 5:

Global, not-for-profit organization, founded 2009

Geographically divided into Americas, EMEA and APAC regions to meet strategic objectives

200-member-driven organization with over 48,000 individual members in 64 chapters worldwide

Established with the aim of bringing trust to the cloud

Develop a global trusted cloud ecosystem

Building best practices and standards for next-gen IT

Grounded in an agile philosophy, rapid development of applied research that supports all activities

Page 6:

Page 7:

Corporate HQ is established in Singapore

Global CSA Research Centre

Global Standards Secretariat

CCSK Global Centre of Excellence

Secondary hub is established in Hong Kong, anchored by:

CloudCERT APAC Operational Base

Both locations also serve as:

APAC business centre

Serving as a regional hub and operations magnet for our members

Subsequently, satellite hubs are established in Thailand, Taiwan and New Zealand

Page 8:

Page 9:

Page 10:

CSA research is organized under a framework based on the CSA Security Guidance for Critical Areas of Focus in Cloud Computing

Total of 14 domains organised under 3 key areas of focus – Architecture, Governance and Operational Security

Page 11:

Our research includes fundamental projects needed to define and implement trust within the future of information technology

CSA continues to be aggressive in producing critical research, education and tools

Sponsorship opportunities

Selected research projects are shown in the following slides

Page 12:

GRC Stack: family of 4 research projects

Cloud Controls Matrix (CCM)

Consensus Assessments Initiative (CAI)

Cloud Audit

Cloud Trust Protocol (CTP)

Impact to the Industry

Developed tools for governance, risk and compliance management in the cloud

Technical pilots

Provider certification through STAR program

Control Requirements

Provider Assertions

Private, Community & Public Clouds

Page 13:

Previously known as Trusted Cloud Initiative

Security reference architecture for cloud

Architecture in use by early adopters of cloud in Global 2000

Cloud brokering

To do:

Management tools

Technical implementation guides

Documented case studies & use cases

https://cloudsecurityalliance.org/research/architecture/

Page 14:

1. Data Breaches

2. Data Loss

3. Account Hijacking

4. Insecure APIs

5. Denial of Service

6. Malicious Insiders

7. Abuse of Cloud Services

8. Insufficient Due Diligence

9. Shared Technology Issues

https://cloudsecurityalliance.org/research/top-threats/

Page 15:

1. Data loss from lost, stolen or decommissioned devices.

2. Information-stealing mobile malware.

3. Data loss and data leakage through poorly written third-party apps.

4. Vulnerabilities within devices, OS, design and third-party applications.

5. Unsecured WiFi, network access and rogue access points.

6. Unsecured or rogue marketplaces.

7. Insufficient management tools, capabilities and access to APIs (includes personas).

8. NFC and proximity-based hacking.

Page 16:

Security as a Service

Research for gaining a greater understanding of how to deliver security solutions via cloud models.

Information Security Industry Re-invented

Identify Ten Categories within SecaaS

Implementation Guidance for each SecaaS Category

Align with international standards and other CSA research

Industry Impact

Defined 10 Categories of Service and Developed Domain 14 of CSA Guidance V.3

Page 17:

Mobile

Securing application stores and other public entities deploying software to mobile devices

Analysis of mobile security capabilities and features of key mobile operating systems

Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives

Guidelines for the mobile device security framework and mobile cloud architectures

Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device

Best practices for secure mobile application development

Page 18:

Big Data

Identifying scalable techniques for data-centric security and privacy problems

Lead to crystallization of best practices for security and privacy in big data

Help industry and government on adoption of best practices

Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards

Accelerate the adoption of novel research aimed to address security and privacy issues

Page 19:

Expert-led community resource for global legal issues impacting cloud computing.

“Ask the Expert” advice column

Regular in-person seminars and webcasts

Expert opinion whitepapers, initial postings:

Government Access to Data Held by US Cloud Service Providers

Proposed EU Data Protection Regulation Implications for Cloud Users

Article 29 for Cloud Computing

https://cloudsecurityalliance.org/research/clic

Page 20:

CSA Working Group based in Europe

Define baselines for compliance with data protection legislation via a Privacy Level Agreement mechanism

A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP.

A tool to assess the level of a CSP’s compliance with data protection legislative requirements and best practices.

A way to offer contractual protection against possible financial damages due to lack of compliance.

https://cloudsecurityalliance.org/research/pla/

Page 21:

Page 22:

Public visibility into Providers

Corporate Governance

Supply Chain

Information Security Program

Policies Impacting Customers

Consumer right to know

Public will demand better

“Sunlight is the best disinfectant,” U.S. Supreme Court Justice Louis Brandeis

Page 23:

Control Requirements

Provider Assertions

Private, Community & Public Clouds

Page 24:

The CSA Open Certification Framework (OCF) is an industry initiative to allow global, accredited, trusted certification of cloud providers.

The CSA Open Certification Framework is a program for flexible, incremental and multi-layered certification

Based on CSA best practices

Integrating with popular third-party assessment and attestation statements, initially ISO 27001 & AICPA SSAE16 (SOC2)

Project initiative is called OCF, the certification mark is STAR

Page 25:

OPEN CERTIFICATION FRAMEWORK

LEVEL 3 - CONTINUOUS

LEVEL 2 - ATTESTATION | CERTIFICATION

LEVEL 1 - SELF ASSESSMENT

(Diagram axis labels: TRANSPARENCY, ASSURANCE)

Page 26:

(Diagram: Clear GRC objectives + Self Assessment + 3rd Party Assessment + Real time, continuous monitoring)

Page 27:

CSA STAR (Security, Trust and Assurance Registry)

Public Registry of Cloud Provider self-assessments

Based on Consensus Assessments Initiative Questionnaire

Provider may substitute documented Cloud Controls Matrix compliance

Voluntary industry action promoting transparency

Security as a market differentiator

www.cloudsecurityalliance.org/star

STAR – Demand it from your providers!

Page 28:

2 Registered (December 2012)

22 Registered (February 2013)

Page 29:

Completion of APAC pilots @ Alibaba and New Taipei City (G-Cloud)

Target launch for Level 2 certification @ CSA EMEA Congress on Sep 25

Also announced harmonization of Singapore Standard (Multi-tier Cloud Security) certification scheme against CSA’s OCF

Page 30:

Page 31:

The industry’s first user certification program for secure cloud computing

Based on the CSA research framework, specifically the Security Guidance for Critical Areas of Focus in Cloud Computing

Designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud

Page 32:

CCSK Basic

One-day course to enable students to pass the CCSK

CCSK Plus

Two-day course including practical cloud lab work

CCSK Train-the-Trainer

Three-day course including CCSK Plus

GRC Stack Training

Additional one-day course on using the GRC Stack components

PCI/DSS In the Cloud

Additional one-day course focusing on achieving PCI compliance in cloud computing

http://cloudsecurityalliance.org/education/training/

Page 33:

CCSK for IT & Security Architects

Whitepaper: Security best practices for security architecture in the cloud derived from CSA Domain 1, Trusted Cloud Initiative Reference Architecture model and new materials.

Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials.

CCSK for Software Developers

Whitepaper: Security best practices for software development in the cloud and recommended industry curriculum.

Courseware: Development of 3 day courseware derived from above whitepaper and other CSA materials.

CCSK for Cloud Auditing/Assurance (GRC Stack)

Whitepaper: Security best practices for assurance in the cloud derived from CSA Guidance 3 and components of the GRC Stack research projects.

Courseware: Development of 3 day courseware derived from existing GRC Stack courseware, above whitepaper and other CSA materials.

Page 34:

Page 35:

Engage international standards bodies on behalf of CSA

Propose key CSA research for standardization

Working with National Bodies (NBs) and tracking Standards Development Organisations (SDOs)

A.4 and A.5 liaison relationship with ITU-T

Category A liaison with ISO/IEC SC27 & SC38

Page 36:

Page 37:

Industry thought leadership

Traditional Monday start to RSA Conference

2011: White House launches Federal Cloud Strategy

2012: Keynote from Former NSA Director Mike McConnell, announce CSA Mobile

2013: DHS Undersecretary for Cybersecurity and Presiding Director of Coca Cola Company, James Robinson III

Page 38:

One-day conferences in conjunction with chapters

Engage with local thought leaders

Project CSA best practices globally

2013 Regional Summits (so far)

16 in Asia Pacific

4 in Americas

4 in EMEA

http://www.csathailand.org

Page 39:

Only multi-track, multi-day conference focused on cloud security

Key venue for new research

Primarily attended by enterprise end users

2013 CSA Congress Plans

CSA Congress APAC, Singapore, May 14-17

CSA Congress EMEA, Edinburgh, September 24-27

CSA Congress US, Orlando, December 3-6

Page 40:

Page 41:

Challenges remain, there will always be insecurity

Global collaboration, public & private

Innovation can make policy restrictions obsolete

Major focus on identity needed

The Internet of Things is a ticking bomb

Must solve tomorrow’s problems today

Transparency must be our guide

Page 42:

Be Pragmatic, Be Agile

Follow the law, but do not concede to poor interpretations of the law. Defend the spirit of the law forcefully.

More tools available than you think

Advocate through procurement

Waiting not an option, but don’t forget:

Strategy

Risk Management

Cloud-ready Enterprise Architecture

Be Educated

Page 43:

For more information on the Cloud Security Alliance, please contact:

Global/Americas: Jim Reavis [email protected]

EMEA: Daniele Catteddu [email protected]

APAC: Aloysius [email protected]

Page 44: