- Cloud Security Alliance

Report
DANIELE CATTEDDU
CSA Managing Director EMEA
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
Global, not-for-profit organization
Over 26,000 individual members, 100 corporate members,
50 chapters
Building best practices and a trusted cloud ecosystem
Agile philosophy, rapid development of applied research
GRC: Balance compliance with risk management
Reference models: build using existing standards
Identity: a key foundation of a functioning cloud economy
Champion interoperability
Enable innovation
Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance
within Cloud Computing, and provide education on the uses of Cloud
Computing to help secure all other forms of computing.”
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Will CSP be transparent about governance and
operational issues?
Will the user be considered compliant?
Does the user know what legislation applies?
Will a lack of standards drive unexpected
obsolescence?
Is cloud really better at security than traditional IT
solution?
Are the hackers waiting for me in the cloud?
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Keeping pace with cloud changes
Globally incompatible legislation and policy
Non-standard private & public clouds
Lack of continuous risk management & compliance
monitoring
Incomplete identity management implementations
Haphazard response to security incidents
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
KEY AREAS
Interoperability and portability
Trust, security, and assurance
Security innovation in the cloud
Our proposals should be understood in the context of the CSA
focus on security, assurance, and compliance.
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Public procurement to catalyse cloud adoption
Developing a standard framework and guidelines for service
and data asset classification
Help customers decide which services and data can be
moved in which type of cloud
Defining requirements for data security, privacy, portability
and secure deletion
Designing models for cloud bursting
Developing/publishing “buyer’s guides” and SLAs & RFPs for
common services
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
SHORT-TERM PRIORITIES
Interoperability of security policy
Security service level agreements
Privacy level agreements
Security as a Service
Promoting the use of open standards
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
POSITIVE IMPACT
Overcome the lack of solid technical standards for
interoperability & portability
Guidance and support for SMEs
Help CSPs in improving and customising cloud
offerings based on explicit requirements
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 1:
WHAT: Interoperable Security Policies and Measures
HOW: Standardisation of security policy syntax and basic
settings
WHO: Public sector + research community + industry
Expert group to collect requirements and define policy syntax, and
framework for policy interoperability
Research program framework, e.g. developing projects on security
policy management automation.
CSA will play an active role
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 2:
WHAT: Security Service Level Agreements
HOW: Develop quantitative and comparable measures
for reporting parameters by leveraging existing efforts
from ENISA, NIST and CSA
WHO: Industry and/or ENISA to develop, Public
Sector to endorse
CSA is playing an active role
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 3:
WHAT: Privacy Level Agreements (PLAs)
HOW: Define a standard format for a CSP to declare
the level of privacy (data protection and data security)
that it sustains for the relevant data processing
WHO: Industry + DP authorities + subject matter
experts to develop PLAs and public sector to endorse
CSA is playing an active role: PLA Outlines project to be
launched Dec.2011
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 4:
WHAT: Security as a Service
HOW: Create a common vocabulary (define and,
characterise) for cloud-based security services and
keep records of providers offerings
WHO: Industry and/or ENISA to develop, Public
Sector to endorse
CSA is playing an active role: SecaaS
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
SHORT-TERM PRIORITIES
Assessment Framework
Transparency Registry
Security Breach Notification
CloudSIRT and Real-Time Security Monitoring
Continuous Controls Monitoring and Auditing
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
SHORT-TERM PRIORITIES
(CONT.)
Identity Model
Consumer Education
Applicable Law and Jurisdictions
Government Access to Data
e-Discovery
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 1:
WHAT: Assessment Framework
HOW: Integrated approach to assessment CSPs and
their external suppliers. A single approach provides
cross-mapping between existing standards (ISO 2700x,
COBIT, PCI- DSS, ENISA Cloud IAF, CSA CCM and
ISF SOGP)
WHO: Industry and ENISA to refine existing
framework, public sector to endorse and adopt
CSA is playing an active role: CCM, CAMM, CAI &
CloudAudit
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 2:
WHAT: Transparency Registry
HOW: Create a system to share and compare
assessment results that would be managed and
maintained by a European or national public institution,
or from an independent trusted party or public/private
partnership. Voluntary participation
WHO: Public sector, PPP, or independent org. to
establish and maintain, EC to endorse
CSA is playing an active role: CSA STAR Registry
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 3:
WHAT: Security Breach Notification
HOW: Voluntary incident reporting mechanism.
Inspired to Article 13a (3) ,2009/140/EC, and Article
4,2009/136/EC.
WHO: Industry to develop, public sector to endorse
CSA is playing an active role: CloudSIRT
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 4:
WHAT: SIRT and Real-Time Security Monitoring
HOW: Creation of EC-wide cloud-related SIRT; a
single point for vendors and customers to get data on
the latest risks and incidents.
Real- time reporting solutions could voluntarily send
non-sensitive data to the SIRT
WHO: Public sector + research community + industry
CSA is playing an active role: CloudSIRT
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 5
WHAT: Continuous Controls Monitoring and Auditing
HOW: Research and development of frameworks and
automated systems for continuous controls monitoring
and auditing.
WHO: Research community + public sector + industry
CSA is playing an active role: GRC Stack
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 6:
WHAT: Identity Model
HOW: Support CSPs and SDOs, e.g. OASIS, develop
secure and interoperable identity, access and
compliance management configurations, and practices.
WHO: EC + SDOs + research community+ industry
CSA is playing an active role: Trusted Cloud Initiative (TCI)
Reference Architecture
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 7:
WHAT: Consumer Education
HOW: Pan-European and national awareness raising
campaigns to explain terminology and remove false
perceptions around benefits, risks, and legal framework
WHO: EC + MSs + Associations
CSA is playing an active role
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 8:
WHAT: Applicable Law and Jurisdictions
HOW: Jurisdiction should be the ones of the country of
origin of the user
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 9:
WHAT: Government Access to Data
HOW: Bilateral agreement between EC and the US
federal government to set up clear rules of engagement
and limitations to the right of a government to
confiscate servers
WHO: European Commission
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
ACTION 10:
WHAT: e-Discovery
HOW: Bring forward Article 29 opinion on pre-trial
discovery for cross-border civil litigation
(http://ec.europa.eu/justice/policies/privacy/docs/wpdoc
s/2009/wp158_en.pdf)
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
KEY RESEARCH AREAS
New encryption and key management approaches
Format-preserving encryption
Tokenisation
Homomorphic encryption
Cloud management technologies to enforce desired
policies at data centres around the world.
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
http://cloudsecurityalliance.org/research/
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Governing the Cloud
Popular best practices for
securing cloud computing
Flagship research project
cloudsecurityalliance.org/gui
dance
Guidance > 100k
downloads:
cloudsecurityalliance.org/guidanc
e
Operating in the Cloud
V3 released 11/2011
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Family of 4 research projects
Cloud Controls Matrix
Consensus Assessments
Initiative
Cloud Audit
Cloud Trust Protocol
Tools for governance, risk and
compliance management
Control
Requirements
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
Private,
Community &
Public Clouds
Provider
Assertions
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Controls derived from
guidance
Mapped to familiar
frameworks: ISO 27001,
COBIT, PCI, HIPAA,
FISMA, FedRAMP
Rated as applicable to S-PI
Customer vs. provider role
Help bridge the “cloud gap”
for IT & IT auditors
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Research tools and processes to perform shared
assessments of cloud providers
Integrated with Controls Matrix
Version 1 CAI Questionnaire released Oct. 2010,
approximately 140 provider questions to identify presence of
security controls or practices
Use to assess cloud providers today, procurement
negotiation, contract inclusion, quantify SLAs
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Open standard and API to automate provider audit assertions
Change audit from data gathering to data analysis
Necessary to provide audit & assurance at the scale
demanded by cloud providers
Uses Cloud Controls Matrix as controls namespace
Use to instrument cloud for continuous controls monitoring
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Developed by CSC, transferred to CSA
Open standard and API to verify control assertions
“Question and Answer” asynchronous protocol, leverages
SCAP (Secure Content Automation Protocol)
Integrates with Cloud Audit
Now we have all the components for continuous controls
monitoring
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
CSA STAR (Security, Trust and Assurance Registry)
Public Registry of Cloud Provider self assessments
Based on Consensus Assessments Initiative
Questionnaire
Provider may substitute documented Cloud Controls Matrix
compliance
Voluntary industry action promoting transparency
Free market competition to provide quality assessments
Provider may elect to provide assessments from third parties
Available since October 2011
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Comprehensive Cloud Security Reference Architecture
Secure & interoperable Identity in the cloud
Getting SaaS, PaaS to be “Relying Parties” for corporate
directories
Scalable federation
Outline responsibilities for Identity Providers
Assemble reference architectures with existing standards
www.cloudsecurityalliance.org/trustedcloud.html
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
TCI Reference Architecture
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Information Security Industry re-invented
Define Security as a Service
Articulate solution categories within Security as a Service
Guidance for adoption of Security as a Service
Align with other CSA research
14th domain within CSA Guidance Version 3.
www.cloudsecurityalliance.org/secaas.html
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Consensus research for emergency response
in Cloud
Enhance community’s ability to respond to incidents
Standardised processes
Supplemental best practices for SIRTs
Hosted community of Cloud SIRTs
Being spun out into a separate, related entity
Fully functional SIRT launched at CSA Congress Nov. 2011
www.cloudsecurityalliance.org/cloudsirt.html
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
CSA is a Cloud Security Standards Incubator not an SDO
CSA research projects last approx. 6 months
Research artifacts made available to SDOs, in some cases, SDOs
may assume ownership
CSA a neutral community for all SDOs
Gives industry a fast track to standards alignment
Established CAT C Liaison with ISO/IEC SC 27, WGs 1, 4 & 5
Co-editor of ISO/IEC SC 27 WG1 Cloud Computing Security Study
Period
Co-editor ISO 27036
Formal Liaison with ITU-T
Copyright ©
© 2011
2011 Cloud
Cloud Security
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Help Us Secure Cloud Computing
www.cloudsecurityalliance.org
[email protected]
[email protected]
LinkedIn: www.linkedin.com/groups?gid=1864210
Twitter: @cloudsa
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org
Copyright©© 2011
2011Cloud
CloudSecurity
SecurityAlliance
Alliance
Copyright
www.cloudsecurityalliance.org
www.cloudsecurityalliance.org

similar documents