Thin Air or Solid Ground? Practical Cloud Security
Guy Alfassi - CSA Conference Highlights
1. Highlights of the CSA Conference
Orlando, Nov. 2010
Guy Alfassi
Alfa Consulting
2. Agenda
• 14:00 Registration, networking and general chaos
• 14:20 Highlights of the CSA event in Orlando - Guy Alfassi, General Manager,
Alfa Consulting
• 14:40 CCSK - Ariel Litvin, Technology Innovation Leader, PWC
• 14:50 The Technology Showcase Wiki - Iftach Amit, VP Business
Development, Security Art
• 15:00 Security management to, for, and from the cloud - Oded Tsur, Senior
Solution Strategist, CA
• 15:30 Short break
• 15:50 OWASP Israel & Introduction to OWASP Top 10 - Ofer Maor, CTO -
Hacktics & Chairman - OWASP Israel
• 16:20 Practical Enterprise use cases of data protection in the cloud - Guy
Bejerano, Chief Security Officer, LivePerson
• 16:50 Virtual Private SaaS - the solution to data privacy and data compliance
issues in SaaS - Dr. David Movshovitz, CTO, Navajo Systems
3. About CSA
Formed in 2008 as a non-profit organization.
Objectives:
• Promote a common level of understanding
• Promote research
• Awareness
• Create consensus lists and guidance.
5. CSA Research
• Cloud Control Matrix
• Top threats to Cloud Computing
• Guidance for Identity and Access Management
• Application Security Whitepaper
6. How to get there
http://cloudsecurityalliance.org/
Managed through a LinkedIn group:
Cloud Security Alliance
http://www.linkedin.com/groups?mostPopular=&gid=1864210
7. CSA Israel
• An Israeli chapter of the CSA, formalized in June 2010.
• Our focus:
– Cloud Security technology innovations
– Localization of Cloud Security best practices
– LinkedIn group:
http://www.linkedin.com/groups?mostPopular=&gid=3050440
Join CSA at
http://cloudsecurityalliance.org/Membership.html,
and then request to join our chapter.
8. About the conference
First independent global event for CSA
2 days, 4 tracks, 32 presentations, 4 keynotes
Hundreds of participants from all over the world
10. About the conference
• General impression: Vendors, clients and
regulators are highly interested in cloud
security.
• Some might actually try it sometime.
11. FedRAMP
• Federal Risk and Authorization
Management Program
• Providing a standard approach to Assessing
and Authorizing (A&A) cloud computing
services and products.
12. FedRAMP – Applicability to Israel
• The standard itself does not apply here.
• The need for such a standard exists.
• A call to action to government / the private
sector:
Let’s do our own version / adopt FedRAMP!
14. Quantum Datum
• An analogy between quantum mechanics
and cloud computing
• Quantum: The minimum unit of a physical
entity.
• Datum: the singular form of Data. A single
piece of information.
15. Quantum Mechanics
• Quantum mechanics looks at the particle,
and tries to explain its behavior.
• Wave-particle duality
• The uncertainty principle: Heisenberg
principle
16. Why is this relevant?
• The perimeter shrinks to the size of a datum.
• Datum can be in multiple places at the same
time, and have different security levels.
• A breach for one instance of the datum affects
other instances.
• Leakage can occur even when the probability is
low.
17. What can we do?
• Use data labeling.
• Use data encryption according to security
needs.
• Implement DLP and DRM in our
architecture.