Global Efforts to Secure Cloud Computing
•
1 gefällt mir•754 views
Presented at InnoTech Oregon 2013. All rights reserved.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Ähnlich wie Global Efforts to Secure Cloud Computing
Ähnlich wie Global Efforts to Secure Cloud Computing (20)
Mehr von InnoTech
Mehr von InnoTech (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Global Efforts to Secure Cloud Computing
- 2. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance Cloud One million new mobile devices - each day! Social Networking Digital Natives www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2013 Cloud Security Alliance
- 3. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org State Sponsored Cyberattacks? Organized Crime? Legal Jurisdiction & Data Sovereignty? Global Security Standards? Privacy Protection for Citizens? Transparency & Visibility from Cloud Providers? Copyright © 2013 Cloud Security Alliance
- 4. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Shift the balance of power to consumers of IT Enable innovation to solve difficult problems of humanity Give the individual the tools to control their digital destiny Do this by creating confidence, trust and transparency in IT systems Security is not overhead, it is the enabler Copyright © 2013 Cloud Security Alliance
- 5. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 6. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 7. www.cloudsecurityalliance.org 7 enterprise boundary public clouds private clouds cloud of users Notional organizational boundary • Cloud + Mobile • Dispersal of applications • Dispersal of data • Dispersal of users • Dispersal of endpoint devices
- 8. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance https://cloudsecurityalliance.org/research/top-threats/
- 10. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 11. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance Sunlight is the best disinfectant,” U.S. Supreme Court Justice Louis Brandeis
- 12. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance Control Requirements Provider Assertions
- 13. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance GRC Stack Family of 4 research projects Cloud Controls Matrix (CCM) Consensus Assessments Initiative (CAI) Cloud Audit Cloud Trust Protocol (CTP) Impact to the Industry Developed tools for governance, risk and compliance management in the cloud Technical pilots Provider certification through STAR program Control Requirements Provider Assertions
- 14. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 15. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 16. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 17. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance 2 Registered (December 2012) 30 Registered (April 2013)
- 18. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 19. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance DG 4.2: Do you have a documented procedure for responding to requests for tenant data from governments or third parties? Amazon AWS AWS errs on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis. Box.net Box does have documented procedures for responding to requests for tenant data from governments and third parties. SHI Customer responsibility. SHI has no direct access, so requests for data through third parties will be responded to by the customer themselves, however, SHI can sanitize and delete customer data upon migration from the cloud. Verizon/Terremark Yes
- 20. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 21. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance OPEN CERTIFICATION FRAMEWORK CONTINUOUS ATTESTATION | CERTIFICATION SELF ASSESSMENT TRANSPERANCY ASSURANCE
- 22. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance Clear GRC objectives 3rd Party Assessment Real time, continuous monitoring + + Self Assessment +
- 23. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 24. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2012 Cloud Security Alliance
- 25. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2012 Cloud Security Alliance
- 26. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 27. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 28. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Our research includes fundamental projects needed to define and implement trust within the future of information technology CSA continues to be aggressive in producing critical research, education and tools Copyright © 2013 Cloud Security Alliance
- 29. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance Previously known as Trusted Cloud Initiative Security reference architecture for cloud Architecture in use by early adopters of cloud in Global 2000 Cloud brokering To do: Management tools Technical implementation guides Documented case studies & use cases
- 30. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 31. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK) Benchmark of cloud security competency Online web-based examination www.cloudsecurityalliance.org/certifyme Training partnerships Developing new curriculum for audit, software development and architecture Partnership with (ISC)2 for cloud security architecture certification
- 32. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 33. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 34. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
- 35. www.cloudsecurityalliance.orgwww.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.org Please contact Jim Reavis at jreavis@cloudsecurityalliance. org for more information on the Cloud Security Alliance I will see you at the CSA EMEA Congress, September 24-26 in Edinburgh Copyright © 2013 Cloud Security Alliance https://cloudsecurityalliance.org/events/csa-emea-congress-2013/
- 36. www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2013 Cloud Security Alliance
Hinweis der Redaktion
- Will my provider be transparent about how they manage their systems, organization governance, etc?Will I be considered compliant?Do I know where my data is?Will a lack of standards drive unexpected obsolescence? Is my provider really better at security than me?Are the hackers waiting for me in the cloud?Will I get fired?How can we gracefully “lose control” of IT
- The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.CSA STAR is open to all cloud providers, and allows them to submit self assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.
- Sample entry from Verizon Terremark
- We can start having fun scrutinizing entries!