SlideShare ist ein Scribd-Unternehmen logo

CSA & GRC Stack

CloudSecurityAllianceAustralia
CloudSecurityAllianceAustralia

Cloud Security Alliance

TechnologieBusiness
1 von 33
Downloaden Sie, um offline zu lesen
© 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud Security Alliance & GRC Stack Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance , & Prof. Kai Hwang, University of Southern California Presented to Triad ISSA, NC January 26, 2012 Valdez Ladd, ISSA Raleigh, NC 2012 1
© 2011 Cloud Security Alliance, Inc. All rights reserved. About the Cloud Security Alliance Global, not-for-profit organization Building best practices and a trusted cloud ecosystem Comprehensive research and tools Certificate of Cloud Security Knowledge (CCSK) www.cloudsecurityalliance.org 2
© 2011 Cloud Security Alliance, Inc. All rights reserved. Presentation Outline Introduction What this class is about, prerequisites, how to benefit Cloud basics PCI DSS + cloud scenario for example Cloud Security Alliance toolsets: Control Matrix, Consensus Assessments, etc., Conclusions and action items 3
© 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud? 4
© 2011 Cloud Security Alliance, Inc. All rights reserved. NIST Definition of Cloud Computing “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. “ 55
© 2011 Cloud Security Alliance, Inc. All rights reserved. 5 Essential Cloud Characteristics 1. On-demand self-service 2. Broad network access 3. Resource pooling – Location independence 4. Rapid elasticity 5. Measured service 66
© 2011 Cloud Security Alliance, Inc. All rights reserved. 3 Cloud Service Models 1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network 2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud 3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics 7
© 2011 Cloud Security Alliance, Inc. All rights reserved. 4 Cloud Deployment Models Private cloud Enterprise owned or leased Community cloud Shared infrastructure for specific community Public cloud <- our focus in this class! Sold to the public, mega-scale infrastructure Hybrid cloud Composition of two or more clouds 88
© 2011 Cloud Security Alliance, Inc. All rights reserved.
© 2011 Cloud Security Alliance, Inc. All rights reserved. 7 Common Cloud Characteristics 1. Massive scale 2. Homogeneity 3. Virtualization 4. Resilient computing 5. Low cost software 6. Geographic distribution 7. Service orientation 10
© 2011 Cloud Security Alliance, Inc. All rights reserved. All of this TOGETHER: The Cloud Community Cloud Private Cloud Public Cloud Hybrid Clouds Deployment Models Service Models Essential Characteristics Common Characteristics Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Resource Pooling Broad Network Access Rapid Elasticity Measured Service On Demand Self-Service Low Cost Software Virtualization Service Orientation Advanced Security Homogeneity Massive Scale Resilient Computing Geographic Distribution 1111
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example IaaS// Amazon Cloud Amazon cloud components – Elastic Compute Cloud (EC2) • Run your own or Amazon’s OS “instances” – Simple Storage Service (S3) – SimpleDB – Other services 1212
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example PaaS// Google App Engine Create, deploy and run applications NO control (or, in fact, even visibility) of OS Use SDK to develop the applications Run “natively” in the cloud 13
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example SaaS// Salesforce Well-known SaaS CRM application Cloud CRM + a lot more applications 1414
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example P/IaaS // Azure Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 1515
© 2011 Cloud Security Alliance, Inc. All rights reserved. Service Model Architectures Cloud Infrastructure IaaS PaaS SaaS Infrastructure as a Service (IaaS) Architectures Platform as a Service (PaaS) Architectures Software as a Service (SaaS) Architectures Cloud Infrastructure SaaS Cloud Infrastructure PaaS SaaS Cloud Infrastructure IaaS PaaS Cloud Infrastructure PaaS Cloud Infrastructure IaaS 1616
© 2011 Cloud Security Alliance, Inc. All rights reserved. 18 Security: Barrier to Adoption?
© 2011 Cloud Security Alliance, Inc. All rights reserved. 19 What is Different about Cloud?
© 2011 Cloud Security Alliance, Inc. All rights reserved. Security Relevant Cloud Components Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elastic Elements: Storage, Processing, and Virtual Networks 2020
© 2011 Cloud Security Alliance, Inc. All rights reserved. 21 What is Different about Cloud? SERVICE OWNER SaaS PaaS IaaS Data Joint Tenant Tenant Application Joint Joint Tenant Compute Provider Joint Tenant Storage Provider Provider Joint Network Provider Provider Joint Physical Provider Provider Provider
© 2011 Cloud Security Alliance, Inc. All rights reserved. 22 What is Different about Cloud?
© 2011 Cloud Security Alliance, Inc. All rights reserved. 23 What is Different about Cloud?
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud “Threats” 1. Abuse & Nefarious Use of Cloud Computing 2. Insecure Interfaces & APIs 3. Malicious Insiders 4. Shared Technology Issues 5. Data Loss or Leakage 6. Account or Service Hijacking 7. Unknown Risk Profile 24
© 2011 Cloud Security Alliance, Inc. All rights reserved. ENISA Cloud Computing Risk Assessment http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment 1. Loss of governance 2. Lock-in 3. Isolation failure 4. Compliance risks 5. Management interface compromise 6. Data protection 7. Insecure or incomplete data deletion 8. Malicious insider 25
© 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud “Threats” – Top 3 1. Authentication abuse 2. Operations breakdown 3. Misuse of cloud-specific technology 26
© 2011 Cloud Security Alliance, Inc. All rights reserved. FBI Takes Cloud Away 27
© 2011 Cloud Security Alliance, Inc. All rights reserved. While we are “in the cloud” Here are some additional CSA/cloud security resources… 28
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA GRC Stack Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption. 29 Control Requirements Provider Assertions Private, Community & Public Clouds
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA CloudAudit Open standard and API to automate provider audit assertions Change audit from data gathering to data analysis Necessary to provide audit & assurance at the scale demanded by cloud providers Uses Cloud Controls Matrix as controls namespace Use to instrument cloud for continuous controls monitoring 30
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud Controls Matrix 31 Controls derived from guidance Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA Rated as applicable to SaaS/PaaS/IaaS Customer vs Provider role Help bridge the “cloud gap” for IT & IT auditors https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
© 2011 Cloud Security Alliance, Inc. All rights reserved. 32 Next?
© 2011 Cloud Security Alliance, Inc. All rights reserved. Thanks for Your Review! Acknowledgement to Dr. Anton Chuvakin, SecurityWarrior LLC for Cloud Security Alliance, Cloud Security Alliance.org, Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by for Triad ISSA, NC January 26, 2012 Valdez Ladd, ISSA Raleigh, NC 2011 33
© 2011 Cloud Security Alliance, Inc. All rights reserved. 34

Empfohlen

Democratizing IT Automation in a Multi-Cloud World
Democratizing IT Automation in a Multi-Cloud WorldDemocratizing IT Automation in a Multi-Cloud World
Democratizing IT Automation in a Multi-Cloud WorldEnterprise Management Associates
 
CSA Security Guidance Cloud Computing v3.0
CSA Security Guidance Cloud Computing v3.0CSA Security Guidance Cloud Computing v3.0
CSA Security Guidance Cloud Computing v3.0CloudSecurityAllianceAustralia
 
Cloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesCloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesSusanneT
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issuesAleem Mohammed
 
Global Mandate to Secure Cloud Computing
Global Mandate to Secure Cloud ComputingGlobal Mandate to Secure Cloud Computing
Global Mandate to Secure Cloud ComputingCloudSecurityAllianceAustralia
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud securityRaj Sarode
 
Cloud security
Cloud security Cloud security
Cloud security Mohamed Shalash
 
Cloud Security 101 by Madhav Chablani
Cloud Security 101 by Madhav ChablaniCloud Security 101 by Madhav Chablani
Cloud Security 101 by Madhav ChablaniOWASP Delhi
 

Empfohlen

Democratizing IT Automation in a Multi-Cloud World
Democratizing IT Automation in a Multi-Cloud WorldDemocratizing IT Automation in a Multi-Cloud World
Democratizing IT Automation in a Multi-Cloud WorldEnterprise Management Associates
 
CSA Security Guidance Cloud Computing v3.0
CSA Security Guidance Cloud Computing v3.0CSA Security Guidance Cloud Computing v3.0
CSA Security Guidance Cloud Computing v3.0CloudSecurityAllianceAustralia
 
Cloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesCloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesSusanneT
 
Cloud computing-security-issues
Cloud computing-security-issuesCloud computing-security-issues
Cloud computing-security-issuesAleem Mohammed
 
Global Mandate to Secure Cloud Computing
Global Mandate to Secure Cloud ComputingGlobal Mandate to Secure Cloud Computing
Global Mandate to Secure Cloud ComputingCloudSecurityAllianceAustralia
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud securityRaj Sarode
 
Cloud security
Cloud security Cloud security
Cloud security Mohamed Shalash
 
Cloud Security 101 by Madhav Chablani
Cloud Security 101 by Madhav ChablaniCloud Security 101 by Madhav Chablani
Cloud Security 101 by Madhav ChablaniOWASP Delhi
 
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak
 
4.5.cloud security
4.5.cloud security4.5.cloud security
4.5.cloud securityDrRajapraveenkN
 
Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Vivek Maurya
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsKannan Subbiah
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)أحلام انصارى
 
Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?RapidScale
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloudScalar Decisions
 
Scaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityScaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityBill Burns
 
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)Glenn Ambler
 
Evaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing EnvironmentsEvaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing Environmentsijfcstjournal
 
Introduction to Cloud Computing and Security
Introduction to Cloud Computing and SecurityIntroduction to Cloud Computing and Security
Introduction to Cloud Computing and SecurityOran Epelbaum
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New PerspectiveWen-Pai Lu
 
Microsoft Private Cloud Strategy
Microsoft Private Cloud StrategyMicrosoft Private Cloud Strategy
Microsoft Private Cloud StrategyAmit Gatenyo
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?Activo Consulting
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Vic Winkler
 
Cloud Services: Types of Cloud
Cloud Services: Types of CloudCloud Services: Types of Cloud
Cloud Services: Types of CloudDr. Sunil Kr. Pandey
 
Security & Privacy In Cloud Computing
Security & Privacy In Cloud ComputingSecurity & Privacy In Cloud Computing
Security & Privacy In Cloud Computingsaurabh soni
 
Cloud Computing Security Issues
Cloud Computing Security Issues Cloud Computing Security Issues
Cloud Computing Security Issues Discover Cloud Computing
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewValdez Ladd MBA, CISSP, CISA,
 
5787355.ppt
5787355.ppt5787355.ppt
5787355.pptahmad21315
 

Weitere ähnliche Inhalte

Was ist angesagt?

Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak
 
Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Vivek Maurya
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsKannan Subbiah
 
Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?RapidScale
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloudScalar Decisions
 
Scaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityScaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityBill Burns
 
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)Glenn Ambler
 
Evaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing EnvironmentsEvaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing Environmentsijfcstjournal
 
Introduction to Cloud Computing and Security
Introduction to Cloud Computing and SecurityIntroduction to Cloud Computing and Security
Introduction to Cloud Computing and SecurityOran Epelbaum
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New PerspectiveWen-Pai Lu
 
Microsoft Private Cloud Strategy
Microsoft Private Cloud StrategyMicrosoft Private Cloud Strategy
Microsoft Private Cloud StrategyAmit Gatenyo
 
DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?Activo Consulting
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Vic Winkler
 
Security & Privacy In Cloud Computing
Security & Privacy In Cloud ComputingSecurity & Privacy In Cloud Computing
Security & Privacy In Cloud Computingsaurabh soni
 

Was ist angesagt? (20)

Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
 
4.5.cloud security
4.5.cloud security4.5.cloud security
4.5.cloud security
 
Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”Cloud Computing Security Issues in Infrastructure as a Service”
Cloud Computing Security Issues in Infrastructure as a Service”
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security Concerns
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
 
Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?Multitenant, Dedicated or Hybrid - Which cloud to choose?
Multitenant, Dedicated or Hybrid - Which cloud to choose?
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
 
Scaling the Cloud - Cloud Security
Scaling the Cloud - Cloud SecurityScaling the Cloud - Cloud Security
Scaling the Cloud - Cloud Security
 
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
glenn_amblercloud_security_ncc_event_22-may-2012_v1 (9)
 
Evaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing EnvironmentsEvaluation Of The Data Security Methods In Cloud Computing Environments
Evaluation Of The Data Security Methods In Cloud Computing Environments
 
Introduction to Cloud Computing and Security
Introduction to Cloud Computing and SecurityIntroduction to Cloud Computing and Security
Introduction to Cloud Computing and Security
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New Perspective
 
Microsoft Private Cloud Strategy
Microsoft Private Cloud StrategyMicrosoft Private Cloud Strategy
Microsoft Private Cloud Strategy
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?DAM 2018 Review, What's next 2019 ?
DAM 2018 Review, What's next 2019 ?
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overview
 
Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")Cloud Security ("securing the cloud")
Cloud Security ("securing the cloud")
 
Cloud Services: Types of Cloud
Cloud Services: Types of CloudCloud Services: Types of Cloud
Cloud Services: Types of Cloud
 
Security & Privacy In Cloud Computing
Security & Privacy In Cloud ComputingSecurity & Privacy In Cloud Computing
Security & Privacy In Cloud Computing
 
Cloud Computing Security Issues
Cloud Computing Security Issues Cloud Computing Security Issues
Cloud Computing Security Issues
 

Ähnlich wie CSA & GRC Stack

CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsCSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsPhil Agcaoili
 
CCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaCCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaWise Pacific Venture
 
Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09Rex Wang
 
Effectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing ParadigmEffectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing Paradigmfanc1985
 
Oracle Cloud Computing Strategy
Oracle Cloud Computing StrategyOracle Cloud Computing Strategy
Oracle Cloud Computing StrategyRex Wang
 
Gitex journey to the cloud
Gitex journey to the cloudGitex journey to the cloud
Gitex journey to the cloudJorge Sebastiao
 
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Security Building Blocks of the IBM Cloud Computing Reference ArchitectureSecurity Building Blocks of the IBM Cloud Computing Reference Architecture
Security Building Blocks of the IBM Cloud Computing Reference ArchitectureStefaan Van daele
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloudpatmisasi
 
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26Bill Annibell
 
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26TT L
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspectivejmcdaniel650
 
Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Luc Wijns
 
Securing Your CI Pipeline with HashiCorp Vault - P2
Securing Your CI Pipeline with HashiCorp Vault - P2Securing Your CI Pipeline with HashiCorp Vault - P2
Securing Your CI Pipeline with HashiCorp Vault - P2Ashnikbiz
 
A Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data in CloudA Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data in CloudIOSR Journals
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC ReportMcAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC ReportIftikhar Ali Iqbal
 
Implementing security groups in open stack
Implementing security groups in open stackImplementing security groups in open stack
Implementing security groups in open stackRishabh Agarwal
 

Ähnlich wie CSA & GRC Stack (20)

Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
5787355.ppt
5787355.ppt5787355.ppt
5787355.ppt
 
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsCSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
 
CCSK, cloud security framework, Indonesia
CCSK, cloud security framework, IndonesiaCCSK, cloud security framework, Indonesia
CCSK, cloud security framework, Indonesia
 
Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09Oracle Keynote Cloud Expo 11-04-09
Oracle Keynote Cloud Expo 11-04-09
 
Effectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing ParadigmEffectively and Securely Using the Cloud Computing Paradigm
Effectively and Securely Using the Cloud Computing Paradigm
 
3245224.ppt
3245224.ppt3245224.ppt
3245224.ppt
 
Oracle Cloud Computing Strategy
Oracle Cloud Computing StrategyOracle Cloud Computing Strategy
Oracle Cloud Computing Strategy
 
Gitex journey to the cloud
Gitex journey to the cloudGitex journey to the cloud
Gitex journey to the cloud
 
Security Building Blocks of the IBM Cloud Computing Reference Architecture
Security Building Blocks of the IBM Cloud Computing Reference ArchitectureSecurity Building Blocks of the IBM Cloud Computing Reference Architecture
Security Building Blocks of the IBM Cloud Computing Reference Architecture
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
 
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
 
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspective
 
Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5Lucw lsec-securit-20110907-4-final-5
Lucw lsec-securit-20110907-4-final-5
 
Securing Your CI Pipeline with HashiCorp Vault - P2
Securing Your CI Pipeline with HashiCorp Vault - P2Securing Your CI Pipeline with HashiCorp Vault - P2
Securing Your CI Pipeline with HashiCorp Vault - P2
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
A Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data in CloudA Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
A Detailed Analysis of the Issues and Solutions for Securing Data in Cloud
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC ReportMcAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
 
Implementing security groups in open stack
Implementing security groups in open stackImplementing security groups in open stack
Implementing security groups in open stack
 

Kürzlich hochgeladen

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Kürzlich hochgeladen (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

CSA & GRC Stack

  • 1. © 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud Security Alliance & GRC Stack Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by SecurityWarrior LLC for Cloud Security Alliance , & Prof. Kai Hwang, University of Southern California Presented to Triad ISSA, NC January 26, 2012 Valdez Ladd, ISSA Raleigh, NC 2012 1
  • 2. © 2011 Cloud Security Alliance, Inc. All rights reserved. About the Cloud Security Alliance Global, not-for-profit organization Building best practices and a trusted cloud ecosystem Comprehensive research and tools Certificate of Cloud Security Knowledge (CCSK) www.cloudsecurityalliance.org 2
  • 3. © 2011 Cloud Security Alliance, Inc. All rights reserved. Presentation Outline Introduction What this class is about, prerequisites, how to benefit Cloud basics PCI DSS + cloud scenario for example Cloud Security Alliance toolsets: Control Matrix, Consensus Assessments, etc., Conclusions and action items 3
  • 4. © 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud? 4
  • 5. © 2011 Cloud Security Alliance, Inc. All rights reserved. NIST Definition of Cloud Computing “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. “ 55
  • 6. © 2011 Cloud Security Alliance, Inc. All rights reserved. 5 Essential Cloud Characteristics 1. On-demand self-service 2. Broad network access 3. Resource pooling – Location independence 4. Rapid elasticity 5. Measured service 66
  • 7. © 2011 Cloud Security Alliance, Inc. All rights reserved. 3 Cloud Service Models 1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network 2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud 3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics 7
  • 8. © 2011 Cloud Security Alliance, Inc. All rights reserved. 4 Cloud Deployment Models Private cloud Enterprise owned or leased Community cloud Shared infrastructure for specific community Public cloud <- our focus in this class! Sold to the public, mega-scale infrastructure Hybrid cloud Composition of two or more clouds 88
  • 9. © 2011 Cloud Security Alliance, Inc. All rights reserved.
  • 10. © 2011 Cloud Security Alliance, Inc. All rights reserved. 7 Common Cloud Characteristics 1. Massive scale 2. Homogeneity 3. Virtualization 4. Resilient computing 5. Low cost software 6. Geographic distribution 7. Service orientation 10
  • 11. © 2011 Cloud Security Alliance, Inc. All rights reserved. All of this TOGETHER: The Cloud Community Cloud Private Cloud Public Cloud Hybrid Clouds Deployment Models Service Models Essential Characteristics Common Characteristics Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Resource Pooling Broad Network Access Rapid Elasticity Measured Service On Demand Self-Service Low Cost Software Virtualization Service Orientation Advanced Security Homogeneity Massive Scale Resilient Computing Geographic Distribution 1111
  • 12. © 2011 Cloud Security Alliance, Inc. All rights reserved. Example IaaS// Amazon Cloud Amazon cloud components – Elastic Compute Cloud (EC2) • Run your own or Amazon’s OS “instances” – Simple Storage Service (S3) – SimpleDB – Other services 1212
  • 13. © 2011 Cloud Security Alliance, Inc. All rights reserved. Example PaaS// Google App Engine Create, deploy and run applications NO control (or, in fact, even visibility) of OS Use SDK to develop the applications Run “natively” in the cloud 13
  • 14. © 2011 Cloud Security Alliance, Inc. All rights reserved. Example SaaS// Salesforce Well-known SaaS CRM application Cloud CRM + a lot more applications 1414
  • 15. © 2011 Cloud Security Alliance, Inc. All rights reserved. Example P/IaaS // Azure Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 1515
  • 16. © 2011 Cloud Security Alliance, Inc. All rights reserved. Service Model Architectures Cloud Infrastructure IaaS PaaS SaaS Infrastructure as a Service (IaaS) Architectures Platform as a Service (PaaS) Architectures Software as a Service (SaaS) Architectures Cloud Infrastructure SaaS Cloud Infrastructure PaaS SaaS Cloud Infrastructure IaaS PaaS Cloud Infrastructure PaaS Cloud Infrastructure IaaS 1616
  • 17. © 2011 Cloud Security Alliance, Inc. All rights reserved. 18 Security: Barrier to Adoption?
  • 18. © 2011 Cloud Security Alliance, Inc. All rights reserved. 19 What is Different about Cloud?
  • 19. © 2011 Cloud Security Alliance, Inc. All rights reserved. Security Relevant Cloud Components Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elastic Elements: Storage, Processing, and Virtual Networks 2020
  • 20. © 2011 Cloud Security Alliance, Inc. All rights reserved. 21 What is Different about Cloud? SERVICE OWNER SaaS PaaS IaaS Data Joint Tenant Tenant Application Joint Joint Tenant Compute Provider Joint Tenant Storage Provider Provider Joint Network Provider Provider Joint Physical Provider Provider Provider
  • 21. © 2011 Cloud Security Alliance, Inc. All rights reserved. 22 What is Different about Cloud?
  • 22. © 2011 Cloud Security Alliance, Inc. All rights reserved. 23 What is Different about Cloud?
  • 23. © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud “Threats” 1. Abuse & Nefarious Use of Cloud Computing 2. Insecure Interfaces & APIs 3. Malicious Insiders 4. Shared Technology Issues 5. Data Loss or Leakage 6. Account or Service Hijacking 7. Unknown Risk Profile 24
  • 24. © 2011 Cloud Security Alliance, Inc. All rights reserved. ENISA Cloud Computing Risk Assessment http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment 1. Loss of governance 2. Lock-in 3. Isolation failure 4. Compliance risks 5. Management interface compromise 6. Data protection 7. Insecure or incomplete data deletion 8. Malicious insider 25
  • 25. © 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud “Threats” – Top 3 1. Authentication abuse 2. Operations breakdown 3. Misuse of cloud-specific technology 26
  • 26. © 2011 Cloud Security Alliance, Inc. All rights reserved. FBI Takes Cloud Away 27
  • 27. © 2011 Cloud Security Alliance, Inc. All rights reserved. While we are “in the cloud” Here are some additional CSA/cloud security resources… 28
  • 28. © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA GRC Stack Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption. 29 Control Requirements Provider Assertions Private, Community & Public Clouds
  • 29. © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA CloudAudit Open standard and API to automate provider audit assertions Change audit from data gathering to data analysis Necessary to provide audit & assurance at the scale demanded by cloud providers Uses Cloud Controls Matrix as controls namespace Use to instrument cloud for continuous controls monitoring 30
  • 30. © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud Controls Matrix 31 Controls derived from guidance Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA Rated as applicable to SaaS/PaaS/IaaS Customer vs Provider role Help bridge the “cloud gap” for IT & IT auditors https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
  • 31. © 2011 Cloud Security Alliance, Inc. All rights reserved. 32 Next?
  • 32. © 2011 Cloud Security Alliance, Inc. All rights reserved. Thanks for Your Review! Acknowledgement to Dr. Anton Chuvakin, SecurityWarrior LLC for Cloud Security Alliance, Cloud Security Alliance.org, Materials by Cloud Security Alliance.org © & PCI in the cloud training, created by for Triad ISSA, NC January 26, 2012 Valdez Ladd, ISSA Raleigh, NC 2011 33
  • 33. © 2011 Cloud Security Alliance, Inc. All rights reserved. 34