nils puhlmann ncoic slides

Post on 12-May-2015

Category:

Technology

DESCRIPTION

Nils Puhlmann, Cloud Security Alliance - Cloud Security

TRANSCRIPT

NCOIC

Federal Cloud Storefront Workshop

Nils Puhlmann, Co-Founder

September 21st, 2009

www.cloudsecurityalliance.org
Copyright © 2009 Cloud Security Alliance

Security is a concern

S-P-I Model

IaaS

PaaS

SaaS

You build security in

You “RFP” security in

Security and the SPI model

Risk Examples

• Geo-location of sensitive data

• Inability to deploy security services (e.g. scanning)

• Risk with shared computing platform (multi-tenant)

• Data confidentiality

• Access via internet – untrusted

• Cloud vendors for the most part non-committal on security

• Company data on 3rd party machine

• Compliance lacking – inability to satisfy auditors

• Vendors not up to speed from a guidance and auditing perspective

• Inability to perform forensic investigation

Meet the Cloud Security Alliance

• Global, not-for-profit organization, started Nov. 2008, individual members (free), corporate members and affiliated organizations

• Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on…

• We believe Cloud Computing has a robust future, we want to make it better

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Current affiliates

Cloud-Standards.org

Individual Members

• 4,174 as of September 15th

• Broad Geographical Distribution

• Active Working Groups

  • Editorial

  • Educational Outreach

  • Architecture

  • Governance, Risk Mgt, Compliance, Business Continuity

  • Legal & E-Discovery

  • Portability, Interoperability and Application Security

  • Identity and Access Mgt, Encryption & Key Mgt

  • Data Center Operations and Incident Response

  • Information Lifecycle Management & Storage

  • Virtualization and Technology Compartmentalization

• New Working Groups

  • Healthcare

  • Cloud Threat Analysis

  • US Federal Government

  • Financial Services

Project Roadmap

• April 2009: Security Guidance for Critical Areas of Focus for Cloud Computing – Version 1

• July 2009: Version 1 translated into Japanese

• October 2009: Security Guidance for Critical Areas of Focus for Cloud Computing – Version 2

• October 2009: Top Ten Cloud Threats (monthly)

• November 2009: Provider & Customer Checklists

• December 2009: eHealth Guidance

• Global CSA Executive Summits

  • Q1 2010 – Europe

  • Q1 or Q2 2010 – US

Security Guidance for Critical Areas of Focus in Cloud Computing

Download at:

www.cloudsecurityalliance.org/guidance

Overview of Guidance

1. Architecture & Framework

Governing in the Cloud

2. Governance & Risk Mgt

3. Legal

4. Electronic Discovery

5. Compliance & Audit

6. Information Lifecycle Mgt

7. Portability & Interoperability

Operating in the Cloud

8. Traditional, BCM, DR

9. Data Center Operations

10. Incident Response

11. Application Security

12. Encryption & Key Mgt

13. Identity & Access Mgt

14. Storage

15. Virtualization

Contact

• www.cloudsecurityalliance.org

• info@cloudsecurityalliance.org

• Twitter: @cloudsa, #csaguide

• LinkedIn: www.linkedin.com/groups?gid=1864210

Thank You!
