Cloud Channel Summit 2015 | @rhipecloud #RCCS15

About the Cloud Security Alliance

• Global, not-for-profit organisation

• 300 member driven organization with over 56,000 individual

members in 65 chapters worldwide

• Building best practices and a trusted cloud ecosystem

• Agile philosophy, rapid development of applied research

– GRC: Balance compliance with risk management

– Reference models: build using existing standards

– Identity: a key foundation of a functioning cloud economy

– Champion interoperability

– Enable innovation

– Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance

within Cloud Computing, and provide education on the uses of

Cloud Computing to help secure all other forms of computing.”

• Regional HQ based in Singapore; registered as a Company Limited by Guarantee in August 2012

• Representative office in Beijing established in 2014

• 22 Chapters, 2 regional coordinating bodies

• Official chapters

– *Japan

– Korea

– Greater China Regional Coordinating Body

• Beijing, Shanghai, Guangzhou

• *Hong Kong & Macau, *Taiwan

– *Thailand

– Singapore

– India Regional Coordinating Body

• Mumbai, Bangalore, NCR, Hydrabad

– Australia

– *New Zealand

– Malaysia

• In development

chapters

– Indonesia

– Pakistan

– Islamabad

– India

• New Delhi,

Chennai, Pune

Cloud Barriers

• (Perceived) Loss of control

• Lack of clarity around the

definition and attribution

of responsibilities and

liabilities

• Difficulties achieving

accountability across the

cloud supply chain

• Incoherent global (and

even sometimes regional

and national) legal

framework and

compliance regimes

….and more barriers

• The lack of transparency

of some service

providers or brokers

• Lack of clarity in Service

Level Agreements

• Lack of interoperability

• Lack of awareness and

expertise

www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance

In 3 words: LACK OF TRUST

HOW DO WE BUILD TRUST

& TRANSPARENCY?

Certification for cloud services

• In US

– Looked upon as a critical service to be provided by AICPA members

• In the Agenda of the EU

– Requested from Art29 WP as a measure for privacy compliance

– various Member States are looking at a certification/accreditation schema for

cloud service (especially in Public Procurement)

• In APAC

– Already part of the cloud strategy in countries such as Singapore,

Thailand, China, Hong Kong and Taiwan to leverage CSA STAR into

national cloud certification scheme or public procurement

requirement

Requirements

• Provide a globally relevant certification to reduce duplication of

efforts

• Address localized, national-state and regional compliance needs

• Address industry specific requirements

• Address different assurance requirements

• Address “certification staleness” – assure provider is still secure after

“point in time” certification

• User-centric

• Voluntary, business driven

• Leverage global standards/schemes

• Do all of the above while recognizing the dynamic and fast-changing

world that is cloud

Objectives

• To improve customer trust in cloud services

• To improve security of cloud services

• To increase the efficiency of cloud service procurement

• To make it easier for cloud providers and customers to

achieve compliance

• To provide greater transparency to customers about

provider security practices

• To achieve all the above objectives as cost-effectively as

possible

The Answer from Cloud

Security Alliance

CSA STAR:

Security, Trust & Assurance Registry

• Launched in 2011, the CSA STAR is the first step in

improving transparency and assurance in the cloud.

• The STAR is a

publicly accessible

registry that

documents the

security controls

provided by cloud

computing offerings

• Helps users to assess

the security of cloud

providers

• It is based on a

multilayered

structure defined by

Open Certification

Framework Working

Group

• Searchable registry to allow cloud customers to

review the security practices of providers,

accelerating their due diligence and leading to

higher quality procurement experiences.

What is CSA STAR Certification?

Optimizing Cloud Security, Trust and Transparency

• The CSA STAR Certification is a rigorous third party independent

assessment of the security of a cloud service provider.

• Technology-neutral certification leverages the requirements of the

ISO/IEC 27001:2005 & the CSA Cloud Controls Matrix (CCM)

• Integrates ISO/IEC 27001:2005 with the CSA CCM as additional or

compensating controls.

• Measures the capability levels of the cloud service.

• It assigns a ‘Management Capability’ score to each of the CCM

security domains.

The OCF structure

The CSA Open Certification Framework is an industry initiative to allow

global, accredited, trusted certification of cloud providers.

STAR Certification: Certificate

Approving Assessors

• They must demonstrate knowledge of the Cloud Sector

• Either through verifiable industry experience – this can include though assessing

organizations

• Or through completing CCSK certification or equivalent

• They must be a qualified auditor working a ISO 27006 accredited CB

• Evidence of conducting ISO 27001 assessments for a certification body accredited by an IAF

member to ISO 27006 or their qualifications as an auditor for that organization.

• They must complete the CSA approved course qualifying them to audit the CCM for

STAR Certification (This course will be carried out by BSI)

Members Network in Asia Pacific

Government Relationship

• Singapore Institute of Technology

• CEPREI Certification Body (The Fifth Electronic Institute of Ministry of Industry and Information Technology)

• China Electronics Standardization Institution of Ministry of Industry and Information Technology

• Institute of High Energy Physics (IHEP), Chinese Academy of Science

• China Cloud OS Pioneer Strategic Alliance (CCOPSA)

• China Advanced Technology Investment Ltd

• The Cloud Identity Institute of Peking University’s College of Engineering

• HP China

• University of Waikato

• University of Mahidol

Key MOUs signed P-P-P Research

Introducing Certificate of Cloud Security

Knowledge (CCSK)

• The industry’s first user certification program for secure

cloud computing

• Based on CSA research framework, specifically the Security

Guidance for Critical Area of Focus in Cloud Computing

• Designed to ensure that a broad range of professionals with

responsibility related to cloud computing have a

demonstrated awareness of the security threats and best

practices for securing the cloud

CSA EVENTS

• CSA ASEAN Summit

June 11-12, 2015, Bangkok, Thailand

•

CSA APAC Summit

July 21, 2015, Singapore

•

CSA Innovation Conference

October 28-29, 2015, Singapore

• CSA APAC Congress (tentative)

November 11-12, 2015, Beijing, China

Very important

No Certification can ever guarantee information is 100%

secure however STAR certification ensures an organisation

has an appropriate system for the type of information it is

dealing with and that it is well managed and focused on

cloud specific concerns.

Contact us

www.cloudsecurityalliance.org

info@cloudsecurityalliance.org

www.linkedin.com/groups?gid=1864210

@cloudsa

Enquiries.my@rhipe.com