cloud channel summit 2015 @rhipecloud #rccs15€¦ · about the cloud security alliance ......
TRANSCRIPT
Cloud Channel Summit 2015 | @rhipecloud #RCCS15
About the Cloud Security Alliance
• Global, not-for-profit organisation
• 300 member driven organization with over 56,000 individual
members in 65 chapters worldwide
• Building best practices and a trusted cloud ecosystem
• Agile philosophy, rapid development of applied research
– GRC: Balance compliance with risk management
– Reference models: build using existing standards
– Identity: a key foundation of a functioning cloud economy
– Champion interoperability
– Enable innovation
– Advocacy of prudent public policy
“To promote the use of best practices for providing security assurance
within Cloud Computing, and provide education on the uses of
Cloud Computing to help secure all other forms of computing.”
• Regional HQ based in Singapore; registered as a Company Limited by Guarantee in August 2012
• Representative office in Beijing established in 2014
• 22 Chapters, 2 regional coordinating bodies
• Official chapters
– *Japan
– Korea
– Greater China Regional Coordinating Body
• Beijing, Shanghai, Guangzhou
• *Hong Kong & Macau, *Taiwan
– *Thailand
– Singapore
– India Regional Coordinating Body
• Mumbai, Bangalore, NCR, Hydrabad
– Australia
– *New Zealand
– Malaysia
• In development
chapters
– Indonesia
– Pakistan
– Islamabad
– India
• New Delhi,
Chennai, Pune
Cloud Barriers
• (Perceived) Loss of control
• Lack of clarity around the
definition and attribution
of responsibilities and
liabilities
• Difficulties achieving
accountability across the
cloud supply chain
• Incoherent global (and
even sometimes regional
and national) legal
framework and
compliance regimes
….and more barriers
• The lack of transparency
of some service
providers or brokers
• Lack of clarity in Service
Level Agreements
• Lack of interoperability
• Lack of awareness and
expertise
www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance www.cloudsecurityalliance.orgCopyright © 2011 Cloud Security Alliance
In 3 words: LACK OF TRUST
HOW DO WE BUILD TRUST
& TRANSPARENCY?
Certification for cloud services
• In US
– Looked upon as a critical service to be provided by AICPA members
• In the Agenda of the EU
– Requested from Art29 WP as a measure for privacy compliance
– various Member States are looking at a certification/accreditation schema for
cloud service (especially in Public Procurement)
• In APAC
– Already part of the cloud strategy in countries such as Singapore,
Thailand, China, Hong Kong and Taiwan to leverage CSA STAR into
national cloud certification scheme or public procurement
requirement
Requirements
• Provide a globally relevant certification to reduce duplication of
efforts
• Address localized, national-state and regional compliance needs
• Address industry specific requirements
• Address different assurance requirements
• Address “certification staleness” – assure provider is still secure after
“point in time” certification
• User-centric
• Voluntary, business driven
• Leverage global standards/schemes
• Do all of the above while recognizing the dynamic and fast-changing
world that is cloud
Objectives
• To improve customer trust in cloud services
• To improve security of cloud services
• To increase the efficiency of cloud service procurement
• To make it easier for cloud providers and customers to
achieve compliance
• To provide greater transparency to customers about
provider security practices
• To achieve all the above objectives as cost-effectively as
possible
The Answer from Cloud
Security Alliance
CSA STAR:
Security, Trust & Assurance Registry
• Launched in 2011, the CSA STAR is the first step in
improving transparency and assurance in the cloud.
• The STAR is a
publicly accessible
registry that
documents the
security controls
provided by cloud
computing offerings
• Helps users to assess
the security of cloud
providers
• It is based on a
multilayered
structure defined by
Open Certification
Framework Working
Group
• Searchable registry to allow cloud customers to
review the security practices of providers,
accelerating their due diligence and leading to
higher quality procurement experiences.
What is CSA STAR Certification?
Optimizing Cloud Security, Trust and Transparency
• The CSA STAR Certification is a rigorous third party independent
assessment of the security of a cloud service provider.
• Technology-neutral certification leverages the requirements of the
ISO/IEC 27001:2005 & the CSA Cloud Controls Matrix (CCM)
• Integrates ISO/IEC 27001:2005 with the CSA CCM as additional or
compensating controls.
• Measures the capability levels of the cloud service.
• It assigns a ‘Management Capability’ score to each of the CCM
security domains.
The OCF structure
The CSA Open Certification Framework is an industry initiative to allow
global, accredited, trusted certification of cloud providers.
STAR Certification: Certificate
Approving Assessors
• They must demonstrate knowledge of the Cloud Sector
• Either through verifiable industry experience – this can include though assessing
organizations
• Or through completing CCSK certification or equivalent
• They must be a qualified auditor working a ISO 27006 accredited CB
• Evidence of conducting ISO 27001 assessments for a certification body accredited by an IAF
member to ISO 27006 or their qualifications as an auditor for that organization.
• They must complete the CSA approved course qualifying them to audit the CCM for
STAR Certification (This course will be carried out by BSI)
Members Network in Asia Pacific
Government Relationship
• Singapore Institute of Technology
• CEPREI Certification Body (The Fifth Electronic Institute of Ministry of Industry and Information Technology)
• China Electronics Standardization Institution of Ministry of Industry and Information Technology
• Institute of High Energy Physics (IHEP), Chinese Academy of Science
• China Cloud OS Pioneer Strategic Alliance (CCOPSA)
• China Advanced Technology Investment Ltd
• The Cloud Identity Institute of Peking University’s College of Engineering
• HP China
• University of Waikato
• University of Mahidol
Key MOUs signed P-P-P Research
Introducing Certificate of Cloud Security
Knowledge (CCSK)
• The industry’s first user certification program for secure
cloud computing
• Based on CSA research framework, specifically the Security
Guidance for Critical Area of Focus in Cloud Computing
• Designed to ensure that a broad range of professionals with
responsibility related to cloud computing have a
demonstrated awareness of the security threats and best
practices for securing the cloud
CSA EVENTS
• CSA ASEAN Summit
June 11-12, 2015, Bangkok, Thailand
•
CSA APAC Summit
July 21, 2015, Singapore
•
CSA Innovation Conference
October 28-29, 2015, Singapore
• CSA APAC Congress (tentative)
November 11-12, 2015, Beijing, China
Very important
No Certification can ever guarantee information is 100%
secure however STAR certification ensures an organisation
has an appropriate system for the type of information it is
dealing with and that it is well managed and focused on
cloud specific concerns.
Contact us
www.cloudsecurityalliance.org
www.linkedin.com/groups?gid=1864210
@cloudsa