The Global Mandate to Secure Cloud Computing · Area of Focus in Cloud Computing • Designed to...

Post on 08-Jun-2020


The Global Mandate to Secure Cloud Computing Dr. Ricci IEONG, CISSP, CISA, CEH, CCFP, CCSK, F.ISFS STAR Auditor CSA

#CLOUDSEC

Trend of Cloud Computing

From dominate (Gartner Top 10 Strategic Technology Trends for 2014):
• 1. Mobile device diversity and management
• 2. Mobile apps and applications
• 3. The Internet of Everything
• 4. Hybrid cloud and IT as service broker
• 5. Cloud/client
• 6. The era of personal cloud
• 7. Software-defined anything
• 8. Web-scale IT
• 9. Smart machines
• 10. 3D printing

To Integrate (Gartner Top 10 Strategic Technology Trends for 2015)

Why do we need a Global Mandate to Secure Cloud Computing?

• State-sponsored cyberattacks?
• Organized crime?
• Legal jurisdiction & data sovereignty?
• Global security standards?
• Privacy protection for citizens?
• Transparency & visibility from cloud providers?

The Global Mandate is Empowerment

• Shift the balance of power to consumers of IT
• Enable innovation to solve difficult problems of humanity
• Give the individual the tools to control their digital destiny
• Do this by creating confidence, trust and transparency in IT systems
• Security is not overhead, it is the enabler

Key Trust Issues in Cloud

• Transparency & visibility from providers
• Compatible laws across jurisdictions
• Data sovereignty
• Incomplete standards
• Lack of true multi-tenant technologies & architecture
• Incomplete Identity Management implementations
• Risk concentration

Collaboration in the Cloud

• Shared responsibility
• Incident sharing
• Legal frameworks
• Human intelligence
• Agile communities

Who Are We?

• Global, not-for-profit organization
• Building security best practices for next generation IT
• Research and educational programs
• Cloud Provider Certification – CSA STAR
• User Certification – CCSK
• The globally authoritative source for Trust in the Cloud

“To paraphrase Star Wars, CSA’s role is to bring trust to the cloud”

Cloud Security Alliance (HK&M Chapter)

CSA Fast Facts

• Founded in 2009
• Membership stats as of August 2014
– 68,000 individual members, 70 chapters globally
– Over 300 corporate members worldwide
• Regional HQ in Seattle USA, Edinburgh UK and Singapore, covering Americas, EMEA and APAC
• Over 30 research projects in 25 working groups
• Strategic partnerships with governments, research institutions, professional associations and industry
• www.cloudsecurityalliance.org

A sample of our corporate members

CSA APAC – 24 Official chapters

• Japan
• Korea
• Greater China Regional Coordinating Body
– Beijing
– Shanghai
– Huanan
– Xibei
– Hong Kong & Macau
– Taiwan
• Thailand
• Singapore
• India Regional Coordinating Body
– Mumbai
– Bangalore
– NCR
– Hyderabad
• Australia
• New Zealand
• Malaysia

In development: Indonesia, Philippines, India (New Delhi, Chennai, Pune)

CSA APAC – Government relationships

CSA Standardization

International Standardization Council (ISC)

• Primary CSA interface with Standards Development Organizations (SDOs)
• Coordinates standardization efforts within CSA
• Only available to corporate members, with 2 types of membership
– Voting Membership
• CSA corporate member representatives
• Any affiliated CSA members who are involved with SDOs
• Any at-large CSA members proposed by Council voting membership
– Advisory Membership (observer status)

CSA/SDO Relationship Landscape

Trusted Provider Certification – the CSA STAR

Transparency
• Public visibility into providers
– Corporate governance
– Supply chain
– Information security program
– Policies impacting customers
• Consumer right to know
• Public will demand better

“Sunlight is the best disinfectant,” U.S. Supreme Court Justice Louis Brandeis

CSA Role in Assurance (diagram)

• Control Requirements
• Provider Assertions
• Private, Community & Public Clouds
• Framework Structure
• Clear GRC objectives
• Path to High Assurance: Self Assessment + 3rd Party Assessment + Real time, continuous monitoring

CSA STAR (Security, Trust and Assurance Registry)

• Public registry of cloud provider self assessments
• Based on the Consensus Assessments Initiative Questionnaire
• Provider may substitute documented Cloud Controls Matrix compliance
• Voluntary industry action promoting transparency
• Security as a market differentiator

www.cloudsecurityalliance.org/star – STAR: Demand it from your providers!

CSA STAR Registry (Level 1: Self Assessment Model)

More than 100 Registered (August 2015)

STAR Level 2

• Launch of Level 2 certification at CSA EMEA Congress on Sep 25, 2013
• Aliyun first to achieve Gold standard!
• Ribose (HK) was the first to achieve STAR Attestation!
• Since then, we have reference sites in China, Japan, Taiwan and Hong Kong certified to CSA STAR
• And governments worldwide have incorporated, or are in the process of incorporating, the OCF into their government procurement processes

Latest addition to Level 2 – C-STAR, a proposed Chinese framework

www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance

OCF Level 3

• CSA STAR Continuous will be based on continuous auditing/assessment of relevant security properties.
• It will be built on the following CSA best practices/standards in the CSA GRC Stack family:
– Cloud Controls Matrix (CCM)
– Cloud Trust Protocol (CTP)
– CloudAudit (A6)
• CSA STAR Continuous is currently under development and the target date of delivery is 2015.

Hong Kong CSPs are leading…

Also the first three companies that achieved C-STAR

EDUCATION AND USER CERTIFICATION


Introducing Certificate of Cloud Security Knowledge (CCSK)

• The industry’s first user certification program for secure cloud computing

• Based on CSA research framework, specifically the Security Guidance for Critical Area of Focus in Cloud Computing

• Designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud

Training Courses Available Today

Hong Kong and Macau local training
• CCSK Basic
– One day course to enable students to pass CCSK
• CCSK Plus
– Two day course including practical cloud lab work
• HP CCSK Basic
– 2 day extended course to enable students to pass CCSK
• HP CCSK Plus
– 3 day extended course including practical cloud lab work
• CCSP (by ISC2 and CSA)

Other region activities
• CCSK Train-the-Trainer
– Three day course including CCSK Plus
• GRC Stack Training
– Additional one day course on using GRC Stack components
• PCI/DSS in the Cloud
– Additional one day course focusing on achieving PCI compliance in cloud computing
• http://cloudsecurityalliance.org/education/training/

CSA RESEARCH


Research framework

• CSA research is organized under a framework based on the CSA Security Guidance for Critical Areas of Focus in Cloud Computing
• Total of 14 domains organised under 3 key areas of focus – Architecture, Governance and Operational Security

Cloud Controls Matrix (CCM)

• Controls derived from guidance
• Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP
• Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
• Customer vs provider role
• Helps bridge the “cloud gap” for IT & IT auditors

Research Portfolio

• Our research includes fundamental projects needed to define and implement trust within the future of information technology
• CSA continues to be aggressive in producing critical research, education and tools
• Sponsorship opportunities
• Selected research projects in the following slides

HK & MACAU CHAPTER ACTIVITIES

About HKM Local Chapter

• Launched in 2012
• Organization founded Jul 2015

Corporate members (from Hong Kong)

Come and join us

How to participate?
• For Enterprise
– Join us as a corporate member
– Participate to drive the market standards
• For Individual
– Join us as an individual member
– Learn more about cloud security topics
• Join our upcoming activities

Please visit our booth

Our upcoming activities

• Casual monthly chit-chat sessions
– 1 – 2 hr session
– Mainly for networking purposes
• Quarterly technical sessions
– 2 – 3 hr session
– Mainly for technical knowledge sharing by members, vendors or technical experts
• Hot topics workshop sessions
– 4 hr session
– Technical knowledge workshop, mainly for hands-on experience sharing related to cloud computing

Sep 2015: How does Win 10 enhance cloud security?

Oct 2015: Security in Government Cloud

Dec 2015: Encryption technical solutions for cloud users and secure cloud storage

More topics … SDN, Hybrid Cloud, PaaS, Cloud Certification

Contact

• Email: chair@hkm.chapters.cloudsecurityalliance.org
• WWW: www.csahkm.org
• LinkedIn: https://www.linkedin.com/grp/home?gid=4069005
• Facebook: https://www.facebook.com/pages/Cloud-Security-Alliance-Hong-Kong-Macau-Chapter/