About the Cloud Security Alliance

Jun.25, 2009 in Cloud Computing, Virtualization

The next presentation at the ISSA half-day seminar was on the “Cloud Security Alliance” and Security Guidance for Critical Areas of Focus in Cloud Computing by Jeff Reich. Here are my notes from this presentation:

Agenda

About the Cloud Security Alliance
Getting Involved
Guidance 1.0
Call to Action

About the Cloud Security Alliance

Not-for-profit organization
Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc
We believe in Cloud Computing, we want to make it better

Getting Involved

Individual membership (free)
- Subject matter experts for research
- Interested in learning about the topic
- Administrative & organizational help
Corporate Sponsorship
- Help fund outreach, events
Affiliated Organizations (free)
- Joint projects in the community interest
Contact information on website

Download version 1.0 of the Security Guidance at http://www.cloudsecurityalliance.org/guidance

Overview of Guidance

15 domains
#1 is Architecture & Framework
Covers Governing in the Cloud (2-7) and Operating in the Cloud (8-15) as well

Assumptions & Objectives

Trying to bridge gap between cloud adopters and security practitioners
Broad “security program” view of the problem

Architecture Framework

Not “One Cloud”: Nuanced definition critical to understanding risks & mitigation
5 principal characteristics (abstration, sharing, SOA, elasticity, consumption/allocation)
3 delivery models
- Infrastructure as a Service
- Platform as a Service
- Software as a Service
4 deployment models: Public, Private, Managed, Hybrid

Governance & ERM

A portion of cloud cost savings must be invested into provider security
Third party transparency of cloud provider
Financial viability of cloud provider
Alignment of key performance indicators
PII best suited in private/hybrid cloud outside of significant due diligence of public cloud provider
Increased frequency of 3rd party risk assessments

Important thing to consider is the financial viability of your provider. You never want to have your data held hostage in a court battle.

Legal

Contracts must have flexible structure for dynamic cloud relationships
Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets
Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer

Compliance & Audit

Classify data and systems to understand compliance requirements
Understand data locations, copies

Information Lifecycle Management

Understand the logical segregation of information and protective controls imnplemented in storage, transfers, backups

Summary

Cloud Computing is real and transformational
Cloud Computing can and will be secured
Broad governance approach needed
Tactical fixes needed
Combination of updating existing best practices and creating completely new best practices
Common sense is not optional

Call to Action

Join us, help make our work better
www.cloudsecurityalliance.org
info@cloudsecurityalliance.org
Twitter: @cloudsa, #csaguide

Tags: about, alliance, cloud, framework, guidance, jeff, membership, objectives, reich, Security

Welcome to WebAdminBlog!

This blog site is run by Josh Sokol, the Founder and CEO of SimpleRisk, a free tool for Governance, Risk Management, and Compliance. Josh is a former Web Admin and Information Security Program Owner of National Instruments.

Categories
Recent Posts
Recent Comments
devops
Links
Security
Tags
21ct agile amazon analysis application appsec attack aws browser cloud Cloud Computing code Conferences data devops ec2 firewall google hansen internet lynxeon malware Management network Operations owasp PCI performance project rsnake SaaS secure Security strategies velocity velocity08 velocityconf velocityconf08 velocityconf09 Virtualization vpn vulnerability waf web wifi
Categories
- Advertising (2)
- Application Performance Management (14)
- Automation (4)
- Browsers (4)
- Cloud Computing (9)
  - Elastic Compute Cloud (3)
- Conferences (64)
  - BSides Austin 2013 (1)
  - BSides Austin 2016 (1)
  - OWASP AppSec DC 2009 (16)
  - OWASP AppSec NYC 2008 (18)
  - OWASP LASCON 2017 (1)
  - OWASP LASCON 2018 (1)
  - TRISC 2009 (8)
  - Velocity 2008 (8)
  - Velocity 2009 (8)
- Content Management (2)
- Featured (3)
- Green Computing (1)
- High Availability (1)
- Log Management (2)
- Management (4)
- Monitoring (4)
- Networking (12)
  - Firewalls (4)
  - NetFlow (4)
- Operating Systems (2)
  - Linux (2)
  - Mac OSX (1)
  - Unix (2)
- Operations (11)
- Popular (2)
- SaaS (2)
- Sarcasm (1)
- Search (1)
  - Enterprise Search (1)
- Security (75)
  - Access Management (1)
  - Capture the Flag (4)
  - Cloud Computing (4)
  - Compliance (1)
  - Disaster Recovery (1)
  - Malware (4)
  - Metrics (2)
  - OWASP (2)
  - PCI (2)
  - Phishing (2)
  - Physical (1)
  - Risk Management (2)
  - Virtualization (3)
  - Web Application Security (32)
    - Dynamic Analysis (1)
    - Static Analysis (1)
  - Wireless Networks (5)
- Service-Oriented Architecture (1)
- Software and Tools (15)
  - Crashplan (1)
  - Drobo (1)
  - GRC (1)
- Training (2)
- Uncategorized (1)
- Virtualization (4)

Blogroll
- Agile Operations Blog
- Agile Testing
- Agile Web Operations
- Amazon Web Services Blog
- dev2ops – Web Ops at Scale
- Gilligan on Data Web Analytics pro tips
- ISSA Home The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners.
- Kitchen Soap, A WebOps Blog
- Michael Howard's Blog Software security guy at Microsoft.
- National Instruments Home The majority of the contributers here are current or past NI employees.
- OWASP Home The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
- RSnake's Blog ha.ckers.org web application security lab
- Server Fault
- Steve Souders’ Blog Google High Performance Guru
- The Madstop
- The Open Minded Enterprise
- The Simple Logic
- Transparent Uptime blog
Archives
- March 2019
- October 2017
- April 2016
- January 2016
- December 2015
- May 2015
- November 2014
- August 2014
- June 2014
- May 2014
- October 2013
- September 2013
- August 2013
- May 2013
- March 2013
- February 2013
- October 2012
- May 2011
- April 2011
- December 2010
- July 2010
- June 2010
- April 2010
- March 2010
- February 2010
- January 2010
- November 2009
- September 2009
- July 2009
- June 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
Tag Cloud
21ct agile amazon analysis application appsec attack aws browser cloud Cloud Computing code Conferences data devops ec2 firewall google hansen internet lynxeon malware Management network Operations owasp PCI performance project rsnake SaaS secure Security strategies velocity velocity08 velocityconf velocityconf08 velocityconf09 Virtualization vpn vulnerability waf web wifi

Web Admin Blog

Real Web Admins. Real World Experience.

About the Cloud Security Alliance

Leave a Reply

Welcome to WebAdminBlog!

Categories

Recent Posts

Recent Comments

devops

Links

Security

Categories

Blogroll

Archives

Tag Cloud