Copyright © 2011 Cloud Security Alliance DANIELE CATTEDDU CSA Managing Director EMEA

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Global, not-for-profit organization Over 26,000 individual members, 100 corporate members, 50 chapters Building best practices and a trusted cloud ecosystem Agile philosophy, rapid development of applied research GRC: Balance compliance with risk management Reference models: build using existing standards Identity: a key foundation of a functioning cloud economy Champion interoperability Enable innovation Advocacy of prudent public policy “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Will CSP be transparent about governance and operational issues? Will the user be considered compliant? Does the user know what legislation applies? Will a lack of standards drive unexpected obsolescence? Is cloud really better at security than traditional IT solution? Are the hackers waiting for me in the cloud?

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Keeping pace with cloud changes Globally incompatible legislation and policy Non-standard private & public clouds Lack of continuous risk management & compliance monitoring Incomplete identity management implementations Haphazard response to security incidents

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance KEY AREAS Interoperability and portability Trust, security, and assurance Security innovation in the cloud Our proposals should be understood in the context of the CSA focus on security, assurance, and compliance.

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Public procurement to catalyse cloud adoption Developing a standard framework and guidelines for service and data asset classification Help customers decide which services and data can be moved in which type of cloud Defining requirements for data security, privacy, portability and secure deletion Designing models for cloud bursting Developing/publishing “buyer’s guides” and SLAs & RFPs for common services

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance SHORT-TERM PRIORITIES Interoperability of security policy Security service level agreements Privacy level agreements Security as a Service Promoting the use of open standards

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance POSITIVE IMPACT Overcome the lack of solid technical standards for interoperability & portability Guidance and support for SMEs Help CSPs in improving and customising cloud offerings based on explicit requirements

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 1: WHAT: Interoperable Security Policies and Measures HOW: Standardisation of security policy syntax and basic settings WHO: Public sector + research community + industry Expert group to collect requirements and define policy syntax, and framework for policy interoperability Research program framework, e.g. developing projects on security policy management automation. CSA will play an active role

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 2: WHAT: Security Service Level Agreements HOW: Develop quantitative and comparable measures for reporting parameters by leveraging existing efforts from ENISA, NIST and CSA WHO: Industry and/or ENISA to develop, Public Sector to endorse CSA is playing an active role

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 3: WHAT: Privacy Level Agreements (PLAs) HOW: Define a standard format for a CSP to declare the level of privacy (data protection and data security) that it sustains for the relevant data processing WHO: Industry + DP authorities + subject matter experts to develop PLAs and public sector to endorse CSA is playing an active role: PLA Outlines project to be launched Dec.2011

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 4: WHAT: Security as a Service HOW: Create a common vocabulary (define and, characterise) for cloud-based security services and keep records of providers offerings WHO: Industry and/or ENISA to develop, Public Sector to endorse CSA is playing an active role: SecaaS

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance SHORT-TERM PRIORITIES Assessment Framework Transparency Registry Security Breach Notification CloudSIRT and Real-Time Security Monitoring Continuous Controls Monitoring and Auditing

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance SHORT-TERM PRIORITIES (CONT.) Identity Model Consumer Education Applicable Law and Jurisdictions Government Access to Data e-Discovery

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 1: WHAT: Assessment Framework HOW: Integrated approach to assessment CSPs and their external suppliers. A single approach provides cross-mapping between existing standards (ISO 2700x, COBIT, PCI- DSS, ENISA Cloud IAF, CSA CCM and ISF SOGP) WHO: Industry and ENISA to refine existing framework, public sector to endorse and adopt CSA is playing an active role: CCM, CAMM, CAI & CloudAudit

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 2: WHAT: Transparency Registry HOW: Create a system to share and compare assessment results that would be managed and maintained by a European or national public institution, or from an independent trusted party or public/private partnership. Voluntary participation WHO: Public sector, PPP, or independent org. to establish and maintain, EC to endorse CSA is playing an active role: CSA STAR Registry

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 3: WHAT: Security Breach Notification HOW: Voluntary incident reporting mechanism. Inspired to Article 13a (3),2009/140/EC, and Article 4,2009/136/EC. WHO: Industry to develop, public sector to endorse CSA is playing an active role: CloudSIRT

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 4: WHAT: SIRT and Real-Time Security Monitoring HOW: Creation of EC-wide cloud-related SIRT; a single point for vendors and customers to get data on the latest risks and incidents. Real- time reporting solutions could voluntarily send non-sensitive data to the SIRT WHO: Public sector + research community + industry CSA is playing an active role: CloudSIRT

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 5 WHAT: Continuous Controls Monitoring and Auditing HOW: Research and development of frameworks and automated systems for continuous controls monitoring and auditing. WHO: Research community + public sector + industry CSA is playing an active role: GRC Stack

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 6: WHAT: Identity Model HOW: Support CSPs and SDOs, e.g. OASIS, develop secure and interoperable identity, access and compliance management configurations, and practices. WHO: EC + SDOs + research community+ industry CSA is playing an active role: Trusted Cloud Initiative (TCI) Reference Architecture

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 7: WHAT: Consumer Education HOW: Pan-European and national awareness raising campaigns to explain terminology and remove false perceptions around benefits, risks, and legal framework WHO: EC + MSs + Associations CSA is playing an active role

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 8: WHAT: Applicable Law and Jurisdictions HOW: Jurisdiction should be the ones of the country of origin of the user

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 9: WHAT: Government Access to Data HOW: Bilateral agreement between EC and the US federal government to set up clear rules of engagement and limitations to the right of a government to confiscate servers WHO: European Commission

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance ACTION 10: WHAT: e-Discovery HOW: Bring forward Article 29 opinion on pre-trial discovery for cross-border civil litigation ( s/2009/wp158_en.pdf) s/2009/wp158_en.pdf

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance KEY RESEARCH AREAS New encryption and key management approaches Format-preserving encryption Tokenisation Homomorphic encryption Cloud management technologies to enforce desired policies at data centres around the world.

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Popular best practices for securing cloud computing Flagship research project V3 released 11/2011 cloudsecurityalliance.org/gui dance Operating in the Cloud Governing the Cloud Guidance > 100k downloads: Guidance > 100k downloads: cloudsecurityalliance.org/guidanc e cloudsecurityalliance.org/guidanc e

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Family of 4 research projects Cloud Controls Matrix Consensus Assessments Initiative Cloud Audit Cloud Trust Protocol Tools for governance, risk and compliance management Control Requirements Provider Assertions Private, Community & Public Clouds

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Controls derived from guidance Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP Rated as applicable to S-P- I Customer vs. provider role Help bridge the “cloud gap” for IT & IT auditors

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Research tools and processes to perform shared assessments of cloud providers Integrated with Controls Matrix Version 1 CAI Questionnaire released Oct. 2010, approximately 140 provider questions to identify presence of security controls or practices Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Open standard and API to automate provider audit assertions Change audit from data gathering to data analysis Necessary to provide audit & assurance at the scale demanded by cloud providers Uses Cloud Controls Matrix as controls namespace Use to instrument cloud for continuous controls monitoring

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Developed by CSC, transferred to CSA Open standard and API to verify control assertions “Question and Answer” asynchronous protocol, leverages SCAP (Secure Content Automation Protocol) Integrates with Cloud Audit Now we have all the components for continuous controls monitoring

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance CSA STAR (Security, Trust and Assurance Registry) Public Registry of Cloud Provider self assessments Based on Consensus Assessments Initiative Questionnaire Provider may substitute documented Cloud Controls Matrix compliance Voluntary industry action promoting transparency Free market competition to provide quality assessments Provider may elect to provide assessments from third parties Available since October 2011

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Comprehensive Cloud Security Reference Architecture Secure & interoperable Identity in the cloud Getting SaaS, PaaS to be “Relying Parties” for corporate directories Scalable federation Outline responsibilities for Identity Providers Assemble reference architectures with existing standards

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance TCI Reference Architecture

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Information Security Industry re-invented Define Security as a Service Articulate solution categories within Security as a Service Guidance for adoption of Security as a Service Align with other CSA research 14 th domain within CSA Guidance Version 3.

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Consensus research for emergency response in Cloud Enhance community’s ability to respond to incidents Standardised processes Supplemental best practices for SIRTs Hosted community of Cloud SIRTs Being spun out into a separate, related entity Fully functional SIRT launched at CSA Congress Nov

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance CSA is a Cloud Security Standards Incubator not an SDO CSA research projects last approx. 6 months Research artifacts made available to SDOs, in some cases, SDOs may assume ownership CSA a neutral community for all SDOs Gives industry a fast track to standards alignment Established CAT C Liaison with ISO/IEC SC 27, WGs 1, 4 & 5 Co-editor of ISO/IEC SC 27 WG1 Cloud Computing Security Study Period Co-editor ISO Formal Liaison with ITU-T

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Help Us Secure Cloud Computing LinkedIn:

Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance Copyright © 2011 Cloud Security Alliance