Cloud Security: Critical Threats and Global Initiatives
Jim Reavis, Executive Director
July, 2010

Copyright © 2010 Cloud Security Alliance

What is Cloud Computing?
- Compute as a utility: third major era of computing
  - Mainframe
  - PC Client/Server
  - Cloud computing: On demand model for allocation and consumption of computing
- Cloud enabled by
  - Moore’s Law: Costs of compute & storage approaching zero
  - Hyperconnectivity: Robust bandwidth from dotcom investments
  - Service Oriented Architecture (SOA)
  - Scale: Major providers create massive IT capabilities

Top Threats to Cloud Computing
- Shared Technology Vulnerabilities
- Data Loss / Data Leakage
- Malicious Insiders
- Interception or Hijacking of Traffic
- Insecure APIs
- Nefarious Use of Service
- Unknown Risk Profile

How will Cloud Computing play out?
- Much investment in private clouds for 3-5 years
- Rise of mobile clouds
- Eventual 80/20 rule favoring public clouds
- Cloud assurance ecosystem being built
- Virtual private clouds compromise between public and private
- Long legacy of hybrid clouds
- Disruption to markets, IT, security best practices
- Challenges public policy and critical infrastructure

About the Cloud Security Alliance
- Global, not-for-profit organization
- 10,000+ individual members
- Fast growing – chapters, translations, alliances
- Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc.
- We believe Cloud Computing has a robust future, we want to make it better
- “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

CSA Research Projects
- Go to for Research dashboard and Working Group signup

Released Research
- CSA Guidance for Critical areas of Focus
  - Popular best practices V2.1
- CSA Cloud Controls Matrix
  - Security controls framework mapped to existing regulations and standards
- Top Threats
  - Released 2x annually
- Identity & Access Management “Dom12” paper
  - Supporting Trusted Cloud Initiative

Research & Initiatives in Progress
- Certificate of Cloud Security Knowledge (CCSK)
  - Individual competency testing and certificate
- Trusted Cloud Initiative
  - Interoperable IAM, reference models, cert criteria
- CSA Cloud Controls Matrix V2
  - Controls refinement, automation, increased mappings
- Consensus Assessments Initiative
  - Common question sets to measure providers’ security capabilities

Research Initiatives being Scoped
- CloudCERT
  - Best practices research for emergency response in Cloud
  - Standardized processes
  - Hosted Community
- Cloud Security Metrics
  - Library of recommended measurements & surveys
- Cloud Security Use Cases
  - Document real world lessons learned

Third Party Initiative Participation
- CloudAudit
- Common Assurance Maturity Model (CAMM)
- ENISA eGovernment
- Cloud-Standards.org
- NIST

Schedule
- CSA Summit at BlackHat, July 28-29, Las Vegas
- CSA Congress, Nov 16-17, Orlando
- CSA Summit at RSA 2011 (tentative), SF
- Participating in most major events
- Several chapter launch events
- Other Summits as research requires

Thank you!