csa summit argentina-reavis
www.cloudsecurityalliance.org Copyright © 2016 Cloud Security Alliance
Jim Reavis, CEO
June 2016
The Mandate for Global Cloud Security
About Jim Reavis
CEO and Founder of Cloud Security Alliance
25 years of experience in information security
Honored to be a presenter at the inaugural CSA Argentina Summit
We will never “solve” information security…
State of permanent warfare
Battlefields change
Weapons change
Create enough security to ensure a profitable outcome
Tech consumerization… Changing compute, changing the world
CSA Maxims
As IT moves into the Cloud, so must Security
As IT loses control of the endpoint, Cloud is the only Security option
As the Internet of Things scales upwards, Cloud computing will be its data repository, application engine, provisioning system, Security platform and organizing concept
Security has a new battlefield
CSA Top Threats to Cloud for 2016
1. Data Breaches
2. Compromised Credentials and IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. APTs
8. Data Loss
9. Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Issues
https://cloudsecurityalliance.org/group/top-threats/
Cloud in the Enterprise 2016
Awareness: Capturing data on current cloud usage within organization
Opportunistic: Identifying strong cloud adoption opportunities (Cloud First!)
Strategic: Building cloud adoption program – security program, architecture, frameworks & business alignment
CSA Global Enterprise Advisory Board
Announced at CSA Summit @ RSA
Chaired by Vinay Patel, Head of Security, Citi Infrastructure, Citigroup
Public facing, demonstrate enterprise support of CSA publicly
Issue public “Calls to action” for industry
Advise CSA on strategy
Issue annual “State of Cloud Security” report
https://cloudsecurityalliance.org/download/state-of-cloud-security-2016/
Citigroup, Johnson & Johnson, Caterpillar, Hertz, Lucasfilm, ADP, Coca Cola, United Healthcare and several others
Are Cloud Providers Secure?
Uneven: Terrific Tier 1 Cloud Provider Security coexists with Poor and Unknown Provider Security
Secure Provider + Mature Customer may not equal secure relationship
Poor Integration & Alignment, e.g. Bring Your Own Keys
Communication Gaps, e.g. sharing event info
Enterprises want a holistic risk-based view of IT with Cloud as a seamless extension
Greater transparency will help enterprises close the gaps
Cloud Providers Must Make Cooperation a Priority
Threat intelligence and incident sharing
Transparency on verifiable controls with strong integrity checks
Standards development on common security requirements
Support for multi-vendor enterprise
Cloud is Changing the Very Nature of Information Security
Servers are Dead, Long Live Services!
APIs, Automation, Agility, Disposable Infrastructure
SDN, IoT, Analytics, CASB
Better Ways to Handle Old Problems
Fight the Legacy Mindset
National, Regional & Industry-Specific Regulations Provide Important Challenges
Policies rapidly outdated by technology changes
Duplicative nature of many regulations
Conflicting regulations
Global nature of enterprises and cloud providers vs regional regulatory authorities
Knowledge gaps for regulators and auditors in addressing cloud computing
Engagement with Regulatory Decision Makers Key
Industry Skills Gap
One million unfilled information security jobs
Lagging skillsets among the employed
What have leading organizations learned?
Understanding different types of Clouds and your Role
Due diligence is critical, Data is key
Identity is very important
Forcing legacy tools & architectures on cloud security problems doesn’t work
Heavy-handed blocking of cloud services backfires on infosec
Key role of intermediaries (Cloud Access Security Broker)
Think Virtually!
How CSA delivers the secure cloud
About the Cloud Security Alliance
Global, not-for-profit organization
Building security best practices for next generation IT
Research and Educational Programs
Cloud Provider Certification – CSA STAR
User Certification – CCSK
The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
CSA Fast Facts
Founded in 2009
Membership stats as of June 2016
75,000 individual members, 80 chapters globally
330 corporate members
Operates in 3 Divisions
CSA Americas headquarters in Seattle
CSA APAC, headquarters in Singapore
CSA Europe (responsible for Europe/Middle East/Africa), headquarters in Edinburgh UK
Over 30 research projects in 25 working groups
Strategic partnerships with governments, research institutions, professional associations and industry
www.cloudsecurityalliance.org
CCSK – User Certification
Certificate of Cloud Security Knowledge (CCSK)
Benchmark of cloud security competency
Based on CSA guidance
Online web-based examination
www.cloudsecurityalliance.org/education/ccsk/
Partnered with (ISC)2 to develop complementary certification: CCSP
Close cloud security knowledge gaps
CSA STAR Provider Certification
CSA STAR (Security, Trust and Assurance Registry), 3 Level Provider Certification Program
Managed by CSA in partnership with world leading ISO certification bodies and audit firms
Adopted Worldwide by Providers, Enterprises and Governments
www.cloudsecurityalliance.org/star
CSA STAR: Assisting Due Diligence
Level 1 STAR Self-Assessment
Public Registry of Cloud Provider self assessments based on CSA standards
Level 2 STAR 3rd Party Audits
STAR Certification: Integrates ISO/IEC 27001:2013
STAR Attestation: Based upon Type 2 SOC
Coming in Q4 2016: STARWatch
Ask for provider’s STAR entry
If unavailable, ask provider to fill out CSA’s Cloud Controls Matrix or Consensus Assessments Initiative Questionnaire
www.cloudsecurityalliance.org/research/ccm
www.cloudsecurityalliance.org/research/cai
Research for 2016
Guidance V4
Global Enterprise Advisory Board
Software Defined Perimeter
Financial Services Platform
CCM/CAIQ/CTP/CloudAudit
Security as a Service
Internet of Things
Quantum-Safe Computing
CASB enablement: OpenAPI
Other
It is all free!
https://cloudsecurityalliance.org/research
Emerging Trends We Are Evaluating
Blockchain
Containers, micro services
Internet of Things
DevSecOps: DevOps applied to security
Analytics
Autonomous computing
Artificial Intelligence
Quantum-Safe Computing
A New Day for Computing and Trust
Argentina has a strategic role
Developing a secure world, virtually, in software
Contact
Help us solve tomorrow’s problems today
WWW: www.cloudsecurityalliance.org
Twitter: @cloudsa
THANK YOU