Building the Trustworthy Cloud Ecosystem
www.cloudsecurityalliance.org

Global, not-for-profit organization
Building security best practices for next generation IT
Research and Educational Programs
Cloud Provider Certification
User Certification
The globally authoritative source for Trust in the Cloud

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org

Founded in 2009
Membership stats as of Nov 2013
• 51,000 individual members, 70 chapters globally
• 190 corporate members
• Major cloud providers, tech companies, infosec leaders, governments, financial institutions, retail, healthcare and more
• Offices in Seattle USA, Singapore, Heraklion Greece
• Over 30 research projects in 25 working groups
• Strategic partnerships with governments, research institutions, professional associations and industry

• Lack of transparency from providers & gov’t
• Lack of visibility complicates compliance efforts
• Incompatible laws across jurisdictions
• Incomplete standards
• Still lacking true multi-tenant technologies & architecture
• Risk concentration concerns
• Maintaining logical control while losing physical control

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
https://cloudsecurityalliance.org/research/top-threats/

• Industry standard catalog of cloud security issues and best practices
• Widespread adoption
• Translated into 6 languages
• 14 domains
• Use to help shape your cloud policies and security strategy
https://cloudsecurityalliance.org/research/security-guidance/

Security as a Service
Research for gaining greater understanding for how to deliver security solutions via cloud models.
Implementation Guidance for each SecaaS Category
• SIEM
• Identity & Access Mgt
• Data Loss Prevention
• Web Security
• Email Security
• Security Assessments
• Intrusion Mgt
• Encryption
• Business Continuity & Disaster Recovery
• Network Security
https://cloudsecurityalliance.org/research/secaas/

Big Data
• Identifying scalable techniques for data-centric security and privacy problems
• Lead to crystallization of best practices for security and privacy in big data
• Help industry and government on adoption of best practices
• Establish liaisons with other organizations in order to coordinate the development of big data security and privacy standards
• Accelerate the adoption of novel research aimed to address security and privacy issues
• Close coordination with NIST
Open Review: Big Data Analytics for Security Intelligence
Expanded Top Ten Big Data Security and Privacy Challenges
• Secure Computations in Distributed Programming Frameworks
• Security Best Practices for Non-Relational Data Stores
• Secure Data Storage and Transactions Logs
• End-Point Input Validation/Filtering
• Real-Time Security Monitoring
• Scalable and Composable Privacy-Preserving Data Mining and Analytics
• Cryptographically Enforced Data-Centric Security
• Granular Access Control
• Granular Audits
• Data Provenance
https://cloudsecurityalliance.org/research/big-data/

Mobile
• Securing application stores and other public entities deploying software to mobile devices
• Analysis of mobile security capabilities and features of key mobile operating systems
• Cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives
• Guidelines for the mobile device security framework and mobile cloud architectures
• Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
• Best practices for secure mobile application development
https://cloudsecurityalliance.org/research/mobile/
2013 - "4th Cloud Security Alliance Summit Forum - CSA - Jim Reavis - Cloud Security Alliance"
This document was uploaded and shared by 张玉竹 on 2022-04-07 17:34:57.