Web Admin Blog Real Web Admins. Real World Experience.

25 Jun 2009

About the Cloud Security Alliance

The next presentation at the ISSA half-day seminar was on the "Cloud Security Alliance" and its Security Guidance for Critical Areas of Focus in Cloud Computing, given by Jeff Reich. Here are my notes from this presentation:

Agenda

  • About the Cloud Security Alliance
  • Getting Involved
  • Guidance 1.0
  • Call to Action

About the Cloud Security Alliance

  • Not-for-profit organization
  • Inclusive membership, supporting a broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc.
  • We believe in Cloud Computing, we want to make it better

Getting Involved

  • Individual membership (free)
    • Subject matter experts for research
    • Interested in learning about the topic
    • Administrative & organizational help
  • Corporate Sponsorship
    • Help fund outreach, events
  • Affiliated Organizations (free)
    • Joint projects in the community interest
  • Contact information on website

Download version 1.0 of the Security Guidance at http://www.cloudsecurityalliance.org/guidance

Overview of Guidance

  • 15 domains
  • Domain 1 is Architecture & Framework
  • Domains 2-7 cover Governing in the Cloud; domains 8-15 cover Operating in the Cloud

Assumptions & Objectives

  • Trying to bridge the gap between cloud adopters and security practitioners
  • Broad "security program" view of the problem

Architecture Framework

  • Not "One Cloud": a nuanced definition is critical to understanding risks & mitigation
  • 5 principal characteristics (abstraction, sharing, SOA, elasticity, consumption/allocation)
  • 3 delivery models
    • Infrastructure as a Service
    • Platform as a Service
    • Software as a Service
  • 4 deployment models: Public, Private, Managed, Hybrid

Governance & ERM

  • A portion of cloud cost savings must be invested into provider security
  • Third party transparency of cloud provider
  • Financial viability of cloud provider
  • Alignment of key performance indicators
  • PII is best kept in a private or hybrid cloud unless significant due diligence has been done on the public cloud provider
  • Increased frequency of 3rd party risk assessments

An important thing to consider is the financial viability of your provider. You never want to have your data held hostage in a court battle.

Legal

  • Contracts must have a flexible structure for dynamic cloud relationships
  • Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets
  • Identify conflicts between the laws the cloud provider must comply with and those governing the cloud customer

Compliance & Audit

  • Classify data and systems to understand compliance requirements
  • Understand where data is located and how many copies exist

Information Lifecycle Management

  • Understand the logical segregation of information and the protective controls implemented for storage, transfers, and backups

Summary

  • Cloud Computing is real and transformational
  • Cloud Computing can and will be secured
  • Broad governance approach needed
  • Tactical fixes needed
  • A combination of updating existing best practices and creating completely new best practices
  • Common sense is not optional

Call to Action

  • Join us, help make our work better
  • www.cloudsecurityalliance.org
  • info@cloudsecurityalliance.org
  • Twitter: @cloudsa, #csaguide

About Josh

Josh graduated in 2002 from the University of Texas at Austin with a BS in Computer Science. He was formerly a member of the Internet Systems team at AMD, a Systems Administrator with BearingPoint, and worked on a contract for the US Army before becoming a member of the Web Systems team at National Instruments in January of 2007. He recently attained his CISSP certification and specializes in the area of web application security.