{"id":261,"date":"2009-06-25T14:03:41","date_gmt":"2009-06-25T19:03:41","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=261"},"modified":"2009-06-25T14:03:41","modified_gmt":"2009-06-25T19:03:41","slug":"about-the-cloud-security-alliance","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/06\/25\/about-the-cloud-security-alliance\/","title":{"rendered":"About the Cloud Security Alliance"},"content":{"rendered":"<p>The next presentation at the ISSA half-day seminar was on the &#8220;Cloud Security Alliance&#8221; and Security Guidance for Critical Areas of Focus in Cloud Computing by Jeff Reich.\u00a0 Here are my notes from this presentation:<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Agenda<\/strong><\/span><\/p>\n<ul>\n<li>About the Cloud Security Alliance<\/li>\n<li>Getting Involved<\/li>\n<li>Guidance 1.0<\/li>\n<li>Call to Action<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>About the Cloud Security Alliance<\/strong><\/span><\/p>\n<ul>\n<li>Not-for-profit organization<\/li>\n<li>Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc<\/li>\n<li>We believe in Cloud Computing, we want to make it better<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Getting Involved<\/strong><\/span><\/p>\n<ul>\n<li>Individual membership (free)\n<ul>\n<li>Subject matter experts for research<\/li>\n<li>Interested in learning about the topic<\/li>\n<li>Administrative &amp; organizational help<\/li>\n<\/ul>\n<\/li>\n<li>Corporate Sponsorship\n<ul>\n<li>Help fund outreach, events<\/li>\n<\/ul>\n<\/li>\n<li>Affiliated Organizations (free)\n<ul>\n<li>Joint projects in the community interest<\/li>\n<\/ul>\n<\/li>\n<li>Contact information on website<\/li>\n<\/ul>\n<p>Download version 1.0 of the Security Guidance at http:\/\/www.cloudsecurityalliance.org\/guidance<\/p>\n<p><span 
style=\"text-decoration: underline;\"><strong>Overview of Guidance<\/strong><\/span><\/p>\n<ul>\n<li>15 domains<\/li>\n<li>#1 is Architecture &amp; Framework<\/li>\n<li>Covers Governing in the Cloud (2-7) and Operating in the Cloud (8-15) as well<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Assumptions &amp; Objectives<\/strong><\/span><\/p>\n<ul>\n<li>Trying to bridge gap between cloud adopters and security practitioners<\/li>\n<li>Broad &#8220;security program&#8221; view of the problem<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Architecture Framework<\/strong><\/span><\/p>\n<ul>\n<li>Not &#8220;One Cloud&#8221;: Nuanced definition critical to understanding risks &amp; mitigation<\/li>\n<li>5 principal characteristics (abstraction, sharing, SOA, elasticity, consumption\/allocation)<\/li>\n<li>3 delivery models\n<ul>\n<li>Infrastructure as a Service<\/li>\n<li>Platform as a Service<\/li>\n<li>Software as a Service<\/li>\n<\/ul>\n<\/li>\n<li>4 deployment models: Public, Private, Managed, Hybrid<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Governance &amp; ERM<\/strong><\/span><\/p>\n<ul>\n<li>A portion of cloud cost savings must be invested into provider security<\/li>\n<li>Third party transparency of cloud provider<\/li>\n<li>Financial viability of cloud provider<\/li>\n<li>Alignment of key performance indicators<\/li>\n<li>PII best suited in private\/hybrid cloud outside of significant due diligence of public cloud provider<\/li>\n<li>Increased frequency of 3rd party risk assessments<\/li>\n<\/ul>\n<p>An important thing to consider is the financial viability of your provider.\u00a0 You never want to have your data held hostage in a court battle.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Legal<\/strong><\/span><\/p>\n<ul>\n<li>Contracts must have flexible structure for dynamic cloud relationships<\/li>\n<li>Plan for both an expected and unexpected termination of the 
relationship and an orderly return of your assets<\/li>\n<li>Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Compliance &amp; Audit<\/strong><\/span><\/p>\n<ul>\n<li>Classify data and systems to understand compliance requirements<\/li>\n<li>Understand data locations, copies<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Information Lifecycle Management<\/strong><\/span><\/p>\n<ul>\n<li>Understand the logical segregation of information and protective controls implemented in storage, transfers, backups<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Summary<\/strong><\/span><\/p>\n<ul>\n<li>Cloud Computing is real and transformational<\/li>\n<li>Cloud Computing can and will be secured<\/li>\n<li>Broad governance approach needed<\/li>\n<li>Tactical fixes needed<\/li>\n<li>Combination of updating existing best practices and creating completely new best practices<\/li>\n<li>Common sense is not optional<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Call to Action<\/strong><\/span><\/p>\n<ul>\n<li>Join us, help make our work better<\/li>\n<li>www.cloudsecurityalliance.org<\/li>\n<li>info@cloudsecurityalliance.org<\/li>\n<li>Twitter: @cloudsa, #csaguide<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The next presentation at the ISSA half-day seminar was on the &#8220;Cloud Security Alliance&#8221; and Security Guidance for Critical Areas of Focus in Cloud Computing by Jeff Reich.\u00a0 Here are my notes from this presentation: Agenda About the Cloud Security Alliance Getting Involved Guidance 1.0 Call to Action About the Cloud Security Alliance Not-for-profit organization 
[&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[271,272],"tags":[277,273,39,147,274,278,276,275,279,622],"class_list":["post-261","post","type-post","status-publish","format-standard","hentry","category-cloud-computing-security","category-virtualization-security","tag-about","tag-alliance","tag-cloud","tag-framework","tag-guidance","tag-jeff","tag-membership","tag-objectives","tag-reich","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-4d","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=261"}],"version-history":[{"count":3,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/261\/revisions"}],"predecessor-version":[{"id":265,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/po
sts\/261\/revisions\/265"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}