CSA



DevSecOps

Businesses are now requiring a stronger collaboration between the development, security and operational functions. This addition of security creates DevSecOps. In the past, security needs were either skipped or only addressed after the deployment of applications, or worse, after security vulnerabilities were exploited. Such an approach increased risks to the deployment and contributed towards a more hostile relationship between security and the development and operations teams. DevSecOps focuses on creating a transparent and holistic management approach that leverages the synergies between the development, security and operational functions, making way towards a proactive and agile security stance. By addressing cultural changes within the workforce and adhering to a new combination of tactics, security can become a functioning part across all life cycles and developments.

High Performance Computing

‘Vanilla’ cloud environments were typically not made to handle harsh environments like that of High Performance Computing (HPC) Cloud Security. Technical concerns for HPC are further complicated by the complex and ever-evolving threat landscape. As we increasingly see cases of pure HPC bare metal infrastructure interacting with the cloud, such as I/O interfaces and processes, it brings along more ‘opportunities’ for malicious attacks. While this should be considered and integrated into security policies and guidelines, performance faces the peril of being compromised as precious resources are carved out for security protocols and processes. The crossing of cloud and HPC environments often leads us to questions of how security in an HPC cloud environment can be implemented, enforced and ensured without the need to compromise performance. This Working Group strives to provide recommendations that can answer these questions.

Privacy Level Agreement Working Group

This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially when trans-border data flow is concerned.

Open Certification Framework Working Group

The CSA Open Certification WG is an industry initiative to allow global, accredited, trusted certification of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification according to the CSA’s industry leading security guidance and control objectives. The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.

Software Defined Perimeter Working Group

The Software Defined Perimeter working group launched with the goal to develop a solution to stop network attacks against application infrastructure. With the adoption of cloud services, the threat of network attacks against application infrastructure increases, since servers cannot be protected with traditional perimeter defense techniques.

Industrial Control Systems

As Industrial Control Systems (ICS) advance to the Internet of Things, ICS is connecting to the cloud, and the risk of cyber-attacks is increasing more than ever before. Noteworthy advanced cyber-attacks have occurred in recent years. On the other hand, asset owners understand the cyber risks of connecting ICS to external networks, including the cloud, but there are challenges in mitigating those risks due to differences in system specifications between information systems and ICS. The ICS Security Working Group (WG) aims to develop security guidance to encourage asset owners and device manufacturers worldwide towards adopting best practices to secure ICS.

Health Information Management

The Health Information Management Working Group aims to provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries.

Enterprise Resource Planning

The Enterprise Resource Planning (ERP) WG seeks to develop best practices to enable organizations that run their business on large ERP implementations, such as SAP or Oracle applications, to securely migrate to and operate in cloud environments. Every ERP deployment is something that is unique to each organization. In most cases organizations spend months if not years customizing their SAP or Oracle implementations and also spend a significant amount of money with third party contractors to get the implementations done. This makes standard security measures more difficult to implement due to the differences of each deployment. With the complexity of these large implementations, combined with the criticality of data and processes housed in these applications, it is imperative that industry best practices be established to provide companies with security guidelines when migrating to the cloud in order to protect the organization’s critical infrastructure.

Cloud Key Management

The Cloud Key Management Working Group aims to facilitate the standards for seamless integration between CSPs and key broker services. Standardization will take place across key management lifecycle operations and a common set of APIs, enabling consistent implementation of enterprise key policies. Customer-centric in principle, the goal is that, for data stored in or traversing the cloud and requiring encryption, the corresponding encryption keys will be protected and their lifecycle managed by the customer. The purpose of the Cloud Key Management Working Group is to align cloud key management interoperability standards across service providers, maintain and develop API and key interoperability specifications, develop business model templates and specifications for standardized key interoperability, promote the adoption of key management standards and key brokering interoperability, and provide well documented guidelines and a standard approach to vendors to ensure seamless interoperability and compliance with those guidelines/standards.

Cloud Component Specifications

From a user perspective, Cloud is a service. However, for Cloud Service Providers, integrators and channel partners who construct or build the Cloud, the Cloud architecture is comprised of many Cloud computing components. Examples of these components are hypervisors, Cloud operating system components such as “Swift” and “Glance” for OpenStack, virtual desktop infrastructure platforms, cloud dedicated firewalls and so on. How can we evaluate the security of these Cloud components? Currently, most of the security standards related to Cloud Computing focus on the information security management system. However, these standards are insufficient to evaluate cloud component security because they focus on management security rather than the technical security requirements of the components. In order to address this gap, the Cloud Component Specifications working group proposes to develop internationally recognized technical security specifications for cloud components.

CloudCISC

Given the longstanding and fervent belief in the value of incident sharing, new advancements in enabling technology, and the promising shifts in the legal landscape, the Cloud Security Alliance believes now is the time to act. For this reason we introduce the Cloud Cyber Incident Sharing Center or Cloud-CISC.