I attended the second annual Cloud Security Alliance Congress event a couple of weeks ago in Orlando, Florida and wanted to pass on some of what I learned.
The Cloud Security Alliance (CSA), of which we are a member, was founded in 2008. It has emerged as a leading industry authority focused on promoting the use of best practices for providing security assurance within cloud computing, and providing education on the uses of cloud computing. In the course of three years, CSA has released 12 research reports, created a cloud provider registry, and established the only user certification related to the security knowledge of cloud computing. All its research products are the result of global collaboration and are provided at no cost, and royalty-free, to any organization that wants them (https://cloudsecurityalliance.org/about/).
The CSA Congress was a full two-day, multi-track conference preceded by in-depth training sessions. I attended hoping to get some insights into what cloud adopters, cloud providers and others are thinking about the benefits, challenges, and security aspects related to cloud computing. I wasn’t disappointed as there was no shortage of people sharing what they have learned about the cloud, and debating the finer points of security and privacy related topics.
One of the notable pre-conference offerings was a session on the components and use of the Governance, Risk and Compliance (GRC) Stack. This was a full-day training that discussed the CSA guidance for GRC – the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ), automated audit tools, the Security, Trust and Assurance Registry (STAR), and briefings from various enterprises who have used these tools to assess GRC. The CCM and CAIQ form the basis of this work and provide excellent guidelines for assessing a cloud provider’s adherence to a baseline control framework (the CCM), which is specifically designed for managing risk in the cloud supply chain. Cloud providers can do a self-assessment of their cloud offerings and post their assessment to CSA STAR – an online registry hosted by the CSA and scheduled to go live in the next few months. Potential cloud customers are then able to access the registry, free of charge, to see how various cloud providers reported their self-assessments and how their cloud products measure up against the CSA guidelines.
We participated in the creation of these frameworks along with many other providers and customers. We have also completed a self-assessment of our cloud services and will post the results to the CSA STAR when it goes live. Many of the customers I talk to about cloud security have been concerned about the lack of industry standards for the cloud; CSA STAR provides the closest cloud-based assessment to a standard that is currently available. That said, the CCM and CAIQ have gained importance in the last few months as they have been submitted to various international standards organizations, such as ISO, ITU-T and others, and are being considered for inclusion in emerging cloud standards as part of their working group processes. These standards processes generally take quite a while to complete, but it is looking likely they will contain many elements of the CSA CCM and CAIQ work in their final state.
Alongside telecommunications, other cloud providers and CERTs/CSIRTs and ISACs, we have been very active in another area of CSA work – the Cloud Security Incident Response Team (CloudSIRT) which was announced at the CSA Congress last year. Since then a working group has met at least once a month to hammer out a charter, membership criteria, information sharing details, and other logistics. CloudSIRT will soon start accepting membership applications. Once running, it will allow member organizations to share what is called operational threat data – real-time information about attacks in progress that might impact other members (or even be coming from other members without their knowledge), and require a significant, coordinated effort to identify the attackers, shut them down, and prevent reoccurrences. CloudSIRT will complement other information sharing initiatives that exist, and which Microsoft already participates in, such as the Virus Information Alliance.
The CSA is doing commendable work in bringing together a broad coalition of industry practitioners, corporations, associations and other key stakeholders to create its body of research. Given the quality and influence of the work that the CSA has produced thus far, I’m looking forward to Microsoft’s continuing collaboration with the CSA, and to learning from it.
If you are not already familiar with the CSA and what it is seeking to achieve, I strongly recommend you take a look.