
© Cloud Security Alliance, 2015 Jim Reavis CEO, Cloud Security Alliance.


1 © Cloud Security Alliance, 2015 Jim Reavis CEO, Cloud Security Alliance

2 Agenda
- CSA History – CloudCERT
- White House Legislative Announcements
- How is CSA addressing the issue of information sharing?
- Cloud CISC Pilot Demo
- Next Steps
- Questions?

3 CSA History - CloudCERT
- CloudCERT was conceived of at the same time as the Cloud Security Alliance (CSA)
- Broad goal is to improve defenses of the cloud ecosystem against attackers
- Emphasis was placed on developing CSA due to broader scope and potential impact in industry
- CloudCERT initiative was formally announced in 2010
- Working Group has been meeting once a month since January 2011

4 White House Legislative Announcements
Enable Cybersecurity Information Sharing
- Promotes private sector and government information sharing as well as private to private via Information Sharing and Analysis Organizations (ISAOs)
- Encourages the development of ISAOs by providing targeted liability protection to those that share with these entities
- Requires DHS, DoJ, and Privacy and Civil Liberties Board to develop disclosure guidelines

5 White House Legislative Announcements
Modernize Law Enforcement Authorities to Combat Cyber Crime
- Enable stronger authority to shut down botnets and prosecute operators
- Criminalize the sale of US financial information like credit cards and bank account numbers overseas.
- Update the Racketeer Influenced and Corrupt Organizations Act so that it clearly applies to cyber crimes, and clarify penalties
- Clarify the Computer Fraud and Abuse Act so that “insignificant” conduct does not fall within the scope of the statute, while making it clear it can be used to prosecute insiders.

6 White House Legislative Announcements
National Data Breach Reporting
- Standardize the patchwork quilt of breach laws in place among 46 states into one Federal statute, and establish a single clear and timely notice requirement to ensure companies notify their employees and customers about security breaches

7 White House Legislative Announcements
White House Summit on Cyber Security and Consumer Protection
- Summit was held on February 13 at Stanford
- Convene government and private sector leaders
- Topics include: information sharing, creating and improving cybersecurity practices and technologies, and improving the adoption of more secure payment technologies

8 How is CSA addressing the issue of information sharing?

9 The Problem
- Attacks are becoming incredibly sophisticated.
- Knowing what happened is one thing. Knowing what to look for to see if it is happening to you – is key.
- ISACs have had limited success
- ISAC model is segmented by vertical (Financial Services, Energy, etc.). View across the sectors is critical to protecting companies today.
- ISACs do not allow for a Cloud Segment

10 The Problem
- ISAC Model requires sending sensitive data to a trusted third party. Company identity is known.
- Snowden incident has made sharing with trusted third parties undesirable today.
- Need is clear – a trusted method of sharing is required.
- Company identity is not known – so not subject to subpoenas, etc.
- Incident data submission is quick and simple.
- Rapid analysis of data including correlation with other reports and open source data
- Alerts sent in minutes, not days/weeks
- Ability to anonymously discuss attacks with others and share solutions.

11 The Solution – Cloud CISC
CSA Cloud Cyber Incident Sharing Center
Cloud adoption is progressing at an accelerating pace. We are concerned that the lack of a robust, automated incident sharing function will inhibit the timely resolution of security incidents, hamper our ability to minimize the damage caused by incidents, and could ultimately have a serious negative impact on the industry.
The CSA Cloud CISC will:
- Provide a truly anonymous, global cyber security incident sharing platform for enterprises;
- Educate the public and private community on Cloud Security
- Develop vendor neutral best practices and technical standards
- Develop policies aligning Cloud CISC to industry and governmental standards on an international basis.

12 How to get Involved
Work Group Co-chair
- Currently seeking leadership for this initiative
- 2-3 Co-chairs (1 appointed by CSA)
- Co-chair Requirements
  - Appointed Co-chair must be an employee of a CSA Member Company
  - Additional Co-chairs are decided by vote
  - Time commitment required
- Contact research@cloudsecurityalliance.org for additional details and questions

13 How to get Involved
Work Group Participant
Currently seeking Volunteers for the following areas:
- Sub Group to focus on Researching, Developing & Promoting Vendor Neutral Best Practices
- Sub Group to define technical standards for information sharing
- Sub Group focused on Information Sharing Policy development and outreach
- Sub Group that will liaise with the standard development communities (SDOs)
Contact research@cloudsecurityalliance.org if you are interested in getting involved

14 How to get Involved
We need support from our CSA Provider Community to participate in Cloud CISC Pilot
CALL TO ACTION: Submit Incident Report Data
Data Types:
- Title
- Date
- Region
- Type of Attack
- Known Remediation
Contact pilot@cloudsecurityalliance.org if you are interested in getting involved with the pilot

15 How to get Involved
CISC Pilot Participant
We need support from our CSA Provider Community to participate in Cloud CISC Pilot
CALL TO ACTION: Submit Incident Report Data
Examples:
- Title
- Date
- Region
- Type of Attack
- Known Remediation

16 How the Cloud CISC Pilot Works
Anonymous Authentication
When users transmit sanitized reports, we execute a public anonymous authentication protocol that:
- Confirms the user is a member of the community, without disclosing the identity of the user, and
- Delivers a mathematical proof that the user has connected with Cloud CISC and that Cloud CISC does not know the identity of the user.
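
The slide does not say which protocol Cloud CISC runs. As an added illustration (not CSA's code), RSA blind signatures are one standard construction with the stated property: the centre signs a token for a logged-in member without seeing it, and later verifies that token on an anonymous submission. The toy key, function names and sample report are assumptions made for the demo.

```python
import hashlib, math, secrets

# Toy RSA key for the sharing centre (assumption: constructed demo values;
# real deployments need >= 2048-bit keys and a vetted blind-signature library).
P, Q = 2**127 - 1, 2**89 - 1          # two Mersenne primes, far too small for real use
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, held only by the centre

def h(token: bytes) -> int:
    """Hash a token to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def member_blind(token: bytes):
    """Member side: hide H(token) behind a random factor r before it is signed."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def centre_sign_blinded(blinded: int) -> int:
    """Centre side, run after normal member login: signs without seeing the token."""
    return pow(blinded, D, N)

def member_unblind(blind_sig: int, r: int) -> int:
    """Member side: strip r to obtain an ordinary signature on H(token)."""
    return (blind_sig * pow(r, -1, N)) % N

class Centre:
    """Anonymous submission endpoint: checks a membership proof, never an identity."""
    def __init__(self):
        self.spent = set()

    def accept(self, token: bytes, sig: int, report: dict) -> bool:
        if token in self.spent or pow(sig, E, N) != h(token):
            return False
        self.spent.add(token)          # one token, one report: stops replay
        return True

def demo():
    token = secrets.token_bytes(32)
    blinded, r = member_blind(token)               # sent over the authenticated channel
    sig = member_unblind(centre_sign_blinded(blinded), r)
    report = {"title": "Constructed sample", "type_of_attack": "phishing"}
    centre = Centre()
    first = centre.accept(token, sig, report)      # anonymous channel, valid proof
    replay = centre.accept(token, sig, report)     # same token presented again
    forged = centre.accept(b"not-issued", sig, report)
    return first, replay, forged, blinded != h(token)
```

The value the centre signs (`blinded`) differs from the value it later verifies (`h(token)`), so it cannot match an anonymous report to the login session that obtained the token.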

17 The Cloud CISC methodology allows for easy sharing while preserving complete anonymity.
1. Scrub Incident Reports of Identifying Information: Protects customer PII and corporate IP – mitigating discovery concerns.
2. Share Unattributable Reports: Protects company identity
3. Correlate & Analyze: Immediately correlates report with open source and other submitted reports
4. Alerts & Review: Alerts members to new report for review along with correlated, actionable information
5. Rate & Collaborate: Reports are rated to increase relevance and members collaborate with Cloud CISC Coordinator.

18 CISC Pilot Demo

19 Cloud CISC Next Steps
- Kick-Off Call & Develop a 6 month Information Sharing Pilot: Starting in May/June 2015
- Develop and deliver educational programs on Cloud Security and the need for information sharing for both the public and private sector – ongoing based on results
- Identify areas of potential CSA research based on Pilot results: Q1 2016
- Identify best practices and need for technical standards: Nov 2015 - May 2016
- Identify need for policies and alignment across industries and governments: Nov 2015 – May 2016

20 ? ? ? ?

