Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Much focus on securing data and systems in the cloud. What about providing security services FROM the cloud? That is Security as a Service (SecaaS)! Provisioning elastic, scalable security solutions and services to both cloud based and traditional on premises systems in pure cloud or hybrid models. Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org One of the many CSA branches of research Bringing together an international group of users, potential users, vendors and brokers of SecaaS solution. Research SecaaS – balanced and vendor neutral Define types / categories of service Produce architectural and implementation guidance Continue research – category and guidance updates, more detailed architectures etc.. Find us here; https://cloudsecurityalliance.org/research/secaas/ Copyright © 2012 Cloud Security Alliance Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Co-Chairs Kevin Fielder, Canada Life Cameron Smith, Pertino Subcommittee leadership IAM Leads – Ulrich Lang, Valmiki Mukherjee DLP Leads – Wendy Cohen, Atul Shah Web Security Leads – Aradhna Chetal, Kapil Raina Email Security Lead – Mark Hahn Security Assessments Leads – John Hearton, Wolfgang Kandek Intrusion Management Lead – Tim Owen SIEM Lead – Jens Laundrup Encryption Lead – Vadim Saratovtsev, Geoff Webb, BCDR Lead – Kevin Fielder Network Security Lead – Ken Owens Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Born early 2011 Agreed structure and leadership Agreed 1st deliverable Defined categories (very high level) Split into categories with leads for each Created white paper ‘Defined Categories of Service 2011’ Breath! Early 2012 agreed on guidance as next output and unified format October 2012 – Produced guidance documents for all categories Breath again! Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org SecaaS Implementation Guidance Ten category documents Requirements addressed Implementations considerations and concerns Implementation architecture and guidance References and useful links All guidance papers can be downloaded from the CSA website; https://cloudsecurityalliance.org/research/secaas/#_downloads Copyright © 2012 Cloud Security Alliance Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Implementation Guidance v2.0 Template Review Content Review Development of New Categories Broader Guidance Architectures Improve integration with wide CSA research Incident Management and Forensics Working Group Service Level Agreements Working Group Copyright © 2012 Cloud Security Alliance Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Defined Categories of Service (DCS) v2.0 - 2013 Review of 10 current categories of security as a service; Category 1: Identity and Access Management Category 2: Data Loss Prevention Category 3: Web Security Category 4: Email Security Category 5: Security Assessments Category 6: Intrusion Management Category 7: Security Information and Event Management (SIEM) Category 8: Encryption Category 9: Business Continuity and Disaster Recovery Category 10: Network Security The white paper can be downloaded from the CSA website; https://cloudsecurityalliance.org/research/secaas/#_downloads Copyright © 2012 Cloud Security Alliance Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Template Review Description Class, Core Functionalities, Optional Features Services Includes, Related Services, Related Technologies and Standards, Service Model, CSA Domains Threats Addressed/Benefits Challenges Reference Examples, References Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Continuous Monitoring as a Service Other additional categories to consider? Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Update existing documents v1.1 / v2 rolling releases Review categories, guidance template, content Links to other research Carriers, SLA, Forensics … Combined Guidance Broader overarching architecture examples Role-specific Guidance Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org New Monthly Call Format – Education + Communication Increase use of Base Camp for ongoing communication ‘CSA Cloud Bytes’ series propose ideas here: https://cloudsecurityalliance.org/research/cloudbytes/#_proposals Identify the Next Big Thing … Update categories, revise guidance Link to other areas of research Increase depth of guidance for role-specific points of view Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org “Educational webinar series for CSA working groups” https://cloudsecurityalliance.org/research/cloud-bytes/ Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org CSA Cloud Bytes: SecaaS Implementation Series Introduction to the SecaaS Category Implementation Guidance Working Group process How to improve, how to get involved Copyright © 2012 Cloud Security Alliance Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org Big thank you to all contributors! Category Leads Group members Technical writers CSA support Now is a great time to volunteer – Get involved! Help define the next steps and future of the group here: https://cloudsecurityalliance.org/research/secaas/#_get-involved Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org For more info about CSA Cloud Bytes: SecaaS Implementation Series https://cloudsecurityalliance.org/secaas/ cloudbytes2@cloudsecurityalliance.org (through 10/29/2012) Help Us Secure Cloud Computing www.cloudsecurityalliance.org info@cloudsecurityalliance.org LinkedIn: www.linkedin.com/groups?gid=1864210 Twitter: @cloudsa, @CSAResearchGuy Copyright © 2013 Cloud Security Alliance www.cloudsecurityalliance.org