
CSA survey finds trust in the cloud increasing

Suspicion of the cloud has lifted so much that trust in cloud services is on par with on-premises applications, according to a survey by the Cloud Security Alliance.

Around 200 IT executives were quizzed about the state of cloud adoption, the evolving role of IT, and how enterprises approach cloud security. The results suggest that while trust in the cloud may be on the rise, companies are trying to replicate the same security controls they used for their on-premises systems.

Cloud professionals are now caught between dual responsibilities, says the study: they are obliged to enable the business while at the same time they must tighten security. Only 35% of IT leaders believe that cloud-based systems of record are less secure than their on-premises counterparts. The other 65% say that the cloud is either more secure than on-premises software or equally secure. However, even when enterprise-ready cloud services are more secure than their own data centres, the users present more danger, which is why the ability to enforce corporate security policies is the number one barrier to moving applications to the cloud, said 68% of IT leaders. Other barriers were the need to comply with regulatory requirements (61%) and a lack of budget to replace legacy systems (32%).

The top barrier to securing data is a lack of skilled security professionals, as businesses are hiring them faster than the market can train and develop experienced ones. In August, it was reported that JP Morgan expected to spend $500 million on cyber security in 2015, double its 2014 budget of $250 million. Rapid hiring is leading to a shortage of people to fill open positions. A 2015 report from labour analytics firm Burning Glass shows that cyber security job postings grew 91% from 2010 to 2014, more than three times the rate of growth in all IT jobs.

The most important new job is a chief IT security officer (CISO), the report found. Just 19% of companies without a CISO have a complete incident response plan, while 54% of companies with a CISO have one. Those with a CISO are also more likely to have cyber insurance to protect against the cost of a data breach.

CSA lends prototype compliance tool to six-year cloud security project

The CSA is part of the STRATUS project, a six-year cybersecurity project

The Cloud Security Alliance (CSA) said this week that it is lending a prototype data auditing and compliance regulation tool to the STRATUS initiative, a six-year multi-million dollar cybersecurity project funded by New Zealand’s Ministry of Business, Innovation, and Employment.

STRATUS, which stands for Security Technologies Returning Accountability, Transparency and User-centric Services in the Cloud, is a project led by the University of Waikato that intends to develop a series of security tools, techniques and capabilities to help give cloud users more control over how they secure the cloud services they use.

As part of the project the CSA showed how cloud data governance could be automated by applying auditing guidelines (CSA Cloud Control Matrix, ISO standards, etc.) and compliance regulations using a recently developed online tool.

The organisation, which is leading the data governance and accountability subproject within STRATUS, said it would also help support STRATUS’ commercialisation efforts.

“STRATUS’ approach to research commercialisation is different from typical scientific research grants,” said Dr. Ryan Ko, principal investigator of STRATUS, and CSA APAC research advisor.

“STRATUS understands that for cloud security innovation to reach a global audience, it will require a platform which will allow these cutting-edge cloud services to quickly align to global best practices and requirements – a core CSA strength given its strong research outputs such as the Cloud Controls Matrix and the Cloud Data Governance Working Group,” Ko said.

Aloysius Cheang, managing director for CSA APAC, said: “We have developed a prototype tool based on our work so far, that has received positive reviews. In addition, we are working to connect STRATUS and New Zealand to the CSA eco-system through our local chapter. More importantly, we are beginning to see some preliminary results of the efforts to connect the dots to commercialisation efforts as well as standardization efforts.”

The organisation reckons it should be able to show off the “fruit of these efforts” in November this year.

CSA, CipherCloud look to standardise APIs for cloud access security brokerage

The CSA and CipherCloud are leading an initiative to standardise API implementation for cloud access security brokerage

The Cloud Security Alliance (CSA) and cloud security vendor CipherCloud are forming a working group to jointly develop best practice around API deployment for cloud access security brokerage services.

The Cloud Security Open API Working Group, which at its founding will include contributions from Deloitte, Infosys, Intel Security, and SAP among others, will jointly define protocols, guidelines and best practices for implementing data security services – encryption, tokenisation and other technologies – across cloud environments.

The CSA said the working group plans to develop API specifications and reference architectures to guide cloud-based data protection.

“Standards are an important frontier for the cloud security ecosystem,” said Jim Reavis, chief executive of CSA.

“The right set of working definitions can boost adoption. This working group will help foster a secure cloud-computing environment – a win for vendors, partners and users. Standardising APIs will help the ecosystem coalesce around a universal language and process for integrating security tools into the cloud applications,” Reavis said.

Pravin Kothari, founder and chief executive of CipherCloud, said: “Cloud is the killer app for security innovation. But currently, inefficiencies at the technical level in the form of custom connector protocols can hold back innovations in cloud security. Defining a uniform set of standards can enable us all to operate from the same playbook. As a pioneer in [cloud access security brokerage], we are excited to co-lead this initiative with CSA to accelerate security across clouds.”

The initiative may enhance the ability to integrate various cloud services securely, according to Jeff Margolies, principal at Deloitte, and open up what is generally considered to be a fairly closed, proprietary-dominated space.

“Currently the cloud security ecosystem lacks basic integration standards for connecting third-party security solutions to cloud applications, platforms and infrastructure,” he said, adding that the working group may help consolidate standards among vendors and cloud customers.

CSA tool helps cloud users evaluate data protection posture of providers

The CSA says the tool can help customers and providers improve their cloud data protection practices

The Cloud Security Alliance this week unveiled the next generation of a tool designed to enable cloud customers to evaluate the level of data protection precautions implemented by cloud service providers.

The Privacy Level Agreement (PLA) v2 tool aims to give customers a better sense of the extent to which their providers have practices, procedures and technologies in place to ensure data protection vis-à-vis European data privacy regulations.

It also provides guidance for cloud service providers on achieving compliance with privacy legislation in the EU, and on how these providers can disclose the level of personal data protection they offer to customers.

“The continued reliance and adoption of the PLA by cloud service providers worldwide has been an important building block for developing a modern and ethical privacy-rich framework to address the security challenges facing enterprises worldwide,” said Daniele Catteddu, EMEA managing director of CSA.

“This next version that addresses personal data protection compliance will be of significant importance in building the confidence of cloud consumers,” Catteddu said.

The tool, originally created in 2013, was developed by the PLA working group, which was organised to help transpose the Art. 29 Working Party and EU National Data Protection Regulator’s recommendations on cloud computing into an outline CSPs can use to disclose personal data handling practices.

“PLA v2 is a valuable tool to guide CSPs of any size to address EU personal data protection compliance,” said Paolo Balboni, co-chair of the PLA Working Group and founding partner of ICT Legal Consulting. “In a market where customers still struggle to assess CSP data protection compliance, PLA v2 aims to fill this gap and facilitate customer understanding.”