Research Artifacts

Cloud Adoption and Security in India

The “State on Cloud Adoption and Security in 2016: India” survey was circulated to understand and evaluate cloud computing trends in India: the cloud adoption plans and usage of different Indian industries, and how cloud adoption affects organizations' business strategies and plans. The report is part of the CSA APAC cloud adoption initiative, which aims to provide insight into cloud adoption across APAC countries, to recognize the countries leading the adoption trend, and to identify those with the greatest remaining opportunity for cloud adoption.

Release Date: 11/22/2016
Cloud Adoption Practices & Priorities in the Chinese Financial Sector

We circulated the “Financial Services Industry Cloud Adoption Survey: China” survey to IT and security professionals at Financial Services Institutions (FSIs) in China. The goal was not only to raise awareness of cloud service adoption, but also to provide insight into how finance, government, insurance, and security decision makers act within their organizations in China: consolidating and standardizing on the most secure cloud services, knowing which policies would have the most impact, and understanding where to focus user education.

Release Date: 10/28/2016
Defeating Insider Threats

As a follow-up to the Top Threats in Cloud Computing report, from May to July 2016 we surveyed approximately 100 professionals on the extent of the following:

  • Employees leaking critical information and tradecraft on illicit sites
  • Data types and formats being exfiltrated along with exfiltration mechanisms
  • Why so many data threats go undetected
  • What happens to the data after it has been exfiltrated
  • Tools to disrupt and prevent the data exfiltration cycle
  • Possibilities to expunge traces of data once exfiltrated

Release Date: 10/19/2016
Mitigating Risk

With several years of cloud adoption behind organizations, approaches to security have been evolving rapidly. To dig deeper into these concerns and the controls used to mitigate both sanctioned and unsanctioned (shadow IT) cloud security risks, the Cloud Security Alliance and Bitglass surveyed 176 IT security leaders. Respondents revealed that visibility and control remain major issues for many organizations: more than half do not have adequate visibility and have experienced a security incident due to a lack of appropriate controls. Based on the responses, approximately 93 percent of respondents are still concerned about shadow IT, compared with this time last year. On the question of whether cloud vendors should be forced to cooperate with government requests for data, just over half were opposed to cooperation.

Release Date: 08/17/2016
Mobile Application Security Testing

The Mobile Application Security Testing (MAST) Initiative is a research effort that aims to help organizations and individuals reduce the risk exposure and security threats that come with using mobile applications. MAST aims to define a framework for secure mobile application development that achieves privacy and security by design. Implementing MAST will result in clearly articulated recommendations and best practices for the use of mobile applications.

The mobile application security testing and vetting processes used by MAST involve both static and dynamic analysis to evaluate security vulnerabilities in mobile applications for platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially dangerous functionality, application collusion, obfuscation, excessive power consumption and traditional software vulnerabilities. They also cover internal exposure, such as the debug flag and exported activities, and external communications, such as GPS and NFC access, as well as checking the links hard-coded in the source code. In addition to security testing and vetting, the initiative has also proposed processes and procedures for security incident response.
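To make the static side of that list concrete, the following is an added example (not code from the MAST initiative or the CSA) of the manifest and source checks a vetting pipeline runs before any dynamic analysis: the debug flag, cleartext traffic, sensitive permissions, components exported without a guarding permission, and URLs written into the source. The manifest, the Java snippet and the list of sensitive permissions are constructed for the example; the launcher activity is deliberately excluded from the exported-component finding because it must be exported.

```python
"""Static MAST-style checks on an Android manifest and source (added example).

Assumed inputs (constructed, not from any real app): SAMPLE_MANIFEST and
SAMPLE_SOURCE below. SENSITIVE_PERMISSIONS is an illustrative subset.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(el, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return el.get(f"{{{ANDROID_NS}}}{name}")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.NFC"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugConsole" android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:exported="true"
              android:permission="android.permission.BROADCAST_SMS"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

SAMPLE_SOURCE = """
public class Api {
    static final String BASE = "http://api.example.test/v1/";
    static final String UPDATE = "https://cdn.example.test/update.json";
    void log() { android.util.Log.d("Api", "token=" + token); }
}
"""

SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.NFC",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

def check_manifest(xml_text):
    """Return a list of human-readable findings for the manifest."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is not None and attr(app, "debuggable") == "true":
        findings.append("application: android:debuggable=true")
    if app is not None and attr(app, "usesCleartextTraffic") == "true":
        findings.append("application: usesCleartextTraffic=true")
    for perm in root.findall("uses-permission"):
        name = attr(perm, "name")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(f"permission: {name}")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in (app.findall(tag) if app is not None else []):
            exported = attr(comp, "exported")
            # Pre-API-31 default: a component with an intent-filter is
            # exported unless android:exported="false" is stated explicitly.
            if exported is None:
                exported = "true" if comp.find("intent-filter") is not None else "false"
            is_launcher = any(
                attr(cat, "name") == "android.intent.category.LAUNCHER"
                for f in comp.findall("intent-filter")
                for cat in f.findall("category"))
            if exported == "true" and attr(comp, "permission") is None and not is_launcher:
                findings.append(f"{tag} {attr(comp, 'name')}: exported without android:permission")
    return findings

# Quoted string literals that are http(s) URLs.
URL_RE = re.compile(r'"(https?://[^"\s]+)"')

def check_source(src):
    """Flag hard-coded URLs; cleartext http:// ones get their own label."""
    findings = []
    for url in URL_RE.findall(src):
        level = "cleartext" if url.startswith("http://") else "hardcoded"
        findings.append(f"{level} url: {url}")
    return findings

if __name__ == "__main__":
    for line in check_manifest(SAMPLE_MANIFEST) + check_source(SAMPLE_SOURCE):
        print(line)
```

Running it on the constructed inputs reports the debug flag, cleartext traffic, the two sensitive permissions, the exported `.DebugConsole` activity, and both URLs (the `http://` one as cleartext); the launcher activity, the permission-guarded receiver and the non-exported service produce no finding. A real vetting run would apply the same checks to the decoded manifest of the APK rather than to a string.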

The use of mobile applications has become unavoidable, almost a necessity, in today's world. More people are starting to question the security of mobile applications and it's about time that you take a look at what the Cloud Security Alliance has to say about mobile application security!

Release Date: 06/30/2016
Quantum Random Number Generators

A random number is generated by a process whose outcome is unpredictable and which cannot be reliably reproduced. Randomness is quantified by entropy, a measure of the uncertainty or disorder within a set of data: the higher the unpredictability, the more random the data and the more valuable it is, particularly for cryptographic operations. This report from CSA's Quantum-Safe Security Working Group, Quantum Random Number Generators, goes over the impact of randomness on security. For security and other applications that need high-quality randomness, physical processes are used to generate random bits, and generators based on quantum physical processes deliver the highest quality random data: unlike classical physics, quantum physics is fundamentally random.
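The two properties named above, unpredictability and non-reproducibility, are not the same thing as a high entropy estimate, which is the check a practitioner usually reaches for first. The following added example (not from the CSA report) estimates Shannon entropy and min-entropy per byte for three constructed sources: a visibly weak 16-value source, a seeded software PRNG, and the operating system's random source. The weak source scores 4 bits per byte and is caught; the seeded PRNG scores as well as the OS source on both estimates yet is fully reproducible from its seed, which is exactly why an entropy estimate cannot certify a generator and why the report argues for a physical (quantum) source.

```python
"""Entropy estimates of byte streams, and what they do and do not show
(added example; the sources and sample sizes are constructed)."""
import math
import random
import secrets
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Estimated Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def min_entropy(data: bytes) -> float:
    """Min-entropy in bits per byte: -log2 of the most frequent symbol's
    probability. This bounds an attacker's single best guess, so it is the
    conservative figure to use for key material."""
    most_common = max(Counter(data).values())
    return -math.log2(most_common / len(data))

def weak_source(n: int) -> bytes:
    """Constructed low-entropy source: only 16 distinct byte values ever occur."""
    return bytes(i % 16 for i in range(n))

def seeded_prng(seed: int, n: int) -> bytes:
    """Deterministic software generator: same seed, same bytes, every time."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def os_source(n: int) -> bytes:
    """The OS CSPRNG, which is seeded from hardware/physical noise."""
    return secrets.token_bytes(n)

def is_reproducible(seed: int, n: int = 64) -> bool:
    """True if re-seeding replays the identical stream: the failure mode that
    entropy estimates cannot see."""
    return seeded_prng(seed, n) == seeded_prng(seed, n)

if __name__ == "__main__":
    N = 200_000
    for name, data in (("weak", weak_source(N)),
                       ("seeded PRNG", seeded_prng(42, N)),
                       ("os", os_source(N))):
        print(f"{name:12s} shannon={shannon_entropy(data):.3f} "
              f"min={min_entropy(data):.3f} bits/byte")
    print("seeded PRNG reproducible:", is_reproducible(42))
```

The seeded generator passes the numerical check at roughly 8 bits per byte while being completely predictable to anyone who knows the seed, so the selection question is about the physical origin of the bits and the design of the generator, not about the score a statistical estimate gives.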

Given the quality of the entropy delivered by such solutions and their commercial viability, the challenge of selecting a random number generator that will not expose your data to breaches has become much simpler. In fact, the question “What source of randomness should I use?” has a simple, safe and commercially viable answer: use quantum.

Release Date: 06/09/2016
Cloud Controls Matrix v3.0.1 (10-6-16 Update)

Cloud Security Alliance Releases Candidate Mapping of ISO 27002/27017/27018 Security Controls

At the Cloud Security Alliance Summit San Francisco 2016, the CSA announced the release of the Candidate Mappings of ISO 27002/27017/27018 to version 3.0.1 of the CSA Cloud Controls Matrix (CCM).

The ISO/IEC 27000 series covers information security management systems. ISO/IEC 27001 specifies the requirements for such a system, and ISO/IEC 27002 is the code of practice that details the security controls 27001 refers to. ISO/IEC 27017 extends that code of practice with controls specific to the provision and use of cloud services. Finally, ISO/IEC 27018 is the first international standard giving a code of practice for the protection of PII (Personally Identifiable Information) in public clouds acting as PII processors.

Additional updates to control language, Cloud Service Delivery Model Applicability, and Supplier Relationship have been logged.

The October 6 update aligns the CCM with the Consensus Assessments Initiative Questionnaire (CAIQ) for consistency.

Release Date: 06/06/2016
Identity Security

The goal of the Identity Solutions: Security Beyond the Perimeter survey was to address the “Insufficient Identity, Credential, and Access Management” threat and to gain a better understanding of how enterprise security is perceived and practiced in the evolving Information Technology (IT) world.

Release Date: 04/19/2016
CSA STAR Program & Open Certification Framework in 2016 and Beyond

The Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR) program is the industry’s leading trust mark for cloud security. The CSA Open Certification Framework (OCF) is a program for flexible, incremental and multi-layered certification of cloud service providers (CSPs) against the CSA’s security guidance. Together, the OCF/STAR program forms a global cloud computing assurance framework whose scope of capabilities, flexibility of execution and completeness of vision go well beyond the risk and compliance objectives of other security audit and certification programs.

Release Date: 04/12/2016
Mobile Application Security Testing Initiative Revised Charter

Mobile applications are becoming an integral part not just of modern enterprises but of daily life, and a large part of this shift is due to the emergence of cloud computing. The Mobile Application Security Testing initiative aims to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application testing and vetting that introduce quality control and compliance into mobile application development and management.

Release Date: 03/14/2016
Defining Categories of Security as a Service: Continuous Monitoring

To improve the understanding of Security as a Service and accelerate market acceptance, clear categorization and definition of these services is necessary. This document provides a high-level overview of the business and technical elements needed to evaluate the risks associated with the Continuous Monitoring category.

Release Date: 02/29/2016
‘The Treacherous Twelve’ Cloud Computing Top Threats in 2016

“The Treacherous 12 - Cloud Computing Top Threats in 2016” plays a crucial role in the CSA research ecosystem. Its purpose is to give organizations an up-to-date, expert-informed understanding of cloud security concerns so that they can make educated risk-management decisions about their cloud adoption strategies. The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud.

Release Date: 02/29/2016
Security Position Paper - Network Function Virtualization

This white paper discusses some of the potential security issues and concerns of, and offers guidance for securing, a Network Function Virtualization (NFV) based architecture in which security services themselves are provisioned as Virtual Network Functions (VNFs).

Release Date: 02/29/2016
State of Cloud Security 2016

Cloud computing is an incredible innovation. While at its heart a simple concept, the packaging of compute resources as an on-demand service is having a fundamental impact on information technology with far-reaching consequences. Cloud is rapidly disrupting most industries and is becoming the back end for all other forms of computing, such as mobile, the Internet of Things and future technologies not yet conceived. As governments, businesses and consumers move to adopt cloud computing en masse, the stakes could not be higher for gaining assurance that cloud is a safe, secure, transparent and trusted platform.

This paper seeks to view the cloud computing industry through the lens of the enterprise information security practitioner. By articulating the state of cloud security from this viewpoint, we can better understand the gaps and solutions we must advocate for and help cloud providers better understand the needs of their consumers.

Release Date: 02/27/2016
Consensus Assessments Initiative Questionnaire v3.0.1 (12-5-16 Update)

Realigns the CAIQ questions to the CCM v3.0.1 control domains and to the Cloud Security Alliance "Security Guidance for Critical Areas of Focus in Cloud Computing V3.0".

Release Date: 02/01/2016
The Cloud Balancing Act for IT: Between Promise and Peril

Cloud adoption does not have to mean opening up your organization to increased security risks and threats if the right policies are in place. That is what the findings of a new Cloud Security Alliance (CSA) survey of executives and IT managers worldwide, titled The Cloud Balancing Act for IT: Between Promise and Peril, indicate. Security professionals reported receiving, on average, 10.6 requests each month for new cloud services, which may be why 71.2% of companies now have a formal process for users to request new cloud services.

The Cloud Balancing Act for IT Survey Report includes responses from more than 200 IT and security professionals varying in company size and industries from the Americas, EMEA and APAC regions. Sponsored by Skyhigh Networks, the survey covers several topics ranging from the need to hire CISOs to help curb the likelihood of cyber threats to just how much of the business IT is willing to hand over to cloud services from their legacy on-premises solutions.

Release Date: 01/13/2016
CloudTrust Protocol Prototype Source Code

The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.

The source code implements a CTP server that acts as a gateway between cloud customers and cloud providers:

  • A cloud provider can push security measurements to the CTP server.
  • A cloud customer can query the CTP server with the CTP API to access these measurements.

The source code is available on GitHub.

Release Date: 12/10/2015
International Standardization Council Policies & Procedures

In today’s technological environment, standards play a critical role in product development and market competitiveness. Every input, behavior, and action has both a contributory and a potential legal consequence. These procedures help protect the International Standardization Council (ISC or Council) participants and the CSA by establishing the necessary framework for a sound process.

Release Date: 10/15/2015
CloudTrust Protocol Data Model and API

The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust. This document focuses on the definition of the CTP Data Model and Application Programming Interface (API).

Release Date: 10/09/2015