Research Artifacts

Observations and Recommendations on Connected Vehicle Security

The introduction of Connected Vehicles (CVs) has been discussed for many years. Pilot implementations currently underway are evaluating CV operations in realistic municipal environments. CVs are beginning to operate in complex environments composed of both legacy and modernized traffic infrastructure. Security systems, tools and guidance are needed to aid in protecting CVs and the supporting infrastructure.

Release Date: 05/25/2017
SDP for IaaS

Release Date: 02/13/2017
Cloud Adoption and Security in India

The “State on Cloud Adoption and Security in 2016: India” survey was circulated in an effort to understand and evaluate cloud computing trends in India. We hope to understand cloud adoption plans and usage from different industries in India and how cloud adoption can have an impact on organization business strategies and plans. This report is part of the CSA APAC cloud adoption state initiative, which aims to provide insights on cloud adoption in different APAC countries, to recognize APAC countries which are leading the cloud adoption trend as well as to identify the countries with opportunities for cloud computing adoption.

Release Date: 11/22/2016
Cloud Adoption Practices & Priorities in the Chinese Financial Sector

We circulated the “Financial Services Industry Cloud Adoption Survey: China” survey to IT and security professionals in the Financial Services Institutions (FSIs) in China. The goal was not only to raise awareness around Cloud service adoption, but also to provide insight into how finance, government, insurance, and security decision makers take action in their organization within China. These actions included consolidating and standardizing the most secure Cloud services, knowing what policies would have the most impact as well as understanding where to focus for educating users.

Release Date: 10/28/2016
Defeating Insider Threats

As a follow-up to the Top Threats in Cloud Computing report, from May to July 2016 we surveyed approximately 100 professionals on the extent of the following:

  • Employees leaking critical information and tradecraft on illicit sites
  • Data types and formats being exfiltrated along with exfiltration mechanisms
  • Why so many data threats go undetected
  • What happens to the data after it has been exfiltrated
  • Tools to disrupt and prevent the data exfiltration cycle
  • Possibilities to expunge traces of data once exfiltrated

Release Date: 10/19/2016
Mitigating Risk

With several years of cloud adoption in organizations, approaches to security have been evolving rapidly. To dig deeper into these concerns and the controls being used to mitigate both sanctioned and unsanctioned cloud security risks, the Cloud Security Alliance and Bitglass conducted a survey of 176 IT security leaders. Respondents revealed that visibility and control remain major issues for many organizations. In fact, more than half do not have adequate visibility and have experienced a security incident due to lack of appropriate controls. Based on our responses, approximately 93 percent of individuals are still concerned about shadow IT compared to this time last year. On the topic of whether cloud vendors should be forced to cooperate with government requests for data, just over half were opposed to cooperation.

Release Date: 08/17/2016
Mobile Application Security Testing

The Mobile Application Security Testing (MAST) Initiative is a research effort that aims to help organizations and individuals reduce the risk exposures and security threats involved in using mobile applications. MAST aims to define a framework for secure mobile application development, achieving privacy and security by design. Implementation of MAST will result in clearly articulated recommendations and best practices for the use of mobile applications.

Mobile application security testing and vetting processes used through MAST involve both static and dynamic analysis to evaluate security vulnerabilities of mobile applications for platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially dangerous functionality, application collusion, obfuscation, excessive power consumption and traditional software vulnerabilities. They also cover internal communications, such as debug flags and activities, and external communications, such as GPS and NFC access, as well as checking the links written in the source code. In addition to security testing and vetting, the initiative has also proposed processes and procedures for security incident response.

The use of mobile applications has become unavoidable, almost a necessity, in today's world. More people are starting to question the security of mobile applications and it's about time that you take a look at what the Cloud Security Alliance has to say about mobile application security!

Release Date: 06/30/2016
Quantum Random Number Generators

A random number is generated by a process whose outcome is unpredictable and which cannot be reliably reproduced. Randomness, quantitatively measured by entropy, is the measure of uncertainty or disorder within a set of data. The higher the level of unpredictability, the more random the data is and the more valuable it becomes, particularly for cryptographic operations. This report from CSA's Quantum-Safe Security Working Group, Quantum Random Number Generators, goes over the impact of randomness on security. For security or other applications where high-quality randomness is needed, physical approaches are taken to generate random bits. Generators based on quantum physical processes deliver the highest quality random data. Contrary to classical physics, quantum physics is fundamentally random.

Given the incomparable quality of the entropy delivered by such solutions, and their commercial viability, the challenge of selecting random number generators that will not expose your data to breaches has suddenly become much simpler. In fact, the question “What source of randomness should I use?” has a simple, safe and commercially viable answer: Use Quantum!

Release Date: 06/09/2016
Cloud Controls Matrix v3.0.1 (10-6-16 Update)

Cloud Security Alliance Releases Candidate Mapping of ISO 27002/27017/27018 Security Controls

At the Cloud Security Alliance Summit San Francisco 2016, the CSA announced the release of the Candidate Mappings of ISO 27002/27017/27018 to version 3.0.1 of the CSA Cloud Controls Matrix (CCM).

The ISO 27XXX series provides an overview of information security management systems. ISO 27002 provides further security techniques for the controls defined in ISO 27001. ISO 27017 extends this security code of practice to the procurement of cloud services. Finally, ISO 27018 is the first international standard delivering security techniques for the privacy and protection of PII (Personally Identifiable Information).

Additional updates to control language, Cloud Service Delivery Model Applicability, and Supplier Relationship have been logged.

The October 6 update aligns the CCM with the CAIQ for consistency.

Release Date: 06/06/2016
Identity Security

The goal of the Identity Solutions: Security Beyond the Perimeter survey was to address Insufficient Identity, Credential, and Access Management and gain a better understanding and perception of enterprise security in the evolving Information Technology (IT) world.

Release Date: 04/19/2016
CSA STAR Program & Open Certification Framework in 2016 and Beyond

The Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR) program is the industry’s leading trust mark for cloud security. The CSA Open Certification Framework (OCF) is a program for flexible, incremental and multi-layered CSP certifications according to the CSA’s industry-leading security guidance. The OCF/STAR program comprises a global cloud computing assurance framework with a scope of capabilities, flexibility of execution, and completeness of vision that far exceeds the risk and compliance objectives of other security audit and certification programs.

Release Date: 04/12/2016
Mobile Application Security Testing Initiative Revised Charter

Mobile applications are becoming an integral part not just of modern enterprises but of everyday life, and a large part of this shift is due to the emergence of cloud computing. The Mobile Application Security Testing initiative aims to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application testing and vetting that help integrate quality control and compliance into mobile application development and management.

Release Date: 03/14/2016
Defining Categories of Security as a Service: Continuous Monitoring

In order to improve the understanding of Security as a Service and accelerate market acceptance, clear categorization and definitions of these services are necessary. This document provides a high-level overview of the business and technical elements needed to evaluate the risks associated with the Continuous Monitoring category.

Release Date: 02/29/2016
‘The Treacherous Twelve’ Cloud Computing Top Threats in 2016

“The Treacherous 12 - Cloud Computing Top Threats in 2016” plays a crucial role in the CSA research ecosystem. The purpose of the report is to provide organizations with an up-to-date, expert-informed understanding of cloud security concerns so that they can make educated risk-management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in the CSA community about the most significant security issues in the cloud.

Release Date: 02/29/2016