
Securosis

Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security.

The Future of Security

A Disruptive Collision: The Trends and Technologies Transforming Security

Disruption defines the business of information security. New technologies change how businesses work, as well as what risks people take. Attackers shift their strategies. But the better security professionals predict and prepare for these disruptions, the more effective we can be.

The Future of Security


Release Date: February 25, 2014

The Future of Security: Executive Summary


Release Date: February 25, 2014

What CISOs Need to Know About Cloud Computing

Cloud is Different, but Not the Way You Think

There is no question cloud computing is fundamentally changing how we deliver and consume technology resources, but the main impacts to security are not outsourcing or sharing infrastructure with others. Cloud computing doesn’t necessarily reduce security risks; it shifts them.

Adapting Security for Cloud

Cloud computing poses new risks, while both increasing and decreasing existing risks. The trick is to leverage the security advantages, freeing up resources to cover the gaps.

Real-World Examples

Application stacks are hypersegregated as the cloud platform places a virtual firewall around every single server, making it nearly impossible for an attacker to spread internally.

Cloud-aware security agents are automatically embedded in every virtual machine as it launches. They then automatically configure themselves based on policies and the environment.

Administrator access to the cloud management plane runs through security proxies to monitor all infrastructure changes.

SAFECode

The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

About Practices for Secure Development of Cloud Applications

SAFECode and CSA partnered to determine whether additional software security guidance was needed to address unique threats to cloud computing, and if so, to identify specific security practices in the context of identified threats. The joint technical working group analyzed existing secure software development practices and secure design considerations as outlined in the SAFECode publication “Fundamental Practices for Secure Software Development 2nd Edition” in the context of CSA guidance, including “The Notorious Nine: Cloud Computing Top Threats in 2013.”

While the working group’s efforts confirmed that each practice identified by SAFECode as fundamental to software security applied equally to cloud software, it also identified additional practices that should be adopted by those developing software for the cloud, given the unique threats faced in that domain. This new report represents the product of that collaboration and is intended to help readers better understand and implement best practices for secure cloud software development. It offers practical secure development guidance in the areas of multi-tenancy, trusted compute pools, tokenization of sensitive data, data encryption and key management, authentication and identity management, shared-domain issues and securing APIs.

“It is our hope that by bringing together practical experience in both cloud computing and software security, we are able to offer secure development guidance that is both highly actionable and effective at addressing the unique security considerations of cloud software developers,” said Said Tabet, Title, EMC and one of the paper’s primary authors. “We encourage individual enterprises to tailor our recommendations to meet their needs and to use them as part of a larger software security process that should continue to evolve alongside advancements in cloud computing.”

To aid others in adopting and using these practices effectively, this paper describes each identified security practice in the context of unique attributes of cloud computing and the associated threats as identified by CSA. The recommended practices are mapped to specific threats in order to provide a more detailed illustration of the security issues these practices aim to resolve and a starting point for those wishing to learn more. Each section offers specific action items for development and security teams, as well as useful references that provide additional implementation guidance.

Collaborative Research Downloads

SAFECode/CSA: Practices for Secure Development of Cloud Applications


Release Date: December 04, 2013

Internet2

Internet2 is an exceptional community of U.S. and international leaders in research, academia, industry and government who create and collaborate via innovative technologies. Together, we accelerate research discovery, advance national and global education, and improve the delivery of public services. Our community touches nearly every major innovation that defines our modern digital lives—and continues to define "what’s next."

About the Net+ Initiative CCM v.3 Candidate Mappings

A team of 30 CIOs, CISOs, and other executives from Internet2’s membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements.

The CCM provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. As a framework, the CCM provides organizations with the required structure, detail and clarity relating to information security tailored to the cloud industry. The CCM strengthens information security environments by emphasizing business requirements, the identification and reduction of consistent security threats and vulnerabilities in the cloud, and standardized security and operational risk management. This extended CCM will help to normalize security expectations for NET+ participants (both service providers and higher education institutions). It will also provide a common cloud taxonomy and terminology, along with security measures implemented in the cloud.

Collaborative Research Downloads

Net+ Initiative CCM v.3 Candidate Mappings


Release Date: December 01, 2013

ISACA

With more than 100,000 constituents in 180 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations.

About the Cloud Market Maturity Study

A collaborative project by ISACA and CSA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing and will help identify any changes in the market. The report, released today, provides detailed insight on the adoption of cloud services among all levels within today’s global enterprises and businesses, including the C-suite.

Collaborative Research Downloads

CSA/ISACA Cloud Market Maturity Study Results


Release Date: September 27, 2012

AICPA

The AICPA is the world’s largest member association representing the accounting profession, with nearly 386,000 members in 128 countries and a 125-year heritage of serving the public interest. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting. The AICPA sets ethical standards for the profession and U.S. auditing standards for audits of private companies, nonprofit organizations, federal, state and local governments. It develops and grades the Uniform CPA Examination and offers specialty credentials for CPAs who concentrate on personal financial planning; fraud and forensics; business valuation; and information technology. Through a joint venture with the Chartered Institute of Management Accountants, it has established the Chartered Global Management Accountant designation to elevate management accounting globally.

About the CSA Position Paper on AICPA Service Organization Control Reports

The Cloud Security Alliance (CSA) has drafted the CSA Position Paper on AICPA Service Organization Control Reports as a means to educate its members and provide guidance on selecting the most appropriate reporting standard.

After careful consideration of alternatives, the Cloud Security Alliance has determined that for most cloud providers, a SOC 2 Type 2 attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services.

Collaborative Research Downloads

CSA Position Paper on AICPA Service Organization Control Reports


Release Date: February 25, 2013

CSA & Affiliate Collaborative Research

The Cloud Security Alliance partners with not-for-profit associations and industry groups with shared goals for promoting the use of best practices for providing security assurance within Cloud Computing. For a complete list of CSA Affiliate Members please refer to the Affiliate Member page.

Some affiliate partnerships will result in the production of collaborative research reports or other downloadable products. These may be accessed by selecting from the list of affiliate partners to the left.
