COPYRIGHT © 2018 CLOUD SECURITY ALLIANCE
CHARTING THE COURSE
THROUGH DISRUPTION WITH
CSA RESEARCH
J.R. SANTOS, EXECUTIVE VICE PRESIDENT OF RESEARCH
IOT CONNECTED DEVICES BY 2020
The total number of “things” in the Internet of Things
(IoT) is forecast to reach 20.4 billion in 2020, which is
lower than Gartner’s previous prediction of 20.8 billion,
published in 2015.

The consumer segment is tipped to make up 63 per cent
of the total IoT application market in 2017 with 5.2
billion units. Businesses are on pace to employ 3.1
billion connected things in 2017.
20.4B
31% UP FROM 2016
8.4B FORECAST IN 2017
THE ZETTABYTE ERA
The document presents some of the
main findings of Cisco’s global IP
traffic forecast and explores the
implications of IP traffic growth for
service providers.
“The cyber security industry faces a
massive problem: there are simply not
enough highly-skilled cyber security
professionals. This is already a massive
issue, but fast-forward to 2020 and the
shortfall is expected to reach 1.5 million”
- ISC2 Workforce Study
EXISTING EMPLOYEES CAN’T KEEP UP WITH THE CHANGES IN OUR INDUSTRY
COLLEGE GRADUATES LACK THE SKILL AND EXPERIENCE
1.5 MILLION CYBER SECURITY PROFESSIONALS NEEDED BY 2020
OUR ENVIRONMENT IS CHANGING
THE REGULATORY & STANDARDS LANDSCAPE WILL CHANGE AND BECOME MORE COMPLEX
NEW ATTACK SURFACES
TECHNOLOGY LANDSCAPE CHANGES RAPIDLY
DATA WILL CONTINUE TO EXPLODE
99%: THROUGH 2020, 99% OF VULNERABILITIES EXPLOITED WILL CONTINUE TO BE ONES KNOWN BY SECURITY AND IT PROFESSIONALS FOR AT LEAST ONE YEAR.
33.3%: BY 2020, A THIRD OF SUCCESSFUL ATTACKS EXPERIENCED BY ENTERPRISES WILL BE ON THEIR SHADOW IT RESOURCES.
8.3%: GROWTH RATE FOR INFORMATION SECURITY SPEND, FORECASTED TO BREAK 101B BY 2020.
25%: BY 2020, MORE THAN 25% OF IDENTIFIED ENTERPRISE ATTACKS WILL INVOLVE IOT.
CLOUD SECURITY ALLIANCE
SECURITY PROFESSIONALS NEED TO EVOLVE
19 ACTIVE WORKING GROUPS
2009
CSA FOUNDED
SINGAPORE // ASIA PACIFIC HEADQUARTERS
EDINBURGH // UK HEADQUARTERS
SEATTLE/BELLINGHAM, WA // US HEADQUARTERS
90,000+ INDIVIDUAL MEMBERS
300+ CORPORATE MEMBERS
75+ CHAPTERS
Strategic partnerships with
governments, research
institutions, professional
associations and industry
CSA research is
FREE!
OUR COMMUNITY
RESEARCH FOR THE INDUSTRY
• CSA HAS PRODUCED OVER 165 RESEARCH ARTIFACTS*
• WE HAVE A TOTAL OF 34 RESEARCH WORKING GROUPS (26 CURRENTLY ACTIVE)
• OVER 4500 SUBJECT MATTER EXPERTS HAVE BEEN INVOLVED
• 50+ CONFERENCES IN 2018
* DOES NOT INCLUDE SOME REGIONAL RESEARCH, CCM MAPPING ACTIVITIES, GRANT DELIVERABLES, COMMISSIONED PROJECTS,
INDUSTRY COLLABORATION
FORMAL:
• ISO/IEC JTC 1 – IT AND CLOUD SECURITY TECHNIQUES
• ITU-T – PROCEDURES AND STANDARDS IN TELECOM
• IEEE – CYBERSECURITY AND PRIVACY STANDARDS COMMITTEE
• NIST – CLOUD SECURITY WORKING GROUP
• FCC – TECHNOLOGICAL ADVISORY COMMITTEE ON IOT
• DISA DODIN (GIG) – CLOUD COMPUTING SERVICES GUIDANCE
• DOD IC – CLOUD COMPUTING STANDARDS FOCUS GROUP
• ATIS – PACKET TECHNOLOGY AND SYSTEMS COMMITTEE ON 5G
• CIS – CLOUD SECURITY BENCHMARKS
• CLOUD SECURITY INDUSTRY SUMMIT – EXECUTIVE COUNCIL OF CLOUD
• ENISA – EU FUNDED RESEARCH ON RISK, INTEROPERABILITY, SLAS, AND MORE
• ISC2 – TRAINING AND EDUCATION PARTNER FOR CLOUD SECURITY CERTIFICATION
• ISACA – CONTINUING EDUCATION PARTNER FOR IT CERTIFICATION
• CSA CORPORATE MEMBERS – COMMISSIONED WORK TO EXPLORE TRENDING TOPICS
• AND MANY OTHERS
INFORMAL:
MPAA, SECURITY SMART CITIES, US FEDERAL HIGHWAY ADMINISTRATION,
HIMSS, HC3, FFIEC, FDIC, OCC, EBA, AND MORE
TOOLS FOR DUE DILIGENCE
CLOUD SECURITY CONTROLS
• COMMON FRAMEWORK FOR TECHNOLOGY, IS MANAGEMENT
• ASSESSES THE OVERALL SECURITY RISK OF A CLOUD SERVICE
• PROVIDES STANDARDIZED SECURITY, OPERATIONAL RISK MANAGEMENT
• HARMONIZES TO SECURITY STANDARDS AND COMPLIANCE FRAMEWORKS
PROVIDER ASSESSMENT QUESTIONS
• QUESTIONS TO ENABLE CLOUD COMPUTING ASSESSMENTS
• ESTABLISH THE PRESENCE AND TESTING OF SECURITY CONTROLS
• DISCOVER PRESENCE OF SECURITY CAPABILITIES AND GAPS
• DOCUMENT SECURITY CONTROLS IN IAAS, PAAS, SAAS
PROVIDER ASSESSMENT REPORTS
• PROVIDER LISTING OF SECURITY CONTROLS
• TRANSPARENCY, AUDITING, AND HARMONIZATION OF STANDARDS
• LEVEL OF ASSURANCE MEETING REQUIREMENTS
• INDUSTRY ACCEPTABLE
CLOUD SOLUTIONS MANAGEMENT DASHBOARD
• SOLUTION TO HELP ORGANIZATIONS MANAGE COMPLIANCE
• ASSIGN MATURITY AND RELEVANCE SCORING
• PROVISION AND MANAGE USER ACCESS TO ASSESSMENTS
• COMPARE ASSESSMENTS BASED ON COMMON CRITERIA
About Security Guidance V4
• FUNDAMENTAL CLOUD SECURITY RESEARCH THAT STARTED CSA
• 4TH VERSION, RELEASED JULY 2017
• ARCHITECTURE
• GOVERNING IN THE CLOUD
  • GOVERNANCE AND ENTERPRISE RISK MANAGEMENT
  • LEGAL
  • COMPLIANCE & AUDIT MANAGEMENT
  • INFORMATION GOVERNANCE
• OPERATING IN THE CLOUD
  • MANAGEMENT PLANE & BUSINESS CONTINUITY
  • INFRASTRUCTURE SECURITY
  • VIRTUALIZATION & CONTAINERS
  • INCIDENT RESPONSE
  • APPLICATION SECURITY
  • DATA SECURITY & ENCRYPTION
  • IDENTITY MANAGEMENT
  • SECURITY AS A SERVICE
  • RELATED TECHNOLOGIES
Active Working Groups
• BLOCKCHAIN/DISTRIBUTED LEDGER
• CLOUD CYBER INCIDENT SHARING
• CLOUD COMPONENT SPECIFICATIONS
• CLOUD CONTROLS MATRIX
• CLOUD SECURITY SERVICES MANAGEMENT
• CONSENSUS ASSESSMENTS
• CONTAINERS AND MICROSERVICES
• ENTERPRISE ARCHITECTURE
• ERP SECURITY
• FINANCIAL SERVICES
• INTERNET OF THINGS
• MOBILE
• OPEN CERTIFICATION
• PRIVACY LEVEL AGREEMENT
• QUANTUM-SAFE SECURITY
• SECURITY AS A SERVICE
• SECURITY GUIDANCE
• SOFTWARE DEFINED PERIMETER
• TOP THREATS
Paused Working Groups
• BIG DATA
• CLOUD DATA CENTER SECURITY
• CLOUD DATA GOVERNANCE
• HEALTH INFORMATION MANAGEMENT
• INCIDENT MANAGEMENT AND FORENSICS
• SAAS GOVERNANCE
Dormant Working Groups
• CLOUDAUDIT
• CLOUDTRUST
• CLOUDTRUST PROTOCOL
• CLOUD VULNERABILITIES
• INNOVATION
• LEGAL
• OPEN API
• TELECOM
• VIRTUALIZATION
INTERNET OF THINGS
CREATING GUIDANCE AND SECURITY CONTROLS FOR NEW TYPES OF DEVICES, SYSTEMS, AND DATA.
DEV(SEC)OPS
STRIVES TO AUTOMATE SECURITY TASKS BY EMBEDDING SECURITY INTO THE DEVOPS WORKFLOW.
BIG DATA, AI, AUTOMATION
PROMISES TO TRANSFORM SOCIETY ON THE SCALE OF THE INDUSTRIAL REVOLUTION BEFORE IT.
FOG COMPUTING
ORCHESTRATION, INTEROPERABILITY, CONNECTIVITY AND ANALYTICS AT THE EDGE.
SOFTWARE DEFINED PERIMETER
TO SOLVE THE PROBLEM OF STOPPING NETWORK ATTACKS ON APPLICATION INFRASTRUCTURE, THE SDP WORKGROUP DEVELOPED A CLEAN-SHEET APPROACH THAT COMBINES ON-DEVICE AUTHENTICATION, IDENTITY-BASED ACCESS AND DYNAMICALLY PROVISIONED CONNECTIVITY.
BLOCKCHAIN
ACTED AS A DIGITAL LEDGER FOR CRYPTOCURRENCY BUT CAN NOW BE APPLIED IN NEW USE CASES.
2018 RESEARCH RELEASES
APPLICATION CONTAINERS AND MICROSERVICES
NIST Guidance for Containers and Microservices
CLOUD CONTROLS MATRIX (CCM)
Mapping Methodology
ISO 27001, 27002, 27017, 27018
ENTERPRISE RESOURCE PLANNING
State of ERP Security in the Cloud
TOP THREATS
Deep Dive Analysis
INTERNET OF THINGS
Blockchain for the IoT
CYBER INCIDENT SHARING
Best Practices for Cyber Incident Exchange
2018 RESEARCH RELEASES
HEALTH INFORMATION MANAGEMENT
State of Cloud in Healthcare
SOFTWARE DEFINED PERIMETER (SDP)
SDP Architecture Overview Document
Glossary of SDP Terminology
Awareness Poll/Survey (infographic)
QUANTUM SAFE SECURITY
A Day without RSA Whitepaper
Quantum Safe Security Awareness
Post Quantum Cryptography
2018 RESEARCH RELEASES
NEW WORKING GROUPS
ARTIFICIAL INTELLIGENCE
DEVOPS
CLOUD DATA GOVERNANCE
• Data Classification
HEALTHCARE
INTERNET OF THINGS
• Fog Computing
2018 RESEARCH RELEASES
SECURITY AS A SERVICE
SecaaS Categories of Services Document V.2
CASB Implementation Guidance
CLOUD SECURITY CONTROLS FRAMEWORK (CCM)
AICPA TSP 2017
NIST SP 800-53 Rev 5 Candidate Mapping
CONTAINERS AND MICROSERVICES
NIST 800 Level Document w/ Use Cases
INTERNET OF THINGS
IoT Security Controls for the Enterprise
OPEN CERTIFICATION FRAMEWORK
Benefits of STAR
STAR Level 3 (Continuous Monitoring)
FINANCIAL SERVICES
Key Management for SaaS
Entitlement Management
Risk Assessment Guide
2018 RESEARCH RELEASES
SOFTWARE DEFINED PERIMETER (SDP)
State of SDP
SDP Specification v2.0
ENTERPRISE RESOURCE PLANNING
IaaS considerations for implementing ERP
COMMISSIONED RESEARCH
GDPR Survey
BLOCKCHAIN
Use Cases for Blockchain
USEFUL CSA LINKS
CLOUD CONTROLS MATRIX (CCM)
https://cloudsecurityalliance.org/group/cloud-controls-matrix/
CONSENSUS ASSESSMENT INITIATIVE QUESTIONNAIRE (CAIQ)
https://cloudsecurityalliance.org/group/consensus-assessments/
CSA STAR (Security, Trust and Assurance Registry), Provider Assurance Program
https://cloudsecurityalliance.org/star/
CSA CloudBytes Channel
https://cloudsecurityalliance.org/research/cloudbytes/#_overview
STARWatch
https://cloudsecurityalliance.org/star/watch/
DOWNLOAD CSA RESEARCH ARTIFACTS
https://cloudsecurityalliance.org/download
THANK YOU
Let’s Connect
Email: lsantos@cloudsecurityalliance.org
Twitter: @CSAResearchGuy
LinkedIn: https://linkedin.com/in/lucianojrsantos
Our Workgroups: www.cloudsecurityalliance.org/research
Learn: www.cloudsecurityalliance.org/research/cloudbytes
Download: www.cloudsecurityalliance.org/download
