
Vulnerabilities / Threats

4/21/2011
09:44 AM
Dark Reading
Products and Releases

Cloud Security Alliance Partners With ISO/IEC

Cloud Security Alliance will have a key role in the development of cloud security and privacy standards under ISO/IEC

London, ENGLAND – #CSASummit at #InfosecUK – April 20, 2011 – At the CSA Summit at Infosecurity Europe, the Cloud Security Alliance (CSA) announced that it will have a key role in the development of cloud security and privacy standards under ISO/IEC (International Organization for Standardization/International Electrotechnical Commission). The CSA has established a Category C liaison relationship with ISO/IEC's Joint Technical Committee 1/Sub Committee 27 (JTC 1/SC 27), and Mr. Aloysius Cheang, CSA's Asia Pacific Strategy Advisor and co-editor of the ISO/IEC 27032 "Guidelines for Cybersecurity" International Standard, has been appointed Liaison Officer between the CSA and ISO/IEC JTC 1/SC 27. Category C liaisons are organizations that make an effective technical contribution and participate actively in the working groups (WG) under SC 27.

Dr. Walter Fumy, SC 27 Chairman, said, "The security and privacy of cloud computing services are an ever-growing concern to users and consumers of these services. ISO/IEC JTC 1/SC 27 is now embarking on the development of a series of standards that will address the security and privacy issues of cloud computing services. This development is being carried out in collaboration with various standardization partners including ITU-T and ISO/IEC JTC 1/SC 38 together with CSA. This new cooperation with the CSA adds significant value to this work of ISO/IEC JTC 1/SC 27 as it facilitates an important communication channel for the promotion of cloud computing security standards amongst the information security community."

The Cloud Security Alliance will initially collaborate on two projects with the SC 27:

• A new work item proposal for cloud security, reinforcing previous work done on the Code of Practice for Information Security Management (ISMS) found in the ISO/IEC 27002 International Standard. The aim is to provide guidelines on information security controls for the use of cloud computing services based on ISMS security controls. This new work item on cloud security will be co-edited by Dr. Marlin Pohlman, CSA's Global Strategy Director, Co-Chair of the Cloud Controls Matrix, Consensus Assessment and Cloud Audit for the CSA, and Chief Governance Officer of EMC.

• Information security for supplier relationships, part 1. This is a new part under the multi-part standard ISO/IEC 27036, and it will be co-edited by Ms. Becky Swain, Co-Founder and Co-Chair of the CSA Cloud Controls Matrix and CSA Silicon Valley Chapter Board Member.

"By working closely with ISO in the highly dynamic cloud computing environment, the industry can have confidence that CSA guidance will be enduring, and that they can align with it now," said CSA chairman of the board Dave Cullinane.

Remarked Prof. Edward Humphreys, Convenor WG 1 under SC 27, "It is the expectation of ISO/IEC JTC 1/SC 27 that the outreach of CSA to the cloud computing world of service providers, corporate vendors, industry groups and associations, as well as individual users, will complement the work of ISO/IEC JTC 1/SC 27 and its other standardization partners, and enable a flow of value-added business and user input to the development of ISO/IEC JTC 1/SC 27 cloud computing security and privacy standards."

Dr. Meng-Chow Kang, Convenor WG 4 under SC 27, stated, "The step towards standardization that CSA is taking is both strategic and critical. Strategic in that it could leverage standards to provide the required baselines to improve security and interoperability in cloud services. Critical in that this could help pave a way towards better security assurance of cloud services, a common concern of cloud users. WG 4, whose focus includes ICT services related security standards, is pleased with the new collaborative work with CSA in this regard."

Commented Prof. Dr. Kai Rannenberg, Convenor WG 5 under SC 27, "Given the ever rising importance of privacy and identity management for cloud computing and the advantages of an early integration of these topics, WG 5 is pleased to collaborate with the Cloud Security Alliance through the new liaison. Informing both customers and end-users of such customers about any access or use of their personal information is an important task here, as is the clear and transparent delineation between the different service providers."

Mr. Kin-Chong Chan, chairman of the SPSTC, ITSC Singapore, said, "The Security & Privacy Standards Technical Committee (SPSTC) under the Singapore IT Standards Committee (ITSC) recognizes the importance of having international standards in the area of cloud computing. In particular, there is a strong need to address the concerns of cloud security from both service provider and end-user perspectives. In this regard, we are pleased to bear witness to the establishment of the relationship between ISO/IEC JTC 1/SC 27 and CSA in Singapore, where we played host for the 2011 Spring meetings and plenary. We look forward to working with ISO/IEC JTC 1/SC 27 and CSA to develop and establish relevant international standards in the areas of management systems, controls, audit and governance, in particular the development and promotion of appropriate standards to address security requirements for providers and consumers of cloud computing services."

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

About ISO/IEC JTC 1/SC 27

ISO/IEC JTC 1/SC 27 focuses on the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

1. Security requirements capture methodology;
2. Management of information and ICT security; in particular information security management systems (ISMS), security processes, security controls and services;
3. Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
4. Security management support documentation, including terminology, guidelines and procedures for the registration of security components;
5. Security aspects of identity management, biometrics and privacy;
6. Conformance assessment, accreditation and auditing requirements in the area of information security;
7. Security evaluation criteria and methodology.

SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas.

Media Contact: Zenobia Godschalk [email protected] 650.269.8315
