Dark Reading | Products and Releases

Cloud Security Alliance Partners With ISO/IEC

Cloud Security Alliance will have a key role in the development of cloud security and privacy standards under ISO/IEC

London, ENGLAND – #CSASummit at #InfosecUK – April 20, 2011 – At the CSA Summit at Infosecurity Europe, the Cloud Security Alliance (CSA) announced that it will have a key role in the development of cloud security and privacy standards under ISO/IEC (International Organization for Standardization/International Electrotechnical Commission). The CSA has established a Category C liaison relationship with ISO/IEC's Joint Technical Committee 1/Subcommittee 27 (JTC 1/SC 27). Mr. Aloysius Cheang, CSA's Asia Pacific Strategy Advisor and co-editor of the ISO/IEC 27032 "Guidelines for Cybersecurity" International Standard, has been appointed Liaison Officer between the CSA and ISO/IEC JTC 1/SC 27. Category C liaisons are organizations that make an effective technical contribution to, and participate actively in, the working groups (WGs) under SC 27.

Dr. Walter Fumy, SC 27 Chairman, said, "The security and privacy of cloud computing services are an ever-growing concern to users and consumers of these services. ISO/IEC JTC 1/SC 27 is now embarking on the development of a series of standards that will address the security and privacy issues of cloud computing services. This development is being carried out in collaboration with various standardization partners including ITU-T and ISO/IEC JTC 1/SC 38 together with CSA. This new cooperation with the CSA adds significant value to this work of ISO/IEC JTC 1/SC 27 as it facilitates an important communication channel for the promotion of cloud computing security standards amongst the information security community."

The Cloud Security Alliance will initially collaborate with SC 27 on two projects:

• A new work item proposal for cloud security, reinforcing the previous work on the code of practice for information security management found in the ISO/IEC 27002 International Standard. The aim is to provide guidelines on information security controls for the use of cloud computing services, based on the information security management system (ISMS) controls of that standard. This new work item on cloud security will be co-edited by Dr. Marlin Pohlman, CSA's Global Strategy Director, Co-Chair of the Cloud Controls Matrix, Consensus Assessment and Cloud Audit for the CSA, and Chief Governance Officer of EMC.

• Information security for supplier relationships, part 1. This is a new part under the multi-part standard ISO/IEC 27036, and it will be co-edited by Ms. Becky Swain, Co-Founder and Co-Chair of the CSA Cloud Controls Matrix and CSA Silicon Valley Chapter Board Member.

"By working closely with ISO in the highly dynamic cloud computing environment, the industry can have confidence that CSA guidance will be enduring, and that they can align with it now," said CSA chairman of the board Dave Cullinane.

Remarked Prof. Edward Humphreys, Convenor WG 1 under SC 27, "It is the expectation of ISO/IEC JTC 1/SC 27 that the outreach of CSA to the cloud computing world of service providers, corporate vendors, industry groups and associations, as well as individual users, will complement the work of ISO/IEC JTC 1/SC 27 and its other standardization partners, and enable a flow of value-added business and user input to the development of ISO/IEC JTC 1/SC 27 cloud computing security and privacy standards."

Dr. Meng-Chow Kang, Convenor WG 4 under SC 27, stated, "The step towards standardization that CSA is taking is both strategic and critical. Strategic in that it could leverage standards to provide the required baselines to improve security and interoperability in cloud services. Critical in that this could help pave a way towards better security assurance of cloud services, a common concern of cloud users. WG 4, whose focus includes ICT services related security standards, is pleased with the new collaborative work with CSA in this regard."

Commented Prof. Dr. Kai Rannenberg, Convenor WG 5 under SC 27, "Given the ever rising importance of privacy and identity management for cloud computing and the advantages of an early integration of these topics, WG 5 is pleased to collaborate with the Cloud Security Alliance through the new liaison. Informing both customers and end-users of such customers about any access or use of their personal information is an important task here, as is the clear and transparent delineation between the different service providers."

Mr. Kin-Chong Chan, chairman of the SPSTC, ITSC Singapore, said, "The Security & Privacy Standards Technical Committee (SPSTC) under the Singapore IT Standards Committee (ITSC) recognizes the importance of having international standards in the area of cloud computing. In particular, there is a strong need to address the concerns of cloud security from both service provider and end-user perspectives. In this regard, we are pleased to bear witness to the establishment of the relationship between ISO/IEC JTC 1/SC 27 and CSA in Singapore, where we played host for the 2011 Spring meetings and plenary. We look forward to working with ISO/IEC JTC 1/SC 27 and CSA to develop and establish relevant international standards in the areas of management systems, controls, audit and governance, in particular the development and promotion of appropriate standards to address security requirements for providers and consumers of cloud computing services."

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

About ISO/IEC JTC 1/SC 27

ISO/IEC JTC 1/SC 27 focuses on the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

1. Security requirements capture methodology;
2. Management of information and ICT security, in particular information security management systems (ISMS), security processes, security controls and services;
3. Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
4. Security management support documentation, including terminology and guidelines, as well as procedures for the registration of security components;
5. Security aspects of identity management, biometrics and privacy;
6. Conformance assessment, accreditation and auditing requirements in the area of information security;
7. Security evaluation criteria and methodology.

SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas.

Media Contact: Zenobia Godschalk [email protected] 650.269.8315
