CSA大中華區發佈《軟體定義邊界(SDP)和零信任》白皮書

CSA大中華區已發佈《軟體定義邊界(SDP)和零信任》白皮書,對如何使用SDP來實現零信任網絡(ZTN),為什麼將SDP應用於網絡連接,以及甚麼是最先進的ZTN實現等問題進行了分析解答。

軟體定義邊界(Software Defined Perimeter, SDP)是一個能夠為OSI七層協定棧提供安全防護的網絡安全架構,實現資產隱藏,並在允許連接到隱藏資產之前使用單個數據包通過單獨的控制和數據平面建立信任連接。 使用SDP實現的零信任網絡使組織能夠更好防禦新變種攻擊方法,以及改善企業所面臨攻擊面日益複雜和擴大的安全困境。

從本質上講,零信任是一種網絡安全概念,其核心思想是組織不應自動信任傳統邊界內外的任何事物,並旨在捍衛企業資產。 實施零信任需要在授予訪問許可權之前驗證所有嘗試連接到資產的事物,並在整個連接期間對會話進行持續評估。

軟體定義邊界(SDP)是零信任策略的最高級實現方案。 CSA已採用並宣導將以下結構應用於網絡連接:

  • 將建立信任的控制平面與傳輸實際數據的數據平面分開。
  • 使用動態全部拒絕(deny-all)防火牆(不是完全deny-all,而是允許例外)來隱藏基礎架構(例如,使伺服器變”黑”,不可見)
  • 丟棄所有未經授權的數據包並將它們用於記錄和分析流量。
  • 訪問受保護的服務之前,通過單包授權(SPA)協定來認證和授權使用者以及驗證設備。
  • 最小授權在此協定中是自帶的。

在該白皮書中,CSA全球SDP工作組和CSA大中華區SDP工作組的多位專家們對SDP如何實現零信任的戰略、價值、實施等內容做了原創和翻譯,相信對廣大的安全專家、CIO、CISO和公司業務高管在考慮企業的零信任落地時會有啟示和説明。

下載《軟體定義邊界(SDP)和零信任》白皮書

雲安全聯盟大中華區發佈 《雲計算的 11 類頂級威脅》

越來越多的企業正在將數據和應用程式遷移到雲中,這帶來了獨特的資訊安全挑戰。 保護企業在雲中數據的主要責任並不完全在於服務提供者,而主要在於客戶本身。 為了使組織對雲安全問題有新的瞭解,以便他們可以就雲採用策略做出有根據的決策,CSA 大中華區發佈了新版本的《雲計算的11類頂級威脅》(中文版),本報告主要關注11個與雲計算的共用、按需特性相關的問題。 以下是本報告關注的11個主要威脅:

1.資料洩漏。
2.配置錯誤與變更控制不足。
3.缺乏雲端安全架構與策略。
4.身份,憑證,存取和金鑰管理不足。
5.帳戶劫持。
6.內部威脅。
7.不安全的介面和 API 。
8.控制平面薄弱。
9.元結構與應用程式結構失效。
10.有限的雲使用可見度。
11.濫用及違法使用雲服務。

拒絕服務共享技術漏洞以及雲服務提供者數據丟失和系統漏洞之類的問題已不在本報告之列。 這表明由雲服務提供者負責的傳統安全問題似乎已經有效的緩解。 相反我們看到更多的是需要解決那些位於技術棧更高層次的安全問題這些問題是高級管理層決策的結果。

在調查中評分最高的新專案更加細微表明消費者對雲的理解日益成熟。 這些問題本質上是雲計算的固有特性表明消費者正在積極考慮向雲遷移的技術環境。 這些主題涉及潛在的控制平面缺陷元結構和應用結構故障以及有限的雲可見性。 這些新的重點與以前的《 關鍵威脅Top Threats》報告中更為突出的通用威脅風險和漏洞(即數據丟失拒絕服務)明顯不同。

CSA大中華區希望本報告能夠提高組織對最重要的安全問題及其應對措施的認識並在為雲遷移和安全性制定預算時將其考慮在內。 該報告提供了控制建議和參考示例旨在供合規風險和技術人員使用管理層也能夠從本報告的技術趨勢和概述中受益。

下載報告:雲計算的 11 類頂級威脅

(ISC)² Info Session: CCSP – The Industry’s Premier Cloud Security Certification

MAR-CCSP-Info_Session_Banner-APAC-1200x628-20200814

Earning the globally recognized #CCSP cloud security certification is a proven way to build your career and better secure critical assets in the cloud. Join ISC2’s 60-min live info-session on September 10 (Thursday) at 14:00 to learn more about the CCSP, its exam domains, experience requirements and available study resources. And, get to ask any question that will support your certification journey!

(ISC)² Info Session

Topic: CCSP – The Industry’s Premier Cloud Security Certification
Date: September 10, 2020 (Thursday)
Time: 14:00-15:00

Register now: https://www.isc2.org/News-and-Events/Webinars/APAC-Webinars?commid=432478&utm_source=csahk

雲安全聯盟大中華區發佈「使用者自治數碼身份安全白皮書」

用戶自治數碼身份安全白皮書數碼身份是保障數碼經濟安全的信任基石,業界目前的數碼身份體系一般都是中心化的,區塊鏈作為解決可信問題的分散式技術,給數碼身份自治的場景打開了天窗,比如減少分散雲計算中心化身份數據大量聚合的洩露風險,在邊緣計算分散式系統中使可信身份認證管理更加便捷私密等。

雲安全聯盟大中華區在810日舉辦的CSA Summit上發佈了《使用者自治數碼身份安全白皮書》該白皮書主要是針對於希望用DID來進行技術開發或者應用落地的專案或公司需要注意的一些安全與隱私的問題分析為什麼在新的數碼化轉型過程中DID能夠解決的痛點問題並對目前國際上已有的標準和案例進行介紹。

本白皮書目前是第一版本因為DID本身的一系列標準還在開發之中安全對於數碼身份是第一要素新的安全問題肯定會出現,歡迎讀者專家們能夠提出意見使下一個版本的覆蓋面更廣,對於行業的發展能有更大貢獻。

下載用戶自治數碼身份安全白皮書

CSA HKM to hold Annual General Meeting on June 16, 2020

The Cloud Security Alliance Hong Kong & Macau Chapter will hold its Annual General Meeting on June 16, 2020:

Date:   16 June 2020

Time:   7:00 (p.m.)

Place:  Unit 1605, Hang Shing Building, 363 Nathan Road, Kowloon

Agenda:

  • To receive and consider the Directors’ Report and Audited Financial Statements for the year ended 30 June 2019.
  • To elect directors.
  • To re-appoint auditors and to fix their remuneration.
  • To consider any other business.

The meeting is open to all members.  Due to the social distancing policies introduced by the Hong Kong Government, it is advised to attend the meeting online rather than in person.  Please contact membership@csahkm.org for the meeting link.

 

 

 

CSA HKM supports the Outstanding ICT Women Awards

hkcs_oictwa2020_home

To recognise and encourage female role models and to attract more females to join ICT industry, the FACE Club of Hong Kong Computer Society (HKCS) launched the first-ever “Outstanding ICT Women Awards” to reward the much praised female individuals in the ICT field and to showcase the impact that they have made to the local ICT industry and the community.

Cloud Security Alliance Hong Kong & Macau Chapter is proudly supporting the award.  Please visit http://www.hkcs.org.hk/oictwa/ for details.

CCSP Training Course in March 2020

In the ever-changing world of the cloud, you face unique security challenges every day — from new threats to sensitive data, to uneducated internal teams. The Certified Cloud Security Professional (CCSP) recognises IT and information security leaders who have the knowledge and competency to apply best practices to cloud security architecture, design, operations and service orchestration. It shows you’re on the forefront of cloud security.

The next CCSP course in Hong Kong will be organised in March 2020:

17-19 & 24-25 March 2020,
09:00-18:00
1/F, HKPC Building,
78 Tat Chee Avenue,
Kowloon, Hong Kong
Cantonese with handout in English For people who interested in cyber security

CSA HKM members are entitled to special discount for the course.  Click HERE for details.

Cloud Security Alliance Announces Industry’s First Credential for Cloud Auditing

The Cloud Security Alliance (CSA) has announced the Certificate of Cloud Auditing Knowledge (CCAK), the only credential for industry professionals that demonstrates expertise in the essential principles of auditing cloud computing systems. Set to be released in the second half of 2020, the CCAK aims to solve the current industry knowledge gap for IT audit and security professionals trained and certified for traditional on-premise IT auditing and assurance.

Designed to provide CISOs, security and compliance managers, internal and external auditors, and practitioners of tomorrow with the proven skillset to address the specific concerns that arise from the use of various forms of cloud services, the CCAK will provide a common baseline of expertise and shared nomenclature to ensure that IT auditors and other related stakeholders are communicating appropriately and accurately regarding the effectiveness of cloud security controls.

With its focus on cloud computing, the CCAK differs from traditional IT audit certification programs, which have many excellent elements, but were not developed with an understanding of cloud computing and its many nuances. An audited organization using cloud computing, for instance, will have a very different approach to satisfying control objectives, and a cloud tenant will certainly not have the same administrative access as in a legacy IT system and will employ a wide range of security controls that will be foreign to an audit and assurance professional grounded in traditional IT audit practices.

“Cloud computing represents a radical departure from legacy IT in virtually every respect. The new technology architecture, the nature of how cloud is provisioned, and the new shared responsibility model means that IT audits must be significantly altered to provide assurance to stakeholders that their cloud adoption is secure,” said Jim Reavis, co-founder and CEO, Cloud Security Alliance. “Because CSA already has developed the most widely adopted cloud security audit criteria and organizational certification, we are uniquely positioned to lead efforts to ensure industry professionals have the requisite skill set for auditing cloud environments.”

The CCAK’s holistic body of knowledge will be composed of the CSA’s Cloud Controls Matrix (CCM), the fundamental framework of cloud control objectives; its companion Consensus Assessments Initiative Questionnaire (CAIQ), the primary means for assessing a cloud provider’s adherence to CCM; and the Security, Trust, Assurance & Risk (STAR) program, the global leader in cloud security audits and self-assessments, in addition to new material.

For more than 10 years, CSA has led the development of the trusted cloud ecosystem, which notably includes the STAR program and the Certificate of Cloud Security Knowledge (CCSK), the gold standard for measuring professional competency in cloud security. The CCAK and the CCSK will complement one another in that the CCSK provides the knowledge that enables an expert to secure cloud systems that will, in turn, be successfully scrutinized by an expert holding the CCAK. In many cases, an industry professional will be well served by obtaining both certificates.

Because the CCAK is intended to create a common cloud audit understanding, it’s expected to become a mandatory requirement for IT auditors and highly recommended for IT managers and professionals, especially governance, risk management, compliance, and vendor/supply chain management.

Several opportunities exist for those looking to participate in the CCAK’s development. Individuals can volunteer to provide subject matter expertise or peer review, while organizations with a vested interest in cloud security can become a founding sponsor. Learn more about the Certificate for Cloud Auditing Knowledge and how to get involved.

CCSP Information Sharing Session

APAC-CCSP-Info-Session-708x212

To support continuous professional development for InfoSec and CloudSec professionals in the region, ISC2 will be running an information webinar for CCSP certification on November 7 at 14:00 HKT.  In this 60-min info session, you will learn:

  • Current trends in the cloud security space
  • Reasons why you should pursue the CCSP certification
  • Overview of the recent updates to the CCSP domains
  • How to earn the CCSP certification, including exam and experience requirements
  • And you have the opportunity to ask any question that you may have

Do not miss the opportunity and register at: https://www.isc2.org/News-and-Events/Webinars/APAC-Webinars?commid=372419&utm_source=csa_hk#

CSA HKM Supports CTF Open 2019

CTF Open 2019
Cloud Security Alliance Hong Kong & Macau Chapter is a supporting organsiation for the CTF Open 2019.  This will probably be the first CTF competition ever held in Hong Kong open to both students and general public.

Semi-Final Round

  • Date : October 5-6, 2019
  • Time : 12:00 pm October 5 to 6:00 pm October 6
  • Duration : 30 Hours
  • Style : Online Jeopardy
  • Category : Student (Hong Kong Full-Time Undergraduate Students) and Public (Open to everyone)
  • Teams : Each team must have 2 – 4 members

Grand Final Round

  • Date : October 19, 2019
  • Time: 10:00 am to 4:00 pm
  • Venue : Deloitte (35/F, One Pacific Place, 88 Queensway, Hong Kong)
  • Duration : 6 Hours
  • Style : On-site Jeopardy
  • Participants must bring and use their own personal computing devices

For details and registration, please visit: https://www.eventbrite.hk/e/hk-ctf-open-2019-opening-and-cyber-security-seminar-of-red-vs-blue-tickets-73305311159