At his 2019 CyberCrime Symposium presentation, Jim Reavis saluted the audience for participating in the annual event, noting the high ratio of return attendees.
“Clearly, it’s more than a conference – it’s a community,” said Reavis, who knows a thing or two about the importance of communities in the cybersecurity scheme. Since 2009, when he co-founded the Cloud Security Alliance (CSA), he’s been on a mission to build, educate, foster, and equip a global community dedicated to cloud security.
“Cybersecurity is now indistinguishable from national security, and with so much at stake, communities are critical to our industry,” said Reavis, CSA’s CEO. “Our jobs are to secure our organizations, but we really need to work together to secure everything.”
In his session, he outlined CSA’s integral role in defining cloud security best practices, its body of research, and the industry-standard frameworks, tools, and certifications its community has contributed to the cause.
Say Yea, not Nay
A 30-year info-security veteran, Reavis was always more interested in the blend of art and science in cyberwarfare than in technology alone. Influential in his decision to create CSA, he said, was a convergence of sorts. First, he saw the results of early virtualization work, and considered the long-standing problems it would help solve and new ones it would create. Meanwhile, he’d been reading some persuasive published materials that compared the software-defined world shift to evolution’s most-explosive periods and argued that computing, like electricity, was becoming a utility.
What if the info-sec community, rather than responding in its usual way, took a proactive stance toward the gathering cloud storm? With CSA bringing stakeholders together, Reavis thought, they could get a jump on large-scale cloud migration and be a positive voice as cloud clamor grew.
“If we started defining defensible best practices in 2009,” he said, “they’d be in place when adoption took off.”
That year, CSA published the first version of its Security Guidance. “We wanted to produce a comprehensive knowledgebase that put a stake in the ground, outlining best practices as well as unresolved security issues,” said Reavis.
CSA contributors periodically issue major Guidance updates, releasing v.4.0 in 2017. In addition to its larger purpose, it serves as the study guide for CSA’s Certificate of Cloud Security Knowledge, the first cloud security certification for users. Reavis encouraged attendees to check out the CCSK, because “in 90% of breaches, the issue’s on the cloud tenant side.”
Today, CSA has a global footprint, with a membership comprising more than 96,000 individuals, 400 corporations, and leading cloud providers, systems integrators, and the Big 4 firms. Like the cloud itself, CSA takes an agile approach to research, regularly releasing new studies and other materials and iteratively updating them. Its site hosts more than 300 free research artifacts, accessible here: https://cloudsecurityalliance.org/research.
Top to Bottom
In year one, CSA also introduced its Cloud Reference Architecture. Adopting NIST’s standard definitions of cloud types, deployment models, and essential characteristics – for instance, private, public, hybrid; SaaS, PaaS, IaaS; elasticity and resource pooling – the framework presented the cloud as layered, with SaaS as the top layer, PaaS in the middle, and IaaS at the bottom. This model helps infosec pros visualize how different layers impact security programs, where new technologies might fit, and what security controls they’ll implement based on cloud computing’s shared responsibility model.
“This was visionary in 2008 because SaaS wasn’t available from big public providers – it came from application service providers, who had their own data centers and infrastructure,” said Reavis. But based on their tracking of cloud computing and economic efficiency trends, CSA contributors predicted that eventually, virtually all SaaS applications would mash-up across cloud types.
Building on this foundational architecture, CSA rolled out a suite of tools that help users assess risk, audit controls, and identify CSPs with strong security postures. These include:
- Cloud Controls Matrix (CCM). This baseline control framework is designed for cloud supply-chain risk management. It outlines more than 130 cloud-specific controls across 16 control domains, and delineates customer and provider control responsibilities. It also maps controls to other frameworks and security standards – ISO 27001, HIPAA, PCI, NIST, and FedRAMP, to name a few. “Traditionally, you had to pay a lot to understand how standards mapped to each other,” said Reavis. “In our view, these mappings should be freely available.”
- Consensus Assessment Initiative Questionnaire (CAIQ). CAIQ helps users assess their CCM compliance and develop assessment processes for their CSPs, who, in turn, use it to get a handle on their own security posture. “While the CCM outlines fundamental cloud control objectives, the questionnaire helps teams determine the presence of specific controls,” said Reavis.
- Security, Trust, and Assurance Registry (STAR). In 2011, in response to the countless, varied assessment questionnaires circulating among CSPs and users, CSA introduced the STAR provider program. It’s a searchable registry of documented security controls in cloud offerings, based on CCM and CAIQ standards. To date, the repository houses control documents from 135 CSPs. Providers can conduct self-assessments or take things to a higher level and get STAR-certified by third-party auditors.
- Code of Conduct for GDPR Compliance. More recently, CSA contributors issued this GDPR compliance template, and followed up by adding an associated self-assessment questionnaire to the STAR program. CSPs use the tool to ensure they meet EU data protection standards, while customers apply it to assess CSP compliance.
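To make the shared responsibility model and the CCM/CAIQ pairing concrete, here is an added example (not CSA’s code, and not drawn from the real Cloud Controls Matrix or any real CAIQ submission): a small gap analysis that takes a control list with its responsibility assignment (provider, customer, or shared) plus CAIQ-style yes/no/NA answers from each party, and reports which controls are unmet and on whose side the gap lies. The control identifiers, domains, responsibility assignments and answers are constructed placeholders.

```python
"""Shared-responsibility gap analysis over CAIQ-style answers.

Added example, not CSA's code or data: the control identifiers, domains,
responsibility assignments and answers below are constructed placeholders,
not entries from the real Cloud Controls Matrix or a real CAIQ submission.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    domain: str
    responsibility: str  # "provider", "customer" or "shared"


# Constructed placeholder controls (not real CCM IDs).
CONTROLS = [
    Control("EX-IAM-01", "Identity & Access", "shared"),
    Control("EX-IAM-02", "Identity & Access", "customer"),
    Control("EX-ENC-01", "Encryption", "shared"),
    Control("EX-DCS-01", "Datacenter Security", "provider"),
    Control("EX-LOG-01", "Logging & Monitoring", "shared"),
]

# Constructed CAIQ-style answers: "yes", "no" or "na".
PROVIDER_ANSWERS = {
    "EX-IAM-01": "yes", "EX-ENC-01": "yes", "EX-DCS-01": "yes", "EX-LOG-01": "yes",
}
CUSTOMER_ANSWERS = {
    "EX-IAM-01": "yes", "EX-IAM-02": "no", "EX-ENC-01": "no", "EX-LOG-01": "na",
}


def owners(control):
    """Parties that must attest to a control under shared responsibility."""
    if control.responsibility == "shared":
        return ("provider", "customer")
    return (control.responsibility,)


def find_gaps(controls, provider_answers, customer_answers):
    """Return {control_id: [party, ...]} for every control that is not
    answered "yes" by each party that owns it.  A missing answer or an
    "na" counts as a gap: the conservative reading is that nobody has
    shown the control is in place."""
    answers = {"provider": provider_answers, "customer": customer_answers}
    gaps = {}
    for c in controls:
        missing = [p for p in owners(c)
                   if answers[p].get(c.control_id, "no") != "yes"]
        if missing:
            gaps[c.control_id] = missing
    return gaps


def coverage_by_domain(controls, gaps):
    """Fraction of controls in each domain with no gap."""
    totals, ok = {}, {}
    for c in controls:
        totals[c.domain] = totals.get(c.domain, 0) + 1
        if c.control_id not in gaps:
            ok[c.domain] = ok.get(c.domain, 0) + 1
    return {d: ok.get(d, 0) / n for d, n in totals.items()}


if __name__ == "__main__":
    found = find_gaps(CONTROLS, PROVIDER_ANSWERS, CUSTOMER_ANSWERS)
    for cid, parties in sorted(found.items()):
        print(f"{cid}: gap on {', '.join(parties)} side")
    for domain, frac in coverage_by_domain(CONTROLS, found).items():
        print(f"{domain}: {frac:.0%} covered")
```

With the constructed answers, every reported gap sits on the customer side even though the provider attested “yes” to all of its controls, which is the point of the tenant-side breach statistic quoted above: a clean provider CAIQ says nothing about the controls the customer still owns.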
As the CSA community grows, members and contributors continually ramp up research and other deliverables, focused on staying ahead of the cloud security curve. It has working groups researching open security questions such as AI, IoT, blockchain, and quantum computing.
Reavis implored attendees to become part of as many relevant communities as possible, as well as to “fight for the time you need to engage with other members” of professional associations and less-structured communities.
“We need to share information and practices that are working,” he said. “We can’t operate like those private fire departments of old, who worked for one company and watched nearby buildings burn to the ground because it wasn’t their job.”
This is the second in our series of posts presenting key takeaways from our 2019 CyberCrime Symposium, held Oct. 17-18. The program—Cloud Security—featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, don’t miss upcoming installments.