Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Cloud Security Alliance CEO’s Top Cloud Security Priorities

Home
Industry Insights
Cloud Security Alliance CEO’s Top Cloud Security Priorities

Blog Article Published: 10/02/2015

By Jim Reavis, CEO, Cloud Security Alliance.

code42 cloud security csaI would like to thank my friends at Code42 for again giving me a platform to talk about the cloud security issues on my mind. In this blog post, I wanted to discuss some of the changes I am seeing in how security professionals are rethinking best practices as a result of being exposed to cloud computing and what some of the security priorities are as organizations begin to depend upon a critical mass of cloud services.

From comfortable stasis…

Traditional IT systems have been characterized as being static in nature. Indeed, I spent the first 20 years of my career focused on architecture, implementation and security of traditional computer networks. File servers, routers, firewalls and hosts would be carefully sized, designed and put into production, with the hope that they could go years without a single reboot. We valued stability perhaps most of all, and would even develop odd, fond relationships with servers—treating them a bit like favorite pets. Systems would be patched and upgraded of course, but only when deemed absolutely necessary, and only after significant research and regression testing of the updates.

The information security solutions that grew up around this environment recognized the relative permanence of these systems and developed their security strategies accordingly. Detection and prevention of viruses, performing forensics on breaches and several other tasks are carefully integrated with systems, lest we disturb these permanent servers. Sometimes we couldn’t even eradicate malware, as the cure (a reboot with downtime) was worse than the disease. These static systems are actually very fragile.

To ephemeral clouds

By contrast, cloud computing is highly dynamic. We turn services on or off at will. Virtual machines are very transient, not eligible for pet names, unless as part of a cloud orchestration tool we are instantiating Rover001..RoverNNN. This ephemeral cloud is causing security professionals to tackle problems differently. Instead of a painstaking malware mitigation program, why not just turn the virtual machine off, start a new VM and point it at your data sets? Maybe we don’t care about all of the malware details from an operational perspective when we can just make it go away and start over.

This is just one example. The reality is, I don’t think we as a security community have yet grasped all of the implications of cloud computing’s essential characteristics, and have not employed enough imagination yet to replace our security strategies with brand new approaches; but clearly the wheels are turning. It is exciting to see the experts start with a blank slate, rather than duplicating a questionable security tool in cloud.

New approaches to old (and new) security problems

As we are in this phase of transitioning to cloud, security professionals are seeking their ground zero for sound security strategies. Many organizations are starting with their data and working outward from there. A lot goes into protecting data, so I’ll just mention a few priorities. Strong authentication is becoming so common, that it makes an old security professional positively giddy. When you think about some of the early so-called cloud breaches, they were actually not direct attacks on cloud providers, but account takeovers caused by attacks upon a user’s ID and password. We have a lot more to implement here, but it is going in the right direction. Closely related is identity federation. We simply cannot afford to have an employee’s login credentials stored at hundreds of provider locations and must federate our directories rather than duplicating them.

Encryption has proven to be a remarkably resilient security control. When you have the option, take it. CSAexpounds upon the importance of customer control of keys to create an appropriate separation of duties. The challenge for encryption going forward is to make it applicable in as many cloud use cases as possible. Notably, providing encryption for Software-as-a-Service (SaaS) is an important area CSA is focused on, with our new OpenAPI working group seeking to provide an approach that creates seamless encryption that works across any cloud provider.

Taking new approaches to old security problems is a great thing to see. Of course cloud will bring some interesting new security problems, but we’ll leave that for another blog post.

(This post first appeared on Code42's blog Data on the Edge)

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.