By Katie Lewin, Federal Director, Cloud Security Alliance
CSA Summit at RSA was a day-long session on Securing the Converged Cloud organized around presentations and panels from leading vendors such as Centrify, Veracode, Microsoft, and Netskope, as well as a talk on “Effective Cybersecurity” by Ret. Gen. Keith Alexander and a fireside chat with Robert Herjavec of “Shark Tank” fame. (Session recordings from the CSA Summit are now available.)
Several themes emerged over the course of the day of presentations, panels and fireside chats:
- The cloud remains the most secure environment for data, and its acceptance as a secure environment for data storage is at a tipping point among IT users. In one survey cited, half of the respondents said that the cloud was more secure than on-premises.
- Identity continues to be important – the message of many of the speakers is that there are too many passwords and too many special privileges.
- Emphasis should be placed on data protection rather than device protection. Security is moving to Modern Data Controls – from device and identity security to data protection and controls. Rights management and data classification are the key indicators in data control.
- Security must move to a process that authenticates first and then connects as opposed to the current emphasis on connect and then authenticate.
Presentation slides will be available on the CSA web site.
Many speakers asserted that today’s security is not secure. Evidence of this includes the breaches at Yahoo and the U.S. Government Office of Personnel Management, and the 2016 Presidential election. Network perimeters are fading with cloud use, mobile devices, IoT devices and the mobile work force. Therefore, security in the age of access must focus on passwords.
Too many passwords and privileged users require a paradigm shift to identity management.
There is evidence that focusing on identity reduces the number of breaches. Businesses must take steps to implement identity management, including:
- Establish identity assurance across the IT environment;
- Consolidate identities through single sign-on and then layer on multi-factor authentication;
- Limit lateral movement – move to automated provisioning – identify who is still on staff and what they can access;
- Move to an approval workflow for access requests; and
- Audit privileged access.
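The steps above can be turned into repeatable checks against a directory export. The following is an added example written for this post, not code from the summit or from any vendor mentioned; the record layout, the privileged group names, the 90-day staleness threshold and the sample accounts are all constructed assumptions. It flags privileged accounts without MFA, identities not yet consolidated behind SSO, accounts belonging to people who have left, privileged accounts that have gone stale, and privilege granted without an approval ticket.

```python
"""Identity-audit checks over a constructed directory export.

Added example (not from the CSA summit write-up). Field names, group
names, the staleness threshold and the sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

PRIVILEGED_GROUPS = {"domain-admins", "cloud-admins", "db-admins"}  # assumed
STALE_DAYS = 90                                                     # assumed policy


@dataclass
class Account:
    user: str
    groups: set                       # group memberships from the directory
    status: str                       # "active" or "terminated" (assumed HR feed)
    sso_federated: bool               # identity lives in the SSO provider
    mfa_enabled: bool
    days_since_login: Optional[int]   # None means the account never logged in
    approval_ticket: Optional[str]    # access-request approval; None if missing


def is_privileged(acct: Account) -> bool:
    """An account is privileged if it sits in any admin group."""
    return bool(acct.groups & PRIVILEGED_GROUPS)


def audit(accounts):
    """Return a dict of finding-name -> list of usernames.

    Every account in the export is assumed to be enabled, so a terminated
    person still appearing here is a de-provisioning failure.
    """
    findings = {
        "privileged_without_mfa": [],
        "terminated_still_enabled": [],
        "stale_privileged": [],
        "unconsolidated_identity": [],
        "unapproved_privilege": [],
    }
    for a in accounts:
        priv = is_privileged(a)
        if a.status == "terminated":
            findings["terminated_still_enabled"].append(a.user)
        if priv and not a.mfa_enabled:
            findings["privileged_without_mfa"].append(a.user)
        if priv and (a.days_since_login is None or a.days_since_login > STALE_DAYS):
            findings["stale_privileged"].append(a.user)
        if not a.sso_federated:
            findings["unconsolidated_identity"].append(a.user)
        if priv and a.approval_ticket is None:
            findings["unapproved_privilege"].append(a.user)
    return findings


def finding_count(findings) -> int:
    """Total number of (account, finding) pairs, for a quick summary line."""
    return sum(len(v) for v in findings.values())


# Constructed sample export: five accounts with deliberately mixed hygiene.
SAMPLE_EXPORT = [
    Account("alice", {"developers"}, "active", True, True, 3, None),
    Account("bob", {"domain-admins"}, "active", True, False, 1, "CHG-1001"),
    Account("carol", {"cloud-admins"}, "terminated", True, True, 200, "CHG-0992"),
    Account("dave", {"db-admins"}, "active", False, True, None, None),
    Account("svc-backup", {"db-admins"}, "active", True, True, 0, "CHG-0870"),
]

if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    for name, users in result.items():
        print(f"{name}: {', '.join(users) if users else '-'}")
    print(f"total findings: {finding_count(result)}")
```

Run as a script it prints one line per check; in practice the export would come from the directory or SSO provider's API and the findings would feed the approval workflow and the periodic privileged-access review.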
Speakers emphasized that the transition to the cloud can be revolutionary rather than evolutionary. There were several real-life examples of a revolutionary transition. One large company wanted to eliminate its Intranet and rely solely on the Internet. The benefits of this approach included single sign-on, reduced complexity, establishment of standards, improved security and cost efficiency. In addition, the company did not have to secure and maintain network devices on its premises. In order to effect this transition, the company determined that it needed to concentrate on securing its data assets rather than its appliances. The approach it took was to establish a strict policy-based access structure combined with micro-segmentation. This approach was successful. Using the Internet gives users access comparable to private network transactions and eliminates the choke point of routing all transactions through a single data center. The company was also able to optimize data center traffic using a hybrid cloud approach.
One of the highlights of the day was a speech from Ret. Gen. Keith Alexander on “Strategy of Effective Cybersecurity.” He began by outlining some of the current trends in the cyber world:
- Technology is rapidly changing, and the data available is increasing exponentially; but this information becomes outdated within a 2-3 year horizon.
- Advanced technology is playing a more important role in our lives – for example, IBM’s Watson is now working on formulating chemotherapy for brain cancer patients.
- Moving to the cloud is good – resulting in better security and cost savings especially for small and mid-size businesses.
However, there are threats that must be addressed in this environment. Cyber skills are now part of a nation’s power in the world. There are many examples of this, including cyber attacks from nation states aimed at other states. These attacks are evolving from disruptive to destructive.
What is the path forward to meet these threats? Entities must share metadata on attacks and intrusion attempts in order to have the information needed to formulate defensive strategies. There should also be Software-as-a-Service defensive tools in the cloud available for entities to share. These tools and strategies can be developed and implemented while also protecting civil liberties and privacy.
Product Announcement from AWS – Regulatory Product Mapping Tool
This tool maps security control frameworks to reveal overlap and gaps between various security methodologies. Currently, the product includes the FedRAMP controls and the AWS set of controls. Other control sets will be added. This product could be useful in determining how long it would take and how much it could cost for a system to obtain an Authority to Operate from a Federal agency.