Speeding the Secure Cloud Adoption Process

By Vinay Patel, Chair, CSA Global Enterprise Advisory Board, and Managing Director, Citigroup

State of Cloud Security 2018 report coverInnovators and early adopters have been using cloud for years, taking advantage of the quicker deployment, greater scalability, and cost saving of services. The growth of cloud computing continues to accelerate, offering more solutions with added features and benefits, and with proper implementation, enhanced security. In the age of information digitalization and innovation, enterprise users must keep pace with consumer demand and new technology solutions ensuring they can meet both baseline capabilities and security requirements.

CSA’s new report, c This free resource provides a roadmap to developing best practices where providers, regulators, and the enterprise can come together in the establishment of baseline security requirements needed to protect organizational data.

The report, authored by the CSA Global Enterprise Advisory Board, examines such areas as the adoption of cloud and related technologies, what both enterprises and cloud providers are doing to ensure security requirements are met, how to best work with regulators, the evolving threat landscape, and goes on to touch upon the industry skills gap.

Among the report’s key takeaways are:

  • Exploration of case studies and potential use cases for blockchain, application containers, microservices and other technologies will be important to keep pace with market adoption and the creation of secure industry best practices.
  • With the rapid introduction of new features, safe default configurations and ensuring the proper use of features by enterprises should be a goal for providers.
  • As adversaries collaborate quickly, the information security community needs to respond to attacks swiftly with collaborative threat intelligence exchanges that include both providers and enterprise end users.
  • A staged approach on migrating sensitive data and critical applications to the cloud is recommended.
  • When meeting regulatory compliance, it is important for enterprises to practice strong security fundamentals to demonstrate compliance rather than use compliance to drive security requirements.

Understanding the use of cloud and related technologies will help in brokering the procurement and management of these services while maintaining proper responsibility of data security and ownership. Education and awareness still needs to improve around provider services and new technologies for the enterprise. Small-scale adoption projects need to be shared so that security challenges and patterns can be adopted to scale with the business and across industry verticals. This skills gap, particularly around cloud and newer IT technologies, needs to be met by the industry through partnership and collaboration between all parties of the cyber ecosystem.

The state of cloud security is a work in progress with an ever-increasing variety of challenges and potential solutions. It is incumbent upon the cloud user community, therefore, to collaborate and speak with an amplified voice to ensure that their key security issues are heard and addressed.

Download the full report.

Five Reasons to Reserve Your Seat at the CCSK Plus Hands-on Course at RSAC 2018

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

man investing in Certificate of Cloud Security Knowledge courseThe IT job market is tough and it’s even tougher to stand out from the pack, whether it’s to your current boss or a prospective one. There is one thing, though, that can put you head and shoulders above the rest—achieving your Certificate of Cloud Security Knowledge (CCSK). CCSK certificate holders have an advantage over their colleagues and get noticed by employers across the IT industry, and no wonder.

It’s been called the “mother of all cloud computing security certifications” by CIO Magazine, and Search Cloud Security notes that it’s “a good alternative cloud security certification for an entry-level to midrange security professional with an interest in cloud security.” So it was no surprise when Certification Magazine listed CCSK at #1 on the Average Salary Survey 2016.

For those interested in taking their careers to the next level, we are offering the CCSK Plus Hands-on Course (San Francisco, April 15-16) at the 2018 RSA Conference.

Our intensive 2-day course gives you hands-on, in-depth cloud security training, where you’ll learn to apply your knowledge as you perform a series of exercises to complete a scenario bringing a fictional organization securely into the cloud.

Divided into six theoretical modules and six lab exercises, the course begins with a detailed description of cloud computing, and goes on to cover material from the official Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Controls Matrix v3.0.1 (CCM) documents from Cloud Security Alliance, and recommendations from the European Network and Information Security Agency (ENISA).

Still on the fence? Here are five reasons you need to register today.

  1. Get trained by THE best in the business. Rich Mogull, a prominent industry analyst and sought-after speaker at events such as RSAC and BlackHat, will be there to guide you through this 2-day, intensive cloud security course. Not only is he the most experienced CCSK trainer in the industry, but he created the course content. Need we say more?
  2. Gain actionable security knowledge. In addition to learning the foundational differences of cloud, you’ll acquire practical knowledge and the skills to build and maintain a secure cloud business environment right away. It’s good for you and good for your company.
  3. Make the boss sit up and notice. Your newfound knowledge will translate to increased confidence and credibility when working within the cloud, and just maybe a better job or dare we say, a raise?
  4. Move to the head of the class. By the end of the course, you’ll be prepared to take the CCSK exam to earn your Cloud Security Alliance CCSK v4.0 certificate, a highly regarded certification throughout the industry certifying competency in key cloud security areas. ‘Nuff said.
  5. Invest in your future. The course price includes the cost of the exam, a $395 value. That’s what we call a sound investment.

Still not convinced? Watch this and you will be.

Register.

CSA Summit at RSA Conference 2018 Turns Its Focus to Enterprise Grade Security: Will you be there?

By J.R. Santos,  Executive Vice President of Research, Cloud Security Alliance

CSA Summit at RSAC 2018Today’s enterprise cloud adoption has moved well beyond the early adopters to encompass a wide range of mission-critical business functions. As financial services, government and other industries with regulatory mandates have made significant steps into the cloud over the past year, it’s only fitting that this year’s CSA Summit at RSA Conference 2018, now in its ninth year, turn its attention to enterprise-grade security.

For both companies and governments, however, making this leap has not come without effort. It’s required a transformation in both the technology of security and the mindset of security professionals. To help facilitate this transformation, we’ll again be bringing together some of the best and brightest minds from across the industry to share the common practices that are enabling the shift to cloud as our dominant IT system.

Thought leaders from multi-national enterprises, government, cloud providers and the information security industry will be speaking on some of cloud security’s most pressing topics, including:

  • Appetite for Destruction – The Cloud Edition. Over the last two years, the multitude of data leaks and breaches in the cloud has skyrocketed. Many of these leaks are reminiscent of the past security lessons, and some show new attributes unique to our evolving computing environments. In this short talk, Raj Samani, chief scientist at McAfee, takes a look at the past, and peers toward the future.
  • Cloud Security Journey. Get a preview of how a major retailer solves the problem of security software chaos and fragmentation while addressing new security requirements in this session from Symantec and Albertsons Companies. You’ll get a real-world perspective on how they approached cloud security while addressing end-to-end compliance, data governance, and threat protection requirements.
  • A GDPR-Compliance & Preparation Report Card. With the impending May 2018 deadline for GDPR compliance, organizations worldwide need to account for the regulation in their security policies and programs. Join Netskope Chief Scientist Krishna Narayanaswamy and CSO Jason Clark for an interactive session that previews their recent study with the Cloud Security Alliance on how organizations are preparing for compliance.
  • The Software-Defined Perimeter in Action. Cyxtera’s Cybersecurity Officer Chris Day will chronicle how organizations have taken CSA’s Software-Defined Perimeter (SDP) from experimental to enterprise-grade. You’ll walk away with valuable insights and learn compelling best practices on how enterprises can make SDP adoption a reality.

Other discussions and panels will also explore new frontiers that are accelerating change in information security, such as artificial intelligence, blockchain and fog computing.

Register for RSAC and the Summit today using the discount code 18UCSAFD to receive $100 of the full conference pass to RSAC or receive a complimentary expo pass with the code X8ECLOUD. The CSA Summit is a free event for all registered conference attendees regardless of pass.

For those interested in taking their careers to the next level, we also are offering the CCSK Plus Hands-on Course (April 15-16) at the RSA Conference 2018. Our intensive 2-day course gives you hands-on, in-depth cloud security training, where you’ll learn to apply your knowledge as you perform a series of exercises to complete a scenario bringing a fictional organization securely into the cloud and emerge prepared to take the Certificate of Cloud Security Knowledge exam.

The CCSK gives you a distinct edge over your cloud security colleagues. Why else would CIO Magazine have called it the “Mother of all cloud computing security certifications?” Certification Magazine even listed CCSK at #1 on the Average Salary Survey 2016.

So what are you waiting for? Register now.

 

Electrify Your Digital Transformation with the Cloud

By Tori Ballantine, Product Marketing, Hyland

Taking your organization on a digital transformation journey isn’t just a whimsical idea; or something fun to daydream about; or an initiative that “other” companies probably have time to implement. It’s something that every organization needs to seriously consider. If your business isn’t digital, it needs to be in order to remain competitive.

So if you take it as a given that you need to embrace digital transformation to survive and thrive in the current landscape, the next logical step is to look at how the cloud fits into your strategy. Because sure, it’s possible to digitally transform without availing yourself of the massive benefits of the cloud. But why would you?

Why would you intentionally leave on the table what could be one of the strongest tools in your arsenal? Why would you take a pass on the opportunity to transform – and vastly improve – the processes at the crux of how your business works?

Lightning strikes
In the case of content services, including capabilities like content management, process management and case management, cloud adoption is rising by the day. Companies with existing on-premises solutions are considering the cloud as the hosting location for their critical information, and companies seeking new solutions are looking at cloud deployments to provide them with the functionality they require.

If your company was born in the digital age, it’s likely that you inherently operate digitally. If your company was founded in the time before, perhaps you’re playing catch up.

Both of these types of companies can find major benefits in the cloud. Data is created digitally, natively — but there is still paper that needs to be brought into the digital fold. The digitizing of information is just a small part of digital transformation. To truly take information management to the next level, the cloud offers transformative options that just aren’t available in a premises-bound solution.

People are overwhelmingly using the cloud in their personal lives, according to AIIM’s State of Information Management: Are Businesses Digitally Transforming or Stuck in Neutral? Of those polled, 75 percent use the cloud in their personal life and 68 percent report that they use the cloud for business. That’s nearly three-quarters of respondents!

When we look at the usage of cloud-based solutions in areas like enterprise content management (ECM) and related applications, 35 percent of respondents leverage the cloud as their primary content management solutions; for collaboration and secure file sharing; or for a combination of primary content management and file sharing. These respondents are deploying these solutions either exclusively in the cloud or as part of on-prem/cloud hybrid solutions.

Another 46 percent are migrating all their content to the cloud over time; planning to leverage the cloud but haven’t yet deployed; or are still experimenting with different options. They are in the process of discerning exactly how best to leverage the power of the cloud for their organizations.

And only 11 percent have no plans for the cloud. Eleven percent! Can your business afford to be in that minority?

More and more, the cloud is becoming table stakes in information management. Organizations are growing to understand that a secure cloud solution not only can save them time and money, but also provide them with stronger security features, better functionality and larger storage capacity.

The bright ideas
So, what are some of the ways that leveraging the cloud for your content services can digitally transform your business?

  • Disaster recovery. When your information is stored on-premises and calamity strikes — a fire, a robbery, a flood — you’re out of luck. When your information is in the cloud, it’s up and ready to keep your critical operations running.
  • Remote access. Today’s workforce wants to be mobile, and they need to access their critical information wherever they are. A cloud solution empowers your workers by granting them the ability to securely access critical information from remote locations.
  • Enhanced security. Enterprise-level cloud security has come a long way and offers sophisticated protection that is out of reach for many companies to manage internally.

Here are other highly appealing advantages of cloud-based enterprise solutions, based on a survey conducted by IDG Enterprise:

  • Increased uptime
  • 24/7 data availability
  • Operational cost savings
  • Improved incident response
  • Shared/aggregated security expertise of vendor
  • Access to industry experts on security threats

Whether you’re optimizing your current practices or rethinking them from the ground up, these elements can help you digitally transform your business by looking to the cloud.

Can you afford not to?

What’s Hindering the Adoption of Cloud Computing in Europe?

upload download cloud computingAs with their counterparts in North America, organizations across Europe are eagerly embracing cloud computing into their operating environment. However, despite the overall enthusiasm around the potential of cloud computing to transform their business practices, many CIOs have real concerns about migrating their sensitive data and applications to public cloud environments. Why? In essence, it boils down to a few core areas of concern:

  1. A perceived lack of clarity in existing Cloud Service Level Agreements and security policy agreements
  2. The application, monitoring, and enforcement of security SLA’s
  3. The relative immaturity of cloud services

These issues of course are far from new and, in fact, great progress has been made over the past five years to address these and other concerns around fostering greater trust in cloud computing. The one threat that is present across these issues is transparency – the greater transparency that a cloud service provider can provide into their approach to information security, the more confident organizations will be in adopting and trusting public cloud providers with their data and assets.

To this end, the European Commission (EC) launched the Cloud Selected Industry Group (SIG) on Certification in April of 2013 with the aim of supporting the identification of certifications and schemes deemed “appropriate” for the European Economic Area (EEA) market. Following this, ENISA (European Network and Information Security Agency) launched their Cloud Certification Schemes Metaframework (CCSM) initiative in 2014 to map detailed security requirements used in the public sector to describe security objectives in existing cloud certification schemes. And of course, the Cloud Security Alliance has also played a role in defining security-specific certification schemes with the creation the CSA Open Certification Framework (CSA OCF) which works to enable cloud providers to achieve a global, accredited and trusted certification.

Beyond defining a common set of standards and certifications, SLA’s have become an important proxy by which to gauge visibility into a Cloud provider’s security and privacy capabilities. The specification of security parameters in Cloud Service Level Agreements (“secSLAs)” has been recognized as a mechanism to bring more transparency and trust for both cloud service providers and their customers.  Unfortunately, the conspicuous lack of relevant Cloud security SLA standards has also become a barrier for their adoption. For these reasons, standardized Cloud secSLAs should become part of the more general SLAs/Master Service Agreements signed between the CSP and their customers. Current efforts from the CSA and ISO/IEC in this field are expected to bring some initial results by 2016.

This topic will be a key theme at this year’s EMEA Congress, taking place November 17-19 in Berlin, Germany, with a plenary panel on “Cloud Trust and Security Innovation” featuring Nathaly Rey, Head of Trust, Google for Work as well as a track on Secure SLA’s which is being led by Dr. Michaela Iorga, Senior Security Technical Lead for Cloud Computing, NIST.

To register for the EMEA Congress, visit: https://csacongress.org/event/emea-2015/#registration.