Cloud Security Alliance’s D.C. Metro Area Chapter announces the event of the year: the Cybersecurity Cruise!

By: Anil Karmel, President, CSA-DC Chapter & Co-Founder and CEO of C2 Labs, Inc.

About a year ago, CSA recognized the need to establish a local chapter serving the unique needs of the Washington D.C. Metro Area. It’s been my honor and privilege to serve as the President of this new Chapter alongside a distinguished group of thought leaders to execute on the mission of the Cloud Security Alliance. The Washington D.C. region comprises a diverse range of businesses, government organizations, and academic institutions, as well as many heavily regulated industries such as the U.S. Government and the healthcare and financial sectors.

Our local mission is to:

  • Provide a forum for the local I.T. community to network and share lessons learned via a series of events focused on the unique needs of our region
  • Develop collaborative guidance for I.T. Modernization and Policy incorporating security by design in the form of position papers
  • Conduct compelling research on topics that are top of mind for our community

The CSA-DC events committee is excited to announce our signature event of the year on Thursday, September 26, from 4:00 – 8:30 pm. We will be cruising the historic Potomac River on a dinner cruise (open bar!) followed by a cybersecurity conversation with a rockstar panel. Register today to discuss The Boundary of Security & Privacy. Privacy is becoming an ever-increasing concern in our world today. Social networks are now focusing on users’ privacy, given the inherent security risks posed by organizations’ access to personally identifiable information. The European Union has enacted GDPR, valuing privacy, whereas on the opposite end of the spectrum, China has implemented a Social Credit System. What role do reputational systems play in our society? How do we design security controls for information systems while balancing users’ rights to their personal information? Where’s the boundary of security and privacy? Join us to hear a distinguished panel of speakers discuss this topic in detail.

  • Robert Brese, VP & Executive Partner, Gartner
  • Dr. Ron Ross, Fellow, National Institute of Standards and Technology
  • Alex Ruiz, Director, Information Security, U.S. Card, Capital One
  • Shaun Khalfan, Vice President Information Security, Freddie Mac
  • Gregg “Skip” Bailey, Deputy Chief Information Officer, U.S. Census (Invited)

Register today as space is limited!

We’re also pleased to present our inaugural “Next Generation Thought Leader” Award. This award has been established by the Cloud Security Alliance’s D.C. Metro area chapter (CSA-DC) to provide recognition to individuals or teams who are shining the light and leading the way into the future with timely, high-value research expected to have a powerful and positive impact on the practice of cloud security. Based on an annual, peer-elected selection of research topics provided by members of the CSA-DC Chapter, this award is presented to researchers who have established a clear research direction and taken steps to advance the cloud security body of knowledge. We will award this individual on our cruise. We look forward to seeing you there!

Interested in getting involved? Please reach out to Anil Karmel or Kimberly Lessard

Join the conversation by following #CSADCCruise2019 #CSADC

Follow us on Twitter @CloudSADC, LinkedIn, YouTube, MeetUp

Highlights from the CSA Summit at Cyberweek

By Moshe Ferber, Chairman, Cloud Security Alliance, Israel and Damir Savanovic, Senior Innovation Analyst, Cloud Security Alliance

The city of Tel Aviv is crowded throughout the year with a buzzing cybersecurity ecosystem, but in the last week of June this ecosystem comes to a boil when Tel Aviv University hosts its annual Cyberweek conference – one of the largest cybersecurity conferences in the world, with over 9,000 visitors from over 80 different countries.

In this wonderful habitat of cybersecurity innovation, the Cloud Security Alliance conducted its first Tel Aviv Summit at Cyberweek. During the week, CSA held a special CCSK training and a full day of lectures discussing the current state and future of cloud computing.

One of Cyberweek’s main attractions is that its organizers have managed to make the conference appealing to many different audiences: the military, government and private sector all find something of interest at the various events. Whether they are decision makers or technology geeks, there is something for everyone. The same diversity was also obvious at the CSA Summit itself – decision makers enjoyed lectures such as…

  • The opening keynote by Damir Savanovic from CSA, who gave two excellent talks on cloud certifications and the future of Blockchain in the cloud
  • ABN AMRO CISO advisor Olaf Streutker elaborating on the cloud octagon model, an innovative model that challenges enterprises to investigate risk from perspectives other than that of the cloud service provider. (The Octagon Model white paper was released the same day by the CSA Financial Services working group)
  • Yuval Segev from the Israeli National Cyber Directorate explaining the INCD model for supply chain risk management (cloud adoption puts a heavy burden on supply chain evaluation)
  • Dr. Nicola Sfondrini sharing CSA Italy’s success in assisting the Italian government on its cloud adoption journey.

For summit delegates who are more interested in technology innovation –

  • Eitan Satmary from the WIX security team talked about managing web security for environments with millions of users, while Boris Giterman from Dell EMC detailed their project for creating cloud trustworthiness in cooperation with the EU.
  • Attendees interested in the vibrant innovation scene in Israel and the role startups play in it were able to enjoy a brilliant lecture from Ofer Smadari, Founder of Luminate (acquired by Symantec), about the journey from an idea about SDP (software-defined perimeter) to acquisition by one of the world’s largest companies.
  • Ivan Robles from CSA Spain shared an interesting view on how to perform audit & forensics in the cloud, while Ian Evans from OneTrust shared valuable advice on how to overcome today’s most common security & privacy challenges.
  • The closing keynote was delivered by Tim Rains from AWS, weighing in on the myths & opportunities of cloud security.

If you weren’t able to attend or would like a refresher, you can view the CSA Summit presentations on Youtube here.

2019 was the first time that a CSA Summit was held as part of the Tel Aviv Cyberweek, but we are sure that the combination of an excellent venue, a vast variety of topics and the attractive audience of Cyberweek is a recipe for making this event a regular at Cyberweek! Below are some photos from the CSA Summit and Cyberweek for you to enjoy.

CSA Summit Recap Part 2: CSP & CISO Perspective

By Elisa Morrison, Marketing Intern, Cloud Security Alliance

When CSA was started in 2009, Uber was just a German word for ‘Super’ and all CSA stood for was Community Supported Agriculture. Now in 2019, spending on cloud infrastructure has finally exceeded on-premises, and CSA is celebrating its 10th anniversary. For those who missed the Summit, this is the CSA Summit Recap Part 2, and in this post we will be highlighting key takeaways from sessions geared towards CSPs and CISOs.

Can you trust your eyes? Context as the basis for “Zero Trust” systems – Jason Garbis

During this session, Jason Garbis identified three steps towards implementing Zero Trust: reducing attack surfaces, securing access, and neutralizing adversaries. He also addressed how to adopt modern security architecture to make intelligent actions for trust. In implementing Zero Trust, Garbis highlighted the need for:

  • Authentication. From passwords to biometrics to tokens. That said, authentication alone is not sufficient for adequate security; as he warned, it comes too late in the process.
  • Network technology changes. Firewall technology is too restricted (e.g. an IP address is shared across multiple people), and the only question it can answer is yes-or-no access. This is not Zero Trust. Better security is based on the role or person and on the data definition; it offers more alternatives because the decision draws on many attributes.
  • Access control requirements. There is a need for requirements that dynamically adjust based on context. If possible, organizations need to find a unified solution via Software-Defined Perimeter.
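The contrast Garbis draws, an address-based yes/no firewall versus a decision built from the requester's role, device and the data's classification, is illustrated below with an added example that is not from the talk or the page. The NAT range, roles, clearances and requests are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: one office NAT address range shared by every user behind it
# (TEST-NET-3 documentation range, not a real deployment).
OFFICE_NAT = ip_network("203.0.113.0/24")

# Hypothetical policy: which roles may read which data classifications.
ROLE_CLEARANCE = {
    "analyst": {"public", "internal"},
    "finance": {"public", "internal", "confidential"},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    source_ip: str
    device_managed: bool
    mfa: bool
    data_class: str  # "public", "internal" or "confidential"


def ip_firewall_decision(req: Request) -> bool:
    """Perimeter-style control: allow or deny purely on the source address.
    Everyone behind the shared NAT gets the same answer."""
    return ip_address(req.source_ip) in OFFICE_NAT


def context_decision(req: Request) -> bool:
    """Zero Trust style: decide on who is asking, from what device,
    with what assurance, for which class of data."""
    if req.data_class not in ROLE_CLEARANCE.get(req.role, set()):
        return False
    # Confidential data additionally requires a managed device and MFA.
    if req.data_class == "confidential" and not (req.device_managed and req.mfa):
        return False
    return True


# Constructed requests: two users share the office NAT, one works remotely.
REQUESTS = [
    Request("alice", "finance", "203.0.113.10", True, True, "confidential"),
    Request("bob", "analyst", "203.0.113.10", False, False, "confidential"),
    Request("carol", "analyst", "198.51.100.7", True, True, "internal"),
]


def compare(requests=REQUESTS) -> dict:
    """Return {user: (firewall_allows, context_allows)} for each request."""
    return {r.user: (ip_firewall_decision(r), context_decision(r)) for r in requests}


if __name__ == "__main__":
    for user, (fw, ctx) in compare().items():
        print(f"{user:6} firewall={fw!s:5} context={ctx}")
```

The firewall cannot tell alice from bob because they share an address, and it turns carol away although her request is legitimate; the context-based decision gets all three right.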

Securing Your IT Transformation to the Cloud – Jay Chaudhry, Bob Varnadoe, and Tom Filip

Every CEO wants to embrace cloud, but how can you do it securely? The old world was network-centric, and the data center was the center of the universe. We could build a moat around our network with firewalls and proxies. The new world is user-centric, and network control is fluid. Not to mention, the network is decoupled from security, and we rely on policy-based access as depicted in the picture below.

Slide: Old World vs New World

In order to address this challenge, organizations need to view security with a clean slate. Applications and the network must be decoupled. More cloud traffic is encrypted, but encryption also offers malicious users a way in, so proxies and firewalls should be used to inspect that traffic.

Ten Years in the Cloud – PANEL

The responsibility to protect consumers and enterprise has expanded dramatically. Meanwhile, the role of the CISO is changing – responsibilities now include both users and the company. CISOs are faced with challenges as legacy tools don’t always translate to the cloud. Now there is also a need to tie the value of the security program to business, and the function of security has changed especially in support. In light of these changes, the panel unearthed the following five themes in their discussion of lessons learned in the past 10 years of cloud.

  1. Identity as the new perimeter. How do we verify that people are who they say they are?
  2. DevOps as critical for security. DevOps allows security to be embedded into the app, but it is also a risk since there is faster implementation and more developers.
  3. Ensuring that security is truly embedded in the code. Iterations in real-time require codified security.
  4. Threat and data privacy regulations. This is on the legislative to-do list for many states; comparable to the interest that privacy has in financial services and health care information.
  5. Security industry as a whole is failing us all. It is not solving problems in real-time; as software becomes more complex it poses security problems. Tools are multiplying but they do not address the overall security environment. Because of this, there’s a need for an orchestrated set of tools.

Finally! Cloud Security for Unmanaged Devices… for All Apps – Nico Popp

Now we have entered the gateway wars… Web vs. CASB vs. SDP. Whoever wins, the problem of BYOD and unmanaged devices still remains. There is also the issue that we can’t secure end users’ mobile devices. As is, the technologies of mirror gateway and forward proxy solve the sins of “reverse proxy” and have become indispensable blades. Forward proxy is the solution for all apps when you can manage the endpoint, and mirror gateway can be used for all users, all endpoints and all sanctioned apps.

Lessons from the Cloud – David Cass

Cloud is a means to an end … and the end requires organizations to truly transform. This is especially important as regulators expect a high level of control in a cloud environment. Below are the key takeaways presented:

  • Cloud impacts the strategy and governance from the strategy, to controls, to monitoring, measuring, and managing information all the way to external communications.
  • The enterprise cloud requires a programmatic approach with data as the center of the universe and native controls only get you so far. Cloud is a journey, not just a change in technology.
  • Developing a cloud security strategy requires taking into account service consumption, IaaS, PaaS, and SaaS. It is also important to keep in mind that cloud is not just an IT initiative.

Security Re-Defined – Jason Clark and Bob Schuetter

This session examined how Valvoline went to the cloud to transform its security program and accelerate its digital transformation. When Valvoline split off in an IPO, creating two global multi-billion-dollar startups, neither had a datacenter. The data was flowing like water, complexity and control created friction, and there was a lack of visibility.

Slide: Digital transformation

They viewed cloud as security’s new north star, and said ‘The Fourth Industrial Revolution’ was moving to the cloud. So how did they get there? The following are the five lessons they shared:

  1. Stop technical debt
  2. Go where your data is going
  3. Think big, move fast, and start small
  4. Organizational structure, training, and mindset
  5. Use the power of new analytics

Blockchain Demo

Slide: A simple claim example

Inspired by the cryptocurrency model, OpenCPEs is a way to revolutionize how security professionals measure their professional development experiences.

OpenCPEs provides a method of validating experiences listed on your resume without maintaining or storing an individual’s personal data. Learn more about this project by downloading the presentation slides.

The full slides to the summit presentations are available for download.

Top Ten Reasons You Need to Attend the CSA Summit @ RSA February 29th

Cloud Security Alliance’s 7th annual CSA Summit @ RSA will be our biggest yet, with educational sessions covering cloud security from every angle. This Monday event is free for any type of RSA Conference pass holder, so make your plans to attend. If you need any more enticement, below are the Top Ten reasons you need to be there:

  1. Leading edge discussions of containerization, new cloud attack vectors, Cloud Access Security Brokers (CASBs), identity, Internet of Things (IoT) and much more!
  2. It is held on Leap Day, so if you are operating on an old calendar you probably didn’t have anything scheduled for February 29 anyway.
  3. Former SEC Commissioner Luis A. Aguilar provides his vision of how Boards of Directors must address emerging cybersecurity issues, how private and public companies must cope with rapid technological innovation and the role of the U.S. Securities and Exchange Commission must play now and in the future.
  4. Free lunch.
  5. Enterprise experts abound to share experiences. Learn how cloud is causing GE to completely rethink their network architecture and security controls. Hear Cisco CISO John Stewart discuss managing cloud security at scale in a decentralized world. Don’t miss Vinay Patel from Citi launch the CSA Global Enterprise Advisory Board.
  6. See a noted security celebrity get the annual CSA Leadership Award (hint: it won’t be Leonardo DiCaprio)
  7. Security experts provide guidance to overcome the CSA’s Top Threats to Cloud Computing, with the new report to be released at the Summit.
  8. Guaranteed no ransomware-infected USB drives in attendee bags.
  9. Herjavec Group CEO and top “Shark” Robert Herjavec discusses information security innovation and puts the industry’s top cloud providers on the hot seat.

And the number one reason you need to attend the CSA Summit @ RSA February 29th:

  1. No 2016 Presidential Candidates Allowed in the Room.

Come to the Summit to Learn, Engage and Start your RSA week off right:

CSA to Hold Inaugural Federal Summit on May 5th in Washington DC

The CSA is excited to announce that it will be holding its inaugural Federal Summit 2015 on May 5th in Washington DC. The Cloud Security Alliance Federal Summit is a free event for government, bringing together information security professionals from civilian and defense agencies to share experiences and learn about best practices for securing cloud computing and emerging security topics.

The one-day event will feature security experts from the CSA including Jim Reavis, CEO of the CSA, as well as Matt Goodrich, Program Director of FedRAMP, and Dr. Michaela Iorga, Sr. Security Technical Lead for Cloud Computing, NIST. In addition to these featured speakers there will also be two panel discussions, the first on the topic of “Managing Cloud Security: Considerations and Best Practices” and the second on “Cloud Implementation Lessons Learned”. The event will close with a keynote presentation by Keith Trippie, founder of The Trippie Group, on the topic of “The Business of Cloud”.

Federal employees who are interested in attending the Federal Summit can register for the event here:

CSA Federal Summit 2015

SecureCloud Update: Neelie Kroes, VP of the European Commission to Give Opening Keynote Address

SecureCloud 2014 is now just under two months away and we are excited to announce that Neelie Kroes, Vice President of the European Commission, will be giving the opening keynote address on April 1st.

Image: Neelie Kroes, VP of the European Commission

Since 2010, Kroes has held the responsibility over the Digital Agenda for Europe. This portfolio includes the information and communications technology (ICT) and telecommunications sectors. As a strong promoter of the adoption of cloud computing in Europe, Kroes has been actively supporting actions to lower the barriers to the uptake of the cloud in the internal market. Kroes joins an all-star line-up of cloud security experts and visionaries, including Dr. Udo Helmbrecht, Dr. Richard Posch, Alan Boehme, Richard Mogull, as well as CSA CEO, Jim Reavis.

SecureCloud 2014, produced by the CSA, ENISA and Fraunhofer-FOKUS, is an opportunity for government experts, industry experts and corporate decision makers to discuss and exchange ideas about how to shape the future of cloud computing security. It is also a place to learn from cloud computing experts about cloud computing security and privacy, as well as to discuss practical case studies from industry and government.

Early bird discount pricing is being offered through February 14. To register for SecureCloud 2014 visit:

Five Distinguished Security Experts to Keynote SecureCloud 2014

SecureCloud 2014 is just around the corner and the CSA is pleased to announce the keynote speaker lineup for this must-attend event, which is taking place in Amsterdam on April 1-2.

Secure Cloud Speakers

This year’s event will feature keynote addresses from the following five security experts on a wide range of cloud security topics:

  • Prof. Dr. Udo Helmbrecht, executive director of the European Network and Information Security Agency (ENISA), will speak on the uptake of Cloud computing in Europe and how ENISA supports Cloud Security in the Member States.
  • Prof. Dr. Reinhard Posch, CIO for the Austrian Federal Government, will present on the European Cloud Partnership and the Austrian Government approach to cloud.
  • Alan Boehme, Chief of Enterprise Architecture for The Coca-Cola Company, will present on the CSA Software Defined Perimeter initiative.
  • Jim Reavis, CEO of the Cloud Security Alliance, will discuss trends and innovation in cloud security and CSA activities in 2014.
  • Richard Mogull, CEO of Securosis, will give the closing keynote on Automation & DevOps.

If you haven’t already registered, early bird discount pricing is being offered through February 14. Registration information can be found at:

We look forward to seeing all of you in Amsterdam in the Spring!