CSA Summit Recap Part 1: Enterprise Perspective

By Elisa Morrison, Marketing Intern, Cloud Security Alliance

CSA’s 10th anniversary, coupled with the bestowal of the Decade of Excellence Awards, gave this Summit a sense of accomplishment that bodes well for the future yet also challenges the CSA community to continue its pursuit of excellence.

The common theme was the ‘Journey to the Cloud’, with an emphasis on how organizations can not only move faster but also reduce costs along the way. The Summit this year also touched on the future of privacy and disruptive technologies, and introduced CSA’s newest initiatives in Blockchain and IoT as well as the launch of the STAR Continuous auditing program. Part 1 of this CSA Summit Recap highlights sessions from the Summit geared toward the enterprise perspective.

Securing Your IT Transformation to the Cloud – Jay Chaudhry, Bob Varnadoe, and Tom Filip

Slide: Network security is becoming irrelevant

Every CEO wants to embrace the cloud, but how can it be done securely? To answer this question, the trio looked at the journeys other companies such as Kellogg and NCR took to the cloud. In Kellogg’s case they found that when it comes to your transformation, single-tenant VMs won’t cut it. They also raised the question of the ineffectiveness of services such as hybrid security: why pay the tax for services that aren’t used?

For NCR, the major themes were how to streamline connectivity and access to cloud services. The big question was how end users can access NCR data in a secure environment. They found that applications and the network must be decoupled. And while more cloud traffic is now encrypted, that encryption also gives malicious users another way in. Their solution was to use proxies and firewalls to inspect traffic.

The Future of Privacy: Futile or Pretty Good? – Jon Callas

ACLU technology fellow Jon Callas brought to light the false dichotomy we see when discussing privacy. It is easy to be nihilistic about privacy, but positives are out there as well.

There is movement in the right direction that we can already see. Examples include GDPR, the California privacy law, the Illinois biometric privacy law, and the Carpenter, Riley, and Oakland Magistrate decisions. A precedent has also been set for laws that give consumers more privacy. For organizations, privacy has become a focus of competition, and companies such as Apple, Google, and Microsoft all compete on privacy. Privacy-protecting protocols such as TLS and DNS are also becoming a reality. Other positive trends include default encryption and the fact that disasters are now documented, reported on, and taken seriously.

Unfortunately, there has also been movement in the wrong direction. There is a balancing act between designing for security and designing for surveillance. The surveillance economy is growing, and too many platforms and devices now collect data and sell it. Lastly, government arrogance and overreach in legislating surveillance over security remain an issue.

All in all, Callas summarized that the future is neither futile nor pretty good, and that it is necessary to balance both moving forward.

From GDPR to California Privacy – Kevin Kiley

Slide: Steps to better vendor risk management

This session touched on third-party breaches, regulatory liability, the need for strong data processing terms that are paramount to scope, and how to comply with GDPR and the CCPA. Kiley identified a need for a holistic approach with more detailed vendor vetting requirements. He outlined five areas organizations should improve to better their vendor risk management.

  1. Onboarding. Who’s doing the work for procurement, privacy, or security?
  2. Populating & Triaging. Leverage templated vendor evaluation assessments and populate with granular details.
  3. Documentation and demonstration
  4. Monitoring vendors
  5. Offboarding

Building an Award-Winning Cloud Security Program – Pete Chronis and Keith Anderson

This session covered key lessons learned along the way as Turner built its award-winning cloud security program. One of the constant challenges Turner faced was the battle between speed to market and the security program. To improve their program, Turner enacted continuous compliance measurement, using open-source tooling for cloud control plane assessment. They also ensured each user attestation was signed by both the executive and technical support. For accounts, they implemented intrusion prevention, detection, and security monitoring. They learned to define what good looks like, while also developing a lexicon and definitions for security. It was emphasized that organizations should always be iterating from new > good > better. Lastly, when building your cloud security program, they emphasized that not all things need to be secured the same way and not all data needs the same level of security.

Case Study: Behind the Scenes of MGM Resorts’ Digital Transformation – Rajiv Gupta and Scott Howitt

MGM’s global user base meant they wanted to expand functions to guest services, check-in volume management and find a way of bringing new sites online faster. To accomplish this, MGM embarked on a cloud journey. Their journey was broken into business requirements (innovation velocity and M&A agility) along with necessary security requirements (dealing with sensitive data, the need to enable employees to move faster, and the ability to deploy a security platform).

Slide: Where is your sensitive data in the cloud?

As they described MGM’s digital transformation, the question was raised: where is sensitive data stored in the cloud? An emerging issue that continues to come up is API management. Eighty-seven percent of companies permit employees to use unmanaged devices to access business apps, and the BYOD policy is often left unmanaged or unenforced. In addition, MGM found that, on average, 14 misconfigured IaaS services are running at any given time in a typical organization, and the average organization has 1,527 DLP incidents in PaaS/IaaS per month.

To address these challenges, organizations need to consider the relations between devices, network and the cloud. The session ended with three main points to keep in mind during your organization’s cloud journey. 1) Focus on your data. 2) Apply controls pertinent to your data. 3) Take a platform approach to your cloud security needs.

Taking Control of IoT – Hillary Baron

Image: IoT connected devices overlaid on a cityscape

There is a gap in the security controls framework for IoT. With the landscape changing at a rapid pace and over 2020 billion IoT devices, the need is great. Added to that is the fact that IoT manufacturers typically do not build security into devices; hence the need for the security controls framework. You can learn more about the framework and its accompanying guidebook covered in this session here.

Panel – The Approaching Decade of Disruptive Technologies

While buzzwords can mean different things to different organizations, organizations should still implement processes around new and emerging technologies such as AI, Machine Learning, and Blockchain, and be conscious of what is implemented.

This session spent a lot of its time examining Zero Trust. The security perimeter now sits in many different locations, and finding the best place to establish it is challenging. It can no longer be a fixed point, but must flex with the mobility of users; mobile phones, for example, require very flexible boundaries. Zero Trust can help address these issues, and it is BYOD-friendly. There are still challenges, but Web Authentication helps as a standard for Zero Trust.

Cloud has revolutionized security in the past decade. With cloud, you inherit security, and with it the idea of a simple system has gone out the window. One of the key questions asked was “Why are we not learning the security lessons from the cloud?” The answer? Because the number of developers grows exponentially with each new technology.

The key takeaway: Don’t assume your industry is different. Realize that others have faced these threats and have come up with successful treatment methodologies when approaching disruptive technologies.

CISO Guide to Surviving an Enterprise Cloud Journey – Andy Kirkland, Starbucks

Five years ago, Andy Kirkland, Director of Information and Security for Starbucks, recommended against going to the cloud, out of caution. Since then, Starbucks has migrated to the cloud and learned a lot along the way. Below is an outline of Starbucks’ tips for organizations that want to survive a cloud journey:

  • Establish workload definitions to understand criteria
  • Utilize standardized controls across the enterprise
  • Provide security training for the technologist
  • Have a security incident triage tailored to your cloud provider
  • Establish visibility into cloud security control effectiveness
  • Define the security champion process to allow for security to scale

PANEL – CISO Counterpoint

In this keynote panel, leading CISOs discussed their cloud adoption experiences for enterprise applications. Jerry Archer, CSO for Sallie Mae, described their cloud adoption journey as “nibbling our way to success.” They started by putting things into the cloud that were small. By keeping up constant conversations with regulators, there were no surprises during the migration to the cloud. Now, they don’t have any physical supplies remaining. Other takeaways were that in 2019 containers have evolved and we now see: ember security, arbitrage workloads, and RAIN (Refracting Artificial Intelligence Networks).

Download the full summit presentation slides here.

Recommendations for IoT Firmware Update Processes: Addressing complexities in a vast ecosystem of connected devices

By Sabri Khemissa, IT-OT-Cloud Cybersecurity Strategist, Thales

Image: IoT Firmware Update Processes report cover

Traditionally, updating software for IT assets involves three stages: analysis, staging, and distribution of the update—a process that usually occurs during off-hours for the business. Typically, these updates apply cryptographic controls (digital signatures) to safeguard the integrity and authenticity of the software. However, the Internet of Things (IoT), with its vast ecosystem of connected devices deployed in many environments, introduces a host of complexities that drive the need for process re-engineering.

Developers, for instance, cannot ignore the fact that their IoT is integrating into a complex system and must consider how it can be securely updated while still co-existing with other products. Implementers, meanwhile, must take into account the entire (and complex) system, including the specific constraints of each IoT component.

Complicating matters further, there are many variations in the IoT systems that require software and firmware updates. For example, some IoT systems are often on the move and require relatively large downloads—such as connected vehicles. Other IoT systems, like smart home and building devices, are more static. Regardless, the factors associated with network saturation during downloads to hundreds or even thousands of devices must be considered. Equally important is the impact of failed firmware updates on consumers.
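The paragraphs above describe the controls a secure update process relies on: a digital signature that proves the update is authentic and intact, plus handling for failed installs. The following Go program is an added example written for this page; it is not code from the CSA report or from Thales, and its manifest layout (a version number and a SHA-256 digest signed with Ed25519 over `Version||Digest`) is an assumption chosen for illustration. It goes slightly beyond the text by adding an anti-rollback check on the version number, since an attacker who can replay a validly signed older image would otherwise reintroduce known bugs, and by refusing to change the recorded version unless every check passes, so a failed update leaves the device on its previous firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The field set is constructed for
// this example; the CSA report does not prescribe a manifest format.
type Manifest struct {
	Version uint32   // monotonically increasing, used for anti-rollback
	Digest  [32]byte // SHA-256 of the firmware image bytes
	Sig     []byte   // Ed25519 signature over Version||Digest
}

// manifestBytes is the canonical byte string that gets signed.
func manifestBytes(m *Manifest) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// SignManifest is the vendor-side step (assumed to run in the build pipeline).
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) *Manifest {
	m := &Manifest{Version: version, Digest: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// Device models the update client: a vendor public key provisioned at
// manufacture and the version of the firmware currently running.
type Device struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("version not newer than running firmware")
	ErrDigest       = errors.New("image digest does not match manifest")
)

// VerifyUpdate checks, in order, authenticity (signature), anti-rollback
// (version) and integrity (digest). It installs nothing.
func (d *Device) VerifyUpdate(m *Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorKey, manifestBytes(m), m.Sig) {
		return ErrBadSignature
	}
	if m.Version <= d.CurrentVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	return nil
}

// ApplyUpdate records the new version only after every check passes, so a
// rejected or failed update never leaves the device on an unverified image.
func (d *Device) ApplyUpdate(m *Manifest, image []byte) error {
	if err := d.VerifyUpdate(m, image); err != nil {
		return err
	}
	d.CurrentVersion = m.Version
	return nil
}

// DemoKeys generates a throwaway vendor key pair for the example.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := DemoKeys()
	dev := &Device{VendorKey: pub, CurrentVersion: 3}
	image := []byte("constructed firmware image v4") // constructed sample payload

	fmt.Println("apply v4:", dev.ApplyUpdate(SignManifest(priv, 4, image), image))
	fmt.Println("replay v2:", dev.VerifyUpdate(SignManifest(priv, 2, image), image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered v5:", dev.VerifyUpdate(SignManifest(priv, 5, image), tampered))
	_, rogue := DemoKeys()
	fmt.Println("forged v6:", dev.VerifyUpdate(SignManifest(rogue, 6, image), image))
	fmt.Println("running version:", dev.CurrentVersion)
}
```

The ordering of checks matters: verifying the signature first means the version and digest fields are only trusted after the manifest has been proven to come from the vendor, and the digest check last means the (potentially large) image download can be validated separately from the small manifest, which suits the bandwidth-constrained and mobile deployments the text mentions.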

Mitigating Attacks with IoT Firmware Update Guidelines

To assist enterprises in navigating myriad complexities, CSA’s IoT Working Group compiled a set of key recommendations for establishing a secure and scalable IoT update process. Our latest report, “Recommendations for IoT Firmware Update Processes,” offers 10 guidelines for IoT firmware and software updates that can be fully or partially integrated. Each suggestion can be adapted and designed for custom firmware updates that recognize unique constraints, dependencies and risks associated with IoT products, and the complex systems they involve. These recommendations target not only developers and implementers, but also vendors who must design solutions with security in mind.

It’s our hope that in addressing this process, attack vectors that can be exploited by hackers are mitigated. You can read the full report to get a deeper sense of the challenges involved and for a set of best practices to overcome them.

Securing the Internet of Things: Devices & Networks

By Ranjeet Khanna, Director of Product Management–IoT/Embedded Security, Entrust Datacard

The Internet of Things (IoT) is changing manufacturing for the better.

With data from billions of connected devices and trillions of sensors, supply chain and device manufacturing operators are taking advantage of new benefits. Think improved efficiency and greater flexibility among potential business models. But as the IoT assumes a bigger role across industries, security needs to take top priority. Here’s a look at four key challenges that must be taken care of before realizing the rewards of increased connectivity.

Reducing risk
Mitigating risk doesn’t always have to come at the expense of uptime and reliability. With the right IoT security solutions, manufacturers can assign trusted identities to all devices or applications to ensure fraudsters remain on the outside looking in. Better yet, the integration of identity management can also pave the way for improved visibility of business operations, scalability, and access control. Instead of getting caught off guard by unforeseen occurrences, manufacturers will be prepared to address problems throughout every step of the product lifecycle.

Setting the stage for data sharing
Data drives the IoT. As more data is shared across connected ecosystems, the potential for analytics-based and even predictive advancements increases. Such improvements, however, aren’t all positive. Increased data sharing opens the door to additional cyber attacks. To help keep sensitive information under wraps, businesses should consider embedding trusted identities for devices at the time of manufacturing. From electronic control units within cars to the connected devices that make up smart cities, introducing trusted identities promises to not only secure data sharing, but also improve supply chain integrity and speed up IoT deployments along the way.

Securing networks & protocols
Through the IoT, old networks and protocols are being introduced to new devices. Enterprise-grade encryption-based technologies keep both greenfield and brownfield environments secure, regardless of protocol. While this extra step may take some time, the benefits are well worth it. Whether it’s an additional source of revenue or heightened security, implementing solutions that are effective across systems, designs and protocols can help ensure improved security for years to come.

Tying identity to security
Physical and digital security may seem like different subjects on the surface, but a closer look reveals some valuable similarities. Just as authorization is needed to enter a highly secure building, sensitive information should only be made available to users with the proper credentials. Dependent upon a variety of conditions – such as the time of day or type of device – rule-based authentication is one way to ensure untrusted devices or users can’t access a secure environment.
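The paragraph above describes rule-based authentication that conditions access on factors such as time of day and device type. The Go program below is an added example written for this page, not code from Entrust Datacard or the ioTrust product; the `AccessRequest` and `Rule` types, the rule set and the sample requests are all constructed for illustration. It shows the two properties a practitioner would want from such a policy: deny by default (a request that matches no rule is refused), and correct handling of maintenance windows that wrap past midnight, a common off-by-one source in time-of-day rules.

```go
package main

import (
	"fmt"
	"time"
)

// AccessRequest is what the gateway knows about the caller. Fields are
// constructed for this example.
type AccessRequest struct {
	DeviceID   string
	DeviceType string    // e.g. "plc", "hmi", "laptop"
	Attested   bool      // caller presented a valid provisioned identity
	At         time.Time // time of the request
}

// Rule allows access only when every listed condition holds.
type Rule struct {
	Name            string
	DeviceTypes     []string // empty means any device type
	StartHour       int      // inclusive, UTC hour 0-23
	EndHour         int      // exclusive, UTC hour 0-24; may be < StartHour to wrap midnight
	RequireAttested bool
}

// hourInWindow handles both plain windows (08-18) and wrapping ones (22-06).
func hourInWindow(h, start, end int) bool {
	if start <= end {
		return h >= start && h < end
	}
	return h >= start || h < end
}

func (r Rule) matches(req AccessRequest) bool {
	if r.RequireAttested && !req.Attested {
		return false
	}
	if !hourInWindow(req.At.UTC().Hour(), r.StartHour, r.EndHour) {
		return false
	}
	if len(r.DeviceTypes) == 0 {
		return true
	}
	for _, t := range r.DeviceTypes {
		if t == req.DeviceType {
			return true
		}
	}
	return false
}

// Decide is deny-by-default: the first matching rule allows; no match denies.
// The returned string names the rule (or "default-deny") for audit logging.
func Decide(rules []Rule, req AccessRequest) (bool, string) {
	for _, r := range rules {
		if r.matches(req) {
			return true, r.Name
		}
	}
	return false, "default-deny"
}

// DemoRules is a constructed policy for a plant network.
func DemoRules() []Rule {
	return []Rule{
		{Name: "plc-always", DeviceTypes: []string{"plc"}, StartHour: 0, EndHour: 24, RequireAttested: true},
		{Name: "maintenance-laptops", DeviceTypes: []string{"laptop"}, StartHour: 8, EndHour: 18, RequireAttested: true},
		{Name: "night-batch", DeviceTypes: []string{"batch-ctrl"}, StartHour: 22, EndHour: 6, RequireAttested: true},
	}
}

func main() {
	rules := DemoRules()
	at := func(h int) time.Time { return time.Date(2019, 3, 5, h, 0, 0, 0, time.UTC) }
	reqs := []AccessRequest{
		{DeviceID: "plc-17", DeviceType: "plc", Attested: true, At: at(3)},
		{DeviceID: "lt-02", DeviceType: "laptop", Attested: true, At: at(20)},
		{DeviceID: "plc-99", DeviceType: "plc", Attested: false, At: at(10)},
		{DeviceID: "bc-01", DeviceType: "batch-ctrl", Attested: true, At: at(23)},
	}
	for _, req := range reqs {
		ok, why := Decide(rules, req)
		fmt.Printf("%-7s %-10s attested=%-5v %02d:00Z -> allow=%v (%s)\n",
			req.DeviceID, req.DeviceType, req.Attested, req.At.Hour(), ok, why)
	}
}
```

Returning the rule name alongside the decision is deliberate: an access log that records which rule fired (or that nothing fired) is what lets a defender notice an unattested device probing outside its window, rather than just a bare deny.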

Supply chain and device manufacturing operators have not yet taken full advantage of IoT’s impressive potential. By enabling fast-tracking of deployment timelines and allowing organizations to more quickly realize business value in areas such as process optimization and automation, ioTrust could soon change that. Leverage the power of ioTrust to stay one step ahead of the competition.

Note: This is part two in a four-part blog series on Securing the IoT.
Check out Part One: Connected Cars