FedSTAR Pilot Program Status

As the use of cloud technology has become more widespread, the concern about cloud security has increased. Government agencies and private sector users are concerned with protecting data and ensuring service availability.  Many countries and private entities have designed and implemented security programs to increase the level of assurance and trust of cloud services. As a result, multiple certifications and accreditation programs were created.  As of 2019, over 40 different security certification systems have been developed and implemented worldwide, including the CSA STAR program.

On the one hand, the introduction of certification and accreditation systems has simplified the creation of trusted relationships between Cloud Service Providers (CSPs) and customers and consequently streamlined procurement processes. On the other hand, the proliferation of certification schemas has the side effect of generating compliance fatigue. This issue is having a significant impact on the resources that cloud services must devote to security. Many CSPs have dedicated staff for ensuring compliance with the multiple security certifications governing their services. In addition to being a resource drain on existing CSPs, the need to comply with multiple security certifications is a major obstacle to market entry for new CSPs.

About 18 months ago, CSA began working with the FedRAMP program office at the U.S. General Services Administration on the idea of FedSTAR, a program to facilitate the recognition between FedRAMP and STAR programs.  The FedSTAR project is part of a larger CSA initiative aimed at evolving STAR to a global framework for multiparty recognition of national, international, and sector-specific certification.

There is an equivalent program to FedSTAR in Europe with the EU-SEC project.  CSA introduced the idea of multiparty recognition to the stakeholder community, and there has been a lot of interest from both the government and private sectors. 

Both FedSTAR and EU-SEC projects have four primary goals:

  • Build a foundation for mutual recognition between national, international and sector-specific security certification, attestations and accreditations
  • Grant a trusted certification that is recognized by CSPs and customers
  • Reduce the compliance cost for CSPs that want to meet the requirements of both industry and government
  • Support requirements for continuous monitoring

The solution to this global problem is not to establish a new security certification system with different processes, evidence of compliance, and source controls. Rather, FedSTAR aims to develop a process that supports mutual recognition between the U.S. Federal government's FedRAMP and CSA STAR. The solution is based on the fact that both FedRAMP and CSA STAR are grounded in sanctioned, widely used sets of controls as the source of security compliance.

The goal of FedSTAR is that once a company has achieved either STAR Certification or a FedRAMP authorization to operate, that company can obtain the other certification by auditing only the delta of controls that defines the gaps between the requirements of FedRAMP Moderate and the Cloud Controls Matrix (CCM). In support of this, the FedSTAR auditing team would be required to hold both the STAR Certification Lead Auditor and 3PAO professional accreditations.

While STAR Certification and FedRAMP are not compatible as deployed, they have basic elements in common, including the level of maturity of each program, the requirement for independent third-party assessors and the use of control-based reviews.

Our working assumption, based on initial research, is that the mutual recognition between the two systems would be easy to establish because of the overlap between the FedRAMP Moderate and CSA CCM certifications. 

These factors led to our decision to codify processes and measure the level of effort required for a CSP to go from FedRAMP Moderate authorization to CSA STAR certification.

Where are we now? 

  • We have developed a gap analysis between CSA STAR and FedRAMP Moderate
  • We have established a set of measures designed to quantify the time, staff and other resources needed to obtain a CSA STAR certification after receiving a FedRAMP Moderate authorization to operate
  • We have identified one CSP that has agreed to include a CSA STAR certification assessment in its annual review for FedRAMP compliance; this effort will begin in late summer 2019. This will be our first pilot.

Measures of Success

CSA has the working assumption that it will require a minimal level of effort to receive a CSA STAR certification starting from a FedRAMP Moderate ATO. However, this hypothesis must be validated. Therefore, working with members of the Third Party Independent Assessor community, we have established a set of measures that pilot participants have agreed to collect. These measures include both qualitative and quantitative criteria.

1) Readiness/Preparation time – Quantitative measure of the effort required by the auditee to prepare for a STAR Certification audit, starting from a position of FedRAMP Moderate compliance, expressed in the number of man-days

2) Audit time – Quantitative measure of the time required to obtain the STAR certification, specifically the effort needed for documentation preparation and 3PAO assessment

3) Accuracy of the mapping and gap analysis – CSA has provided a “CCM-FedRAMP Mapping and Gap Analysis” to support this effort. We are asking for comments on the usefulness of the mapping and the effectiveness of the “compensating controls” suggested by CSA

4) Re-use of audit evidence – Identification of those documents and evidence created during a FedRAMP audit that can be applied to the requirements of CCM V3.0.1

5) Skill base – What skills are required to complete a FedRAMP to CSA STAR audit? Were there additional skills that the CSP needed to provide to complete the STAR Certification?

6) Tools – The pilot will also collect information on the tools provided to facilitate pilot execution.

Next Steps

Now is a critical time for the FedSTAR project. We have done the appropriate planning and infrastructure development. Our briefings on the program – done in conjunction with FedRAMP – have generated interest in the cloud community. The time is right to execute the pilots and analyze the results. One pilot program will begin in late Summer 2019. 

  • Additional CSPs are needed to sign up to participate in the program
  • A Focus Group needs to be established to review pilot results and guide the program

Happy Birthday GDPR! – Defending Against Illegitimate Complaints

By John DiMaria; CSSBB, HISP, MHISP, AMBCI, CERP, Assurance Investigatory Fellow – Cloud Security Alliance

On May 25th we will celebrate the first birthday of GDPR. Yes, one year ago GDPR was sort of a four-letter word (or acronym, if you will). People were in a panic about how they were going to comply and, worse yet, many didn’t even know if they had to, and even worse yet, some just ignored it altogether.

The European Data Protection Board (EDPB) published an infographic on compliance and enforcement of the GDPR from May 2018 to January 2019. It shows that 95,180 complaints have been made to EU national data protection authorities by individuals who believe their rights under the GDPR have been violated. Two thirds of the most common of these complaints had to do with telemarketing and promotional emails, which practically every organization uses as its main tools for communication.

Now, we could discuss some of the biggest fines levied, like those against Google and Facebook, but that’s been done to death and, quite frankly, the largest percentage of companies globally don’t fall into the category of Google and Facebook, nor do their budgets even come close.

I would prefer to concentrate on a topic you don’t see covered in the news much: complaints, and the time, effort and cost to defend yourself even if you’re not guilty.

Think about it: anybody can log a complaint. Whether or not you are in violation is one issue; proving you are not is another. While this is a troubling issue for large enterprises, small and medium-size organizations can have a particularly tough time, as time, money and resources are at a premium. As the EDPB report mentioned, 95,180 complaints have been made to EU national data protection authorities by individuals who “believe” their rights under the GDPR have been violated. As you can imagine, this can send a company scrambling to pull all the data and evidence together, not only to prove compliance but to prove the effectiveness of the system. Further, what if you are called out, are technically not guilty of the specific infraction logged, but in the course of the investigation major non-conformities are found in your process?

So what is the best way to protect yourself and ensure not only compliance, but readiness, both from a process and forensic perspective?

Ensure you have a solid data governance program in place that covers both the security and privacy aspects of your organization. While there are many ways to approach this, cloud service providers and users need to make sure the proper sector-specific controls are in place, not just generic ones, and that the scope is fit for purpose. It must cover all of people, process and technology to ensure holistic coverage.

CSA has been researching solutions to address these issues, and since 2011 CSA STAR has evolved into a total GRC solution for cloud service providers, and it continues to improve.

The Security, Trust, Assurance, and Risk (STAR) Program was developed by the Cloud Security Alliance in order to provide the industry with a standard by which enterprises procuring cloud services could make informed, data-driven decisions.

The STAR program encompasses four key principles: transparency, rigorous auditing, inclusiveness and harmonization of standards, providing a single program and a comprehensive suite that covers both security and privacy compliance.

So what level is best for you? You can read our quick reference guide, but gap assessments are always the best starting point. Measure where you are against where you want to go and act on the differences! This also allows you to give yourself credit for your strengths. Many organizations have a lot of good things going on, so don’t just assume you have a major hurdle. A combination of STAR Level 1 and the GDPR Code of Conduct self-assessment (or code of practice) is the one-two punch on the road to due diligence. If you are already certified to ISO/IEC 27001 or you get regular SOC 2 assessments, then you may also want to consider STAR Level 2 certification or attestation, which increases not only your level of transparency but also assurance, because it is third-party tested and certified. The GDPR CoC is still in the self-assessment stage, but a third-party certification will be available as soon as the European Data Protection Board finalizes all the annexes related to accreditation and certification (est. Q4). However, your submission is vetted thoroughly by our GDPR experts, and once approved, you can file a PLA Code of Conduct (CoC): Statement of Adherence Self-Assessment, and your organization will be posted on the registry. After publication, your company will receive authorized use of a Compliance Mark, valid for 1 year. You are then expected to revise your assessment every time there is a change to the company policies or practices related to the service under assessment.

There is a small fee to cover administration, maintenance and the vetting process, but it shows due diligence, and when you consider the potential millions of euros in fines you face (or a percentage of annual global turnover, whichever is higher) for non-compliance[1], the fee is a drop in the bucket for some peace of mind. If you already think you are compliant, then the GDPR CoC self-assessment can serve as another set of eyes and also provide a public statement of transparency.

It makes sense, no matter where you fall in the supply chain, to take data privacy seriously. The CSA GDPR CoC can help you establish a security-conscious culture. GDPR requires organizations to identify their security strategy and adopt adequate administrative and technical measures to protect personal data. Thanks to CSA’s research, the CSA GDPR CoC provides a roadmap that will facilitate your organization’s efforts: your processes will become more consolidated, ensuring good governance and compliance and proving that all-important due diligence. Additionally, your data will be easier to use, and you will realize an underlying value and ROI.

For more information and to discuss with one of our experts, contact us at [email protected]

[1] Up to €10 million, or 2% of annual global turnover, whichever is higher; or, for more serious violations, up to €20 million, or 4% of annual global turnover, whichever is higher.

CSA STAR – The Answer to Less Complexity, Higher Level of Compliance, Data Governance, Reduced Risk and More Cost-Effective Management of Your Security and Privacy System

By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance

STAR Registry: Security on the Cloud Verified

We just launched a major refresh of the CSA STAR (Security, Trust, Assurance and Risk) program, and if you were at the CSA Summit at RSA, you got a preview of what’s in store. So let me put things in a bit more context regarding the evolution of STAR.

The more complex systems become, the less secure they become, even though security technologies improve. There are many reasons for this, but it can all be traced back to the problem of complexity. Why? Because we give a lot of attention to technology, and we have increasing silos of a plethora of regulations and standards. Therefore, we become fragmented and too complex.

The adversary works in the world of the stack, and that complexity is where they thrive.

Ron Ross, Senior Scientist and Fellow at NIST

Complex systems:

  • have more independent processes, and that creates more security risks.
  • have more interfaces and interactions, and these create more security risks.
  • are harder to monitor and therefore are more likely to have untested, unaudited portions.
  • are harder to develop and implement securely.
  • are harder for employees and stakeholders to understand and be trained on.

By using a single system for the ongoing management of compliance, regulatory, legal, and information security obligations, overlapping requirements can be identified, efficiencies leveraged, and greater visibility and assurance provided to the organization.

CSA STAR: Built to Support

To respond to these growing business concerns, the Cloud Security Alliance (CSA) created the Cloud Controls Matrix (CCM). Developed in conjunction with an international industry working group, it specifies common controls that are relevant for cloud security and is the foundation on which the three pillars of CSA STAR are built.

In the same approach, we recently released the GDPR Code of Conduct (CoC). The GDPR CoC shows adherence to GDPR privacy requirements, streamlines contracting, accelerates sales cycles and provides assurance to the cloud customer of data privacy in conjunction with CSA STAR.

CSA STAR is being recognized as the international harmonized solution, leading the way in trust for cloud providers, users, and their stakeholders by providing an integrated, cost-effective solution that decreases complexity and increases trust and transparency while enabling organizations to secure their information, protect against cyber-threats, reduce risk, and strengthen their information governance. It creates trust and accountability in the cloud market with increasing levels of transparency and assurance. What’s more, it provides the solution to an increasingly complex and resource-demanding compliance landscape by providing technical standards, an integrated certification and attestation framework, and a public registry of trusted data.

The STAR Registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions and also to manage their supply-chain. Additionally, it allows cloud service providers (CSPs) to benchmark themselves against like CSPs in their industry.

STARWatch can then be used for benchmarking and/or third-party risk management. STARWatch is a SaaS application to help organizations manage compliance with CSA STAR Registry requirements. STARWatch delivers the content of the CCM and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA best practices.

While it is understood that ISO/IEC 27001, the international management systems standard for information security, and SOC 2 are both widely recognized and respected, their requirements are more generic. As such, there can be a perception that they do not focus on certain areas of security that are critical for particular sectors, such as cloud security, in enough detail.

By adopting STAR as an extension of your ISO/IEC 27001 or SOC 2 System, you’ll be sending a clear message to existing and potential customers that your security systems are robust and have addressed the specific issues critical to cloud security.

STAR Certification can boost customer and stakeholder confidence, enhance your corporate reputation, and give your business a competitive advantage.

Take the STAR Challenge

Take the first step in evaluating how your organization stacks up against the CCM. Fill out the self-assessment using the CAIQ and the CCM. You can then upload your information into the STAR Registry, taking credit for your compliance efforts.

Additionally, you can evaluate yourself against the GDPR Code of Conduct. Just fill out the self-assessment, which can then be uploaded to the STAR Registry along with your Statement of Adherence. Our team of experts will evaluate your submission and either respond with questions or approve your submission for posting. Again, you’ll be making a major statement about your compliance posture.

Once you have completed this step (or along the way) you can make decisions on whether there is a business case to move into Level 2 (certification and/or attestation).

Contact us to find out more about CSA STAR and the opportunities available for you to contribute and have a voice in this growing area of increasing trust and transparency in the cloud.

Continuous Auditing – STAR Continuous – Increasing Trust and Integrity

By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance

As a Six Sigma Black Belt, I was brought up over the years with the philosophy of continual monitoring and improvement, moving from a reactive state to a preventive state. In fact, I wrote a white paper a couple of years ago on how Six Sigma is applied to security.

The basic premise is that it emphasizes early detection and prevention of problems, rather than the correction of problems after they have occurred. It eliminates the point-in-time “inspection” by deploying continuous monitoring and auditing. This approach basically saved the automotive industry back in the 1980s.

This age-old and proven process is the best way I can describe what CSA has done with the launch of another step in the direction of increasing transparency and assurance … continuous auditing.

Continuous auditing focuses on testing for the occurrence of a risk and the on-going effectiveness of a control. A framework and detailed procedures, along with technology, are key to enabling such an approach. Continuous auditing offers an enhanced way to understand risks and controls and improve on sampling from periodic reviews to ongoing testing.

STAR Continuous is a component of the CSA STAR Program that gives cloud service providers (CSPs) the opportunity to integrate their approach to cloud security compliance and certification with additional capabilities to validate their security posture on an ongoing basis. Continuous auditing empowers an organization to make precise statements on its compliance status at any time over the whole time span in which the continuous audit process is executed, achieving an “always up-to-date” compliance status by increasing the frequency of the auditing process.

Continuous auditing is not intended to replace traditional auditing, but rather is to be used as a tool to enhance audit effectiveness and increase transparency to stakeholders and interested parties.

STAR Continuous contains three models for continuous monitoring. Each of the three models provides a different level of assurance by covering requirements of continuous auditing with various levels of scrutiny. The three models are defined as:

1. Continuous self-assessment
2. Extended certification with continuous self-assessment
3. Continuous certification

[Figure: chart showing levels of auditing]

Essentially, the proposed framework starts from a simple process of the timely submission of self-assessment compliance reports and moves up to a continuous certification of the fulfillment of control objectives.

How does it help you as a cloud service provider?

  • Provides top management with greater visibility, so that they can evaluate the effectiveness of their management system in real time in relation to the expectations of internal, regulatory and cloud security industry standards;
  • Implements an audit that is designed to reflect how your organization’s objectives are aimed at optimizing the cloud services;
  • Demonstrates progress and performance levels that go beyond the traditional “point in time” scenario; and
  • For customers of cloud service providers, STAR Continuous will provide a greater understanding of the level of controls that are in place and their effectiveness.

CSA is committed to helping customers have a deeper understanding of their security postures. Since the STAR Registry was launched in 2011 as the first step in improving transparency and assurance in the cloud, it has evolved into a program that encompasses the key principles of transparency, rigorous auditing, and harmonization of standards. Companies that use STAR indicate best practices and validate the security posture of their cloud offerings.

CSA STAR is being recognized as the international harmonized solution leading the way in trust for cloud providers, users and their stakeholders by providing an integrated, cost-effective solution that decreases complexity and increases assurance and transparency. It simultaneously enables organizations to secure their information, protect themselves from cyber-threats, reduce risk and strengthen their information governance and privacy platform.

Want to find out more? Contact us at [email protected]

Webinar: The Ever Changing Paradigm of Trust in the Cloud

By CSA Staff


The CSA closed its 10th annual Summit at RSA on Monday, and the consensus was that the cloud has come to dominate the technology landscape and revolutionize the market, creating a tectonic shift in accepted practice.

The advent of the cloud has been a huge advancement in technology. Today’s need for flexible access has led to an increase in business demand for cloud computing, bringing with it increased security and privacy concerns. How organizations evaluate Cloud Service Providers (CSPs) has become key to providing increased levels of assurance and transparency.

On Thursday, March 14 at 2 pm ET, John DiMaria, Cloud Security Alliance’s Assurance Investigatory Fellow and one of the key innovators in the evolution of CSA STAR, will share his insight on the:

  • current global landscape of cloud computing,
  • ongoing concerns regarding the cloud, and the
  • evolution of efforts to answer to the demand for higher transparency and assurance.

Join John DiMaria as he reviews the efforts being led by CSA to answer this call. You’ll walk away with a deeper understanding of how these efforts are aimed at helping organizations optimize processes, reduce costs, and decrease risk while simultaneously meeting the continuing rigorous international demands on cloud services allowing for the highest level of assurance and transparency.

Register today.

CSA Summit Recap Part 1: Enterprise Perspective

By Elisa Morrison, Marketing Intern, Cloud Security Alliance

CSA’s 10th anniversary, coupled with the bestowal of the Decade of Excellence Awards, gave a sense of accomplishment to this Summit that bodes well yet also challenges the CSA community to continue its pursuit of excellence.

The common theme was the ‘Journey to the Cloud’, emphasizing how organizations can not only go faster but also reduce costs during this journey. The Summit this year also touched on the future of privacy and disruptive technologies, and introduced CSA’s newest initiatives in Blockchain and IoT and the launch of the STAR Continuous auditing program. Part 1 of this CSA Summit Recap highlights sessions from the Summit geared toward the enterprise perspective.

Securing Your IT Transformation to the Cloud – Jay Chaudhry, Bob Varnadoe, and Tom Filip

Slide: Network security is becoming irrelevant

Every CEO wants to embrace the cloud, but how to do it securely? To answer this question, this trio looked at the journeys other companies such as Kellogg and NCR took to the cloud. In Kellogg’s case they found that when it comes to your transformation, single-tenant VMs won’t cut it. They also brought to light the question of the ineffectiveness of services such as hybrid security. Why pay the tax for services not used?

For NCR, major themes were how to streamline connectivity and access to cloud services. The big question was: how do end users access NCR data in a secure environment? They found that applications and network must be decoupled. And, while more traffic to the cloud is encrypted, encryption offers another way for malicious users to get in. Their solution was to use proxies and firewalls for inspection of traffic.

The Future of Privacy: Futile or Pretty Good? – Jon Callas

ACLU technology fellow Jon Callas brought to light the false dichotomy we see when discussing privacy. It is easy to be nihilistic about privacy, but positives are out there as well.

There is movement in the right direction that we can already see; examples include GDPR, the California privacy law, the Illinois biometric privacy law, and the Carpenter, Riley, and Oakland Magistrate decisions. A precedent has also been set for laws with more privacy protection for consumers. For organizations, privacy has also become a focus of competition, and companies such as Apple, Google, and Microsoft all compete on privacy. Protocols such as TLS and DNS are also becoming a reality. Other positive trends include default encryption and the fact that disasters are documented, reported on, and a concern.

Unfortunately, there has also been movement in the wrong direction. There is a balancing act between the design for security versus design for surveillance. The surveillance economy is increasing, and too many platforms and devices are now collecting data and selling it. Lastly, government arrogance and the overreach to legislate surveillance over security is an issue.

All in all, Callas summarized that the future is neither futile nor pretty good and it’s necessary to balance both moving forward.

From GDPR to California Privacy – Kevin Kiley

Slide: Steps to better vendor risk management

This session touched on third-party breaches, regulatory liability, the need for strong data processing paramount to scope, and how to comply with GDPR and CCPA. Kiley identified a need for a holistic approach with more detailed vendor vetting requirements. He outlined five areas organizations should improve to better their vendor risk management.

  1. Onboarding. Who’s doing the work for procurement, privacy, or security?
  2. Populating & Triaging. Leverage templated vendor evaluation assessments and populate with granular details.
  3. Documentation and demonstration
  4. Monitoring vendors
  5. Offboarding

Building an Award-Winning Cloud Security Program – Pete Chronis and Keith Anderson

This session covered key lessons learned along the way as Turner built its award-winning cloud security program. One of the constant challenges Turner faced was the battle between speed to market and the security program. To improve their program, Turner enacted continuous compliance measurement by using open source tooling for cloud control plane assessment. They also ensured each user attestation was signed by both the executive and technical support. For accounts, they implemented intrusion prevention, detection, and security monitoring. They learned to define what good looks like, while also developing a lexicon and definitions for security. It was emphasized that organizations should always be iterating from new > good > better. Lastly, when building your cloud security program, they emphasized that not all things need to be secured the same way and not all data needs the same level of security.

Case Study: Behind the Scenes of MGM Resorts’ Digital Transformation – Rajiv Gupta and Scott Howitt

MGM’s global user base meant they wanted to expand functions to guest services, check-in volume management and find a way of bringing new sites online faster. To accomplish this, MGM embarked on a cloud journey. Their journey was broken into business requirements (innovation velocity and M&A agility) along with necessary security requirements (dealing with sensitive data, the need to enable employees to move faster, and the ability to deploy a security platform).

Slide: Where is your sensitive data in the cloud?

As they described MGM’s digital transformation, the question was raised: where is sensitive data stored in the cloud? An emerging issue that continues to come up is API management. Eighty-seven percent of companies permit employees to use unmanaged devices to access business apps, and the BYOD policy is often left unmanaged or unenforced. In addition, MGM found that on average 14 misconfigured IaaS services are running at a given time in an average organization, and the average organization has 1,527 DLP incidents in PaaS/IaaS in a month.

To address these challenges, organizations need to consider the relations between devices, network and the cloud. The session ended with three main points to keep in mind during your organization’s cloud journey. 1) Focus on your data. 2) Apply controls pertinent to your data. 3) Take a platform approach to your cloud security needs.

Taking Control of IoT – Hillary Baron


There is a gap in the security controls framework for IoT. With the landscape changing at a rapid pace and over 2020 billion IoT devices, the need is great. Added to that is the fact that IoT manufacturers typically do not build security into devices, hence the need for the security controls framework. You can learn more about the framework and its accompanying guidebook covered in this session here.

Panel – The Approaching Decade of Disruptive Technologies

While buzzwords can mean different things to different organizations, organizations should still implement processes among new and emerging technologies such as AI, Machine Learning, and Blockchain, and be conscious of what is implemented.

This session spent a lot of its time examining Zero Trust. The perimeter is in different locations for security, and it is challenging to find the best place to establish the security perimeter. It can no longer be a fixed point, but must flex with the mobility of users; for example, mobile phones require very flexible boundaries. Zero Trust can help address these issues, and it is BYOD-friendly. There are still challenges, but Web Authentication helps as a standard for Zero Trust.

Cloud has revolutionized security in the past decade. With cloud, you inherit security, and with it the idea of a simple system has gone out the window. One of the key questions asked was “Why are we not learning the security lessons from the cloud?” The answer? Because the number of developers grows exponentially with new technology.

The key takeaway: Don’t assume your industry is different. Realize that others have faced these threats and have come up with successful treatment methodologies when approaching disruptive technologies.

CISO Guide to Surviving an Enterprise Cloud Journey – Andy Kirkland, Starbucks

Five years ago, the Director of Information and Security for Starbucks, Andy Kirkland, recommended not going to the cloud, out of caution. Since then, Starbucks has migrated to the cloud and learned a lot on the way. Below is an outline of Starbucks’ survival tips for organizations wanting to survive a cloud journey:

  • Establish workload definitions to understand criteria
  • Utilize standardized controls across the enterprise
  • Provide security training for the technologist
  • Have a security incident triage tailored to your cloud provider
  • Establish visibility into cloud security control effectiveness
  • Define the security champion process to allow for security to scale

PANEL – CISO Counterpoint

In this keynote panel, leading CISOs discussed their cloud adoption experiences for enterprise applications. Jerry Archer, CSO for Sallie Mae, described their cloud adoption journey as “nibbling our way to success.” They started by putting small things into the cloud. By keeping up constant conversations with regulators, there were no surprises during the migration to the cloud. Now, they don’t have any physical supplies remaining. Other takeaways were that in 2019 containers have evolved and we now see: ember security, arbitrage workloads, and RAIN (Refracting Artificial Intelligence Networks).

Download the full summit presentation slides here.