Cloud Security Alliance (CSA) - Experts & Thought Leaders

Latest Cloud Security Alliance (CSA) news & announcements

Wing Security joins Cloud Security Alliance for enhanced SaaS security

Wing Security, the pioneer in SaaS Security, announced its membership in the Cloud Security Alliance (CSA), the organisation dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment.

Cloud security standards

Association with the CSA underscores Wing Security's commitment to collaborating on cloud security standards and empowering organisations to safely leverage SaaS applications. Wing Security's automated SSPM solution, which offers unparalleled visibility and control for more than 300,000 SaaS applications, is vital for businesses to mitigate and remediate security risks efficiently.

Advanced, automated SaaS security solutions

"Our alignment with the CSA is a natural extension of our mission to bring advanced, automated SaaS security solutions to the mid-market," said Galit Lubetzky Sharon, CEO of Wing Security. "As SaaS usage proliferates in the business world, so do the security challenges. We look forward to contributing our expertise in SSPM and automation to the CSA community, helping define robust security practices that benefit all cloud users."

Security strategies

Wing Security's SSPM platform has been instrumental in enabling organisations to safeguard their data and systems against the increasing prevalence of SaaS vulnerabilities, as evidenced by recent incidents involving high-profile threat actors. Leveraging its CSA membership, Wing Security will continue to innovate and support chief information security officers (CISOs) in enhancing their company's security strategies.

Advanced approach

"We welcome Wing Security to the CSA community," said Illena Armstrong, President of Cloud Security Alliance. "Wing's focus on automating SaaS security through its SSPM solutions brings valuable insights to the wider community and their clients. Their advanced approach to managing and securing SaaS applications significantly contributes to the industry's ongoing efforts to foster a safe and secure cloud computing environment."

Flexible and innovative SSPM solutions

Wing Security's SSPM platform automates the identification, management, and remediation of SaaS application risks, catering to the dynamic needs of mid-market companies. With a focus on minimising effort and cost for CISOs, Wing Security's tiered product lineup meets companies wherever they are on their security journey. Wing Security's flexible and innovative SSPM solutions help organisations improve operational efficiency and bridge the resource gap in SaaS security.

Vectra joins the cloud security alliance

Vectra AI, a pioneer in Network Detection and Response (NDR), announced that it has joined the Cloud Security Alliance (CSA), the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Network detection solution

Vectra and its flagship Cognito threat-detection and response platform enable the world’s most consequential enterprise organisations to identify, hunt, and investigate cyberattacks in real-time – from cloud and data centre workloads to user and IoT devices. As a Cloud Security Alliance member, Vectra will bring its expertise from providing network detection and response and analysing attack behaviours in cloud environments to help the alliance build highly informed educational programs on cloud security.

Authority comment

“Over the past year, we have witnessed a continuous series of the most impactful and widespread cyber attacks in history. This has shed light on the need for more informed educational initiatives on cloud security for IT professionals in every industry,” said Marty Sanders, SVP of Americas at Vectra. “As we join with CSA, we remain dedicated to working collaboratively with other cloud computing experts to create a world where all attacks on cloud environments can be prevented.”

Initiatives towards best practices in cloud tech

The company will collaborate with CSA members to help develop and deliver educational initiatives on security best practices for cloud technologies while also participating in research projects and events facilitated by the alliance.

“As a provider of network detection and response for thousands of organisations, Vectra has a wide breadth of expertise in preventing and stopping in-progress attacks in the cloud and analysing threat behaviour,” said Jim Reavis, CEO, Cloud Security Alliance. “With this level of knowledge, we are thrilled to welcome Vectra to CSA and look forward to working with its team of cloud security experts to educate and raise awareness of the best practices needed to secure every cloud ecosystem across the globe.”

360 Advanced joins the Cloud Security Alliance (CSA), starts offering CSA STAR Attestations

360 Advanced, Inc. has announced that it has joined the Cloud Security Alliance (CSA), introducing a new security offering for cloud service providers. As a member of the Cloud Security Alliance, 360 Advanced can now provide CSA Security, Trust, Assurance and Risk (STAR) Attestations. CSA STAR Attestation provides guidelines for Certified Public Accountants to conduct SOC 2 engagements, using criteria from the American Institute of Certified Public Accountants’ (AICPA) Trust Services Principles (TSP) and the CSA Cloud Controls Matrix (CCM).

CSA STAR Attestations

Created as a collaborative effort between CSA and AICPA, STAR Attestation couples traditional SOC 2 reporting with cloud-specific content, to result in a rigorous, independent assessment of a service provider’s system and controls, including a description of the service auditor’s tests of controls. These technology-neutral, third-party assessments report on the day-to-day effectiveness of a company’s controls. Upon completion, cloud service providers are added to the CSA’s free, publicly available registry, allowing prospective clients to verify that a vendor’s security posture meets industry requirements.

Enhancing cyber security and data protection

“We are very excited to add this offering for our cloud provider clients. As cloud applications continue to grow, this will allow us to provide an additional service that will help our clients show a higher level of diligence when it comes to securing their clients’ data,” explained Eric Ratcliffe, Director of Compliance Strategy for 360 Advanced.

“We’re pleased to welcome 360 Advanced to the Cloud Security Alliance (CSA) and look forward to working together with them to strengthen the cloud security and compliance industries in the years to come,” said Cloud Security Alliance’s Co-Founder and Chief Executive Officer (CEO), Jim Reavis.

According to IDG, 73 percent of organisations reported using at least one cloud application in 2018. An additional 17 percent planned to do so by the end of 2019.

Privacy and security, main concerns at the enterprise level

This rapid growth has been driven by companies’ desire to reduce the complexity and costs of information technology. Ultimately, however, privacy and security have remained concerns – especially at the enterprise level. While providers of any size can benefit from a CSA STAR Attestation, large enterprises face higher expectations of transparency and compliance. Prospective clients often ask for assurance that adequate security and privacy measures are in place.

360 Advanced’s independent validation

To help meet these expectations, 360 Advanced can provide independent validation that controls have been established to protect confidential data. Attestations include a final deliverables report that outlines the control testing and control activities. “We look forward to helping our clients stay at the forefront of their ever-changing industry,” said Eric Ratcliffe, adding “As always, that includes collaborative audit and assessment services that go beyond basic, check-the-box assessments.”

Insights & Opinions from thought leaders at Cloud Security Alliance (CSA)

True cloud video surveillance: Do we need cloud police?

Currently and unfortunately, there is no such thing as Cloud Police. If there were, two-thirds or more of the companies using ‘cloud’ in their advertising and documentation would be in Cloud Jail for seriously misusing the word in their marketing. The term ‘Cloud’ is over-used and misused—sometimes intentionally and knowingly, but also often in ignorance. It’s just a word—but in the context of cloud computing technology, it does have a specific meaning in the United States. We may lack cloud police, but we do have a resource that defines cloud.

Video surveillance system

The National Institute of Standards and Technology (NIST) spells out the requirements in The NIST Definition of Cloud Computing. Regardless of where in the world your video system is located, there are certain, fundamental attributes of a ‘Cloud Video Surveillance System.’

A modern security video surveillance system is composed of securely connected video cameras (IP cameras and/or analogue cameras with encoders), video recorders, video display monitors, and video management software for managing equipment configuration and system performance configurations and for providing system operations functionality. Based on the NIST definition of cloud computing and its essential characteristics, a true cloud system would have significant advantages over a traditional on-premises server-based system.

Cloud video management system

Here's what a cloud video management system should provide:

Infinite Scalability and ‘Only Pay for What You Use.’ Cloud video surveillance systems are a subscription-based business model. Integrators derive recurring monthly revenue from the subscription, and the end-user only pays for what they use. True cloud systems do not charge you for unused disk space.

Cloud Video System Can Be Operated and Managed from Anywhere. System management capabilities are off-site from camera locations for all system functionality. It should not be necessary to be on-site to view or export video or change system or device

Redundant System Functionality. The software system functionality is redundant, so in the event of a computing or networking failure, alternate computing and/or networking resources immediately take over without human interaction.

Recorder Isolation. Camera locations should transmit video off-site to a secure SaaS service provider location.

Redundant Video Storage. Video should be stored redundantly for business continuity and disaster recovery purposes, and redundant storage should be swapped in automatically if primary storage fails.

Cybersecure Systems and Devices. On-site hardware, data transmission, and cloud systems must be cybersecure. Individual cameras must be protected from other cameras or devices on the network that could be malware-infected.

Intelligent Video Data Transmission and Video Data. The installer and users should be able to configure and adjust video traffic bandwidth usage--such as the percentage of available bandwidth. On-premises appliances should intelligently buffer video being sent to the cloud to accommodate fluctuations in internet bandwidth availability.

Retention Assurance for Every Camera. Recorded video retention periods must be individually configurable on a per-camera basis.

Instant Changes. Changes to video retention and/or user privileges must be instantly accomplished with the flip of a switch.

Internet-Based Integrations. Integrations with system functionality must be available through a single secure and well-engineered application programming interface (API) available via a secure internet connection to the cloud-based system software.

Service Provider Account Management. A dashboard for centralised monitoring and management of reseller accounts.

System Performance Metrics. Maintain and chart a seven-day performance window of camera LAN and internet packet loss, camera LAN and cloud bandwidth usage, and per-camera video storage in hourly increments.

Automatic Cloud System Upgrades. Feature and system security upgrades to cloud system software and cloud user applications, including periodic software and firmware updates to on-premises appliances, should be automatically provided as they are released.

On-Demand Periodic Full Hardware Replacement. To keep subscribed on-premises system physical hardware technologically current, provide on-demand complete hardware replacement at no charge every six years.

Cloud computing characteristics

Cloud mis-marketing commonly occurs when vendors use public cloud data centre capabilities—such as AWS, Google or Azure--to provide parts of their customer solution, without actually providing the customer with the full benefits of cloud computing. In these cases, vendors are wrongfully labelling the products or services ‘cloud’ offerings. Common mis-labelling includes:

On-Premises System Backups to Cloud Data Centre Locations. Whether it is a private or public cloud data centre storing a system backup in a cloud location, if a manual action is required to restore the backup system, this is not a cloud system.

Client-Server Based Applications Running in a Virtual Server. When a client-server application is installed in a virtual server in a public cloud—the same way it is done within an on-premises virtual server data centre—this is not a cloud application and does not provide the end-user with the benefits of cloud computing.

Browser-Based Client-Server Applications. Software running in a ‘cloud’ data centre can provide a browser-based interface without conforming to the essential cloud computing characteristics. The browser is not the determining factor in a cloud system.

Server Database Partitioning. The partitioning of a single client-server application database into separate customer partitions is not a cloud ‘multi-tenant’ model, because a shared database does not provide ‘different physical and virtual resources dynamically assigned and reassigned according to consumer demand’; this is not a cloud-system architecture.

Client-Server Camera Licences ‘Priced’ as a Subscription. Software companies that re-price their client-server software licences into monthly billings and call them cloud subscriptions are not providing a cloud subscriber application.

Remotely Executed Upgrades. Remotely executed periodic upgrades of on-premises system software, performed as part of a service or support fee, are not a cloud computing service—regardless of whether the software upgrade image is stored in a cloud location.

Assumed Cybersecurity. Service providers will on occasion mistake the cybersecurity credentials and certifications of their public cloud partner for the cybersecurity of the software service provider’s own application. See sidebar ‘Assessing a Vendor’s Cybersecurity Credentials.’

Cloud-based applications

So how do we sum up true cloud? Based on the nature of its software functionality, true cloud provides maximum value for the subscriber because it’s engineered to take advantage of the characteristics of cloud computing to be cost-effective, flexible, and high performing for all use cases. Any vendor providing cloud-based applications should be able to explain in detail how they have applied the cloud computing characteristics--on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service--for the benefit of the subscriber.

Assessing a Vendor’s Cybersecurity Credentials

When end-users and resellers assess the cybersecurity credentials of vendors, it’s essential to check the documentation, read the fine print, and ask the right questions. Fortunately, there are some easy best practices to follow.

It’s good news if your vendor has completed audits such as SOC 2 Type 2 and ISO 27001. Considered the gold standard of security audits, SOC 2 Type 2 and ISO 27001 are rigorous assessments that take six months or more to complete, and they provide independent validation that a vendor’s policies and procedures meet and exceed cybersecurity standards.

Internal vendor network

Always take a close look at audits and credentials to determine if your vendor holds the cybersecurity credential themselves, or if the credential is held by one of their vendors. For example, some vendors who host software in the cloud—whether cloud applications or virtualised client-server applications—make the mistake of pointing to a SOC 2 Type 2 or ISO 27001 certification held by AWS or Azure or another public cloud whose services the vendor uses to run their software. However, such reports and certifications apply only to the cloud infrastructure on which the vendor’s software is running. The reports do not apply to the vendor’s software and the vendor’s own cybersecurity and data privacy practices, the vendor’s development environment, its technical support personnel or any internal vendor network that connects to its cloud system.

Popular cloud computing

The vendor itself must establish SOC 2 and ISO 27001 compliance for itself and provide that documentation. Other publicly available resources can be extremely helpful in assessing vendors’ cybersecurity credentials. A great example is the Security, Trust, Assurance, and Risk (STAR) Registry provided by the Cloud Security Alliance (CSA), which documents the security and privacy controls of popular cloud computing offerings. Vendors can submit a free questionnaire to show their security and compliance postures, including the regulations, standards, and frameworks they adhere to. Any cloud application service provider stating they have engineered sound cybersecurity for their cloud offering should back up that assertion by participating in the STAR registry program.

—Ken Francis
