John Yeoh explains how CSA works with organizations on various aspects of cloud security to identify top risks, assess cloud service providers, establish baseline controls, and build best practices.
At the Black Hat USA 2019 cybersecurity conference in Las Vegas, CNET and CBS News Senior Producer Dan Patterson spoke with Cloud Security Alliance’s John Yeoh about how implementing new technology leads to success. The following transcript has been edited for clarity.
John Yeoh: Best practice can be pretty general. But what we try to do with the CSA is work with different organizations that have been adopting new technologies. We’ve worked with different providers on how they’re offering solutions with these new technologies, with these cloud services. And we just build patterns, understanding how people are doing successful implementations, how people are struggling with those challenges, with the successes. We build a blueprint, we build best practices, and let people learn from them.
So one of the recent things we did, which I think is great, we have a top threats report that comes out every couple of years specific to the cloud. And it’s no coincidence that we see a lot of these concerns, threats, risks, vulnerabilities across all these major breaches. So some of the major ones that we’re seeing these days, which I thought was interesting, is that we’re seeing a lot of the concerns being up the technology stack.
So instead of just being concerned about cloud platforms, we’re now concerned about how do we configure towards these platforms, how do we architect within these cloud solutions and cloud tools? We’re seeing that at top of mind. And so when we’ve seen some of the recent breaches that happen, data breaches, wow, that’s a big concern for all of us of course. But how do we deal with that with the misconfigurations? Do we have sufficient controls and identity in place? These are things that are still at top of mind, and so what we do as we try to build, we try to have these concerns, share the business impacts, and then help people build in mitigations, countermeasures, security controls that defend against and protect the organization against these threats. The cloud today is more complex than ever. It really is. Not only are we utilizing multiple cloud platforms, but at times, we’re using hundreds, maybe even thousands of cloud services. So how do we do that?
I feel like it’s the same old tale we’re telling our employees, right? We’re like the nagging mothers: “Hey, security should be top of mind.” We’re trying to build that security culture within our organization, and it’s not super easy. Security teams can be completely avoided when we look at just purchasing a cloud service that we need. Because at the end of the day, hey, for me, I want to get my job done faster and easier, and security can kind of be a second thought sometimes, so we are trying to help people build these communities better.
When we talk about how we’ve advanced in the cloud over the last 10 years, we’re talking about people that are transitioning to the cloud. We talk about people that are in the cloud but want to build on top of the controls they have currently. So when you think about security protection, a lot of these are imposed upon us, where I have a regulation that I have to meet. And so that’s how I kind of take those business requirements, those security requirements, and I transfer that to the cloud.
Well, now we have so much more tooling and cloud that we’re saying, “Hey, there are ways to enhance that security posture with new tools that are cloud relative, things like DevOps methodologies,” and that’s where it starts.
So now that we have more people that own the process, that own the security process, we can not just get to the executives that are trying to say, “Hey, let’s implement these security policies,” but now we’re getting to the developers, we’re getting to practitioners, we’re getting to even the compliance folks that need to be aware of security, aware of even privacy, and how to implement that as we’re building applications, as we’re building tools within our organization. I think that’s the key: how do we get from top to bottom? It’s about reaching that broad audience, giving people at every single level tools to add security into what they’re doing.
And so I kind of talked earlier about, hey, it’s great that I’m aware of these top threats and that we even have some business impacts and some countermeasures that you can use against them.
Now, implementation, it becomes a little bit different, right? Because I think every organization is going to implement those security controls a little bit differently. CSA has a lot of tools out there that are specific for developers on how I would implement this type of control in my environment.
I think a big one too is making sure that all the providers that you’re leveraging, the third parties that you use. And this is nothing new, right? We’ve been using third parties for a long time, but today we rely heavily on cloud services for more than just traditionally what we’ve used them for. Now, security, they’re owning a lot of our infrastructure and even host a lot of our data. So we need to be able to communicate that down to these layers, and that’s when you need guidance on these new practices. You know, I mentioned DevOps earlier, and I think we just put together a piece called six pillars for DevOps. And what that does is it helps people really start from scratch and build this security community within their organization that talks about how you can align some of your current compliance regulations into security. And then it talks about how you can advance your security posture with automation and other DevOps tooling, so it’s kind of a process.
I think it’s always going to be a challenge for how we communicate. But as long as we have providers that are able to help train your staff on their services, as long as you have best practices that allow you to make sure you have established security baselines on what’s the minimum that you should be able to do to secure your cloud platform… I think that’s going to be important.
So when you talk about top threats, we talk about establishing baseline security controls. I think that’s pretty important. When we moved to the cloud, we always had all these different frameworks and business requirements and security requirements that we’ve had to adhere to, but they have never been cloud-specific. So a great best practice that CSA’s provided is on security guidance for critical areas of focus in cloud computing. And it starts from assessment, assessing cloud service providers. It goes into architecting, how would you better architect. For example, some people will move applications to these hosted cloud environments, but there are also opportunities to rearchitect, where you can take advantage of native security tooling that these cloud platforms are offering. Which also gives you more tooling and more notifications on, hey, do we have any vulnerabilities in my environment?
Because what we’re seeing from these cloud platforms, and I’ll tell you one of the major cloud platforms this year has already come up with 1,800 different features and functions for their platform, which I think is amazing. The biggest challenge I think for the enterprise, and the end-user, is understanding 1,800 solutions. Do I have these available to me? Are they particular in my environment? Are they turned off or on automatically? They need to understand these things better, but these are some of the best practices we try to help people to understand: how do we assess our vendors, how do we build our applications and leverage these cloud tools better. And then going forward, how can we leverage our cloud operations for new technologies, if we’re doing anything in IoT, if we’re looking to really give ourselves competitive advantages in other areas; hopefully, we give you a baseline, a foundation to do that.
CSA has something called the cloud controls matrix. It’s a cloud security controls framework, and it comes with a questionnaire that actually you can give to providers that say, “Hey, yes or no, is this control present in my environment?”
And what’s great about that is it’s a standard questionnaire that is available to all providers. It’s standard across the industry when it comes to cloud and cloud services; we have over 400 different solutions right now, cloud services that actually leverage that questionnaire and say, “This is where my security posture is today.” It’s available for free. It’s open to the public, and you can see how each cloud service actually meets or even exceeds these baseline security requirements established through CSA criteria.