CSA 2022 Priorities: Cloud & Collaboration

This time of year I am often asked to make industry predictions, which I do – poorly. So this time around, I thought I would focus on making predictions about what Cloud Security Alliance will be working on in 2022, I should get at least 50% of it right. Let’s get started!

Zero Trust

This is certainly one of the most hyped terms in our industry. It is not a new term, having been coined by John Kindervag at Forrester in 2010. Even then it was not new, as it described concepts articulated by the Jericho Forum and others much earlier. The idea is that no part of a computer and networking system can be implicitly trusted, including the humans operating it. Therefore, we must put measures in place to provide assurance that the systems and their components are operating appropriately, typically under a “least privilege” model and continuously verified.

My viewpoint is that Zero Trust came roaring back into prominence as the consequences of Work From Home (WFH) began to sink in at the beginning of the pandemic. An example is a security-conscious organization that had office desktop PCs with hardened corporate images and used security tokens for two factor authentication. The security team felt pretty good about the implementation, but then that PC went home and the team realized they needed to contend with a home Wi-Fi system and possibly curious teenagers. The location of the device had been implicitly trusted when it should not have been.

The industry has jumped on the Zero Trust bandwagon and there are a lot of helpful solutions and guidance out there. However, it seems as though we have been confusing the market by too closely correlating Zero Trust with specific technologies and architectures, when what we should be doing is taking a step back and recasting Zero Trust as a philosophy, documenting technology-neutral strategies and methodologies, and then provide a foundation for technology specifics. CSA is developing an initiative that will be launched in January with a mission to create research, training, and professional credentialing and provide a resource center for the community to host any sort of ZT information.

CxO Trust Initiative

This year we launched our program to develop research and training and provide a community for the C-Suite. While CISOs are obviously a major constituency of this group, we are also getting CEOs, CIOs, CFOs, etc., involved to broaden our perspective. We are already seeing some terrific results. We had the team from Starbucks develop a ransomware tabletop exercise that was highly lauded by attendees at our first CxO Trust Summit. We developed a rapid response whitepaper to provide CISA Director Jen Easterly with private sector concerns regarding the US federal government’s cybersecurity roadmap. We constituted an advisory council that has provided excellent recommendations for our CxO research roadmap. In 2022, we expect to hold 4 CxO Trust conferences, deliver multiple research whitepapers and create advisory councils within multiple regions around the world.

STAR: The World’s Cloud Assurance Ecosystem

Many of you are likely aware of the CSA Security, Trust, Assurance & Risk (STAR) Program, which was initially launched in 2011. Most of you may associate CSA STAR with our online registry on over 1,500 cloud provider security statements. It is the largest such registry in the world and one of the best places to go to begin your cloud provider due diligence. STAR is so compelling that many countries in the world require a STAR listing for cloud providers seeking to provide government cloud services. STAR is actually the most complete and rich ecosystem of tools, training, assessment firms and online information:

• Cloud Controls Matrix (CCM): The definitive control objectives for cloud systems, used heavily around the world.
• Consensus Assessments Initiative Questionnaire (CAIQ): The CCM-derived questionnaire for assessing cloud provider control implementations.
• STAR Attestation & Certification: 3^rd party auditing services aligned with SOC2 and ISO/IEC 27001, respectively, performed by the world’s leading assurance firms.
• Certificate of Cloud Auditing Knowledge (CCAK): The professional credential for individuals to show cloud auditing expertise.
• STAR Registry: The online source bringing this all together and also accessible via API.

We have always provided information about the benefits of STAR and its components to individual cloud providers and customers. In 2022 we will initiate programs to facilitate adoption of the entire ecosystem by larger communities. This will mean STAR for companies within a specific industry. It also will mean STAR for national governments. Not all countries have US-level resources to create a FedRAMP program for cloud assurance. We are very excited to see STAR everywhere!

Top Secret (Sort Of)

We also have some projects in the works that we are not ready to talk about yet, but will challenge much of the status quo in cybersecurity. As technology becomes ever more dynamic, our standards, training, certifications, vulnerability tracking and general knowledge must adapt to a cloud-centric view of cybersecurity.

I hope I can predict that most of you reading this will want to get more involved in Cloud Security Alliance and help us solve the big security problems plaguing our global economy and make this world just a little bit better for all of humanity. CSA has had a lot of successes because of a phenomenal volunteer community from around the world, and I hope to see a lot of you in person next year!