The CxO Trust Cloud Change Notification Project

In the two years since we kicked it off, the Cloud Security Alliance’s CxO Trust Initiative has provided valuable guidance as to the key strategies necessary to advance cloud and cybersecurity within the C-Suite. We consult the CxO Trust Advisory Council regularly on issues that arise in the industry to get perspectives aligned with business leaders. With that in mind, we are announcing a new research project that we are hosting within our CxO Trust Initiative that fits into a larger umbrella of Enterprise - Cloud Service Provider Coordination. As we will explain below, in the latest project, we believe that structured and proactive coordination between CSPs and leading edge enterprises should accelerate to address more of these types of problems.

Generally speaking, the importance of viewing your organization’s technology providers as strategic partners is more important now than ever. This is particularly true in the cloud. The intrinsic nature of cloud being available through APIs and accessed through self-service orchestration has profound implications. A cloud customer may assemble cloud applications composed of many components and via layers of abstraction. The dependencies that ensue will range from the obvious to the obscure. As enterprises seek to entrust crown jewel data to cloud platforms and develop highly resilient systems, it is important to understand the impact of cloud’s dynamic nature and how changes may have unintended consequences impacting that resilience.

At a high level, this issue is well understood and there is a large body of knowledge and a variety of initiatives intended to address change management in the cloud. A Software Bill of Materials (SBOM) is a comprehensive inventory or list of all components, including libraries, frameworks, and dependencies, used within a software product or application. An SBOM provides transparency into the building blocks of software, making it easier to understand, manage, and maintain the components that are integrated into a product. While SBOM’s scope is intended to solve a broad range of issues, the transparent articulation of dependencies is fundamental to change management.

CSA’s Cloud Controls Matrix (CCM), a widely used framework for governing the cloud, has an entire domain devoted to this topic: Change Controls and Configuration Management. The controls address many aspects of change control, e.g. policy, process, quality testing, rollback, and many more. A related project we have underway is the Shared Security Responsibility Model (SSRM). SSRM is taking an in-depth look at each of the CCM controls to provide fairly detailed guidance on the CSP’s vs. the tenant’s responsibilities. SSRM is in the process of addressing shared responsibility for change management.

Barclays is one CSA corporate member that is taking a close look at this topic and advocating for industry action for solutions to address the “change management knowledge gap.” They have a wealth of knowledge and experience in deploying enterprise grade cloud applications. Jez Goldstone, Director of Security Architecture, Cloud & Innovation at Barclays recently authored a blog, Don’t Keep Us in the Dark: Addressing the Cloud Change Management Gap, providing more insights into this pain point from a tenant point of view. He also proposed one idea - using JSON data structures at the cloud provider - to enable automated ingestion of this information. CSA research analyst Sean Heide has performed some interesting experimentation using ChatGPT to create a methodology to automate this effort using JSON as well.

We understand that this can be a complex topic and do not wish to oversimplify it. Change is the constant in the cloud and changes are pushed out for a wide variety of reasons. It could very well be the case that as enterprises have a better understanding of CSP considerations, they may adjust the solution requirements they have.

All of which brings us to this announcement. We are issuing a call to action to major cloud providers and enterprise users to join Barclays and share their experiences and find solutions that make tangible progress. We see this as not initially a best practices and policy discussion, but a brainstorming and experimentation exercise to identify solutions to enable enterprise awareness of CSP changes at an early stage and at the right level to maintain resilient systems. We encourage you to join the CxO Trust Working Group to collaborate with us on the standards, policies, and enabling technology to provide transparent change notification.