Night of the Living Cloud (aka CSA Federal Summit) Part 1 of 2

Blog Article Published: 07/09/2020

By Jim Reavis, Co-founder and Chief Executive Officer, CSA

If you want to get a feel for what the zombie apocalypse might be like, I highly recommend taking a business trip right now. It provides a surreal experience without the hassle of someone trying to eat your brains. It was thus for me as I traveled across the country to attend the Cloud Security Alliance Federal Summit.

The journey started with an uneventful flight from Seattle to Washington Dulles. The flight arrived four hours later than planned and arrived at a different airport as airlines are canceling flights and consolidating their passengers. This resulted in a flight that was reasonably full, except that middle seats were not being sold. The hotel was in Crystal City, which is right next to the Washington Reagan airport, my original destination. No problem there, my Uber driver apparently negotiated a private stretch of freeway as the drive from Dulles was accomplished in record time for my 30 years traveling to the capital. As I checked into the Hyatt Regency and walked around the neighborhood, I had this uneasy feeling that something was wrong. Ah yes, no people! The area was desolate and the occasional lifeform existing behind a mask had a clear look of terror in their eyes as they demanded some social distance. This pandemic is a misanthrope’s dream!

Our event went off without a hitch, if by “without a hitch” you mean “no attendees”. There were actually a few people in the crowd, myself included, and they were treated to a tour de force of cybersecurity experts. We will be looking to repurpose the content to a larger audience soon, but what follows is a summary and links where available to the morning presentations. Next week we will cover the afternoon presentations.

The first speech was from Glenn Gerstell, Senior Adviser at the Center for Strategic & International Studies, and former NSA General Counsel. The title was Coming Up Next: More Regulation In Response to the Onrush of Technology, and I think the best way to describe the speech was that Glenn was wrestling with how we recast our regulatory and national security strategy in light of the rapid growth of the tech sector and its ability to surveil, influence citizens and amass unprecedented stores of information. The conclusion is that change must occur to recognize a new relationship between the public and private sector, but it is critical to have thoughtful policy discussions now. I asked Glenn if he thought major cloud providers must be classified as critical infrastructure. He agreed they were critical, but in keeping with his overall speech theme, he advocates a balance between looking at old laws being updated and applying existing regulations to new technology environments.

The second presentation was our own Jerry Archer, CSO at Sallie Mae, titled Implementing a Work from Home Security Strategy. This presentation is worth going through several times. Even though the content is only four slides, Jerry packed it with lessons learned and new considerations for WFH. Sallie Mae had a comprehensive pandemic contingency plan going into the COVID-19 response and they probably came out of it better than most, but there is still a lot of ongoing tuning. One quandary Jerry mentioned was trying to understand if a remote worker actually still works for your company and didn’t quit weeks ago without telling you.

Next, Zach Baldwin from GSA provided an update on FedRAMP via recorded video. The FY2020 goals of increased simplicity, improved automation, FedRAMP marketplace growth and improved community education were covered. OSCAL (Open Security Controls Assessment Language), whose development is led by Dr. Michaela Iorga at NIST, is the centerpiece of the automation initiatives.

After GSA, CSA board member and TruSTAR chairman Paul Kurtz presented Latest Trends in Intelligence Management. Paul made the very good point that we don’t have a very good definition of intelligence for cybersecurity and proffered one of his own, “The capacity of organizations to normalize, transform and automatically extract actionable insight and context from security tools and sources to expedite detection and response.” You can access Paul’s presentation here.

I took the last spot before lunch and gave a presentation titled Cloud Resilience: Tested by Pandemic. It contained some content you may have seen me discuss previously, basically outlining how cloud systems by and large worked as advertised during the shift to work from home and the cleanup underway to lock down security vulnerabilities created by the rapid shift to WFH. I also added some new content about the revised upward forecast in cloud security services and speculation that corporate data centers may be decommissioned two years earlier than predicted due to cloud. I also discussed some of my fears about a worse than expected economic recovery directly impacting cybersecurity and our ability to combat breaches. Check it out here.

I will summarize the afternoon presentations next week. In addition to the great content presented at the summit, we learned a lot about the logistics and best practices for conducting in-person events in the near future. Configuring rooms for maximum social distancing, contactless food and beverage, ambient temperature sensors and hyper sanitization are the new norms. We will be interviewing all attendees at the 14-day point after the summit and will let you know if we all remain healthy.

Join us for the Virtual Federal Summit Webinar Series

In the Federal Summit Webinar Series, the Cloud Security Alliance will address the many factors at play in implementing a secure, user-friendly cloud instance, and how rapidly developing cloud technology, risk management and shared responsibility across agencies are central to building a trusted cloud environment. Webinars are free for all to attend. Save your seat here.
