CSA 2022 Priorities: Cloud & Collaboration

Published 12/17/2021

Written by Jim Reavis, Co-founder and Chief Executive Officer, CSA.


This time of year I am often asked to make industry predictions, which I do – poorly. So this time around, I thought I would focus on making predictions about what Cloud Security Alliance will be working on in 2022; I should get at least 50% of it right. Let’s get started!

Zero Trust

This is certainly one of the most hyped terms in our industry. It is not a new term, having been coined by John Kindervag at Forrester in 2010. Even then it was not new, as it described concepts articulated by the Jericho Forum and others much earlier. The idea is that no part of a computer and networking system can be implicitly trusted, including the humans operating it. Therefore, we must put measures in place to provide assurance that the systems and their components are operating appropriately, typically under a “least privilege” model and continuously verified.

My viewpoint is that Zero Trust came roaring back into prominence as the consequences of Work From Home (WFH) began to sink in at the beginning of the pandemic. An example is a security-conscious organization that had office desktop PCs with hardened corporate images and used security tokens for two factor authentication. The security team felt pretty good about the implementation, but then that PC went home and the team realized they needed to contend with a home Wi-Fi system and possibly curious teenagers. The location of the device had been implicitly trusted when it should not have been.

The industry has jumped on the Zero Trust bandwagon and there are a lot of helpful solutions and guidance out there. However, it seems as though we have been confusing the market by too closely correlating Zero Trust with specific technologies and architectures, when what we should be doing is taking a step back and recasting Zero Trust as a philosophy, documenting technology-neutral strategies and methodologies, and then providing a foundation for technology specifics. CSA is developing an initiative that will be launched in January with a mission to create research, training, and professional credentialing and provide a resource center for the community to host any sort of ZT information.

CxO Trust Initiative

This year we launched our program to develop research and training and provide a community for the C-Suite. While CISOs are obviously a major constituency of this group, we are also getting CEOs, CIOs, CFOs, etc., involved to broaden our perspective. We are already seeing some terrific results. We had the team from Starbucks develop a ransomware tabletop exercise that was highly lauded by attendees at our first CxO Trust Summit. We developed a rapid response whitepaper to provide CISA Director Jen Easterly with private sector concerns regarding the US federal government’s cybersecurity roadmap. We constituted an advisory council that has provided excellent recommendations for our CxO research roadmap. In 2022, we expect to hold 4 CxO Trust conferences, deliver multiple research whitepapers and create advisory councils within multiple regions around the world.

STAR: The World’s Cloud Assurance Ecosystem

Many of you are likely aware of the CSA Security, Trust, Assurance & Risk (STAR) Program, which was initially launched in 2011. Most of you may associate CSA STAR with our online registry of over 1,500 cloud provider security statements. It is the largest such registry in the world and one of the best places to go to begin your cloud provider due diligence. STAR is so compelling that many countries in the world require a STAR listing for cloud providers seeking to provide government cloud services. STAR is actually the most complete and rich ecosystem of tools, training, assessment firms and online information:

We have always provided information about the benefits of STAR and its components to individual cloud providers and customers. In 2022 we will initiate programs to facilitate adoption of the entire ecosystem by larger communities. This will mean STAR for companies within a specific industry. It also will mean STAR for national governments. Not all countries have US-level resources to create a FedRAMP program for cloud assurance. We are very excited to see STAR everywhere!

Top Secret (Sort Of)

We also have some projects in the works that we are not ready to talk about yet, but that will challenge much of the status quo in cybersecurity. As technology becomes ever more dynamic, our standards, training, certifications, vulnerability tracking and general knowledge must adapt to a cloud-centric view of cybersecurity.

I hope I can predict that most of you reading this will want to get more involved in Cloud Security Alliance and help us solve the big security problems plaguing our global economy and make this world just a little bit better for all of humanity. CSA has had a lot of successes because of a phenomenal volunteer community from around the world, and I hope to see a lot of you in person next year!
