
Bow Valley College aims to uphold the intention of the numbered Friendship Treaties from the perspective of Indigenous peoples. We also remain collectively accountable to respect Indigenous peoples' legal and inherited rights, recognizing we are all treaty peoples in our words and interactions. Bow Valley College honours the traditional lands of the Blackfoot Confederacy, which includes the Siksika, the Kainai, the Piikani and the Amskapi Piikani First Nations, as well as the Chiniki, Wesley and Bearspaw First Nations. We also recognize the connection and autonomy of the Métis Nation Region III within the historical Northwest Métis Homeland. We join all nations in celebrating the unique histories, traditions and cultures of Indigenous peoples as we continue our journey on the road towards reconciliation together.
Right, good morning everyone. For those who don't know me, my name is Steve Porter. I'm with the BSides organizing committee, and welcome to BSides Calgary 2022. It's our first in-person one in a couple of years now. First of all, can everybody hear me okay? No? Okay, you want me to beef it up a bit? Gotcha. I'm a little soft-spoken, I'm sorry.

No? All right. So I've got a few notes here. I just want to say welcome on behalf of the committee, and just to remind everybody, this conference is for you. I hope that everybody enjoys it. We've got a great lineup of speakers and presenters throughout the next couple of days; I think we have 35-plus presenters, which I think is a bit of a record for BSides here. We've got all kinds of different challenges and workshops over the next couple of days as well. We have an IoT lab downstairs and the CTFs, we have some Wi-Fi hacking, we even have a Tesla outside if anybody wants to try to unlock it and drive it off the lot. I'm not kidding: if you hack the Tesla, you win a Tesla. How about that? I mean, it's a 1:18 scale model of the one outside, but it looks just like it. I mean, that's got to count for something. All right, I'm getting laughs at nine o'clock in the morning, this is good.

So I wanted to give a little bit of background. First of all, how many people, is this your first year for BSides Calgary? Wow, that's great. Thank you for coming, and I really know you're going to have a great time here. Make sure that you make the conference about you: do the things you want to do, attend the sessions you want to see, do the challenges you want to do. Even if you're not a Wi-Fi hacking expert, go downstairs, learn it, see how it's done, have some fun. This is a safe place for doing all of these things and not going to jail. That's what our careers are about. Let's finish it. I'm going way off script here, but that's kind of me; I have a bad habit of doing that. Maybe that's why James asked me to do this in the first place.

But yeah, so BSides Calgary, a little bit of background. We actually started this back in 2016, so we did our first two events up at SAIT. And you know what, the first year we actually planned, organized, lined up all the presenters, got all the swag and sponsors and everything together in four months. It was kind of crazy, it was definitely stupid, but we did it, and it turned out to be a great event, and the number one feedback we got from it was "how come it took so long for us to do this, and are we doing it again?" So we ended up doing it again the next year, and we intended on this being an annual event, and well, life got in the way, work got in the way, people got busy, so we took a little hiatus there for a couple of years.

And that's when we approached James Cairns, our lead organizer now, and Bow Valley College, and said, what about if you guys took it over? And that's when it started up again in 2020. So a big hand, a big shout out for James, our lead organizer, who's back here hiding behind the post from me, and for everything that he's done to bring this event to you again for the past three years now. We did have a little hiccup, of course. You know, we were supposed to be an in-person event back in 2020. Yeah, these lockdown things really kind of sucked, right? So in a matter of, I don't know how James did it, three months, we had to go from being a planned in-person event to online, and again we pulled it out. You know, none of us are professional event planners, let me just say that, okay? We do our best, we manage to get things done. And then we thought maybe we'll be physical next year, and nope, again that didn't happen. So here we are today, though, and we've got this together. We have a great turnout; we've sold 550 tickets, I believe. Yeah, okay. That's all we had accounted for; we couldn't sell any more, so I'm really, really excited about that. Thank you all for attending.

Just out of curiosity, who was at the 2016 event? Okay, we've got a couple. 2017? Anybody attended all five of them? One, okay, two. That's all right. We've got a lot of swag from the old events, and if you want, you can give a donation and you could try to win a raffle or pick up a grab bag, so you can feel like you were there. A lot of the presentations are also online. So that's the other thing I should mention: everything we're doing here is being recorded. Sorry, not in any kind of weird way. It'll all be online later. So if you do miss one of the talks or one of the tracks, you can go online in a few weeks, it'll be there and you can watch it, and again get all the sessions that you really want. I know what kind of a rabbit hole it is to go and start playing in the CTF, and next thing you look at your watch and go, whoops, the day is over. So it'll all be there if you need it. The recordings from last year are up there now if you want to watch anything from there, and I think a lot of the other ones are on YouTube from the first two years.

So with that, I'm just going to kind of hand it back to James and to our keynotes. We have a great keynote for today from the Cloud Security Alliance, and I'm looking forward to it myself. Hopefully everything goes well and everyone has fun. If you do have any questions, please feel free to tag one of us with the red lanyards. We're volunteers here; we can help you out if anything is not working right or if you're looking for where you need to go for the next talks. Thank you again for showing up for BSides Calgary.
[Applause] Thank you. Thanks Steven, thanks everyone for being here. You know, it wouldn't be a tech conference without some tech gremlins. As you can see, we're up here trying to do things and pulling cables, and we've been doing that since about four o'clock yesterday to make sure we got it right, and we probably still don't. We noticed the camera's starting to go off and do its own thing, so we'll figure it out as we go. I just ask that you realize this is a grassroots conference, really. We're not a big 15- or 20,000-member conference, so we're trying to do things; a lot of these people give, out of the goodness of their heart, their time and effort to do this. I've got a huge, huge set of volunteers here today, as well as those who were here yesterday setting this thing up.

I wanted to say just a quick welcome here on behalf of both Bow Valley College and the BSides committee as well. I get the distinct opportunity of being able to help plan and work with an amazing set of people to get this event running and to deal with all the issues that come up with it, because we just want to make sure that we get this out for the community, by the community. So I just want to make sure also to say thank you to our sponsors. Of course, Bow Valley College here as a platinum sponsor; they allow me to take some of my time to organize and contact you and see how to get people registered and everything like that. I also want to give thank you to our gold sponsors, the zombie networks, Microsoft Security, Net Solutions; our silver sponsors Trellix, TechDemocracy, Forcepoint, CrowdStrike, Phosphorus, Cisco Secure, CGI; and our bronze sponsor MNP Digital, as well as Ion United for further sponsorship of the IoT Village. It's pretty amazing to have a village that was at DEF CON this year actually be at this event here, for a small group like us.

Steve, you already took the wind out of my sails, but it was amazing to see we had over 550 people that have registered. We've got about 10 of our people at the event who are actually online, so if you're online, hi, too bad you're not here, but we're glad that you're joining in with us. Everything that we try to do here, we're trying to make sure that everything goes through here as well as online, so even if you can't make it to one of the rooms here, you can pull it up on your browser outside one of our rooms. One of the big places that's an overflow area is just to the outside here of N231. There's a lot of room there if people don't want to sit in really hard chairs; it's kind of more comfy, so that's the place to be able to just kick back a little bit too. Other than that, one thing that we didn't have on the agenda before that came up is we do have our RF workshop at the CTF Village, running from 11:25 to 12:15 on both days. So if you are interested in that, there are some seats there. It's limited seating, so make sure you get there ahead of time to make sure you have that spot. Other than that, I am going to quit talking, because I'm not a good public speaker, and hand it over to the professionals. Illena and Sean, it's up to you now. Thank you very much.
Hi, how are you? I have a big mouth, so I might have to stand back a little bit here, but I also need to see this screen. So let me see how I can... how do I move my slides forward on this? I'm going to do Enter. Ah, there we go. So we're back. Cloud Security Alliance has been back doing physical events all year, and we've been completely stoked about it. And we did go to RSA for the first time; each year at RSA Conference we hold a summit on the Monday of that event, and it turned out great. Of course we saw fewer people at the event, but...
Hey, you're missing the Zoolander GIFs.
Off already? Okay.
All right, if you look over there...
So yeah, why don't I just continue until we figure out what's happening. But we're back, and we're all about just meeting and greeting with new people, getting together with some of our members, etc. To tell you a little bit about the Cloud Security Alliance: we are a 500-corporate-member-strong non-profit organization, vendor neutral, and along with that we also have about 150,000 individual members across the globe, who are typically part of our chapters. For our chapters, we have a little over 100 or so global chapters, so you could certainly look to participate in some of those as well. Thanks James, I don't want to mess up anything, because I would, and that's not the one I want to share.

But the reason that we were established 14 or so years ago is really to work with the industry, public and private entities, to establish best practices and standards that would enable organizations to understand how to secure their cloud environments. And back in the day, 14 years ago, for those of you who have been in the industry for a while like me, there were a ton of skeptics about cloud, right? But now here we are, and the cloud has become foundational to everything we do, and we see that through the investments that are being made and some of the unicorn companies. Certainly some of those organizations are getting much more VC funding than what you would typically see in the traditional cybersecurity and even hybrid organizations, and so it's a booming industry, a multi-billion-dollar market. There we go, are we good? Oh, there it is, okay.

Throughout that 14-year span we definitely have been creating a number of controls frameworks. We've been working with the likes of NIST and other organizations to ensure that we're getting those security mappings together that organizations and teams can use to deal with their ever-growing cloud environments. On top of that, we did launch a training curriculum, so we have our Certificate of Cloud Security Knowledge as well as our Certificate of Cloud Auditing Knowledge; that one we just launched about a year ago in partnership with ISACA. That enables individuals to really validate their knowledge about cloud, which is extremely needed, and I'll get into that a little bit. Then we have another sort of validation, if you will, through our STAR program, and I'll talk about that in a bit more detail as well, but it's our Security, Trust, Assurance and Risk registry, and there are all kinds of components that support that registry. You can check it out to see if a service is meeting certain security controls that you would want to see them offer when you're working with them.

So I just talked a little bit about this. I mean, organizations like Gartner, and certainly us through our research, have found that this is just a crazy business. Certainly COVID helped to accelerate the journeys of a number of companies' workloads to the cloud, and that even is for those large, large organizations, which was a little bit surprising to me; I thought they would have been a bit ahead of the game. Talk about this: the fact of the matter is cloud is foundational to everything we do, and so there's really no business strategy without a cloud strategy at this point. Organizations, whether they like it or not, have to have it, and most are opting for a multi-cloud environment now. Over the course of my one and a half years of being with Cloud Security Alliance in this particular position, I have come across one organization that is all about one hyperscaler, and that's it. But most are definitely going multi-cloud, for the many reasons that you see here, and that brings with it a number of concerns. Skills: I don't think there's one CxO with whom I have spoken over the last year and a half who is not having trouble securing people for open positions. So they're definitely looking to upskill; they're coming to us. We're seeing a number of organizations come to us not only to train their security teams or IT teams; some want to also make sure that their HR departments are educated about the cloud and cloud security issues, procurement, etc. More and more of that is happening, but again, individuals can take the training too. So a multitude of concerns with that, and then on top of that, a multi-cloud strategy where organizations might be opting to work with, let's say, three hyperscalers. You also have the number of disparate cloud services, through SaaS, microservices, etc., that organizations also are using, and there are some CxOs who might not necessarily know what's in place. Hence that; well, I think it's over, maybe more than... investments are in tools and service, training, security violations, cyber insurance. I'd be keen to find out if that still holds true; I just read an article that insurers are looking to up the cost by 174 and also increase the number of exclusions, so we'll see what happens. But all of this is an amalgamation of the day in the life of a CxO, where you have moments of euphoria and then maybe some sadness and anger and fear, especially if there's a regulator or an auditor coming at you.

So CSA can help out. We're looking not only to work with you to help with today's pain points, but we want to make sure that we're addressing those in the future, and we do that through our research team; Sean is going to talk a little bit more about that. The education and certification that we offer, certainly a number of different events and focus groups, and working with different constituents who are supporting particular initiatives, and then of course just networking. But let me hand it over to Sean. He's going to talk to you about some of the more recent research we've done and give you some practical tools that can help arm your teams to deal with cloud threats.
Awesome, thanks. Yeah, hi everyone, I really appreciate you having me here. So my name is Sean Heide. I am the technical research director for Cloud Security Alliance, so essentially we have a research portfolio that I help lead that encompasses things like enterprise architecture, so the adoption of cloud and controls when you're moving to a cloud environment. I also help lead, as you can see up on the screen, our Top Threats to Cloud Computing, which is one of our annual surveys that we help companies kind of focus on for mitigations and techniques. I also help lead our CxO Trust, which is our CISO and executive working group, to kind of help enterprises better understand, at the CISO level, how they need to be interacting with the business, how to approach the business, and what security means to an entire enterprise space.

So this is, honestly, maybe I'm a bit biased, one of our best releases. We usually have it annually; this specific one, the Top Threats to Cloud Computing: The Pandemic Eleven, was our sixth installment of this. We've been doing this survey for quite some time. So year to year, what we actually do is compile a list of what the industry sees, with the working group, on the top threats, the risks that we're seeing, any breaches that have happened, and what was the factor behind that. So we compile a list of about 40 or 50 items and then we scale that down for surveys. What we do is we push a survey out, and the whole purpose behind the survey is to give you, the general community, a voice, and actually being able to say, yes, I agree that these should be ranked in this specific order. All of that culminates into this actually being created into a top threats document that businesses can utilize to find mitigations, techniques, business impacts, which I will actually show you on one of the next slides. This is an expert-driven series; our members and volunteers in this working group are some of the best minds in the business. They work at Fortune 500s; they're dealing with risks day to day. So when you take a look at this Top Threats to Cloud Computing, I suggest everyone download this from the CSA website. It's something that you can take a look at from a novice's perspective all the way to an expert, because there's going to be a little bit of something for everyone in this release.

Now these results are often the result of the shared, on-demand nature of cloud, so everything that we report in here as far as a threat or a risk is something that has been seen in a cloud instance over the last, I would say, two years. So we do this annually, but we've backed it to about two years. This specific one covered all of the pandemic. It was crazy times; we saw such a massive shift to cloud that we had some new findings, which I'll show you on the next slide.

So as you can see, these were the 11 that we came up with. Like I said, you start with 40 on the survey; we had 11 that were so narrowly gapped in percentages, and that's where the cutoff is. A lot of people ask me, well, how do you find 11? It's been 11 the last two times; it's been 12 on one of them. What we do is we find the deviation for that percentage, so from 11 to 12 there was a massive gap, and we said, well, okay, people probably aren't identifying with number 12 and on, so we'll just keep that tightly knit group to the 11. And funny enough, the number one, so identity and access management, basically privileged accounts, that is the number one top threat or risk that enterprises have seen over the last two years during the pandemic. Now funny enough, pre-pandemic that was actually number four on the list; not many people actually cared about things like IAM or privileged identity management. And so what we saw was all of these things that cloud was super involved with, like insecure interfaces and APIs and lack of architecture, that were previously really low or maybe not even on this list, they all shifted upwards, and I think we can all kind of correlate why. Because when we went remote with all of our jobs during the pandemic we had a different focus: we had to do tech stacks, we had new applications we had to push through. I mean, it was a headache, it still is a headache, but now the things that people saw during those times were some of the key steps that we should have been focusing on all along. I think it really started showing: who is on our network, who is on our computers, how do we secure these things? And so as we go down this list, you can kind of see these steps are step by step for most standards and guidelines, CIS Critical Controls, NIST frameworks; these were all basic concepts that are now being correlated to the cloud. If we look at six and seven, or sorry, five and six, insecure software development and unsecure third-party resources: these didn't exist on previous surveys. And funny enough, I think as businesses had to start building their own products, you had to start leveraging your development teams a lot more, you had to bring in all these SaaS applications, you had no clue if they were secure, how do you do a security review? They started showing up on the report, and so it started to kind of shape the story, like, okay, we need to focus on this as a business; we have to focus on these key items.

So this is bringing top threats to life. When you download the report or take a look at any of our research that we're doing in regards to top threats, this is one of the first pages you'll see in that actual report. As I said, privileged accounts, access and key management are security issue number one. What we do is provide a very granular, homegrown, detailed description of what this means to us. So our volunteers, our experts, come in; we're not actually picking, you know, a regular description, we're coming through and making sure that this is exactly detailing what that description is for the security issue. What we also wanted to prove, by... security has an issue with, to the business executive teams: it's really, really hard to tell them, hey, we need this tool, we need to focus on this, and maybe getting turned down. Maybe some of you have a little bit better access to those with your management teams, but the whole point of this report, for this section, was to provide a business impact description, so you can say, okay, we have a privileged account issue, we're not doing identity and access management the best we can, how do I tell this to the business now? So we wanted to provide key highlights there on the business impacts, so you can go from here, find one of those security issues as a use case, and you already kind of have a pre-built notion of what you can say now to your security teams and your executive teams as well.

On the right-hand side, one of the most important things that I think I continuously fight with people on, on understanding cloud, is there is a shared responsibility, everyone. A lot of people still to this day assume, okay, we're in the cloud, they have security controls, we can trust it. I promise you that is not the case. There's always going to be a shared responsibility that you need to focus on when it comes to securing your enterprise space. So what we offer is our security responsibility model, which, if you see the green check mark, this one is going to be customer. So identity and access management: you as a customer, that is your sole responsibility to provide for your business, to ensure that you're doing roles and responsibilities, you're doing privileged identity management, access management, that you're doing those correctly, and that's on you. And so it's up to you to find those standards, and that's what we provide here, kind of a baseline for finding those controls so that you can actually start implementing these things. We also identify the architecture and the cloud service models that these impact, so of course, across platform, infrastructure and software, identity and privileged accounts is across all of those things. And before that, also in the report, which is super handy, we have a STRIDE model. For those of you who understand the STRIDE threat modeling, we provide a mapping to STRIDE in the impacts of those security risks, as well as our Cloud Controls Matrix, which, if you're trying to understand what controls can get implemented for your specific cloud infrastructure, take a look at our Cloud Controls Matrix, and then when you take a look at the actual top threats report, you can kind of start getting a feel for, okay, these controls go here. And so what we did was we mapped it for you in the report itself. We did our best guess on what controls would be mitigations and prescriptive measures to kind of get a handle on that initially. Now the purpose of the top threats report is kind of to build a use case for yourself. If you're new to security, if you're a student, or if you're an expert in the field who's been doing this a while, I do please say take a look at that report, because what it's going to do is provide you the ability to build a use case on what's happening in the threat landscape: things companies are seeing day to day, and the things they should have done or should be doing to help mitigate those items.

Now, one of the fun things we've been doing is cloud threat modeling. It's another one of the things in my research portfolio that I help lead. This last year I think we've done four of these tabletop exercises. One was for an executive tabletop, where we ran through business profiles for executives, and then we also did two in Minnesota and North Carolina, where everyone in this room would have the chance to do it. It doesn't matter your role, your expertise; you have a place at that table to be able to kind of help build a role in what that looks like for cloud threat modeling. So when you go into a business, if you're not doing tabletops as a fundamental exercise, I don't think you're ever going to really, truly understand how other business departments function when it comes to security. Everyone has a role in security, and so the ability to look at cloud threat modeling and bring that in, even for fun, if you're doing it in your free time or if you're taking it to your business, everyone needs to at least consider doing threat modeling. So we actually have a cloud threat modeling document we released, with game cards. It's really fun; we're really trying to build the gamification of cloud security. We're doing a D&D style for those of you who are into dice games, we're trying to do a Go Fish style game, so we're really trying to make it practical so people get a hands-on experience with it instead of just reading a standard. Yeah, it's fun if you like to read, but a lot of us are hands-on technical people, so we wanted to bring that to the table so you could see in real time how a threat meets a certain vulnerability, how it meets a certain mitigation. So we're trying to build that out with doing these tabletops as well.

And so this was bridging the gap between threat modeling and cloud. The cloud threat modeling guidance pulls from the top threats document you just saw, so every top threat that you see from the previous report is going to be incorporated into this, so you can kind of take a look at how controls, whether it's the Cloud Controls Matrix, whether it's MITRE ATT&CK or OWASP Top 10, we map those together so you can build a very complex picture in a simple manner and kind of see how you would mitigate that in your enterprise space. So the key takeaways for this are baseline threat modeling processes and learning how to create cloud threat modeling from scratch. We will tell you how to do it if you're a novice, or how to build on that if you've been doing this for a while, and this is really foundational cloud threat modeling; this is at its simplest form. And we're always looking for key takeaways, so if you have suggestions on something better that you think would fit within the cloud threat modeling that we didn't take notice of, we're always open to that with our working group, and so we would love for you to join. Even if you've never done this before, been in a working group, you can be a fly on the wall or you can come and join us and provide as much expert opinion as you would like.

Okay, one of the cool things we're actually doing also is our Cloud Cyber Incident Sharing Center, or Cloud CISC, in other words. This was in a partnership with IT-ISAC, so it's an incident response, an incident sharing, an intelligence sharing platform that we have at CSA now for members. What we're doing is we're leveraging a platform to help kind of create this idea that everyone should be sharing their information when they see something suspicious in their network. The issue with a lot of businesses that we're seeing is there's not a lot of money for tooling, there's not a lot of money for experts in risk identification, vulnerability management, but what we can do is provide something where you have a place to get that data. Now things do exist: AT&T has a great sharing platform, IT-ISAC has tons of resources. We brought that into CSA, so anyone who is a member or volunteering and wanting a centralized location to pull information from, we've helped leverage that. It's really helping teams who otherwise wouldn't have the funding or the tooling necessary to kind of understand what all these risks are that are happening, and these vulnerabilities other businesses are sharing. What we're really trying to adopt is this mindset that we shouldn't work in a silo. Security works best when everyone is coming together, when you're sharing incidents or vulnerabilities. Something came up on a scan that someone else can get some usefulness from; it may not be useful for you, but for someone who doesn't have a very well-developed shop in their business space, that might be very, very critical for them. And so it's really important to get this mindset of, okay, cyber incident sharing, how do I get involved, where do I start? We have 50 current active users and members across the enterprise space that are actively using this. If anyone has ever used a threat intelligence platform, essentially what our users are doing is going to a web page, emails, anything they see; there is a built-in application where you just report it. So if you see a vulnerability come through on Twitter, on Reddit, if there's any thread you see, you can actually add it to the platform and start building kind of a threat intelligence model from there.
and also very quickly on the cisc we haven't made any formal announcement about it but we intend to we started with only our North American members onboarding them and we've now expanded out to Global members and the reason we were taking a phased approach obviously is we have to be careful to maintain that trusted environment that we're building with the ITI Sac for our members so organizations that might be owned by state governments or they might be on a sanction a U.S sanction list those even if there are members are going to be excluded so as a result of that one thing that we intend to do is not only use the information all the
threat indicators that we're collecting through the Sisk to build some really practical informative guides for our members our corporate members we will take some of that data and see how we can build some trend reports and also how it might be forming sort of a foundation for our research team to again you know suss out some of the the timely topics that we can share with the wider industry and that Harkens back to our mission to have offer some free resources to the to the wire industry so with key initiatives very quickly uh about a year and a half ago we did a soft launch of our cxo trust initiative I'll talk a little bit about that this
year we launched our Zero Trust Advancement Center. There's a heck of a lot going on with that. We have a research working group; I just finished composing the first phase of an expert steering committee. I'm working with John Kindervag, who we brought on to help lead the charge, and that way, again, no formal announcements; we're having the first meeting, I want to say, at the end of November, after which we'll start announcing who's involved. But we're definitely working with the typical organizations one would expect: CISA, MITRE, NIST, all those guys. And then CSA STAR, which we mentioned earlier; we'll talk a little bit about that. We also are
finding, from talking to our members and other contacts in the industry, that financial services could use some support when it comes to their cloud initiatives. We are focusing on first releasing sort of a state of cloud with financial services, and then we will have a two-day virtual event come February 23rd, 2023, next year. And of course the other thing that we're trying to tackle is just the vulnerabilities that are afoot and continue to rise in number. Traditional means to understand the vulnerabilities that need to be addressed can be a little bit slow. We're trying now, with our GSD effort, to make it a bit more open source, if you will,
and a lot quicker, and Sean will get into that too. So, CxO Trust: we have been working with a number of CIOs, CxOs, CSOs, etc. through our membership, through our chapter organizations, for years and years and years. But this effort really is looking to ensure that we're bringing in the CEOs, all of those members of the C-suite who have a vested interest in ensuring that their cloud environments, which are their source of compute, are safe and sound. We're taking a phased approach, so we first launched with the tabletop exercises at the CxO Summit last year. We partnered with some of our friends at
Starbucks to help lead that. It went over very well; we hadn't done that in a while, and I thought it was pretty important that we get that going. Then at this last event, our September event for CxO Trust, we worked with another organization called Security Innovation, and the refrain we kept hearing over and over again during that event is that security executives need more support in educating their boards and talking to other executives. So that's going to be a key part of this initiative going forward. We've had a number of meetings, some of the members of the research team, some of the members from the CTO's office at CSA, with quite a few different organizations
that offer different means to deliver training, and so it's my intent that we could build a pool of partners and then deliver different aspects. We're also talking to some of our friends about some micro-learnings, if you will. We've already launched the advisory council; it's reserved for our corporate members only. We have, I don't know, close to 40 members there; we meet six times a year, but we're also going to them to get insight and advice when we're creating the curriculum for zero trust, for example, or when we're hearing something about, like, you know, I'm working with them now, for example, on a statement regarding Uber. So they're just extremely committed to helping us evolve
the different offerings that we have for the organization, for the industry. And then in addition to that we also have the research working group which Sean mentioned earlier. Our first piece was the CISO Perspectives and Progress in Deploying Zero Trust, so we did wed the two initiatives to see what's cooking on that front. We felt that there was an especially key need there, because as we kept getting requests for consulting meetings with some of our members, there just seemed to be a lot of confusion about zero trust, and RSA didn't really help much. You walk the floor, and I don't know if there was one company that wasn't touting zero
trust in some manner. That's just the way it goes when these companies jump on, like, "oh, NAC, let's talk about NAC, we don't do it, but hey, buy our stuff." They're not all like that, I should say; they're not all like that, just a couple, and not our members. But with that said, I'm also working with our chapters, a few key chapters to start, where we're trying to establish more regional or vertically focused steering committees. So we're getting that spread of viewpoints across the globe, leveraging all of the members who are engaged with us:
content development; some new membership offerings like town halls and a developer resource library; we've got plenty of training offerings, which I already talked about, and we're working on that diligently right now; Sean and his team will be working on a research calendar; and then still more regional virtual events. We also have a job board through something called our Circle platform. It's a social platform and it's all good, but it could be so much better, and so there's a business plan in place for us to have a much more robust career platform that will meet a number of different needs, and so we're looking at building out the wireframes
there. So now Sean's going to talk about zero trust. Yes, thank you. Show of hands, who here actually... okay, that's actually not as many as I thought. So, as we talked about earlier, we had the release of the CISO Perspectives and Progress in Deploying Zero Trust survey. What this did was really dive into the executive mindset, the struggles they have had, what they have seen when deploying zero trust. It's a topic and a word that we hear a lot about, but we really don't know the depth and granularity behind it. Much of my research has established businesses are doing it, they just don't know that they're doing it,
and that kind of showed in the survey report. It really showed the maturity level and the priority of zero trust. Should people be doing it? Yes. Are we? Maybe. And it showed the benefits and drivers toward adopting zero trust, challenges, and the investment that's actually needed for it, because zero trust is a massive, massive investment that requires a lot of tools, a lot of configurations, a lot of expertise. And is the market there right now, or is the industry there right now? Maybe. But it comes back to finding the right talent, and even training people, which is what CSA is addressing with our training program.
And these are just a few things I wanted to show; this and the next slide are just a few things out of the actual survey itself. The level of priority and trust you have in your organization in regards to zero trust: medium priority. I guess that's fine; it's a topic word, like I said, and everyone kind of answered this how I thought they would. Where is the implementation process of zero trust within the strategy of your organization? Now, this one's interesting to me, maybe not to anyone else; I usually find the weird stuff in a lot of these surveys. But 33 and 37 percent are in the planning
phases. Now, I find that a little contradictory to the 20 percent implementing; I think the implementations are actually a bit higher these days. So if you're using things like Okta, Azure, CrowdStrike, these are all things that in some way or other have a zero trust impact, a zero trust footprint, but are you correlating that to actually identify what part of zero trust it has? CSA has laid out the pillars for zero trust and what it means, and through your networks, your apps, anything to do with identity and access management, are you correlating those things that you're doing to how it coincides with zero trust? Odds are
you might be, but if you take a little bit deeper look, I think you're doing a lot more than you think you are. That's just kind of my personal opinion on the zero trust matter when we actually do these surveys; it's good to see these numbers, but I just beg people to look to see how much you've actually implemented, and I think it would be quite the surprise. Has your organization benefited from the zero trust initiative? Now, this is a very staggering number: 63 percent said mostly, but needs some improvement. This correlates to the last slide we just showed you. We are doing zero trust,
but I think 63 percent that say it needs some improvement... I think if you focus on what you're doing and tie it back to a standard framework, getting the education and knowledge on what zero trust is fundamentally, you'd get a lot further along than you think. It's not bad to need improvement, but I don't think people are giving themselves enough credit or identifying the areas where they're already doing this. So we have a Zero Trust Advancement Center with CSA. What we wanted to do, like I've been talking about, is bring the knowledge into one centralized location for everyone to learn. So we're bringing the experts to you through our Zero Trust Advancement Center. It's not going anywhere, it's where we're
headed, it's been proven that it works, and so we found that, well, where's the knowledge and education on it? So we're trying to really build that into a central location where everyone can learn. It's a philosophy on informing strategy on zero trust, and we wanted to do identity as a foundation. Continuous verification is technology neutral, so we do the best practices that are relevant for each implementation, because at CSA we remain vendor neutral. We're never going to favor anyone; we're going to find the best thing that works for you. We're going to provide you the best education and knowledge without leaning towards one direction, and sometimes some people do lean towards
one direction a little too hard and lose sight of the other side, of things that can actually help supplement those things. So we're trying to help curate that at CSA. We're going to be coming out with a zero trust training curriculum in Q2 2023, if it stays on track: the Certificate of Zero Trust Knowledge. This is to help complement our CCSK and CCAK certifications that we currently have, which, in the most basic description, are very, very good if you've never had hands-on experience in cloud, for CCSK, or if you are experienced in technology and security and maybe you are just now touching cloud. These are all meant to help complement your career. There's
not really one level, I would say, that you meet where you wouldn't have to take that; I think it's generally a good refresher no matter your level. We will have our Zero Trust Online Summit next month. Are we in October? We are, so it will be next month, and we have a very good lineup of speakers for that, a lot of people that are going to bring a wealth of knowledge. I think I'm hosting a panel discussion on the current, future and past of zero trust, so if anyone is going to be attending that, it's going to be a really good time and a lot of topics that I think
are going to be eye-opening, over the last two years during the pandemic to now and where zero trust is going to be headed. And this is open for research participation, so our zero trust group, if you are interested or have a working knowledge... this is for any of our working groups: we ask you to come volunteer, be a voice in the group, be a fly on the wall, it really doesn't matter. We love attendance and we love all backgrounds, so please, if you would like to volunteer for that, we do suggest that. So when you go to the Zero Trust Advancement Center on the CSA web page, this is the curation of all the content
I was talking about. We provide the architecture guidance, policies, any recordings that we have currently done on zero trust; we have reports, so the CISO Perspectives report, the DHS CISA draft report; and then we also offer the standards that are out there currently for zero trust. This is what I said: we're trying to curate the best of the best that's already been done. Everyone hears, in technology and security, never reinvent the wheel. It is so true for zero trust; everyone is doing something that can help someone else.
Okay, so this harks back to one of the key initiatives that I mentioned earlier regarding our Security, Trust, Assurance and Risk ecosystem, if you will. If you go to our website right now you'll be able to see the registry and look up different companies and find out if they are meeting security requirements that you would want them to meet if you were to work with them. The way that we do this, and this is where I think the onus is ours to ensure that our constituents understand how this ecosystem works, is through all of the different frameworks and questionnaires that we've created over the years, and we update. I think right
now on CCM we're on, like, version four. Version four, yeah. All right, so the Cloud Controls Matrix, if you check that out, has, I want to say, 197 control objectives that fall under 17 domains. Thank you. And so we then mapped the CAIQ to that CCM, and I say "cake" because we're a bunch of acronym souls in this industry, but it's the Consensus Assessment Initiative Questionnaire, henceforth known as CAIQ. So organizations can leverage the CAIQ to ask the questions of their providers and make sure that they're meeting their security obligations. The CCM also allows that if you want to take a very
strategic assessment of your cloud environments and really make sure that you're meeting those particular security controls, it also will point out for organizations the professionals in that ecosystem that are responsible for certain controls, certain objectives. So it's pretty comprehensive, and all of that goes into supporting the STAR Registry; those pieces are what we leverage for organizations to get either a self-assessment, Level 1 or Level 2, and we'll talk a little bit more about that. And then through the launch of the CCAK training we're also helping individuals get some knowledge on what it takes to be an auditor and what they need to know about the CCM and using the CAIQ and all
that jazz. So that's the ecosystem, and that's what the STAR Registry is all about. What we found over the last two years is that there have been individuals who have stood up chapters in different parts of the world because they found that their governments are now requiring the cloud providers in those regions to meet the self-assessment, Level 1 of our STAR Registry, in order to operate there, in order to sell their products to federal agencies there. Italy is one, Saudi Arabia is another, and there are a few others. So that's just blowing up, and we've got a number of partnerships that we'll be announcing over the course of 2023.
But we can get into the details real quick if you want. You want to talk about... I mean, it's self-explanatory, but yeah, sure. The STAR program, in its simplest form, like I was saying: when businesses during the pandemic didn't understand how to do a security review of applications, that's really what this is helping supplement. The CAIQ, in its truest form, is to give to the vendor and make sure they are hitting the key controls and domains that you would want to see to help secure your enterprise space. So it's helpful in that instance, and even if they aren't in the CSA STAR Registry, you can actually use it to help guide a lot of this
discussion. So if your focus is on security for your business, for applications or procurement, this is a starting point for you to have that discussion with vendors, like, "hey, have you filled out a CAIQ before? Do you know what the CAIQ is? Maybe not; well, here it is, can you please fill it out and get it back to me?" You can actually let them know, "hey, can you send this in to put into CSA's registry?" And that way, the next time another company asks for it, it's already there, it's published, and there's proof of it. Now when we talk about STAR, the cloud assurance ecosystem: STAR Level 1 is what I just told
you about; it is that self-assessment, via the CAIQ, or having a company go through the Cloud Controls Matrix down the list and verifying that they're meeting all of these controls for their product. You can also do STAR Level 2, which is third-party assessment, but this is using an assessor network. So this is actually having the auditors follow a guideline, go through and make sure you're actually hitting that, just like any other SOC audit that you would go through; PCI is kind of like that, just utilizing the CCM and the CAIQ models. Like I said, the STAR Registry is an extensible API, and it's meant to just store all of this, and the idea
behind it is it's visible to everyone. Anyone who wants to put in their security controls and the criteria they're meeting can do so, and it kind of opens up this ease then that, okay, they're focused on security, there is some due diligence there, they did this, awesome, let's move forward with procurement, for whoever it may be. We have STAR extended programs, so these are custom programs to extend STAR, and then also STAR Embedded, which is a licensing program that CSA offers as well. Did you want to touch on this one? This just talks about some of the partnerships we have with all of our
different frameworks. We are absolutely working with any of the named organizations, more probably with them; I'm definitely looking to map our CCM to different other standards and frameworks. So the Cyber Risk Institute is an organization focused on the financial arena, and they have their cloud protection profile; we've gone through a first phase of mapping our CCM to their profile, we're now on to a second phase, and making some really great headway there. We also have partnered with the Motion Picture Association to make CCM their standard for their members as well, and as I noted, we're talking to a number of other different organizations around the globe. And
GSD is very important, if you want to... Yeah, definitely. Raise your hands, who here knows what a CVE is, uses them? Just get a show of hands really quick. Awesome, we're reinventing that. So we have vulnerabilities and exploits; our Global Security Database is not to take over, but to help provide a quicker way to respond to vulnerabilities that you're seeing in software and applications. If you've dealt with CVEs, it could take months sometimes to find something that's been exploited and have a correction or a pathway for a mitigation for it. And especially for those of you who are going down to the IoT shop later, I'm going to try to steal a Tesla; these
are things that we need to know about so we can have corrective action. If you're on a blue team or a red team, it kind of helps either side, right? And so this is going to be vulnerability disclosure in a consistent manner. I won't say it's terrible now, but there is inconsistency with the flow of the current vulnerabilities that come out and the reporting methods on them. Through the Global Security Database we're trying to help curate this process in a quicker manner, with on-demand issuance of security identifiers, tools to automate all of that, and the ability to see where all of that ingress is coming from at a quicker pace, and also to help
enable the tools you're already using, so you can pull from the Global Security Database into your already required toolset. If something's coming at a quicker rate into your tools, that's just better for you to help identify vulnerabilities. So this is something that we're currently working on with a lot of people; it is catching wind currently, in my current opinion. So if you're in the vulnerability space, if you reference CVEs frequently, if it's something you research, take a look at the Global Security Database; I think it might interest you, even if you want to come help and volunteer, if there's something you're experienced in. Again, I harp on this all the time:
I am the research director, so I love people coming in and helping with research. This is something that is going to grow fast, and it's an opportunity to really help establish that. And I believe you want me to touch on the events? Yeah, of course. Awesome. So like I said, in November we have our Zero Trust Virtual Summit; it's going to be awesome, the lineup is fantastic. In February of next year, and that's coming up really fast, our Financial Services Virtual Summit, and then our CSA Summit, which we have at RSA, which is going to be in April, I believe. We are going to have a lot more of a lineup of speakers for the CSA side of RSA, so
if you're going there, stop by, talk to us, and yeah, I think we can go from there. Yeah, I mean, we do have a booth at Black Hat and RSA Conference on an annual basis, so you could always come to the booth and hang out, but we definitely have a number of events at those major events for the industry as well. And very quickly, as far as the virtual summit for financial services, February 15th and 16th, I just learned that, so we've got that scheduled. But that kind of wraps it up; we hit you with a lot of stuff, but we're definitely moving full speed ahead, so
any questions? I know we tried to keep time. Good, James. Okay, if you'd like to talk to us about working with any of the research working groups, or you want to learn more about training or any of that jazz, don't hesitate to approach us, or just reach out by LinkedIn. We're happy to help. So thank you. [Applause]