CSA Security Update


Author: John DiMaria; Assurance Investigatory Fellow


Description

CSA STAR is the industry's most widely adopted program for security assurance in the cloud. The Security, Trust, Assurance and Risk (STAR) Program is built on the principles of transparency, rigorous auditing, and harmonization of standards. Companies that participate in STAR demonstrate best practices and validate the security posture of their cloud offerings. This podcast series explores CSA STAR as well as CSA best practices and research, along with the associated technologies and tools.
22 Episodes
As organizations look to cloud services to process more sensitive and critical data, security and risk management teams need tools to quickly assess and understand the types and rigor of security controls applied by cloud service providers. CSA STAR Attestation is the first cloud-specific attestation program designed to meet this need. Based on the CSA Cloud Controls Matrix (CCM), STAR is the only meta-framework of cloud-specific security controls, mapped to leading standards, that supports third-party audit review and gives security teams the assurance they need to move workloads to the cloud. Listen as we interview Ashwin Chaudhary, Director and CEO of Accedere Group, and discuss STAR Attestation, the advantages of SOC 2 plus CCM, and the business value it brings to organizations.
For a cloud service provider (CSP), customer engagement is crucial. It drives customer loyalty, which directly affects the bottom line, and the potential cost of poor customer engagement should concern every CSP. The lines between cloud providers and cloud consumers keep getting blurrier every day. What are the main challenges of cloud computing that users face? What is the paradigm shift in what users will expect from CSPs as a minimum requirement going forward? What are the top three or four cloud computing risks that customers should be aware of on their side of the shared-responsibility line? Get answers to these questions and more as we interview Jennifer "Jen" Chermoshnyuk, Security and Trust Engineer at GitHub, and shed some light on this critical subject.
As organizations look to cloud services to process more sensitive and critical data, security and risk management teams need tools to quickly assess and understand the types and rigor of security controls applied by cloud service providers. CSA STAR Attestation is the first cloud-specific attestation program designed to meet this need. It is a collaboration between CSA and the AICPA that provides guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Services Principles, AT 101) together with the CSA Cloud Controls Matrix. In this episode we ask: 1. What are CSA STAR and SOC 2? 2. What are the prevalent business drivers that lead to the need for a CSA STAR and SOC 2 attestation? 3. Why should my business plan for a CSA STAR and SOC 2 attestation rather than react to a customer demand for one? Join us as we interview Audrey Katcher, partner in RubinBrown's Business Advisory Services Group, where she oversees the group's Information Technology Risk Services. She also serves as the Open Certification Framework Working Group liaison for the AICPA and made a significant contribution to the STAR Attestation guidelines. Listen as Audrey answers these questions and more about STAR Attestation and the assessment process.
The Security, Trust, Assurance and Risk (STAR) Program is built on the principles of transparency, rigorous auditing, and harmonization of standards. Companies that participate in STAR demonstrate best practices and validate the security posture of their cloud offerings. The STAR registry documents the security and privacy controls provided by popular cloud computing offerings; this publicly accessible registry lets cloud customers evaluate their providers' security in order to make better procurement decisions. Listen as we interview Larry Greenblatt, Information Security Specialist at QAD, as he takes us through his journey to CSA STAR Certification, from building the business case, through implementation and the audit process, to the ROI, the importance of the maturity evaluation, and how the program has improved their business overall.
IoT marks a new stage in the use of digital technology and data to help organizations perform better, improve well-being, and respond to local and global challenges. It presents a huge opportunity, but also real risk. As smart cities and smart nations emerge, a sustainable, pragmatic approach is needed to ensure that the people, processes, and systems involved are secure. With predictions that three-quarters of the world's 9 billion people will be city-dwellers by 2050, it is vital that cities provide a safe and pleasant environment that is sustainable and resilient to change. Listen as we interview David Mudd, Global Digital and Connected Product Certification Director at BSI Group, and discuss these pressing issues, how IoT can make a positive impact on the environment and the business community, and how CSA is working with industry through the development of the CSA IoT Control Matrix.
An excerpt from the most recent podcast interview with Jim Reavis, Co-Founder and CEO of the Cloud Security Alliance, discussing the activities and speakers at the upcoming CSA Summit at RSA.
2019 was another great year for CSA, and it sets the stage for an even greater 2020. Listen to this insightful interview with Jim Reavis, Co-Founder and CEO of the Cloud Security Alliance, as he looks back at the accomplishments and milestones of 2019 and previews the journey ahead in 2020. If you are not already involved with CSA and its large cloud community, this episode is a great starting point.
The Security, Trust, Assurance and Risk (STAR) Program is built on the principles of transparency, rigorous auditing, and harmonization of standards. Companies that participate in STAR demonstrate best practices and validate the security posture of their cloud offerings. The STAR registry documents the security and privacy controls provided by popular cloud computing offerings; this publicly accessible registry lets cloud customers evaluate their providers' security in order to make better procurement decisions. Listen as we interview Willibert Fabritius, Global Head of Information Security and Business Continuity at BSI Group, and travel the road to Level 2 CSA STAR Certification with us, including use cases on implementation and auditing best practices.
As organizations look to cloud services to process more sensitive and critical data, security and risk management teams need tools to quickly assess and understand the types and rigor of security controls applied by cloud service providers. CSA STAR Attestation is the first cloud-specific attestation program designed to meet this need. It is a collaboration between CSA and the AICPA that provides guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Services Criteria) together with the CSA Cloud Controls Matrix. Listen as we interview Debbie Zaller, Principal, practice leader, and SME at Schellman & Company, LLC, who leads the Midwest Region along with the Privacy, SOC 2, and SOC 3 service lines. We take you inside a STAR Attestation engagement, following the process from start to finish, and discuss the value of having successfully completed a STAR Attestation audit.
Forensic readiness is defined as the ability of an organization to maximize its potential to use good-quality digital evidence to protect the organization and support investigators, while minimizing the cost of an investigation. Trust in the cloud is constantly under attack, so good data-driven decisions are critical. Determining whether a data source provides an acceptable level of digital evidence is one thing; safeguarding the integrity of that data, so that the evidence supports the investigation with the proper content and context, transparency, and trust, is another. Proving "due diligence" and "standard of care" is critical when building a case to protect your organization. Listen as I discuss this all-important topic with Lamont Orange, CISO of Netskope, and we take the journey down the road of forensics, the importance of being prepared, and some best-practice suggestions.
Security compliance based on third-party audit is becoming increasingly complex, especially because of the considerable number of national, international, and industry-specific standards and certification schemes in the market. This generates "compliance fatigue", not to mention audit reports that sometimes contradict one another on similar controls, and it often translates into substantial costs for service providers. The idea behind the Multi-Party Recognition Framework (MPRF) is to provide a unified method of systematic and consistent activities with the goal of minimizing the burden of obtaining certification "Y" for a CSP once it has already obtained certification "X". The MPRF's purpose is therefore to use and promote comparative analysis between different security frameworks, standards, and best practices. Listen as Damir Savanovic, Senior Analyst and Researcher at CSA and project manager for the EU-SEC project, discusses this exciting evolution of the compliance ecosystem and how it promises to change the way we approach security assessments in the near future.
As a cloud service provider, an organization faces many security challenges, including providing customers and regulators with the level of transparency and assurance needed to achieve the required level of trust. Many organizations are turning to CSA STAR to answer mandates, to provide a marketing differentiator, or simply to raise the bar on their level of assurance and transparency. Listen as Deepak Gupta, Co-founder and CTO at LoginRadius, explains their journey and approach to implementation: how they weaved the CCM controls into their existing management system, involving all the stakeholders of the business, and which challenges STAR solved for the organization.
Security is not simply a CIO, CSO, or IT department issue. It is critical that organizations have a system in place that can prove the all-important "standard of care" was deployed and maintained. Breaches, leaked documents, and cyberattacks affect stock prices and competitive edge. Security is a responsibility that must be shared by all employees; it is a matter of resilience and survival for the company. How should CEOs and board members get proactively involved in mitigating future challenges and in the decision-making process in an industry with so much "noise"? Given that CEOs' technical knowledge and security experience vary widely, what should they do when vendors start crowding the door? Listen as Phillip Merrick, CEO of Fugue, offers advice from the boardroom on how CEOs think about and approach security versus how the IT department does.
Ribose has achieved STAR Attestation, STAR Certification, and C-STAR, and was one of the first adopters of STAR Continuous. What was the main driver? What was the approach to implementation, and how did they weave the STAR controls into their existing management system to build one holistic, integrated process? Listen as Ron Tse, Founder and CEO of Ribose, addresses these questions, discusses which challenges STAR addressed, and offers predictions on what can be expected in the global compliance landscape.
Research is a big part of what CSA does, providing high-quality, relevant papers, studies, and data free for all to use. Yet the amount of effort that goes into that output, which has produced over 400 artifacts, and into ensuring its value and relevance, is in some ways one of CSA's best-kept secrets. Collaborating with industry and harnessing the right subject-matter expertise to ensure good cross-functionality is critical to producing valuable research. Listen as John Yeoh, Global V.P. of Research for CSA, provides insight into the research process, the people behind the scenes, some common pain points that have been identified, and some of the great research coming down the pipeline to address tomorrow's problems today.
Business email compromise (BEC) scams are not going away anytime soon. For such a relatively low-tech type of financial fraud, BEC has proved to be a high-yield, lucrative enterprise for scammers, yet the prevention measures are neither expensive nor technology-dependent. Listen as Ken Dunham, Senior Technical Director, Cyber Operations at Optiv, discusses this growing issue, the process attackers follow, the root cause, the prevention recommendations you can apply to cloud security when adopting the cloud, and why transparency is so important.
Information sharing, combined with other threat intelligence activities, is an important part of the mix of human and non-human activities that together form a critical part of organizational resilience. There is a reciprocal relationship between the processes within an organization and the ways in which information is used and shared. Join us as we talk to Paul Kurtz, former White House senior official for critical infrastructure and counterterrorism on the National Security and Homeland Security Councils under Presidents Clinton and Bush, an internationally recognized cybersecurity expert, and co-founder and CEO of TruSTAR Technology. We discuss how to get the most out of your intelligence by involving all applicable stakeholders, building a preventive culture that is woven into day-to-day operations, and incorporating more threat intelligence into every stage of the workflow.
Continuous monitoring enables automation of the security practices that cloud providers already follow. Providers publish their security practices according to CSA formatting and specifications, which customers and tool vendors can then retrieve and present in a variety of contexts. Continuous monitoring and auditing improve on traditional point-in-time certification in both trust and transparency. Point-in-time audits, while the foundation of many respected certifications, often leave a considerable gap between audits; adopting continuous monitoring and auditing with a higher audit frequency shrinks the window in which the security posture can drift undetected. This lets cloud service providers make precise statements about the compliance status of the cloud services covered by the continuous audit process, achieving an "always up-to-date" compliance status. A considerable amount of research and science has gone into proving the business case for continuous monitoring and its effectiveness. Listen as we discuss the data in detail with Stephen Boyer, Founder and CTO of BitSight Technologies, along with use cases that show how the paradigm is changing once again in how industry defines risk and security.
CSA and Whistic identified the need for a lighter-weight assessment questionnaire to accommodate the shift to cloud procurement models and to let cybersecurity professionals engage more easily with cloud vendors. CAIQ-Lite was developed to meet the demands of an increasingly fast-paced cybersecurity environment, where ease of adoption has become paramount when selecting a vendor security questionnaire. CAIQ-Lite contains 73 questions compared to the 295 in the full CAIQ, while still covering 100% of the 16 control domains in the Cloud Controls Matrix (CCM) 3.0.1. Listen as we talk with our guest Nick Sorensen, CEO of Whistic, about the research and statistical analysis that went into creating CAIQ-Lite, along with use cases for how and when it should be used.
Dr. Ron Ross, Fellow and Senior Computer Scientist and Information Security Researcher in the Computer Security Division at the National Institute of Standards and Technology (NIST), joins us to discuss the growing problem of system complexity and the security issues that grow with it. In this episode we discuss the problem, its root cause, and the proven best-practice solutions that help an organization move from a reactive to a proactive culture, providing organizational resilie