Cloud Security Alliance Annual EMEA Congress Discussions

Cloud Security Alliance Annual EMEA Congress Discussions

Cloud Security Alliance Annual EMEA Congress Discussions

It was as cloudy as Edinburgh could be in the autumn, when the “Cloud Security Alliance Annual EMEA Congress” featuring about 300 Cloud Computing stake-holders, gathered for the event that was held during the last week of September, produced By MISTI Europe.csa-sm

The variety of organizations participating demonstrated the array of topics relevant to Cloud Computing adoption. Standards institutions – alongside government bodies, cloud providers and software vendors – demonstrated the challenges facing Cloud Computing. The considerable number of non-EU presenters further demonstrated the globalization process this technology is going through these days, as well as the EU’s role in its advancement.

The Congress’s topics could generally be divided into three major categories: government access to data (inspired by PRISM); the cloud providers’ lack of transparency; and the technological challenges facing Cloud Computing adoption.

The congress began with an excellent keynote presentation from Mikko Hypponen, Chief Research Officer for F-Secure. Circling the stage, Mr. Hypponen listed the new cyber threats facing the world, and predicted that will see be attacks on every device equipped with processor in order to use CPU time for Bitcoins mining, and that malware will start maliciously locking our cloud services for ransom.

Regarding government access to data, the F-Secure CRO mentioned how surprised he was to learn how far the NSA is willing to go in order to weaken the standards we all rely upon, and speculated that direct access to providers was not a result of providers cooperation, but rather due to massive hacking attempts by the NSA. The example given was the recent finding published by “Der Spiegel” about the British Intelligence services’ hacking the Belgian Telecom Company.

Another interesting lecture regarding governments’ access to data was given by Jon Callas, co-founder of PGP and Silent Circle. This top cryptographer reviewed the different sources for surveillance: the various nations’ surveillance levels such as anti-terror, crime prospecting, and economic espionage. Non-national surveillance includes that done by criminals; corporate espionage; and companies such as Google which utilize business models to collect customer data. Callas described the efforts Silent Circle is making in order to help customers avoid different kinds of surveillance, and described the process’s two pathways: technological tools such as encryption and ammonization, and procedures and policies that will define how to safely and confidentially guard the users.

In a later panel regarding PRISM, Mr. Callas revealed the story behind the difficult decision to close Silent Circle’s secure e-mail services, immediately after they had learned that another secure e-mail provider, Lavabit, was served with a federal warrant to reveal data. Current e-mail protocol is just too difficult to secure due to email headers and metadata information saved for each e-mail, he explained.

Government access to data is not the only thing preventing the required trust in Cloud Computing. Cloud provider transparency, or lack of it, is also a major obstacle. Microsoft, Google, HP, Amazon and Adobe all presented and shared their recent efforts to provide transparency to their operation, as well as ways to increase trust. Adriana Hall from Microsoft presented the latest survey regarding Cloud Computing adoption, revealing that although most customers expressed concerns regarding the security and privacy of their data in the cloud, a majority of the companies said that security had actually improved by moving to the cloud.  In her presentation, Ms. Hall exhibited the steps Microsoft is taking in order to increase trust – including complying with different regulations, and advertising their cloud products’ development and operations control to designated Trust centers.

Similar claims came from Adobe and Google, who were very keen to present the measures they are taking in order to protect data. David Lenoe, Director of Product Security at Adobe, described his goals as good architecture, solid code and security in operations. He elaborated on some of the steps Adobe is performing in order to achieve them:  SDLC adoption and security training incorporating the martial arts style, with different colored belts given to each level of security awareness. Eran Feigenbaum, Director of Security for Google apps, said that the question is not whether the data is protected in the cloud, but whether it is protected outside of it. He presented a survey demonstrating that 60% of corporate data is located on unprotected laptops. “Cloud providers are built differently“, he explained, “their software is built for resilience, and homogeneous environments make security more robust“.

In the race for transparency and trust, standardization is a cornerstone. The amount of time dedicated in the Congress for reviewing the topics of cloud standards demonstrates how much progress has been made on this subject in the last year. During the Congress, the Cloud Security Alliance announced the launch of its new STAR certificate for cloud providers. The certification, based on ISO27001, was developed along with BSI, and is the first independent and technology-neutral certification aimed at providing more transparency to the industry.

Certification and standards are also regarded by governments as important in promoting Cloud Computing. According to Tjabbe Bos from the cloud unit of the EU commission, the EU Cloud Computing strategy’s aim is to produce 3.8 million additional jobs, and to add 950 Billion EURO to the GDP by 2020.  The way to implement the strategy, Mr. Bos added, is through three key actions:  building safe and fair contracts; establishing EU partnerships among all cloud stakeholders; and cutting through the chaos of conflicting standards and regulations.  Later on, the ENISA head of secure infrastructure and services explained how ENISA is helping the EU to achieve its cloud strategy, by formalizing standards and certification, and establishing international and national corporations. “In the Japanese tsunami disaster, the only emergency services that were able to continue operating were the cloud-based ones“, Dr. Ouzounis revealed, “and therefore we treat it as critical infrastructure and our future digital life backbone“.

From the technological point of view, the challenges that occupied the crowd were similar to last year, and included new format and use cases for encryptions, challenges for authentication and identity management, API security, and mobile and big data.

encryption

The encryption solutions presented by companies such as Brainloop and Seclore were file level encryption (IRM) tools and services aiming at providing control, access list and audit throughout the document life cycle, and sharing. IRM and file level encryption technology has been around for some time, but failed to move forward at the enterprise level. Perhaps in the cloud era this technology will succeed, due to sharing and the flexible nature of cloud services. Other identity and authentication solutions were presented by PerfectCloud and Nok Nok labs, which presented the FIDO alliance solution for Internet authentication.

It was also agreed – in a panel about the future of Cloud Computing security trends – that API security will be a central component of the security architecture. “In a world of mobile and the Internet of things, everything is API based“, said Mark O’Neill, VP of Innovation at Axway, who demonstrated in his presentation the technology of the API gateway and how they can assist organizations in future API driven attacks.

An interesting and unique new technology was presented by SkyHigh security. According to Gartner, by 2015 35% of an organization’s IT spending will not be made by the IT department (called Shadow IT), mainly due to the ease of use and ease of purchase of Cloud Computing services. This information encapsulates a great threat to the status of the CIO. SkyHigh enables the IT department to track and analyze the different cloud services used by the organization – formally and informally – and understand the potential risk associated with those services. An example of the importance of discovering and managing such services was given by Michael Mattmiller from Microsoft, who shared a story about hospital personnel using a cloud knowledge sharing service to increase productivity among them. However, when the CIO found out and examined the data uploaded to the cloud and the provider service agreement, the hospital had to report a security breach to the authorities, and suffer the consequences.

In conclusion, when comparing the 2013 Congress to the previous one last year, the feeling is that cloud services have matured considerably, although there were some minor disruptions such as PRISM. While last year the debate revolved around the advantages and reasons to move to the cloud, this year the discussions were about when and how. A great contribution was made to this process by the governments and the different standardization institutes – which understood their role in the cloud adoption process; by the providers, who generally try to listen to customers and adopt more transparent offering; and by the Cloud Security Alliance, which exhibited a quick understanding of the different crossroads ahead and invested in the right tools for enabling safer cloud adoption.

moshe-ferberBy Moshe Ferber,

Moshe is an security entrepreneur and investor. With over 20 years’ experience in information security at various industry positions.  Currently focused on Cloud Computing as board member for Cloud  alliance Israeli Chapter, public speaker on various cloud aspects and investor at Clarisite and FortyCloud – Startup companies with innovative security solutions. More information can be found at: www.onlinecloudsec.com

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

Comic
Cukes and the Cloud

Cukes and the Cloud

The Cloud, through bringing vast processing power to bear inexpensively, is enabling artificial intelligence. But, don’t think Skynet and the Terminator. Think cucumbers! Artificial Intelligence (A.I.) conjures up the images of vast cool intellects bent on our destruction or at best ignoring us the way we ignore ants. Reality is a lot different and much…

Ransomware’s Great Lessons

Ransomware’s Great Lessons

Ransomware The vision is chilling. It’s another busy day. An employee arrives and logs on to the network only to be confronted by a locked screen displaying a simple message: “Your files have been captured and encrypted. To release them, you must pay.” Ransomware has grown recently to become one of the primary threats to…

InformationWeek Reveals Top 125 Vendors Taking the Technology Industry by Storm

InformationWeek Reveals Top 125 Vendors Taking the Technology Industry by Storm

InformationWeek Reveals Top 125 Vendors Five-part series details companies to watch across five essential technology sectors SAN FRANCISCO, Sept. 27, 2016 /PRNewswire/ — InformationWeek released its list of “125 Vendors to Watch” in 2017. Selected by InformationWeek’s expert editorial team, the companies listed fall into one of five key themes: infrastructure, security, cloud, data management and…

Part 1 – Connected Vehicles: Paving The Way For IoT On Wheels

Part 1 – Connected Vehicles: Paving The Way For IoT On Wheels

Connected Vehicles From cars to combines, the IoT market potential of connected vehicles is so expansive that it will even eclipse that of the mobile phone. Connected personal vehicles will be the final link in a fully connected IoT ecosystem. This is an incredibly important moment to capitalize on given how much time people spend…

Embedded Sensors and the Wearable Personal Cloud

Embedded Sensors and the Wearable Personal Cloud

The Wearable Personal Cloud Wearable tech is one avenue of technology that’s encouraging cloud connections and getting us all onto interconnected networks, and with the continued miniaturization and advancement of computing the types of wearable tech are always expanding and providing us with new opportunities. A few years ago, smartwatches were rather clunky devices with…

THE FUTURE OF BIG DATA AND DNS ANALYTICS

THE FUTURE OF BIG DATA AND DNS ANALYTICS

Big Data and DNS Analytics Big Data is revolutionizing the way admins manage their DNS traffic. New management platforms are combining historical data with advanced analytics to inform admins about possible performance degradation in their networks. Not only that, but they also have the ability to suggest ways to optimize network configurations for faster routing.…

How To Humanize Your Data (And Why You Need To)

How To Humanize Your Data (And Why You Need To)

How To Humanize Your Data The modern enterprise is digital. It relies on accurate and timely data to support the information and process needs of its workforce and its customers. However, data suffers from a likability crisis. It’s as essential to us as oxygen, but because we don’t see it, we take it for granted.…

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Infrastructure-as-a-Service Security It’s no secret many organizations rely on popular cloud providers like Amazon and Microsoft for access to computing infrastructure. The many perks of cloud services, such as the ability to quickly scale resources without the upfront cost of buying physical servers, have helped build a multibillion-dollar cloud industry that continues to grow each…

Adopting A Cohesive GRC Mindset For Cloud Security

Adopting A Cohesive GRC Mindset For Cloud Security

Cloud Security Mindset Businesses are becoming wise to the compelling benefits of cloud computing. When adopting cloud, they need a high level of confidence in how it will be risk-managed and controlled, to preserve the security of their information and integrity of their operations. Cloud implementation is sometimes built up over time in a business,…

The Security Gap: What Is Your Core Strength?

The Security Gap: What Is Your Core Strength?

The Security Gap You’re out of your mind if you think blocking access to file sharing services is filling a security gap. You’re out of your mind if you think making people jump through hoops like Citrix and VPNs to get at content is secure. You’re out of your mind if you think putting your…

The Internet of Things Lifts Off To The Cloud

The Internet of Things Lifts Off To The Cloud

The Staggering Size And Potential Of The Internet of Things Here’s a quick statistic that will blow your mind and give you a glimpse into the future. When you break that down, it translates to 127 new devices online every second. In only a decade from now, every single vehicle on earth will be connected…

Cloud Infographic – The Future Of Big Data

Cloud Infographic – The Future Of Big Data

The Future Of Big Data Big Data is BIG business and will continue to be one of the more predominant areas of focus in the coming years from small startups to large scale corporations. We’ve already covered on CloudTweaks how Big Data can be utilized in a number of interesting ways from preventing world hunger to helping teams win…

The Cloud Above Our Home

The Cloud Above Our Home

Our Home – Moving All Things Into The Cloud The promise of a smart home had excited the imagination of the movie makers long ago. If you have seen any TV shows in the nineties or before, the interpretation presented itself to us as a computerized personal assistant or a robot housekeeper. It was smart,…

M2M, IoT and Wearable Technology: Where To Next?

M2M, IoT and Wearable Technology: Where To Next?

M2M, IoT and Wearable Technology Profiling 600 companies and including 553 supporting tables and figures, recent reports into the M2M, IoT and Wearable Technology ecosystems forecast opportunities, challenges, strategies, and industry verticals for the sectors from 2015 to 2030. With many service providers looking for new ways to fit wearable technology with their M2M offerings…

Cloud Infographic – Big Data Predictions By 2023

Cloud Infographic – Big Data Predictions By 2023

Big Data Predictions By 2023 Everything we do online from social networking to e-commerce purchases, chatting, and even simple browsing yields tons of data that certain organizations collect and poll together with other partner organizations. The results are massive volumes of data, hence the name “Big Data”. This includes personal and behavioral profiles that are stored, managed, and…

Protecting Devices From Data Breach: Identity of Things (IDoT)

Protecting Devices From Data Breach: Identity of Things (IDoT)

How to Identify and Authenticate in the Expanding IoT Ecosystem It is a necessity to protect IoT devices and their associated data. As the IoT ecosystem continues to expand, the need to create an identity to newly-connected things is becoming increasingly crucial. These ‘things’ can include anything from basic sensors and gateways to industrial controls…