Cloud Security Alliance Annual EMEA Congress Discussions

It was as cloudy as Edinburgh could be in the autumn when about 300 Cloud Computing stakeholders gathered for the “Cloud Security Alliance Annual EMEA Congress”, held during the last week of September and produced by MISTI Europe.

The variety of organizations participating demonstrated the array of topics relevant to Cloud Computing adoption. Standards institutions – alongside government bodies, cloud providers and software vendors – demonstrated the challenges facing Cloud Computing. The considerable number of non-EU presenters further demonstrated the globalization process this technology is going through these days, as well as the EU’s role in its advancement.

The Congress’s topics could generally be divided into three major categories: government access to data (inspired by PRISM); the cloud providers’ lack of transparency; and the technological challenges facing Cloud Computing adoption.

The congress began with an excellent keynote presentation from Mikko Hypponen, Chief Research Officer for F-Secure. Circling the stage, Mr. Hypponen listed the new cyber threats facing the world, and predicted that we will see attacks on every device equipped with a processor in order to use CPU time for Bitcoin mining, and that malware will start maliciously locking our cloud services for ransom.

Regarding government access to data, the F-Secure CRO mentioned how surprised he was to learn how far the NSA is willing to go in order to weaken the standards we all rely upon, and speculated that direct access to providers was not a result of providers’ cooperation, but rather due to massive hacking attempts by the NSA. The example given was the recent finding published by “Der Spiegel” about the British intelligence services hacking the Belgian Telecom Company.

Another interesting lecture regarding governments’ access to data was given by Jon Callas, co-founder of PGP and Silent Circle. This top cryptographer reviewed the different sources for surveillance: the various nations’ surveillance levels such as anti-terror, crime prospecting, and economic espionage. Non-national surveillance includes that done by criminals; corporate espionage; and companies such as Google which utilize business models to collect customer data. Callas described the efforts Silent Circle is making in order to help customers avoid different kinds of surveillance, and described the process’s two pathways: technological tools such as encryption and anonymization, and procedures and policies that will define how to safely and confidentially guard the users.

In a later panel regarding PRISM, Mr. Callas revealed the story behind the difficult decision to close Silent Circle’s secure e-mail services, immediately after they had learned that another secure e-mail provider, Lavabit, was served with a federal warrant to reveal data. Current e-mail protocol is just too difficult to secure due to email headers and metadata information saved for each e-mail, he explained.

Government access to data is not the only thing preventing the required trust in Cloud Computing. Cloud provider transparency, or lack of it, is also a major obstacle. Microsoft, Google, HP, Amazon and Adobe all presented and shared their recent efforts to provide transparency to their operation, as well as ways to increase trust. Adriana Hall from Microsoft presented the latest survey regarding Cloud Computing adoption, revealing that although most customers expressed concerns regarding the security and privacy of their data in the cloud, a majority of the companies said that security had actually improved by moving to the cloud.  In her presentation, Ms. Hall exhibited the steps Microsoft is taking in order to increase trust – including complying with different regulations, and advertising their cloud products’ development and operations control to designated Trust centers.

Similar claims came from Adobe and Google, who were very keen to present the measures they are taking in order to protect data. David Lenoe, Director of Product Security at Adobe, described his goals as good architecture, solid code and security in operations. He elaborated on some of the steps Adobe is performing in order to achieve them: SDLC adoption and security training incorporating the martial arts style, with different colored belts given to each level of security awareness. Eran Feigenbaum, Director of Security for Google apps, said that the question is not whether the data is protected in the cloud, but whether it is protected outside of it. He presented a survey demonstrating that 60% of corporate data is located on unprotected laptops. “Cloud providers are built differently”, he explained, “their software is built for resilience, and homogeneous environments make security more robust”.

In the race for transparency and trust, standardization is a cornerstone. The amount of time dedicated in the Congress for reviewing the topics of cloud standards demonstrates how much progress has been made on this subject in the last year. During the Congress, the Cloud Security Alliance announced the launch of its new STAR certificate for cloud providers. The certification, based on ISO27001, was developed along with BSI, and is the first independent and technology-neutral certification aimed at providing more transparency to the industry.

Certification and standards are also regarded by governments as important in promoting Cloud Computing. According to Tjabbe Bos from the cloud unit of the EU commission, the EU Cloud Computing strategy’s aim is to produce 3.8 million additional jobs, and to add 950 Billion EURO to the GDP by 2020. The way to implement the strategy, Mr. Bos added, is through three key actions: building safe and fair contracts; establishing EU partnerships among all cloud stakeholders; and cutting through the chaos of conflicting standards and regulations. Later on, the ENISA head of secure infrastructure and services explained how ENISA is helping the EU to achieve its cloud strategy, by formalizing standards and certification, and establishing international and national corporations. “In the Japanese tsunami disaster, the only emergency services that were able to continue operating were the cloud-based ones”, Dr. Ouzounis revealed, “and therefore we treat it as critical infrastructure and our future digital life backbone”.

From the technological point of view, the challenges that occupied the crowd were similar to last year, and included new formats and use cases for encryption, challenges for authentication and identity management, API security, and mobile and big data.

The encryption solutions presented by companies such as Brainloop and Seclore were file-level encryption (IRM) tools and services aiming at providing control, access lists and audit throughout the document life cycle, including sharing. IRM and file-level encryption technology has been around for some time, but failed to move forward at the enterprise level. Perhaps in the cloud era this technology will succeed, due to sharing and the flexible nature of cloud services. Other identity and authentication solutions were presented by PerfectCloud and Nok Nok Labs, which presented the FIDO Alliance solution for Internet authentication.

It was also agreed – in a panel about the future of Cloud Computing security trends – that API security will be a central component of the security architecture. “In a world of mobile and the Internet of things, everything is API based”, said Mark O’Neill, VP of Innovation at Axway, who demonstrated in his presentation the technology of API gateways and how they can assist organizations in facing future API-driven attacks.

An interesting and unique new technology was presented by SkyHigh security. According to Gartner, by 2015 35% of an organization’s IT spending will not be made by the IT department (called Shadow IT), mainly due to the ease of use and ease of purchase of Cloud Computing services. This information encapsulates a great threat to the status of the CIO. SkyHigh enables the IT department to track and analyze the different cloud services used by the organization – formally and informally – and understand the potential risk associated with those services. An example of the importance of discovering and managing such services was given by Michael Mattmiller from Microsoft, who shared a story about hospital personnel using a cloud knowledge sharing service to increase productivity among them. However, when the CIO found out and examined the data uploaded to the cloud and the provider service agreement, the hospital had to report a security breach to the authorities, and suffer the consequences.

In conclusion, when comparing the 2013 Congress to the previous one last year, the feeling is that cloud services have matured considerably, although there were some minor disruptions such as PRISM. While last year the debate revolved around the advantages and reasons to move to the cloud, this year the discussions were about when and how. A great contribution was made to this process by the governments and the different standardization institutes – which understood their role in the cloud adoption process; by the providers, who generally try to listen to customers and adopt more transparent offerings; and by the Cloud Security Alliance, which exhibited a quick understanding of the different crossroads ahead and invested in the right tools for enabling safer cloud adoption.

By Moshe Ferber

Moshe is a security entrepreneur and investor with over 20 years’ experience in information security in various industry positions. He is currently focused on Cloud Computing as a board member of the Cloud alliance Israeli Chapter, a public speaker on various cloud aspects, and an investor at Clarisite and FortyCloud, startup companies with innovative security solutions. More information can be found at: www.onlinecloudsec.com
