Cloud Security Alliance Annual EMEA Congress Discussions

Cloud Security Alliance Annual EMEA Congress Discussions

Cloud Security Alliance Annual EMEA Congress Discussions

It was as cloudy as Edinburgh could be in the autumn, when the “Cloud Security Alliance Annual EMEA Congress” featuring about 300 Cloud Computing stake-holders, gathered for the event that was held during the last week of September, produced By MISTI Europe.csa-sm

The variety of organizations participating demonstrated the array of topics relevant to Cloud Computing adoption. Standards institutions – alongside government bodies, cloud providers and software vendors – demonstrated the challenges facing Cloud Computing. The considerable number of non-EU presenters further demonstrated the globalization process this technology is going through these days, as well as the EU’s role in its advancement.

The Congress’s topics could generally be divided into three major categories: government access to data (inspired by PRISM); the cloud providers’ lack of transparency; and the technological challenges facing Cloud Computing adoption.

The congress began with an excellent keynote presentation from Mikko Hypponen, Chief Research Officer for F-Secure. Circling the stage, Mr. Hypponen listed the new cyber threats facing the world, and predicted that will see be attacks on every device equipped with processor in order to use CPU time for Bitcoins mining, and that malware will start maliciously locking our cloud services for ransom.

Regarding government access to data, the F-Secure CRO mentioned how surprised he was to learn how far the NSA is willing to go in order to weaken the standards we all rely upon, and speculated that direct access to providers was not a result of providers cooperation, but rather due to massive hacking attempts by the NSA. The example given was the recent finding published by “Der Spiegel” about the British Intelligence services’ hacking the Belgian Telecom Company.

Another interesting lecture regarding governments’ access to data was given by Jon Callas, co-founder of PGP and Silent Circle. This top cryptographer reviewed the different sources for surveillance: the various nations’ surveillance levels such as anti-terror, crime prospecting, and economic espionage. Non-national surveillance includes that done by criminals; corporate espionage; and companies such as Google which utilize business models to collect customer data. Callas described the efforts Silent Circle is making in order to help customers avoid different kinds of surveillance, and described the process’s two pathways: technological tools such as encryption and ammonization, and procedures and policies that will define how to safely and confidentially guard the users.

In a later panel regarding PRISM, Mr. Callas revealed the story behind the difficult decision to close Silent Circle’s secure e-mail services, immediately after they had learned that another secure e-mail provider, Lavabit, was served with a federal warrant to reveal data. Current e-mail protocol is just too difficult to secure due to email headers and metadata information saved for each e-mail, he explained.

Government access to data is not the only thing preventing the required trust in Cloud Computing. Cloud provider transparency, or lack of it, is also a major obstacle. Microsoft, Google, HP, Amazon and Adobe all presented and shared their recent efforts to provide transparency to their operation, as well as ways to increase trust. Adriana Hall from Microsoft presented the latest survey regarding Cloud Computing adoption, revealing that although most customers expressed concerns regarding the security and privacy of their data in the cloud, a majority of the companies said that security had actually improved by moving to the cloud.  In her presentation, Ms. Hall exhibited the steps Microsoft is taking in order to increase trust – including complying with different regulations, and advertising their cloud products’ development and operations control to designated Trust centers.

Similar claims came from Adobe and Google, who were very keen to present the measures they are taking in order to protect data. David Lenoe, Director of Product Security at Adobe, described his goals as good architecture, solid code and security in operations. He elaborated on some of the steps Adobe is performing in order to achieve them:  SDLC adoption and security training incorporating the martial arts style, with different colored belts given to each level of security awareness. Eran Feigenbaum, Director of Security for Google apps, said that the question is not whether the data is protected in the cloud, but whether it is protected outside of it. He presented a survey demonstrating that 60% of corporate data is located on unprotected laptops. “Cloud providers are built differently“, he explained, “their software is built for resilience, and homogeneous environments make security more robust“.

In the race for transparency and trust, standardization is a cornerstone. The amount of time dedicated in the Congress for reviewing the topics of cloud standards demonstrates how much progress has been made on this subject in the last year. During the Congress, the Cloud Security Alliance announced the launch of its new STAR certificate for cloud providers. The certification, based on ISO27001, was developed along with BSI, and is the first independent and technology-neutral certification aimed at providing more transparency to the industry.

Certification and standards are also regarded by governments as important in promoting Cloud Computing. According to Tjabbe Bos from the cloud unit of the EU commission, the EU Cloud Computing strategy’s aim is to produce 3.8 million additional jobs, and to add 950 Billion EURO to the GDP by 2020.  The way to implement the strategy, Mr. Bos added, is through three key actions:  building safe and fair contracts; establishing EU partnerships among all cloud stakeholders; and cutting through the chaos of conflicting standards and regulations.  Later on, the ENISA head of secure infrastructure and services explained how ENISA is helping the EU to achieve its cloud strategy, by formalizing standards and certification, and establishing international and national corporations. “In the Japanese tsunami disaster, the only emergency services that were able to continue operating were the cloud-based ones“, Dr. Ouzounis revealed, “and therefore we treat it as critical infrastructure and our future digital life backbone“.

From the technological point of view, the challenges that occupied the crowd were similar to last year, and included new format and use cases for encryptions, challenges for authentication and identity management, API security, and mobile and big data.

encryption

The encryption solutions presented by companies such as Brainloop and Seclore were file level encryption (IRM) tools and services aiming at providing control, access list and audit throughout the document life cycle, and sharing. IRM and file level encryption technology has been around for some time, but failed to move forward at the enterprise level. Perhaps in the cloud era this technology will succeed, due to sharing and the flexible nature of cloud services. Other identity and authentication solutions were presented by PerfectCloud and Nok Nok labs, which presented the FIDO alliance solution for Internet authentication.

It was also agreed – in a panel about the future of Cloud Computing security trends – that API security will be a central component of the security architecture. “In a world of mobile and the Internet of things, everything is API based“, said Mark O’Neill, VP of Innovation at Axway, who demonstrated in his presentation the technology of the API gateway and how they can assist organizations in future API driven attacks.

An interesting and unique new technology was presented by SkyHigh security. According to Gartner, by 2015 35% of an organization’s IT spending will not be made by the IT department (called Shadow IT), mainly due to the ease of use and ease of purchase of Cloud Computing services. This information encapsulates a great threat to the status of the CIO. SkyHigh enables the IT department to track and analyze the different cloud services used by the organization – formally and informally – and understand the potential risk associated with those services. An example of the importance of discovering and managing such services was given by Michael Mattmiller from Microsoft, who shared a story about hospital personnel using a cloud knowledge sharing service to increase productivity among them. However, when the CIO found out and examined the data uploaded to the cloud and the provider service agreement, the hospital had to report a security breach to the authorities, and suffer the consequences.

In conclusion, when comparing the 2013 Congress to the previous one last year, the feeling is that cloud services have matured considerably, although there were some minor disruptions such as PRISM. While last year the debate revolved around the advantages and reasons to move to the cloud, this year the discussions were about when and how. A great contribution was made to this process by the governments and the different standardization institutes – which understood their role in the cloud adoption process; by the providers, who generally try to listen to customers and adopt more transparent offering; and by the Cloud Security Alliance, which exhibited a quick understanding of the different crossroads ahead and invested in the right tools for enabling safer cloud adoption.

moshe-ferberBy Moshe Ferber,

Moshe is an security entrepreneur and investor. With over 20 years’ experience in information security at various industry positions.  Currently focused on Cloud Computing as board member for Cloud  alliance Israeli Chapter, public speaker on various cloud aspects and investor at Clarisite and FortyCloud – Startup companies with innovative security solutions. More information can be found at: www.onlinecloudsec.com

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

From Startup To Becoming Enterprise Grade

From Startup To Becoming Enterprise Grade

Becoming Enterprise Grade How can an emerging business make a successful transition from selling to SMB customers that fueled their early growth to the enterprise customers that enable long-term profitability? What works with SMB customers often won’t get you a seat at the enterprise table. To make deep inroads into enterprise accounts, you have to…

What The FITARA Scorecard Tells Us About Government Cyber Security Preparedness

What The FITARA Scorecard Tells Us About Government Cyber Security Preparedness

Government Cyber Security Preparedness Last year’s massive data breach of Office of Personnel Management, as well as other recent cyber security incidents affecting federal agencies, underscored the urgency of bringing the federal government’s security infrastructure up to date. Although many agencies have made strides toward hardening their cyber security, outdated IT infrastructure and architecture is…

Five Cloud Questions Every CIO Needs To Know How To Answer

Five Cloud Questions Every CIO Needs To Know How To Answer

The Hot Seat Five cloud questions every CIO needs to know how to answer The cloud is a powerful thing, but here in the CloudTweaks community, we already know that. The challenge we have is validating the value it brings to today’s enterprise. Below, let’s review five questions we need to be ready to address…

Global Cloud Development An Open Question

Global Cloud Development An Open Question

Global Cloud Development Statistics and projections from Cisco’s Global Cloud Index show that the world’s data centers are already processing 4.7 zettabytes (4.7 million petabytes) per year. Cisco research says this amount will continue to grow by 23% annually for the next few years. (Inforgraphic Source: https://visual.ly/how-much-petabyte) If we project these numbers over the next 25…

Connecting To Information With Cyber Physical Systems

Connecting To Information With Cyber Physical Systems

CPS Device Trends On The Rise It isn’t, “Do you remember who starred in XYZ Movie?” It’s, “Can you look it up please?” “Did you ever think you would sit at the dinner table, and when a question came up, someone would look up the answer and share it with everyone?” The words echoed at…

Does Slack Live Up To The Hype?

Does Slack Live Up To The Hype?

Does Slack Live Up to the Hype? Slack’s the definition of a business success story. In just a couple years, it’s evolved from a gaming company’s internal communication tool to a globally used platform that was last valued at $2.8 billion. The popular collaboration tool, dubbed “social media for business,” first made an appearance on…

Managing Cloud Applications Among The Business Regulations

Managing Cloud Applications Among The Business Regulations

Managing  Cloud Business Regulations Cloud applications must be managed in a way that complies with the many different government standards in the United States. As more cloud applications are being implemented in businesses of every industry, companies need a way to ensure compliance. Some of these regulations include the Health Insurance Portability and Accountability Act (HIPPA),…

CloudTweaks is recognized as one of the leading influencers in cloud computing, infosec, big data and the internet of things (IoT) information. Our goal is to continue to build our growing information portal by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

Sponsor