The CSA SECtember 2022 conference left me with pages of notes and plenty to think about. The speakers shared insights on everything from their own Zero Trust journey to economic theories of cybersecurity. And while everyone shared unique insights, I noticed that three topics seemed to pop up frequently across many presentations and panel discussions.
Slides and videos for some of these presentations are available on the CSA website.
1. Tech Is Just One Piece Of The Puzzle
One idea that came up quite a bit was that barriers to security are as much (or more) functional and process-based as theoretical. Most security professionals know what they need to do to achieve the level of security they want; actually making it happen is the challenge. That means finding and hiring staff, getting board support, budgeting, and collaborating effectively across teams and stakeholders. It can also mean changing the way other business groups perceive security, from a roadblock or cost center to an enabler of the business.
Panel Discussion: Finding Cloud Security Balance and Perfecting Your Cloud Strategy
Rick Doten, CISO at Centene
Jerry Cochran, Deputy CIO of the Pacific Northwest National Laboratory
Of course, the security staff shortage was frequently mentioned in passing, but it was discussed in detail in the panel discussion with Rick Doten and Jerry Cochran. They talked about the increasing importance of hiring security staff with software development skills who can understand the lay of the land for things like containers and microservices. That’s hard enough as it is, but the added challenge is that those skill sets can differ significantly across cloud providers. Oof.
The CISO's Corner: A Chat with Phil Venables
Phil Venables, Google Cloud CISO
Venables talked about the economic incentives that can, in many ways, define the strength of cloud security. He touched briefly on the difficult reality that if businesses don’t see security as benefiting their bottom line, they’re unlikely to invest in it. So the challenge is changing the incentives (or people’s perception of them) so what’s good for our collective cybersecurity is also business-positive.
He also said that factors like economies of scale for big cloud providers mean that large investments in technology are spread across many customers, lowering the per-unit cost. Customers get access to fancy tech without as much of a fancy-tech price tag. I think we can all see the subtext here, that big cloud is good, but it’s an interesting point.
Again on the big-cloud-is-good front, he made the case that the big three cloud providers (AWS, Azure, and GCP) are currently economically incentivized to provide better security. Customers choosing a cloud provider name the inherent security of the provider as their primary (or at least secondary) priority, meaning the big three are competing with each other on the security of their services. It’s a sunshiny view of the three megacloud providers, but I’m not opposed to a little sunshine.
How NTT DATA Embarked on the Zero Trust Journey
Sushila Nair, Vice President of Security Services at NTT DATA
Sushila Nair made the point that one of the biggest challenges NTT DATA faced in their implementation of Zero Trust (ZT) was the people and process involved. One example of a process-oriented success? They managed to get the board’s support by making the case that, as a consultancy, NTT DATA needed to be a trusted advisor, and part of earning that trust was by doing ZT well themselves.
Cloud Security or Future Emerging Technologies: Practices For Effective Operational Governance
Joseph “Rich” Baich, CISO and Director of the Office of Cyber Security at the CIA
I’m going to give Rich Baich the final word on the topic: new technology inevitably means we need to invest in training for teams. As he put it, “talent is critical to everything we do.”
2. A Tale Of Point Products And Platforms
Another idea that popped up a lot was that cloud security is marching inexorably toward a platform approach. Stick with me here for a minute before you yell surely not!
Panel Discussion: Zero Trust and Your Enterprise
Brett James, the Director of Transformation Strategy at Zscaler
Kapil Raina, VP of Zero Trust Marketing at Crowdstrike
Attitudes are shifting in favor of platforms, according to Brett James. The thinking used to be pets over cattle, where you have one thing but you do a really good job with it (I once met a dairy cow very originally named J342, so I get it). James argued that platforms are more efficient and cost-effective in terms of staff time, training, and overall price tag. With an average of 45 security products per organization and overworked employees, you just don’t have the time or money to pamper 45 Fifis.
Kapil Raina added that back when the world was simpler, a best-of-breed approach made sense. But now, with the increasing complexity of environments and of attacker tactics, techniques, and procedures (TTPs), you can’t manage the volume of tools, and you can’t respond quickly enough if you’re swiveling between best-of-breed tools.
Sushila Nair also mentioned the need to move away from best-of-breed solutions toward a platform approach in her presentation on NTT DATA’s ZT journey; more on that in the next section.
3. Zero Trust Doesn't Have To Be Awful For Users
I was interested to hear this topic come up in a few talks. I’m no expert on ZT, so this might be old news to those well-versed in it. But my high-level impression of the ZT approach was previously:
- Limiting access and trust to the narrowest set of circumstances possible makes trying to hack a ZT organization like trying to bite into a pinecone (true).
- ZT can be a big challenge to implement in complex organizations and represents a foundational shift in the way you build your infrastructure (true).
- Limiting privileges means that users sometimes don’t have access to things they need, puts more hurdles in front of them, and generally makes their lives harder (false?).
Zero-Trust Networks = Better Enterprise Security
Aron Anderson, Senior Manager of Enterprise Security at Adobe
Anderson shared that one of Adobe’s goals for implementing a ZT framework was actually to improve the user experience by doing things like removing VPN requirements and improving authentication. That was, of course, in addition to goals like eliminating the opportunity for malicious lateral movement and protecting internal applications while providing a cloud-like experience.
Sushila Nair also mentioned in her presentation that NTT DATA was able to improve their user experience through their ZT implementation. She advised that you need to approach ZT from a user perspective. The security controls need to work for users so they don’t try to circumvent them. For example: everyone uses Apple Face ID because it's easy.
What Is Cloud Security Alliance?
The Cloud Security Alliance (CSA) is a nonprofit organization that promotes research into best practices for securing cloud computing and the use of cloud technologies to secure other forms of computing. It leverages the expertise of industry practitioners, associations, and governments, as well as its corporate and individual members, to offer research, education, certification, events, and products specific to cloud security.
That’s All, Folks
In my opinion, it’s a good day when I’ve learned something, so CSA’s SECtember was like several nuclear-super-powered good days all in a row. I’ve read a lot of discussion about the best-of-breed approach, so my interest was particularly piqued by the numerous references to the need to consolidate.
And, of course, the company that pays me to write cow-naming jokes also happens to have created a very extensive platform that secures everything from developer laptops to Kubernetes clusters. To learn all the point products you could replace with Uptycs, I’d recommend taking a look at our product overview tour.