RSA 2018 is in the books! The event welcomed 42,000 attendees to San Francisco, including cybersecurity professionals, vendors, media, and analysts. The themes of visibility and transparency repeatedly came up in discussions and presentations as organizations grapple with ever-increasing data flows across multiple technology platforms and cloud ecosystems. Another big topic of interest was the European Union’s upcoming General Data Protection Regulation (GDPR) and how it will affect organizations and their data.
RSA kicked off on Monday with the Cloud Security Alliance Summit at RSA. The day was packed with organizational examples of outcomes from their cloud migration initiatives to improve their business efficiency and security. Philippe Courtot, CEO of Qualys, walked the attendees through the 5 new tenets of security – visibility, accuracy, scale, immediacy, and transparent orchestration – to better monitor and defend the increasing attack surface from IoT, endpoint, and big data initiatives. Another important topic at CSA was highlighted in a presentation given by Matt Goodrich of the FedRAMP PMO. In conjunction with the CSA STAR certification, FedRAMP is exploring a way to provide mutual recognition for organizations that have gone through STAR and likewise for organizations that are pursuing FedRAMP through a program called FedSTAR. More details will be provided at the upcoming CSA Federal Summit on May 15 in Washington D.C.
Visibility and transparency, along with automation, came up again in discussions with colleagues in meetings, at dinners, and on the expo show floor. Giving businesses the ability to visualize their data and monitor performance transparently across business units and partners helps organizations more quickly understand operational and security issues arising from data flows in the cloud, vendor security (dynamic questionnaires and scanning), the orchestration of security processes, and compliance automation.
For example, one application involved using automation to alert on application changes and override them until they can be validated. In this use case, event data monitoring alerts administrators that an application has had a control change. While administrators investigate the control change, another automation rule reverts the application to the pre-change version until the investigation concludes that the change was warranted. (If the change was malicious, the attempt to gain access and information through this vector is prevented.) If the change proves legitimate, the control can be implemented; if not, the application keeps reverting to the approved pre-change version.
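The alert-and-revert loop described above, as an added illustration that is not code from the post or from any vendor named in it: a reconciler holds an approved baseline of control settings, fingerprints each observed configuration, alerts once per distinct unapproved change, and keeps returning the approved version until an administrator approves or rejects the pending change. The `ControlMonitor` class, its method names and the sample settings are all constructed for this example.

```python
import hashlib
import json


def fingerprint(config: dict) -> str:
    """Stable hash of a config so drift is detected regardless of key order."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


def diff(old: dict, new: dict) -> dict:
    """Keys whose value changed, mapped to (approved_value, observed_value)."""
    return {k: (old.get(k), new.get(k)) for k in set(old) | set(new) if old.get(k) != new.get(k)}


class ControlMonitor:
    """Hypothetical reconciler: unapproved control changes are alerted on and reverted."""

    def __init__(self, approved_config: dict):
        self.approved = dict(approved_config)
        self.approved_fp = fingerprint(self.approved)
        self.pending = {}   # fingerprint -> proposed config awaiting administrator review
        self.alerts = []    # alert records an operator would receive

    def reconcile(self, live_config: dict) -> dict:
        """Called on each change event; returns the config that should be live."""
        fp = fingerprint(live_config)
        if fp == self.approved_fp:
            return dict(self.approved)
        # Unapproved drift: alert once per distinct change, then revert every time.
        if fp not in self.pending:
            self.pending[fp] = dict(live_config)
            self.alerts.append({"event": "control_change", "fingerprint": fp,
                                "diff": diff(self.approved, live_config)})
        return dict(self.approved)

    def approve(self, fp: str) -> None:
        """Investigation found the change warranted: promote it to the new baseline."""
        self.approved = self.pending.pop(fp)
        self.approved_fp = fp

    def reject(self, fp: str) -> None:
        """Investigation found the change unwarranted: keep reverting to the baseline."""
        self.pending.pop(fp, None)


# Constructed sample: an approved baseline and a drift event that disables MFA.
BASELINE = {"mfa_required": True, "allowed_origins": ["https://app.example"], "debug": False}
DRIFT = dict(BASELINE, mfa_required=False)
```

Each reconcile call returns the approved configuration until `approve()` is called with the alert's fingerprint, after which the old baseline itself is treated as drift.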
Additionally, more organizations are seeking to move to a continuous compliance posture. Many organizations understand and pursue the benefits of security certification, but they are also looking for ways to make compliance continuous, stating that point-in-time assessments are no longer good enough in today’s threat landscape. Continuous compliance would strengthen visibility and transparency, helping organizations manage risk related to privacy, data, and security.
With the recent Facebook testimony on Capitol Hill related to improper use of personal data and the potentially significant fines that GDPR carries – up to 4% of global revenue – for a non-compliant organization, there was also concern among many about how best to manage data to prevent improper use and meet GDPR’s requirements. Coalfire’s Paul Sonntag, Practice Director – Global Privacy, participated in a panel discussion, Cloud Compliance Zeitgeist, at the CSA Summit at RSA. The panel had representation from BSi, Oracle, Onapsis, Safe-T, and Cobalt.
One of the panel’s discussion topics was the recommendation that organizations answer some key questions related to their data, such as: Where is that data? How does it move around your organization? What additional service providers touch or process the data, and what is their policy for data handling in regard to GDPR? How long do you have to keep the data for legal and contractual purposes? The discussion also addressed that the fear of moving to the cloud for security reasons is greatly decreasing. In fact, many organizations are taking advantage of the security benefits of scale in the cloud through the shared responsibility model. While organizations that leverage cloud services for IaaS, PaaS, and SaaS remain responsible for securing their own data in the cloud, there is a great advantage in leveraging a cloud service provider’s responsibility for security of the cloud, depending on how far up the stack the provider delivers services.
With many important initiatives around data privacy, security, visibility, transparency, and automation, it is more important than ever to have a trusted cybersecurity advisor at your side to help inform decisions to improve cybersecurity posture.