RSA 2018 recap: GDPR, Increasing Visibility and Transparency of Cloud Security

Andrew Barratt, Managing Director, Europe

RSA 2018 is in the books! The event welcomed 42,000 attendees to San Francisco, including cybersecurity professionals, vendors, media, and analysts. The themes of visibility and transparency repeatedly came up in discussions and presentations as organizations grapple with ever-increasing data flows across multiple technology platforms and cloud ecosystems. Another big topic of interest was the European Union’s upcoming General Data Protection Regulation (GDPR) and how it will affect organizations and their data.

RSA kicked off on Monday with the Cloud Security Alliance Summit at RSA. The day was packed with examples of what organizations achieved through cloud migration initiatives undertaken to improve business efficiency and security. Philippe Courtot, CEO of Qualys, walked the attendees through five new tenets of security – visibility, accuracy, scale, immediacy, and transparent orchestration – for monitoring and defending the attack surface that IoT, endpoint, and big data initiatives keep expanding. Another important topic at CSA was highlighted in a presentation given by Matt Goodrich of the FedRAMP PMO. In conjunction with the CSA STAR certification, FedRAMP is exploring a program called FedSTAR that would provide mutual recognition for organizations that have gone through STAR and, likewise, for organizations pursuing FedRAMP. More details will be provided at the upcoming CSA Federal Summit on May 15 in Washington D.C.

Visibility and transparency, along with automation, came up again in meetings with colleagues, at dinners and on the expo show floor. Businesses that can visualize their data and monitor it transparently across business units and partners will understand operational and security issues more quickly: data flows in the cloud, the security of vendors (dynamic questionnaires and scanning), the orchestration of security processes, and compliance automation.

For example, one use case applied automation to alert on application control changes and override them until they can be validated. Event monitoring alerts administrators that a control on an application has changed. While the administrators investigate, a second automation rule reverts the application to the pre-change version, and keeps reverting it, until the investigation concludes that the change was warranted. If the change proves legitimate, the control is implemented; if not, the application is held at the approved pre-change version, and an attacker who made the change to gain access or information is denied that vector.
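The alert-and-revert loop described above, as an added illustration that is not code from the post or from any vendor mentioned in it. The baseline, the drifted configuration and the approval step are all constructed here; a real deployment would take the "current" state from an event feed or a configuration-inventory API and push the enforced state back through the same management plane.

```python
"""Detect-alert-revert loop for configuration drift (added example).

The approved baseline, the drifted configuration and the approval step are
constructed for illustration; they do not come from any real system.
"""
import copy
from dataclasses import dataclass, field

# Hypothetical approved control set for one application (constructed).
APPROVED_BASELINE = {
    "tls_min_version": "1.2",
    "admin_allowlist": ["10.0.0.0/8"],
    "debug_mode": False,
    "session_timeout_min": 15,
}


@dataclass
class Reconciler:
    """Holds the approved baseline and enforces it on every observed state."""

    baseline: dict
    alerts: list = field(default_factory=list)

    def diff(self, current):
        """Return {key: (approved_value, observed_value)} for every divergence,
        including keys that were added or deleted."""
        keys = set(self.baseline) | set(current)
        return {
            k: (self.baseline.get(k), current.get(k))
            for k in keys
            if self.baseline.get(k) != current.get(k)
        }

    def approve(self, key, value):
        """Investigation concluded the change was warranted: adopt it into the
        baseline so the next reconcile no longer reverts it."""
        self.baseline[key] = copy.deepcopy(value)

    def reconcile(self, current):
        """Raise an alert for every divergence and revert each one that has not
        been approved. Returns the configuration that should be enforced."""
        enforced = copy.deepcopy(current)
        for key, (approved, observed) in self.diff(current).items():
            self.alerts.append(
                f"control change on {key!r}: approved={approved!r} observed={observed!r}"
            )
            if key in self.baseline:
                # Restore the approved value; this also re-adds a deleted key.
                enforced[key] = copy.deepcopy(approved)
            else:
                # A key the baseline never had: drop it.
                enforced.pop(key, None)
        return enforced


def demo():
    """Walk through the scenario in the text: unapproved drift is reverted on
    every cycle; once one change is approved, only the other keeps reverting."""
    r = Reconciler(baseline=copy.deepcopy(APPROVED_BASELINE))

    # Cycle 1: debug mode is switched on and the admin allowlist is widened
    # to the whole Internet (constructed drift; could be an attacker or a mistake).
    drifted = {**APPROVED_BASELINE, "debug_mode": True,
               "admin_allowlist": ["0.0.0.0/0"]}
    first = r.reconcile(drifted)

    # Cycle 2: the same change is pushed again; it is reverted again.
    second = r.reconcile(drifted)

    # Investigation finds the debug window was a planned diagnostic; approve it.
    r.approve("debug_mode", True)
    third = r.reconcile(drifted)  # only the allowlist is still reverted
    return first, second, third, list(r.alerts)


if __name__ == "__main__":
    first, second, third, alerts = demo()
    for a in alerts:
        print("ALERT:", a)
    print("enforced after approval:", third)
```

Two caveats a practitioner would add. First, the loop only holds if the enforcement path is at least as privileged as, and separate from, the path an attacker used to make the change; if the baseline store or the reconciler itself can be modified by the same credentials, the attacker simply edits the baseline. Second, a legitimate change that is not yet approved will flap on every cycle, so the alerts must reach people who can complete the investigation quickly, and the alert stream itself should feed the SIEM so that repeated reverts of the same key are visible as a pattern rather than as isolated events.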

Additionally, more organizations are seeking a continuous compliance posture. Many already understand and pursue the benefits of security certification, but they state that point-in-time assessments are no longer good enough in today’s threat landscape and are looking at ways to verify their controls continuously. Continuous compliance would improve visibility and transparency for managing risk related to privacy, data, and security.

With the recent Facebook testimony on Capitol Hill related to improper use of personal data, and the significant fines that GDPR carries for a non-compliant organization – up to 4% of global annual turnover or €20 million, whichever is greater – there was also concern among many about how best to manage data to prevent improper use and meet GDPR’s requirements. Coalfire’s Paul Sonntag, Practice Director – Global Privacy, participated in a panel discussion, Cloud Compliance Zeitgeist, at the CSA Summit at RSA. The panel had representation from BSi, Oracle, Onapsis, Safe-T, and Cobalt.

One of the panel’s discussion topics was the recommendation that organizations answer some key questions about their data: Where is the data? How does it move around your organization? Which additional service providers touch or process the data, and what is their policy for handling it under GDPR? How long do you have to keep the data for legal and contractual purposes? The panel also noted that fear of moving to the cloud for security reasons has greatly decreased. In fact, many organizations are taking advantage of the security scale the cloud offers through the shared responsibility model. Organizations that use IaaS, PaaS, or SaaS remain responsible for the security of their own data in the cloud, but they gain a great deal from the provider’s responsibility for the security of the cloud itself, and the more of the stack the provider delivers, the larger that share becomes.

With many important initiatives around data privacy, security, visibility, transparency, and automation, it is more important than ever to have a trusted cybersecurity advisor at your side to help inform decisions to improve cybersecurity posture.
