
Introduction to the Cloud Controls Matrix v4.0

The presentation provides a synopsis of the latest release of the Cloud Controls Matrix, version 4, a closer look at its development and new components, the current activities of the CCM Working Group (ongoing, published and future work), and finally an update on CSA’s STAR program and the transition policy from CCMv3.0.1 to CCMv4.0.
Recorded Jul 29 2021 27 mins
Presented by
Lefteris SKOUTARIS (Program Manager, CSA)
  • What's Real & What's Possible with Self-Service and Developer Speed Governance Oct 26 2021 5:00 pm UTC 60 mins
    John Steven, Chief Technology Officer, Concourse Labs
    Security, Cloud, Operations, and Product/Development groups are all building out their versions of the next cloud platform and governance controls. As each considers overlapping approaches including automated enforcement, shift left, and other posture management approaches one question dominates: "How can security keep pace with delivery?"

    Expect insight on how to:
    - Create security as code (SAC);
    - Integrate SAC into existing software delivery and governance lifecycles;
    - Evolve from 'guardrails' to preventative controls; and
    - Navigate follow-on action from monitoring and drift detection activities.

    Join John Steven, Concourse Labs CTO and co-author of the BSIMM study, as he shares his hands-on experience implementing security-as-code architectures and demonstrates best practices for developing security policy and controls, to automate DevSecOps and runtime cloud security.
  • CSA Continuous Recap Recorded: Oct 20 2021 30 mins
    Speaker to be Announced
    Session Details to be Announced
  • Cloud is code... oops did I say that? Recorded: Oct 20 2021 31 mins
    Larry Whiteside Jr., Co-Founder & President, Cyversity
    We are all aware of the digital transformation many organizations are undergoing. What’s not being said is that it basically means a rush to utilize services that organizations are not prepared to secure. This new digital frontier is not just pushing technology forward; it's pushing security away from its origin in infrastructure to a new code-based infrastructure in which old security paradigms no longer work. Here we will discuss this new paradigm and what security practitioners must now adapt to in order to protect it.
  • A Conversation About Threat Modeling in Today's Cloud Recorded: Oct 20 2021 53 mins
    Jon-Michael Brook, Principal Security Architect, Starbucks and Alexander Getsin, CISO, RiseUp
    Threat modeling is an essential practice for software and systems security. Cloud threat modeling expands on standard threat modeling practices to account for unique cloud services and an application’s qualities and considerations. The CSA Threat Model applies standard threat modeling methodologies to today’s unique cloud threat landscape, including threats such as ransomware. Organizations will learn to develop a structured and repeatable approach for modeling threats in order to successfully anticipate and mitigate the latest threats to cloud computing.
  • Hiding In Plain Sight - An Untapped Path to Cloud Security Recorded: Oct 20 2021 24 mins
    Yaniv Bar-Dayan, CEO and Co-Founder, Vulcan Cyber
    All major cloud providers now offer a native vulnerability scanning service to help their customers identify potential cloud security issues. But is your team taking full advantage of these tools, and how are you using scan data to drive remediation outcomes and reduce risk across your cloud surfaces? Attend this session to learn what tools are available to you today from AWS, Azure and Google Cloud. More importantly, attend this session to learn how to integrate these tools into your cloud security programs for a more confident and scalable approach to cloud and multi-cloud risk remediation.
  • The Techonomic Cold War Recorded: Oct 20 2021 30 mins
    Kris Lovejoy, Principal, EY
    We are entering a prolonged phase of state interventionism which will blur the lines between government and business and give rise to new risks.

    What lies ahead is a “future of war” in which war is constantly being waged by state and non-state actors (using cyber-attacks, misinformation campaigns, etc.). Companies will often be collateral damage in this process, and will also face more volatility and risk from interventionist leaders. In many instances, the borders between government and business will become blurred as states engage in “digital mercantilism”.

    Are you prepared for the cyber risks of tomorrow, such as weaponized disinformation and deepfakes?
  • Catching Cloud Misconfigurations in Code Before They Manifest as Security Risks Recorded: Oct 20 2021 19 mins
    Yoni Leitersdorf, CEO & Founder, Indeni
    A recent study suggests that misconfiguration is the number one risk to cloud environments in 2021. With infrastructure-as-code (IaC), we have the opportunity to catch security issues within the CI/CD pipeline before they manifest themselves in the cloud. In this talk, we will dive into techniques for IaC threat modeling. This includes static and dynamic analyses that can prevent supply chain attacks caused by overly permissive IAM roles, catch sensitive data that is exposed inadvertently, and detect privilege escalation, drift, and similar issues. We will also describe the various stages of implementing IaC security automation.
  • Managing and Measuring Risk on the Cloud Recorded: Oct 20 2021 33 mins
    John Yeoh, Cloud Security Alliance
    A recent CSA study evaluated over 600 security professionals and 25 enterprise security executives to better understand the challenges and effectiveness of current risk management practices towards the public cloud. This report shares the top benefits and challenges for risk practices towards cloud including the evaluation, assessment, and procurement of cloud services to the understanding of risk tolerance and why cloud is different.
  • Psychology of the Phish: Leveraging the Seven Principles of Influence Recorded: Oct 20 2021 24 mins
    Sourya Biswas, Technical Director, Risk Management & Governance (RM&G), NCC Group
    According to the X-Force Threat Intelligence Index 2020, produced by IBM X-Force Incident Response and Intelligence Services, phishing is still the number one attack vector in use today. Security professionals often overlook the "social" aspect of "social engineering", focusing on tool deployment instead. The success of phishing is predicated on exploiting normal human behavior for nefarious purposes. This session looks at phishing through this psychological lens, specifically on how the Seven Principles of Influence as expounded by Robert Cialdini are leveraged by attackers.
  • CxO Panel Discussion: Lessons Learned from our Journey to the Cloud Recorded: Oct 20 2021 46 mins
    Stacey Halota, Graham Holdings; Pratyush Rai, Kaplan North America
    Moving to the cloud is a big decision and encompasses areas including scope, risk, cost and many others. The benefits of a successful migration can be significant, but there is risk to any large project that must be managed. In this fireside chat we will speak to a CISO and CTO who made this journey (and are still on it) and get their insight into what went into the planning process, lessons learned along the way, what is working well, and what they would have done differently. During the journey three business units under different leadership combined into one that now encompasses two different cloud varieties and traditional data centers. In addition, the migration has spanned several years and is still taking place, so the evolution of their planning process and future roadmap will be discussed.

    Specific topics include:
    · Factors considered when moving to the cloud
    · Major factors affecting the initial and subsequent decisions
    · Information security considerations
    · Applying privacy law in the cloud
    · Managing risk in the cloud
    · Efficiency gains
    · Running cloud concurrently with traditional data centers
    · Tool selection process for a diverse environment
    · Cloud and the remote workforce
    · Lessons learned
    · Future plans and roadmap ahead
  • Ransomware Prevention with a Zero Trust Architecture Recorded: Oct 20 2021 26 mins
    Brad Moldenhauer, Sr. Director, Office of the CISO, Zscaler, Inc.
    The evolving threat landscape requires a different approach to defeating ransomware. Cybercriminals are getting bolder and more sophisticated, and no industry is off-limits. It's time to rebalance the equation in favor of enterprise defenders, with an agile security architecture that automatically learns and adapts to new attacks as they emerge. Join Zscaler Chief Security Officer Brad Moldenhauer as he shares his front-line experience implementing a zero trust architecture to holistically minimize the attack surface, prevent compromise, eliminate lateral movement, and stop data theft to defeat today's most advanced ransomware attacks.
  • The Impact of Cloud on the Landscape of Rapid Change Recorded: Oct 20 2021 34 mins
    Erik Avakian, CISSP, CRISC, CISA, CISM, CGCIO, ITIL v3, Chief Information Security Officer, Commonwealth of Pennsylvania
    The advent of cloud has transformed it from what was once just a buzzword several years ago into the fundamental way that the IT organizations of today and tomorrow support the business objectives and critical operations of the entire organization. Whether public or private sector, all have either made the transition into the cloud or are in some state of change or advancement toward it. During this keynote we'll explore these fundamental changes in IT and how “cloud” has transformed the landscape of rapid change. But with this change come new challenges that organizations face as they make their journey to the cloud, particularly rapid changes in the security threat landscape and the challenges of multi-cloud environments while organizations retain legacy systems. As such, there must be considerations for planning, data protection, risk management, compliance, visibility, regulatory controls, legal implications, and the long-term resiliency of the business during these transitions. We'll explore these challenges and the various solutions that businesses are adopting to manage their cloud environments and to keep costs in line with expectations. We’ll delve into some of the key ways to ensure all teams across the entire organization are working in tandem to keep the entire technical business structure up and running reliably, and explore the long-term and more immediate security and privacy needs to consider, including rapidly evolving threats like ransomware, insider threats, and supply chain risks.
  • North America Welcome Address Recorded: Oct 20 2021 29 mins
    Illena Armstrong, President, CSA
    Session Details to be Announced
  • International Data Transfers and the new Standard Contractual Clauses Recorded: Oct 20 2021 49 mins
    Nathaly Rey, Martim Taborda Barata, Tanya Forsheit, Neil Thacker
    Regulation (EU) 2016/679 – the General Data Protection Regulation, or GDPR – creates a need for organisations seeking to transfer personal data from within the EEA to third countries to implement safeguards which are appropriate to ensure the protection of those data. One common approach to this was for organisations to rely on the Standard Contractual Clauses – a set of European Commission-approved predetermined contractual provisions which would bind non-EEA data importers to rules aligned with European data protection standards. However, the viability of these Clauses to ensure the lawfulness of such transfers has been called into question by recent caselaw of the Court of Justice of the European Union (the infamous “Schrems II” decision). In response, the European Commission has updated the Standard Contractual Clauses, boosting their protections in accordance with the requirements of the GDPR and the mentioned caselaw. In this panel, we will discuss the novel Standard Contractual Clauses with top legal and practical experts, so as to exchange thoughts on their effectiveness in ensuring the protection of transferred data, the difficulties which they present for organisations seeking to make use of them, and whether they still present a reasonable solution for lawful cross-border data transfer in practice.

    Panelists:
    Nathaly Rey, Head of EMEA Data Governance, Google Cloud;
    Martim Taborda Barata, Public Policy & Government Relations, ICT Legal Consulting;
    Tanya Forsheit, Partner, Co-Chair Privacy, Security & Data Innovations Group, Loeb & Loeb LLP;
    Neil Thacker, CISO EMEA, Netskope
  • The Implementation Guidelines for the Cloud Controls Matrix v4 Recorded: Oct 20 2021 68 mins
    Vani Murthy, Ashish Vashishtha, Erik Johnson
    The Cloud Security Alliance has published the Implementation Guidelines for the Cloud Controls Matrix version 4. The CCMv4 Implementation Guidelines are tailored to the security and privacy control specifications of the 17 cloud security domains of the CCM, with their main goal being to provide “how-to” guidance and recommendations in support of their proper implementation.

    Given a certain CCM control specification, the document explains what should be done to effectively implement and monitor a CCM control in alignment to the Shared Security Responsibility Model (SSRM), which specific best practices should be followed, what the specific regulations of reference are, and what the differences are when implementing a control from the SaaS-PaaS-IaaS perspective.

    The CCM Implementation Guidelines are a collaborative product of volunteering subject matter experts within the CCM Working Group, and they are based on the shared experiences of CSPs and CSCs in implementing and securing cloud services when leveraging the CCM controls.

    Speakers:
    Vani Murthy, Senior Information Security and Compliance Advisor, Akamai Technologies at Cambridge
    Ashish Vashishtha, Cybersecurity Sr. Risk Manager, Akamai Technologies at Cambridge
    Erik Johnson, Senior Enterprise Cloud Security Specialist, USA, Federal Reserve Information Technology
  • Understanding Supply Chain Attacks Recorded: Oct 20 2021 24 mins
    Eleni Tsekmezoglou, Expert in Cybersecurity, ENISA
    Even though supply chain attacks have been a cybersecurity concern for many years, there has been a big rise in their number and sophistication in 2020. This trend is continuing in 2021, posing an increasing risk for organizations. Due to the more robust security protection that high-value organizations have put in place, it is more effective for threat actors to move up the supply chain to exploit weak links outside their target’s cyber defences.

    The presentation highlights the key observations and major findings described in the ENISA “Threat Landscape for Supply Chain Attacks” report that was published in July 2021. A mapping and analysis of 24 supply chain attacks is provided, based on incidents identified and reported from January 2020 to early July 2021, along with their classification according to a proposed taxonomy of their key characteristics and techniques. The analysis answers the questions: what are the most common attack techniques used in supply chain attacks, what are the main customer assets that attackers are after, and what is the relationship between the attacks and the assets targeted. A set of recommendations aimed at policymakers and organizations is presented, the adoption of which may increase the overall security posture against supply chain attacks.
  • The Continuous Audit Metrics Catalog Recorded: Oct 20 2021 31 mins
    Max Pritikin, Principal Software Engineer, Cisco Systems
    Cloud providers can take full advantage of continuous auditing once standards and best practices for automated assurance tooling exist. We have translated a subset of CCMv4 controls into quantitative characteristics of the cloud service in the form of ISO/IEC 19086 SLOs. The proposed practices for these metrics highlight interconnections between domains and demonstrate how even a small number of metrics can provide assurance for a large number of security objectives. This approach enables organizations to review and measure practices for effectiveness and supports automated certification and evaluation goals such as those found in CMMC Level 4 and EU-SEC requirements.
  • Practical Preparations for the Post-Quantum World Recorded: Oct 20 2021 59 mins
    CSA Working Group
    Cryptographically significant quantum computers, computers that can break traditional asymmetric cryptography and significantly weaken popular symmetric encryption, will likely appear in the near-term future. If you have digitally stored and/or transmitted secrets you need protected for more than a few more years then you need to begin your post-quantum project now!

    Join this webinar to learn more about CSA Quantum-Safe Security Working Group's latest release titled Practical Preparations for the Post-Quantum World including:
    - Steps organizations can take now to protect long-term secrets
    - Near-term actions to prepare
    - Post-quantum alternatives to current methods
  • CCM “Granular Add-on” & CCM “Concentrated”: Enhancing Cloud Controls Compliance Recorded: Oct 20 2021 64 mins
    Rolf Becker, Ricky Arora, and Simon Hodgkinson
    CCMv4 is a broadly adopted and recognized instrument to assess and certify compliance with a globally standardised set of controls. The European User Group Enterprise & Cloud Data Protection (EuUG), which is joining the Cloud Security Alliance (CSA) as a Special Interest Group, has developed and proposes as an enhancement a more granular add-on of controls, expanding several control domains with specific controls, e.g. addressing augmented data protection requirements resulting from region- or industry-specific regulatory guidance. In addition, the EuUG is working on concentrating cloud controls to facilitate a streamlined assessment and certification of compliance for small and mid-sized XaaS providers without compromising on the trust and assurance level of the assessment results. The EuUG is proposing to develop both instruments and a related assessment service as a CSA Special Interest Group in dedicated work streams and is inviting participation.
  • Zero-Trust: From Buzzword-land to Wake-up-and-do-your-homework Recorded: Oct 20 2021 40 mins
    Daniele Catteddu
    Zero Trust (ZT), a rather simple and powerful approach to cybersecurity, is built on the idea of "trust no one and always verify". Since its inception over 10 years ago, the ZT concept has evolved and matured, and, under the impulse of some recent security breaches as well as government policy changes (e.g. the US executive order), it has come to the attention of a wider audience.

    In this presentation, Daniele Catteddu, CTO at the Cloud Security Alliance (CSA), will provide an introduction to the key principles, tenets, and components of the ZT approach. Daniele will discuss the key steps for the creation of a ZT strategy, and present the CSA's work in the area, namely the Software-Defined Perimeter body of knowledge and the ongoing development of a Zero Trust Architecture training program.
Educational series on cloud computing, security and privacy.
CSA CloudBytes was launched as a webinar series to help us educate the industry on all matters related to the cloud. Our channel is designed to inform our audience about trending topics, new technologies, and latest research. Learn more at cloudsecurityalliance.org. Join the Cloud Security Alliance on LinkedIn and follow us on twitter: @cloudsa

  • Title: Introduction to the Cloud Controls Matrix v4.0
  • Live at: Jul 29 2021 3:15 am
  • Presented by: Lefteris SKOUTARIS (Program Manager, CSA)