
Establishing Cloud Audit Expertise

As the cloud becomes essential to organizational IT strategies, working knowledge of cloud security best practices is crucial. Cloud computing is a radical departure from legacy IT, so IT audits must be significantly altered to provide assurance to stakeholders that their cloud adoption is secure. Traditional IT audit education and certification programs were not developed with an understanding of cloud computing and its many nuances. Developed by CSA and ISACA, the Certificate of Cloud Auditing Knowledge (CCAK) credential and training program fills the need for vendor-neutral, technical training and credentials in cloud auditing. Learn how CCAK prepares you to address the unique challenges of auditing the cloud, ensuring the right controls for confidentiality, integrity and availability, and mitigating the risks and costs of audit management and non-compliance.
Recorded Oct 1 2021 23 mins
Presented by
Ekta MISHRA (APAC Membership Director & Country Manager - India)
  • The Implementation Guidelines for the Cloud Controls Matrix v4 Oct 20 2021 1:30 pm UTC 68 mins
    Vani Murthy, Ashish Vashishtha, Erik Johnson
    The Cloud Security Alliance has published the Implementation Guidelines for the Cloud Controls Matrix version 4. The CCMv4 Implementation Guidelines are tailored to the security and privacy control specifications of the 17 cloud security domains of the CCM; their main goal is to provide “how-to” guidance and recommendations in support of proper implementation.

    Given a CCM control specification, the document explains what should be done to effectively implement and monitor the control in alignment with the Shared Security Responsibility Model (SSRM), which specific best practices should be followed, what the regulations of reference are, and how implementation differs from the SaaS, PaaS and IaaS perspectives.

    The CCM Implementation Guidelines are a collaborative product of volunteering subject matter experts within the CCM Working Group, based on the shared experiences of CSPs and CSCs in implementing and securing cloud services with the CCM controls.

    Speakers:
    Vani Murthy, Senior Information Security and Compliance Advisor, Akamai Technologies at Cambridge
    Ashish Vashishtha, Cybersecurity Sr. Risk Manager, Akamai Technologies at Cambridge
    Erik Johnson, Senior Enterprise Cloud Security Specialist, USA, Federal Reserve Information Technology
  • Understanding Supply Chain Attacks Oct 20 2021 1:00 pm UTC 22 mins
    Eleni Tsekmezoglou, Expert in Cybersecurity, ENISA
    Even though supply chain attacks have been a cybersecurity concern for many years, there has been a big rise in their number and sophistication in 2020. This trend is continuing in 2021, posing an increasing risk for organizations. Due to the more robust security protection that high-value organizations have put in place, it is more effective for threat actors to move up the supply chain to exploit weak links outside their target’s cyber defences.

    The presentation aims at highlighting the key observations and major findings described in the ENISA “Threat Landscape for Supply Chain Attacks” report that was published in July 2021. A mapping and analysis of 24 supply chain attacks is provided based on incidents identified and reported from January 2020 to early July 2021, along with their classification based on a proposed taxonomy of their key characteristics and techniques. The analysis answers the questions: what are the most common attack techniques being used in supply chain attacks, what are the main customer assets that attackers are after and which is the relationship between attacks and assets targeted. A set of recommendations aimed at policymakers and organizations is presented, the adoption of which may increase the overall security posture against supply chain attacks.
  • The Continuous Audit Metrics Catalog Oct 20 2021 12:30 pm UTC 29 mins
    Max Pritikin, Principal Software Engineer, Cisco Systems
    Cloud providers can take full advantage of continuous auditing once standards and best practices for automated assurance tooling exist. We have translated a subset of CCMv4 controls into quantitative characteristics of the cloud service in the form of ISO/IEC 19086 SLOs. The proposed practices for these metrics highlight interconnections between domains and demonstrate how even a small number of metrics can provide assurance for a large number of security objectives. This approach enables organizations to review and measure practices for effectiveness and supports automated certification and evaluation goals such as those found in CMMC Level 4 and EU-SEC requirements.
  • Practical Preparations for the Post-Quantum World Oct 20 2021 11:30 am UTC 31 mins
    Ricky Arora
    Cryptographically significant quantum computers, computers that can break traditional asymmetric cryptography and significantly weaken popular symmetric encryption, will likely appear in the near future. If you have digitally stored and/or transmitted secrets that you need protected for more than a few more years, then you need to begin your post-quantum project now!

    Join this webinar to learn more about CSA Quantum-Safe Security Working Group's latest release titled Practical Preparations for the Post-Quantum World including:
    - Steps organizations can take now to protect long-term secrets
    - Near-term actions to prepare
    - Post-quantum alternatives to current methods
  • Understanding Supply Chain Attacks Oct 20 2021 10:30 am UTC 31 mins
    Eleni Tsekmezoglou, Expert in Cybersecurity, ENISA
    Same session and abstract as the 1:00 pm UTC broadcast listed above.
  • CCM “Granular Add-on” & CCM “Concentrated”: Enhancing Cloud Controls Compliance Oct 20 2021 9:30 am UTC 64 mins
    Rolf Becker
    CCMv4 is a broadly adopted and recognized instrument to assess and certify compliance with a globally standardised set of controls. The European User Group Enterprise & Cloud Data Protection (EuUG), which is joining the Cloud Security Alliance (CSA) as a Special Interest Group, has developed and proposes a more granular add-on of controls that expands several control domains with specific controls, e.g. addressing the augmented data protection requirements that result from region- or industry-specific regulatory guidance. In addition, the EuUG is working on concentrating cloud controls to facilitate a streamlined assessment and certification of compliance for small and mid-sized XaaS providers without compromising the trust and assurance level of the assessment results. The EuUG proposes to develop both instruments and a related assessment service as a CSA Special Interest Group in dedicated work streams and invites participation.
  • Zero-Trust: From Buzzword-land to Wake-up-and-do-your-homework Oct 20 2021 9:00 am UTC 40 mins
    Daniele Catteddu
    Zero Trust (ZT) has now been around for over 10 years. It is a rather simple and at the same time powerful approach to cybersecurity, built on the idea of "trust no one and always verify". Since its first definition the ZT concept has evolved and matured, and under the impulse of some recent security breaches as well as some governmental policy changes (e.g. the US Executive Order) it has come to the attention of a wider audience.

    In this presentation, Daniele Catteddu, CTO at the Cloud Security Alliance (CSA), will provide an introduction to the key principles, tenets and components of the ZT approach, discuss the key steps for the creation of a ZT strategy and finally present CSA's work in this area, namely the Software Defined Perimeter body of knowledge and the ongoing development of a Zero Trust Architecture training program.
  • Securing Public Cloud Usage by Default Oct 20 2021 8:30 am UTC 14 mins
    Bogdan Ionita, Systems Design/Architecture Engineer, Adobe
    As more and more of us migrate our business to the cloud, nothing is more important than safeguarding that infrastructure, especially with the steadily increasing number of threats. For example, one recent study notes that hackers attack every 39 seconds, on average 2,244 times a day. In addition to the potential security issues, not having clear visibility into your public cloud usage by development and other teams can cause servicing costs to needlessly explode. This is especially true as more and more of us invest in multi-cloud, multi-platform environments.

    At Adobe, one of the primary ways we scale our efforts is through automation. This is an effective way to monitor our infrastructure and detect security drift. We term our approach here as ‘securing the public cloud by default.’ Our approach is designed to detect security gaps during provisioning and help prevent teams from creating insecure cloud resources. This effort has also helped us get more visibility into how we are using public cloud resources across the company so that we can optimize our usage costs.

    In this session, Bogdan Ionita will talk about the security and visibility issues possible as public cloud usage continues to increase, best practices you can use to develop your own strategy for tackling these issues, and examples from our own approach that may be helpful as you work to address the issues.
  • Panel Discussion: Perspectives on Cloud Usage as a CII Oct 20 2021 7:15 am UTC 42 mins
    Arun Vivek IYER; Steven SIM; Dr. Eiji Sasahara; Dr. Hing-Yan LEE
    When you think of national critical infrastructure, electricity distribution grids, transportation networks, banking systems, bridges, power plants, water filtration plants, airports, etc. come to mind. What about the clouds? With billions of people confined to their homes during the COVID-19 pandemic, the concept of "critical infrastructure" needs to be extended. To the traditional list, we may need to add cloud-based web conferencing (think Zoom, Webex, & Skype), online financial services, telehealth services, e-commerce, online delivery, and more.

    Cloud computing has come a long way since it came onto the scene some 15 years ago. An IDC study in October 2020 revealed that the total spending on cloud infrastructure has exceeded that on traditional IT on-premise infrastructure for the first time. A CIO magazine article dated April 2021 shared that CIOs have moved most, if not all, their IT to the cloud. During the pandemic outbreak, many enterprises have pivoted to the cloud; there has been increased cloud usage and greater cloud adoption.
  • Secure Connection Requirements of Hybrid Cloud Oct 20 2021 6:30 am UTC 41 mins
    Narudom Roongsiriwong, SVP, Senior Cloud Architect, Digital Innovation and Data Group, Bank of Ayudhya
    Hybrid cloud environments provide enterprises with diverse resources to run different workloads depending on the Cloud Service Customer (CSC) needs. On one hand, enterprises can quickly use innovative services, deploy Internet applications, and provide optimal performance through public clouds. On the other hand, the security and reliability of the private cloud can be used to run core applications in the local data center. Hybrid clouds are therefore becoming an essential enterprise cloud model that allows a best-of-both-worlds approach.

    The hybrid deployment forms a diverse connected ecosystem. Data and applications flowing between clouds pose new security challenges as each cloud platform is proprietary and managed independently by Cloud Service Providers (CSPs) such as AWS, Microsoft, and Google. To successfully secure this unique and complex landscape, the enterprise should develop and employ cross-cloud security capabilities in these four areas: perimeter, transmission, storage, and management security.

    This presentation describes the applicability of the CSA Cloud Controls Matrix (CCM) to the hybrid cloud.
  • Understanding Cloud Computing Standards Oct 20 2021 5:45 am UTC 34 mins
    Dr. David Ross, Chair, CSA Australia Chapter & Managing Consultant, Telstra Purple
    Many cloud service users are aware of some of the international Cloud Computing standards, such as: ISO/IEC 17788:2014 Information technology — Cloud computing — Overview and vocabulary, which is referenced in the CSA’s own Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 and the companion ISO/IEC 17789:2014 Information technology — Cloud computing — Reference architecture, or even ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. However, few cloud service users are truly aware of the full range of international standards available to harmonise the use of cloud computing services around the globe.

    This presentation informs the audience on the topics, content and use of the many available Cloud Computing standards, including how to obtain a number of these standards from the ISO’s free standards list, and provides a preview of the emerging work being developed for Cloud Computing users by the ISO/IEC Joint Technical Committee’s Sub-Committee on Cloud Computing and Distributed Systems, including a brand new definitive reference for cloud computing, providing an updated and consolidated cloud computing vocabulary, with terminology, definitions & concepts, Auditing Cloud Services, and Multi-cloud and other interoperation of multiple cloud services.
  • Risks and Opportunities in Data Governance and Data Management Oct 20 2021 5:00 am UTC 30 mins
    May Ann Lim, Executive Director, Asia Cloud Computing Association
    As countries and organisations grow in cloud technology maturity, there is an increasing need to understand and map out the nuances of data governance and data management, such as the need for data classification mechanisms, and the requirement to update technology and management policies to suit a cloud computing environment. Systems are also becoming increasingly complex, and yet there is a demand for more strongly integrated services. This presentation will share observations on data governance strategies observed in the market, and establish a possible methodology for organisations to think through what data management policies they could need to create and put in place, restructure, or re-configure.
  • Future Standards will be Functional Oct 20 2021 4:15 am UTC 29 mins
    Ronald Tse, CEO, Ribose & Co-Chair, CSA DevSecOps Working Group
    Standards today are published in document formats that do not lend themselves to machine readability or automated compliance. In this session, we present a rethinking of how standards are understood: the process and data requirements in a standard can be expressed in a multi-modal model for machine execution.
  • Towards a Better Level of Protection of Personal Data Oct 20 2021 3:30 am UTC 24 mins
    Riwzi WUN, Partner, RHTLaw Asia, Singapore
    Against the backdrop of the growing importance of data protection and cybersecurity in the New Normal, many countries in Asia have existing laws for personal data protection, but is enough being done? Harmonisation of laws could pave the way for better cooperation between countries. To be more effective, it is important to have good interoperability processes or mechanisms between sovereign states. We need to explore ways to cooperate more seamlessly on the enforcement of data protection laws (or the local equivalent) to improve the standard of protection. This level of cooperation within Asia could be extended to regions beyond Europe and the US, such as the Middle East, Africa and South America.

    In this regard, could Data Sovereignty also provide a partial solution to cybersecurity?
  • The Power of AND Oct 20 2021 2:45 am UTC 22 mins
    Stephanie HUNG, SVP Cloud Business, Mission Software and Services, Digital Systems, ST Engineering
    Accelerating cloud adoption for the enterprise while achieving security compliance, cloud asset protection, automation and continuous operations.

    We live in a connected world with an increasing pace and frequency of disruption. The COVID-19 pandemic was a compelling event that forced many organizations to turn to digital technologies to maintain certain levels of business activity. Digital technologies will constitute a critical element of business continuity and organizational resilience to sudden external shocks. Many organizations look to cloud technology as an enabler for this transformational capability: how businesses create value, how people work and ultimately how people live. In cloud environments, IT support is automated and provided as a service, with the latest digital technologies available to support functions, software, platform and infrastructure as a service. Cloud providers are continuously becoming more sophisticated when it comes to cybersecurity protection. However, we have seen cyber attacks on cloud systems spike 250% from 2019 to 2020. Data breaches are 3 times more likely to happen in the cloud. 99% of cloud breaches will be the customer's fault through 2025. In this Power of AND, we share why organizations can accelerate cloud adoption AND at the same time strengthen their cyber security risk management capabilities, data and privacy protection, business continuity and operational resilience under disruption.
  • Are We Having Second Thoughts of Migrating to Cloud? Oct 20 2021 2:00 am UTC 19 mins
    Ramesh Narayanaswamy, CTO, Aditya Birla Capital
    This session will discuss the challenges that still exist in cloud migration and how to overcome them.
  • Welcome Address & Data Provenance and Cloud Security: Challenges & Opportunities Oct 20 2021 1:00 am UTC 44 mins
    Jim REAVIS, Dr. Hing-Yan LEE & Prof. Ryan KO
    Opening Address
    Jim REAVIS (CEO & Co-Founder, CSA)

    Welcome Remarks
    Dr. Hing-Yan LEE (EVP APAC, CSA)

    Data Provenance and Cloud Security: Challenges & Opportunities
    Prof. Ryan KO (Chair & Director, UQ Cyber Security, University of Queensland, Australia)

    At the heart of all cyber and cloud security attribution challenges is the problem of data provenance tracking and its reconstruction. In this talk, I will cover past, present and developing provenance research in computer science, and cover its relation and usefulness to accountability, traceability, trust, forensics and proactive cloud and cyber security. It will feature some of the cloud data provenance research I have conducted in the past decade, discuss unsolved (or seemingly unsolvable) problems, and discuss some of the recent developments in academia, industry, and international standards.
  • Cloud Imposter: Using SSO to Stage a SaaS Invasion Oct 19 2021 5:00 pm UTC 60 mins
    Tyler Miller, Cloud Security Architect, Varonis
    Cyber Attack Workshop:
    Watch our attacker perform a sneaky spear-phishing attack to take over an admin’s account and impersonate high-profile users with a built-in SSO feature.

    Our imposter will steal hundreds of sensitive HR docs from the company’s Google Workspace, create hidden backdoor links, and jump over to Box to exfiltrate customer contracts.

    How the attack works:
    - Pre-attack recon to figure out who will be an easy target
    - Bypass MFA using an advanced phishing technique
    - Export the org’s Google Workspace user list
    - Impersonate the VP of HR, access her Google Workspace, and steal employee data
    - Create hidden sharing links to external Gmail accounts as a backdoor
    - Take over a Box super admin account
    - Exfiltrate data using a custom public sharing URL

    After the simulation, we will show you how proactive policies and cross-cloud investigation features can detect and prevent this type of attack.
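The "Securing Public Cloud Usage by Default" session above describes detecting security gaps during provisioning so that teams cannot create insecure cloud resources. As an added example that is not part of this listing and not Adobe's tooling, the Python below scores resource definitions against a small baseline policy and returns an admission decision. The resource layout, the rule identifiers and the severities are constructed assumptions standing in for whatever your IaC plan or provisioning API actually emits.

```python
"""Pre-provisioning guardrail: score resource definitions against a baseline
policy before they are created and block the ones that fail.

Added example for the 'Securing Public Cloud Usage by Default' abstract; it is
not Adobe's tooling. The resource layout, rule identifiers and severities are
constructed assumptions, standing in for whatever your IaC plan or provisioning
API produces."""
from ipaddress import ip_network

SENSITIVE_PORTS = {22, 3389}  # assumption: admin ports that must never be world-open


def _open_to_world(rule):
    """True when an ingress rule admits the whole internet (a /0 CIDR)."""
    try:
        return ip_network(rule.get("cidr", "")).prefixlen == 0
    except ValueError:
        return False


def _bucket_checks(props):
    if props.get("public_access_block") is not True:
        yield "STORAGE-001", "high", "public access block not enabled"
    if props.get("acl", "private") != "private":
        yield "STORAGE-002", "high", f"non-private ACL {props['acl']!r}"
    if not props.get("encryption"):
        yield "STORAGE-003", "medium", "server-side encryption not configured"


def _sg_checks(props):
    for rule in props.get("ingress", []):
        if not _open_to_world(rule):
            continue
        port = rule.get("port")  # None means all ports
        if port is None or port in SENSITIVE_PORTS:
            yield "NET-001", "high", f"world-open ingress on port {'all' if port is None else port}"
        else:
            yield "NET-002", "low", f"world-open ingress on port {port}"


def _db_checks(props):
    if props.get("publicly_accessible"):
        yield "DB-001", "high", "database reachable from the internet"
    if not props.get("encryption"):
        yield "DB-002", "medium", "storage encryption not configured"


CHECKS = {
    "storage_bucket": _bucket_checks,
    "security_group": _sg_checks,
    "database": _db_checks,
}


def evaluate(resources):
    """Return (resource name, rule id, severity, message) for every violation.
    Unknown resource types are flagged rather than silently allowed."""
    findings = []
    for res in resources:
        checker = CHECKS.get(res["type"])
        if checker is None:
            findings.append((res["name"], "POLICY-000", "medium",
                             f"no policy for type {res['type']!r}"))
            continue
        for rule_id, severity, msg in checker(res.get("props", {})):
            findings.append((res["name"], rule_id, severity, msg))
    return findings


def gate(resources, block_at=("high",)):
    """Admission decision: True lets provisioning proceed, False blocks it."""
    return not any(sev in block_at for _, _, sev, _ in evaluate(resources))


# Constructed sample plan (not a real deployment).
SAMPLE_PLAN = [
    {"name": "hr-exports", "type": "storage_bucket",
     "props": {"acl": "public-read", "public_access_block": False}},
    {"name": "bastion-sg", "type": "security_group",
     "props": {"ingress": [{"cidr": "0.0.0.0/0", "port": 22},
                           {"cidr": "10.0.0.0/8", "port": 443},
                           {"cidr": "0.0.0.0/0", "port": 443}]}},
    {"name": "payroll-db", "type": "database",
     "props": {"publicly_accessible": False, "encryption": "kms"}},
    {"name": "logs", "type": "storage_bucket",
     "props": {"acl": "private", "public_access_block": True, "encryption": "aes256"}},
]

if __name__ == "__main__":
    for name, rule_id, sev, msg in evaluate(SAMPLE_PLAN):
        print(f"{sev:6} {rule_id:11} {name}: {msg}")
    print("provision:", "ALLOW" if gate(SAMPLE_PLAN) else "BLOCK")
```

The point of wiring this in front of provisioning rather than after it is that a blocked resource never exists to be drifted into; unknown resource types are deliberately flagged so that a new service cannot bypass the policy simply by having no rule yet.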
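The "Cloud Imposter" workshop above ends by promising that proactive policies and cross-cloud investigation can detect the chain it demonstrates. As an added example that is not part of this listing and not Varonis' product, the Python below runs that hunt over constructed Drive-style audit events: it isolates actions taken while an admin was impersonating another user, sharing changes that expose documents outside the tenant (the hidden-link backdoor), and bulk downloads, then correlates them to name the impersonating admin. The record layout is a constructed simplification, not Google Workspace's real audit schema, and the organisation domain and download threshold are assumptions.

```python
"""Hunt for the Cloud Imposter chain (admin impersonates a user -> external
share links as a backdoor -> bulk download) over Drive-style audit events.

Added example, not Varonis' product nor Google Workspace's real audit schema:
the record layout below is a constructed simplification, and the organisation
domain and bulk-download threshold are assumptions to tune to your tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"                  # assumption: the tenant's own domain
BULK_DOWNLOAD_THRESHOLD = 5                 # assumption: tune to the user's baseline
BULK_WINDOW = timedelta(minutes=10)

FIELDS = ("ts", "actor", "impersonated_by", "event", "doc", "target")

# Constructed sample events (not real logs). 'impersonated_by' is the admin who
# assumed the actor's identity via SSO impersonation; 'target' is the share
# recipient or link visibility for change_user_access events.
_RAW = [
    ("2021-10-19T16:40:00", "alice@example.com", None, "change_user_access",
     "Finance/q3.xlsx", "bob@example.com"),
    ("2021-10-19T16:45:00", "alice@example.com", None, "download", "Finance/q3.xlsx", None),
    ("2021-10-19T17:02:11", "vp.hr@example.com", "it.admin@example.com", "view",
     "HR/offer-letters.xlsx", None),
    ("2021-10-19T17:03:40", "vp.hr@example.com", "it.admin@example.com", "change_user_access",
     "HR/offer-letters.xlsx", "throwaway.mail@gmail.com"),
    ("2021-10-19T17:04:05", "vp.hr@example.com", "it.admin@example.com", "change_user_access",
     "HR/salary-bands.docx", "anyone_with_link"),
] + [
    (f"2021-10-19T17:{5 + i:02d}:00", "vp.hr@example.com", "it.admin@example.com",
     "download", f"HR/employee-{i}.pdf", None)
    for i in range(6)
]
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in _RAW]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_external(target, org_domain=ORG_DOMAIN):
    """A share target is external when it is a link visibility (no '@') or an
    address outside the organisation's domain."""
    if not target:
        return False
    if "@" not in target:
        return True
    return target.rsplit("@", 1)[1].lower() != org_domain.lower()


def external_shares(events, org_domain=ORG_DOMAIN):
    """Sharing changes that expose a document outside the tenant (the backdoor step)."""
    return [e for e in events
            if e["event"] == "change_user_access" and is_external(e["target"], org_domain)]


def impersonated_actions(events):
    """Actions performed while an admin was acting as someone else."""
    return [e for e in events if e["impersonated_by"] and e["impersonated_by"] != e["actor"]]


def bulk_downloads(events, threshold=BULK_DOWNLOAD_THRESHOLD, window=BULK_WINDOW):
    """Actors with >= threshold downloads inside any sliding window; returns actor -> peak count."""
    per_actor = defaultdict(list)
    for e in events:
        if e["event"] == "download":
            per_actor[e["actor"]].append(_ts(e))
    hits = {}
    for actor, times in per_actor.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[actor] = best
    return hits


def hunt(events=SAMPLE_EVENTS):
    """Correlate the three signals and name the admins whose impersonation
    sessions produced an external share or a bulk download."""
    imp = impersonated_actions(events)
    ext = external_shares(events)
    bulk = bulk_downloads(events)
    suspects = sorted({e["impersonated_by"] for e in imp if e in ext or e["actor"] in bulk})
    return {"impersonated_events": len(imp), "external_shares": len(ext),
            "bulk_downloads": bulk, "suspects": suspects}


if __name__ == "__main__":
    for key, value in hunt().items():
        print(f"{key}: {value}")
```

Each signal on its own is noisy (users share externally and download in bursts for legitimate reasons); the useful alert is the correlation, which is why the impersonation session, not the impersonated user, is the pivot, and why a single-tenant hunt like this should be extended to the Box side to catch the second hop the workshop describes.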
Educational series on cloud computing, security and privacy.
CSA CloudBytes was launched as a webinar series to help us educate the industry on all matters related to the cloud. Our channel is designed to inform our audience about trending topics, new technologies, and latest research. Learn more at cloudsecurityalliance.org. Join the Cloud Security Alliance on LinkedIn and follow us on twitter: @cloudsa


  • Title: Establishing Cloud Audit Expertise
  • Live at: Oct 1 2021 8:15 am
  • Presented by: Ekta MISHRA (APAC Membership Director & Country Manager - India)