Name: Governance, Risk Management and Compliance
Start: 2024-11-04T11:07:00Z
End: 2024-11-04T11:07:16.000Z
Location: BrightTALK

CSA CloudBytes was launched as a webinar series to help us educate the industry on all matters related to the cloud. Our channel is designed to inform our audience about trending topics, new technologies, and latest research. Learn more at cloudsecurityalliance.org.  Join the Cloud Security Alliance on LinkedIn and follow us on twitter: @cloudsa

Security teams are drowning in data. Alerts, findings, metrics, dashboards — all technically “useful,” yet often failing to answer the most important question: what actually matters right now, and why? As artificial intelligence becomes more accessible across security programs, many organizations are experimenting with AI-driven tooling in the hope that it will bring clarity. But used inefficiently, AI can often amplify existing problems rather than solving them.

This discussion explores how AI is reshaping data-informed security decision-making — not as a silver bullet, but as a force multiplier that depends heavily on human judgment, context, and intent. We’ll examine why most AI in use today more closely resembles advanced machine learning than true autonomous intelligence, and why outcomes are still largely driven by the quality of inputs, assumptions, and program maturity.

Through an operational and security lens, the speakers will unpack how teams can move from raw signal volume to meaningful narratives that support better prioritization and risk decisions. We’ll discuss common failure modes, including over-reliance on automation, misinterpreted insights, and resistance from skeptical stakeholders. The conversation will also address how organizations can responsibly incorporate AI into existing security workflows without compromising trust, transparency, or accountability.

To ground the discussion, we’ll walk through a practical vulnerability management example, illustrating how an AI assistant can help surface recommendations that improve efficiency and decision quality — while still keeping humans firmly in control of outcomes. Ultimately, this session aims to help security leaders separate signal from noise, hype from value, and automation from understanding as they navigate an evolving AI landscape.

From Noise to Narrative: How AI Is Reshaping Data-Informed Security Decisions

AI agents are rapidly becoming the most powerful “users” inside the enterprise. They provision infrastructure, move data, and call APIs with broader and more persistent access than human employees, yet they operate outside traditional safety nets. Unlike human access, there is currently no clear ownership, no certification process, and no accountability model for these machine identities.

In this session, we examine how agentic AI has quietly broken the assumptions identity governance (IAM/IGA) was built on. We will explore:

-The Velocity Gap: Why traditional controls fail at machine speed.
-Inherited Risk: How AI agents bypass oversight by inheriting "ghost" permissions.
-The Auditor’s Dilemma: The uncomfortable question CISOs will soon face from boards: “Who approved this access, and who is accountable for what the AI actually did?”.

Your AI Agents Have More Access Than Your Employees. No One Is Accountable

As AI adoption accelerates across organizations, traditional security approaches focused solely on license management and non-human identities are missing the bigger picture. This webinar explores a comprehensive framework for AI security that recognizes the full spectrum of AI identities in your environment, from AI users and builders to AI agents, and provides actionable strategies for discovery, protection, and defense.

We'll examine how AI security can be looked at through an identity security lens and demonstrate how runtime intelligence reveals dramatically more AI usage than static configuration approaches. Attendees will learn practical methodologies for inventorying their complete AI footprint, identifying risky access patterns, and implementing high-fidelity detection capabilities that enable faster SOC response.

Key Takeaways:
- Understand the three critical categories of AI identities: users, builders, and agents
- Learn why runtime detection reveals 5x more AI activity than static license tracking
- Discover how to identify shadow AI usage and over-privileged AI identities
- Implement a governance framework aligned with NIST AI security guidelines
- Build detection strategies that go beyond traditional NHI approaches

AI Users, Builders, and Agents: Securing the Next Generation of Identities

AI adoption in the cloud is surging, with over 70% of organizations using managed AI services—but security risks are growing just as fast. This latest report uncovers key trends, including the rapid rise of DeepSeek, widespread AI experimentation, and critical security gaps that organizations must address now.

AI Series: The State of AI in the Cloud

The cloud has redefined what is possible in technology, enabling organizations to move faster, scale effortlessly, and innovate without boundaries. Yet the cloud’s defining qualities of speed, scalability, and elasticity have outpaced traditional security models that were built for static, on-premises environments rather than dynamic digital ecosystems. The next phase of cloud security requires a mindset shift that embraces the cloud’s speed, scale, and ephemeral nature as the foundation of a more adaptive and intelligent defense strategy. 

This session explores the next stage in the evolution of cloud security, moving from fragmented visibility and static configuration checks toward real-time insight, automated investigation, and adaptive response. Attendees will learn how automation and AI can help teams embrace the ephemeral nature of the cloud, gaining clarity and control without slowing innovation. 

Participants will gain practical insight into assessing cloud security maturity, identifying visibility gaps, and understanding how intelligent automation enables security teams to analyze activity across thousands of assets, reconstruct events within minutes, and make faster, more confident decisions. We will also discuss how different layers of security, including posture management, threat detection, and incident response, work together to deliver a unified, adaptive approach to securing modern environments. 

The session will inspire participants to view the cloud’s dynamic nature as an opportunity to transform it into an ally in defense, rather than a source of endless complexity.

Redefining Cloud Security in the Era of AI and Automation

Security operations are entering a new era, where AI doesn’t just automate tasks, but understands context, collaborates, and learns. The foundation of this evolution is the Agentic System: a connected network of AI entities designed to make coordinated decisions in complex environments.

In this session, we’ll break down what an agentic system truly is—from its core components to how they operate in a dynamic security operations center. We’ll explore the architecture behind agentic personas, skills, tools, and memory, and show how their interplay leads to faster, smarter, and more predictive defense.

Through practical examples and security-specific use cases, you’ll see how agentic systems are transforming the way teams detect, analyze, and respond to threats, and how to start thinking about building agentic principles into your own environment.

Key Takeaways:
- What defines an Agentic System and why it represents a new model for SecOps
- What makes up an agentic persona and how they can collaborate for a greater outcome.
- How skills, tools, and memory operate in real-time as an agentic system and why this beats standalone automation.
- The outcomes agentic systems can deliver — speed, precision, foresight, and scalability
- Real-world examples of how agentic architectures are reshaping modern security operations

The Anatomy of an Agentic AI System: Understanding the Architecture Behind Faster, Smarter, and Predictive Security

The Cloud Security Alliance recently released the first independent benchmark study of AI agents in the SOC. With 148 analysts across two investigation scenarios, the study delivered hard evidence on how AI makes analysts faster, more accurate, and more consistent.

Hear from CSA CEO Jim Reavis, former Robinhood CISO Caleb Sima, and Dropzone AI CEO Edward Wu as they unpack the results for SOC leaders deciding how to adopt AI today.

What you’ll learn:

• What the data really shows about AI-augmented analysts’ performance in accuracy, speed, and consistency
• Where AI delivers the most value in the SOC today, from Tier 1 triage to Tier 2 investigations
• How analysts felt about AI after hands-on use—and why 94% said their opinion of AI improved
• What SOC leaders should do next to turn research insights into operational advantage

AI in the SOC: Expert Perspectives on the CSA Benchmark Study

As of May 2024, the Wiz Research team has analyzed over 200 cloud security incidents, identified 65 threat actors, and tracked 155 attack techniques alone. With cloud adoption on the rise, security teams now need to understand the threat landscape to stay ahead of evolving risks. Watch the Wiz Research team's insights in this on-demand webinar, featuring an in-depth look at today’s cloud landscape, the latest industry trends, and the most notable threats, including: 
- Who’s targeting the cloud 
- The top 5 most common cloud threats 
- What your organization should prioritize today

How to Find Your Most Critical Risks in the Cloud

MCP servers serve as the backbone that enables AI agents to access the tools, data, and context they need to operate.

By connecting these agents to everything from internal APIs and databases to third-party SaaS systems, MCP turns isolated AI models into fully capable, action-driven agents.

New research by Astrix Security analyzed more than 5,200 open-source MCP servers and surfaced systemic risks:
1. 53% rely on static API keys or PATs
2. Only 8.5% use OAuth applications
3. 79% pass keys via simple environment variables

In this webinar, we will unpack the data, methodology, and what it means for your attack surface.

To help tackle these challenges, Astrix introduces its new open-source MCP Secret Wrapper, a practical way to eliminate hardcoded credentials by fetching secrets from a vault at runtime.

In this session, you will learn how to apply the wrapper for quick wins, how to enforce least-privilege and short-lived access at scale, and how to align with compliance without slowing down your teams.

State of MCP Server Security 2025: What 5,200 Servers Reveal, and the Open-Source Fix You Can Use Today

“What do we actually own in the cloud?” It’s a question security leaders ask every day—yet answers are rarely clear. 

In today’s cloud-driven world, assets, identities, and resources change faster than manual tracking can keep up, creating critical blind spots that attackers can exploit through misconfigurations or overprivileged accounts. For security operations, this speed demands an equally fast response. However, legacy asset management and siloed security tools often fall short, leaving gaps in visibility and costing precious minutes during detection and response.

Join us to see how modern SecOps can outpace attackers by unifying on-prem and cloud telemetry, identifying exposures inside and outside their firewall, and leveraging agentic AI and automation throughout detection, investigation, and response—ensuring cloud blind spots never become entry points.

Key Learnings:
• Why legacy asset management and manual processes can’t keep up with the speed of cloud
• The real risks behind inaccurate cloud inventories, invisible SaaS assets, and cloud exposures
• How AI and automation enable continuous discovery, faster detection, and smarter response in cloud security operations

Cloud Asset Blind Spots: Closing Gaps Before They're Exploited

You’re juggling multiple endpoints. Your remote workforce is creating security gaps. And identity attacks jumped 442% last year alone. In this webinar, you'll hear from Jason Kikta (CISO/SVP, Product at Automox) and Dmitri Alperovitch (Automox Chairman of the Board, co-founder of Crowdstrike) discuss pressing security concerns and real solutions, like:
- What’s actually happening in the current threat landscape
- How autonomous endpoint management eliminates security gaps
- Where Automox is headed next (Spoiler alert: It’s game-changing.)

State of Cybersecurity: A Reality Check

Every day, another AI “agent” for security operations emerges: a playbook runner, a data enricher, a script executor. But stitching together a few task-specific bots doesn’t solve the complex problems facing the SOC—it exacerbates them. On the other side, there’s this promise of an “Autonomous SOC” leveraging agents, but these generic systems don’t have the best understanding or oversight about your environment.

In this webinar, we’ll explore a more effective evolution: Autonomous, role-based, agentic AI personas. Join ReliaQuest President of Field Operations Colin O’Connor, ReliaQuest CTO Joe Partlow and guest speaker Forrester Principal Analyst Allie Mellen for a forward-looking conversation that cuts through the noise to uncover how agentic teammates reframe what’s possible for AI in the SOC. 

In this webinar, you'll learn:
• What distinguishes a task-based agent from a true teammate—and why that matters 
• The architecture of a hybrid human + AI SOC (and what it’s not: autonomous) 
• How to evaluate when to use agentic teammates—and when not to 
• What a future-ready operating model looks like in live use-case walkthroughs

The Case for Agentic Teammates: Moving Beyond Task Bots

The 2025 Identity Automation Crisis: What 500+ Leaders Exposed
Enterprises have never had more identity tools—SSO, password managers, privileged access controls, and governance platforms. On paper, the identity stack looks mature. But beneath the surface, a critical problem persists: the last mile of identity still runs on manual execution.

The new 2025 Identity Automation Gap Report, based on insights from 500+ IT and security leaders, shows just how wide the gap really is:
• 58% of former employees keep access to systems after leaving
• 41% still share passwords manually (yes, spreadsheets)
• Fewer than 4% of enterprises have fully automated core identity workflows

Join Matt Chiodi, CSO at Cerby, and Aaron Turner, Faculty at IANS, as they unpack what the data reveals and share practical ways to:
• Spot and close your biggest identity blind spots
• Extend automation to disconnected apps (without ripping out your stack)
• Turn manual execution into automated protection that’s secure, scalable, and resilient

The 2025 Identity Automation Crisis: What 500+ Leaders Exposed

The transformative power of AI is undeniable, yet unlocking its full potential requires enterprises to secure their enterprise data to safely scale AI systems. Building trustworthy AI Assistants and Agents necessitates a comprehensive understanding of your organization's data landscape – especially unstructured data – coupled with fine grained access controls to protect against accidental leakage of sensitive data, clever cyber attacks and inappropriate internal access.

Join Nikhil Girdhar from Securiti and Shanmugam Kandaswamy from AWS  as they discuss how to apply Securiti DSPM to accelerate the safe deployment of enterprise AI assistants and agents with Amazon Q Business. Gain technical insights on how to establish proactive data security and governance, and mitigate emerging AI risks, such as OWASP Top 10 for LLMs.

Attendees will learn how to:

• Create comprehensive Data+AI mapping with full data lineage and provenance
• Prevent unintended data access by users of AI Assistants by enabling stronger data access controls
• Mitigate emerging AI risks such as prompt injections and sensitive data exposure
• Improve the efficacy of AI responses by minimizing redundant, obsolete, and trivial (ROT) data

From Data to Deployment: Safeguarding Enterprise AI with Security and Governance

Conquering Cloud Security Pain Points addresses the critical security challenges enterprises face in the cloud. The agenda includes a discussion of the promise versus the reality of cloud security and a deep dive into six key pain points. The session will also present strategic approaches to overcome these challenges, such as fostering unified visibility and control, implementing consistent policy enforcement, and streamlining security change workflows. The presenter, David Geffen, CMO at AlgoSec, will also cover achieving continuous compliance, bridging the cloud security expertise gap, and embracing proactive risk prevention. The presentation concludes with key takeaways and next steps for a holistic security strategy.

Conquering Cloud Security Pain Points

Securing your organization is no longer just an IT issue; it's a financial necessity. This webinar explores how identity security can help companies reduce global cyber losses by billions. We'll discuss how these findings are reshaping corporate budgets and influencing how insurers assess risk.

Key Takeaways
• Financial Impact: Learn how strong identity security directly reduces your financial exposure to cyber threats.
• Evolving Threats: Discover how the changing the threat landscape and the security strategies needed to combat it.
• Actionable Advice: Get practical guidance on where to start with identity security and how executives can use this data to justify critical investments.

Join us to learn how to turn identity security from a cost into a competitive advantage.

From Risk to ROI: The business case for identity security

Generative AI tools like ChatGPT are rapidly being adopted across enterprises to drive efficiency, but they come with real and immediate security implications.

Recent studies show that 15% of employees are pasting data into GenAI tools, and 1 in 3 are unknowingly sharing sensitive information. These behaviors create a new layer of risk: inadvertent data leaks, compliance violations, and exposure of confidential assets.

As a result, most organizations face a blunt choice: block GenAI entirely or allow it unchecked. Neither option is valid in today’s world. But GenAI security and productivity shouldn’t be an “either-or” choice.

In this webinar, LayerX security leaders will break down how to secure GenAI usage without sacrificing its value. You’ll get a clear understanding of how these tools are being used, what risks they create, and what practical steps you can take to mitigate them.

Register for this webinar to learn:
• Industry Insights: See how and where GenAI is being used across the enterprise—by whom, for what, and how often.
• Risk Breakdown: Learn what kinds of sensitive data are being exposed, and what that means for your security and compliance posture.
• Protective Actions: Walk away with specific policies, controls, and tools to reduce risk while enabling safe GenAI adoption.
• Real World Lessons: Hear how leading security teams are addressing these challenges in real-world environments.

Whether you’re a CISO, a security architect, or part of the compliance team, this session will give you clear, actionable guidance to secure your organization’s GenAI usage—before it becomes a problem.

Register now and take control of GenAI security before it takes control of you.

Preventing GenAI Data Leakage: Enabling Innovation Without Compromising Security

This webinar offers cloud network security experts an in-depth look at the paradigm shift from traditional perimeter-based security to a modern application-centric approach. Discover why conventional data center security models, relying on static policies and firewalls, are ill-suited for the dynamic nature of cloud environments, which are characterized by the explosive growth of IaaS, PaaS, and SaaS. We will explore the critical challenges posed by vanishing perimeters, lack of visibility into cloud environments, and the complexities of securing highly dynamic resources like VMs, containers, and microservices. The session will detail the core principles of application-centric security, including achieving granular visibility into application dependencies, implementing Zero Trust frameworks with verification and validation checkpoints, and leveraging microsegmentation for enhanced isolation. Furthermore, learn how automation and orchestration are essential for consistent policy enforcement, faster response times, and increased efficiency in managing cloud security at scale across diverse multi-cloud and hybrid infrastructures.

The Evolution of Cloud Network Security: From Silos to Service-Centricity

In this presentation we introduce the Data Center Security (DCS) domain, which consists of fifteen control specifications essential for Cloud Service Providers (CSPs) to secure the physical infrastructure and environment hosting Cloud Service Customers' (CSCs) data and applications. This domain focuses on protecting physical assets, such as infrastructure and equipment, from security threats like unauthorized access and environmental hazards.

According to the Shared Security Responsibility Model (SSRM), CSPs are exclusively responsible for securing the datacenter’s physical infrastructure, managing environmental controls, and ensuring overall facility security. While CSCs are not directly responsible for these aspects, they should verify CSPs’ compliance with DCS controls, especially within the Audit and Assurance (A&A) domain.

This presentation will provide insights into how effective physical security measures are key to maintaining a safe and compliant cloud physical infrastructure.

Datacenter Security

In this presentation we focus on the Logging and Monitoring domain, which includes thirteen control specifications that help both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) collect, store, analyze, and report on activities and events in their cloud environments. These controls are essential for detecting and responding to security incidents, addressing operational issues, identifying system anomalies, complying with regulatory requirements, auditing security controls, and improving overall security posture and performance.

Under the Shared Security Responsibility Model (SSRM), both CSPs and CSCs share responsibilities for implementing logging and monitoring controls. CSPs are typically responsible for logging and monitoring the underlying cloud infrastructure, such as network and system operations. CSCs, on the other hand, manage logging and monitoring within their deployed applications and services to ensure their specific security needs are addressed.

This presentation will help you understand how the implementation of logging and monitoring controls ensures enhanced visibility, accountability, and transparency of cloud operations. These practices are essential for identifying and mitigating security risks, optimizing cloud usage and performance, and maintaining secure, efficient, and compliant cloud environments.

Logging and Monitoring

In this presentation we explore the Interoperability and Portability (IPY) domain of the Cloud Control Matrix (CCM), which comprises four control specifications aimed at ensuring secure and seamless data exchange across multiple platforms and Cloud Service Providers (CSPs). These controls help Cloud Service Customers (CSCs) avoid vendor lock-in and foster an environment where interoperability and portability are not limited by security concerns.

In the Shared Security Responsibility Model (SSRM), both CSPs and CSCs independently share responsibility for ensuring interoperability and portability in the cloud ecosystem. CSPs are typically responsible for implementing standardized communication protocols, maintaining cross-platform compatibility, and ensuring secure data exchange. CSCs, on the other hand, must leverage these tools for secure data backup, transfer, and restoration, as well as manage the integration of cloud environments. Both parties are responsible for documenting data portability obligations, such as defining data ownership and migration procedures.

This presentation will help you understand how effective interoperability and portability controls contribute to a secure, flexible, and vendor-neutral cloud ecosystem.

Interoperability and Portability

In this presentation we explore Universal Endpoint Management (UEM) domain of the Cloud Controls Matrix, which includes fourteen control specifications focused on mitigating risks associated with endpoints, including mobile devices. The primary concerns in endpoint security relate to user behavior and awareness regarding acceptable use policies for devices, whether they are managed, unmanaged, enterprise-owned, or personal.

Under the Shared Security Responsibility Model (SSRM), both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) have independent yet complementary roles in implementing UEM controls. CSPs are responsible for managing endpoint capabilities, including maintaining inventories, approving acceptable services and applications, and implementing security measures like automatic lock screens, firewalls, anti-malware, and data loss prevention technologies. CSCs, in turn, must securely manage their own devices, ensure compliance with CSP security policies, and protect their data.

Universal Endpoint Management

In this presentation we introduce the Security Incident Management, E-Discovery, and Cloud Forensics (SEF) domain, which comprises eight control specifications critical for managing and responding to security incidents, conducting e-discovery, and performing forensics in the cloud. These controls enable both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) to detect, analyze, and respond to security incidents in a timely manner, minimizing disruption to business operations.

Under the Shared Security Responsibility Model (SSRM), both CSPs and CSCs are responsible for developing incident response plans, defining roles and responsibilities, implementing incident metrics, reporting to stakeholders, and escalating procedures to efficiently manage security incidents. Collaboration is key, with CSPs offering insights into infrastructure-level causes of incidents, while CSCs provide data, application, and user-specific context for thorough investigation and resolution.

Security Incident Management, E-Discovery, and Cloud Forensics

In this presentation we introduce the Audit and Assurance (A&A) domain within the Cloud Control Matrix (CCM). The A&A domain, consisting of six control specifications, plays a pivotal role in guiding both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) to build the confidence required for critical decision-making, communication, and reporting. This domain focuses on key processes, including those embedded in the CCM, and ensures they are evaluated through rigorous assessment, verification, and validation activities.
Designed to support the audit management processes of both CSPs and CSCs, the A&A domain facilitates audit planning, risk analysis, security control assessments, and remediation. It further enables effective reporting and evaluation of attestations and supporting evidence, ensuring transparent and reliable oversight.
The Shared Security Responsibility Model (SSRM) clearly outlines the responsibilities of CSPs and CSCs in implementing the A&A controls within cloud environments. Each party is independently accountable for establishing comprehensive audit and assurance policies, conducting regular security assessments, and adhering to relevant standards and regulatory requirements. By aligning their A&A controls with the SSRM, both CSPs and CSCs can independently fulfill their assurance needs over the control processes defined by the CCM.

Audit and Assurance

In this presentation, we introduce the CCM's Application and Interface Security (AIS) domain. With seven control specifications, the AIS domain is focused on securing the software and interfaces used within cloud environments. It helps organizations identify and mitigate risks during the design and development phases of their cloud-based applications.

Effective implementation of cloud security controls in this domain is crucial for Cloud Service Providers (CSPs) to safeguard the integrity, confidentiality, and availability of their applications and interfaces. Ensuring a robust security posture at this level is critical to protecting the entire cloud landscape.

Following the Shared Security Responsibility Model (SSRM), the responsibility for securing cloud infrastructure is divided between CSPs and Cloud Service Customers (CSCs). CSPs must secure the foundational infrastructure by offering secure applications and APIs, adhering to secure coding practices, establishing application security baselines, and conducting automated security testing. They are also responsible for maintaining secure runtime environments. On the other hand, CSCs are tasked with securing their applications and interfaces, ensuring proper configuration, upgrading systems as needed, and integrating security measures into new versions of applications in line with best practices and the chosen cloud deployment model.

When both CSPs and CSCs align their efforts within the AIS domain, they help create a more secure cloud environment. This reduces the risk of application vulnerabilities and strengthens the confidentiality and integrity of data. Collaboration between the two parties fosters improved communication, enabling quicker responses to emerging threats and more efficient incident resolution.

Application and Interface Security

In this presentation we focus on the Human Resources (HRS) security domain, which comprises thirteen control specifications designed to help cloud organizations manage risks associated with insider threats. These controls ensure that personnel handling sensitive data are trustworthy, properly trained, and equipped to maintain the security posture of the organization, reducing risks like unauthorized access and data breaches caused by human factors.

Under the Shared Security Responsibility Model (SSRM), both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) independently implement HRS security controls. This includes conducting background checks, providing continuous security training, and ensuring employees are aware of cloud security risks and best practices.

By implementing HRS controls, cloud organizations can enhance the security of their services through the employment of well-trained, vetted staff, mitigating the risks of security incidents due to human error or malicious actions.

Human Resources - Security Implementation Best Practices

In this presentation we cover the Threat and Vulnerability Management (TVM) domain, which features ten control specifications aimed at helping both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) proactively identify and mitigate security threats and vulnerabilities in the cloud environment. These controls are designed to address evolving threats that could impact assets, security architectures, and solution components.

According to the Shared Security Responsibility Model (SSRM), CSPs and CSCs share responsibilities for implementing TVM controls. CSPs are responsible for identifying, assessing, reporting, and remediating vulnerabilities related to infrastructure, network devices, virtualization technologies, operating systems, and platform applications. CSCs, on the other hand, focus on vulnerabilities in their applications and APIs, including security settings and access misconfigurations.

Effective collaboration between CSPs and CSCs in implementing TVM controls enhances the overall cloud security posture by addressing vulnerabilities throughout the entire cloud infrastructure, from the underlying platforms to the deployed applications.

Threat and Vulnerability Management

In this presentation we delve into the Infrastructure and Virtualization Security (IVS) domain, which comprises nine control specifications designed to guide both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) in securing infrastructure and virtualization technologies. This domain covers the protection of hardware, software, networks, and facilities essential for delivering IT services, as well as the virtualization technologies that abstract hardware resources into virtual environments.

Under the Shared Security Responsibility Model (SSRM), both CSPs and CSCs are typically responsible for implementing IVS controls. CSPs are generally tasked with securing the underlying infrastructure, including platform technologies (like hypervisors and virtual machines), network virtualization, and providing capabilities for resource planning. CSCs are responsible for securing their allocated resources within the virtualized environment, such as hardening guest operating systems, applying security patches, and managing access to platforms and control interfaces.

Infrastructure and Virtualization Security

In this presentation we introduce the Identity and Access Management (IAM) domain, which includes sixteen control specifications aimed at helping both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) follow security best practices for managing identities and access to cloud resources. Key practices, such as the principle of least privilege, segregation of duties, multi-factor authentication, and role-based and attribute-based access control, are essential for securing access to cloud functions and data.

Under the Shared Security Responsibility Model (SSRM), both CSPs and CSCs share the responsibility for establishing secure access to the cloud environment. CSPs are typically responsible for offering robust identity and access capabilities, controls, and mechanisms. CSCs, in turn, define user roles, enforce strong authentication methods, and manage the full identity lifecycle, including provisioning, modifying, and revoking access, while continuously monitoring for suspicious activities. Collaboration between CSPs and CSCs in implementing IAM controls ensures that necessary protections are in place to prevent unauthorized access to CSC data and cloud resources.

Identity and Access Management

In this presentation we explore the Data Security and Privacy Lifecycle Management (DSP) domain, which includes nineteen control specifications focused on privacy and data security. These controls are globally applicable and not tied to any specific industry, country, or regulation, though they reflect common elements from major privacy regulations. Serving as a valuable baseline, these controls may require organizations in specific regions or sectors to implement additional data protection measures.

The DSP domain covers the entire data lifecycle, from creation to disposal, addressing critical aspects like data privacy, classification, retention, and disposal according to applicable laws, regulations, and risk levels. These controls assist both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) in safeguarding data and ensuring compliance with relevant data protection laws.

In the Shared Security Responsibility Model (SSRM), CSPs are responsible for securing the cloud infrastructure and providing capabilities for secure data storage, access, and disposal. CSCs, in turn, are responsible for securing the data they store or process within the cloud, classifying it, leveraging CSP-provided tools like encryption, and ensuring compliance with data privacy regulations.

Data Security and Privacy Lifecycle Management

In this presentation we explore the Cryptography, Encryption, and Key Management (CEK) domain within the Cloud Control Matrix (CCM) that comprises twenty-one control specifications. The CEK domain focuses on safeguarding Cloud Service Customers' (CSCs) data through cryptographic techniques, encryption, and effective key management. It plays an essential role in ensuring compliance with encryption standards and maintaining the confidentiality and integrity of sensitive information in cloud environments.
Under the Shared Security Responsibility Model (SSRM), Cloud Service Providers (CSPs) govern cryptography, encryption, and key management practices, ensuring they align with industry best practices and regulatory standards. CSPs manage the underlying infrastructure, provide secure key storage, and deliver encryption services. Meanwhile, CSCs take responsibility for encrypting their own sensitive data before uploading it to the cloud, managing their encryption keys, and assigning roles and responsibilities within their applications and data. They also oversee cryptographic risk and change management processes specific to their environment.
Collaboration between CSPs and CSCs in implementing CEK security controls is mutually beneficial. For CSPs, it strengthens the confidentiality and integrity of CSCs’ data, boosting the security and compliance of cloud services. For CSCs, working with CSPs ensures their unique cryptographic needs are addressed, reinforcing data protection and regulatory compliance.

Cryptography, Encryption and Key Management

This presentation explores the Change Control and Configuration Management (CCCM) domain of the Cloud Control Matrix (CCM). With its nine control specifications, this domain focuses on mitigating risks associated with configuration changes to information technology (IT) assets by adherence to a robust change management process—regardless of whether IT assets are managed internally or externally. Proper handling of modifications is essential to ensure that changes do not introduce vulnerabilities or compromise the security and stability of cloud systems, which is critical for both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs).

Both CSPs and CSCs utilize the CCM controls to ensure that a secure cloud environment is configured and maintained in accordance with agreed service requirements. This domain ensures that IT asset configurations are only modified by an approved baseline and that any changes are authorized by the appropriate change management authority, whether CSP or CSC.

Change Control and Configuration Management

In this presentation, we introduce the CCM business Continuity Management and Operational Resilience domain, comprising eleven control specifications. This domain focuses on protecting the availability of essential business processes, infrastructure, and services. It aims to minimize disruptions and maintain business continuity, even in the face of unforeseen or disruptive events.

Implementing cloud security controls within this domain is vital for both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) to guarantee uninterrupted service delivery and maintain operational resilience. By securing the cloud environment, both parties can work towards ensuring business stability during times of crisis.

CSPs and CSCs have distinct yet interconnected roles when it comes to ensuring infrastructure resilience and business continuity in cloud environments. CSPs are responsible for planning, developing, and deploying resilient technologies, services, policies, and processes that support the continuity and operational resilience of the cloud. They must also clearly communicate their resilience and recovery capabilities to CSCs, ensuring transparency during a disruption. CSCs, on the other hand, must assess and manage potential risks to their data, resources, and assets hosted in the cloud. Based on risk analyses, CSCs should develop and implement robust business continuity strategies tailored to their needs. This includes formulating comprehensive business continuity plans and procedures, designed to guide their operations during disruptive events.

By fulfilling their respective responsibilities and working together, CSPs and CSCs can maintain a resilient and reliable cloud environment. This collaboration is essential for ensuring that businesses can continue their operations seamlessly, even in the face of challenges.

Business Continuity Management and Operational Resilience (BCR)

CCM Implementation Guidelines v2

In this presentation we introduce the*Governance, Risk Management, and Compliance (GRC) domain of CCM, which consists of eight control specifications. These controls are designed to help Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) ensure that their governance, enterprise risk management (ERM), information security management, and compliance programs effectively address cloud-related concerns.

CSPs and CSCs are typically responsible for implementing their own governance, risk, and compliance controls to manage their cloud-based products, services, assets, and processes. The development of a GRC program is unique to each organization, tailored to its specific operations and needs.

Implementing GRC controls enables cloud organizations to effectively direct and manage their resources by providing a structured framework for risk management, regulatory compliance, and aligning security practices with business objectives.

Governance, Risk Management and Compliance

Governance

Risk Management

Compliance

Cloud computing has exploded over the past few years, delivering a previously unimagined level of workplace mobility and flexibility. The cloud computing community on BrightTALK is made up of thousands of engaged professionals learning from the latest cloud computing research and resources. Join the community to expand your cloud computing knowledge and have your questions answered in live sessions with industry experts and vendor representatives.

Cloud Computing

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Governance, Risk Management and Compliance

Presented by

About this talk

Cloud Security Alliance: CloudBytes