5 Things We Learned at CSA Congress 2014
Our team recently attended the 2014 CSA Congress. As members of the Cloud Security Alliance and passionate advocates for increased cloud security, we were interested to learn from this community of like-minded individuals as well as share some of our knowledge. Here’s what we learned:
- Security + Privacy = New Boundaries: This conference seemed to be highly attended by IT administrators looking to better understand cloud security as well as legal teams who will help companies put together their privacy plans, or help defend them when challenged. For the first time, the CSA Congress was joined with the IAPP Privacy Academy, which brought the worlds of privacy and security together. What brought them together was the cloud; in the cloud, the lines of responsibility between these two areas are becoming more blurred, and many of the IT admins in attendance were there to try and figure out what the new rules are.
- The CSA Is a Powerful Security Advocate: The CSA community is definitely active, and people are feverishly trying to figure out how to protect cloud-based access to their data. The myriad regulations that govern data worldwide continue to grow in complexity and volume and are very difficult to track, which is why the CSA’s Cloud Controls Matrix (CCM) is an invaluable tool for those who need to continue complying with regulations while moving to the cloud. Staying ahead of new rules and regulations can be difficult, and the CSA is doing a good job helping its members not only keep up, but also influence the regulations before they become law.
- SaaS Needs Protecting Too: Many attendees were focused on how to secure their own apps, and less concerned about how to secure SaaS apps. There was a learning curve when people had a conversation with us at the Spanning booth: “Wait, my SaaS vendor doesn’t protect my data from user error?” The answer is no, but that doesn’t mean those apps should remain unprotected. When you move your own apps to the cloud, you account for all the same security measures as you did when they were on-premises. But when you offload the work onto someone else’s SaaS application, you can’t assume that they have security 100% covered; you need to do the homework and make sure that all kinds of disasters – major weather events, hardware failure, hacking and malware attacks, user error, malicious insiders, etc. – are accounted for, and if your SaaS vendor doesn’t have them all covered, you need to make sure they’re taken care of on your end (especially the disasters that are initiated by users).
- On-premises Security Doesn’t Disappear in the Cloud: The majority of attendees get the fact that on-premises isn’t necessarily more secure than the cloud. And the cloud can be very secure (sometimes more secure than on-premises) if the proper measures are implemented. But even the ones who are a bit defensive about losing duties to the cloud realize that their end users will be in the cloud whether they are supposed to be or not. They are struggling to understand how to apply traditional security to the cloud – and the business isn’t waiting for them. Getting involved with the CSA is a good place to start.
- Looking Ahead: While Spanning has security built into its DNA, there’s always more we could be doing. We plan to continue focusing on this important area to make sure we’re complying with all existing regulations, implementing procedures to keep up with the new ones, and continuing to offer our customers enterprise-grade backup with top-notch security baked in at every step.
If you’d like to read more about how to pass your audits in the cloud, you can download “Compliance in the Cloud: SaaS Data Backup and Recovery Get the Job Done.” Thanks to everyone who came to see us at the booth, and we look forward to continuing the conversation.