

CSA Security Update

CSA STAR is the industry's most powerful program for security assurance in the cloud. The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings. This podcast series explores CSA STAR as well as CSA best practices and research along with associated technologies and tools.

  1. 59

    Beyond the Black Box: An AppSec Guide to AI

    Most organizations are still securing AI like traditional systems, but AI changes the rules entirely. In this episode, leading security experts Jim Rotan and Manish Kumar Yadav from SAP reveal how AI’s probabilistic nature, supply chain risks, and emerging attack surfaces like prompt injection demand a complete overhaul of modern security strategy. From model poisoning to AI-driven data exfiltration, they break down the real risks in AI-powered environments—and what security teams must do differently. You’ll gain practical insights on adapting threat modeling, securing model provenance, implementing AI-specific guardrails, and embedding security early in the development lifecycle. This episode cuts through the hype to deliver actionable strategies for rethinking risk, strengthening defenses, and building resilient AI systems. If you’re responsible for protecting modern applications, this is essential listening. https://cloudsecurityalliance.org/star/

  2. 58

    The Importance of AI Ready Data - How AI Is Changing Data Security and Quality

    This episode explores how AI is transforming data management, governance, and security. Ben Wilcox, CTO with extensive cloud experience, discusses the shift from data sprawl to quality, the security implications, and best practices for organizations to prepare for AI-driven data strategies.

    Key Topics
    - Impact of AI on data sprawl and governance
    - Importance of data quality for AI effectiveness
    - Security risks associated with uncontrolled data sprawl
    - Best practices for AI data environment architecture
    - The role of data governance and lifecycle management in AI

    https://cloudsecurityalliance.org/star/

  3. 57

    The importance of Cybersecurity in Education

    Cyberattacks dominate today’s headlines, and in many cases, the weakest link isn’t technology—it’s people. In this episode, cybersecurity leader and educator Francisco Garcia Martinez, a member of the Technical Operations Committee of the Cloud Security Alliance, Spanish Chapter (CSA-ES), explores why cybersecurity education must evolve to meet the realities of an AI-driven world. As some countries introduce AI into high school curricula, many education systems still rely on outdated programs that fail to teach the critical thinking and security awareness needed in today’s digital landscape. Fran discusses how universities, governments, and industry can better prepare the next generation by focusing on foundational security principles, analytical thinking, and real-world technologies like cloud and AI, ensuring cybersecurity becomes a core skill for everyone, not just technical professionals. https://cloudsecurityalliance.org/star/

  4. 56

    From Pilot to Production: Preventing Breaches in AI Platforms

    Artificial intelligence is no longer confined to innovation labs or pilot programs. As enterprises deploy GenAI and MLOps platforms across Azure, AWS, and hybrid environments, AI is becoming a first-class cloud workload, and that shift is exposing security models that were never designed for autonomous, adaptive systems. In this episode, we’re joined by Milan Rana, Principal AI Architect at Headstorm, to explore what actually breaks when organizations scale AI in production. Drawing from hands-on experience building secure AI landing zones for regulated enterprises, Milan moves beyond theory to highlight real-world failure points, architectural tradeoffs, and governance gaps. https://cloudsecurityalliance.org/star/

  5. 55

    Beyond Encryption: Quantum Computing and the Future of Cyber Risk

    In this episode, we delve into the transformative world of quantum computing and its implications for cybersecurity. Join us as William (Bill) Genovese, Chief Quantum Officer at Cyber Eagle Project, shares insights on how quantum technology is reshaping cyber risk, governance, and resilience. Discover why organizations must prepare now for a quantum future, the challenges of transitioning to post-quantum encryption, and the strategic steps leaders should take to safeguard their digital assets. Tune in to explore the intersection of quantum advancements and cybersecurity with industry experts. https://cloudsecurityalliance.org/star/

  6. 54

    The New Mandate for Internal Audit in Cloud & AI Environments

    As organizations accelerate their adoption of cloud and AI technologies, internal audit teams face mounting pressure to evaluate increasingly complex hybrid and multi-cloud environments. In this episode, the Cloud Security Alliance’s John DiMaria sits down with Jerrad Bartczak of Advantage Partners to examine the rapidly evolving cloud risk landscape—spanning unclear shared responsibility, governance gaps, misconfigurations, credential sprawl, insecure APIs, and limited visibility into cloud data flows. Listeners will gain practical guidance on establishing strong cloud governance, clarifying accountability, assessing cloud and data security posture, evaluating identity and access controls, securing application development, and addressing third-party cloud risk. The conversation also explores how frameworks such as the CSA Cloud Controls Matrix can support a structured, multi-year cloud audit strategy. Ultimately, this episode reinforces that cloud security is a strategic business imperative that requires collaboration, continuous monitoring, and a unified approach to risk management. https://cloudsecurityalliance.org/star/

  7. 53

    Navigating AI Governance Insights - ISO 42001: The Future of AI Compliance

    In this episode of CSA Security Update, host John DiMaria speaks with Walter Haydock, founder of StackAware, about the critical role of AI governance and compliance in today's rapidly evolving regulatory landscape. They discuss the importance of ISO 42001 as a framework for managing AI-related risks while fostering innovation. Walter shares insights on how certification can build trust with customers and streamline sales processes, as well as the challenges organizations face in navigating a patchwork of regulations. Drawing from his military background, Walter emphasizes the necessity of making informed decisions in risk management. The conversation concludes with a forward-looking perspective on the future of AI in business. https://cloudsecurityalliance.org/star/

  8. 52

    AI Governance Gets Real: How ISO/IEC 42001 Elevates Cloud GRC

    As AI rapidly integrates into cloud environments, organizations are facing governance, risk, and compliance challenges that traditional frameworks like ISO 27001 were never designed to address. In this episode, we explore how ISO/IEC 42001, the new international standard for an Artificial Intelligence Management System (AIMS), provides a structured and auditable approach to responsible AI governance. You’ll learn how this standard helps organizations operationalize AI risk management while ensuring accountability, transparency, and compliance across modern cloud ecosystems. We break down practical strategies for integrating ISO/IEC 42001 into existing GRC programs—without duplicating effort or creating parallel processes. John DiMaria interviews Tanya Tandon, Senior GRC & Risk Advisor for VISO TRUST, who draws on real-world experience as an ISO/IEC 42001 Lead Auditor and offers actionable guidance for building trustworthy AI systems, preparing for certification, and managing third-party AI risks. Whether you’re a security leader, auditor, compliance professional, or AI practitioner, you’ll gain practical insights on embedding ISO 42001 requirements into daily AI operations and aligning them with broader enterprise GRC strategies. https://cloudsecurityalliance.org/star/

  9. 51

    Internal Audit in the Age of Cloud & AI: Navigating the New Risk Frontier

    As organizations accelerate their adoption of cloud and AI technologies, internal audit teams are being pushed into a new era of complexity. In this episode, Cloud Security Alliance’s John DiMaria and Grant Thornton’s Vik Rai unpack the evolving risk landscape across hybrid and multi-cloud environments—and what auditors must do to keep pace. We explore today’s most critical cloud security challenges, including unclear shared responsibility, governance gaps, misconfigurations, credential sprawl, insecure APIs, and limited visibility into cloud data flows. Listeners will gain practical, actionable guidance on strengthening cloud governance, evaluating security posture, assessing identity and access controls, securing application development, and managing third-party cloud risk. You’ll also hear how frameworks like the CSA Cloud Controls Matrix (CCM) help internal audit teams build scalable, multi-year audit programs that align to modern cloud architectures. https://cloudsecurityalliance.org/star/

  10. 50

    Continuous verifiable proof is the new standard

    In this episode of CSA Security Update, host John DiMaria and guest Scott Fuhriman of Invary discuss the evolving landscape of cloud security, focusing on the critical vulnerabilities posed by implicit trust in foundational components like kernels and hypervisors. They explore the limitations of traditional security tools and the necessity of continuous integrity measurement as a proactive defense against modern threats, including zero-day attacks. The conversation underscores the importance of integrating integrity validation into existing security frameworks, while striking a balance between performance and security. Real-world use cases demonstrate the effectiveness of these measures, particularly in critical infrastructure. The episode concludes with insights into the future of cloud security, emphasizing the need for continuous verifiable proof to enhance trust and security in cloud environments. https://cloudsecurityalliance.org/star/

  11. 49

    The Human Side of AI Security: Leadership, Culture, and Change

    Summary

    In this episode, John DiMaria and John Earle discuss the rapid rise of AI in cybersecurity, drawing parallels to the early adoption of cloud security. They explore the importance of organizational culture, change management, and team dynamics in shaping security initiatives. The conversation emphasizes the need for effective communication and the role of security champions in overcoming resistance to change. Looking ahead, they highlight the qualities that will define successful security leaders in the evolving landscape of technology.

    Key takeaways
    - AI is transforming cybersecurity at an unprecedented pace.
    - Organizational culture significantly impacts security performance.
    - Change management is essential for security leaders.
    - Understanding team dynamics can enhance security initiatives.
    - Building security champions is crucial for program success.
    - Effective communication fosters collaboration and trust.
    - Resistance to change is a natural reaction that needs addressing.
    - Security leaders must empathize with team concerns.
    - Data engineering knowledge will be vital for future leaders.
    - Proactive security measures are more effective than reactive ones.

    https://cloudsecurityalliance.org/star/

  12. 48

    Guardrails for Generative AI: Balancing Innovation with Responsibility

    As organizations embrace generative AI, ensuring applications align with safeguards is critical. Today, we are here to explore how proper guardrails can enable responsible AI by filtering harmful content, enforcing policies, and supporting compliance—all without slowing innovation. Join us as we interview Saptarshi Banerjee, Senior Solutions Architect at Amazon Web Services (AWS). Listeners will hear real-world use cases, governance best practices, and how to build AI solutions that are powerful, secure, and aligned with enterprise values. https://cloudsecurityalliance.org/star/

  13. 47

    Empowering Cloud Providers: The EU Cloud Code of Conduct and GDPR Explained

    In this insightful episode, we explore the intricate world of GDPR compliance and how tools like codes of conduct can support cloud service providers. Our special guest, Gabriela Mercuri, Managing Director of SCOPE Europe, shares her expertise on the EU Cloud Code of Conduct (EU Cloud CoC), a pivotal GDPR compliance tool designed specifically for the cloud industry. Join us as we discuss the significance of these codes of conduct, their role in ensuring data protection, and how they offer a practical framework for companies striving to meet GDPR requirements. We will also delve into the ongoing collaboration between the EU Cloud CoC and the CSA, highlighting how this partnership enhances transparency, trust, and compliance across the cloud services landscape. Whether you’re a cloud service provider, a data protection professional, or simply interested in GDPR compliance, this episode will provide valuable insights into the evolving landscape of data protection and the practical steps companies can take to ensure compliance. https://cloudsecurityalliance.org/star/

  14. 46

    Real-talk: Opportunities for Security Teams to Fight AI with AI

    The attack surface has expanded and evolved dramatically in an era where the industry is investing nearly a trillion dollars in cloud infrastructure, operations, and applications. Modern cloud development enables faster application building and introduces complex security challenges. As generative AI becomes increasingly integrated into our tools and processes, it promises to transform how we approach cybersecurity. But what does that mean for security and development teams today? Join us in this episode as we interview Tomer Schwartz, CTO and Co-founder, Dazz, and explore how AI can be a game-changer for security teams, especially resource-constrained teams, offering the ability to automatically discover and resolve cloud vulnerabilities at their root. We'll discuss whether human oversight will still be necessary before changes go live and when the true potential of GenAI is realized. We will also discuss how we can use AI to outsmart adversaries using it for malicious purposes. This is a must-listen for anyone interested in leveraging AI to enhance their security posture and protect against the next generation of cyber threats. https://cloudsecurityalliance.org/star/

  15. 45

    ISO/IEC 27001:2022 Unpacked: Embracing Auditing Themes

    In our latest episode, we delve into the innovative approach of auditing "themes" as introduced in the ISO/IEC 27001:2022 revision. This reorganization of domains marks a significant shift in how we think about and implement information security management. By centering our conversation on auditing themes, we explore how this new structure enhances the alignment of security practices with organizational goals and risks. We'll discuss the rationale behind this change, practical insights on transitioning to the new model, and the benefits it brings to ensuring a robust and comprehensive security audit. Join us as we interview David Forman, founder of Mastermind, as we unpack the implications of this pivotal update and provide guidance on how to prepare for your next certification body audit. https://cloudsecurityalliance.org/star/

  16. 44

    From Concept to Competence: The Impact of CSA's Zero Trust Training

    In this exclusive interview, we have the honor of speaking with a representative from the Cloud Security Alliance (CSA), the esteemed recipient of the 2024 Global InfoSec Award for Cutting-Edge Cybersecurity Training. This award acknowledges CSA's groundbreaking Certificate of Competence in Zero Trust (CCZT), the industry's first authoritative training and certification program dedicated to Zero Trust architecture, components, and best practices. During this session, we will delve into the development and significance of the CCZT, exploring the motivations behind its creation and the goals CSA aimed to achieve. Our discussion will highlight the unique features of the CCZT program, its impact on professionals and organizations, and the feedback received from those who have completed the training. We will also examine the broader implications of Zero Trust in the current cybersecurity landscape, the challenges organizations face in adopting Zero Trust principles, and how the CCZT addresses these challenges. Join us as we uncover the reasons behind CSA's commitment to creating a trusted cloud ecosystem and its vision for the future of cybersecurity training. This conversation will provide valuable insights for professionals and organizations seeking to enhance their cybersecurity strategies and achieve excellence in the field. https://cloudsecurityalliance.org/star/

  17. 43

    Decoding Security Solutions: ASPM vs CSPM vs CNAPP

    In the ever-expanding digital world, securing applications and the infrastructure they rely on is critical. This episode tackles three key security field acronyms: Application Security Posture Management (ASPM), Cloud Security Posture Management (CSPM), and Cloud-Native Application Protection Platform (CNAPP). While all focused on bolstering security posture, these target different aspects of one's security program. Listen as we interview Karthik Swarnam, Chief Security and Trust Officer at Armorcode, a CSA member, and take a deep dive into this subject. We discuss:
    - Distinguishing between ASPM, CSPM, and CNAPP: understand their functionalities, target areas, and how they differ in safeguarding your digital assets.
    - Navigating the ever-changing landscape of security solutions and making informed decisions toward building a mature software security program and maintaining a robust security posture.
    - How these solutions integrate with the Cloud Control Matrix and the CSA STAR Program best practices to facilitate better security and reduce risk.

    https://cloudsecurityalliance.org/star/

  18. 42

    Aligning Security Standards: Maximizing Synergy Between CSA STAR Level 2 and ISO 27001

    In this episode, John DiMaria & Cameron Kline, Director of Attest Services at BARR Advisory, delve into the relationship between CSA STAR Level 2 and ISO 27001 standards, emphasizing the significant overlap in best practices, procedures, and controls for cloud service providers (CSPs) operating in medium- to high-risk environments. They highlight how collaboration with an auditing firm certified in both frameworks can expedite the compliance process, offering practical tips for streamlining attestations. Discover why dual compliance against CSA STAR Level 2 and ISO 27001 is paramount for CSPs to demonstrate their commitment to robust security practices and gain a competitive advantage. Cameron also discusses the strategic benefits of integrating CSA STAR Level 2 certification into existing compliance programs post-ISO 27001 audit, providing actionable insights for organizations considering this journey. Whether you're navigating compliance complexities or seeking optimization strategies, this episode equips you with the knowledge to leverage the synergy between CSA STAR Level 2 and ISO 27001 standards effectively. https://cloudsecurityalliance.org/star/

  19. 41

    Navigating the New Age of Compliance

    In a world where the speed of business is only outpaced by the speed of regulatory changes, staying compliant without slowing down has become the new competitive edge. In this episode, we delve into the heart of agile compliance with a special guest, Travis Howerton, Co-Founder and Chief Executive Officer of RegScale, a pioneering company at the forefront of compliance automation. Discover how automated technology and continuous monitoring are revolutionizing the way organizations approach compliance, risk management, and governance in both the private and government sectors. Our guest will share insights into the challenges businesses face in today's regulatory environment and how these innovative solutions are helping to navigate these complexities with greater ease and efficiency.

    In this interview, we explore:
    - The evolving landscape of regulatory compliance and its impact on businesses across sectors.
    - How technological advances allow organizations to leverage automation to streamline compliance processes, reduce risks, and enhance operational agility as well as resilience.
    - Success stories of organizations that have transformed their compliance journey.
    - Tips and strategies for organizations looking to adopt a more proactive and automated approach to compliance.
    - The future of compliance management: trends to watch and predictions for the evolving role of technology in governance and risk management.

    Listen to an enlightening conversation that sheds light on the future of compliance and how the latest technology is not just enabling businesses to keep up but to get ahead. Whether you're a business leader, a compliance professional, or just curious about the intersection of technology and regulation, this episode will provide valuable insights into making compliance a driver for innovation and growth. https://cloudsecurityalliance.org/star/

  20. 40

    Why CPA Firms Excel in Cybersecurity Attestations

    In the latest CSA Security Update Podcast episode, we delve into the fascinating world of cybersecurity attestations and explore why CPA firms are increasingly leading the charge in this domain. Host John DiMaria is joined by Pawel Wilczynski, Cybersecurity Manager at Baker Newman Noyes (BNN), a top-ranked tax, assurance, and advisory firm and an accredited CSA STAR Assessment Firm. The episode delves into why CPA firms, traditionally known for financial audits, are exceptionally well-suited for cybersecurity attestations and how they apply their expertise in ensuring rigorous processes and adherence to standards like CSA STAR when performing cybersecurity assurance over cloud systems. This episode is a must-listen for anyone interested in understanding the critical role of CPA firms in the evolving landscape of cybersecurity attestations. https://cloudsecurityalliance.org/star/

  21. 39

    Cloud Security Unveiled: Navigating CSA STAR Attestation and SOC2 in the Digital Age

    In today's digital landscape, cloud security and governance are paramount. But how do we measure and attest to the security controls of cloud service providers? Enter the Cloud Security Alliance STAR Attestation and SOC2 - two prominent frameworks for assessing and ensuring cloud security. In this episode, we dive deep into the intricacies of CSA STAR Attestation, its relationship with SOC2, and their collective impact on cloud governance and cybersecurity. Join the CSA and our guests, Pat Nester and Michael Nouguier, as they shed light on these intertwined topics, helping businesses navigate the cloudy (pun intended) waters of modern IT infrastructure. https://cloudsecurityalliance.org/star/

  22. 38

    Bridging Cloud Security and Compliance: Government Cloud, FEDRAMP, and CCM/STAR Integration

    In our enlightening interview with Steve Orrin, Federal CTO at Intel, we delve into the intricate world of government cloud technologies, the key role of FEDRAMP, and the future of CCM/STAR integration. Orrin provides an insider's perspective on how these powerful tools are shaping the landscape of data security and regulatory compliance in the digital age. We also explore the challenges and opportunities presented by these technologies, offering valuable insights for stakeholders navigating the complex government cloud infrastructure. This engaging conversation promises to deepen your understanding of these critical domains and their transformative impact on today's digital governance landscape. https://cloudsecurityalliance.org/star/

  23. 37

    Securing Cloud Technology: Insights from NCC Group. Adopting and Implementing CSA Cloud Control Matrix

    In this podcast interview, we sit down with Nandor Csonka, the global practice lead for cloud security services at NCC Group, to explore their adoption and implementation of the CSA Cloud Control Matrix (CCM). Nandor shares the initial process of why NCC Group adopted the CCM and the challenges they encountered as a non-CSP (Cloud Service Provider), along with their strategies for overcoming them. He also highlights the specific benefits and improvements that resulted from the adoption within NCC Group. Furthermore, Nandor delves into the common challenges faced by clients when implementing the CSA CCM and provides insights on successful adoption strategies. We discuss the transition from older versions to CSA CCM V4 and its associated challenges. Lastly, Nandor sheds light on NCC Group's future involvement with the CSA CCM, including their journey to become an accredited CB (Certification Body) and CSA STAR (Security, Trust & Assurance Registry) auditing firm. He also shares his perspective on areas where organizations may need to focus more attention and allocate resources in the coming years. Join us for an insightful discussion on securing cloud technology and reducing risk with NCC Group's cloud security expert. https://cloudsecurityalliance.org/star/

  24. 36

    Shining Bright with Dell: A Case Study on Embracing CSA STAR Program for Cloud Security

    This case study highlights Dell Technologies' journey towards adopting the Cloud Security Alliance's (CSA) Security, Trust, and Assurance Registry (STAR) program to enhance its cloud security. Dell Technologies addressed the continued challenges of the cloud by adopting the CSA STAR program, which provided a framework for assessing and documenting cloud providers' security and compliance posture. Join us as we talk to Andrea Doherty, Technical Lead for the Dell Technologies Security and Resiliency Organization's Trusted Cloud and Services program, where she discusses Dell's challenges, objectives, and implementation outcomes. Find out how they were able to enhance their comprehensive security and compliance program, gain a competitive advantage, and enhance customer trust. https://cloudsecurityalliance.org/star/

  25. 35

    Private Cloud Computing - Security Considerations, Risks and Shared Responsibility

    Private cloud computing refers to a computing infrastructure setup where an organization operates its own cloud environment within its data center. What are the unique information security challenges faced day to day versus other types of cloud, and how does one use the CSA Cloud Control Matrix to mitigate the risks? Due to heightened security issues over the last few years, are companies considering moving to a private cloud? What are the pros and cons, and what is the best advice from those doing it? Listen as we interview Balasubramanian (Bala) Krishnamurthy, Head of Cloud Security & Cloud Automation Services at Nokia. Bala will take us on a virtual case study concerning the private cloud, its advantages, challenges, and their journey to achieving CSA STAR Certification, along with advice to all CSPs in the process of considering STAR Certification. https://cloudsecurityalliance.org/star/

  26. 34

    STAR Attestation - One of the most powerful programs to evaluate the cloud sector

    As organizations look to cloud services to process more sensitive and critical data, security and risk management teams require tools to quickly assess and understand the types and rigor of security controls applied by cloud service providers. CSA STAR Attestation is the first cloud-specific attestation program designed to meet this need. CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. Requirements for the cloud can be quite different than non-cloud environments, so a generic approach to security compliance is not a viable solution for providing evidence of assurance in the cloud. Unique considerations must be given to:
    • Understanding the scope of the cloud computing environment.
    • Do the current security controls cover the unique aspects of the cloud environment?
    • Can the current risk assessment capture the risks correctly?
    • Audit trails that prove the effectiveness.

    Join me as I interview two Principals from Schellman, Ryan Mackie and Gary Nelson, as they take you on a journey down the road to Cloud Attestation and provide details of the audit, advice on implementation, and the value proposition. https://cloudsecurityalliance.org/star/

  27. 33

    Application Security - The Importance of Future Proofing Your Process

    As we’re seeing more cyber attacks in software, open-source software, etc., there is a crucial need for businesses to future-proof against emerging threats.
    - How can companies take preventative (vs reactive) measures, including embedding security into the software as it’s being built (security by design)
    - Urgency for daily scans
    - How the CCM and STAR Program can facilitate reducing risk and understanding the Shared Responsibility Model
    - What to expect in 2022 (more supply chain attacks expected)

    Get the answers to all these topics and more as we interview Farshad Abasi, Founder and Chief Security Officer of Forward Security. In this episode, we discuss software design and development, network and system architecture, and cybersecurity management. https://cloudsecurityalliance.org/star/

  28. 32

    CSA STAR and CCM V4 Case Study. Guest: Ronald Tse, CEO and Founder of RIBOSE

    STAR Certification is the internationally recognized cloud security certification program from CSA that specifies comprehensive and stringent cloud security requirements on CSPs. The CSA Cloud Controls Matrix (CCM) is the de facto standard for cloud security assurance and compliance, widely used in assessing the cloud security performance of cloud implementations. Ribose achieved the world’s first STAR Certification with CSA Cloud Controls Matrix v4, which was released in January 2021. Recorded live from Hong Kong, Ronald Tse, CEO and founder of RIBOSE, takes us through their journey with STAR over the years and discusses the value, ROI and future of STAR and the work being done to increase the value of the auditing and compliance landscape. https://cloudsecurityalliance.org/star/

  29. 31

    Who moved my cheese? Changes to the ISO standards and how they will affect you.

    As businesses change, the world changes, and so does the standards industry. Being up to speed on those changes and paying attention to them can help companies succeed. CSA is dedicated to keeping our followers up-to-date on these changes and how they may affect users, and to providing guidance and information on what can be expected moving forward, what organizations should be concerned about, and tips on preparing for these changes. Listen as we interview Ryan Mackie of Schellman and Eric Hibbard of Samsung, both members of SC27, as they discuss the most critical changes already released as well as those yet to come, what organizations can expect, and what you should be thinking about. https://cloudsecurityalliance.org/star/

  30. 30

    Fighting Ransomware in the Cloud

    In order to fight against ransomware in the cloud, you need to have a multifaceted strategy so you can be better prepared to protect against and respond to attacks. But IT organizations often struggle to understand the priorities and the appropriate approach to mitigate risk and minimize the impact of ransomware. With more tools and software, organizations many times throw money at technology solutions and do not address people and processes, not to mention sector-specific controls to help detect, prevent, and respond to ransomware and other malware attacks. Listen as we discuss the subject and solutions with Greg Edwards, CEO of CryptoStopper.

    In this episode we get into:
    - Practical steps to defend against ransomware
    - The importance of implementing sector-specific controls, as there is no "one size fits all" solution
    - The powerful impact you can have by including all of People, Process and Technology

    https://cloudsecurityalliance.org/star/

  31. 29

    CSA STAR Case Study, Guest: Nick Murison; CISO of Ardoq

    Cloud computing has created new security vulnerabilities, including security issues whose full impacts are still emerging. With the massive growth the cloud industry is experiencing, it's a "buyer beware" environment for sure. The procurement process can be a daunting task for clients, since each cloud service provider presents its security methods in unique ways, making comparisons between sellers time-consuming. CSA facilitates this process. "We take security very seriously, focusing on protecting our customers and ourselves. In a constantly shifting landscape, we map out security threats and risks to plan for current and future dangers. As the next step in our security journey, we've joined the Cloud Security Alliance (CSA), where we will be actively participating in an organization that raises awareness for cloud security best practices globally. With our membership, we will help and participate in cloud security-specific research, education, certification, events, and products." ~Nick Murison; Ardoq~ Listen as we interview Nick Murison, CISO of Ardoq, and explore yet another case of how organizations are utilizing the STAR program and associated tools to help them improve their security posture, meet compliance requirements, and decrease risk and complexity. https://cloudsecurityalliance.org/star/

  32. 28

    Multi-Party Recognition Framework (MPRF) - Reduces cost and facilitates lower risk, all the while building a culture of resiliency.

    Through a funded initiative called the EU-SEC Project, CSA has analyzed the issue of the proliferation of cloud security standards and compliance schemes, and has observed that many security requirements and control objectives in different standards largely overlap. As a consequence, the process of adhering to different standards, laws and regulations is inefficient for CSPs, with a lot of duplicated work that unduly increases costs and complexity. The idea behind the MPRF is not to create yet another cloud certification or auditing architecture. Instead, it aims to provide a unified method of systematic and consistent activities with the goal of minimizing the burden and complexity of compliance and of obtaining certification. CSA partners with organizations like the Center for Internet Security (CIS) and the Cyber Risk Institute (CRI), as well as our approved Assessment Firms, to build a process that eliminates redundancy and complexity, reduces cost and facilitates lower risk, all the while building a culture of resiliency. Join us as we interview representatives from CIS, CRI and Schellman and discuss this state of the art in cloud service monitoring and certification. https://cloudsecurityalliance.org/star/

  33. 27

    SAXO Bank - First Bank to achieve STAR Attestation

    Saxo Bank became the first bank in the world to earn the Cloud Security Alliance STAR Level 2 Attestation and Trusted Cloud Provider accreditation. This milestone in the bank's technology aspirations means Saxo Bank qualifies for and adheres to the highest and most comprehensive principles in terms of transparency, privacy, security and harmonization of standards across the IT systems, services and infrastructure that support the business and its different client segments, from back-office systems to open APIs. The CSA STAR Level 2 attestation is verified and validated by a third-party auditor. The admission to the CSA and the STAR Level 2 attestation demonstrate Saxo's commitment to holistic security and are set to further accelerate the bank's growth as a capital markets solutions provider for partners looking to run their investment infrastructure as a service. Listen as we interview Mads Hasling, Group CISO at Saxo Bank, as he takes us on the journey to STAR Attestation, from implementation to successful attestation to measuring the ROI. https://cloudsecurityalliance.org/star/

  34. 26

    CSA CxO Trust Initiative - Understanding the priorities of your peers within the C-Suite

    The mission of the CSA CxO Trust is to help Chief Information Security Officers (CISOs) better understand the priorities of their peers within the C-Suite, and to give CISOs tools to communicate the business risk, governance, and compliance issues of cloud computing and cybersecurity in the proper context to their peers within the C-Suite and their boards of directors. This initiative will be forward-looking and innovative in advancing cloud computing and cybersecurity within the C-Suite. Join us as we interview Illena Armstrong, President of CSA, and discuss the details of the CSA CxO Trust, the biggest challenges for the C-Suite in today's environment, how the CxO initiative will help mitigate risk, and some tips on how to engage with the high-ranking officers of a company. https://cloudsecurityalliance.org/star/

  35. 25

    Objectives-based Security - Enabling Security Teams to deliver desired outcomes

    "There is a proliferation of security products. As more high-value assets come online, the cybersecurity threats grow and the application environments rapidly change. Security teams are stretched thin trying to continuously map the desired business outcomes to disparate product configurations in these environments." "What we lack as an industry is a cohesive and a high-level approach to enabling security teams to deliver cybersecurity outcomes. A different approach to security is needed." ~Vishwas Manral, Forbes Councils Member~ Join us as we interview Vishwas Manral, Forbes Councils Member, founder and CEO at NanoSec (acquired by McAfee), chief cloud architect of cloud security at McAfee, and co-chair of the Cloud Security Alliance, Silicon Valley. We discuss a more powerful, common-sense approach to laying the groundwork for a more robust cybersecurity posture, one that ensures organizations are more resilient by using the core business requirements as the input. https://cloudsecurityalliance.org/star/

  36. 24

    The advantages and future of the Cloud Controls Matrix

    The Cloud Controls Matrix (CCM) is composed of 197 control objectives structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and it provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The CCM is considered the de-facto standard for cloud security and privacy. Listen as we interview Harry Lu, current Co-Chair of the Cloud Security Alliance Cloud Controls Matrix Working Group, and discuss the CCM, the advantages it brings to organizations, how it mitigates risk, its benefits, and how it facilitates the reduction of complexity in a business, plus an insight into the just-released CCM v4 and the future of the CCM. https://cloudsecurityalliance.org/star/

  37. 23

    A case study – CCM and STAR – Integrating with third-party assessments and regulations to avoid duplication of effort and cost.

    The CCM is used as the standard to assess the security posture of organizations on the Security, Trust, Assurance, and Risk (STAR) registry. The STAR program promotes flexible, incremental, and multi-layered certifications that integrate with popular third-party assessments to avoid duplication of effort and cost. Security providers can fill out the extended question set (the CAIQ) that aligns with the CCM and send it to potential and current clients to demonstrate compliance with industry standards, frameworks, and regulations. It is recommended that providers submit the completed CAIQ to the STAR Registry so it is publicly available to all clients. Join us as we interview Chris Dixon, Governance, Risk & Compliance Manager at TokenEx, and listen as he takes us on their journey utilizing the CCM and STAR, including: what problems it solves and how it helped mitigate risk; how using the CCM helped TokenEx reach some of its security targets; and what the major benefits are. https://cloudsecurityalliance.org/star/

  38. 22

    The Business Value of STAR Attestation

    As organizations look to cloud services to process more sensitive and critical data, security and risk management teams require tools to quickly assess and understand the types and rigor of security controls applied by cloud service providers. CSA STAR Attestation is the first cloud-specific attestation program designed to meet this need. Based on the CSA's Cloud Controls Matrix (CCM), STAR is the only meta-framework of cloud-specific security controls, mapped to leading standards, that enables third-party audit review to give security teams the support and trust they require to enable this move to the cloud. Listen as we interview Ashwin Chaudhary, Director and CEO of Accedere Group, and discuss STAR Attestation, the advantages of SOC 2 plus CCM, and the business value it brings to organizations. https://cloudsecurityalliance.org/star/

  39. 21

    How to Engage with Cloud Customers

    For a cloud service provider (CSP), customer engagement is crucial. It impacts customer loyalty, which directly impacts the bottom line. The potential cost of incompetent customer engagement should be concerning to CSPs. The lines between cloud providers and cloud consumers keep getting fuzzier every day. What are the main challenges of cloud computing that users face? What is the growing paradigm shift in what users will expect from CSPs moving forward as a minimum requirement? What are the top 3 or 4 risks of cloud computing they should be aware of on their end? Get answers to these questions and more as we interview Jennifer "Jen" Chermoshnyuk, Security and Trust Engineer for GitHub, and shed some light on this critical subject matter. https://cloudsecurityalliance.org/star/

  40. 20

    CSA STAR + SOC2 - From Readiness to Attestation

    As organizations look to cloud services to process more sensitive and critical data, security and risk management teams require tools to quickly assess and understand the types and rigor of security controls applied by cloud service providers. CSA STAR Attestation is the first cloud-specific attestation program designed to meet this need. CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. 1. What is CSA STAR & SOC 2? 2. What are the prevalent business drivers that lead to the necessity of obtaining a CSA STAR & SOC 2 attestation? 3. Why should my business plan for a CSA STAR & SOC 2 attestation rather than react to the demand for it? Join us as we interview Audrey Katcher, partner in RubinBrown's Business Advisory Services Group, overseeing the group's Information Technology Risk Services. She also serves as the Open Certification Framework Working Group liaison for the AICPA and made a significant contribution to the STAR Attestation guidelines. Listen as Audrey answers these questions and more regarding STAR Attestation and the assessment process. https://cloudsecurityalliance.org/star/

  41. 19

    CSA STAR Certification Case Study - Guest: Larry Greenblatt, CISSP, CCSP; Information Security Specialist at QAD

    The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings. The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions. Listen as we interview Larry Greenblatt, Information Security Specialist at QAD, as he takes us through his journey to CSA STAR Certification, from business case to implementation and through the audit process, as well as discussing the ROI, the importance of the maturity evaluation, and how this has facilitated improving their business overall. https://cloudsecurityalliance.org/star/

  42. 18

    IoT and SMART Nations - Building Resilience - Guest: David Mudd; BSI Group

    IoT defines the journey of digital technology and data to enable organizations to perform better, boost well-being and respond to local and global challenges, presenting a huge opportunity but risk as well. With SMART Cities and SMART Nations emerging, a sustainable, pragmatic approach is necessary, ensuring that people, processes, and systems are secure. With predictions that three-quarters of the world's 9 billion people will be city-dwellers by 2050, it's vital we ensure cities provide a safe and pleasant environment that is sustainable and resilient to change. Listen as we interview David Mudd, Global Digital and Connected Product Certification Director with BSI Group, and discuss these pressing issues, how IoT can make a positive impact on the environment and the business community in general, and how CSA is working with industry through the development of the CSA IoT Controls Matrix. https://cloudsecurityalliance.org/star/

  43. 17

    Sneak Preview of CSA Summit at RSA, February 24 - 27, 2020

    Excerpt from the most recent podcast interview with Jim Reavis, Co-Founder and CEO of Cloud Security Alliance, discussing the activities and speakers at the upcoming CSA Summit at RSA! https://cloudsecurityalliance.org/star/

  44. 16

    CSA 2019 Year in Review and look into 2020 with Co-Founder & CEO Jim Reavis

    2019 was another great year for CSA, and it sets the stage for an even greater year in 2020. Listen to this insightful interview with Jim Reavis, Co-Founder and CEO of the Cloud Security Alliance, as he provides a look back at the accomplishments and milestones achieved in 2019 and a look ahead at the journey we will be taking in 2020. If you're not already involved, this is a great starting point to get involved with CSA and its massive cloud community. https://cloudsecurityalliance.org/star/

  45. 15

    The STAR Certification Journey - Guest: Willibert Fabritius; Global Head of Information Security and Business Continuity, BSI Group

    The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings. The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions. Listen as we interview Willibert Fabritius, Global Head of Information Security and Business Continuity at BSI Group, and take the journey with us down the road to Level 2 CSA STAR Certification, including use cases on implementation and auditing best practices. https://cloudsecurityalliance.org/star/

  46. 14

    CSA STAR Attestation; The first cloud-specific attestation program. Guest: Debbie Zaller; Principal, Schellman & Company LLC

    As organizations look to cloud services to process more sensitive and critical data, security and risk management teams require tools to quickly assess and understand the types and rigor of security controls applied by cloud service providers. CSA STAR Attestation is the first cloud-specific attestation program designed to meet this need. CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Services Criteria) and the CSA Cloud Controls Matrix. Listen as we interview Debbie Zaller, Principal, practice leader, and SME for Schellman & Company, LLC, who leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines. We take you inside a STAR attestation engagement, following the process from start to finish, and discuss the value of having successfully completed a STAR Attestation audit. https://cloudsecurityalliance.org/star/

  47. 13

    Reducing Business Risk with Forensic Readiness – Guest: Lamont Orange; CISO, Netskope

    Forensic readiness is defined as the ability of an organization to maximize its potential to use good-quality digital evidence to protect the organization and support investigators, while minimizing the costs of an investigation. Trust in the cloud is constantly under attack, so good data-driven decisions are critical. Determining whether a data source provides an acceptable level of digital evidence is one thing, but how do you safeguard data integrity to ensure that the information contained within supports the investigation with the proper content or context, transparency, and trust? Proving "Due Diligence" and "Standard of Care" is critical when building a case to protect your organization. Listen as I discuss this all-important topic with Lamont Orange, CISO of Netskope, as we take the journey down the road of forensics and the importance of being prepared, along with some best-practice suggestions. https://cloudsecurityalliance.org/star/

  48. 12

    EU-SEC Multiparty Recognition Framework – Guest: Damir Savanovic; Senior Analyst & Researcher, CSA

    Security compliance based on third-party audit is becoming increasingly complex, especially as a result of the considerable number of national, international and industry-specific standards and certification schemes present in the market. This generates "compliance fatigue", not to mention sometimes contradictory audit reports related to similar controls, and often translates into substantial costs for service providers. The idea behind the MPRF is to provide a unified method of systematic and consistent activities with the goal of minimizing the burden of obtaining certification "Y" for a CSP once it has already obtained certification "X". The MPRF's purpose is, therefore, to use and promote a comparison analysis between different security frameworks, standards, and best practices. Listen as Damir Savanovic, Senior Analyst & Researcher at CSA and project manager for the EU-SEC project, discusses this exciting evolution of the compliance ecosystem and how it promises to change how we approach security assessments in the near future. https://cloudsecurityalliance.org/star/

  49. 11

    CSA STAR Case Study - Guest: Deepak Gupta; Co-founder and CTO at LoginRadius

    As a cloud service provider, there are many security challenges that organizations have to face, including providing customers and regulators with the level of transparency and assurance needed to achieve the required level of trust. Many organizations are turning to CSA STAR in answer to mandates, to provide a marketing differentiator, or simply to raise the bar in terms of their level of assurance and transparency. Listen as Deepak Gupta, Co-founder and CTO at LoginRadius, explains their journey and approach to implementation: how they wove the CCM controls into their current management system, including all the stakeholders of the business, as well as what challenges STAR solved for the organization. https://cloudsecurityalliance.org/star/

  50. 10

    What Executives Should Know About Security Breaches and Prevention - Guest: Phillip Merrick; CEO, Fugue

    Security is not simply a CIO, CSO, or IT department issue. It is critical that organizations have a system in place that can prove the all-important "Standard of Care" was deployed and maintained. Breaches, leaked documents, and cybersecurity attacks impact stock prices and competitive edge. It is a responsibility that must be shared amongst all employees. It is a matter of resilience and survival for the company. How should CEOs and board members get proactively involved in mitigating future challenges and in the decision-making process, in an industry where there is so much "noise"? As CEOs' technical knowledge and security experience can vary quite a bit, what should they do when the vendors start crowding the door? Listen as Phillip Merrick, CEO of Fugue, provides advice from the boardroom on how CEOs think about and approach security versus the IT department. https://cloudsecurityalliance.org/star/


ABOUT THIS SHOW

CSA STAR is the industry's most powerful program for security assurance in the cloud.The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.This podcast series explores CSA STAR as well as CSA best practices and research along with associated technologies and tools.

HOSTED BY

John DiMaria; Director of Operations Excellence

CATEGORIES

Frequently Asked Questions

How many episodes does CSA Security Update have?

CSA Security Update currently has 50 episodes available on PodParley. New episodes are automatically indexed when they're published to the podcast feed.

What is CSA Security Update about?

CSA STAR is the industry's most powerful program for security assurance in the cloud.The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the...

How often does CSA Security Update release new episodes?

CSA Security Update has 50 episodes. Check the episode list to see recent publication dates and frequency.

Where can I listen to CSA Security Update?

You can listen to CSA Security Update on PodParley by clicking any episode. We provide an embedded audio player for direct listening, and you can also subscribe via your preferred podcast app using the RSS feed.

Who hosts CSA Security Update?

CSA Security Update is created and hosted by John DiMaria; Director of Operations Excellence.