SaaS App Security

The Top Cloud Risks For Business, And How To Avoid Them

Hillary Baron, Senior Technical Director For Research at the Cloud Security Alliance, speaks to Expert Insights to discuss how organizations can stay secure against cloud security risks.


The Cloud Security Alliance (CSA) is a world-leading not-for-profit organization that focuses on developing best practices and standards within cloud security. CSA raises awareness and teaches best practices to organizations around the world, helping them implement secure cloud computing processes and educating experts across a range of topics.

Hillary Baron is the Senior Technical Director for Research at the Cloud Security Alliance, specializing in analytics for their research department. Baron has a background in research, including evaluation research and the like. She has worked with CSA for seven years, mostly focusing on research around emerging cloud technologies.

We spoke to Baron after RSA 2022 to learn more about the work CSA is doing to improve cloud security globally, the biggest cloud risks facing organizations at the moment, and her recommendations for how organizations can ensure their customers and employees stay protected. 

Can you give us an overview of the Cloud Security Alliance and the work that you do? 

Sure! CSA is a global not-for-profit that focuses on developing best practices and standards within cloud security. The idea is bringing together the community, so that we can all learn from one another and produce papers that are consensus-based, which helps everyone to do security better together.

I’m in the research department, so that’s primarily the lens I have of CSA. But we also have local chapters that help people to network within their own community and talk through problems that may be unique to their area. And then we do offer training to help people get basic knowledge of cloud security as they move into this space. Because certainly the skills gap is an issue, and we hope to help with that. 

Primarily, what I focus on is the research component. We focus on a wide variety of different topics, but the big thing with CSA is that our research is free: we don’t put it behind a paywall, and you don’t have to be a member. We want everybody to be able to do cloud computing securely.

What kind of research are you typically working on at CSA?

It really runs the gamut; we have about maybe 30 different working groups. We have everything from more foundational pieces, like our ‘Cloud Controls Matrix’ (or CCM), also sometimes referred to as CAIQ. It’s a lot of different names for the same thing! And essentially, that’s the foundational piece. It’s a checklist of things that you need to be doing in your cloud environment to keep it secure.

We have other things focused on emerging technologies; that’s my specialty. So, I’ve got a soft spot for that. We have a framework specializing in IoT, looking at that ecosystem and how to keep that secure. We’ve also got programs related to blockchain and DLT.

It’s really just a matter of what people’s interests are because we’ve probably got something on it!

What are the main cloud security challenges that you’re seeing at the moment; what are the major pain points today? 

I think the main pain point that we’re really starting to feel, and this is nothing new, is the skills gap. We have a lack of qualified staff. Part of that is just that the education system hasn’t caught up. Cloud moves so quickly that it’s really hard to be able to adjust and modify constantly, as rapidly as the industry changes. So, that’s really difficult because you don’t have that direct pipeline. I think, too, for a lot of people, when they think of tech, they don’t think of security. What it all boils down to is we’ve got a lack of butts on seats.

Also, especially in the wake of the health crisis that we have recently been going through, a lot of organizations very rapidly moved to remote working. And there has been a rapid acceleration of movement to the cloud, and digital transformation to support that remote work. So, there were a lot of organizations whose hand was forced a little bit when it came to moving to the cloud, and now they’re saying: “Do we have the people to really support our security now that we’re in this environment?”

Trying to find those people is pretty tricky. That’s one of the big things that we see coming up time and time again on our surveys. We ask: “Hey, how did that misconfiguration happen in your organization?” and we hear it was a lack of knowledge, human error. Those things happen when enterprises lack the actual skill sets they need.

I think beyond that, visibility’s been kind of a continuous issue. And that really ties into multi-cloud, and more complex environments that we’re seeing—a lot of SaaS services and IaaS environments. There are a lot of pieces of the cloud environment.

Visibility is getting easier, there are certainly tools out there. But it’s still a challenge, particularly if it’s not considered at the outset.

How do you think the industry can best solve some of these challenges, particularly around the skills gap? What is CSA’s advice to organizations?

It’s a pretty complex issue! So, there are lots of different ways that we can tackle it. Obviously, training up your current staff is always going to be the most direct route, especially if the training is constant and continuous. This isn’t a situation where you send someone to a conference, or they get a certification, and now they’re good! Because that environment changes; there’s always new technology and new security threats. So, there’s a constant need for more education to stay up to date. I think that’s one of the ways that we see most people trying to tackle it.

Certifications are also a good place to start, especially if you just don’t have the people that you need. Sometimes this does involve taking a chance on a person and getting them trained up and into the space, even though they may be in a related area and may not have that expertise just yet. Providing mentorship is another huge thing we see. This is getting someone who’s much more experienced in the space; they may be close to retirement, or maybe they just have several years of experience, and they pass that on to someone else who is newer to the space or a bit younger and help them to navigate the ins and outs.

Obviously, I am going to be biased here and say CSA always has papers. We’re always publishing something that people can be consuming, that can help them sharpen their skill set or provide them additional knowledge on an area that may be helpful for them.

But the other thing that I’ll say is that educating our current staff and future staff is great, but we can also supplement a lot of this with the use of automation. And that can come in a lot of different forms, a lot of different products, especially with technology such as AI or machine learning. The more that we can move towards automation, the more we free up knowledgeable security staff to think more strategically rather than being bogged down with the minutiae of the job.

Automation can also help reduce human error, which is always a factor, especially when we’ve got folks who are fatigued. The burnout rate for security in general is pretty high. I feel that automation is something that we talk about in passing, but it tends to get overlooked as a potential solution for the skills gap.

One of the big cloud security trends at the moment is this increasing move to Zero Trust technologies. What do you think of the importance of Zero Trust when it comes to cloud security?

Zero Trust has been kind of a buzzword, and I thought maybe it would be slowly petering out, but it seems to only have ramped up as the hot word to be using. We saw it a lot at RSA. And I think one thing that’s really important with popular buzzwords like this – and this goes for AI, ML, anything like that – I think sometimes we see this new hot thing and we say: “Oh, great! Someone wrote it on their marketing sheet and now I’m doing zero trust!” 

But sometimes these terms can be a little bit of a black box. We need to remember that Zero Trust is strategy-based. There are a lot of different elements that are involved, and simply using one product that says it utilizes ‘Zero Trust’ doesn’t mean that you’ve developed and implemented the entire strategy.

We’ve seen people talk about Zero Trust a lot recently, particularly in our recent surveys. Many organizations want to implement a Zero Trust strategy. But we have to demystify the buzzword and separate it from a Zero Trust strategy.

Finally, what is your advice to organizations who are dealing with some of the challenges we’ve discussed around cloud security, and are looking to improve their resilience? 

Like everything, this is multipronged. I think the most important thing is that you’re evaluating the services. And, you know, it can get tricky, right? Because the service providers are getting thousands of evaluations, they’re getting sent spreadsheet after spreadsheet, so that does cause problems, particularly with the timeline. Service providers don’t have the ability to respond quickly, or at all, to evaluations of their security posture.

We do have our ‘STAR Registry’, which is essentially where technology providers can outline their security posture, and people can use that as a basis for understanding a product’s security posture at that point in time.

When looking at your own environment, CCM provides a framework, but there are also others: NIST CSF is another one that is very commonly used in the industry. So, there are other frameworks out there that more or less provide you a checklist of what you need to be doing in an environment. It’s a great place to get started.
