Session at the European Identity & Cloud Conference 2013
May 16, 2013 15:00
So we are now moving from the challenges of the future law, through the issues of ensuring compliance and so forth, into the real world. And we are now going to have two presentations. The first one is from Nikita Reva, who is with Mars. So please welcome Nikita Reva, who will talk about his experiences of tracking risk strategy within the cloud. Over to you.

Thank you. Yes. Check, check. Well, good afternoon, everybody. Thank you for having me. I know we have a large crowd here today, so hopefully everybody can hear me. Okay. Yesterday I was in a Munich beer garden having a nice wheat beer, and I was sitting next to a gentleman who happened to work for a large German-based SaaS provider. And he told me, oh, you're here to talk about cloud security in Munich.
Well, the Germans are scared of cloud, and I don't know if you're going to be successful, because the Germans relatively are not so engaged with some of the cloud implementations. And I'd like to ask a question: is that a theme that we feel is present in Germany right now, that there's fear around adopting cloud services and cloud strategy, for my German colleagues?

There has been resistance in Germany to the cloud. There has been resistance across the whole of Europe for a variety of reasons, which are to do with security and compliance. And the laws in Germany are particularly strict regarding privacy.

So I'll just carry on on that assumption.

Indeed.

Okay.
Well, in Mars, we've been looking at cloud for about three and a half years now, and I'd like to talk about how we've established a strategy to manage these risks on a global scale. So Mars, as you may know, is a large global organization focusing on food manufacturing, for human consumption, treats and Snickers and such, which I'm sure most of you have enjoyed, and also for pet consumption, Pedigree, Whiskas, Royal Canin, for your other friends, your cats and your dogs and your fish. We established a cloud-first strategy about three years ago.
And since then we've built a framework on how to assess cloud-related risk, how to manage that, and how to really fast-track our strategy in consuming cloud services. So why are we here today?
So this graphic here represents a survey by RightScale, which is a company that provisions cloud orchestration software, particularly for Amazon Web Services and Rackspace and a few others. And as we can see here from the graphic, there is quite a focus on cloud consumption around the world. This is from about a thousand organizations that RightScale interviewed. So we can see there's a heavy cloud focus in about 26% of the organizations. So we know this is important. We know this is happening.
Clearly, there's a whole conference here today about this, but what is the major concern? Well, from the research that we've performed at Mars and research that I've performed myself (I'm one of the founding board members of the Chicago Cloud Security Alliance),
we found that there is a huge concern around risk and security, especially outside of the US. Inside of the US, maybe not as much, but it's particularly within the European Union, primarily because of the data privacy laws and the stringency that's in place for some of these items. So we know cloud is an enabler. We know it's becoming a competitive advantage for some companies; the ability to innovate and move quickly and respond to market demands is being enabled by cloud services.
But some companies are staying away from this because of the risks that they need to manage and not having a clear strategy in how to manage that risk. And really what we want to do today is talk about our strategy that we've built in Mars over the last few years and how we did this. This is a case study for you to consume, and hopefully you'll find some value from this presentation.
So as we know, there are different types of cloud services out there: there's infrastructure as a service, of course, there's also platform as a service, and certainly SaaS, software as a service. The risks are different with each of these cloud tiers. Typically the responsibility for providing security and controls with infrastructure as a service is more so on the consumer than on the provider.
And as you go up the stack from infrastructure to software as a service, the responsibility for the controls shifts, generally speaking, to more of a provider-based focus. It's always going to be a shared responsibility, but with a SaaS model, oftentimes the provider will address many of the controls for you, with the exception of maybe identity management, which is something you always have to be responsible for and have to understand.
So in this different model of shared control environments between each stack, how do you determine where the right control level lies within each type of cloud infrastructure model? There's definitely a way, and we're going to talk about that. This is a study done by InformationWeek, which is a large US-based conglomerate around research and media.
And they did a study in 2011 and 2012 with large and medium-sized companies around the world. And what they found is the primary concern is in these first two areas here, and it's primarily related to security and risk. And this is what's prohibiting companies from moving forward with cloud adoption. And we're here to talk about cloud. This is what's prohibiting cloud adoption. So what can we do to change this?
How can we enable ourselves to be more confident that we can effectively assess the risks and have a plan to manage them and mitigate them? Further, going into the study, we found that organizations have different methods of assessing cloud risks. As you can see from the graphic here, a large number of organizations perform their own assessments; about 30% will perform their own assessments.
Some smaller percentage of that will go beyond that and will ask for things such as SSAE 16 or SOC 1, SOC 2, or even SOC 3. In some cases, some will even go beyond that, but some apparently do no assessment and they just consume a cloud service at face value.
I think that's a concern. I think there needs to be some due diligence when you're consuming a service that you are likely not owning or managing yourself entirely. And some of them say that they don't use cloud.
I think this number is a little too high. I think they're using cloud, or their employees are using cloud; they just don't know about it. I'm sure somebody in your organization is using something like Dropbox or Google Docs without telling you. And is that creating exposure for your organization?
Well, perhaps it is. So there are different ways of managing this. And what we're going to talk about next is how did Mars get their hands around this cloud ecosystem as part of our cloud strategy that we just started working on in the last three years?
Well, we've looked at about 90 different cloud service providers of different types. We started with SaaS, and then over time we moved progressively towards infrastructure and platform as a service. So we've seen everything. We've seen the small ones. We've seen the big ones. We've seen the very biggest, the very smallest. We've seen individuals doing this from their home and calling it a cloud service.
I was interviewing a gentleman from Washington state in the US, in Seattle, and he was offering some very sophisticated software that he developed himself that would help us sell to Walmart, which, as you may know, is a very large US-based merchandiser. And this software was very meaningful for us.
However, his cloud service consisted of a server in his basement. And when we asked him if he could use Amazon Web Services, he told me, why? I have a server in my basement. I don't need to use Amazon Web Services.
Well, how is your server protected? Well, I have a dog. This was honestly his response, and it's comical, but this is some of the things that you see when you talk to folks about what they're doing around security. So we developed a strategy that we like to call ISO++. Why ISO++? Because we feel that ISO 27000 is a good framework for information security management.
And we also feel that it gives you a nice level foundation that you can build on top of with other, more specific types of controls and thought leadership from organizations like CSA, the Cloud Security Alliance; from ENISA, the European institute of security; also from NIST, which is a US-based, government-focused think tank that allows you to leverage some of the controls that the US is putting in place for cloud infrastructure; and also TOGAF, more from an enterprise architecture management side. When we built our strategy, we divided it into five of what I call tiers, and these different tiers are different areas that you need to identify as you move towards the consumption of cloud services. So you can see the first tier is more on understanding: what is your organizational strategy around cloud? Is it tactical? Is it strategic? Are you going and consuming a cloud service once and nothing else, or is there some kind of a larger focus around cloud first?
Well, our organization has decided that we're going to be cloud first for anything that we feel can be put into a cloud environment. Anything new, we'll look at cloud first and then we'll look at internal resources, because we're not Oracle, we're not Microsoft. We don't have hundreds of programmers to dedicate to developing an application. It's easier for us to go consume a service that's built for our requirements, as long as it meets our model and our proof of concept. We then also look at service type risk. Each tier of cloud services has different risk, we feel.
So we look at that specifically. We look at technical risk, which of course involves multi-tenant infrastructure in a cloud environment, and then data risk. Regulatory is also always an important topic for us, given that we're a large organization operating on a very international basis. And of course business risk: ultimately it's for the business to decide whether we want to move forward with this cloud implementation or not, to some degree, because they have to agree whether the level of risk that we're taking on is acceptable for our organization.
And it's not technical risk, it's business risk, because at the end of the day, if we go ahead and use a cloud service like Workday for human resources management, and that system is down because of some breach or some kind of an SLA outage, this is going to impact the business, not the security group. The security group will care about it, but ultimately the business is going to come to us and say, why was my HR system down? And what can you do to prevent that?
So when we go through our risk management process, we ask the business to sign off on the risk, so that they have a stake in it and they have ownership of the risk as well. Any questions so far? Okay. So how did we start? We started this in early 2011, so almost three years now. We started really with looking at some very tactical type things in a SaaS space.
And we started looking at how we can get assurance on what the providers are doing. And we started looking at things like SAS 70, SSAE 16, other external reporting. And we started to also develop some basic interview questions and questionnaires based on Cloud Security Alliance, ISO and some other frameworks that we were borrowing from. As we progressed in our maturity, we started looking at more than that.
We started developing a more comprehensive questionnaire and a more comprehensive process of asking the vendor the question, soliciting the response, giving it some weight in the categorization of what their response means to us. Is their response a medium risk or is it a high risk? And optimizing some of that using a software called RSA Archer, which is a GRC management system that we use for managing our entire risk strategy, but specifically with cloud we're using it as well.
So we've advanced from the initial to what we call a more thorough point-in-time assessment. Later in 2012, we advanced on that further, and now what we're doing is ongoing governance. So we are deciding which vendors do we want to assess once, at the consumption phase, point in time, and which vendors do we want to assess ongoing over our relationship with that vendor. Not all vendors need to be managed on an ongoing basis. In our opinion, this requires too much time and resources, which we don't have. Some vendors that are more tactical in nature, that don't involve a high risk profile, we choose to assess in the beginning and then probably not come back to them unless there's a problem, because we have too much of this going on. Some of our very strategic vendors that involve high risk scenarios we will manage on an ongoing basis. So for example, we have some tax applications that are hosted in the cloud with a company called Thomson Reuters. That is very strategic for us. This allows us to pay our taxes effectively as a large organization.
And also this contains a lot of sensitive financial data that, if compromised, would place Mars in a bad position. That application we manage on a very ongoing basis; annually, we have an entire cycle of review. Something more tactical, we wouldn't do that, because the risk is lower. So when you think about risk management, you probably should think about some kind of a framework.
So we've borrowed from the NIST Risk Management Framework, which, as you can see, involves categorization of information systems, selection of controls, implementation of controls, assessment of controls, authorization of the user, and then of course monitoring on an ongoing basis. So as I mentioned in my earlier points, we don't monitor everything. We monitor the things that are most meaningful to us. So let's say you have an understanding around how to put this risk management process in place.
Well, what controls do you pick? What controls do you care about? Are they the same controls for everybody?
Does it vary? Does it depend on what kind of cloud consumption you're looking to perform? We think it does. And what we've done is we've decided to go to the industry and look at the Cloud Controls Matrix as a basis for understanding controls in the cloud environment. The Cloud Controls Matrix is basically a spreadsheet that was developed by the Cloud Security Alliance within the last couple of years that takes a number of cloud controls that the CSA has identified as being meaningful and maps them to different regulatory requirements that you may face. So if your organization is concerned with the EU Data Privacy Directive, there are specific cloud controls that will allow you to meet that directive requirement. Or if you're concerned with PCI, there are specific controls, or if you're an organization that's concerned with SOX in the US context, there are controls that you can look at. So this gives us an idea of how to get started and what controls to pick for each different cloud consumption model.
So some of the providers have picked up on CSA, and they realize CSA is sort of a niche organization that is driving some structure around cloud controls. And what they've done is they've created a registry where providers can attest to the CSA set of controls in a very transparent way for public publishing. They will attest to these controls and they'll publish them in the STAR registry, which is a registry that the CSA manages. You can review that; there are about 20 providers right now that have done so. But we felt that wasn't enough.
We wanted to take this up another level and go further into it to understand specifically what each provider is doing. So for that, we look at external assurance like the SSAE 16, SOC 1, SOC 2, SOC 3. That gives us kind of a snapshot at this point in time; we feel it's not always very effective. So we look further: we ask providers for ISO certification.
We ask them for vulnerability or penetration testing, and you'll be surprised: providers, as long as you ask the question the right way and you're coming in with a structured approach, will give you many of these things. And maybe it's because Mars is a large organization, but we've been able to negotiate penetration testing or vulnerability assessments with providers that we felt were not being fully honest with us. We felt like they were hiding something. We didn't feel we had a good control over what controls they have in place and how they're managing those controls. We've also been able to negotiate our own penetration testing using some of our own tools. So again, this is kind of an overview of how we started. So our initial focus was let's look at industry and see what folks are talking about; what is the CSA doing? Later we expanded on that and we started looking a little bit more deeply, with a deeper focus around controls that vendors may or may not have.
We also introduced infrastructure and platform as a service assessments. In the beginning, we only started with SaaS because we felt that was the easiest type of cloud model to manage risk for. And now that we're optimized, we have a stronger process where we can decide what provider will we spend more time on, what provider will we spend less time on, what types of questions will we ask each provider. And this all goes back to the risk management framework that we talked about. Is the provider tactical in nature?
Is it strategic in nature? Are you hosting sensitive data? Is it non-sensitive data? How meaningful is it to the business? So this is kind of an overview of our toolkit. And you can see that we have these tiers that we'll talk further through. So we've really divided it into five tiers, or five platforms if you will. And each of these, as you can see, kind of has a certain theme. So of course the first one is, you know, make sure you have the business strategy; identify and understand what your asset is.
Tier three goes into interviewing techniques, asking technical questions, understanding what controls you want to have in place. Four goes into compliance, regulatory type topics. And five is more around understanding what providers are not telling you. So providers aren't always honest with you. Sometimes they'll have a salesperson fill out a questionnaire or try to talk to us in an interview session. And usually the salesperson, what do they care about? They want to sell the software and they want to go, and that's it essentially, right?
They're not usually interested in security, and they will, I don't want to say lie to you, but they won't tell you the complete story. And they'll try to maybe exaggerate what the provider is actually doing, in our experience. So how do you see through that? How do you see that they're not being very honest with you or they're not telling you the complete story?
Well, we have to understand how to approach this. And if you understand how to approach it effectively, you can ask the right questions and hopefully get the right response. As we mentioned earlier, ultimately once we finish the assessment, we make a presentation to our business stakeholders and we will ask them, how do you feel about these risks that we've identified? Are you willing to accept the risks at face value? Or do we need to do something to mitigate these risks? Are there any controls that we can further put in place that the provider maybe hasn't initially agreed to?
And at the end of the day, you're a consumer of a commodity. IT cloud is now becoming a commodity. I think cloud is going to dominate the software and infrastructure space for the next 10 years easily. I think companies will stop developing software independently and they will start consuming more cloud-based services with time. So when everything is a service and everything is a commodity, you have some leverage to say to this provider, I want you to do this because your competitors are doing this. So why can't you?
So you need to think through that in those terms when you're negotiating. You're the consumer, you're buying the cloud. So go ahead and negotiate. Your biggest opportunity to negotiate is probably in the beginning, during the sales cycle, because later on the negotiation, unless you have some contractual agreements, will typically be more difficult. So this is a little bit of an overview of our governance process for cloud consumption.
This is a TOGAF-based enterprise architecture model. And essentially I wanted to show this graphic to show you how we look at our cloud strategy. What types of things do we look for when we go into a negotiation, or a discussion rather, with a cloud vendor? What gates do we have to pass through before we actually get to that discussion?
Well, these are the gates that our organization goes through. And my focus is specifically in the security and compliance space. So again, if your organization doesn't understand cloud, educate them. Make sure your team, or whoever you're hiring, consultants, third parties, cloud brokers, make sure they understand cloud, make sure they understand how this is unique, why it's different. There's a lot of information out there that can help you understand this.
I think the CSA has done an excellent job at developing thought leadership and focus on understanding cloud security and why it's unique and why it's different from traditional infrastructure-based security. Of course you have to identify what your assets are, where the assets live. You have to understand your data flow. How will the data transfer from your internal organization externally?
Are you putting yourself in a bad position because you're using a provider that's US-based and you're transferring PII information out of the European Union, for European Union citizens, to a US-based provider that only has a US-based hosting presence? If that's the case, what do you do? How do you manage that?
Well, there are ways to manage that, but in order for you to manage that, you have to understand where the data is going, how it's flowing, and where actually it'll be resident, where will it be sitting. Some providers can tell you this. Google, for example, could not tell us where the data will be at any given time. They told us everywhere. What does that mean? They have a lot of data centers, but their strategy for high availability is to replicate data between different data centers.
But they couldn't tell us at any given time where the data will be, and for what we were trying to do with Google, that wasn't acceptable. So we decided to walk away and we ended up using a different provider, because Google couldn't tell us where the data would be. As simple as that. Understand your business process in relation to the data flow. Will your organization be placed in a bad position if the data is not accessible from a certain region because of some regulatory requirements? So you could implement some cloud software holistically across your entire organization, but maybe some business units cannot use it because of some regulatory challenges that are difficult to overcome. Okay. So when you're interviewing providers, make sure you're coming into the discussion with an auditor-like personality and auditor-like focus. So ask open-ended questions.
Some of these things seem very basic, but you'll be surprised that some individuals don't fully understand how to interview providers. It's almost like an interview for your job. You're asking the person a question; wait for them to respond. Don't try to answer your own question. Make sure you don't assume anything, right? So it's not fair to assume that providers are doing anything specifically in the security space, because every provider is different.
We've seen many different scenarios where providers will have certifications, but when we ask them some technical questions, explain to me your incident management process, they will freeze. And they won't know how to respond to that.
Well, just because they're certified, just because they have SSAE 16 or some other certification, it doesn't mean that they understand how to do incident management. And if that's meaningful for you, make sure you understand whether they're capable of doing this. And if they're not, maybe you can negotiate for them to put this in place. We've asked providers to put in place special patching schedules, because when we interviewed the provider, they told us they patch Oracle once a year.
Well, Oracle releases patches at least four times a year, as far as I know, and this would be a critical system that we would put into a cloud infrastructure. And we felt once-a-year patching for Oracle was not sufficient. And we were able to negotiate quarterly patching instead of annual patching.
So some of these things are a little bit hidden and maybe not so obvious, but once you see through some of the high-level marketing materials that the vendors will try to show you, you can ask some technical questions and hopefully get some decent responses.
And if you have some consultants you can consult with, or some third party: the gentleman before us spoke about sort of a cloud affiliation that is helping organizations manage cloud consumption, maybe not in the security sense specifically, but there are organizations like CSA that will help you better understand what is the best practice for cloud security. And essentially you can leverage those organizations in your local municipalities, wherever you're based, to better understand how the provider is managing security.
So I think a lot of folks are challenged with cloud security because it's not traditional. It's not firewall-based: let's put everything inside of our DMZ, inside of our firewalls, and make sure that's managed.
This is entirely different. You're talking about multiple third parties. You're talking about data being potentially in multiple data centers. You're talking about virtualization technology that introduces a new series of technical challenges with data isolation. You're talking about a multi-tenant environment. Think of cloud as a large apartment building, in some sense, especially if you're talking about public cloud, and you're renting just one piece of that. So how do you know that the person next to you is doing the right thing?
Well, you have to understand how the vendor's managing some of these things in order to make that decision. Of course, we also talked about the third-party assurances: do they have any certifications, ISO, SSAE 16, those types of things?
Will they provide you with a right to audit? So right to audit is very important, because if your auditors come and ask you, can we audit this cloud provider, and if that capability is not put in place as part of the contractual agreement, the cloud provider may say, no, you cannot come. You cannot do an onsite visit. You cannot even do a paper-based audit. We don't support that. We don't have the resources for that.
Well, what do you do then? How do you respond to your auditors? You're going to have an audit finding, and then you're going to have a challenge in dealing with that. So make sure you think about this ahead of time before you go ahead and consume some of these services. And of course, regulations are very important. If you're dealing with any regulatory body, you have to always think about how will I manage my regulatory responsibility in a cloud-based model. You cannot assume that the provider will manage this for you.
In some cases, they may manage some of the controls that are in place for the regulation to be honored, but it's usually going to be a shared responsibility. So if you're talking about PCI, you have to look at it broadly and ask yourself, well, as an organization that accepts credit cards, you should have an ISA, independent security assessor, on premise with your team to assess how your organization's managing PCI.
Well, if you're using a cloud infrastructure for PCI credit card processing, how will you be able to work with that organization to make sure your PCI responsibility is met? And how will your ISA work with their QSA, potentially, to review this? You need to think about some of these things. And the cloud is always going to be a shared responsibility, unless you're using a private cloud and you have full ownership of the controls.
And even in that case, it wouldn't be full ownership, because in reality, if you're using a private cloud off premise, some of the environmental controls would still be managed by the hosting providers, such as heating, cooling, some of the backups, those types of things. So we do like to ask providers, do you have a cloud security program? Is this something you've thought about? If you're calling yourself a cloud provider, what does your security program look like? Is it a cloud security program? Is it just a bunch of things thrown together?
We've seen some organizations that have actually provided us documents that are called cloud security management program, built on what looks to be ISO. And some of them have had nothing. They've had literally nothing to show us on paper. And if it doesn't exist on paper, it probably doesn't really live in their organization. It's something that they do ad hoc. It's not something that they do as part of their business.
One of, some of the biggest areas that we've seen as concerns is, you know, developing secure code. And if you look at the OWAS top 10, there, there are still a lot of occurrences of things like SQL injections, cross site scripting, and a lot of the providers that we've reviewed, they've had those challenges. And this is a constant struggle because developing secure code is something we're still challenged with.
I, I, I would say almost an organization can honestly say that they have a very good control of developing secure code, because it requires educating programmers on developing secure code. And that's not what programmers typically like to do. They like to develop code. They don't always like to think about the security piece of it. I think bill gates said a couple years ago that it's gonna take Microsoft 10 years to put this mentality in place that they will develop secure systems from the beginning without having so many patches.
So the evolution of data privacy is also creating some challenges. As we know, there are regulations in the EU that are pending. We also know that there are regulations in China that are looking to align with what the EU is doing. So we think we're challenged with the EU regulations.
Now, China is saying, well, we like what the EU is doing. We're gonna regulate in the same way. And if you're doing any business in China, well, now you have to understand how am I gonna meet those regulations in China? The US is constantly expanding on breach notifications. They're not as progressive as far as what the EU is doing, but they are expanding and trying to become more advanced with having data privacy officers in most of the US states and breach notifications. And I believe 48 states as of March. And then the Russians. Of course the Russians will. Why not?
Let's get on board with this as well. And let's do this: anytime you wanna touch personal data and take it outside Russia, you need to do a risk assessment on it. So again, just a bit of summary of what we talked about, make sure you're really clear about what the provider will be liable for.
Again, the cloud is a shared responsibility. You cannot assume the provider will take care of your controls unless you've explicitly identified that in the contract. And that's usually not the case. In most cases, the cloud is always gonna be a shared responsibility. As a closing item on this slide here, just make sure you think about cloud vendor lock-in. And so are you putting yourself in a position to use a cloud vendor that you can't easily leave? Are they creating your data in some proprietary format that you then cannot extract? How will you leave this vendor?
Once you have all this data sitting in the cloud, how do you extract it? Are they gonna give it to you on a DVD? Is it gonna be a hard drive? Is it gonna be a flat file? You may need to think about this because it's easy to buy something, but it's harder to sell it usually. And if you need to sell your cloud or give it back, how do you get your data before you leave the cloud? We're gonna skip through this for the sake of time, but this talks about really promising too much liability. We've seen vendors do this continuously.
Yes, we will do this. Yes, we will do this. How will we do it?
Oh, we don't know. Do you have a process for doing it?
Ah, we don't have that. So when you ask the serious questions, they typically have a different response. It's not so much marketing material. And it's when you ask substantial questions, then there's different challenges. Yeah. At the end of the day in our organization, the business has to accept the risk that we are presenting them with. And if your organization has the same mentality, make sure you present the risk that you've identified in a way that's appealing to them and that they understand.
So don't talk in technical terms, talk in business terms: how will this impact my line of business or my business process? Are we willing to take on this much risk for a cloud-based HR system, or is this too much risk? Again, leverage your position in negotiations. Some things that I think will happen in the next few years: there's gonna be more standardization in security. The CSA is doing a lot of work in trying to standardize what cloud security looks like.
There are some certifications that are now appearing specifically around cloud security. (ISC)², the folks who are responsible for the CISSP, are developing a cloud specific security certification. So I think there's gonna be a lot more focus on standardization and transparency as well, and also aggregation and integration between different clouds. So we kind of have isolations of clouds now, but I think we're gonna start working more closely together and sharing data across multiple clouds, and that's gonna make security even more challenging.
So a few things for you to take home again: have a strategy, have a process, understand what the technical risk is, have a way of speaking to the business, and then also understand when am I gonna step away and say, no, this cloud is not for me. This cloud is too risky. It doesn't align with my risk model.
I'm gonna walk away from this business deal. And you need to be ready for that because you can't just go in and consume everything, because it's not practical and it's not pragmatic. Just one last slide here very quickly.
A few bits about myself. Again, I'm with the Cloud Security Alliance, from the Chicago chapter.
Also, you can connect with me on LinkedIn and Twitter. My handle is IP sec. Thank you for your attention. And please ask me some questions if you have any, at any time later.
Yes, please. Thank you very much, Nikita. I think we're going to have to move on to the next presentation now, for time, but there will be time for some questions after the break. So perhaps if you could come back there, we can have a good discussion. And I think that the fact that this has gone on shows the difficulty that people have in making these choices. So thank you very much. And I'd now like to.