RSA Conference 2014 Q&A: Jim Reavis, CEO, Cloud Security Alliance

The CSA has more than 4000 individual members, and more than 200 corporate members
The CSA has more than 4000 individual members, and more than 200 corporate members

How old is the CSA?

We are now five years old. We launched at 2009 RSA Conference.

How has the CSA grown over that time?

We are getting pretty big. We have more than 4000 individual members, more than 200 corporate members, and strategic relationships with the US government and the EU, and expansion into Asia.

Our best practices are becoming the standard for both providers and users looking for expertise on how to do secure cloud.

At the CSA Congress last December, ADP’s V. Jay LaRosa said security professionals continue to have a “draconian lack of trust in the cloud”. Is this a myth, or have they embraced cloud services as the new normal?

Security people are paid to have that mentality. I feel there is almost a dual personality, and that they need to think this way – to always slow things down and not allow the organization to move to fast. We [CSA] try to steer them in a direction so that they do not hurt their cause. But there is some truth to what [LaRosa] says.

Do cloud service providers (CSPs) typically have better security in place than their clients would in-house?

Yes, absolutely. The gap is growing between what cloud providers are able to do and what can be accomplished in house. Things like intrusion protection, APT [advanced persistent threat] technologies, and such. Enterprises can maybe afford one of these tools that the large cloud providers can offer.

How has the NSA surveillance controversy affected the business of cloud service providers?

There is an impact, definitely. The US cloud providers, our initial survey showed, have experienced 10% cancellations in projects. There has also have been a slowdown in confirmation of projects out of Europe. It’s an impact on their business, but I don’t think it’s a long-term impact. Increased use of encryption will help, and US cloud providers separating themselves from government and issuing transparency reports will also.

What do you think personally about the NSA surveillance issue?

We are number one! We are awesome at surveillance [he says, laughing]. We have no greater or lesser intent than any of our allies, but we put a lot more money into it. I expect surveillance to happen, and I expect it to be an adversarial relationship with the tech industry. We need to understand the degree to which the tech industry is collaborating, and make sure that doesn’t happen. We expect the NSA to do this stuff, we just want to make sure we see no collaboration with them.

You called CSA’s Software-defined Perimeter (SDP) Initiative a disruptive approach to application security. Can you expand on this statement?

The idea is that we will change the way that VPNs are thought of and connect to any type of new class of device that might join the internet. The current approach is thinking that you must trust and harden a device and then let it into your network. Instead we want to create an ephemeral connection to that device, and not expose any IP addresses. Through SDP, you are allowing only a single application on a device that you don’t have to trust, to gain access back to your corporate network.

The amount if internet-connected devices is exploding, and SDP is the idea that we need to turn substantial portion of the internet from visible IP addresses into more of a dark space. The economics of it is that with 75% of these devices, we won’t be able to build security into them. This is DoD classified architecture, and we are trying to make that open source and accessible.

What stage is the SDP in at this point?

It’s not as far along as we would like to be, but we have some high-level definitions in place – some working prototypes. Our hope is to have a full published specification later this year. Much of it is open-source technology that needs to be put into a comprehensive package.

What’s Hot on Infosecurity Magazine?