The Inner Circle

  • 1.  C-Level Guidance to Securing Serverless Architectures

    Posted May 20, 2022 06:13:00 AM

    CSA and the Serverless Working Group are excited to announce C-Level Guidance to Securing Serverless Architectures. This paper provides CISOs, CIOs, and others involved in administering and managing systems with an overview of serverless computing and risks and security concerns that come with implementing a secure serverless computing solution.

    Serverless platforms provide a more streamlined and effective way to move to cloud-native services. The business benefits of serverless architectures are wide-reaching; they offer agility, accessible cost, and speed to market. Download and read the publication to explore ways to guide the C-Suite towards secure serverless architectures: C-Level Guidance to Securing Serverless Architectures | CSA

    #cloudsecurity #serverless #riskmanagement






    ------------------------------
    Orbert .
    ------------------------------


  • 2.  RE: C-Level Guidance to Securing Serverless Architectures

    Posted May 23, 2022 07:54:00 AM
    Completely agree with:

    "The CIO is no longer an operational executive but an orchestration executive, as nowadays, there is no business strategy in organizations that does not involve technology"

    I would describe the ideal future CIO as an MBA'd experienced (business or tech) operations executive, ideally with Board Level sponsorship, with a strong technical background as a necessary, but secondary, requirement.

    For the CISO:

    "Security is becoming more of a shared business responsibility and many aspects of IT management now reside outside the CIO's and CISO's reporting structure."

    I have a more pragmatic observation, that this function is going away completely. The CISO function is today being absorbed into the Dev(sec)Ops stack and automation is the key deliverable. Having someone to design and advise on policy and control implementation and manage SecOps can/should be an SRE Lead with more security training. For nuanced and cross-functional security expertise - outsource this to specialist *teams* (internal or external), e.g. things like red teaming, regulatory compliance, threat modeling, zero trust architecting, etc.

    Neither of these is serverless-specific of course. Just overall shift left. But both are here today and will only accelerate.

    For the serverless-specific stuff - a CIO should be able to present a cogent business plan for why and how to migrate to or green field a serverless initiative. With an ROI defined including all the things you mention in the paper considered. A CISO role/team/function should be adding specific control guidance and evaluating tools and automation for covering Day 2 secops and operationalizing this for the explosion of data flows and app attack points that serverless introduces and is alien to many DevOps teams today.



    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 3.  RE: C-Level Guidance to Securing Serverless Architectures

    Posted May 24, 2022 08:34:00 AM
    Hi Robert,

    Thank you so much for taking a look at the paper and for your feedback.

    Perhaps we may use your quotes on CISO and CIO in the future in a blog article relevant to the topic, if that's ok with you too of course.

    Kind regards,
    Marina

    --
     

    Marina Bregkou
    Senior Research Analyst
    Cloud Security Alliance

