Data governance practices, including classification, mapping, and access controls, are even more challenging with the technologies and applications that modern enterprises rely upon, including data lakes, APIs, and cloud storage. Adding to this operational complexity is the increasing regulation around privacy.

For too many security leaders, data visibility starts with the data breach. Only then are they aware of the data mismanagement within third-party applications that were discovered in the breach. Breach notification is the wrong time to realize that the service agreements with your vendors or partners did not require reasonable security practices over your organization’s data.

When a data breach happens, you often don’t know where it started or the application, vendor, or source involved. Without knowing how and why the data found its way to the Dark Web, there is no way to determine the appropriate response. “Batten down the hatches” is a bad order if you don’t know which hatches need battening. However, tighter data access controls will make it easier to know who had access to the stolen information. Leverage best practice principles like least privilege, need-to-know, and separation of duties and consider using digital watermarks to track and trace the movement of your sensitive data.

Dark web exposure

CISOs are pressured by the business to regain access to corporate data and bring systems back online quickly following a ransomware attack. In many cases, this haste to restore business functionality results in incomplete eradication of the threat actor and investigation of the true root cause of the attack is often overlooked. Frequently, this results in recycled extortion attempts as network access or exfiltrated corporate data are sold and traded in nefarious circles on the Dark Web. Because investigative practices were incomplete, how this data was compromised is never fully understood. 

Clearly, CIOs and CISOs must be engaged earlier in the data governance lifecycle. Specifically, both roles should understand data classifications, data flows and interfaces, and appropriate controls from an entity perspective. Their insights will help mitigate risk to corporate data either through internal data misuse or data compromise by a threat actor.

NIS2 Action Plan for the Cloud CISO

LEARN MORE

Data leaks from the inside out

Inadvertent misuse by employees can be just as impactful as data exfiltration by a threat actor. Take, for example, large language models (LLMs). Employees will leverage free and low-cost LLMs for research and analysis by inputting corporate data in their questions and queries into these models. These tools themselves are not the issue, it’s how they’re used that causes problems. CIOs and CISOs can write as many memos as they like regarding safe data handling, but expediency trumps data governance and security far too often.

LLMs ingest and potentially share your corporate data with other platform users when providing answers. Not only this, but the companies behind the LLMs – which profit from gathering and selling data – will have access to this information as well. In essence, you may lose intellectual property rights over the content uploaded to these systems. For example, look at Section 6.3 of CoPilot’s Terms of Service: 

“Customer grants to CoPilot a perpetual, worldwide, royalty-free, non-exclusive, irrevocable license to use reproduce, process, and display the Customer Data in an aggregated and anonymized format for CoPilot’s internal business purposes, including without limitation to develop and improve the Service, the System, and CoPilot’s other products and services.”

Third-party data mishandling

Then, there is the third-party data loss. Most corporations rely upon third-party services to collect, process, and store their data. Even when your third parties maintain strict security and data governance controls, there is always an exposure risk if your service provider is compromised. These incidents are not isolated and are now increasingly commonplace. Notable recent examples include the Lash Group, Change Healthcare, and American Express breaches. These breaches highlight how significant and impactful third-party incidents can be. 

As discussed in a previous blog, one way in which CISOs and CIOs can address this problem head on is by ensuring their vendors, suppliers, and partners have defensible security programs backed up by contract provisions that protect your company when security incidents occur. Your contracts should codify your security, privacy, and risk management requirements accordingly.

Unite and conquer

Data governance is a team sport, and IT and security teams cannot operate alone; they require collaboration with key business stakeholders across the organization. With different perspectives, these business stakeholders understand the context of third-party relationships, the nature and extent of the data employed by the company, and the potential impacts on the business if this data is compromised. It’s critical that any remnants of the historical rifts between DevOps and security that make effective data governance challenging be swept away. Visibility and risk mitigation in the cloud are underpinned by collaboration. Given the number of systems, technologies, services, and regulatory requirements that organizations confront, collaboration should not be viewed as a nice to have, but an operational imperative. 

CISOs and CIOs are uniquely positioned to drive this collaboration. One powerful option is to establish a data governance committee of key stakeholders from security, legal, compliance, investor relations, procurement, IT, risk management, and finance. Together, draft a committee charter that ensures stakeholders have a duty to report data governance risks. It should also outline roles and responsibilities throughout the data lifecycle of the organization, including who is authorized to make risk decisions related to specific, high-value data sets. In addition, use a risk register to capture identified risk factors and recommended risk mitigations. Companies that focus on data governance will likely be more resilient when confronting risks to company data.

Conclusion

Managing and securing data is a challenge and without visibility, managing data access is nearly impossible. Data governance practices are complicated by modern technologies and are further complicated by privacy regulations. Security incidents highlight visibility blind spots, revealing that our data is more widely distributed and shared than we often realize.

CISOs and CIOs must engage early in the data governance lifecycle to understand data classifications, mapping, and access controls, and bring this knowledge to stakeholders across the organization. Risk mitigation of data leaks comes from proper understanding, handling, and control throughout the data lifecycle of the organization, from employees to third parties.

The post Transforming enterprise data from leaky sieve to Fort Knox appeared first on Sysdig.

The new Parliament will have the hard task of keeping checks and balances, especially as lobbies and Member States all call for a slow-down in adopting tech legislation. Besides, digital matters and cybersecurity were quite absent from the campaign, so it is difficult to gauge if and how the newcomers will get going. Yet, the von der Leyen Commission is not set to stop proposing new legislation. 

Let’s keep in mind that some of the already adopted regulations will also undergo reviews during the 2024-2029 term. Such evaluations happen according to a precise timetable. This often includes an invitation to propose additional legislative measures on subjects that were too immature or too debated when the legislation was negotiated or that have been overtaken by technological, economic, or political developments.

So, we looked for some continuity. A few well-known names return to the Parliament, and we may reasonably assume they will keep track of their pet legislation in the current term.

Here are the five MEPs (Members of the European Parliament) to watch out for.

Bart Groothuis (Renew Europe, the Netherlands)

Bart Groothuis returns to the Parliament for a second term. His first one started a little later than his fellow MEPs: Groothuis entered the European Parliament in February 2020, when Brexit gave his country three extra seats. He debuted with a bang when he became the rapporteur for the NIS2 Directive. During his mandate, he also negotiated several texts on combatting disinformation and a plan to increase the EU’s chip production capacity (the EU Chips Act). You may remember headlines about his revelations about Chinese scanners and opinions on exporting chip-printing gear to China.

Why follow him: The NIS2 Directive imposing cybersecurity, auditing, and incident reporting requirements on critical enterprises and public administrations is being transposed in the Member States (until 17 October 2024). The Commission must re-examine it by 17 October 2027 at the latest and every three years thereafter. Groothuis will undoubtedly be keen to pitch in. A similar fate awaits the EU Chips Act, adopted in 2023 to double chip production in Europe by 2030 and achieve a global market share of 20%. The co-legislators have set a review clause for 20 September 2026 at the latest.

Brando Benifei (S&D, Italy)

First elected in 2014, Brando Benifei is back for a third term. Benifei is perhaps best known as the co-rapporteur of the AI Act alongside Romanian MEP Dragoș Tudorache (who was not reelected for 2024-2029). He says, “One of the greatest challenges today is developing artificial intelligence that respects fundamental rights.” Benifei has famously and tirelessly worked to ensure the now-adopted AI Act prohibits facial recognition, a hotly debated topic during the Act’s negotiations. Benifei even won an award for Best MEP of the mandate for his work on the AI Act.

Why follow him: Brando Benifei focused his campaign on capitalising on his efforts to bring fundamental human rights defence in the nascent AI sector. During his campaign, he pledged to closely monitor the implementation of the AI Act to support further investments in EU companies and “promote the European model of artificial intelligence in the world.” His leitmotiv is that no human is left behind: disruptive technologies must be in the service of humans, not vice versa. And he will have a lot to chew on: the AI Liability Directive is in the works, the newly minted AI Office is starting up, and the Commission plans further legislation on robotics and language systems (expected in 2025).

Henna Virkkunen (EPP, Finland)

Henna Virkkunen returns to the European Parliament for a third term. She was the Industry Committee’s draftswoman on the Digital Services Regulation (DSA). On behalf of the EPP, Virkkunen put forward two major demands: the protection of SMEs and obligations for online marketplaces for imported products, focusing on consumer protection. She is the shadow rapporteur for the soon-to-be-adopted Cyber Resilience Act and recently spoke out on the need for improved cybersecurity in Finland and Europe.

Why follow her: The Cyber Resilience Act is yet to be adopted, but once it is, it will be implemented gradually; the first global evaluation report is not expected until six years after its publication in the Official Journal of the EU – in other words, around 2030. However, after 45 months, the Commission is invited to assess the effectiveness of the single platform for reporting vulnerabilities and cyber incidents affecting the products covered. Besides, Virkkunen may not be an MEP for long: Finland has nominated her as future European Commissioner. Her desired portfolio comprises competitiveness, security and defence. 

Billy KELLEHER (Renew Europe, Ireland) 

First elected in 2019, Billy Kelleher returns to the Parliament for a second term. Although Kelleher is not traditionally seen as an MEP working on digital matters, we decided to feature him in this list because he was the rapporteur for DORA, the legislation ensuring cyber resilience for the financial sector. Kelleher was nuanced and pragmatic throughout the DORA negotiations, ensuring that the final framework “continues to allow institutions to adopt technology” while raising the bar to protect financial services across the EU. He has also been elected as First VP of the Renew Europe group in Parliament.

Why follow him: Kelleher is not a ‘tech MEP’ but a budget MEP. His interests include ESG reporting, financial markets, taxes, and investments. These are not the sexiest topics, but they are among the most important ones, given how many legal frameworks (AI, cyber, semiconductors) will rely on investments to strengthen the EU’s strategic autonomy and position globally. Also, while DORA will apply from 17 January 2025, the Commission has proposed a few other complementing acts that are up for discussion in Parliament, where Kelleher may want to chime in.

Markéta Gregorová (Greens/EFA, Czech Republic) 

First elected in 2019, Markéta Gregorová returns for a second term. The only Pirate MEP for the current term (there were four of them in the previous one), Gregorová is a staunch defender of fundamental liberties in the digital realm and has a particular interest in the Transcaucasian countries and Russia and in the future of warfare and hybrid threats. Gregorová was the co-rapporteur for the NIS2 Directive along with Bart Groothuis and has contributed to the State of European cyberdefence and the special committee for fighting disinformation and foreign interference across the EU.

Why follow her: An activist and proponent of progressive views, Gregorová seeks a stronger, more consolidated approach to EU foreign policy, particularly regarding human rights. We will undoubtedly hear from her as the infamous “chat control” legislation attempts to make strides, endangering encryption in Europe. Gregorová will probably pay attention to the NIS2 Directive revision, crafting other legislation, such as the Cyber Solidarity Act, and continue supporting fundamental rights in the EU neighbourhood.

Aaaand… we decided to include a bonus MEP. Enter Dóra Dávid from Hungary, hailing from the main opposition party to Hungary’s strongman Viktor Orbán.

Dóra Dávid (EPP, Hungary)

A King’s College London and Cambridge graduate, she specialises in competition law, consumer protection and data protection. A Londoner since her teens, Dávid has worked as a legal advisor at Meta since 2020, after three years at StubHub, the ticket resale platform (at the time owned by eBay). She has also worked for various international law firms, companies, and NGOs, and she was a trainee in the legal department of the European Commission.
Why follow her: Interestingly, Dávid is the second Meta employee turning MEP. She is thus joining Aura Salla (Finland), the former head of Meta’s Brussels public policy team, who has also joined the EPP’s ranks. Besides, with Hungary taking over the rotating presidency of the EU, Dávid will be a crucial lawmaker to watch. Finally, a competition law specialist, Dávid will probably have quite a lot on her plate as two major acts are up for revision: the P2B regulation (platform-to-business) and the Digital Markets Act. P2B will be reviewed in January 2025 and is expected to bring about additional transparency requirements for Big Tech. Following suit, the DMA will undergo revision by May 2026 at the latest; the previous Parliament had already stated its wish to add genAI products to a new version of the DMA.

The post 5 +1 MEPs to Watch as the New European Parliament Settles in appeared first on Sysdig.

Regulators worldwide are increasingly focused on cybersecurity and third party and supply chain risks to the economy. Of note, the following regulations highlight supply chain risk:

• Canada’s Critical Cyber Systems Protection Act proposes that risks to critical cyber systems from supply chain and third-party products and services are identified and managed and “designated operators” are obligated to mitigate these risks.
• EU’s NIS 2 Directive notes in Article 7 that Member States must adopt policies to address cybersecurity in ICT product and service supply chains. More broadly, in Article 21 it says that Member States must appropriately manage supply chain security risk.
• The U.S. established the Federal Acquisition Security Council in the Federal Acquisition Supply Chain Act of 2018 to complete supply chain risk assessments during government procurement and then in 2021 further reviewed supply chain risks and highlighted the need for resiliency in Executive Order 14017. 

This means that enterprises must dramatically change how they vet third-party providers and how they contract services.

Third party and supply chain risk management begins with the request for proposal (RFP) process. Use your RFPs to unambiguously convey your organization’s requirements from a security, privacy, and risk management perspective. Your prospective vendors and suppliers should know with absolute clarity that good security and privacy practices are a condition precedent for your business relationship. Your contracts should codify your security, privacy, and risk management requirements accordingly. 

The following are suggestions to include in your contracts with third-party providers moving forward to up level your security and manage your risk associated with these external parties. 

• Require your provider to evidence the status of their security programs and relate the program to a recognized security standard or framework such as NIST CSF or ISO 27001 and 27002.
• Look for assurances that your provider can meet your organization’s defined security controls and requirements. 
• Ensure that your contract has right-to-audit and breach notification clauses. Validate that the timing of breach notification is consistent with your organization’s disclosure obligations, such as CIRCIA. 
• Establish expectations for more technical due diligence as required (e.g., code reviews, pentests, and other high assurance reviews).
• Require your provider to inform you in advance of material changes to their cybersecurity program. The contract should include an exit clause if their changes undermine your organization’s security requirements.
• Require that your provider furnish a software bill of materials (SBOMs) that accurately describe software components or system elements.
• Ensure that your contracts stipulate ongoing stewardship meetings between security stakeholders of your organization and your provider’s security leadership. These meetings are integral to collectively reviewing new threats, changing security practices, service-level agreement (SLA) status, and other factors that could influence the assurance related to the contemplated services. Use these discussions to validate understandings, notably around service demarcation. 

Prioritizing security, privacy, and risk management in your contract negotiations sends a clear message. Third-party vendors and suppliers who proactively develop robust security programs simplify the onboarding process for organizations with due diligence requests and regulatory mandates. The efforts employed to establish clear, unambiguous security requirements from both sides at the beginning of the relationship will ultimately pay important dividends.

The post Want Your Third Parties To Take Security Seriously? appeared first on Sysdig.

The expansion to cover all industries is a long overdue change as the scope of “critical infrastructure” has grown to include almost nearly every industry these days. Given the current threat landscape and attacker techniques leveraging non-critical infrastructure to access critical infrastructure, the change just makes sense. The addition of the sixth pillar, Govern, and the map for implementing that framework, are where the biggest challenges lie. However, this also provides the greatest opportunities for security posture maturity and increased resiliency.  

What is new in the CSF 2.0 framework?

The NIST CSF 2.0 Framework is addressing a long standing cybersecurity gap with the addition of the Govern Function. However, before mapping the new pillar in your organization’s cybersecurity strategy, the framework states that your cybersecurity risk management strategy, expectations, and policy must be established, communicated, and monitored. NIST then defines the following: “The Govern Function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management (ERM) strategy. Govern addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.” 

In short, the NIST CSF 2.0 is defining how to unify cybersecurity policies and responsibilities across an organization continuously instead of in the traditional monolithic fashion the industry is accustomed to. This pillar emphasizes that security risk is significantly impactful on an organization, and should be a consideration alongside other standard enterprise risks such as finances and reputation. 

Explanation of the CSF 2.0 framework: It’s not been a sprint 

NIST first published CSF v1.0 in 2014 following E.O. 13636, and last updated it in 2018 as v1.1. The recently published version 2.0 takes its cues from a shift in methodologies developers started over 20 years ago, a shift from monolithic waterfall development to lean agile development.  Moving to adopt this updated framework means that security will have to move out of its comfort zone and adopt an entirely new (to security) way of thinking about how to improve security processes and procedures. The good news is that the blueprint for this transformation already exists in the development world.

Looking at the recommendations for a continuous improvement model, NIST is advocating for a shift in security practices to embrace a lean agile methodology. Yes, we said it. Security is going to follow the lead of development and embrace its methodology. We promise it will make sense.

Looking at the software development life cycle and overlaying security practices, the case for adopting this framework becomes more compelling. Malicious actors don’t adjust tactics on a semi-annual or yearly basis. They are adapting after every attack, whether successful or unsuccessful. Cybersecurity needs to adjust to new threat tactics and techniques as quickly as malicious actors develop them. Shifting from a reactive to a proactive stance, cyber defenders will be better able to quickly and effectively respond as new attacks are discovered.  

Introducing the concept of continuous improvement to cybersecurity, which is a basis of the NIST CSF 2.0 Framework, enables a more dynamic response to addressing issues and shortcomings to incidents. At the same time, it starts covering gaps faster because progress is made towards closing a gap without having to wait for a “complete” policy to be produced, vetted, and finally implemented, which can take as little as a few weeks to as long as several months.  

Security Deployment Lifecycle

We are likening the implementation of NIST CSF 2.0 to the well-known Software Development Lifecycle (SDLC). Think of agile security practices as a Security Deployment Lifecycle. Regular evaluations and improvements are done using the concept of profiles. Profiles describe shared interests, goals, and outcomes for reducing cybersecurity risk among a number stakeholders within an organization (or community). Profiles are defined as either current or target profiles. The current profile is the current state of security for an organization. The target profile is a definition of where the organization wants to be after the next iteration of security policy and procedure updates. While the first inclination is to create a target profile that is an all-encompassing monolithic beast reminiscent of today’s security policies, that defeats the purpose of them. Instead, a scoped baseline organizational profile is the expected output of following the NIST CSF 2.0 Framework, and it will provide an enterprise-wide view into the organization’s overall security posture.

You can think of profiles as the shorter-term security policy goals used to make incremental improvements. Much as developers have sprints where parts of a feature get released with each one, setting a target profile and meeting it gets security teams incrementally closer to closing gaps.  The question that comes to mind is why would any security team want to only partially close a security gap? The answer is there are benefits to this approach.  

The first benefit is that a security policy can fail fast. Instead of developing an entire methodology, purchasing tools, documenting, and training, only to find out that the basis of the policy is flawed, the incremental approach allows for these flaws to be found sooner, encouraging a change in tactics sooner because there is less of an investment in the flawed approach. This has an additional benefit of saving money for organizations as they purchase only the tools and spend the time on efforts that are aligned with the strategy that will end up being utilized.

The second benefit is that waiting for large policy changes and new tools to be implemented to close a gap takes time. The incremental approach may not close the gap entirely, but it also doesn’t leave the gap fully exposed while the final strategy is implemented. This reduces the attack surface incrementally instead of leaving it wide open until a full implementation plan is put in place.

Taking a page from lean agile development, security can become highly adaptable and responsive to attacks with the ability to continuously harden cyber defenses. The key is in understanding how to navigate and implement this change and the challenges that come with it.  

What are the challenges?

Let’s break this down.  First, let’s acknowledge that the resistance from developers to move from a waterfall approach to a lean, agile one in the early 2000s was massive.  Many thought agile was going to lead to the end of stable software – the world as we know it was going to end, and it was the end of an industry. That didn’t happen, and you would be hard pressed to find a purely waterfall driven development shop today. The benefits to a lean agile development methodology have been well documented.  Obviously, security will rationally realize this and willingly agree to adopt this new paradigm. You can stop laughing now. We all know security, compliance, and the other related bulwarks will have to be dragged forward kicking and screaming. It’s human nature to resist change.

New tools, new processes, and new ideas need to be embraced for continuous improvement to succeed in cybersecurity. Furthermore, one of the most painful challenges with all of this is the regulations being created forcing security into speedy response and continuous improvement cycles. Regulations were once built to reinforce the monolithic approach to security. Best practice guidelines that once abound with the “yearly or major incident” parameters on when security policies should be reviewed and updated are also now using the words proactive, continuous, etc.  

Another challenge is in the changing of the gatekeeper. Traditionally, compliance and senior management drove policy in broad strokes and left directors and managers to manage practitioners to implement the policies as best as possible given toolset, knowledge, technical, and political limitations. New technologies, and ease of access to them, now require compliance to be a whole-organization responsibility. Stories abound of a critical business process being built around some piece of cloud software that someone put on their credit card. This way of thinking where security and compliance is “someone else’s” problem is no longer tenable, nor is the automatic “no” that drove the perceived need to bypass security to get the job done.

And not to be outdone, but us security minded folks will likely be the biggest challenge. Defensive thinking is all about the complete picture. Castles weren’t built by building a section of a wall and then moving on to another section of the castle. But we aren’t building castles to defend unmoving pieces of land anymore. We are defending a landscape that is ephemeral and in constant flux. Our way of defending this landscape has to shift as well.

But what are the opportunities?

It’s not all doom and gloom. This NIST CSF 2.0 change opens up a number of opportunities to better equip defenders and level the playing field, at least a little. Shifting to a continuous improvement model means that as new tools become available, defensive teams can start to test and incorporate them into their arsenal. It offers the opportunity to quickly adapt or discard policies and tools that don’t function as intended or that just aren’t meeting the business needs, and to be able to do it sooner, saving time and money.

Stepping into a role of elevated importance, managers and directors who are closer to the practitioners typically better understand the challenges, and are in a position to quickly identify and prioritize policies and tools most in need of adjusting based on the current situation.  Under this model, they not only have the authority to do so, but also the responsibility.  

Regulations will move (slowly) towards being truly useful and reduce (it’s too much to hope to eliminate) the “check the box” mentality that leads to meeting requirements while also being ineffective. During the transition, there will be a need to work with regulatory bodies and compliance to build a map that meets the existing requirements, but still allows for movement towards the new continuous improvement model.  One way to do this is to leverage “check the box” to provide regulatory cover as policies start to shift.  Leveraging the language for reviews to be “at least once a year” puts the goal post at the far end, but also opens up continuous improvement within the review cycle. The use of profiles will help with this as the current profile at the beginning of the compliance cycle will (ideally) always be less secure than the one at the end of the compliance cycle. This noted improvement, while not an exact match to either model, should provide a bridge for organizations to start implementing continuous improvement for security while waiting for the regulatory rules to catch up.

As for the security personnel, this is an opportunity. Continuous improvement removes, or at least minimizes, some of the most painful parts of maturing cybersecurity, That includes implementing policies and tools that are already out of date, the hoops that must be jumped through to get policies updated to reflect the changing threat landscape, and the difficulties in pivoting when looking to add new technology to support business needs. All of these get monumentally easier. If done well, the stigma of security being an impediment to businesses meeting changes in the market will go away.  Allowing for targeted, incremental improvements enables security to be more flexible, start closing gaps sooner, identify where policies work or fail sooner, and be better able to prioritize resources to meet rapidly changing business needs.  

A step forward for security teams 

Developers and security have long been on opposite sides of the business conversation.  Development opened a door many years ago and what was first seen as the end of good and stable software, has resulted in accelerated development of quality software where improvements are seen more often, and the ability to add new features and functionality is expected, and not a surprise.  Mistakes were made on that journey, but no one is arguing that it wasn’t a good decision.  We can learn from their mistakes, build on their successes, and move cybersecurity forward, being able to better meet the challenges of business needs and the ever escalating attacks from malicious actors. NIST adding continuous improvement and feedback mechanisms into the framework is a significant and positive step forward to enabling security teams to adapt to new technologies and threats quickly and effectively.

The post NIST CSF 2.0 – SDLC for Continuous Improvement of Security appeared first on Sysdig.

The EU’s unwavering commitment to digital transformation is one of its top priorities. The EU is actively shaping policies to enhance Europe’s capacities in new digital technologies, open new opportunities for businesses and consumers, support the EU’s green transition towards climate neutrality by 2050, bolster digital skills and workforce training, and digitalise public services while respecting fundamental rights and values. This steadfast commitment should reassure corporate leaders about the direction of EU policies.

However, the digital regulatory landscape across Europe remains varied, with some issues still subject to local implementation. Further complexity arises from Brexit, adding another layer of divergence in digital regulation.

The Commission’s Digital Decade policy programme sets specific targets for 2030 in areas like digital skills, secure and sustainable digital infrastructures, business digital transformation, and public service digitalisation. In May 2021, the European Parliament urged the Commission to address the challenges of the digital transition, harness the potential of the digital single market, improve AI use, and support digital innovation and skills.

This overview delineates five key legislative developments from the 2019-2024 term—the NIS2 Directive, the AI Act, the Cyber Resilience Act, the European Cloud Security Certification Scheme (EUCS), and the European Cybersecurity Competence Centre (ECCC)—each designed to address specific challenges in the digital environment. By understanding and strategically responding to these legislative goals, you can leverage these regulations to enhance your competitive edge in the digital marketplace.

The Heavy-Weight: The NIS2 Directive

As digital and physical are increasingly intertwined, new dangers arise. That’s where the NIS2 Directive comes in: it aims to bolster the security of critical infrastructure and industries by addressing gaps in cybersecurity preparedness.

The NIS2 Directive, the heir to the NIS1 Directive of 2016, the first piece of EU-wide legislation on cybersecurity, is a game-changer. It applies to entities that provide vital services or carry out specific activities within the EU. By setting stricter requirements and increasing regulatory oversight, NIS2 seeks to strengthen resilience across sectors.

Strategic Implications:

• EU Member States must elaborate national cybersecurity strategies. These will likely be a challenge as NIS2 marks a considerable increase in the number of companies and sectors in scope (more than 160,000 across the EU).
• Organisations must regularly assess and bolster their cybersecurity protocols to meet NIS2 requirements. An organisation’s leadership is also likely to be held liable for failing to meet the Directive’s requirements.
• Entities should establish robust cybersecurity partnerships with suppliers and partners to ensure a unified defence mechanism.
• NIS2 is expected to result in a harmonised EU regime for handling cyber incidents, with specific rules for incident reporting and enforcement across Europe.

What You Can Do:

We have elaborated a practical guide on translating compliance technicalities into actionable objectives so that every team knows its role in bolstering cyber resilience and reducing risk while providing quality products to your customers.

The Visionary: The AI Act

AI has the potential to improve essential services and provide tailored assistance. It can also optimise production processes and give European businesses a competitive edge. To ensure Europe makes the most of AI’s potential, the EU has accentuated the need for human-centric AI legislation to establish a trustworthy framework that can implement ethical standards, support jobs, help build competitive “AI made in Europe”, and influence global standards.

The AI Act, a landmark in regulating AI, is the first-ever binding framework on AI and a milestone in regulating this technology more widely. It regulates the development and deployment of AI, ensuring its ethical, safe, and transparent use. The scope of the Act extends to providers and users of AI systems used in the EU, regardless of their location. This coverage underscores the AI Act’s importance in shaping AI’s future and should make corporate leaders feel the need to adapt to the new regulations.

Strategic Implications:

• AI systems will be categorised based on risk levels, necessitating tailored compliance measures. The AI Act targets many entities, including AI system providers, importers, distributors, and deployers.
• Adhering to the AI Act involves more than mere compliance, particularly for cybersecurity teams; it’s about embracing a culture of transparency, responsibility, and continuous risk assessment in a framework that prioritises respecting fundamental rights and freedoms.

What You Can Do:

While each novel technology brings new considerations and risks to evaluate, the security profession must proactively address a handful of constants. In this context, Sysdig’s CTO provides valuable insights into the implications of the AI Act and how to navigate its requirements.

The Double-Faced: The Cyber Resilience Act

Protecting consumers and companies from the growing risks of the cyber world is another challenge on the EU’s digital agenda. As the number of connected devices, such as baby monitors or smartwatches, grows, it is crucial that they are secure and do not serve as potential gateways for cyberattacks.

That’s where the Cyber Resilience Act (CRA) kicks in. The main aim of the CRA is to introduce mandatory cybersecurity requirements for manufacturers and retailers to ensure that products with digital elements are designed, developed and maintained securely from the outset. These requirements cover the entire life cycle of the products and include aspects such as risk assessment, conformity testing, and continuous cybersecurity monitoring.

We have dubbed the CRA’ the double-faced’ because it will likely impact cybersecurity maturity and product market access significantly. On the one hand, products that comply with the new standards must bear the CE mark, enabling consumers and companies to make more informed decisions. On the other hand, the new standards and obligations may pose significant challenges for manufacturers and retailers, potentially affecting their ability to bring products to market.

Thus, one requirement is that no product or service in scope must reach the EU market bearing known vulnerabilities. Another obligation is a heavy-handed notification procedure for vulnerabilities and security incidents. Due diligence obligations also apply to importers and distributors of products and services in scope, who must ensure that these comply with essential cybersecurity requirements and bear the CE marking​.

Strategic Implications:

• The CRA mandates that all involved in product or service development ensure security from inception and throughout its lifecycle. Besides, updates must be provided at least five years after the end of life.
• Mandating a detailed recovery and incident response plan and a structured vulnerability management approach will create friction between business lines and cybersecurity teams.

What You Can Do:

We have elaborated a practical guide on translating compliance technicalities into actionable objectives so that every team knows its role in bolstering cyber resilience and reducing risk while providing quality products to your customers.

The Facilitator: The ECCC

The European Cybersecurity Competence Centre (ECCC) has emerged as a driving force in strengthening Europe’s digital skills landscape. Established to enhance Europe’s cybersecurity capabilities and competitiveness, the ECCC collaborates closely with a Network of National Coordination Centres to build a robust cybersecurity community.

The ECCC plays a pivotal role in addressing the digital skills gap by fostering research, innovation, and education in cybersecurity. This initiative emphasises the importance of public-private partnerships and cross-border collaboration in advancing digital skills across the continent, ultimately ensuring that people and businesses can fully utilise technological advancements.

Strategic Implications:

• The ECCC is tasked with pooling resources and expertise to enhance cybersecurity across the EU. It focuses on upskilling the workforce to meet the demands of a digital economy.
• Throughout its mandate, the Centre could support the implementation of specific policies such as the NIS2 Directive and the Cyber Resilience Act.
• Through its Strategic Agenda, the ECCC defines a vision for the EU investment in cybersecurity. The overarching goal is to increase the global competitiveness of the Union’s cybersecurity industry with a strong focus on SMEs and startups.

What You Can Do: 

Invest in continuous cybersecurity training and skills development programs for your workforce to ensure they remain adept at handling emerging cyber threats. And keep an eye on the ECCC’s funding opportunities.

The Political: The EUCS

The fifth achievement we bring to your attention is a particular one: how a technical matter – a cloud security certification scheme – has become a highly politicised debate over sovereignty. We have chosen this case since it serves as a cautionary tale: this scheme is the victim of a three-year deadlock which detracts from answering questions about the cybersecurity requirements themselves, scheme implementation, and standards harmonisation across the EU, all of which may have attendant effects on the region’s cybersecurity and resilience.

The EU’s 2020 joint declaration on the cloud initially described Europe’s aim and intention to boost the capability and reach of Europe’s CSPs. In December 2020, the EU Agency for Cybersecurity (ENISA) released a draft of what is best known as the EUCS. The EU Cloud Security Certification Scheme (EUCS) thus aims to create a harmonised cybersecurity certification framework across the EU to enhance trust and security in digital products and services.

Things sorely escalated when the negotiations on the scheme reached the topic of EU’ digital sovereignty’. ENISA’s strong commitment to the EUCS stems from perennial EU concerns about US firms providing foreign governments with EU data. Thus, aspirations to elevate EU CSPs and remove European dependence on US competitors have taken centre stage in the past three years. The EUCS’ digital sovereignty’ goals include strict CSP headquarters and operations requirements; if maintained, such obligations would effectively bar non-European CSPs from attaining the same high levels of assurance certification as European CSPs.

EU countries have been in a pitched battle over these ‘digital sovereignty’ provisions in the EUCS. France, Italy, and Spain have remained their primary supporters. The Netherlands, Denmark, Estonia, Greece, Ireland, Lithuania, Poland and Sweden reportedly issued a joint non-paper opposing these requirements in EUCS. To break the gridlock, the Belgian Presidency of the EU released a compromise earlier in 2024 –  a compromise… that will need to wait for the new European legislature to begin its term.

Strategic Implications:

• Establishing a cohesive certification process across EU member states makes sense for reinforcingto reinforce the Union’s global cybersecurity maturity. A harmonised standard will help to build consumer and stakeholder trust through certified security measures.
• ENISA designed the EUCS as a “voluntary” cybersecurity certification scheme that companies can leverage to demonstrate the soundness of their privacy and security measures. However, in practice, consumers may include the EUCS as a tender requirement, making the certification mandatory. Furthermore, the NIS2 allows EU governments and the European Commission to require that cloud customers only utilise cloud services certified by the EUCS.

What You Can Do:

Engage proactively with certification bodies to ensure your products and services meet EUCS requirements, thus enhancing market credibility. And ensure you have a steady supply of coffee coming your way while doing so.

The post Five Key Achievements in EU Digital Policy: An Actionable Overview for Corporate Leaders appeared first on Sysdig.

In this blog, we dive into the key insights from Sysdig’s Practical Cloud Security Guidance in the Era of Cybersecurity Regulation and highlight suggested priorities stemming from the leadership discussion points in the paper. This guidance will enhance the transparency of your risk management program and the resiliency of your security program through improved documentation and configuration. 

Combat risk with speed and transparency

The timely identification of security events and gathering relevant signals are crucial for meeting regulatory cybersecurity disclosure requirements and compliance standards. Organizations must establish efficient processes to detect potential security incidents promptly and collect necessary evidence to support regulatory disclosures. In addition, documenting these detection processes ensures transparency and accountability in demonstrating compliance with regulatory guidelines that require both the timely detection and disclosure of cybersecurity incidents.

Furthermore, information sharing also plays a vital role in strengthening global cybersecurity efforts. It is essential for organizations to openly coordinate and collaborate with other entities, including government agencies, regional and industry-specific organizations, and cybersecurity researchers, to share vulnerability disclosures and threat intelligence. By fostering open communication and collaboration, organizations can collectively enhance their cybersecurity defenses and respond more effectively to emerging threats.

Finally, documenting processes for Coordinated Vulnerability Disclosure (CVD) is essential for transparency and effective risk management programs. Sharing relevant data and insights through CVD processes helps organizations assess and mitigate risks more efficiently, contributing to overall cybersecurity resilience and preparedness. This documentation should also define procedures for receiving, evaluating, and addressing vulnerability reports from external parties, such as security researchers or affected organizations. Establishing comprehensive CVD practices contributes to a more secure ecosystem by facilitating responsible vulnerability disclosure and remediation practices.

Codify your risk management

Code artifacts are defensible and can be used as supportive evidence during regulatory, risk, and audit reviews. By adopting practices such as infrastructure as code (IaC), policy as code (PaC), and detection as code (DaC), organizations can translate complex risk management policies and procedures into executable code that becomes enforceable rules for consistency, accuracy, and compliance across enterprise environments. 

Infrastructure as Code

IaC is the practice of managing and provisioning computing infrastructure (virtual machines, networks, containers, etc.) through machine-readable definition files, rather than manual physical hardware configuration of each resource or the use of an interactive configuration tool. IaC can be automated using scripts and declarative definitions, and is therefore consistent and easily scalable for hundreds or thousands of resources.

Implementing IaC in an enterprise involves these steps:

• Choose an IaC tool for defining and managing infrastructure. Popular choices include Terraform, AWS CloudFormation, Azure Resource Manager, and Google Cloud Deployment Manager.
• Define infrastructure by writing code (declarative or imperative) to describe the desired state of your infrastructure. This can include servers, networking components, storage, security settings, etc.
• Store your infrastructure code in version control systems, like Git, to manage changes, track history, and collaborate with others.
• Automate deployment and management of your infrastructure based on code changes using Continuous Integration/Continuous Deployment (CI/CD) pipelines.
• Monitor and update your infrastructure code continuously so it reflects changes in requirements and best practices.

Policy as Code

PaC is the concept of codifying policies and governance rules for IT infrastructure and applications in the form of executable code, making it easier to audit. This approach also ensures that policies are consistently enforced across all environments and within the software development lifecycle (SDLC), and violations can be automatically detected and remediated. 

Implementing PaC in an enterprise involves these steps:

• Identify and define policies for security, compliance, access control, and operational best practices.
• Write policies as code using policy definition languages or frameworks such as Open Policy Agent (OPA), AWS Config Rules, Azure Policy, or custom scripts.
• Integrate with CI/CD pipelines by incorporating policy checks to automatically evaluate infrastructure and application changes against defined policies.
• Implement continuous monitoring to detect policy violations in real time and automatically enforce remediation actions.
• Generate reports and logs to track policy compliance and audit trails for governance purposes.

Detection as Code

DaC refers to the practice of incorporating security monitoring and detection capabilities directly into the code and infrastructure deployment processes of the DevOps pipeline. This approach aims to automate the deployment of security controls and monitoring mechanisms alongside the development and deployment of software applications and infrastructure components, therefore shifting security practices earlier in the SDLC. This practice means you don’t have to compromise on either security or the speed of innovation.

Implementing DaC in an enterprise involves these steps:

• Choose monitoring and detection tools that support integration with code and automation. This could include tools like Falco, Prometheus, Grafana, AWS CloudWatch, Azure Monitor, ELK Stack (Elasticsearch, Logstash, Kibana), or custom scripts.
• Define monitoring requirements by identifying the security events, metrics, logs, and indicators that need to be monitored for detecting potential threats or anomalies across the enterprise. This could include system logs, application logs, network traffic, user activities, etc.
• Write detection rules and logic as code using the chosen monitoring tools or frameworks. This involves writing queries, rules, alerts, and thresholds in a declarative or script-based format.
• Integrate with CI/CD pipelines to automatically deploy monitoring configurations alongside application deployments. Use IaC principles to provision and configure monitoring resources.
• Automate deployment using an infrastructure automation tool to provision and configure the detection and monitoring infrastructure as part of the deployment process. This might include monitoring agents, logging pipelines, and dashboards. 
• Implement continuous monitoring and real-time alerting based on predefined detection rules. Ensure that security events and anomalies are detected promptly and trigger automated responses or notifications.
• Monitor and tune detection rules continuously based on observed security events, feedback from incident response, and changing threat landscapes.
• Integrate with security orchestration platforms to automate incident response, investigation, and remediation workflows based on detected security events.
• Implement compliance checks and generate reports based on monitoring data to ensure adherence to security policies, regulations, and standards.

Fortify risk management with a secure supply chain

Exhaustive risk management involves comprehensive analysis of all code and dependencies to identify potential vulnerabilities and security issues.  Implementing “as code” approaches, such as IaC or PaC, supports the goal of ensuring authenticity, integrity, and validity of code and dependencies throughout the development and deployment lifecycle.

To further enhance security and reduce risk, it’s advisable to use private registries and repositories for pulling secure components rather than relying solely on public sources. However in practice, the opposite is true according to the Sysdig 2024 Cloud-Native Security and Usage Report. The report notes that a majority of organizations are still using public repositories. Public repositories may pose increased risks due to reduced visibility and potential exposure to malicious or compromised components.

In addition, during supply chain procurement, it’s critical to involve finance and legal teams to ensure Bills of Materials (BOMs) are included from the vendor and agreed upon. This proactive approach addresses potential attack surfaces and supply chain risks through transparency, mitigating the risk of incorporating insecure or unauthorized components into the software or system.

Maintaining and documenting your own BOMs based on engineering-chosen standards ensures transparency and accountability in managing software components. These BOMs should accurately describe the composition of software or system elements and align with regulatory standards and disclosure requirements, contributing to a robust risk management program that prioritizes security and mitigates potential threats in software development and supply chain management.

Minimize attack surface with policy guardrails

Risk is introduced when a system deviates from hardened, secure baselines. This can happen due to manual changes, software updates, or other factors that gradually alter the state of the system. Misconfigurations and drift create opportunities for attackers to exploit vulnerabilities and gain unauthorized access. To mitigate these risks, implement policy guardrails, or restrictive parameters, to enforce secure configurations and ensure that systems adhere to predefined security baselines.

These guardrails serve as proactive measures to prevent configuration or drift and maintain the integrity and security of an environment. By implementing drift control mechanisms, organizations can continuously monitor and enforce compliance with secure configurations, reducing the likelihood of security incidents resulting from misconfigurations.

Conclusion

Delivering secure and compliant services while adhering to diverse regulatory requirements is becoming increasingly more difficult. A proactive and continuous improvement approach is necessary to meet compliance requirements and maintain resiliency. The best way to do so is through transparency in coordination, collaboration, and documentation. 

The post Leadership Strategies for Risk Reduction, Transparency, and Speed appeared first on Sysdig.

This is a comprehensive guide to navigating the intricate landscape of cloud security and compliance with the combined perspectives of practitioners from both sides of the pond. This unique resource delivers practical guidance and actionable insights, setting you on a path to security and resilience while staying on the right side of the law. Our guidance is geared towards practical application, from combating risk with speed and transparency to fortifying risk management with a secure supply chain.

Let’s be smarter and stop being compliant to become secure and resilient

At the heart of our approach is a commitment to proactive risk management and adherence to requirements that nurture security instead of checkboxes. We’ve examined the requirements of four major regulatory frameworks and national cybersecurity strategies, including the EU’s NIS2 Directive and Cyber Resilience Act, the U.S. SEC cybersecurity disclosure rules, and the U.S. National Cybersecurity Strategy.

For each of the five pillars we identified, we present the specific requirements from each regulatory framework and match them with practical recommendations about implementing them. We then tackle them more adversarially, answering the candid question, “What could go wrong?” And because we know that translating technical operational realities to leadership can be challenging, we have added leadership discussion points for each pillar.

Beware: you risk finding regulations fun

This paper is not another marketing piece. We’ve written guidance each one of us co-authors longs for when seeing emails from compliance land in our inboxes. We’ve taken a hands-on approach to writing it, sharing real-world examples and best practices to help you improve your cloud security and compliance posture. 

We’ve also used the appropriate amount of technical terms to make the paper accessible and easy to understand for everyone, from beginners to experts, from implementers to more governance-oriented leadership. We have provided the entry points to enable teams that usually work in silos to start meeting around a common understanding. That’s why we are confident it will help you learn and build better – without all the fluff. So, if you’re feeling overwhelmed by the complexities of cloud security and compliance, don’t go down with the ship. Download our paper, “Practical Cloud Security in the Era of Cybersecurity Regulation“, and implement these in your cloud operations today. Let’s ride the wave of cloud security in the era of cybersecurity regulation together and keep that cloud safe and sound!

The post Cloud Security and Compliance: A Smarter Approach to Keeping Your Head Above Water appeared first on Sysdig.

Encompassing EU-wide regulations on data quality, transparency, human oversight, and accountability, the AI Act introduces stringent requirements that carry significant extraterritorial impacts and potential fines of up to €35 million or 7% of global annual revenue, whichever is greater. This landmark legislation is poised to influence a vast array of companies engaged in the EU market. The official document of the AI Act adopted by the European Parliament can be found here.

Originating from a proposal by the European Commission in April 2021, the AI Act underwent extensive negotiations, culminating in a political agreement in December 2023, detailed here. The AI Act is on the cusp of becoming enforceable, pending the European Parliament’s approval, initiating a crucial preparatory phase for organizations to align with its provisions.

AI adoption has quickly gone from a nice-to-have to global disruption. Now there is global race to ensure it happens ethically and safely.

Here are seven AI security regulations from around the world.

Risk-Based Reporting

The AI Act emphasizes a risk-based regulatory approach and targets a broad range of entities, including AI system providers, importers, distributors, and deployers. It distinguishes between AI applications by the level of risk they pose, from unacceptable and high-risk categories that demand stringent compliance, to limited and minimal-risk applications with fewer restrictions. 

The EU’s AI Act website features an interactive tool, the EU AI Act Compliance Checker, designed to help users determine whether their AI systems will be subject to new regulatory requirements. However, as the EU AI Act is still being negotiated, the tool currently serves only as a preliminary guide to estimate potential legal obligations under the forthcoming legislation.

Meanwhile, businesses are increasingly deploying AI workloads with potential vulnerabilities into their cloud-native environments, exposing them to attacks from adversaries. Here, an “AI workload” refers to a containerized application that includes any of the well-known AI software packages, but not limited to:

“transformers”

“tensorflow”

“NLTK”

“spaCy”

“OpenAI”

“keras”

“langchain”

“anthropic”

Understanding Risk Categorization

Key to the AI Act’s approach is the differentiation of AI systems based on risk categories, introducing specific prohibitions for AI practices deemed unacceptable based on their threat to fundamental human or privacy rights. In particular, high-risk AI systems are subject to comprehensive requirements aimed at ensuring safety, accuracy, and cybersecurity. The Act also addresses the emergent field of generative AI, introducing categories for general-purpose AI models based on their risk and impact.

General-purpose AI systems are versatile, designed to perform a broad array of tasks across multiple fields, often requiring minimal adjustments or fine-tuning. Their commercial utility is on the rise, fueled by an increase in available computational resources and innovative applications developed by users. Despite their growing prevalence, there is scant regulation to prevent these systems from accessing sensitive business information, potentially violating established data protection laws like the GDPR.

Thankfully, this pioneering legislation does not stand in isolation but operates in conjunction with existing EU laws on data protection and privacy, including the GDPR and the ePrivacy Directive. The AI Act’s enactment will represent a critical step toward establishing a balanced legislation that encourages AI innovation and technological advancements while fostering trust and protecting the fundamental rights of European citizens.

GenAI Adoption has created Cyber Security Opportunities

For organizations, particularly cybersecurity teams, adhering to the AI Act involves more than mere compliance; it’s about embracing a culture of transparency, responsibility, and continuous risk assessment. To effectively navigate this new legal landscape, organizations should consider conducting thorough audits of their AI systems, investing in AI literacy and ethical AI practices, and establishing robust governance frameworks to manage AI risks proactively. 

According to Gartner, “AI assistants like Microsoft Security Copilot, Sysdig Sage, and CrowdStrike Charlotte AI exemplify how these technologies can improve the efficiency of security operations. Security TSPs can leverage embedded AI capabilities to offer differentiated outcomes and services. Additionally, the need for GenAI-focused security consulting and professional services will arise as end users and TSPs drive AI innovation.”¹

Conclusion

Engaging with regulators, joining industry consortiums, and adhering to best practices in AI security and ethics are crucial steps for organizations to not only comply with the AI Act, but also foster a reliable AI ecosystem. Sysdig is committed to assisting organizations on their journey to secure AI workloads and mitigate active AI risks. We invite you to join us at the RSA Conference on May 6 – 9, 2024, where we will unveil our strategy for real-time AI Workload Security, with a special focus on our AI Audit capabilities that are essential for adherence to forthcoming compliance frameworks like the EU AI Act.

1. Gartner; Quick Answer: How GenAI Adoption Creates Cybersecurity Opportunities; Mark Wah, Lawrence Pingree, Matt Milone; ↩︎

The post How Businesses Can Comply with the EU’s Artificial Intelligence Act appeared first on Sysdig.

Cybersecurity is a significant concern for FSI executives, with 68% identifying it as a barrier to abducting new technologies. Regulatory pressure has increased, especially recently, with the arrival of the NIS2 directive and the DORA regulation in the European Union and the SEC disclosure guidelines in the United States. To meet compliance requirements, FSI providers must strive to detect incidents within a reasonable time frame.

A recent panel discussion organised by Sysdig gathered industry and regulatory experts to address the journey to the cloud in the context of growing pressure from cloud security regulations in financial services. Missed it? Fear not: this article covers the key takeaways.

Embracing the cloud: a balancing act

A multitude of factors drives cloud adoption in the financial sector. From needing to modernize legacy systems to wanting increased operational efficiency and innovation, financial institutions increasingly turn to cloud technology to stay competitive. Our participants hailing from UBS and Santander underlined that migration to cloud services offers many benefits to financial institutions: cost efficiency, flexibility, scalability, and enhanced visibility.

However, this transition has its challenges. One of the primary concerns surrounding cloud adoption is adopting a ‘cloud culture’ when it boils down to innovation and, more broadly, what tech teams can do differently in a cloud-native environment. This shift necessitates upskilling, reskilling, and internal negotiations to redefine team roles and responsibilities. This transformation requires clear communication and effective change management to ensure all team members understand the importance of adhering to new security standards and embracing their evolving organisational roles. Thus, planning, roadmaps and division of labour become paramount as roles such as FinOps emerge.

The right approach to cloud security is another challenge. “The real thing with the cloud is the configuration of the cloud and the cloud resources. Many people think that a lot of the resources provided by cloud service providers are secure out of the box. There is work that needs to be done,” highlighted one of the participants. Vulnerability management and threat detection happen differently in cloud-native environments than in traditional, on-premise architectures and practices.

The shift towards cloud-based infrastructure and the resultant influx of data has compelled organizations to reevaluate their monitoring and action prioritization strategies. Striking a balance is crucial, as the volume of data generated from cloud trail alerts and budgetary alarms can quickly become overwhelming. Consequently, organizations increasingly adopt a risk-based approach that identifies critical alerts and prioritises actions accordingly. This necessitates a concerted effort among teams to determine which alarms signify high-risk situations, demand immediate attention, and establish non-negotiable security configurations for particular environments.

Navigating regulatory frameworks: enter NIS2 and DORA

In the wake of increasing cyber threats and vulnerabilities, regulators have introduced stringent frameworks to bolster cybersecurity in the financial sector. The NIS2 Directive and the Digital Operational Resilience Act (DORA) are two such frameworks.

The NIS2 Directive aims to enhance the cybersecurity and resilience of critical infrastructure across the European Union. It imposes obligations on financial institutions to implement robust cybersecurity measures, report security incidents, and cooperate with competent authorities and other stakeholders.

DORA focuses on ensuring financial institutions’ operational resilience and cybersecurity, particularly those deemed systemically important. It mandates firms to identify and mitigate operational risks, including those arising from cyber threats, and to maintain essential business services during disruptions.

While both frameworks share common objectives, they differ in scope and requirements. NIS2 primarily targets operators of essential services in the EU (e.g., energy, transport, digital infrastructure), while DORA applies specifically to financial institutions. Moreover, DORA emphasises operational resilience, encompassing cybersecurity and broader business continuity and risk management aspects.

Organizations in the heavily regulated financial sector often face the challenge of effectively translating compliance rules into actionable guidelines for operational teams. Bridging the communication gap between compliance, risk management, and IT/Security operations is crucial for successfully implementing NIS2 and DORA. Traditional approaches may not resonate with operations teams, particularly when compliance professionals need more technical expertise to convey these requirements in a relatable manner. This disconnect creates a barrier between the rules that must be followed and the organization’s day-to-day operations, and the challenge grows when looking at cloud security regulations in financial services.

One participant highlighted: “Amongst the challenges for us was shifting the mindset from a policy perspective, namely from policy standards that had clearly been written in on-prem days where a file will must always sit in between you and the internet. That approach doesn’t really work for, say, S3 buckets. And so, working through those challenges ensures that we keep a level of control but also allow the teams to innovate and develop and take advantage of those cloud services.”

Regulatory challenges are commonly seen as a hurdle across industries, yet they also present opportunities for businesses to differentiate themselves. Although adhering to these regulations can be difficult, viewing them as essential guardrails can help organizations adopt a proactive approach. By embedding regulatory requirements into standard processes and embracing innovative thinking, businesses can ensure compliance and create a competitive advantage. When tackled strategically, regulatory compliance can drive business success.

Cloud security regulations in financial services

The drive to innovate and capitalize on the commercial benefits of a well-run cloud environment often clashes with pressures from cloud security regulations in financial services. Many organizations grapple with concentration risk as they often rely on a limited number of key platforms, raising concerns about market stability and resilience. Despite the emergence of new entrants, this issue persists and requires ongoing dialogue between industry players and regulators. 

Given the critical role of financial sector infrastructure in market operations, addressing these challenges is essential to ensuring the long-term health and stability of the financial system: “Operation of the markets and the consequences if that fails for reasons of resilience or over concentration: I think that’s particularly one that comes to mind in FSI capacity,” one participant highlighted.

One participant insisted on two major pain points: “The first one is about the security of third-party components. Vulnerabilities in third-party containers are a constant problem. I’ve had the conversation over the last 20 years: the software being delivered is not secure. Then, the other pain point is software that’s developed on a vanilla cloud. And then as teams port it across, they forget that a lot of the policies, and configurations on the bulk of the cloud service providers the banks use are very strict. So, then you’re literally trawling through log files, looking to find out what policy has caused them there not to work.”

Looking ahead: future trends and considerations

Cloud security regulations in financial services will continue to thrive. To transform challenges into opportunities, a more collaborative and translational approach is needed to ensure compliance and effective communication between teams. This will ultimately foster a culture of shared understanding and responsibility in adhering to new regulatory standards.

So, we asked the panelists what change they would like to see happen that would make cloud security and compliance easier.

One participant highlighted the need for cloud service providers to refrain from giving in to fast releases at the expense of security features. Another added that “the task at hand is also to make things workable across different environments and to ensure we can operate just as well on GCP or Azure as we do on AWS.” The third panelist insisted on mainstreaming as-code approaches for policy and compliance; these already exist but are still scarcely adopted.

Get insights on navigating changes and ensuring compliance in the rapidly evolving world of cloud technology!

Watch The Panel

The post Cloud Security Regulations in Financial Services appeared first on Sysdig.

What are the Google Cloud Technology Partner awards?

Google Cloud believes in going above and beyond for its customers and extensively leverages its partners as customer champions in this mission. To recognize the standout performance of its partners, Google Cloud hosts the partner awards.

The criteria for receiving the Partner of the Year award in the Technology category are consistently stringent. Previous champions included in this esteemed list are organizations and platforms such as NetApp, GitLab, and MongoDB, in their respective categories.

Criteria for Winning Technology Partner for Security

Aside from measuring the quantitative value of the impact created by the partner for Google Cloud customers, this award segment recognizes one partner that expertly augments Google Cloud’s security solutions to help meet and exceed the following quality/feature requirements:

• Visualization and monitoring of their customers’ network and application deployments for vulnerabilities
• Security and compliance risks management
• Remediation assistance and customer information protection

Note: Sysdig has won this for the Configuration, Vulnerability Management, and GRC segment.

5 key reasons Sysdig was chosen

1. Benefits to customers when leveraging Sysdig with Google Cloud

Today’s security landscape is defined by multi-cloud environments, dynamic containerized workloads, and evolving threats. Visibility gaps, threat detection complexities, and compliance demands hinder the ability to secure critical applications and infrastructure. In the cloud, every second counts. Sysdig stops attacks in real time by instantly detecting changes in risk with Runtime Insights built on open source Falco.

Sysdig works within the Google Cloud ecosystem and correlates signals across workloads, identities, and services to uncover hidden attack paths and prioritize the risks that matter most. Typical results that customers achieve when using Sysdig and Google Cloud together:

• Save 1.5 hours per vulnerability and 50% in operational overhead
• 3:1 tool consolidation with a unified cloud-native app protection platform
• Up to 95% reduction in vulnerability noise

Learn more about how Sysdig has helped various Google Cloud customers.

2. Sysdig provides a unified view of cloud posture

Sysdig correlates assets, activity, and risks across domains, giving real-time visibility into attacks. Customers can visualize exploitable links across resources to uncover attack paths to sensitive data. The Sysdig Cloud Attack Graph is enriched with runtime insights, and real-time detections reveal active lateral movement, helping customers quickly stop attacks.

3. Sysdig’s unique value proposition for prioritizing active cloud risk

Cloud Security Posture Management (CSPM) requirements have shifted as cloud adoption has accelerated. The first wave of cloud adoption required periodic posture assessments to ensure compliance and provide visibility into cloud assets. Today, that is not enough and we believe that organizations need to focus on “Active Cloud Risk.”

Sysdig helps manage the active risks within the production systems, eliminating alert fatigue and noise by up to 95%. It surfaces and prioritizes top risks that are exploitable and actively running, like in-use software packages with critical vulnerabilities. This way, our customers can easily connect the dots and uncover hidden attack paths that are enriched with in-use packages and live events. Learn more.

4. Sysdig’s robust partnership with Google Cloud

Our partnership was formalized three-plus years ago and already serves and creates value for more than 75 organizations across the globe today. This strategic relationship is based on shared values and holistic alignment on topics like Generative AI, and contributions/collaborations for various CNCF-graduated open source projects, such as Falco and Kubernetes. Customers can purchase Sysdig through the Google Cloud Marketplace, and Sysdig is hosted natively as a SaaS on Google Cloud. Visit our Google Cloud Security landing page to learn more.

5. Sysdig integrates seamlessly with the Google Cloud ecosystem

Sysdig’s Cloud-Native Application Protection Platform (CNAPP) helps customers protect their Google VMs, GKE, Anthos, Google Cloud Run/Build, Google Cloud Registries, Google COS, and Google Cloud Artifact Registries.

Further, it seamlessly integrates with Google Cloud security products, such as Google Security Command Center and Google Chronicle SIEM, so that all the security data enriched by Sysdig can be used directly by Google Cloud security infrastructure. Learn more.

Ready to see Sysdig + Google Cloud in action?

Click the banner below to learn more about how you can use Sysdig to secure your Google Cloud infrastructure via a virtual hands-on workshop.

If you prefer something short and hands off, join our joint webinar with Google Cloud:

Additional resources:

1. Sysdig and Google Cloud joint solution brief
2. Sysdig and Google Cloud partnership page
3. Sysdig and Google Cloud webinars

The post Why Sysdig has been recognized as the Google Cloud Technology Partner of the Year 2024 appeared first on Sysdig.