CSA Security Update

CSA STAR Case Study - Guest: Deepak Gupta; Co-founder and CTO at LoginRadius

John DiMaria; Assurance Investigatory Fellow

Cloud service providers face many security challenges, including providing customers and regulators with the level of transparency and assurance needed to achieve the required level of trust.

Many organizations are turning to CSA STAR to answer mandates, provide a marketing differentiator, or simply raise the bar in terms of their level of assurance and transparency.

Listen as Deepak Gupta, Co-founder and CTO at LoginRadius, explains their journey and approach to implementation: how they wove the CCM controls into their current management system, involving all the stakeholders of the business, and what challenges STAR solved for the organization.

https://cloudsecurityalliance.org/star/

Speaker 1:

Hello everyone and welcome to another episode of the Cloud Security Alliance podcast series, CSA Security Update. I'm your host John DiMaria. CSA is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. We harness the subject matter expertise of industry associations, governments, and members to offer the best in research, education, certification, events and

Speaker 2:

products. Hello everyone and welcome to another great episode of the CSA Security Update. I am your host John DiMaria, and today our special guest is Deepak Gupta, who is the co-founder and CTO of LoginRadius. Welcome, Deepak. How are you?

Hey John, I'm good. Thank you so much.

Yeah, so it's really great to have you, because, as we try to do, not only as a member of CSA but also as someone who has just actually gone through 27001 certification. Congratulations on that. And you've also gone through the CSA STAR attestation, which is another great milestone as well. Deepak is, as I'd mentioned, the co-founder and CTO of LoginRadius. He is an entrepreneur with a very strong background in technology and has accolades in a wide range of different technical fields, which include SaaS architecture, API design, cloud infrastructure design and cybersecurity. So it should be a great story today. And for our audience I always like to sort of explain what our companies do. So maybe you can just give us sort of an explanation of what LoginRadius does and a little bit about its history.

Speaker 3:

Yeah, for sure. First of all, thanks John. And I want to first of all say that this is National Cybersecurity Awareness Month, so I hope the audience knows the value of data. We are in cybersecurity, so definitely we are making sure that users' data is safe and secure. Now, jumping onto LoginRadius: we are a leading provider of a cloud-based digital identity platform. We offer authentication and single sign-on for consumer applications, and we help online services deliver an omnichannel customer experience and secure personally identifiable information. At LoginRadius we currently manage more than a billion user accounts around the globe.

Speaker 2:

Oh wow. Yeah, that's quite a few. And that's interesting, because that's the thing about cloud computing and cybersecurity: it's not necessarily the size of your company all the time as much as it is how many users and how much data you handle. So really, as a cloud service provider, what are some of the main security challenges that you face in your particular space?

Speaker 3:

Yeah, well, as a cloud service provider, the first and most critical thing is to comply with government regulations and privacy compliance. That's where we have stepped into ISO 27001, CSA STAR, SOC 2 and the other compliances. So one of the key things is how we can deliver this security compliance and security assurance to our customers. Then the other challenge industry-wide, what the industry is facing right now, is how they can protect their users' credentials, how they can secure the data. As you see, a lot of breaches are happening. So how can we use industry-standard hashing and encryption in the backend? How can we ensure that the infrastructure and the whole life cycle of product development is secure? And as you know, one of the key challenges in the industry is that most companies are getting into the remote environment, so they have people working anywhere in the world. So how can we make sure that all these policies and controls are getting enforced in the different locations where people are working? So these are a few of the challenges that most of the cloud providers, or the industry, are facing, and how they are solving these challenges.

Speaker 2:

Okay. And as I mentioned, you achieved just recently 27001 certification and also STAR attestation, which is SOC 2 with the Cloud Controls Matrix added in as an integrated system. And when organizations do these things, I find that there's usually a few different reasons. One is a mandate, which is usually one of the main reasons they do it: it's required by their customers. There's also market differentiator, or in some cases it's just raising the bar in terms of your level of assurance and transparency. So what was the main driver or drivers, why you've gone down this road of 27001 and STAR attestation?

Speaker 3:

Yeah, completely agree with you. I think it's kind of a mix of all three that you mentioned. Attaining these standards means demonstrating a philosophy we always had in LoginRadius, which is to maintain the highest possible standards and literally earn the trust of our customers and, by extension, of their users. So that is why, since the beginning, we have always pushed security in each and every function of our organization. And the key goal for us to get ISO 27001 and STAR attestation is to provide that level of assurance and transparency, not only for our customers but for their end users. So our customers can deliver that same assurance to the end users and to the industry: that we are using a digital identity vendor who has all these security policies and frameworks in place. And we are differentiating against our competition, we are differentiating against other cloud vendors, and we are setting the standard that, using this digital identity, our customers don't need to worry about these security policies and frameworks.

Yeah. And it's good. It's a good

Speaker 2:

point. And I was just having a conversation not too long ago with some people on risk assessment. And I think one of the issues that came up was, in the cloud, this whole shared responsibility model: how do we know, when we deal with a cloud service provider, that they have certain things in place, because we may not have access to that information. So I think things like STAR attestation and 27001 raise that level of transparency and assurance. Hey, this is something I could put my finger on, right? I may not be able to go in and audit this person, or I may not be able to ask them for certain information. Maybe I'm not a big enough customer, but I still have risks. And so how do I know that they're doing the right thing? And this, I think, really provides that transparency and assurance that someone who may be doing a risk assessment can put their things

Speaker 3:

Absolutely, 100% agree with that. Yeah, 100%.

Speaker 2:

So I know that one of the things our listeners are always interested in is the approach to implementation, because obviously you have a lot of compliance and regulatory requirements and compliance issues you have to meet, both internally and externally. So there's a lot there, obviously, and you sometimes have many different standards that you apply to. So maybe give us a look into how you wove the STAR controls into your current management system.

Speaker 3:

Yeah, I 100% agree. All these standards and management frameworks definitely have loads of flow of information. They go deeper into each and every aspect of the organization, including IT policies, HR policies, management policies, infrastructure, software development. Pretty much they go deep into each and every specific, and that's the beauty of these standards and policies: because they go deeper into those functions, the whole organization is safe and secure by following those standards. So definitely for LoginRadius also, as we started implementing or looking into these standards and frameworks, initially we had to rework. We started this process a few years ago, not recently; we started this process in the beginning, when we started LoginRadius. Because I'm the co-founder, when I started LoginRadius I had a security background. I have done security compliances and I have had an understanding of different policies and frameworks since the beginning. So as we started the company, as we started the initial framework, I always made sure that we started with a baseline security standard, with baseline frameworks. And as the company grew, we had a lot of different functions, loads of different development and infrastructure in place that grew with time. But the key thing in implementing these security standards and policies is, first of all, you have to have the management buy-in. Management and leadership have to understand the value of these standards: that they are not just like a certification, but they are going to help and protect each and every function of the company, and at the same time it's going to help customers secure their information.

So once we have buy-in from leadership, then for the actual implementation we have to go through each and every function. We have to review each and every policy and rule, each and every aspect of these policies and how these policies impact. And again, the organization should not implement these things in a way that would hurt their productivity and efficiency, because that's another key thing with these standards: because they are so robust and they have deeper penetration into the organization, it should not impact efficiency and productivity. So we figured out a way to make all the team members and different departments happy and aligned with their goals, what they are looking to do, how they want to make sure that the data is secure, and educating them and enforcing: if you do it this way, this particular process or this particular policy, if you design it this way, it can help you do your job faster and better, including protecting the internal company data as well as the customer data.

Speaker 2:

Yeah. And you made a good point there by involving everyone within the organization. I see that a lot, where some people are just so focused on IT and technology that they're not focused on the data governance and the things, and how, like you said, you involve everyone and help them meet their goals and still keep it secure and educate everyone. So yeah, that's a great approach. And I think everyone needs to take to heart that it's about people and process on top of technology, not just technology alone. So, dovetailing off of that, what sort of challenges did STAR reduce or solve in your organization, or what challenges are you expecting it to solve or reduce in the organization?

Speaker 3:

Yeah, actually, CSA STAR is a very robust security assessment framework for cloud service providers. As I mentioned, I had some understanding of ISO, SOC and a few of the other compliances. A few years ago I started looking into it, and funny enough I was like, okay, why didn't someone build something specific for the cloud service providers? I was thinking about it and that's where I started doing some research, and that's where I came to know about CSA STAR. And when I found it, when I saw the framework, when I saw the standards, I was like, wow, this is really good. It has all the best practices for any software-as-a-service platform vendor that are satisfied in the whole organization. It has a collaboration and combination of various different compliances, but only specific to the cloud providers, not to different organizations, because as you know, all of these other compliances have a lot of other things related to different industries, different verticals. They are not specifically focused on the cloud service providers. So the STAR program builds trust within the organization. It also helps our customers and partners, and as the CSA keeps updating the policies and frameworks, it also helps us to keep up to date with the latest security standards. So overall it is definitely solving a lot of challenges around what new things are coming up in the industry, what the new data breaches and cyber security attacks are, new policies that we need to design around specific to cloud service delivery.

Speaker 2:

Yeah. And I think it's important to mention that the Cloud Controls Matrix is updated on a regular basis. Actually version four is coming out shortly. So yeah, it's robust, it's scalable, and as you mentioned, it's an implement-once, comply-many type approach that really works specific to the cloud. So, in the current environment that we have today, cloud is just becoming so prominent and growing more complex by the day. And so in your experience, and you have good background experience in the cloud and different architectures, do you see in the future where certifications are now becoming, or will become, sort of mandated as an initial screening process for organizations?

Speaker 3:

I definitely hope that that is the case. I mean, we are in the fourth generation of the industrial revolution, where each and every device and user is connected to the internet. Everyone is using the internet; they are part of the cloud somewhere. We have AI, IoT, loads of new things coming up in machine learning [inaudible], things that are happening in this cloud computing era. And then the scale and speed of information processing made cloud applications a necessity of the current environment. Everybody has to use a cloud. They cannot just still use the on-prem or legacy systems. They have to go with cloud if they want to sustain as a business, or if they want to use an amazing experience and a good service. So I think the security standards and certifications are already becoming a mandate for a lot of cloud vendors internally. And if you look at it from the customer point of view, that is the first question they ask: do you have ISO 27001, do you have SOC 2, do you have STAR attestation? I think it is becoming a mandate, even for the customers, whatever cloud service they are using, and cloud vendors have to comply with certifications. Otherwise they cannot build trust amongst their customers, and it's going to impact their business.

Speaker 2:

And as I mentioned earlier, when you're doing a risk assessment or what have you, and your service providers are cloud, whether it be SaaS or whatever, you need to have some sort of measurement of what they're doing and how they're doing it. Not only do the certifications, and STAR particularly, handle that, but the STAR Registry is somewhere we can go and see where these certifications are updated on a regular basis. So it's a great process, and you can also see, in some cases, certificates and things that were issued. So yeah, good stuff, in terms of looking at the implementation, certifications and the challenges. And I think everyone appreciates your input from someone who's actually done it. We get a lot of questions about that, about talking to someone who's actually done it. In terms of if someone has questions for you, we don't normally give out your information over the air. We can have them contact us. Or I guess you're on LinkedIn as well, right?

Speaker 3:

Yeah. So feel free; definitely, I'm here to help and share expertise and knowledge. So if in any way, shape or form I can help the companies or anybody, feel free to reach out to me through LinkedIn or Twitter, or they can reach out to you and then you can facilitate back to me. But yeah, feel free to reach out to me, and I'm happy to help on the compliance. [inaudible]

Speaker 2:

Yeah. So you can email us at info@cloudsecurityalliance.org and we can make that introduction, if you're looking to talk to Deepak either about their services or if you just want to have a conversation about their implementation process and how they did that. And of course, to find out more about STAR attestation or STAR certification, that's at cloudsecurityalliance.org. So I really appreciate this conversation. It was good stuff. It's exactly what a lot of questions our listeners ask on a day-to-day basis. So really appreciate you taking time out of your busy schedule to help out on Sundays. So anyway, I'm putting my yummy

Speaker 3:

Yeah, good to have. Good to share the knowledge, and happy to help in any way, shape or form.

Speaker 2:

Okay. Awesome. Well, thanks again, and everyone out there have a great day and rest of the week, and let us know, contact us, if we can help in any way. Great. Thank you.