Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2015 > July

NIST just hosted Cloud Computing Workshop and Forum VIII at their headquarters in Gaithersburg, MD. It is part of the larger NIST ITL Cloud Computing Program. It was an impressive event, with four days of multiple simultaneous tracks. As security professionals, we all know it’s hard to juggle and stay abreast of all the topics and updates – new threats, new guidance, etc., and I’ll be frank, I had turned my attention away from cloud computing and cloud security for a large portion of the last year to work on other things. I’ll admit I was really surprised at how much the breadth, depth, and maturity of this field has grown in that time. As a federally focused practitioner, and given the location, I was expecting to show up and hear about FedRAMP and cloud security controls. Though they did cover those topics, it was a small portion of the event overall.


The list of presenters was diverse: academia, NIST and many other federal employees, implementers, consultants, and vendors (including RSA - our CTO, Zulfikar Ramzan gave one of the keynotes). They covered a hue range of topics, so I’ll just mention a few takeaways from the event I’d share:


Maturing library of standards. Just as the first wave of real cloud guidance (dating back to roughly 2011) is being adopted, there are so many new cloud computing guidelines and standards and updates either just coming out or in draft at the moment. As you’d expect, NIST and ISO, like with other IT and security standards and guidance, are at the forefront, but add to that Cloud Security Alliance, the Open Group, IEEE, and others, you get the scope of players and each of them introducing new standards and considerations.


New challenges, new taxonomy. There was a significant amount of time given to discussing the developing taxonomy for dealing with new challenges presented by cloud computing. Don’t feel bad, however, if you can’t articulate the difference between a cloud broker, cloud service manager, cloud provider, and cloud carrier – I couldn’t either, but NIST SP 500-292 started this conversation years ago and ISO is augmenting it with standards currently in development like ISO 19944. To effectively manage new cloud paradigms we need new ways to describe new data types, new architecture, and new customer scenarios.


Collaborative effort, diversified risk. I think I heard the acronym “SLA” almost as many times during the event as I did the word “cloud”. There was a lot of emphasis on business to business implications, specifically SLAs, because of the transference and ownership of risk across the lines of multiple organizations. SLAs in the past were viewed as just an annoying bit of paperwork, or an item to have for an audit checklist, but the number of players and moving parts in a cloud environment are going to make closer friends of your IT staff, legal staff, and acquisition office going forward. SLAs are critical to managing cloud computing risk and the number of teams and organizations involved can create a “cascading SLA” effect to make things even more challenging. ISO has several standards under development for this area (ISO 19086-1, 2, and 3).


There were many other one-off questions and topics like cloud forensics, deleting data in the cloud, privacy vs. security, etc., too many, in fact, to cover here - but for the curious: a link to the slides and presentation from the event. Wrapping up, the message I got from this event and from the industry, is that processes and security are mature enough that real adoption of the cloud is underway. We are finally past the phase where everyone is dipping their toe in but waiting for someone else to take the first plunge.


Thanks for reading and email me with comments or questions.

RSA Admin

Release Naming Convention

Posted by RSA Admin Employee Jul 14, 2015

The following table describes the naming convention and general scope guidelines for RSA Archer GRC releases. Based on several key factors such as risk, severity, and timing of the release, the general scope may be modified to include or exclude scope. For additional detail on the scope of a release, please refer to the Release Notes.



Hello everybody! I hope you had a wonderful 4th of July weekend! Independence Day is my all-time favorite holiday and this year did not disappoint. But now that the BBQ smoke cloud has settled and the Prilosec has subdued the effects of too much brisket and cherry pie, it’s back to work! And a lot of work to do indeed with so much on the horizon ahead of the annual Archer Summit at RSA Charge.  With that I’ll keep things short & sweet here and jump right into several highly anticipated items included in this content update.


First off is PCI-DSS v3.1. Rumor has it that four out of five PCI Council members agree it’s the DSS standard you’ve always wanted and way better than that old decrepit 3.0 standard they released so many years months ago. Ok yes I am poking some fun. And I guess to be fair it’s not the Council’s fault those protocol vulnerabilities were discovered right after DSS v3.0 came out. Inconveniencing? Yes. But necessary? Also (begrudgingly) yes.


In any case since 3.1 is largely the same we toyed with the idea of just issuing an update to the previous 3.0 content but ultimately decided instead to bundle 3.1 as a net new addition and take the opportunity to further improve the look and feel at the same time. This Archer content pack is tight as a drum and one of the most interconnected content sets we’ve produced yet. We’re talking a full boat package that includes the authoritative source, control procedures, all self-assessment questions, and triangular mappings to Archer Control Standards. In short you’re good to go with everything needed to operationalize your PCI compliance program in Archer right out of the box.


Also included this round is the latest Cloud Controls Matrix (v3.0.1) from the Cloud Security Alliance as a mapped authoritative source, along with their updated Consensus Assessment Initiative Questionnaire (CAIQ) as a set of mapped assessment questions.


The other authoritative source included in this update is the latest FFIEC Business Continuity Planning Booklet released in February, 2015.


The last item included in the update is a collection of 2,100+ new technical control procedures for more than a dozen different technologies including Apache Web Server, Linux, and several Microsoft products.


So that’s the overview in 400 words or less. The update page with release notes is here and content import packs are available through Customer Support. As always we’re here to answer questions too - whatever you need.


With that you’re now free to resume your regularly scheduled summer activities!



Prior to the launch of every spaceship that lifts high above the earth is a countdown that ends with 3...2...1...lift off! This signals the final moments before the spaceship takes off to fulfill its mission.  My blog is a play on the 3, 2, 1, liftoff analogy and how it relates to the "Three Lines of Defense" model.


Marshall Toburen is doing a great blog series that explains the Three Lines of Defense in It Takes a Village: The Three Lines of Defense Model.  Check that out to get a thorough understanding of the 3LoD model.  In short, each line of defense refers to a part of the governance, risk and compliance (GRC) structure.  The 1st LoD are business process owners - operations, IT, Sales, etc.  The 2nd LoD are Enterprise Risk Management (ERM) and Compliance groups, and the 3rd LoD is Internal Audit.  Each has their role in the GRC structure to manage risks and controls and must work together.


Internal Audit was one of the original risk and control groups with the charge to identify risks and evaluate controls.  Then ERM became en vogue and many companies implemented ERM or Operations Risk Management (ORM) groups as well as separate Compliance organizations.  This has taken some of the load off of Internal Audit but there are still many challenges in aligning across all of these areas.  Here's the crux of the matter.  These groups have a role to play in the risk and compliance picture, but who is in the best posture to do something about risks when whey pop up? Who is in the best seat to make sure controls are functioning? It's that 1st LoD - the business processes themselves.   However, while they're closest to these risks, it's not their primary focus and their perception of how to manage and address these risks can be very different from the 2nd and 3rd LoD.  Internal Audit, ORM and Compliance groups are struggling to implement programs and processes and just keep up with the velocity of new regulations and risks, so it's imperative that more be done by the 1st LoD.


Through this blog series I'll be discussing ways that realization, accountability and ownership over risks and controls can and should transition from the 3rd and 2nd LoDs to the 1st LoD, and why.  What's more important is I'll talk about ways that don't add to the already heavy loads these 1st LoD functions already have.  In fact, I'm convinced that as we launch from 3..2..1 that companies will lift off in their risk and compliance programs!


I'm presenting on this topic at the September 10th Phoenix, AZ Security and Audit Conference, so if you're in Phoenix - come and join me!  Follow me @pnpotter1017 on Twitter and give me your ideas at


Filter Blog

By date: By tag: