►
From YouTube: CNCF SIG Security 2020-10-21
Description
CNCF SIG Security 2020-10-21
A
B
B
A
C
B
A
B
B
B
B
Perfect,
I
generally
try
and
avoid
typing,
while
I
I'm
talking
just
because
it
can
be
distracting
and
I've
won
the
loudest
keyboard
award
at
work
with
my
mechanical
keyboard
there.
So
I
feel
I'm
doing
everyone's
ears,
a
favor
and
whatnot,
not
typing,
so
all
right,
our
members
here
all
right.
So
then
I'm
just
going
to
go
to
the
attendance
here
and
just
see
what
updates
we
have
here
so
emily's
appears
to
be
interesting.
Would
you
care
to
take
the
leelie.
F
Over
600
folks
signed
up
for
security
day,
which
is
really
awesome.
So
if
you
have
not
signed
up
yet,
please
be
sure
that
you
do
so
and
as
far
as
the
cognitive
security
weight
paper
goes,
we've
opened
it
up
for
community
review.
We've
had
over
100
comments
so
far.
Jj
aradna
and
myself
have
sorry.
Amy,
jj,
myself
and
arana
have
gone
through
and
done
a
lot
to
adjudicate
all
of
the
comments
that
we've
been
receiving.
So
if
you
haven't
had
a
chance
to
look
over
the
dock,
please
do
so.
B
B
D
Yeah
sure,
thanks
so
quick
update
on
the
security
assessment
working
group,
so
we
got
together
for
the
past
two
weeks.
We
got
a
lot
of
good
feedback
on
you
know
what
some
of
the
problems
and
ideas
we've
consolidated
it
and
put
it
into
different
categories
in
the
mirror
board,
which
I'm
gonna
paste
in
chat.
D
The
next
step
for
this
is
I'm
synthesizing
all
this
information
and
I'm
gonna
create
issues
around
like
each
of
them,
the
big
topics
and
then
we're
hoping
that
you
know
if
you
see
that
this
is
something
that
you're
interested
in
working
on.
You
know
anyone
should
feel
free
to
to
take
the
lead
on
any
of
these
issues.
B
G
If
you
are
a
maintainer
of
a
project
or
work
on
a
project
that
is
in
cncf
or
another
open
source
project,
or
if
you
are
responsible
for
you're
working
on
something
with
the
sig,
please
annotate
your
attendance
with
what
you
are
working
on
so
that
you
know
so.
It
kind
of
helps
people
get
to
know
each
other
a
little
bit,
because
our
meetings
have
gotten
fairly
big,
which
is
great,
but
then
sometimes
it's
hard
to
know
who's
at
the
meeting.
B
Awesome,
thank
you,
sir.
I
realize
I
keep
providing
a
thumbs
up
and
my
camera's,
not
on,
but
I'll
fix
that
next
time.
Okay
with
that
said,
I
don't
see
any
additional
check-ins,
but
I
do
see
one
proposed
topic,
at
least
from
the
very
top
of
the
document,
the
question
mark
in
toto.
If
I
got
that
right
in
toto
incubation
review,
is
there
anyone
that
would
like
to
grab
the
mic
on
that.
D
Yeah,
so
so
I
think
that
the
discussion
for
last
week
was
that
we
will
discuss
you
know
what
are
the
kind
of
sins
we've
had
the
security
assessment.
What
are
some
of
the
changes?
What
I
are
you
looking
for
and
what
the
cncf
kind
of
us
on
the
recommendations,
and
then
you
know
we
can
discuss
some
of
this
and
kind
of
get
consensus
of
what
we
should.
H
H
So
back,
then
it
felt
safer
to
just
get
into
sandbox
and
then,
when
some
time
passed
in
terms
of
like
other
options
and
project
maturity,
collaboration
and
such
then
to
apply
for
incubation
and
well
that
all
happened.
But
what
feels
to
me,
at
least
in
my
interpretation,
is
that
the
original
review
that
was
mostly
focused
on
how
how
do
we
secure
a
process?
Has
there
been
a
thorough,
like
security
analysis
of
the
architecture
of
the
software?
H
H
We
haven't
had
the
resources,
particularly
because
since
we
got
in
as
a
sandbox
project,
I
think
the
cncf
doesn't
doesn't
support
somebody's
projects
like
with
money
that
much
or
like
as
strongly
as
it
would
do
for
an
incubation
project
and
perhaps
to
to
fund
a
staff
to
do
hci
research
now
also,
since
we
were
mostly
on
the
bar
for
incubation,
because
of
adoption
and
contributor
count,
I
think
those
are
the
changes
that
we
have
seen
on
toto
in
the
last
year.
I
don't
know
if
this
is
the.
H
This
is
the
context
that's
needed
to
like
for
security,
to
kind
of
review.
The
situation
now
fast
forward
a
year
passes.
I
speak
with
michelle
morale
who's.
Sponsoring
us
for
the
incubation,
review
and
part
of
the
process
is
to
actually
I
mean
a
lot
of
things
have
changed
since,
but
now
we
do
need
security
to
give
a
like
a.
H
My
understanding
is
that
or
again
this
is
my
bias.
The
position
is
that
it
is.
It
could
be
as
simple
as
just
taking
the
old
recommendation
and
considering
that,
essentially,
nothing
has
changed
in
that
regard,
to
move
it
forward
to
the
new
due
diligence
document.
Now
I
am
not
comfortable
doing
that,
because
there
is
clearly
a
conflict
of
interest
there.
I
am
I'm
here
with
security,
but
I
am
also
a
the
person
who's
pushing
for
incubation.
H
So
so
I
was
hoping
that
somebody
in
the
group
would,
with
enough
lack
of
conflict
of
its,
would
be
comfortable
just
taking
a
look
at
the
old
recommendation.
I
think
I
shared
the
slides
last
week
and
and
just
either
rewarded
in
a
way
that
they're
more
comfortable
with
or
just
a
bit
or
just
move
it
over
actually,
okay,
yeah
and
I
think,
there's
a
couple
people
that
I
didn't
give
access
and
that's
my
bad.
I
should
have
just
let
it
open.
I
D
D
D
The
team
has
worked
on
making
progress
towards
fixing
some
of
these
findings,
or
you
know
the
the
recommendation
still
stands
and
usually
there
is
some
kind
of
like
informal
sign
off
by
by
a
co-chair
yeah.
So
my
my
interpretation
of
these
is
that
designed
off
by
by
the
culture,
is
kind
of
what
creates
the
an
unbiased,
like
self-defined
unbiased
view
got
it.
Thank
you,
yeah.
G
G
You
know
a
short
write-up
that
addresses
the
incubation
criteria
and
you
know,
and
then
you
know,
one
of
the
co-chairs
could
say
yep
because
I
think
we're
all
fairly
familiar
with
in
toto
at
least
jj-
and
I
were
very
active
in
you-
know
this
very
first
security
assessment,
and
so
you
know
either.
One
of
us
is
familiar
with
the
project
enough
to
probably
give
that
a
quick
review.
G
G
It's
actually
got
all
of
the
projects
or
three
of
the
projects
that
have
summary
slides,
but
I
I
moved
in
toto
to
the
top
and
one
of
the
things
that
was
like
got
it
made
it
be
sort
of
on
the
fence
between
sandbox
and
incubation,
for
us
was
that
there
was
just
one
public
case
study
where
we
underst,
we
just
didn't.
Have
the
you
know.
We
weren't
familiar
enough
with
the
cncf
process
to
understand
how
important
that
usage
was.
G
As
you
know,
you
know,
a
member
of
six
security
could
do
a
deep
dive
and
learn
more
about
who's
using
the
projects
and,
potentially
you
know
even
speak
to
one
of
them.
If
that
was
a
concern
and
do
that
under
confidentiality
and
then
report.
Yes,
we,
you
know,
there
are
multiple
case
studies,
so
that's
another
way
where
a
member
of
security
could
step
up
and
participate
in
this
due
diligence
that
I
think
particularly
security.
Focused
projects
have
a
need
for.
H
A
H
A
H
Sounds
good,
yeah
I'll.
Do
that?
Another
unrelated
like
point
that
I
don't
know
if
there
has
been
a
lot
of
conversation
around
it,
but
I
feel
it
feels
to
me
that
security
projects
also
have
a
higher
like.
It
is
more
difficult
for
security,
focused
projects
to
have
as
much
adoption
as
say
core
or
like
network
projects,
and
I
wonder
what
to
take
of
the
six
securities
of
that
and
when
it
comes
to
like
the
recommendation.
G
So
yeah
actually
maturity
like
that.
Like
bullet
point
in
the
slide
has
been
the
hardest
thing
for
the
different
projects.
To
say
like
what
do
you
even
mean
by
this
right
and
the
reason
that
we
I
felt
that
it
was
important
to
speak
to
and
we
could
got
aligned
on
that
being
like
a
a
thing
that
was
part
of
the
assessment.
Is
that
when
you're
assessing
the
risk
of
a
project,
how
many
other
people
have
adopted?
It
is
part
of
that
right
and
it's
really
not.
Do
you
adopt
the
project
or
not
it's.
G
How
much
are
you
now?
A
participant
in
developing
the
project
versus
you
can
just
rely
on.
Everybody
else
has
already
checked
the
box.
So
it's-
and
you
know
it's
not-
that
it's
more-
that
there's
validation
from
multiple
companies
and
different
types
of
projects
will
have
different
types
of
you
know
it's
qualitative,
it's
not
quantitative,
so
you
know,
and
it
doesn't
have
to
be
a
written
case,
study
right
and
you
know
personally,
I'm
not.
I
don't
care
about
github
stars
because
that's
like
popularity
contest,
it
doesn't
mean
somebody's
actually
using
it.
G
G
Oh
this
was
adopted.
This
is
a
company.
This
is
something
that
was
made.
It's
been
adopted
by
one
company
and
it's
really
not
going
to
go
anywhere
right.
I
don't
think
in
toto's
in
this
camp.
I
think
you
know,
we've
seen
a
lot
of
traction,
the
ques.
The
challenge
is,
how
do
you
articulate
that
that
traction
in
a
genuine
way,
that's
appropriate
to
the
project
in
the
sector,
and
so
that's
just
a
creative
challenge?
I.
H
H
Right
which
that's
that's
part
of
the
consequence
of
this,
like
self-fulfilling,
like
a
feedback
loop
right,
it
is
harder
for
them
to
get
adopted,
but
then
we,
it
is
harder
for
them
to
get
visibility
because
they
are
not
like
they're
competing
with
projects.
That
naturally,
are
a
little
bit
more
easy
to
adopt
to
say
it's
somehow.
J
J
J
For
spiffy
and
spire,
we
had
similar
questions
and
brian
grant
at
the
time
who
was
in
the
tse
said:
well,
just
just
flip
it
around.
If
any
of
these
companies
and
let's
talk
about
in
toto,
you
were
to
remove
their
supply
chain
logs,
would
they
be
able
to
run
their
infrastructure,
and
if
the
answer
is
no,
this
means
this.
This
is
being
used
in
a
meaningful
way
that
is
critical
for
that
business
operation
or
for
that
infrastructure,
operation.
H
Right
what
I
mean
is
you,
like,
I,
I
think,
there's
a
fundamental
difference
between
you
say:
you're,
building,
kubernetes
right
and
then
on
top
of
that
you're
securing
kubernetes.
Now
one
of
them
predates
the
other.
Just
by
like
a
natural
consequence
of
one
of
them
is
a
thing.
The
other
one
is
securing
the
thing
now
say
that,
after
that,
there
is
something
that
is
kubernetes
plus
plus,
that
is
likely
to
get
more
visibility.
H
Just
because
the
target
audience
is
everybody,
whereas
a
security
product
by
itself,
it
is
limited
to
people
that
want
to
provide
security
properties
to
a
product,
and
I
I
don't
think
it
is
a
competition.
I
think
it's
just
a
natural
consequence
of
like
security
being
a
subset
of
the
whole
world
of
computing.
H
C
G
This
is
understood
like
that,
if
it's
a
new
project
that
you
can
just
add
on
to
your
cloud
native
deployment,
there's
probably
a
higher
bar
for
the
quantity
of
customers
or
the
profile
of
customer
to
know
that
like
oh,
this
isn't
just
you
got
three
of
your
friends
to
add
it
on
right
right,
whereas
if
it's
a
security,
focused
project,
you
know
three
companies
may
be
a
huge
number
right,
because
it
has
to
be
there's
a
high
bar
for
the
company
to
adopt
it.
And
it's
you
know
for
something
like
in
toto.
G
You
know
or
like
oppa.
It's
like
any
of
these
things
right.
Spiffy's
fi,
like
these
become
a
core
part
of
the
infrastructure
right.
So
I
think
that
people
understand
like
it's.
You
don't
need
a
large
quantity,
it's
just
that
you
need
to
show
that
it's
more
than
one
which
could
be
by
private
disclosure
and
that
they're
different
and
not
they're,
just
they're
different
enough
right.
G
That
they're
not
like.
Oh,
these
two
friends
decided
to
do
it
at
their
companies
right
and
it's
not
that
it's
not
that.
I
care
that,
if
you,
if
anybody,
promotes
their
project
through,
you
know
social
interaction
and
friendship,
it's
more
that
we
are
making
a
commitment
when
we
move
something
to
incubation
and
we
want
to
feel
like
it's
got
some
traction
whatever.
That
means
like
it's,
it's
it's
it's.
H
H
J
A
Right,
I
yeah
so
I
mean,
when
I
add
something
to
that
conversation,
so
the
reason
why
we
formed
sig
security
outside
of
kubernetes
as
a
community
is
precisely
to
acknowledge
and
understand
that
right.
So
security
is
a
cross-cutting
concern
across
multiple
infrastructure
and
its
profile
and
projects
and
adoptions
are
going
to
look
a
lot
different
than
what
kubernetes
adoption
is
going
to
look
like,
and
I
think
it's
been
acknowledged
and
well
understood
by
cncf
in
general.
A
But
I
think
there
is
still
to
your
point
the
lack
of
clarity
or
lack
or
incorrect
expectations
in
terms
of
like
what
something
should
look
like
versus
what
something
is
and
what
something's
usefulness
of
it
is
right.
So,
and
I
don't
know
if
you'll
be,
if
we'll
be
able
to
find
like
a
magic
answer
that
says
like
okay
yeah,
we
do
x
at
x,
percentage
of
y.
This
makes
sense
kind
of
thing.
A
It
is
just
going
to
have
to
be
like
this
constant
conversations
like
this
and
then
have
some
like
things
like
assessment,
be
a
guiding
force
for
like
why
this
matters,
because
people
that
are
in
security,
understand
the
context
around
this.
That
will
be
able
to
assess
and
validate
and
push,
and
now
we
have
this
forum
to
basically
do
exactly
just
that
right.
So
I
think
it's
going
in
the
right
direction
to
your
point.
No
it's
very
less
understood,
but
is
there
a
common
consensus
and
a
mechanism
to
push
this
through?
H
A
A
J
C
J
H
No,
I
I
think,
that's
all,
that's
all
good,
and
I
don't.
I
think
I
really
appreciate
michelle's
perspective
and
I
think
my
my
concern
was
mostly
on
having
very
delineated
numbers.
For
example,
say
three
adoptions
again,
I
think
three
is
a
reasonable
number
for
incubation,
but
at
the
same
time
it
also
feels
that
it
is
a
like.
It
is
not
a
qualitative
measure.
It
is
a
quantitative
one.
B
B
F
D
D
F
E
E
So
there's
a
special
working
group
that
was
created
about
two
years
ago,
containers
and
microservices
under
csa,
where
they
have
already
published
two
papers.
One
is
on
challenges
for
operators,
end
users
of
containers
and
microservices,
and
it's
already
published,
so
you
can
search
for
it
and
download
it,
and
the
second
one
is
best
practices
for
microservices
and
application
containers.
That
is
also
published.
Obviously,
there's
evolution,
so
they'll
be
evolving
that
paper
and
research
further,
but
those
two
are
available
as
it
is
right
now
more
work
to
be
done
there.
E
E
E
Obviously,
there's
a
lot
to
be
done
when
you're
building
a
container
platform.
As
you
all
know,
the
intricacies
of
securing
a
container
platform
as
well
as
developers,
have
still
have
work
to
do
to
package
all
the
application
and
dependencies
in
the
container
and
deploy
them
but
functions.
Remove
that
dependency
as
well.
You
just
purely
write
business
functions
and
use
a
functionality
provided
by
the
cloud
provider
to
go
and
deploy
the
application
functionality
again
then
definition
of
what
this
serverless
we
had
a
lot
of
conversation
around
serverless.
E
What
does
serverless
mean
because
there's
container
as
a
service
offerings,
there
are
containers
service
offerings
from
cloud
providers
which
are
also
serverless
technically,
even
though
in
reality
they
are
not
serverless,
it's
just
that
their
functionalities
are
first
created
from
the
application
owners.
So
hence
we
in
this
paper
we
are
covering
container
as
a
service
as
well
as
function
as
a
service
aspects
as
well,
and
then
obviously
we
talk
about
shared
responsibility
model
for
different
deployment
models.
Ias
we
are
all
familiar.
E
If
we
build
our
own
container
platform
and
say
aws,
we
have
to
do
everything,
including
implementation
of
kubernetes
and
orchestration
engine,
hardening
of
that
and
also
the
runtime
control
plane,
as
well
as
the
data
plane
as
well,
and
I
have
seen
organizations
do
that
as
well.
I've
seen
several
people
trying
to
deploy
openshift
in
aws,
for
whatever
reasons
and
over
time,
cloud
providers
have
matured
some
of
their
services.
So
it
really
forces
people
to
think.
Why
are
we
even
doing
that?
E
Why
don't
we
just
use
container
as
a
service,
but
again
regulatory
and
organizations
where
there
are
regulations
they
have
to
meet
the
kind
of
visibility
and
detection
and
control
they
need
that
kind
of
suffices
their
justification
to
do
their
own
container
platforms
in
cloud
provider,
environments
as
well
and
similarly
function
as
a
service
is
there's
still
a
stack
of
controls
that
the
application
developers
in
an
enterprise
will
control.
So
this
is
just
to
visualize
that
and
then
we
are
also
talking
about
differences
between
faz
and
chaos.
E
Obviously,
event
driven
architecture
short-lived,
like
lambda
functions,
have
a
maximum
time
to
level
15
minutes
and
more
agile
they're,
not
as
portable.
I
mean
the
whole
advantage
of
building
applications
and
microservices
and
containers
is
that
you
can
put
them
anywhere.
Unfortunately,
when
you
use
functions
as
a
service
from
a
provider,
they
are
not
portable
to
another
platform,
whereas
container
as
a
service.
E
Obviously,
it's
managed
control
plane,
but
you
can
choose
the
longevity
of
your
service
that
is
going
to
live
in
your
data
plane
and
it's
more
configurable
and
it's
a
little
more
portable.
I
wouldn't
say
portability
has
been
much
of
a
need
today
in
the
enterprises,
especially
in
financial
services.
I've
seen
multiple
enterprises,
application
teams
have
affinities
to
cloud
providers
and
I
haven't
seen
them
putting
their
applications
from
aws
to
azure
or
google
today,
and
they
just
build
applications
in
their
container
platform
in
a
particular
provider
environment.
E
E
E
E
B
B
E
No
ways
so
it's
hard
to
get
visibility
because
they're
so
short-lived
and
cloud
providers
today
provide
some
detection
capabilities,
but
not
to
the
level
of
detail
that
enterprises
today
need.
So
there's
still
a
need
for
capabilities
from
third-party
providers
that
need
to
be
deployed
for
serverless
deployments.
Our
friend
from
palo
alto
can
well
show
that
basically-
and
there
was
a
company
called
puresec,
which
was
providing
detection
capabilities
for
functions
and
palo
alto
acquired
them
as
part
of
their
prisma
suite.
E
Now
they
provide
that,
and
there
are
several
other
third-party
solutions.
There
still
service
level
agreements
are
still
uncertain
because
in
the
shared
responsibility
model,
how
a
function
is
being
codified
is
up
to
an
application
developer,
so
cloud
providers
are
not
providing
any
service
level
agreements.
None
of
the
three
major
cloud
providers
are
providing
any
slas
around
functionality.
Service
and
their
performance.
E
Boundaries
are
not
there
anymore.
There
are
no
network
choke
points
that
exist
per
se
and
applications
are
not
here.
They
can
be
dynamic,
distributed
anywhere
and
integrations
can
be
very
wide,
so
boundaries
in
terms
of
application
functions
are
untrusted,
so
a
lambda
function
could
be
talking
an
emr
instance
or
a
red
shift
instance,
and
so
on
and
so
forth
in
data
manipulation
functions.
E
So
in
in
terms
of
inherent
weaknesses,
I
mean
obviously
no
performance
guarantees,
limited
security
controls.
State
management
is
hard
like
I
said,
monitoring
and
logging
is
critical,
but
a
lot
of
it
depends
on
the
developer,
what
they
want
to
log
as
well,
and
that
that
is
true
for
any
application.
So,
in
terms
of
maturity,
there
are
still
organizations
who
have
banned
functions
or
use
of
functions
for
certain
types
of
activities,
for
example
in
financial
services
because
of
the
regulatory
environment.
E
E
So,
in
terms
of
security
challenges,
I
mean
we've
had
a
lot
of
discussions
around
a
threat
model
around
us
and
we
have.
Since
this
presentation,
we
have
evolved
our
threat
model
in
the
paper
quite
a
bit
and
I'm
happy
to
share
the
link
with
all
of
you,
so
you
can
read
and
opine
on
it
as
well
and
provide
input
basically
misconfigurations.
E
E
There
are
a
lot
of
policy
enforcement
challenges
and
configuration
challenges
as
well
and
testing
right.
Obviously,
you
need
an
environment
where
you
can
test
it
before
you
actually
implement
it
in
production,
improper
authentication
authorization
is
a
big
concern.
Concern
basically
because
of
untrusted
boundaries
and
functions
can
go
and
talk
to
a
lot
of
other
services
and
so
appropriate
authentication
authorization
and
implementation.
That
is
critical
policy
violations.
E
As
we've
talked,
if
the
function
is
written,
inaccurately
or
there
are,
there
are
misconfigurations
of
the
deployment
of
the
function,
then
there'll
be
challenges
and
policy
enforcement
and
the
policy
violations
will
be
detected,
but
the
function
is
so
short-lived
that
you
may
not
even
be
able
to
fix
it
in
the
time
code.
Vulnerabilities
still
can
happen.
I
mean
this
is
this:
this
is
application
functionality.
E
Even
triggers
can
be.
You
know
there
are
injections,
sql
injections
as
well
as
even
data
injections,
that
can
affect
the
capabilities
of
a
function.
What
it
can
execute
to
runtime
issues,
obviously,
because
of
code
injections
and
denial
of
service
can
happen.
Malicious
traffic
could
impact
the
resources
that
you're
utilizing
and
the
function
may
not
be
able
to
execute
just
because
the
resources
finished
before
the
function
could
execute
the
full
functionality.
E
E
H
E
Sir
cloud
security
alliance
actually
was
incepted
in
2007
and
I've
been
part
of
css
since
then,
when
all
the
cloud
providers
were
just
coming
out
with
initial
services,
aws
was
really
small,
so
they
do
a
lot
of
work
in
building
best
practices
for
cloud
in
general,
and
that
is
is
sas
and
they
have
slowly
expanded
into
internet
of
things
and
mobile
security
in
a
way.
It's
this
standards
body
that
does
work
around
security
as
well,
complementary
to
cncf
and
I've
been
part
of
csa.
E
E
So
a
lot
of
small-time
sas
providers
and
past
providers.
They
go
to
csa
for
getting
their
services
certified
from
a
security
controls
perspective
and
they
they
have
a
cloud
controls
matrix
as
well,
which
provides
which
is
mapped
to
nest
800-53,
but
at
the
same
time
it's
written
in
a
different
flavor.
It's
also
mapped
to
iso
standards,
but
again
the
due
diligence
that
goes
into
fedramp
invalidation
of
controls
of
providers
is
slightly
more
deep
and
in-depth
compared
to
csa
audits
and
assessments.
E
But
still
it
does
provide
some
level
of
assurance
of
a
provider's
security
posture
and
framework
that
they
are
using
operational
best
practices
as
well.
But
there's
a
lot
of
research
available,
I'm
happy
to
share
the
link
of
csa
research
and
guidance
that
they've
published
so
far.
There's
a
lot
of
working
groups
where
you
can
participate
and
volunteer
and
share
your
knowledge
as
well
and
you're.
Welcome
to
join
the
serverless
working
group
as
well
since
you're
all
working
on
the
cloud
native
stuff
and
serverless
is
cloud
native.
H
H
H
B
B
B
B
K
K
E
Honestly,
a
fedramp
certification
is
only
given
by
the
government,
the
government
ato
right,
but
the
controls
that
csa
validates
as
part
of
the
ccm
are
mapped
to
fedramp
and
nest
800-53
as
well.
I
know
nest
works
closely
with
csa
as
well,
so
there's
inter
dependencies
there
and
they
share
data
between
each
other,
all
the
controls
etc.
E
E
It's
not
practical
for
a
small-time
sas
provider
to
do
that
right,
it's
expensive
in
terms
of
resources
in
terms
of
effort
that
they
have
to
put
in
place.
So
if
I'm
a
small
application
provider
that
is
now
providing
it
as
a
software
as
a
service,
I
don't
have
time
and
money
and
resources
to
have
fedramp
auditors
sitting
and
enforcing
all
those
nest.
853
controls,
24
7
365
days,
and
I
may
not
even
have
resources
to
secure
everything.
E
E
E
Freedom,
but
but
this
csa
audit
works
for
other
organizations
right.
I
work
for
a
financial
services
organization
organization
for
every
sas
solution.
I
would
validate
whether
whether
they
have
a
dram
or
they
have
iso
or
they
have
csa
either
of
the
three,
and
that
gives
me
some
level
of
assurance
of
their
security
practices,
and
then
I
can
do
more
due
diligence
based
on
my
assessment
from
their
audit
findings.
B
I'm
just
going
to
step
in
about
two
minutes
on
the
clock
before
hard
stop
and
just
want
to
offer.
If
anyone
want
to
continue
this
discussion
to
either.
If
you
want
to
post
your
contact,
details
and
chat
or
a
link
to
president
slack,
if
anyone
wants
to
continue,
I
was
just
going
to
save
the
very
last
minute
and
ask
if
there
are
any
attendees
today
that
would
like
to
quickly
introduce
themselves
before
we
wrap
up.