ISMG Editors: Payments SpecialExpert Troy Leach Joins Panel to Discuss Payment Innovation, Cloud Adoption
In the latest weekly update, Troy Leach, chief strategy officer at Cloud Security Alliance, joins ISMG editors to discuss the latest innovation in the payments space and accompanying risks, as well as how the case of Sam Bankman-Fried's failed cryptocurrency exchange will affect regulatory actions. Leach also shares how traditional banks are set to accelerate their journeys to the cloud threefold in the next couple of years and what that means for security.
The panelists - Anna Delaney, director, productions; Tom Field, vice president, editorial; and Troy Leach, chief strategy officer, Cloud Security Alliance - discuss:
- The most innovative trends in payments and the biggest concerns that come with that innovation;
- How the collapse of cryptocurrency exchange FTX will influence the regulatory discussion around digital currencies;
- The potential risks associated with traditional banks adopting cloud at an unprecedented pace in 2023.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Dec. 2 edition discussing how the Twitter breach may be worse than advertised and the Dec. 9 edition discussing how the role of the CISO will evolve in 2023.
Anna Delaney: Hi, welcome to this special payments edition of the ISMG's Editor's Panel. I'm Anna Delaney, and this week, we'll be talking about trends and innovation in the payments space, cloud security, SBOMs and more. And at this point, I'd like to welcome our special guest Troy Leach, who is the former CTO of the PCI Security Standards Council and now chief strategy officer at Cloud Security Alliance. And, of course, Tom Field, our senior vice president of editorial. Welcome, Troy, really good to have you with us.
Troy Leach: Thank you very much. Happy holidays.
Delaney: Happy holidays, indeed. Where are you today?
Leach: Well, I am not in Rome. Although I just spent a couple of weeks there, Cloud Security Alliance, and working with some of our stakeholders in Rome and Milan and beyond. I am back in sunny Phoenix, Arizona, so I see all the snow in your backgrounds. And I'm not familiar. I did do my graduate work in Syracuse. So, I did get some snow in my life. But being in Phoenix for last 20 years, I'm not quite as familiar with that white stuff anymore. And you weren't tempted to dress up like Tom? We talked about this, right? And I wanted a ugly sweater competition. But because Matt didn't join us, you know, it was an uneven number of judges and panelists so I figured we just go normal this time. This is all your fault. I even dressed up a little bit. Tom, do explain.
Tom Field: Well, two things. One, I'm actually just outside of Rome. Rome is the neighboring town here. That's my home out in the countryside in Mount Vernon. I am wearing the ugliest sweater I have, I don't know if it quite qualifies what I would wear to a holiday party, and you perhaps have noticed them wearing a hat and some goggles. And these are based on the most annoying child character in the 1983 classic Christmas movie, A Christmas Story. I know Troy has seen it. Anna, you haven't, it's got to be on your list this year.
Delaney: It's on my list for sure. And well, it snowed in London this week. And it's rare to see a few inches of snow in London, particularly before Christmas, so I thought I'd share the view from my room. But Troy, we have a few questions for you today. And I'm going to pass over to Tom to lead the way to start us off.
Field: Perhaps I should have done. Okay, Troy, if you can take me seriously here, what do you see as the most innovative trends in payments as we go into the new year? And what are the biggest concerns and risks with that innovation and the word crypto comes up very quickly here.
Leach: Well, I do have crypto in mind. But I might surprise you in the type of cryptography that I'm talking about. You know, sometimes the most innovative things that we have are sometimes the least sexy, unlike the goggles and hat. These are things that to me and security, what I'm very interested in is to see how the use of things related to confidentiality of data. Because if we can eliminate the risk of exposing data and that can be used for harm, then all of a sudden, we can do all these wonderful things. And so I'm very interested in the advancement of confidentiality computing, it's something that is starting to get a groundswell, more popularity in the last couple of years. We talk all the time about third-party risk exposure, we saw the recent Uber data breach that happened due to a vendor. And there's countless other stories of similar attacks, where third-party vendors are at fault. So what if all these service providers had no access to decrypt the data even if they wanted to. And that's the core concept behind confidentiality computing. And all the cloud service providers already have their own enclaves. And dozens of organizations are developing solutions on top of that, those platforms as well. So it's not as attractive but I will say that's one trend. Of course, HSM as a service in the payment space is something that we're talking about which is related, we're taking the keys that create the trust and how do you trust the trust keepers? Looking at doing that in a cloud virtual environment, we see payback as a service, what Stripe has done and many others that have followed all this new ways that we're leveraging software to create commerce in different ways. And I will say the last one of innovative trends is crypto and just the commingling next year, you see Visa, MasterCard, all these major payment brands and major banks either acquiring or partnering with these crypto companies. And I'm interested to see how they're going to continue to have this hybrid of of going back and forth between crypto and some Fiat-based currency. So I think those are some of the trends. As for risk, I think it's simply to be able to verify all these organizations and make sure that there's no tamper - so, in the physical world, we have ways that we can know, "Hey, did someone break into our house, we have these physical tampers." So I think finding ways that all of those things I mentioned, how do we have tamper responsiveness for a virtual HSM, limited transparency today for some of the software development practices of pay facts? How do we look at crypto exchanges? Of course, we have FTX and whatnot that are in the headlines today and some of the integrity issues there. So, for me, it's simply creating these immutable controls to protect against any type of foul play and I'm confident we're going to get there, because for one, it's the holiday season, we just have to be positive anyways. But I think if we get these behind the scene things right like confidentiality computing, then these opportunities for consumers to have all different types of diversity and how they use payments is limitless. There you go.
Delaney: Well, Troy, we want to stay with FTX. We can't avoid it this week. So Sam Bankman-Fried, founder of this failed cryptocurrency exchange has been charged with what they say as one of the biggest financial frauds in U.S. history this week. So drawing upon your extensive experience of creating standards in the payments industry, how might these events or this case influence the crypto regulatory discussion?
Leach: Well, I think it quickly heightens the concerns by regulators that have a top-tier crypto exchange that could use client money simply by making a change to the software. That's what really scares me about the allegations is that something that was only known by a handful of people influence and take consumers' money and, you know, could continue to keep borrowing funds, that's another thing. It's something that should never have been allowed anyway, by any type of a crypto exchange, they're more like a payment processor in a traditional payment. So, and the fact that they were borrowing irrespective of the value of the collateral of the securing those loans. So in banking, there are very clear rules: any money laundering and banking standards. So I'm very curious to see how the existing laws are going to change. You know, I'm not a lawyer. But I did play juror number eight in a school production of 12 Angry Men. So I do have an interest in the law. And I do think, in conjunction with that, we have billions and tens of billions of dollars that have been lost to either crypto exchange has not done proper security. And we've seen Coinsquare, Coincheck, Gemini, Crypto.com. All these crypto exchanges that had reported data breaches, not all were crypto, some of it were just PII, but still data breaches, simply because they didn't have good security practices in place, they didn't have a validation system and security, public transparent security systems in place. And so, in addition to that, then you see also consumers have been frauded by phishing attacks and that's actually three to four times worse of a problem in the industry is all the victims that have lost their funds simply because they thought they were working directly with their crypto exchange and instead, it was a criminal that was stealing their information, taking the key and emptying their wallets. So I think all of those are going to lead to two things for the future and the government and there's going to be a lot of debate all over the world in different governments and one is, you know, what role, if any, does the government have to protect citizens against voluntary forms of decentralized finance? And the second part then is how do they validate and consistently monitor and force if it's not a Fiat-backed currency. And it was difficult enough for us to get PCI standards off the ground when we already had programs in place and operating contracts that it had enforcement. I think this is so hard for people to get their heads around because it's decentralized and, you know, servers are all over the world and the ledger slight of issues are really going to keep regulators very busy next year. That's my take.
Field: Troy, I'll ask you about one of your other predictions - this time about cloud migration. You predicted that we're going to see a three times migration in 2023-2024 of major traditional banks putting their infrastructure into the cloud. Now, why is pretty understandable, but what risks should we be monitoring?
Leach: Well, a McKinsey report that said between now and 2027, we'd see 3-4x growth in cloud. And for me, I think it's really driven by the pandemic. I think, in the banking world, they're very much laggards for a while. And I will say in Cloud Security Alliance, we just did our own survey to financial institutions. And the results of that survey will be out next quarter. But it really bolsters and it aligns with McKinsey and other groups that have done similar reports that while it's taken a really long time, banks have jumped in both feet with moving this lift and shift to the cloud. And the concern is they're doing it now very quickly, do they have the right people? I think the banks have been investing and exploring for a long time, but it's gone from, "Hey, this is an interesting thing. Maybe we should look at" to actually "No, this is our future. This is where we're going to go." And it makes so much sense. You know, we have people that are, you know, you look at the cloud and the value of the cloud, it's really about the scalability, the provisional utilization, the efficiencies of maximizing computational power, the storage span versus the data. So, all these types of metrics, they were made for financial folks, like the banks, and so it just took putting the right people in place and level of understanding it and verifying that. As for the risks, I think the biggest part is, again, the monitoring. And so there are so many regulations, each banks probably having 40, 50, 60 types of audit every year, maybe more. So it's how do you create the well-documented, transparent process of if I'm going to be using third-party service providers, or even I have my own private cloud, how do I know everything is where it's intended to be? And so it always goes down to people, process and technology. And I think it's in that order. We have a critical need to get people up to speed on just general cloud security practices, but also in specific, so each cloud, for those that are not technical, they don't realize that it's very different architecture and some of the security capabilities varies from GCP to Azure to IBM to Oracle to AWS. So I think having the training and understanding on an individualized level of what platforms are using, and I will say, the regulators are now coming to bank saying, "we think that if you were to use just one or two cloud service providers, that's not enough contingency, we want to see a more diverse spread of - and you saw this with the Pentagon, they made an announcement that I think it was at least four different cloud service providers would be part of this mesh of the cloud infrastructure that they want to put in place. And so that's going to be interesting in a trend for next year. And the upcoming years is how well do people understand and then can work in multiple environments that are unique, that are different from each other.
Delaney: Let's move on to faster identification and classification of bugs. Now we know that banks need to handle vulnerabilities more quickly and, arguably, CVEs are currently taking too long to come to market. So I'm curious to know what the Cloud Alliance is actually doing with NIST, MITRE and other industry bodies to help get vulnerabilities classify quicker, the critical infrastructure.
Leach: So for a guy that sometimes has been told, I talk too slow, things are moving very fast. And you're right on and it's just this CVS take far too long to come. They have, they struggle, they don't have an ability to have this community get hubs style type of contribution. So we need identifiers that are easily discoverable, fast to assign, updatable, they're transparent to everyone. I think that the number of vulnerabilities is simply growing faster than what we can currently track. So what Cloud Security Alliance has done is, they have actually started a project for a global security database (GSD). And this will be cloud-centric. And, by the way, CSA is a non-profit. So all of this is publicly available too for people to look at and contribute on a personal level or as their organization. And people can go in and look at it. But the goal is to find ways to just have very good cloud analysis of the vulnerabilities quicker. So you mentioned MITRE. CSA, and MITRE-established caveat, which is cloud, adversarial vector exploits and threats. I'm still learning all the acronyms at CSA, but the collaboration is to bring that relevant content to cloud security analysis so that people can respond quick. And we also have a research paper out and it's mostly MITRE contributors. The editor in chief is Mari Spina from our CSA Washington DC chapter, but they are working on a same thing of what are the gaps in our vulnerability, enumeration, stay with, you know, compared with attack, and defend from MITRE CAVEaT and where can we quit have this quick-to-market cloud adversarial analysis. As for NIST, NIST and CSA did talk on this particular subject, along with a lot of other research projects. The one thing I'm really excited about and keen to work on is NIST is developing version 2.0 of their cybersecurity framework. We've mapped our prior version of our framework, the Cloud Control matrix, to it. And some of the feedback that they received during their revision cycles was we really need to be focusing on the cloud and what can we bring in from CCM and other resources to really demonstrate good due diligence as more and more organizations move to the cloud. So we're going to be working with them. We have NIST speaking at some of our upcoming virtual summits next year, as well. And I'm really excited to see where the industry goes to try to rather than create more security standards, how do we reuse and leverage and come together to have multi-party recognition of the work that's already been done.
Delaney: Fantastic. Well, you've given us comprehensive answers there. Thank you so much, Troy. Well, finally, we do this just for fun at the end. Last week on the program, I asked colleagues, who would they choose as their ghost of cybersecurity paths? So it's a play on Dickens' A Christmas Carol. This week, we're in the present. So who would be your ghost of cybersecurity present? Who wouldn't you mind haunting you for a bit? Tom, I think you go first, so we give Troy a break.
Field: You want me to go first? You know, it first I was going to say Jen Easterly, because I think she's done a terrific job traveling around the world and in giving us a sense of where we are in cybersecurity and where we need to go. She has been a pleasant presence. But then I started thinking, Kindervag. John Kindervag, I call him the godfather of zero trust, the greater of zero trust. I think he's done a pretty forceful job over the course of the year of speaking with lots of organizations in lots of different sectors and lots of different regions of the world, and helping them determine what it is they need to protect and how to do that. And I think if anyone is going to be that voice, Kindervag is going to be the one showing us that if you don't make changes this year, that little database in the corner over there is going to be empty next year.
Delaney: Yeah. That's a great answer. And I've chosen somebody who is not a role model in any way, but he's certainly a man of the present. It might be interesting to have Sam Bankman-Fried just visit us right now because I know, between us, we'd have a few questions for him. So he might give us some nuggets of not knowledge, but something to think about. How to shape 2023. Troy, what are your thoughts?
Leach: So that's a tough one and right before Tom spoke, those two names came to mind as well. Jen Easterly and John Kindervag, both are really helping to, and in similar veins, of promoting certain aspects of zero trust and the importance of integrity to our authentication. You know, it's hard because cybersecurity is a team sport. So it's really difficult to pick one. But I say, and it's probably just because it's top of mind, I have a tremendous amount of respect for the research teams that are identifying future problems that we can resolve today before they become massive problems. And one example of that, and there's many like, these is the Google Project Zero team. And so I just listened to a podcast where Maddie Stone from that team was interviewed about just some of the amazing discoveries they've had over the years and how they've really limited, you know, some of the ways that our technology could have been exploited had we not been proactive. And so what I like about Google Project Zeroes is not just about Google products, they research any type of software that could possibly impact Google users. And so I think it's incredible that they're looking at any and all this stuff and that would be my guess, because it's, you know, the present, he was a ghost of plenty. So I'll say the entire team over there the Google Project Zero.
Field: Excellent choice.
Delaney: I have to check that podcast out. Thank you for the recommendation. Troy, this has been absolutely brilliant. Thank you very much for joining us. We appreciate everything you said, your insight, and we look forward to you joining us next time hopefully.
Field: Thanks so much, Troy.
Leach: Happy holidays.
Delaney: Yeah, absolutely. And thank you so much for watching. Until next time.