- IoT Is the Eyes and Hands of the Cloud
- It’s Time for a Change to Cybersecurity Consumption
- Why a ‘Cloud Architect’ Should Be on Your Hiring Agenda
EXPOSING THE TOP TEN CLOUD SECURITY MYTHS
The Cloud Changes Everything: Especially Cybersecurity
Welcome to Volume One, Issue One of “Top Reads on SecurityRoundtable.org.” With each issue, we promise to bring you highlights from our most compelling articles analyzing the critical news and trends in cybersecurity—all viewed through the unique lens of board members and senior-level business executives. We start by focusing on cloud computing
I meet regularly with customers from all different industries around the globe. What I’ve learned is that organizations take very different paths to the cloud, with varying degrees of cloud deployments and levels of maturity. However, the security challenges remain consistent due to the fact that the underlying technology keeps advancing, with innovations such as big data analytics, artificial intelligence (AI), and quantum computing promising to shape, and reshape, how the cloud evolves over the next few years. This presents unique cybersecurity challenges requiring leaders to embrace a new approach
Only by evolving to a new model for cybersecurity can we unlock the vast business benefits—in agility, speed to market, and lower costs—that the cloud can offer, now and into the future.
What you’ll gather from the pages within this magazine are a range of cloud experiences and insights from various voices on the topic. Key takeaways include:
We are all fortunate to be business leaders at a time of great innovation. We can change the world through our vision for the future and our use of cloud-connected digital technologies to turn that vision into reality. However, we can only use the cloud to change the world if we can secure it. Let that be the key takeaway from this new publication we are proud to share with you.
Many C-suite executives–it just seems to be easier to tell their employees that they can’t use cloud services
About 25 years ago, I helped manage a project to determine how much business leaders and IT professionals knew about the existence of local-area networks in their organizations. Remember, this was a time when LANs were still pretty new, were not well understood by non-technical executives, and were a source of confusion about their benefits and risks.
When business executives in one Fortune 500 company were asked how many computer networks were installed in their company, the consistent answer across the six C-level executives we surveyed was, “One— the one that hooks to our data center.” When we asked the CIO, he said the number was either three or four. And when we queried business units, we got the real answer:
I see the same thing happening today in cloud computing adoption. Oh, there’s no debate that cloud computing is pervasive, in terms of breadth of penetration. Third-party data based on input from technical professionals indicates that nearly all organizations are using cloud to some degree, and the average organization is accessing services from five different cloud service providers. But it seems like many business professionals are in a state of denial when it comes to just how pervasive cloud usage is in their organizations. And that’s because many of them still try to find excuses to justify saying “no” when it comes to sanctioning wider and deeper use of cloud services.
For many organizations—and, in particular, many C-suite executives—it just seems to be easier to tell their employees that they can’t use cloud services than it is to find ways to ensure that cloud computing is used securely and intelligently to leverage its many undeniable business benefits.
This is hardly the first time we’ve seen business leaders react this way. It happened with important technology trends such as personal computer adoption, IT outsourcing, distributed data centers, bring-your-owndevice, and telecomputing. Lack of technical understanding on the parts of business leaders often led to debates over security, data sovereignty, loss of control, and fear over compliance and legal issues, too often resulting in an arbitrary lockdown against those technologies
“I often talk with corporate executives about their use of the cloud, and I’m surprised to hear how many of them claim their organization doesn’t use cloud services,” said Sean Duca, regional chief security officer, Asia-Pacific, for Palo Alto Networks. “But after about 15 minutes of conversation, it becomes clear they are using cloud for things like Office 365®, data storage, and other pervasive services.”
And it’s not only tactical applications that are being developed, deployed, accessed, and managed in the cloud. Research indicates that 40% of organizations are storing personally identifiable information (PII) in the cloud, while 21% are storing healthcare records data in the cloud.
To Duca and others, the key point is getting business leaders to a place where they are comfortable not just with using cloud for critical applications and tasks, but also with an understanding of how data is going to be protected and available when and where it is needed. And to do that, C-suite executives and board members need to think about cloud security in a modernized, business-centric manner.
“It’s important to start by sharing security telemetry with others,” said Duca. “Crowdsourcing is a powerful way to get a collective benefit, and it’s important that business leaders get comfortable with that concept.” Duca likened this to doctors sharing information with colleagues, both informally and, increasingly, through formal mechanisms about unusual or never-seen-before symptoms. Doctors aren’t sharing PII about named patients, but they are helping other practitioners protect their patients—and are getting the same benefit in return.
“We have about 24,000 customers around the world sharing security intelligence with us today,” he said. “If a suspicious packet comes from a particular IP address, I can share that information with others to be on the lookout and take precautions. If thousands of people are contributing millions and billions of pieces of information, it becomes much harder for the adversary to launch repeat attacks. We can do real pain to our adversaries, and, in so doing, make our business leaders more comfortable that the right steps are being taken to secure data in the cloud.”
Greg Day, Palo Alto Networks CSO for the EMEA region, emphasized that many cloud security, privacy, and data sovereignty concerns of business executives can be addressed by asking some straightforward questions of their technical leaders, including:
“These are not technology decisions,” said Day. “These are issues deeply rooted in an organization’s most fundamental business processes and workflows. It is the ‘moment of truth,’ where business leaders who want to move faster and CISOs who want to do methodical evaluations around cybersecurity work toward a common goal.”
So, what should business leaders do, and what questions should they ask, to help them get past the reflexive responsive of “no” when it comes to broader and more strategic adoption of cloud computing?
And smart, strategic, and innovative approaches to security that go far beyond the latest next-generation firewall will make the difference between cloud simply being viewed as a nice way to reduce Capex and cloud becoming a catalyst for agility and transformation.
You need to ready the organization for a new mindset.
Congratulations on your organization’s adoption of cloud computing and your strategic embrace of cloud as a way to improve agility and support digital transformation. Now that you, your business colleagues, and your technical leadership have made this important decision, you need to tackle a vital issue—what to do about your cybersecurity team.
I know what some of you may be thinking. “No worries, we’ve got that covered. We’re outsourcing that to the cloud service provider.” Or, you may think your worries about cybersecurity in the cloud are moot because you already have a rock-solid, tried-and-true cybersecurity framework that has met service-level agreements, avoided headline-inducing data breaches, and ensured regulatory compliance.
Now, before I go any further, let me emphasize a relevant issue about my point of view: I’m not a Chief Information Security Officer, nor do I run cybersecurity for my organization. But in my role overseeing infrastructure, distributed systems, and, yes, cloud, for a leading e-commerce platform company for the travel industry, I’ve seen the dramatic shift from an on-premises security mindset to a cloud security mindset.
What have I learned, and how can those lessons benefit business executives who want to ensure rock-solid security in a cloud architecture? First, it’s important for business leaders to understand that you can’t “lift and shift” your legacy cybersecurity approaches from on-premises infrastructure to the cloud. That’s because most legacy IT shops just don’t have the right frame of reference for how applications are being developed and deployed in the cloud. So don’t expect your CISO to tell you what a piece of cake it’s going to be.
Second, be aware that your security teams are going to need new types of training on cloud architecture so they can properly plan, architect, and deploy your production applications in the cloud.
And finally, you need to ready the organization for a new mindset—one where security teams are tightly integrated from the start with the developers and business units. Call that what you will: “shifting left,” DevSecOps, or integrated security. Those are semantics; your cybersecurity teams are going to work alongside anyone who plans, develops or uses applications.
In today’s cloud-centric business processes, your cybersecurity team must become part of the comprehensive application framework in order to speed the velocity necessary to get into users’ hands faster— and, of course, more securely.
Doing so will bestow upon your organization a host of operational efficiencies, including a higher level of confidence that security policies are being applied in more prescriptive, proactive, auditable, and automated manner. That last part—automation— cannot be emphasized enough. In a business model where applications are being developed, released, updated, re-released—again and again—manual security processes are a killer. They don’t scale fast enough and wide enough, so you’ve got to get your teams out of manual labor like applying patches or updating policies and replace them with intelligent, automated tools.
And, before your CFO starts counting the savings by reducing headcount in the cybersecurity operation, understand that moving to the cloud should not be seen as a way to cut full-time equivalents. Instead, you need to think about how those security professionals can be better deployed as an integrated part of the application development and continuous improvement framework.
This is what the often-discussed shared responsibility model for cybersecurity is about. When you hire a cloud service provider, you obviously benefit from their broad and deep experience and expertise. This is not mean you are outsourcing cybersecurity to your service provider.
Having worked previously at Amazon Web Services and being involved in developing their first security exam, I understand the power of this approach. The combination of an experienced cloud platform provider handling security “of the cloud” (hardware and software infrastructure) and internal teams handling security “in the cloud” (customer data, access/identity management, configuration, encryption, and authentication) allows you to cover all the security bases with a minimum of overlap or redundancy.
You’re not reducing your security team’s importance or headcount; you’re just putting them to better use.
So, what do business executives in the corner office or in the boardroom need to know, and what questions should they be asking the CISO about the redeployment of cybersecurity teams as the organization shifts to the cloud?
I recently read an article highlighting opinions of security professionals about how the move to the cloud affects security team members. One, in particular, stood out:
“Information Security professionals must learn what secure and insecure look like in the cloud, and then apply that knowledge to all the settings exposed by cloud service providers.”
Before the cloud, it was always tempting to view information security team members in the way we assessed umpires in a baseball game: The less we noticed them, the better a job they were doing. But moving to the cloud changes the rules of the game. We need the entire DevOps process to be more focused on security, and that means integrating our security team members into the development process upfront, rather than having them be an afterthought. When they are working shoulder-to-shoulder with developers and business unit members to ensure that applications are always secure and available as part of the normal workflow, they can make a bigger impact and avoid acting as bottlenecks that slow down the process.
So, congratulations again on taking a major step forward in your journey to digital transformation by embracing the cloud. Just make sure you bring your security team along for the ride.
Every time a game-changing technology comes around, organizations are forced to scramble.
About 25 years ago, I helped manage a project to determine how much business leaders and IT professionals knew about the existence of local-area networks in their organizations. Remember, this was a time when LANs were still pretty new, were not well understood by non-technical executives, and were a source of confusion about their benefits and risks.
Every time a game-changing technology comes around, organizations are forced to scramble to develop, buy, or rent new talent for their IT organizations. It happened when we moved from a mainframe-based hardware model to a PC/LAN-based architecture; it happened when we moved from proprietary operating systems to open systems, and it happened again when we transitioned from physical to virtual infrastructure.
And it’s happening now as we move from on-premises computing to cloud computing. This transition is happening faster than anticipated, because business leaders have recognized that moving to the cloud is much more than just saving on Capex; it’s a way to make organizations faster, more flexible, and more adaptable to changing business needs in the journey to digital transformation. As a result of the rate and scale of this change, it’s putting a lot of stress on in-house IT and security teams to come up to speed quickly on how to support a cloud-first model.
This “cloud skills gap” is real and is growing, and it needs to be acknowledged, confronted, and overcome quickly. If not, many organizations will struggle to leverage the full potential of cloud computing; in so doing, they are likely to lose ground to their better-prepared, nimbler competitors that have put in place a cloud-ready workforce, and in many cases may have been born in the cloud. I recently read about a study conducted by global personnel company Robert Half Technology that pointed out that three quarters of CIOs and IT executives throughout the United Kingdom admitted that many of their IT teams are not up to the task of transitioning to a cloud-based IT model.
Clearly, this trend is not unique to the U.K., or to any geography, industry, or organization size. This cloud skills gap is the “new normal.” So, what do we do about it?
As business leaders, you can’t just order your CIO or CISO go on a college recruiting binge for cloud computing specialists. While some universities and technical institutes are actually offering formal concentrations in cloud computing, there are two challenges associated with this approach: First, there aren’t enough cloud-savvy college students yet, at least not when it comes to adapting those skills to a real-world setting. And second, hiring well-educated cloud technologists really isn’t what organizations need.
We already have many people working in our IT shops and security operations centers with transferrable skills that will let them help their organizations develop, deploy, and manage applications and workloads in the cloud. In a cloud-centric environment, solutions are less about infrastructure and more about working with the DevOps team to spin up a virtual private cloud to support faster and more frequent software releases.
This is causing a re-imagining of the roles and skill sets of IT and security teams in a cloud-first world. For instance, the move to the cloud means that IT hardware has typically been separated—or, “abstracted” as your technical teams will tell you—from the overall computing process. As a result, the shifting nature of skill sets means that you need fewer of the traditional technical skills than was the case in the pre-cloud days. For instance, network administrators need to understand how to automate cloud networking, while storage administrators must upskill to run such tools as S3 and Glacier instead of an in-house storage-area network fabric. Above all, you need smart, adaptable, and inquisitive people who understand cryptography and identity/access management in order to secure data in the cloud.
A few key decision points for your busi- ness and technical leaders:
Finally, there are a few things business leaders, in particular, need to keep in mind when it comes to helping their organizations close the cloud skills gap:
As business leaders, cloud computing may still be a bit ethereal and nebulous, a bit more conceptual than pragmatic executives may like. But rest assured that cloud computing will change the way your organization serves customers, competes, plans for the future, and measures its success. Take the time and energy needed to find new ways to bridge that cloud skills gap.
As your company’s risk profile changes, your cloud architect can help you decide what components of your IT system to move into the cloud.
as a C-level executive, you might want to deliver a new service to market. Your IT department could take six to nine months to set up the systems and get it ready—after you rounded up the funding, that is. Mean- while, you’ve probably lost time-to-market. But if you put your new offering in the cloud, it gives you the ability to launch much faster, and to automatically scale it depending on the demands and needs of your customers. This is but one of the reasons your enter- prise needs a good cloud architect, one who can inventory your IT processes, leverage new cloud-enabled technologies, and free up your resources to invest in tackling more complex, business-critical projects.
What makes a cloud architect (CA) a key hire? A cloud architect is not just another IT manager, but an expert in business strategy and planning. The role is both tactical and strategic, involved in addressing the pain points your IT staff deals with every day. This can give you financial peace of mind, in that it’s not about buying infrastructure, but concentrates on delivering critical business initiatives.
For some insights into and advice about how to hire and benefit from a CA, I turned to two experts in the field. One of Micro- soft’s handful of technology evangelists, Rick Claus, who is a senior program manager on the Azure Compute team, and Sean Duca, VP and regional chief security officer for Asia Pacific, at Palo Alto Networks. (Duca’s job is to help executives understand how to con- trol risk so they can profit from the benefits of cloud technology; Palo Alto Networks is SecurityRoundtable.org’s parent company.)
Before hiring a CA, however, it’s a good idea to know what the cloud is all about. “The cloud is, literally, someone else’s com- puter, and you get to use it!” explained Duca. You can shift your company’s software appli- cations and data to it, he said, “while some- body else makes the capital expenditure and manages it. What’s more, it shrinks and expands on demand instantly to suit your needs.” With your digital assets entrusted to an outside entity, it’s the CA’s job to manage the migration of your systems and data so everything’s safe.
As with any decision, there’s always a risk. But what’s considered acceptable risk? According to Duca, that’s up to you. To benefit from the quick scaling that a cloud provider can offer, you don’t have to put a critical software ap- plication out there right away, nor sensitive customer data. At the same time, you should first consider the risks you’re already facing by hosting your apps and data in-house.
“If your systems are all on premises, you’re probably protecting your data the same way you did ten years ago,” said Duca. “That kind of security won’t suffice for the next ten—and, possibly, not even for the next two—years.”
So, exploiting new options doesn’t necessarily mean accepting more risk than you can handle. As your company’s risk profile changes, your cloud architect can help you decide what components of your IT system to move into the cloud, precisely because cloud providers can protect some of it better than you can.
While recent news stories about high-profile data breaches might be enough reason to bring on a skilled CA, there are many upside drivers, too. For instance, traditional IT leadership might not even be aware of the ins and outs of how the cloud can benefit your business.
“My approach would be to find a ‘born- in-the-cloud’ expert,” said Duca. “Find some- one who’s got competency to work in one of the cloud platforms—Google Cloud Platform, Amazon Web Services (AWS®), Microsoft Azure®, etc. The more competency they’ve actually got in those different clouds, the saf- er it’s probably going to be for you and the organization.”
Claus emphasized both the immediate benefits and the long-horizon value of taking advantage of the cloud. And that means changing your IT department.
“A cloud architect brings the perspective of modernization and efficiencies that come from leveraging cloud technologies into ex- isting and new projects,” said Claus. “A clear line of sight on the benefits and returns for adopting cloud technologies needs to be front and center during the evolution of an IT department.”
A cloud initiative includes reducing the footprint of on-premises data centers. A savvy CA will recommend which IT workloads to move to scalable cloud providers and show IT staff how their own tasks and workloads can evolve to manage these new technologies. The strategic objective should be to free up resources to re-invest for tackling even more complex projects that are truly mission-critical to the business.
If you’re still contemplating a move to the cloud, your business faces security risks even while everything is primarily in-house, simply because the nature and behavior of your users, data, and applications will change. A cloud architect brings a new strategic perspective to your top-level security planning.
“Threat management was once about blocking and keeping bad things out,” said Duca. It was simplistic. “I had antivirus, then I had a firewall. That was a very static world. I had one device and an IP address and that was it.”
Now your employees, customers, and partners are connecting to hybrid, inter- mingled data and software applications via multiple devices—to and from places you don’t even know about. (“If I can’t see it, I can’t control it, and I can’t enforce security,” warned Duca.)
In many respects, your business is al- ready in the cloud. For example, companies use more contract workers than they ever did. There’s an ever-changing population of employees that are coming and going and potentially accessing and exposing sensitive information.
“How do we control all that?” asked Duca. “We’re at a point now where, exponentially, the threat has gone up. You probably can’t even work out how secure the data in your own databases is.”
Claus added: “Is your IT planning up for these new challenges?”
With a good CA on your team, Duca said, your digital assets could actually be safer in the cloud than in your own systems. “Your CA defines the governance around anything you put into the cloud and works with your cloud provider to secure it.”
“A cloud architect needs to be a team player who is able to adapt to fit into the teams he or she are working with,” said Claus. “They need to act as an advisor and facilitator. They should be able to identify themes and sce- narios that can bring consensus to a dispa- rate team that would otherwise get stuck in traditional models and debates.”
Of course, a good CEO who’s looking at candidates for a cloud architect will likely come back to risk management. This is right up Duca’s alley as a cybersecurity expert: “From a CEO’s perspective, I’d be thinking, How could you help me understand what are some of the risks and challenges I’m facing and, ultimately, how am I going to overcome them?”
No one would debate the fact that the roles of both CIOs and CISOs are changing in dramatic ways.
There is something powerful going on in many organizations that is going to have a profound effect on how enterprises ag- gressively, but securely, use technology for business advantage. And it has its roots in the evolving roles of the CIO and the CISO, and the strategic nature of their working re- lationship.
For C-suite executives and board members, how this relationship plays out can possibly make the difference between whether your organization benefits from digital transformation, or falls a victim to its mind-boggling impact.
Let me explain:
No one would debate the fact that the roles of both CIOs and CISOs are changing in dramatic ways. Two decades ago, CIOs began to be seen as business strategists, even more than technologists, and that trend is accelerating. And CISOs similarly are going through a belated, but equally impactful transition to business leadership instead of focusing just on the “shiny new toy” syndrome of cybersecurity.
Here’s where it gets interesting: Without an implicit, sincere, and well-planned alignment between the CIO and the CISO, organizations risk devolving into a technology turf war that will create roadblocks to success, rather than pathways to a brighter future.
I have been fortunate, in that my last eight years as a leader of Infrastructure and Security with last three as CIO have allowed me to work as a brother-in-arms with my CISO colleagues, first at The Gap and more recently here at Palo Alto Networks. This close working relationship has crystallized in my mind the benefits—as well as the potential challenges—brought about by the changing roles of CIOs and CISOs. And my thinking about how to get the most out of both executives and their teams for the benefit of the parent organization centers on two main themes: Kinship and Dynamic Tension.
I’ll admit, the notion of kinship—or a commonality of purpose—is not new, at least not in theory. Business schools and academic journals have talked about this theme as a prerequisite for leadership success for many years. Unfortunately, it has not always played out as drawn up on the whiteboard.
In my current role, I see our CISO at Palo Alto Networks as more than a business colleague. We are united in our over-reaching goals, but also in our shared understanding of fighting a common adversary. In our changing roles from worrying first about technology issues to solving our company’s most strategic business problems, we have a mirrored interest in solving critical, real-world crises. We may be coming at problem-solving with slightly different orientations—the CIO focused on how technology can positively disrupt business models, and the CISO centered on how security can enhance our customers’ trust in our brand—but we each know that we have to end up at the same place, even if it means we have to be flexible in how we get there.
We also are involved in another important organizational change: The increasing demand that we work in a far more decentralized structure where we are co-creating with business units and developers (DevOps), and where security is embedded from the start in all digital transformation processes (DevSecOps). It’s an exciting time to be doing all this, as technology disrupts every industry by using automated tools, machine learning, and other emerging technologies to change how we work and how our customers use technology.
OK, kinship is a great concept and a powerful fulcrum for positive change. But in many organizations, that may be the easy part. By contrast, encouraging and understanding how to benefit from dynamic tension can either build on the benefits of kinship…or render it a worthless slogan.
This give-and-take between smart, motivated, innovative, and—yes—ego-driven executives should be cultivated and used as a force-multiplier. At the heart of dynamic tension is the mutual acknowledgement that, at times, our agendas will differ and we need to communicate closely and honestly to be able to resolve differences and achieve optimal business outcomes.
Increasingly, CIOs are being measured by their ability to engender speed and agility in the organization and CISOs on their ability to prevent successful cybersecurity attacks. As any business executive can attest, sometimes those goals appear to be at cross purposes. While these agendas can lead to confusion about priorities and may become the source of conflict, it’s up to the CIO and CISO (without the CEO mandating it) to resolve any alignment issues. The key here is keeping the “eye on the prize,” which is an opportunity, agile organization that promotes cybersecurity for the good of all parties.
Done well, this dynamic tension can be a powerful catalyst for process improvement. However, if we don’t manage the dynamic tension properly, it can be corrosive to organization success.
For example, take the notion of who the CISO should report to. There’s a lot of debate on this topic, especially around the question of whether the CISO should roll up to the CIO and his/her team. A very good article recently published in SecurityRoundtable.org addressed this idea with a simple principle: Check your ego at the door.
For example, take the notion of who the CISO should report to. There’s a lot of debate on this topic, especially around the question of whether the CISO should roll up to the CIO and his/her team. A very good article recently published in SecurityRoundtable.org addressed this idea with a simple principle: Check your ego at the door.
Regardless of who they report to, I strongly believe that CISOs need independence from IT leaders to do their jobs properly—and that extends to budgets. The CISO needs a budget that is separate and apart from the CIO’s budget. As a CIO, I value independence for the security team, because I’ve seen first-hand how it has helped us improve our security outcomes. The independence does come at a cost though, since it requires both leaders to collaborate at much higher levels and have a common set of objectives around security. Often, I see a misalignment between CIOs and CISOs, and in some cases, disrespect between the two leaders.
I also am seeing a troubling and toxic mix of unhealthy competition that is being advocated by so-called experts who have a misguided notion of the benefits of promoting an adversarial environment among executives. Like a troubled teenager, a few CISOs believe there should be open competition with the CIOs. On the other hand, I have observed CIOs who are clueless about security, grossly under-spending on security, and burying security deep within organizational layers.
Both positions are wrong and dangerous to companies. We have a shared responsibility to security: Many times, the implementation and support of security controls is the responsibility of IT professionals, while defining and providing independent verification of controls falls with Infosec. If both groups don’t communicate and are not deeply integrated with each other, it is often impossible for their teams to come to common understanding.
And make no mistake about it: IT and Infosec teams take their cues from their leaders. If the CIO and CISO aren’t on the same page, you can guarantee a dysfunctional relationship between their teams. This is something CEOs and board members need to watch very, very closely.
How can business leaders take this evolv- ing relationship between the CIO and the CISO and use it as an asset, rather than as a liability? Here are a few lessons we’ve learned at Palo Alto Networks:
Build the right team structure. For instance, joint scrum teams from IT and Infosec, with leadership visibility into their activities, sends a powerful message of kinship. Your teams also must be aligned not only on goals, but on how progress is measured. IT and Infosec teams also need to develop and manage an evergreen program on cybersecurity hygiene
Develop and promote the right culture. CIOs and CISOs need to set the mindset standard for joint problem-solving, built around open give-and-take on ideas, suggestions testing, and implementation. Disagree during the process is natural, and often even desirable, but in the end, all team members have to adhere to a culture of commitment to the team’s goals and tactics.
I challenge CIOs and CISOs to work on three areas to improve their partnership for the good of the organization:
Jointly prioritize and strategize mitigation controls for areas you can’t address right away.
Understand, appreciate, and learn about each other’s world.
Drive your teams with a sense of urgency around any issue related to cybersecurity.
Above all, everyone should have a big-picture goal: Make work a positive experience, done with a smile and resulting in a joy of achieving higher outcomes. Work may not be the only thing in our lives, but it’s certainly important enough that we have to find ways to make it a rewarding process for all involved. We work too hard and too long to have it any other way.
Security needs to have the capacity to not only respond in a timely fashion, but also adapt.
Widespread adoption of the cloud has made business executives and board members comfortable with the idea of paying for IT resources and services “by the glass.” Moving to such a consumption model offers widely accepted financial and operational benefits that promote agility, scalabili- ty, and digital transformation.
Leading cloud service providers such as Amazon Web Services (AWS), Microsoft, and Google all now charge by smaller and smaller increments, allowing customers access to services on an as-needed basis. For instance, AWS has been boldly aggressive in formulating its consumption model, actually charging customers for services used by the second. Business leaders should follow suit and challenge their CISOs if they are not adopting cloud as the platform that allows this change in consumption models. Moving from a monolithic, capex-based, high investment to an on-demand, pay-as-you-go model with infinite capacity is clearly the way of the future, as digital agility is increasingly seen as a key business advantage.
Cybersecurity, however, unfortunately remains largely rooted in a procurement and deployment model that often results in over-provisioning, security silos, and management challenges. The critical point here is that security needs to have the capacity to not only respond in a timely fashion, but also adapt; maximum capacity is not needed at all times. This change in consumption—moving from big-hardware investments to a pay-forwhat-you-use model—is key.
We all talk a lot about the need for business executives and technical leaders to be on the same page in terms of priorities for deploying IT resources and services to achieve important business goals. But, more and more often, we run into examples where the two camps find themselves staring at a crossroads from two different perspectives.
At a recent analysts’ conference that I attended, I heard that 67% of business leaders and board members are pushing CIOs, CISOs, and other technical leaders—hard—to evolve their services and approaches faster and more aggressively. Board members have climbed aboard the digital-transformation bandwagon, and they want their organizations to move quicker than their competitors toward that goal.
But other research among CISOs indicates that most cybersecurity executives believe things might be moving too fast for them to properly assess risks and their implications. For security, that means business leaders want to deploy not only applications in the cloud, but also vital IT services, such as security, to avail themselves all of cloud’s benefits. Board members and business leaders have fast become big believers in the notion of “disposable IT,” which imposes a smaller footprint on enterprises, while providing greater agility and, potentially, cost savings. Many CISOs, however, are still in a traditional mindset of purchasing multiyear licenses for security, backed up by a lot of testing, risk analysis, and methodical decision-making.
How should organizations span the chasm between the “go faster” mandate from the board and the “let’s tame the cyber-risk monster” philosophy of the CISO?
Cybersecurity consumption models must mirror IT consumption models, with heavy attention to actual usage patterns and how security maps to IT services. For instance, if your IT organization has adopted say, a DevOps process, your IT usage and availability profile could change every week, every day, or perhaps even every few hours. Security consumption must align with those IT-usage trend lines.
It’s helpful to view this process as a threelegged stool. First, there’s an operational need; second, the developers build the solution to meet that need; and, third, security must be bound to those operational and development cycles. Unfortunately, DevOps— so far—doesn’t typically include this security leg. Research indicates that about 80% of organizations are embracing DevOps, but far less have made the transition to DevSecOps.
DevOps cycles move faster and faster each day. Business leaders are demanding real-time adaptation of software to match operational requirements, and security must match that every step of the way. If not, new DevOps scenarios and requirements will have come and gone before the security team can figure out what was needed—yesterday. Hence, there’s a need to shift from DevOps to DevSecOps, where security is natively part of the DevOps process.
If your CISO isn’t able to be an equal part of this DevOps process, then he or she is going to need to prepare a really good explanation to the C-suite executive team and the board. The reality is the business will simply continue without their support.
Adopting a pay-as-you-go cybersecurity consumption model enables the agility, responsiveness, scalability, and cost efficiency today’s application-development and deployment cycles require. Organizations that hesitate moving this way are likely to find themselves over-investing in security capex and not being able to pivot on a dime when new risks emerge.
Case in point: I recently meet with a CIO who wanted to transform his company’s data center, and he told me it took an inordinately long amount of time re-architect, get approval, and roll it out. So much so that he admitted that, today, the center is already out of date. Getting caught up in monolithic, long-term investments simply doesn’t make sense if you wish to remain competitive in the increasingly digitized markets.
Which brings us back to that tension between the business side and the technical side when it comes to security solutions. Most business executives acknowledge that they lack in-depth technical chops in cybersecurity, so they tend to rely on their CISO for strategy and operations. But they do know this: They want to their data, their business processes, routes to market, their intellectual property, and their sources of competitive advantage to be protected against cyber threats. The CISOs, of course, want all this, too—but they often want it to be the result of a Rolls-Royce solution. The business leaders typically think that this is simply overspending and can take too long to implement.
The new agile consumption model allows organizations to create state-of-the-art, scalable, and affordable cybersecurity that aligns with digital transformation goals and the crucial need for more agility.
If your organization is going to have disposable IT as its new paradigm for digital transformation, and you intend to align cybersecurity with it, this changing world might leave CISOs feeling pressured to keep pace. But it doesn’t have to be a harrowing experience, especially if there’s a plan to move to a bythe-glass model for security, as well.
Remember: The goal is to discover and thwart breaches before they happen, and doing so against a rapidly evolving and increasingly innovative set of bad actors can become prohibitively expensive and very manpower-dependent. As noted above, bringing cybersecurity into the mix is that third leg of the stool. Pay-as-you-go security enables agility, reduces costs, and can speed response times (since there is no limit to capacity). The value of such a consumption model is clearly working in the cloud and for IT, and there is no reason we should not be embracing this same idea for cybersecurity.
Despite the accelerated pace of cloud computing adoption, concerns about security show few signs of going away. In fact, security concerns actually grew among cybersecurity professionals in 2018—reversing a multi-year downward trend. According to the 2018 Cloud Security Report, nine out of 10 cybersecurity professionals now say they are concerned about cloud security, an increase of 11% from the prior year’s survey.
If cybersecurity professionals are increasingly concerned, what does that mean for board members and other business leaders? It means it’s time to get smart about cloud cybersecurity so you know what questions to ask the pros and what issues to stay on top of. In today’s environment, what you don’t know can hurt you. Not only that, you can also get burned when you think you know something that is not necessarily accurate.
We spent time chatting with Tim Prendergast, Chief Cloud Officer, and Sean Duca, Vice President & Chief Security Officer for Asia Pacific at Palo Alto Networks. Together they helped us to identify—and expose—10 of the biggest security myths about cloud computing and security. So, without further ado:
Many business leaders are sold on the promise that cloud is less expensive than on-premises infrastructure. Theoretically, this may be true. Yet, when it comes down reality, they typically find that their organizations actually wind up spending more. “It’s not cheaper because they are not taking advantage of the cloud’s elasticity, because they don’t have the proper governance in place, and are not taking the time to work on it and make it cheaper,” Prendergast says.
Duca says organizations must develop an understanding of what the cloud can offer, and what it can’t. “Most organizations are not getting the efficiencies they need,” he says. “They are experiencing cloud sprawl and are starting to pull back.” It takes knowledge, experience and commitment, Prendergast and Duca say, to explode the myth that cloud is less expensive and, instead, turn it into a reality.
The business model of the public cloud providers is wholly dependent on security. They have invested many millions of dollars in security, have the most up-to-date technologies, most sophisticated secure operations centers, use shared threat intelligence, regional data centers—the works. “Nowadays a public cloud provider has world-leading security in every major geopolitical zone,” Prendergast says.
The problem for many organizations is they don’t understand the cloud’s shared-responsibility model. “Business and security leaders are afraid of losing control,” Duca says. “They can’t see it, touch, so they think they don’t have control. If they don’t understand the shared-responsibility model, they don’t understand what type of security is available to them.
This is the flip side of the shared-responsibility model. “Well,” the myth goes, “if I trust the cloud to be secure, once I set up my cloud, I’m done.” The catch, of course, is that the public cloud provider is only responsible for securing their infrastructure—you are responsible for securing your data and applications stored in that infrastructure.
“They will secure what they provide,” says Duca, “but what you put in there is your responsibility. Cybercriminals are still targeting your applications and stolen credentials. You need the ability to identify those threats and control who is accessing information.”
Prendergast likens cloud security to home security. “You have a house with doors, windows, perhaps an alarm. You have the tools, but you still have to lock the doors, close the windows, set the alarm. You have to practice good cybersecurity hygiene. The cloud is no more secure than you make it.”
Any cybersecurity or business leader who says his or her organization can’t use public cloud because of security or data privacy risks, is probably already deeply immersed in public cloud with some of their most important data and applications, Prendergast says.
“Every time we talk to a company and they say their data is too important to put in the cloud, we ask them what they are using for HR or customer relationship management,” he says. “Invariably the answer is either Workday or Salesforce.com or both. We ask if they are using Office 365 or other software-as-a-service applications. They say, ‘Yes.’ We explain that their most critical customer and personnel is already in the public cloud.”
Wouldn’t it be nice, says Prendergast, to live in a world of no new vulnerabilities. “If nothing ever changes, no one new ever logs in again, yes, you’re done. In the real world, the cloud requires ongoing care and feeding just like every other IT environment.”
Duca says business and IT leaders need a “cloud security mindset.” Cloud usage does not remain static. “You need to evolve. Cloud providers are making changes, and you will be making changes to your own software, who will be accessing data, etc. The threat environment changes too. One of the most common vulnerabilities is that people get complacent. What you may think is secure today, could change the very next day.”
Actually, one of the reasons to use public cloud is because meeting compliance and data sovereignty requirements can be a lot less complex. “Cloud providers have more tools and capabilities to check and measure what is going on,” Duca says. “With data sovereignty, they let you keep data in a particular region. It is typically easier to ensure this in the cloud than with internal networks, where data and applications can be all over the place.”
Prendergast says public cloud providers have cone a really good job of meeting frameworks for underlying compliance requirements. “You can inherit a lot of those controls,” he says. “Cloud is programmatic, so if you take proper advantage of what is available, you can use scripts and software to manage compliance all year long. It’s important to understand you have to work on it continually, so that compliance is continuance.”
“With public cloud, you don’t have a lot of the physical infrastructure you would normally have—setting up racks of servers, running cables, power, etc.,” says Prendergast. “It’s like walking into a data center where one day you had 500 servers and the next day you have 10. It looks like you were robbed. That’s just a normal day in the cloud. If the data center is hit by a distributed denial of service (DDoS) attack, it’s hard to add 100 physical servers. In the cloud, you just click a button and scale up to 1,000 servers and make the DDoS inert and just pay for the day. You can scale up in just two minutes.”
Once again, we return to the reality of a shared security model, not the myth that your data and applications will automatically be exposed on the internet. “What you expose is up to you,” Duca says. “It’s your own perimeter. You can leverage the cloud to just host your apps and not put data there.”
Prendergast says this myth may come from the word “public” in public cloud. “Public means anyone can use it, not that your data is public,” he says. “The only thing exposed is what you want to have exposed. You have options to use virtual private networks, virtual private clouds, servers with no internet access. You are in full control, it’s all a matter of how you set up and manage that control.”
This is a myth that may have been perpetrated by a dynamic in which DevOps teams turned to public cloud because they couldn’t afford to wait for legacy purchasing and deployment processes. This accelerated time to market, but it also may have introduced security gaps. It doesn’t have to be this way anymore.
“We’ve seen with DevSecOps that security should be part of teams, embedded in development approaches, whether in cloud or on-premises,” Prendergast says. “They key is to treat security as a feature. The myth is that you can’t do rapid development and security in the cloud. The reality is that cloud is actually an enabling technology for DevSecOps.”
Duca says cloud easily supports DevOps advances such as containerization and microservices. “You can decouple the development of code, push changes out, manage change processes through agile development. All of this can accelerate innovation, time-to-value and quality control.”
The survey from Cybersecurity Insiders asked respondents to identify their main barriers in migrating to cloud-based security solutions. By far their main barrier was “staff expertise and training,” cited by 56% of respondents. Next were data privacy at 41% and lack of integration with on-premises security at 37%.
The myth is that the same people who have built and managed your on-premises data centers can’t adjust to the cloud era. This doesn’t give them enough credit, Prendergast says. “What we’ve always seen is that many IT people are excited and challenged by technology advancements,” he says. “Cloud is the new thing and many of your best people will make the transition naturally. You don’t have to replace them; you have to encourage and support them.”
The good news is that many organizations are already heeding that advice. Decision-makers were asked by Cybersecurity Insiders: “When moving to the cloud, how do you handle your changing security needs?” Nearly 60% responded: “Train and/or certify current IT staff.” Again, it was the Number One response to the question.
When it comes to the cloud, the opportunities for business benefits are too powerful to ignore—agility, cost savings, time-to value and digital transformation, to name few. The security issues are also too powerful to ignore, which is why your teams must be focused on the real issues, and not the myths. When it comes to cloud security, it’s time to get real.
Too often, organizations have a fractured situation.
OOpen source tools have unleashed business speed and flexibility that was unimaginable only a few years ago. But unless you’re very careful, deploying open source components in large numbers also wracks up a lot of “technical debt”—and that can result in security risks, according to Kevin Behr, chief scientific officer for PraxisFlow and author of The Phoenix Project: A Novel About IT, DevOps and Helping Your Business Win.
Technical debt was best explained by Saša Zdjelar, ExxonMobil’s Software Security Group (SSG) Supervisor, as “the cost tomorrow of a shortcut from yesterday. Each time you make a sub-optimal technology decision, you’re incurring debt for future re-engineering and refactoring of the cost of that decision.” Technical debt can accumulate rapidly during software development for businesses where there is no finish line, and operations keep moving faster and more frenetically. “It’s not an easy problem to solve because there are so many potential landmines,” states Tim Prendergast, chief cloud officer at Palo Alto Networks.
Perhaps most critical to paying off your technical debt, Prendergast says, is “Having people who really understand open source components, how they fit together and how they’re used.” This includes public cloud migrations that frequently add to the accumulation of open source code and technical debt. Solving technical debt requires an organization to address deep open source issues, like understanding the limitations of open source tools, recognizing how gaps and vulnerabilities occur in them, how they create exposure to breaches and break-ins, and how each open source community addresses flaws embedded in its components.
As modern businesses move faster and become more complex, software, too, has increased in complexity. Add in public clouds used by rogue business and development groups and you have the makings of a security nightmare. “The more code you have, the more bugs you have. When you introduce DevOps and micro-services you’re creating a very complex architecture with inherent security risks,” observes Azzedine Benameur, senior researcher in the Cyber R&D Lab at Accenture.
A primary reason for accumulation of technical debt is the lack of a framework— including a governance structure—to manage open source components. In some cases, Prendergast says, legal, technical and practical issues can collide. “Too often, organizations have a fractured situation. Legal experts make decisions without any knowledge of licensing fees or security, while a security group doesn’t acknowledge legal issues or understand how developers work,” he explains.
DevOps presents particularly vexing challenges, author Behr says. The whole point of a DevOps initiative is to remove red tape and streamline processes. “But the situation can create a Frankenstein of technical debt. If you’re not careful you find yourself adopting an endless array of one-off solutions. Debt piles up as people make quick choices that aren’t part of an integrated and coordinated plan,” Behr explains.
Like enterprise risk, “Technical debt is not something you ever completely eliminate,” says Prendergast. “The goal is to reduce technical debt and, along with it, risk exposure in the cybersecurity space.” This includes open source components used in public clouds. He identifies three primary ways to address the challenge.
Prendergast suggests five core criteria for selecting open source solutions: your ability to operate, manage and support the component; whether you can extend it in the future; its security framework (including how long it takes for a group to patch vulnerabilities); potential licensing or legal issues; and its long-term viability.
Ultimately, says Behr, “It’s important for executives to understand the conditions and trade-offs that lead to technical debt. The end goal is the adoption of open source components that lead to fluidity, reliability, sustainability and value.”
...such a broad attack surface, in an always-on environment.
When I think of the future of cloud computing, I automatically think of my teenager. Then I smile. Broadly.
Cloud and my teenager have a lot in common, especially as they continue to grow in size and capabilities. Of course, my teenager doesn’t improve organizational agility, scale exponentially to keep up with new workloads, or come with a predictable subscription-pricing model.
And in much the same way I think a lot about my teenager’s physical and emotional security, I spend a great deal of time in my business role thinking about cloud security.
Cloud computing has gone through dramatic changes in its short and rollicking life. It has quickly and boldly transitioned from a helpful, tactical resource to reduce costs and speed the delivery of IT services to become an important, strategic way to allow organizations to do more and better utilize our valuable people resources.
Now, cloud is quickly becoming a transformational source, opening up vast avenues of new opportunities to make our organizations and our communities more connected, useful, agile, and secure.
Exciting technology advances are dramatically accelerating the pace of innovation in and around the cloud. The growing symbiosis of cloud and artificial intelligence is changing everything from how healthcare organizations are using AI in the cloud to better mine data for better patient outcomes to how airline companies are reducing costs and improving safety using an AI-hypercharged cloud for real-time weather updates.
As I said earlier, I worry all the time about my teenager’s physical and emotional security. But I also have a measured sense of optimism and confidence about the future of their digital security. And that’s because I’m incredibly upbeat about what the cloud community of suppliers, agents, and users has been able to do with security, and what we are all likely to do as we move into the transformative future of the cloud.
Let’s be clear: I’m no Pollyanna when it comes to the target-rich environment that the cloud has become and what it will be in the future. The potential threat vectors presented by hackers, organized cybercriminal gangs, and bad state actors over the next several years are breathtaking. So, it’s important for all of us to know what we’ll be up against as we necessarily and deliberately rely and depend on the cloud.
With more and more data—and with more of that data deemed mission critical—created, stored, and managed in the cloud, bad actors will naturally take aim. Developments like the Internet of Things are a great example of why: The fact that the IoT represents a multi-trillion-dollar target makes it a gigantic target for the bad guys. This is becoming even more an issue as “smart things” are connected to the cloud without sufficient integrated security or as users fail to adopt proper security hygiene.
With such a broad attack surface, in an always-on environment, fraudsters have already exfiltrated data and caused cyber mischief. So it’s up to us to do more. A lot more.
Already, some things are happening. One of the best is the imminent demise of passwords, which are giving way to biometrics and other steps in multi-factor authentication. Still, we cannot underestimate the intelligence, creativity, and determination of hackers, whether they are lone wolves (which they rarely are), part of digital crime syndicates, or state-sponsored bad actors.
They are coming after us in the cloud, and they will amp up their efforts in the cloud of the future. There’s good news, however: We’re all ramping up and fortifying our cloud security frameworks in anticipation of more penetration attempts.
Already, cloud environments are being fortified with machine language engines to analyze global data points in the hundreds of billions of cloud-based transactions. AI and machine learning normalize the and push out attack indicators that are more meaningful, timely, and accurate. This will make our detection efforts far better—an order of magnitude better, in fact.
Security is one area that really benefits from a large, wide, and deep cloud environment, because with the right analytics tools and enough processing power, global decision-making becomes easier and more accurate.
Cloud security also will become much more automated; again, machine language tools will drive huge process improvements in developing and deploying automated defenses. This will take considerable pressure off overworked security administrators and security operations centers to manually detect and thwart attempted intrusions as simple as garden-variety viruses or as insidious as malevolent ransomware.
In short, the cloud of the future is going to be a digital fortress, more robust and resilient than ever. Cloud security will be more intelligent, more automated, and more discerning, driven by advances in AI, machine learning, quantum computing, and other transformative technologies. Cloud security also will be designed and implemented with more of an eye toward a positive user experience, making security steps less obtrusive to the user and less likely to impact our business productivity or our personal enjoyment.
As my child entered the exciting world of teenage-dom, I began to focus on what the future held and how my teenager would make their mark on the world.
I feel the same about cloud. As the cloud has evolved from a helpful business tool to an important resource, to the point where it is now transforming so much of our work and personal lives, I am exhilarated when I allow my imagination to run free and envision what the cloud of the future looks and feels like.
Maybe my teenager will even help shape the cloud of the future in some meaningful way. But I know one thing for sure: The cloud will change their world much, much more in the coming years than it already has changed mine.
The benefits are not just in cybersecurity, but also disaster recovery and business continuity.
If you are a board member or business executive and start hearing your IT development, operations and security teams start talking about a “shift left” you should pay careful attention. It could be one of the more important decisions your teams can make in terms of both accelerating speed-to-market and improving security protections.
In the parlance of DevOps and security, a shift left simply means that security is built into the process and designed into the application at an earlier stage of the development cycle. The goal is to increase quality, reduce the amount of time required for testing and, perhaps most important, mitigate the risk of security problems at the end of the cycle, when it is much more expensive and time-consuming to make fixes.
In the past, development teams have been somewhat reluctant to shift left because of concern that involving security personnel too early in the process would cause delays and complications. However, the world of DevOps has changed dramatically in the past few years, and shifting left is not only more viable, it is fast becoming a best practice in the worlds of both DevOps and security.
Cloud computing has one of the key change agents in allowing DevOps and security to shift left. Public cloud services enable DevOps teams to spin up infrastructure much more quickly than ever before. Cloud also enables DevOps to accelerate cycles through faster and more reliable testing and by leveraging technology innovations such as containers and microservices, which make it faster and simpler for teams to collaborate.
One of the most critical benefits delivered by the cloud is automation. Because many of the tasks in the cloud are highly automated, it makes it much simpler for DevOps teams to do both continuous testing and continuous deployment, which are essential practices for organizations looking to shift left and incorporate security earlier in the cycle.
I’ll give you an example from my own experience. I’ve been part of both the DevOps group and the information security group in my organization. Several years ago, we began increasing our use of automation and saw a lot of value in that. At the same time, our executive team was unsure how our organization was going to incorporate the cloud and how to approach it.
We decided to leverage public cloud to see if we could improve our speed and agility in developing applications. The results were well beyond our expectations. Previously, it had taken about 45 days to deploy a mid-size application. When we shifted DevOps to the cloud, we were able to develop a comparable app in one hour. From 45 days to one hour is a remarkable achievement, particularly in today’s world of rapid innovation and highly “consumerized” customer expectations.
With that experience, we decided that we wanted to move forward, which was when we created our DevOps group and continued with automation. The results have been so successful, we’ve made a decision to go all-in with the cloud for our entire organization. Our current philosophy is: If we can move an application to the cloud we are going to do so—as long as we know that we can secure it properly.
Ensuring that we can secure each application in the cloud has necessitated a shift left for our organization, so that we are defining and configuring security at the beginning of the development process and not at the end. It has also required us to make sure that our teams understand one of the core concepts of cloud security, which is that it is a shared-security model. Our cloud provider is responsible for certain aspects of security, and we are responsible for certain aspects, including our applications.
While public cloud has been a critical catalyst in our ability to shift left with security, we would not have been able to do so as easily or successfully if it were not for technology innovations in the world of security as well. Without getting too technical, one example of a new technology helping us shift left is an open-source solution called Terraform.
Basically, Terraform gives us the ability to modularize the security policy, so it lives with each application and is vetted, approved and defined throughout the application’s lifecycle. When we need to change security policies, it is much easier. And, when the application goes away, the policy is removed from the firewall. This not only helps with security; it also helps with compliance and auditing because you have an audit trail of any policy changes made in the application.
By embracing public cloud and shifting left with DevOps and security, organizations can see significant benefits in cost savings, quality control, speed to market and even corporate culture. At my organization, we are seeing rapid acceleration in the way we’re able to remediate applications and, at the same, we are significantly increasing our security.
We are reducing risk to the organization at multiple levels. We can deploy infrastructure and applications at a quicker pace, and we can mitigate the risk of ransomware in the cloud because we have more agility in securely redeploying our applications if our servers are locked.
The benefits are not just in cybersecurity, but also disaster recovery and business continuity. In the case of a natural disaster, we can redeploy our servers in another location. By integrating security into our deployment strategies, we have greatly enhanced our ability to do all of those things in an expeditious manner.
One of the additional benefits, at least in our organization, is a culture shift. Our teams are more collaborative than ever before. In fact, we are building a whole new campus designed to encourage that type of collaborative culture. It really feels like everyone is on one team.
Executives in the boardroom and executive suite don’t necessarily need to get too deep into the weeds when it comes to DevOps and security. But they do need to encourage their teams to be innovative in leveraging technology to accomplish key business imperatives.
DevOps and security teams, working cohesively in a cloud environment, can be empowered to reduce risk, accelerate speed to market and improve your overall cybersecurity posture. Particularly if your teams are ready, willing and able to shift left.
Countless regulations and standards have a big impact on how, when, where, and why you move important data, applications, and workloads to the cloud.
If you are like a lot of business executives I know, your head may be spinning over the onslaught of “cloud talk” these days: Cloud services, cloud security, cloud governance, cloud deployment, cloud this, cloud that. Admit it: When your CIO stands at a leadership committee meeting or presents to the board, and talks about adopting a cloud-first mentality, you are not sure whether to pat him or her on the back, or show them the door.
But do not let the jargon and potential confusion slow down your journey to the cloud. And one of the biggest things to keep in mind is how to account for regulations and standards in ensuring that you move ahead aggressively and securely to the cloud.
The industries where cloud not only has the greatest potential for good, but also the biggest challenges to overcome, tend to be the most highly regulated markets. Industries such as healthcare, government, and financial services are usually at the top of that list, but there are plenty of other industries where regulations, mandates, and government-imposed standards can make an organization’s journey to the cloud a tricky one. Does your organization have publicly traded stock or debt? Welcome to the world of Sarbanes-Oxley (SOX). Do your customers buy goods or services using payment cards? Say hello to PCI.
These and countless other regulations and standards have a big impact on how, when, where, and why you move important data, applications, and workloads to the cloud. Sorting this out requires you to do your homework and make smart decisions about your use of the cloud in a highly regulated industry. But let me emphasize that you do not have the option to turn away from the cloud just because regulatory compliance may be tricky.
Take SOX, for instance. Part of that act is a requirement of separation of duties, where developers are not allowed to directly push their code into a production system. But in a world where DevOps is fast becoming standard operating procedure, moving code to a completely different group of people who have not been involved in the process up until that point runs directly counter to what DevOps is all about. You end up with more silos, which adds complexity, inefficiency, and speed bumps.
Rather than just throw up their hands and blame the regulation, business leaders must empower their DevOps teams—working in concert with their InfoSec colleagues from the start—to develop and implement new policies that (A) account for the regulatory requirements, but also (B) operate smoothly in a cloud-first mindset.
Sounds tricky, right? Yes, in fact, it can be. But business leaders must listen to their DevOps, security, and compliance teams, which increasingly are collaborating on ways to support the letter and spirit of the standard without slowing down the DevOpsand-cloud locomotive. This is our “new normal,” and business leaders know that this is being done on an enterprise level at scale.
If FUD—fear, uncertainty, and doubt—is holding back your organization about cloud adoption amid the web of regulations and standards, you are not alone. But since when do organizations succeed by being cautious? Embracing cloud and DevOps in a secure, compliant manner is being done all the time-it is a movement that cannot be slowed, let alone stopped, by regulatory concerns.
So, what should business executives and boards of highly regulated organizations do when it comes to balancing the “need for speed” personified by cloud and DevOps with regulatory governance?
For instance, how data is handled in the cloud is fundamentally different from how it has been done in the data center, and many regulations were written in the pre-cloud timeframe. Fortunately, many standards have been written in ways to allow for a broader, looser, or newer interpretation in a cloud environment rather than in a physical, on-premises environment. Suppose there is a statute that you’ve always interpreted as “you must have virus protection on your servers.” But when you examine the statute more closely, it may actually say something different. For instance, in the HiTrust compliance standard for healthcare, it says, “Detection, prevention, and recovery controls should be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.” That is a big difference, because that allows you to rewrite policies that account for containers, immutable servers, or server-less computing.
Your teams have to do that kind of work--examine the regulations and interpret them in a modernized, real-world context where cloud, not on-site physical data centers, is the standard. This means your compliance and governance teams must work as closely and as collaboratively as possible with your DevOps teams and cloud architects. Even though many in-house compliance teams are hard-wired to block anything that may feel remotely close to a regulatory fault line, business leaders need to strongly encourage them to find ways to help the cloud and DevOps teams get what they need.
At the end of the day, it comes down to basic blocking and tackling:
Adopting a cloud-first mindset is increasingly becoming a smart way to compete in the era of digital transformation—even for organizations in regulated industries. Avoid taking the easy way out and avoid the cloud and DevOps because you are uncomfortable re-evaluating your regulatory requirements.
The old story about the tortoise and the hare might be fine for putting your grandchildren to bed, but I prefer “the race goes to the swift.” And today, that means a cloudfirst mindset.
‘Connected things’ is really a full business ecosystem, not a point solution or an individual application.
Inflection points often become inflection points because of the convergence—sometimes planned, sometimes serendipitous—of multiple factors. It happened with the ascent of air travel, television, professional football and the internet, to name just a few. And it’s happening today with the convergence of cloud computing and the Internet of Things.
Simply put, cloud computing is becoming more important than ever due to IoT, and IoT’s long-term success and incalculable impact on global communities and economies is heavily driven by the cloud.
In this way, it’s easy to spot and acknowledge the indelible link between IoT and the cloud. In fact, this mutually beneficial relationship can be represented in a powerful and apt metaphor: “IoT is the eyes and hands of the cloud.”
What do we mean by that? In essence, cloud computing becomes more useful and a greater contributor to organizational success when it is fed by insightful data—data that is seen (eyes) and moved (hands) by a seemingly endless volume and variety of both advanced and everyday devices. “Those devices are typically small in both footprint and in vital elements such as operating systems and memory, and they need the cloud to be the location where data access and telemetry take place,” according to Tim Prendergast, chief cloud officer at Palo Alto Networks. “Cloud is the best place to take a centralized look at patterns of behavior among those devices; it’s the central nervous system for this globally connected IoT.”
At the same time, the unlimited capacity and scalability of the cloud is meaningless unless the data stored, analyzed, managed, and presented by the cloud is relevant and accurate. Take a common industrial process like semiconductor chip baths. Those baths must be kept at a certain temperature, or else production yields will be impacted and bad parts will slip into the manufacturing supply chain. “We don’t just need more data, we need more accurate data,” notes Jamison Utter, business development manager at Palo Alto Networks. “Sensors act as our eyes by giving us visibility into real-time conditions in those baths, and then they act as our hands by actually acting on the data, such as adjusting the temperature in the bath when it goes out of the prescribed operating parameters.
“IoT is great, but it’s not that interesting by itself,” he adds. “We need the cloud to do that; but the cloud also isn’t nearly as important without a reliable stream of real-time data from new sources. That’s what IoT does for the cloud.”
So, what should business leaders do when it comes to getting the most value out of this powerful combination of IoT and the cloud?
Remember that ‘connected things’ is really a full business ecosystem, not a point solution or an individual application,” according to Utter. “Otherwise, your teams will be creating more and more information silos, rather than turbo-charging your organization with powerful insights.”
Corner-office executives and board members also need to keep in mind that actionable intelligence gleaned from IoT systems can only be properly captured, analyzed, managed, and acted on in the cloud. “The cloud is the best place to review patterns of how and where data is accessed, and to generate the telemetry necessary to find patterns, anomalies, and ‘ah-ha’ moments,” said Prendergast. “And the tie-in to cybersecurity is critical,” he added. “Without the capacity, power, and intelligence in the cloud, it’s far more difficult to see things that shouldn’t be happening with your connected things, like postage meters downloading documents.”
Finally, executives need to ensure that IoT is treated as a cloud-powered and cloud-enabled system that aligns with business objectives. “Don’t separate your business unit personnel who will be using the information generated from IoT from the technical teams building and managing those systems,” said Utter. “The only way to drive true symbiosis between IoT and the cloud is to ensure you treat them as part of your overall business ecosystem, where all your data points, sensors, and inputs, from all around the world, all connected in the cloud. That’s where the true business value of your cloud comes, and where IoT acts as the eyes and hands of the cloud.”
Containers enable software to be broken down into smaller chunks that can be checked more frequently.
Until recently, if you overheard your company’s CISO mentioning Docker, you might have assumed he or she was talking about casual Friday attire. Now, however, you probably could identify Docker as the leading name in containerization, an increasingly important element in your organization’s strategy for digital transformation.
And you’re about to hear a lot more about containerization as your journey to the cloud accelerates. Containerization is important to more than your technical teams; business leaders need to understand it as well, particularly because it has significant cybersecurity implications.
Most business leaders have become familiar with the notion that applications are being developed and deployed differently— faster, in more frequent bursts, and in the cloud. This puts containerization at the intersection of two important trends–the accelerated adoption of cloud for a wide range of business tasks, and DevOps, the tight, agile relationship between software developers and the business groups that benefit from that software.
After all, the value for any organization’s IT investments is in its applications, and containers represent a major step forward in the process not just of developing those applications, but also in how fast they deliver measurable business value. And at the heart of this trend is business agility, according to Tim Prendergast, chief cloud officer at Palo Alto Networks. Containers “promote portability, so applications can move easily across environments–on-premises, a single cloud, or multiple clouds–with low friction,” he points out.
One way to think about the value of containerization is to consider what it was like to share documents before the introduction of Adobe’s Portable Document Format (PDF) solution. Today, we don’t worry about translating or recoding documents written in one environment, like Windows, but that need to be shared and read in many other formats such as an iPad running iOS, or an Android-based smartphone. PDF normalized documents into a single format, and containers are doing the same thing for applications that can be used in any physical or virtual computing environment. This means your developers can revise and update code anywhere, anytime, and on any type of system because they are using the same development environment as when they’re in the office working on their production systems.
And as DevOps becomes both commonplace and essential in helping organizations navigate their way to becoming truly digital businesses, containers become indispensable tools. One of the big attractions to containers centers on our favorite subject: cybersecurity.
Instead of developing and deploying large, monolithic blocks of code, containers enable software to be broken down into smaller chunks that can be checked more frequently and quicker when new threats emerge. Container infrastructure vendors like Docker and others have made cybersecurity a big priority and have integrated stronger security defenses into their tools from the start.
But that doesn’t mean you can take cybersecurity for granted as your organization embraces containers. Containers are not necessarily a new technology, but they are newer to enterprise use; that means attention must continue to be paid when using containers to ensure that the same cyber hygiene and best practices traditionally used in software development are applied to containerized applications.
There is the reality, as well, that bad actors will be drawn to containers by the very fact that they are new and a hot topic. “There are going to be zero-day exploits that will be attempted, and the bad guys are likely to be aggressive,” according to Prendergast. “Any new technology has an Achilles heel, so you need to re-evaluate your risk profile.” On the positive side, however, “If you are worried about the potential for a container being compromised, you can simply kill that container and launch a new one in seconds,” he said. “You don’t have to worry about replicating the fix across multiple web servers; it’s easier, faster, more efficient, and safer.”
He also points out that, as containers gain more acceptance and are more widely used for DevOps projects and as a facilitator of digital transformation, the container tools developers will undoubtedly step up their game when it comes to security and will finetune to mitigate known vulnerabilities.
Still, it’s important for business executives to ask some pointed questions when their IT execs talk about container adoption. These include:
In the end, business leaders don’t need to worry about how containers work–only that they are a good fit with their goals of more closely aligning how applications are developed and deployed with the needs of business users who benefit from that software.
The reality is that the public web and cloud services, are no more innately secure than any other traditional hosting options.
There are several widely accepted truths about public-cloud services of varying levels of veracity—that they are cheaper, more flexible, and can be more quickly deployed. Perhaps none is more dangerous, however, than the assumption that the cloud is, by nature, more secure.
Just last year: Four million customers of a U.S. cable provider were exposed to the Internet after a contractor failed to properly secure a public-cloud database; hackers stole from a professional-services firm millions of emails stored in a public cloud containing confidential communications and the plans of some of its biggest clients; six million customer records were made public online after a telecom provider’s CRM vendor failed to limit external access to public-cloud servers.
Many business leaders assume that, when they enter into a contract with a public-cloud vendor or any other web-service provider, they are signing away their responsibility for the protection of the data stored outside their own resources. The reality is that the public web and cloud services, for all their benefits, are no more innately secure than any other traditional hosting options.
What actually happens when you ink a deal with a public cloud or web service is what we call the “uneven handshake.” The vendor does agree to provide you with an array of services, but they do not assume responsibility for managing your cyber risk. Instead, they provide you with a number of options for how you might set up and configure their security tools.
Cloud- and web-service providers go to great lengths to absolve themselves of any obligation to protect their clients’ data, from their six-page, four-point type online contracts (that nobody ever reads before hitting Accept) to their security-related FAQs and training tools. Some even incorporate into their dashboards an explicit reminder that users, by default, are exposing their data to the public Internet. Many clients still assume that if a breach were to occur, landing them in some legal hot water, their public-cloud vendor will sit next to them in court. However, cloud providers have done everything in their power to make sure they will never have to do that.
It’s great that cloud providers offer customers a few options for setting up and configuring their cybersecurity. However, it’s a mistake to assume that the choices they provide are sufficient for every company’s needs.
The good news is that the zero-trust approach that leading companies have taken to secure their own IT environments can also be used to mitigate cyber risk in their digital-business initiatives. While, at one time, we assumed that everything on the inside of an organization’s network could be trusted, the increasing frequency of successful cyber-attacks built on exploiting that trust disabused us of that notion.
Traditional, perimeter-centric security strategies failed to provide the adequate visibility, control, and protection of user and application traffic. Enter zero-trust architectures, applying the principle of “never trust, always verify” to all entities—users, devices, applications, packets—regardless of what they are and their location, relative to the bounds of the corporate network.
It’s become clear—through the experience of the many companies that have dealt with breaches of their web- and cloud-based data and digital services—that exploitation of trust is as much of a risk in the public cloud as it is in the enterprise data center. Leveraging public-cloud services for digital-business efforts can change who owns and maintains the base architecture, but it does not mitigate or transfer cyber-risk responsibility.
A public cloud service might have a great security model, but it’s not necessarily the right security model for all their customers. They may not be subject to the same regulations, have the same customer demands, or handle the same types of sensitive intellectual property as their clients. That cloud vendors provide basic security and infrastructure patching is a tremendous value. However, their priority is maintaining and monetizing their cloud infrastructure, not becoming a managed-security provider. It’s the customer’s responsibility to protect their data as robustly as if it were sitting in their own headquarters.
Thus, when enterprise leaders are thinking about entering into a cloud agreement, it’s critical that they start thinking about a security model for protecting the digital business. What’s more, as most companies are in multi-cloud environments, they must be able to put in place and oversee a strategy that encompasses multiple platforms in multiple locations, where regulations can vary dramatically.
By establishing zero-trust boundaries— just as they would to effectively compartmentalize different segments of their own networks—companies can better protect critical data hosted in the cloud from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the movement of malware throughout their network.
While enterprises across industries are eager to leverage the public cloud to build their digital-everywhere businesses, they must balance its benefits with their responsibility to keep sensitive data—personal health information, personally identifiable information, intellectual property, payment card data—secure. A workload containing such data must be more strongly protected that one with more benign data.
Too often, business leaders do not fully appreciate the true value of, and risk to, the data they deploy to the cloud, and the risk they expose their organizations to when they fail to secure it properly.
So, what actions can be taken to better protect data in the public cloud?
The cloud is not an “easy” button. It’s only reasonable that there will be some anxiety about migrating certain data types to it, but that can fuel honest conversations about what is cloud-appropriate, what’s not, and how to your security teams will protect the workloads that are already there.