Strategic Cyber Ventures has invited a number of people we admire to contribute to our blog. This week: JD Sherry, Vice President & GM, Cloud Security & Strategy at Optiv.
Security OF the cloud versus security IN the cloud… This is by no means intended to be a riddle. In fact, the irony is that cloud computing has solved many riddles that have plagued IT and businesses for decades… How do you get technology deployed at the speed of business? Cloud computing has caused a transformation in how we innovate and bring new products/services to market, essentially creating new markets at click speed. Speed of business via technological innovation doesn’t come without risk. Operational risk must always first be quantified and weighed against the associated and intended positive outcomes for the business. Cloud computing adoption and consumption must use the same calculus. This is where the slogan “Shared Responsibility” comes to the forefront. Just because you “put it in the cloud” doesn’t mean it is secure by default. Education on what the shared responsibility model means is essential to reduce the probability of a breach in the cloud.
Gartner predicts that by 2020, 95% of the breaches occurring in public cloud ecosystems (SaaS, IaaS, PaaS) will be due to a customer issue, not the cloud service provider. While I agree that there is some FUD (Fear, Uncertainty & Doubt) in this prognostication, there is certainly history that supports this prediction. The basic blocking and tackling has to be addressed in the cloud the same way as it does on premise. Most organizations grapple with these challenges inside their own four walls and will continue to do so as they move workloads into the ether. Some of these disciplines include data protection, system hardening, vulnerability management, asset management and incident response, to name a few. Not only do processes need to be evaluated, but technology platforms do as well. Something that has served you well on premise may not be so accommodating in the cloud. Controls you use on premise today may not exist in the same capacity either. Lastly, human resources need to be rebooted to fully understand and successfully embed security into their cloud DNA. Skill sets must be leveled up.
Much like virtualization changed the way we did compute in the mid-2000s, cloud is virtualization’s big brother on steroids. The sheer number of services that can be spun up in minutes allows for attack surfaces to widen. The calculus alone tells you that with more variables in the equation, your chances of getting the answer wrong increase exponentially. Fundamentally, this leads to increased risk and the chance that a client will suffer a breach under the shared responsibility model. To reverse this curve, clients need to embed cloud security into their operational rhythm. This requires thoughtful planning with many stakeholders in the organization, and it goes beyond just IT and security. Market forces are demanding rapid innovation and technology capacity. Cloud is the vehicle. Getting the business involved in the security and architecture strategy is essential for shared responsibility to be identified, addressed and maintained.
Cloud can certainly be nebulous. Without a proper strategy on how to secure it, issues will most likely occur and could have the potential to cause significant impact to your business and brand. “Know before you go” could not be more applicable as you consider moving more services to the public cloud and reaping all the benefits that it affords. Lastly, cloud is no longer an emerging technology and is safe to touch! In fact, AWS (Amazon Web Services) celebrated its 10th anniversary last year. Many innovative businesses are being “born” in the cloud and many are evolving to gain competitive advantage. I believe Malcolm Gladwell would call cloud the ultimate outlier! AWS launched S3 in 2006 and hasn’t looked back. Now there are more mature services across its platform, as well as Microsoft’s and Google’s. This means great things for consumers. Competition drives prices down and innovation up. This is the classic recipe for seismic transformation. We live in truly amazing times!