Vice President, Cloud Security and Strategy
As vice president of cloud security and strategy in the Office of the CISO at Optiv, Sherry focuses on security and compliance aspects that enable clients to be successful in planning, building and running their cloud ecosystems, spanning across private, public and most commonly hybrid cloud computing environments.
Cloud Powered Without Compromise
Security OF the cloud versus security IN the cloud.
This by no means is intended to be a riddle. In fact, the irony is that cloud computing has solved many riddles that have plagued IT and businesses for decades except for one – how do you get technology deployed at the speed of business? Cloud computing has caused a transformation in how we innovate and bring new products/services to market, essentially creating new markets at click-speed. Speed of business via technological innovation doesn’t come without risk. Operational risk must first always be quantified and weighed against the associated and intended positive outcomes for the business. Cloud computing adoption and consumption must use the same math. This is where the slogan “shared responsibility” comes to the forefront. Just because a company “puts it in the cloud” doesn’t mean it is secure by default. Education on what the shared responsibility model means is essential to reduce the probability of a breach in the cloud.
Gartner predicts that by 2020, 95% of cloud security failures will be the customer’s fault.1 While I agree that there is some FUD (fear, uncertainty and doubt) in this prognostication, there is certainly history that supports this prediction. The basic blocking and tackling has to be addressed in the cloud the same way as it does on-premise. Most organizations grapple with these challenges inside their own four walls and will continue to do so as they move workloads into the ether. Some of these disciplines include data protection, system hardening, vulnerability management, asset management and incident response, to name a few. Processes need to be evaluated, but so do technology platforms. Subsequently, something that has served a company well on-premise, may not be so accommodating in the cloud. Controls used on-premise today may not exist in the same capacity in the cloud. Lastly, employees need to be rebooted to fully understand and carry out successful, embedded security into their cloud DNA. Skill sets must be leveled-up.
Much like virtualization changed the way we computed in the mid-2000s, cloud is virtualization’s big brother on steroids. The sheer number of services that can be spun up in minutes allows for attack surfaces to widen. The math alone tells you that the more variables in the equation, the chances for you to get the answer wrong increases exponentially. Fundamentally, this leads to increased risk and the chance that a company will suffer a breach under the shared responsibility model. To reverse this curve, companies need to embed cloud security into their operational rhythm. This requires thoughtful planning with many stakeholders in the organization and it goes beyond just IT and security. Market forces are demanding rapid innovation and technology capacity. Cloud is the vehicle. Getting the business involved in the security and architecture strategy is essential for shared responsibility to be identified, addressed and maintained.
Cloud can certainly be nebulous. Without a proper strategy on how to secure it, issues will most likely occur and could have the potential to cause significant impact to a business and brand. “Know before you go” could not be more applicable as companies consider moving more services to the public cloud and reaping all the benefits that it affords. Cloud is no longer an emerging technology and is safe to touch! In fact, Amazon Web Services (AWS) celebrated its 10th anniversary last year. Many innovative businesses are being “born” in the cloud and many are evolving to gain competitive advantage. I believe Malcolm Gladwell would call cloud the ultimate outlier! AWS launched S3 in 2006 and hasn’t looked back. Now there are more mature services across their platform, and Microsoft and Google are also increasing their cloud capabilities. This means great things for consumers. Competition drives prices down and innovation up. This is the classic recipe for seismic transformation. We live in truly amazing times!