Not everyone would describe cloud security as "very exciting," however, the four expert panelists who joined us on our series of SecureWorld Remote Sessions for a Q&A hour all certainly shared this sentiment.
The panelists spoke on cloud migration, the state of the cloud during the pandemic, the DevOps pipeline, and more. Below is a short summary of the webcast, so be sure to check out the full episode.
Meet the cloud panel
Each member of the cloud panel started with opening statements on the topic. Here are excerpts.
Jon Allen, VP, IS Security Officer, Catalyst Corporate Federal Credit Union:
"We started our digital transformation journey about two years ago, and I have to say at the beginning of that journey I was… extremely worried and nervous. But at the end of the day, once I was able to wrap my head around it, and start to map features, and functions, and tools to the commonplace things that I’m used to working with in security today, it really sort of just came together. I’m extremely excited about our future in the cloud, especially with our current situation requiring more work from home types of situations, and opportunities."
Jonathan Nguyen-Duy, Vice President & Field CISO, Fortinet:
"My role is to take the 20-odd years in cybersecurity I’ve had, and marry that with the Fortinet Security fabric, and apply a lot of the lessons learned… including root-cause analyses of over 16,000 data breaches. I think digital transformation is really exciting. The cloud has lots of opportunities. My main concern is how are we going to apply some of those hard lessons about cybersecurity before the cloud, going into the cloud, and what it’s going to look like as we progress further."
Grant Asplund, Growth Technologies Evangelist, Check Point Software Technologies:
"I kind of think it all started really when we all decided to jump from our own individual lakes and ponds and get into this same big ocean called the internet we standardized. That created some interesting new challenges because we started off, I think, in the wrong cadence. We didn’t original start at ‘how do we protect the data’ and then work out. We did just the opposite. That’s something we’re going to have a hard time shaking loose, and as we’ve evolved into this perimeterless, completely software defined world, we’re all moving at the speed of light… there’s not always a lot of time to learn all this new stuff."
Aaron Ansari, Vice President, Cloud One, Trend Micro:
"I represent Cloud One for Trend Micro. It’s a platform that will allow you to have complete visibility into your cloud. So, all the problems that were just described by my predecessors, are well managed, and you are at least given the intelligence you need to make informed decisions on workloads, network, and your cloud posture."
How has the pandemic changed cloud and cloud security?
"I see the pandemic as accelerating the macro trends in digital transformation…. What we’ve seen are the firms that were cloud native before the pandemic had a pretty distinct operating advantage to those that were not. The NIST guidance that came out a couple weeks ago was very telling. Now we see remote working as a perfectly legitimate and normal way of conducting business. I think part of the new normal is going to be this notion of contactless commerce, communication, entertainment, education, healthcare, public services, etc.…. What we are seeing in a very real way manifested, is that the majority of our workforce is now operating outside of the perimeter, and so that means an acceleration of the adoption of things like zero-trust. We are kind of near the maturation in terms of cloud migration and as 5G takes hold in the next 5 years, we’re seeing computing moving from the cloud to the edge, and the cloud then becomes increasing repository for data and correlation."
"It was very interesting over the last couple of months watching the trends (Azure or AWS)… just comparing your score to the industry you work in…it’s amazing. I’m seeing about a 40% drop in the security scoring just the finance industry as a whole. So, you can definitely tell that over the last six weeks there have been a major push to get more resources available and active in the cloud, which does lead to concerns…. Are we opening ourselves up to more vulnerabilities by moving too quickly?"
What about visibility in the cloud?
"Gone are the traditional days of ordering a server, taking several weeks to have it installed… having network teams come on it…having the middleware team install (etc.)…. With the ease of the adoption of the cloud, somebody can take that five week… process and whittle it down to five minutes. Provision an instance…. (but), you lose the expertise that came with the various teams that were involved in building out an environment."
Which is more secure: the cloud or on-prem?
"No matter how big your organization is, it’s going to be Larry and his team, as opposed to when you put the muscle of an organization like Microsoft, like Amazon, like Google; there’s no question whose going to build the better data center…. The question is, ‘Am I using it securely?’ not, ‘Is it secure?,’ because I guarantee it’s better patched, better upgraded, better updated, better secure, from an OF environment…. The way you’re going to make your cloud truly more secure and better, is by taking full advantage of all of the fabulous cloud native capabilities."
What about cloud security and DevOps?
"Get your processes and your tool set embedded as deep, and as early into development processes possible. One of the things we succeed at very well is embedding this into the integrated development environment (IDE). When you have the risk put on the developer, and you pass that risk onto the developer as a bug, not a security ticket… terminology they are very familiar with… what you end up having is risk, and compliance, and security offloaded to the developers in a way that they don’t necessarily see, but in a way that gets it totally taken care of earlier in the development cycle."
Why do I need third-party security tools, even in the cloud?
"There’s no question they offer terrific security, but here’s the issue; they’re focused on themselves, on what they do, and it’s certainly not security first…. Third-party tools are the homogenizer, the unifier; they make sense out of storage, whether it’s blob or S3, so that you can manage policy effectively across the entire environment. You’re still going to need third-party if you want to do it right."
Are Cloud Security Access Brokers (CASB) still the tool of choice to manage the new network 'perimeter'?
"At the end of the day, it’s (CASB) not providing me the control or granularity to look at what’s happening to our data and understanding where our critical data is really being moved to. So, I’m thinking more of a data loss prevention, or an information rights management types of solution, or information protection solution, might really be where we should probably focus more of our efforts beyond the CASB type solution."
"I think CASBs are great, but there are some limitations. What I’m doing right now, as we help customers with more advanced zero-trust solutions, is that I’m combining the CASB with a UBLA capability, with NAQ, and with SIM, so that I apply those zero-trust networking principles."
What are the biggest operational headaches when moving to the cloud?
"A Cloud Security study by Cybersecurity Insider found visibility is the number one operational headache, and compliance is the other."
What automation is valuable to reset, detect drift, or change your cloud environments?
"When you have automation, when you have alerting, when you have the capacity for a machine to come in and tell you ‘hey, this is happening,’ and you can configure that properly, you’re able to manage that risk much more effectively."
Big picture, long term, post pandemic: what are the implications for security?
"The new normal is gonna be much more distributed, much more complex, and it’s gonna be much more accelerated.... In our Fortinet labs, we are seeing 600 new Phishing campaigns launched daily. You are seeing much more targeted, and much more automated attacks all leveraging the same human weaknesses as before, it’s just that things are at a much more compressed environment. Yeah, it’s going to be an interesting 90 days!"
Web conference: Cloud for the Win!
To go more in-depth on these insights, we highly suggest you take the time to watch the SecureWorld Remote Sessions episode. You will hear each panelist's thoughts on all things cloud.
WATCH: Panel: Cloud for the Win!
Thank you, Jon, Grant, Jonathan, and Aaron, for helping serve in SecureWorld's mission of connecting, informing, and developing leaders in cybersecurity.