Perhaps, if you are like me, un homme d’un certain âge, you will recall ads for Mennen Skin Bracer that featured famous people being slapped on the face and replying, “thanks, I needed that…”
The slap, followed by “Thanks, I needed that,” would have served well as the theme for this year’s Cloud Security Alliance (CSA) Summit at RSA 2019. We got to hear about serious cloud security issues from serious people who are migrating serious businesses to the cloud. This event didn’t feature platitudes or subjective, non-committal thinking. It dealt in reality. Thanks, I needed that.
Consider Stephen Scharf, who spoke on the panel, “CISO Counterpoint: Mission Critical Cloud.” We all have our mission critical technologies. But, in Scharf’s case, his mission critical is bigger than yours. Guaranteed. He’s the Global CISO for Depository Trust & Clearing Corporation (DTCC). If you haven’t heard of DTCC, you might want to read the paper more often. They process $1.6 quadrillion in securities transactions worldwide every year—that’s right, quadrillion, a thousand billion dollars. (Or, to visualize that amount, picture Oprah’s purse or the coins lost under Jeff Bezos’ living room sofa.)
Seriously, how do you securely migrate to the cloud when you’re responsible for that volume of transactions? DTCC has an organizational goal of eliminating their data centers eventually. They want to be 100% in the cloud. Right now, according to Scharf, they’re about 10% in the cloud. And, they may never get to 100%. This is the reality of cloud security, and in DTCC’s case, compliance.
DTCC deals with many regulated products and entities. Moving their transactions to the cloud may not be feasible for certain kinds of securities processing. However, they are going to move what they can, when they can. “We’re elongating time frames,” Scharf explained. This is not what some people want to hear, but this is reality. It may take a while. If I had to keep over a quadrillion dollars’ worth of transactions secure in the cloud, I might take a comparable approach. Thanks, we all needed to hear that.
You Can’t Outsource Accountability
David Cass, CISO for Cloud and SaaS Operations at IBM, addressed another foundational issue of cloud security for large, regulated organizations: Cloud security is at least partly about culture. Yes, there are many technological and practical aspects to migrating to the cloud, but culture determines how truly secure the cloud will be.
Cass is dealing with cloud computing for large financial firms. He’s responsible for keeping their data and transactions secure and compliant across three clouds and multiple SaaS providers. His portfolio includes data sovereignty, compliance with SEC and New York State regulations, auditability, Identity and Access Management (IAM), availability, privacy, data classification, encryption management, business continuity and security incident management.
Are you panicking yet? Cass has a big job on his hands. But, according to Cass, if you can get the organizational culture where it needs to be—including a cultural fit between customer and cloud service provider—the technical factors will start to work as they’re intended to. “You can’t outsource accountability,” is his guiding theme.
For example, as Cass put it, “Are there the right contacts between your security team and cloud vendor? Will opening a ticket get you to the right people and actions?” He cited the case of compliance with the NY State DFS500 regulations, which require notification of an incident within 72 hours. The board and C-suite need to drive the cultural agenda that makes this possible. Thanks, I needed that.
Securing the Cloud in Stages
Andy Kirkland, Director, Information and Security – Strategy, Engagement, and Architecture at Starbucks, shared his insights into “Surviving an Enterprise Cloud Journey.” Like David Cass, Kirkland spoke partly in terms of culture. Because it’s Starbucks, culture involves a lot of couches and cups of coffee. That doesn’t make it any less serious, though.
The company seems to have one of those laid-back-but-I’m-going-to-kill-you sort of cultures. To accomplish a goal like securing a move to the cloud, it’s essential to understand the cultural environment. Several years ago, with executives sipping mocha lattes in comfortably lit rooms, Starbucks security people firmly put the kibosh on cloud plans. Too insecure. No way, we’re not doing it. And, that was that.
Then, as the cloud matured and management changed, Starbucks revisited the idea of moving at least some of its digital assets to the cloud. For Kirkland and his colleagues, the challenge was to align the formality of cyber security measures with the maturity of the company’s cloud efforts. This also meant having a meaningful dialogue about what aspects of the company’s IT would go to the cloud first.
According to Kirkland, it made sense to first migrate systems that would not affect the Starbucks brand. For example, they looked at moving email to Office 365. Performance or security issues with email might be a nuisance, but they wouldn’t have a negative impact on the Starbucks customer experience. Building up practices and organizational confidence from there, the next, bigger and more significant moves would become easier.
This approach came with what Kirkland described as “ad hoc security cloud consulting,” which was done in Starbucks “coffee and couches style” (meaning NO PowerPoints). As he put it, “We hired some experienced security people and we had conversations.” These dialogues produced a consensus between IT operations, developers, security and business people that Starbucks would adopt the CSA’s Cloud Controls Matrix (CSA-CCM).
CSA-CCM brings with it a formal security review process, which works to build security trust. At that point, it was time to “get off the couch,” as Kirkland shared. Today, they’re moving more and more workloads to the cloud. They implement security through a “tick and tie” of the CSA-CCM with its compensating controls. As the CCM framework matures at Starbucks, the organization is moving to clean handoffs from architecture to engineering—complete with continuous improvement.
This was not a simple or easy transition. “We went from a mindset where ‘security is making me do this’ to one where we’re mostly applying secure engineering principles to inform each step of the process,” Kirkland explained. This took a fair amount of training as well as continuing conversations about balancing pragmatism with security.
And thanks. I needed that, too.