The CSA 2020 conference again offered presentations by some of the industry’s leading authorities on large-scale, complex security challenges in the cloud. Here are some highlights:
- Treat control incidents like security incidents – For Phil Venables, former CISO of Goldman Sachs, a control failure is as much of an incident as a security event. In the tightly regulated financial sector, controls are certainly critical for compliance, but they are also, by design, intended to protect firms from data breaches and other potentially messy incidents. He urged cloud security managers to implement continuous monitoring of controls, and offered examples of situations where controls were turned off during a cloud system update – and then not turned back on, or not turned back on soon enough to avoid an attack.
- Watch out for fourth-party risk – Andy Kirkland, CISO of Starbucks, explained that his team is increasingly dealing with risk exposure that arises from indirect supply chain attacks. For example, when a vendor’s partner firm is breached, that can open an unexpected “side door” into his cloud infrastructure.
- Use the tools that are provided – Cloud providers now offer pre-designed and pre-tested frameworks and toolsets in the cloud that make cloud security easier to implement. As Diana Kelley, Cybersecurity Field CTO at Microsoft, explained, the two-tier security model does not mean that customers have to start from scratch. In Microsoft's case, Azure offers templates and tools that are ready to go for the client’s side of the security equation.
- Focus on the organizational aspects of security in a cloud migration – Robert Clark, Chief Security Architect at Oracle, argued that people and their relationships to systems deserve the highest level of thought and scrutiny in a cloud migration. It’s critical to understand who the users are and what their permissions let them do, he suggested. For him, it is not enough to map directly from on-premises organizational rules to the cloud. He also felt the cloud move provided a great pretext for revisiting LDAP configurations.
- It’s time for honesty about security and privacy tradeoffs – Alex Stamos, former CISO of Facebook, urged the industry (meaning the big cloud companies) to be more honest about the tradeoffs they’re creating for everyone. He wasn’t pointing a finger. He was just saying that everyone would be better off if they understood that a social media company, for example, cannot be secure, safe, private and free all at once; it’s impossible to be free and ad-supported without collecting user data. Nor is it possible to stay on top of predatory online behavior without some level of surveillance of user activities. In his view, people will accept these tradeoffs if they understand them.