Cloud computing is an inevitable shift in IT that security teams can’t stop, but innovative security pros can figure out ways to ensure it’s adopted safely.
Most people in this room underestimate how fast we’ll move to cloud. With some estimating that cloud computing can cut IT costs by 85%, security is not likely going to stand in the way.
Jerry Archer, senior vice president and CSO, Sallie Mae
“Most people in this room underestimate how fast we’ll move to cloud,” said Jerry Archer, senior vice president and CSO at Sallie Mae. With some estimating that cloud computing can cut IT costs by 85%, “security is not likely going to stand in the way,” he added.
“It’s a tidal wave. … .It will be irresistible and we have to make sure it’s secure,” Archer said.
Chuck Deaton, director of enterprise information security at Humana Inc., likened the cloud computing trend to the Borg in Star Trek: “Resistance is futile, you will be assimilated.”
Archer said the security community isn’t starting from scratch in tackling the cloud; there has already been a lot of research and tools developed, including the work of the Cloud Security Alliance (CSA). Organizations have to examine the risks involved with a cloud computing service and how to mitigate those risks. “The key is to get out in front of it,” he said.
His organization’s board of directors has asked him to brief them on cloud risks, which was heartening, Archer said. “It’s great if someone asks me before they do it.”
In the future, when highly regulated companies are using the cloud, he predicts “security will be better than it is today.”
Dave Cullinane, CISO at eBay Inc., said he sees a huge opportunity for Security as a Service; security could be delivered far more efficiently from the cloud. “That’s the stuff that gets me excited.”
For Humana, adopting Web filtering Security as a Service was an easy way to venture into the cloud. “We’ve hesitated to put our most sensitive data [in the cloud]”, he added. Still, the organization is looking for other cloud opportunities. “The bottom line isn’t security, it’s being profitable. Security has to blend into that,” he said. “You have to find the balance in security and take advantage of this trend.”
Deaton said the strategy of Humana’s security organization is to enable what the business wants to do. “We need to be the creative inspiration in the room,” he said, adding that business executives are looking to security to help them figure out how to use cloud without jeopardizing customers or the business. “If you put six to ten ideas on the board, they begin to see you as a partner.”
But Jason Witty, senior vice president and information protection consulting executive at Bank of America, said there’s been a disturbing trend of C-level executives – lured by the promises of cloud cost savings – going around IT in order to sign up for cloud services. Organizations are figuring out ways to track adoption of cloud services by implementing controls in purchasing processes and other governance methods, he said.
“Unless you have visibility to see where your data is going… how can you manage risk effectively?” Cullinane asked. “You’ve got to get out of front of this stuff.”
“We need change the way we do our jobs. We need to be more agile,” he added.
Change up the audit approach
When an attendee asked for advice on how to get cloud providers to provide more than a white paper to demonstrate their security and agree to a security audit, panellists suggested security teams change their thinking when it comes to cloud providers.
Instead of demanding a right to audit, security teams should consider what they really need to achieve and look to independent reviews, SOC reports and the CSA’s STAR program, Archer said. “There are other ways to get there from here and if we don’t, we’re just an impediment.”
Witty said governance tools provided by the CSA will eventually help organizations implement continuous monitoring of cloud security controls. “That type of thing will make the right to audit less relevant,” he said. Auditing is a point in time validation, he added. “As an industry, we’re moving to continuous monitoring.”
Deaton said he’s not a big believer in the traditional audit process, but Humana has transparency requirements. He suggested investigating the provider’s practices, including segmentation and isolation. “As you embrace the cloud, please ask the right questions,” he said.
Cloud providers are maturing and listening to organizations’ security concerns, he added.
Technologies to mitigate cloud security risks
Data location is a major cloud computing security issue due to various regulatory requirements, but Archer said the industry will need to overcome the issue. Data is going to move, and trying to prevent that reduces the opportunity of the cloud, he said. “There are ways to protect the data no matter where it goes,” he said, citing encryption as an example.
Fully homomorphic encryption “will be a huge step in the right direction. … It’s one of the many solutions that will support cloud computing,” Archer said.
Witty said VM tagging and tokenization are other ways to manage data location risks.
Cloud changing security’s role
“Cloud is a fundamental shift if the way we do computing,” Archer said. “Everyone in this room will be impacted by it.”
When asked after the panel to elaborate on security’s role in the future as cloud computing grows, Archer said security pros likely will need to add additional knowledge, including in the areas of contracts and law, but they will remain essential.
“We’re the gatekeepers,” he said.
View all of our RSA 2012 Conference coverage.