BOSTON -- Enterprise security teams' zero-trust mindset is often a good thing. But when it comes to cloud services adoption, Microsoft argued it may be doing more harm than good.
During her session this week at the 2018 Identiverse conference, "The Cake is Not a Lie," Laura Hunter, principal program manager at Microsoft, said security professionals need to change their default reactions when their organizations want to introduce new cloud applications. She said she finds security professionals go through something similar to the five stages of grief when their organization begins the process of cloud services adoption.
"I put a portion of the blame at the feet of the cloud service provider," Hunter said regarding why the reactions are so intense. "When [cloud service providers] talk to our customers, we maybe, historically, lay it on a little thick" and promise perfectly secured cloud environments.
The bigger problem, she noted, is security professionals are naturally predisposed to be skeptical of anything "new and shiny," like the perfectly secured cloud environments.
"It's in our nature, as security professionals, when we hear the stories of happy, shiny, flowers and goodness, to immediately go 'shields up,'" she said. "In some ways, this is good. But, in some ways, it can actually work to our detriment."
According to Hunter, security professionals work in a zero-trust mindset, especially when it comes to cloud services adoption. As a result, when another unit in the organization proposes using a cloud application or service, security professionals have an automatic answer of "no," because it would be bad for security.
However, if the IT department says no to a service that a business department or employee needs to do their job effectively, that business department or employee will most likely go out and procure the service on their own anyway.
Because of this, Hunter questioned the zero-trust mindset of security professionals.
"Is this default answer of 'Trust no one'... really acting in our organization's best interest?" she asked.
By maintaining a "hard-line no" as the default answer every time cloud services adoption is brought up, "we are removing ourselves from the conversation," Hunter said. "We are removing ourselves from conversations our businesses are having whether we want them to or not."
When it comes down to business need versus security, business need is always going to win, she said, and then you end up with shadow cloud IT that the security team has no control over.
"It's going to happen anyway, and the only thing you've done by maintaining that hard-line approach is ensure that it happens without you at the table, ensure that it's happening without you as part of the conversation" about how to monitor the cloud applications, apply controls and policies, and maintain organizational compliance, she said.
"Maintaining that 'hard-line no' is actually making your organization less secure," Hunter said.
Security professionals should instead remain open-minded and "have a conversation that's a question," rather than always saying no. The solution is to embrace the use of cloud applications in the enterprise and work to find ways to make them more secure. Better yet, use the cloud services to improve enterprise security.
"Let's use the cloud for the good of our organization."