Benefits and challenges of securing your cloud data

Chris Sienko: Hello, and welcome to another episode of CyberSpeak with InfoSec. The weekly podcast where industry thought leaders share their knowledge and experience in order to help us all stay one step ahead of the bad guys. Andrew Howard of Kudelski Security knows a lot about the security risks that can arise when your company finally makes the full transition to a digital existence in the Cloud. Like any move, the task itself might be exhausting and take twice as long as you expect, but some planning and protection will prevent the destruction of some of your most precious possessions, and today we're going to find out how.

As the Global Chief Technology Officer for Kudelski Security, Andrew Howard is responsible for the evolution, development and delivery of the organization's technology strategies and solution architecture, including selecting and validating third-party technologies and managing research, development and labs. Prior to joining Kudelski Security, Andrew was Laboratory Director at Georgia Tech, spearheading the information security research and advisory programs. He served as an advisor on emerging security threats to Fortune 250 CSOs and government bodies, and has extensive experience as a security architect, strategist, and technical leader.

Andrew has an MBA in management of technology, and a master's degree in information security from the Georgia Institute of Technology. Andrew, thank you for your time today.

Andrew Howard: Thanks for having me.

Chris: So let's start out, can you tell our listeners a little bit about your security journey? How you first got interested in computers and tech, and was there anything specific that caused you to shift focus in the direction of cyber security?

Andrew: Sure. I originally was introduced to computers and programming through the TI-83.

Chris: All right, going way back.

Andrew: It's the calculator that we all used in middle school and high school, I still have mine, they still make them today I've learned. I learned basic computing, TI Basic, which was the language on those, and I first started playing Snake and then Tetris and then Oregon Trail, and quickly learned that you could program those things to do anything. Once I figured out that I could do my algebra homework by writing my own programs, I was hooked. I took an AP computer science class, got even more hooked. Went to college, took a computer science degree there, and really just loved computers.

Then once in college, I took an internship with the Department of Defense Research Laboratory, associated with Georgia Tech, and ultimately became the director of that laboratory. But when I was a student, I was working on systems that required high security. We didn't call it cyber security back then, but security was important, and I learned the basics there.

Chris: Okay. What interested you specifically in security at that point?

Andrew: A, it's an intellectual topic, it takes thought, it takes experience to solve the problem, and it's cat and mouse. It's good guy versus bad guy, it's strategy.

Chris: So what are some of the big projects you're currently working on at Kudelski Security? What are some of the big initiatives being worked on in 2019?

Andrew: We're a solution provider, and we build solutions for clients. Our focus areas are in places that they have problems, so one area is monitoring solutions. More and more of the enterprises across the globe are outsourcing their monitoring, and we want to be a leading player there, so we've made big investments into monitoring data on premise, in the Cloud, in the internet of things, as well as in operational or stata-like environments. So that's a big investment area, and there's major demand in the market for that type of expertise.

We have a fairly sophisticated blockchain practice, blockchain is more than just crypto currency these days, it's hit the enterprise, there's a role for a security provider. You'll see us bring product to market in that space. Then I'd say finally, just security strategy. We're constantly trying to innovate there and provide tooling to information security leaders about how to best operate their security program.

Chris: So within all of these different skillsets you have, the main focus of today's talk, the thing we really wanted to get your information on is the concept of migrating your company to the Cloud, or doing other digital upgrades to your company's files or collateral. So the first question I have is should everyone be thinking about eventually migrating to the Cloud? Are there companies where this type of transformation isn't appropriate? How can you tell whether you should be one of the companies that is considering the Cloud as an option for your business?

Andrew: From my perspective, if you're considering going to the Cloud, you're late to the game. In all likelihood, not in all likelihood, you are already there, whether you know it or not. So I often meet with clients who want to talk about a Cloud migration strategy, and my perspective is you don't need to migrate, you're already there, it's just about moving more data there. From my perspective, there is not a company profile that does not make sense for the Cloud. It is the way of the future, and frankly, the only way to operate in today's environment. All of the innovation in the technology industry is around the Cloud, so if you want to be an innovative company, you've got to be in the Cloud.

Chris: So related to that, how, if at all, have you seen popular thought about Cloud hosting? Has it changed in the past five years? I know a while back, the argument went that Amazon or Google was going to do a much better job of security than most single enterprises, since that's Google and Amazon's main focus. But in recent years, there seems like the thinking has changed, or maybe there's been a little bit of cynicism. Do you think that's affected the overall usage of Cloud migration for companies?

Andrew: I think that this is a big misconception around the Cloud. If you go acquire services from Amazon or Google or Microsoft, you are acquiring services against a shared responsibility model that they publish in their contracts. They're not guaranteeing you much, it's best to think of Amazon as the plumbers or the water company. They provide the plumbing, they'll get the water and electricity to your house, but once it's there, you're responsible for it.

Chris: You need to maintain it, yeah.

Andrew: You've got to maintain it. It's the same with your data, you move your data into AWS, they have some responsibility, but a lot of the responsibility is still on you. From my perspective, this is one of the biggest misconceptions around the Cloud.

Chris: So what exactly do most companies transfer to the Cloud? You said that obviously everyone's probably got some of their assets on the Cloud, whether they know it or not, but for those who don't know, how is this done? What are the actual mechanics and what do people in completing a Cloud migration have to transfer over?

Andrew: I'm going to try and answer the question in the reverse. So what do people not move to the Cloud, at this point, the Cloud journey is a little easier to describe. The things that I see not moving to the Cloud are crown jewel data, so this is the company's most important data. Although, I see that changing, but I still see a lot of companies holding onto that. The second thing is anything that's hardware specific. So if it's software that only runs on a certain technology platform, you can't really move that to the Cloud.

Chris: Right.

Andrew: Well, you can, but it's expensive. Then the third thing that I see not moving to the Cloud is legacy systems, so systems that just don't make ... It's more expensive to migrate them than just to run them. But frankly, other than those major categories, everything else is moving. People typically start with email, just because that's a fairly straightforward thing to operate and move. Then you typically see file systems move, because again, you move them to more of the infrastructure. Then from there, the gloves are off. It's everything, it's workloads, it's ERP systems, it's HR systems, it's everything.

Chris: So this is pretty regularly done in stages, rather than one massive dump?

Andrew: I think it's typically done in ad hoc fashion, most people don't have a plan, they just get there. Smart companies put a strategy together and move there in a concerted fashion. What we advise IT and security groups is you need to create an environment that people can move to, you don't need to move them, they're going to move themselves more often than not.

Chris: So what do you recommend in terms of the strategy along those lines?

Andrew: Step one is go do some type of visibility assessment, so bring either a technology platform or a vendor to come take a look at your current environment. My guess is that the Cloud utilization will be 800 times what you think it is, something like that. Two is go build a strategy document, that document should be focused on creating an environment that is ideal for you for your company and easy for business units to move to. It should focus on things like authentication, so how are people going to authenticate, how are your users going to authenticate to the Cloud?

It should focus on authorization, so do users get access to what they're supposed to get access to? And it should focus on monitoring of what's in the Cloud, and knowing that it's properly configured and it's properly used. Those are three areas to start, and if you build those three things and decide which Cloud providers you're going to use, and what type of SaaS is okay and what type of SaaS is not okay, and how you're going to enforce that, then the migrations can start to happen. But if you try to make the migrations without knowing that, then you're asking for trouble and you're asking, frankly, for the user community to work around you.

Chris: What are the benefits of a Cloud based business? We're talking about the security and safety risks of transferring to the Cloud, we also need to know what types of safety risks can be minimized by going fully Cloud based. What's improving? Obviously, you said that going digital completely is the wave of the future.

Andrew: That's a good question. The first thing, I'll start again with the negative, so what is it not? It's not cheaper, there are certain situations that it is cheaper, but at scale, it is not cheaper. That generally is not one of the reasons. There are advantages to how costs are allocated and how costs are generated, but in my experience, it's just not cheaper and I've seen horror stories. What it is, is more scalable, so it's easier to scale up. And two, it's more available, so you get better availability.

From a security perspective, what you gain is a much, you get to take advantage of Amazon's security staff, so now you have a much larger staff available. Then most importantly is this innovation concept. If you go look at the roadmaps of every single major security vendor, every innovation is in the Cloud. So if you want innovative security, you've got to be in the Cloud or you're just not getting the latest and greatest.

Chris: Gotcha. So one of the biggest security concerns with migrating to the Cloud is compliance with data protection regulations. What effect do you think that GDPR in Europe and CCPA in California have both the methods and the protection measures involved in Cloud migration?

Andrew: I think it's a major concern area, and I think a lot of organizations are not doing what they should. Every organization needs a privacy officer or a privacy leader to consider these types of topics, where data is stored and who accesses it and how is of the upmost importance. Again, if you go look at the shared responsibility requirements with most major Cloud providers, this is not a topic that's covered on the Cloud providers side of the chart. You as a business have an obligation to make sure that the business processes that you have, that take advantage of the Cloud, whether that's SaaS or IaaS, properly takes care of these data protection concerns. GDPR is pretty much going to require you to have a region of AWS or Google, otherwise, you're almost certainly going to be breaking some law that you're going to be liable against.

Chris: So what are some security catastrophes that can happen if you have a loose Cloud migration strategy? What are some red flags you might be able to watch for to see if the process has been compromised along the way?

Andrew: I think the biggest issue that you risk is just data loss. So you think you're migrating a million records, and you only migrate 900,000 records. So I think you're prototypical database, data warehouse migration concerns exist. But what I think the Cloud adds that doesn't exist in your typical migration is it adds the possibility that you are moving that data to an environment that is exposed to the internet. In a traditional sense, if I migrate data from database A to database B, I just don't connect database B to the internet until I'm ready. With the Cloud, because it's a very flat infrastructure by its very nature, it is quite easy to move something into an environment that's not well protected.

Then I think the second thing that can happen is that you can move it in such a way that it's either now in a geographical location that it shouldn't be, or people who have access to it, shouldn't have. Then finally I'll say, I've seen business processes just completely fall apart, because of a way systems interact behind the scenes. So you move a business process from A, from some premise solution to the cloud, and all of a sudden it doesn't work, because permissions aren't set up properly. So in summary, in some ways it's just like a typical migration on premise, but the Cloud adds some complexity around security, visibility and integration.

Chris: To that end, what about secure authentication for employees in the roles of identity management? As we know, employee passwords across multiple applications can add risk as well, how does that figure in?

Andrew: I think, my opinion is that if your Cloud strategy does not require single sign-on with your identity provider, whoever that might be, whether that's someone like Microsoft AD or a third-party, that is not a requirement in your security Cloud strategy or just your Cloud strategy generally, you're probably going to fail. Because all you're doing is creating more credentials for your users, and more likelihood that there are vulnerabilities around authentication. So this is why I say most often step one of any Cloud strategy is figure out how authentication's going to work. My advice to clients is that if a SaaS solution or a Cloud solution can not support single sign-on with your identity provider, you probably don't want to use it.

Chris: What are some of the common mistakes? I guess we've talked about them a little bit, but what are some of the most common mistakes that companies make when they migrate to the Cloud?

Andrew: The number one mistake I see is grossly underestimating ... Are you back?

Chris: Yep.

Andrew: The biggest mistake that I see is that they grossly underestimate the cost. This is generated by a couple of things, so one is because they just frankly do the sizing wrong, and they underestimate the cost of the services they're using. More often than not, it's because the Cloud enables their user base to go take advantage of services without IT in the loop. So what that creates is authorized shadow IT, because the company says, "We're going to go use Amazon as our preferred Cloud provider," and then the business just runs there, and all of a sudden your AWS utilization is through the roof and so are your bills.

So one mistake I see is cost, and then the second mistake I see is thinking that they have the same control in the Cloud that they had on premise. Security organizations are very used to deploying security controls around data on premise, deploy antivirus, deploy an IBS solution, deploy the firewall, secure the operating system. Often they move those workloads off an on premise solution into a Cloud based solution that's containerized or uses microservice architectures, that just can not use the same security controls. Now they've lost control of their data.

Chris: Going back to the first issue you noted, the cost overruns, do you have any strategies for budgeting to avoid that sort of thing? Because it sounds like it's one part of the company decides we're going to use the service, but doesn't really look far enough into what using that service is actually going to cost. How do you get around that problem, what preparation do you do?

Andrew: I think if you have any kind of scale, meaning that there's possibility that you're going to move a lot of workloads there, you should do two things. One is bring in some help, bring in a firm like us that has expertise on this topic. And then secondly, you've got to put some solution in place to control access, such as a CASB, Cloud Access Security Broker, or some other solution that allows you to monitor access to the Cloud. Doing that will allow you to better control all the potential cost overruns.

Chris: Something you may have just answered, my next question here, but I want to make sure. Once you've transferred to a digital or Cloud environment, what are the most important security strategies you need to put in place to make sure that your digital assets are protected? It sounds like you just mentioned one there, are there others?

Andrew: Several, we've talked about a lot of them, but one is some type of monitoring solution, such as a CASB. Second is a centralized authentication strategy. A third one is a centralized and common monitoring strategy. You're going to move data into SaaS, you need to have a way to know what's there and what's happening with it. Most SaaS providers today will open up their logs and their APIs free. Not all, but most. Then finally, you've got to have a strategy document that you can hold yourself to overtime. Everybody's Cloud journey's a little bit different, but the Cloud offers a lot of possibility. You've got to have a roadmap to get there.

Chris: Once assets have been migrated digitally or moved to the Cloud, do you have any thoughts on how job roles change? Does this tend to free up human resources or do new roles open up for maintaining Cloud assets? Since we mostly train people in cyber security positions, what type of skills do you think our listeners might be interested in working with, if they want to work in Cloud processes and get ahead of the curve in terms of new jobs opening?

Andrew: I do not think that it is eliminating total headcount. If anything, I think it might be increasing the headcount. However, I think it's changing the roles, like any technology does. If you are going to try and enter this field, good strong programming skills are to your advantage, because a lot of hardware is moving to software. So the old infrastructure jobs of racking and stacking hardware, running cables, installing this hardware, installing software on hardware, those roles are disappearing.

Chris: Going away, yeah.

Andrew: They're moving to infrastructure as code, and frankly, the Cloud is controlled through automation. So jobs that can drive automation are important. And this space, like any other space, data science backgrounds are incredibly valuable.

Chris: We're starting to wrap up here, so for any companies who are still on the fence about whether to migrate to the Cloud or continue operating as they are, what is your advice for whether to make the jump or not? It sounds like you're pretty much 100% go for it.

Andrew: My opinion is that if you're considering it, if you're still considering the jump, you've made a mistake. You've already jumped, your company has already jumped, you're just still on the cusp.

Chris: All right. As we wrap up today, if people want to know more about you or Kudelski Security, where can they go?

Andrew: Internet's your best choice, you can just Google Kudelski, K-U-D-E-L-S-K-I.

Chris: Okay. Andrew, thank you so much for joining us today.

Andrew: Thank you very much.

Chris: And thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page, just go to YouTube and type in CyberSpeak with InfoSec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search CyberSpeak with InfoSec in your favorite podcast catcher. See the current promotional offers available for podcast listeners, and to learn more about our InfoSec pro live boot camps, InfoSec skills on demand training library, and InfoSec IQ security awareness and training platform, go to InfoSecInstitute.com/podcast, or click the link in the description.

Chris: Thanks once again to Andrew Howard and thank you all again for watching and listening. We'll speak to you next week.