What’s the one thing above all that everyone worries about cloud? It’s not scalability, suitability or vendor contracts; it’s security. But talking security is as old as discussions of cloud itself.
Can’t the world just get on board already? Traditional control and security measures no longer apply in this new environment, connected supply chains have left little difference between “internal” and “external,” and the value proposition for cloud is simply too great for organizations and their respective CISOs to ignore any longer.
On our Cloud Reimagined Series Viewpoint “Cloud Enabled Security,” we invited GE’s Chief Information Security and Technology Officer Larry Biagini to share his view on how CISOs might turn the question of security on its head and work to figure out a way to take advantage of cloud’s capabilities.
He argued that any security model “based on an inside versus outside perspective is probably invalid.” The cloud has changed the way we understand what a “network perimeter” is, and the choice of a particular cloud environment is determined not by its security but by your “risk appetite for a given workload.”
Biagini additionally believed that while a company like GE could conceivably work within all three models of cloud based on different conditions, placing certain consumer-based applications is likely no less dangerous than placing them within your internal DMZ. But in some cases, a Virtual Private Cloud may be the best of both worlds, allowing you to control the egress and ingress points back into your environment.
So if cloud were to be leveraged to make the enterprise more secure, what would be on the wish list of cloud capabilities that might make an impact? Biagini lists several items that he feels need to evolve so that he can sleep soundly at night.
- The ability to move workloads between clouds and a layer of abstraction between cloud providers.
- A stronger identity management structure superseding an individual cloud provider. “Identity has got to be solved because it’s a tenet for security going forward, when once we’ve locked the network perimeter, identity became the new perimeter.”
- Encryption must be strengthened both at rest and in flight. “If it has to give up all control of encrypted data to cloud providers, then we’re at the mercy of processes within the cloud itself, and we do lose some visibility.”
- Improved admin processes within a cloud environment and providing the right to escalate privileges without a customer. “The more control we have over who has the access to what and visibility into when that access is used, the better we’ll feel that our information and our processes are secured.”
Going about this evolution will take some experimenting and re-evaluating of age-old security principles, but now is the time to get your feet wet. “Put your toes in the water and put some applications out there,” Biagini said. “Understand what’s going on and understand that you may have to give up a little bit of control, but that doesn’t mean that you have to give up a lot of security.”