It usually takes several years to recognize when a major shift is happening in technology, but about 14 months ago, Richard Stiennon says he saw one occurring in cloud security.
While he already believed in the cloud, he says he didn’t have any insight into how to accomplish the migration from on-premises to the cloud. So, the former Gartner analyst (remember IDS is Dead?) and current chief research analyst at IT-Harvest, set out to research the topic.
His efforts resulted in a book which he’s promoting at the 2019 RSA Conference this week. We had a chance to ask him about it for this Q&A series we’ve been running with cybersecurity thought leaders.
1) We heard you just published a new book – can you tell us about it?
RS: Yes, the book is Secure Cloud Transformation: The CIO’s Journey and it’s a culmination of my observations about the impact of the cloud. As cloud offerings such as those from Microsoft, Amazon and Google have all grown, the security vendors have started offering services both to secure the cloud and also that are themselves could-based.
As an industry analyst in the security community, my question was, what are the really big enterprises doing to make this transition and transformation?
I reached out to a whole bunch of leaders that were already well down the cloud transformation path and conducted interviews. That turned into the book which tells the stories of 16 pioneers, as I call them, who had at some point in the last five years, moved their company to the cloud.
2) What did you find as you went through this research process? What are the security challenges that these 16 pioneers are running into?
RS: They realized that they can’t just replicate the data centers and the security around it, that they’ve been building for the last 20 years. Every data center has a stack of appliances and you can’t just move that to the cloud. This is because those appliances were custom crafted to handle the amazing throughput of a data center.
In addition, they also realized they were already in the middle of a mobile revolution. Because of that, they couldn’t extend the security protections for their employees that they used to have by backhauling them over a VPN to corporate headquarters, or by filtering the traffic on the way in and out of the perimeter.
As a result, they were basically trying to replicate all that data center security on their employees’ devices. At the same time, they realized that 70% or more of their traffic on the corporate network was destined for the Internet. So, they were backhauling their traffic over VPNs, which has a cost, and then sending their employees out into the wild, wild west of the Internet, where they’re still vulnerable.
This is why they started this network transformation – using what’s called local internet breakout. Instead of backhauling traffic from remote offices, you allow them, usually with the support of software-defined networking, to go direct to the internet.
Then, all security has to worry about is what users have access to what applications. Some of these companies I’ve talked to have as many as 300,000 employees and they’ve got a granular policy for this. For example, an employee who’s traveling to China probably shouldn’t have access to the corporate finances and you address that with a location-based policy.
All of a sudden, your data centers aren’t needed because you’re moving applications to cloud services. There’s no need to maintain all this hardware and upgrade it every three years, maintain the physical security, and pay for all the power and cooling.
3) Some of our own customers have moved to the cloud – and we too have a cloud-based solution – but many of our customers have a mix of cloud and on-premises infrastructure. We see this hybrid infrastructure often in the market, and change management or cultural barriers aside, we think it’s going to be that way for the foreseeable future. What’s your take?
RS: Yes, I completely agree.
Each of the people interviewed – CTOs and CISOs of these big companies like General Electric, Siemens and Fannie Mae – each realizes that is one of the steps they have to go through. They need to make a conscious decision about which applications should move to the cloud and which ones absolutely have to stay in-house.
At one of the large manufacturers I talked to, they decided to keep their technology in their own data center. They’ve just decided the impact of that ever getting out is too high. That’s a security decision that has to be made.
As you can imagine there’s also a lot of legacy data and infrastructure that you would eventually want to refactor and move to the cloud, but it’s all written in COBOL and is on a mainframe. A large financial services company might want to hold off on that because it’s expensive to move data into and out of the cloud. It’s also expensive to maintain it and process it so it may be still cost-effective to keep those things in-house.
So yes, there will be, for the foreseeable future, hybrid solutions that people depend on.
4) This is the million-dollar question: in a large company with a hybrid of cloud and on-premises – who do you think owns the security in the cloud? Does the company own it or does the cloud vendor own it?
RS: The company owns it, but I would recommend outsourcing it to a cloud security vendor. You need one that you monitor so you see all your own data and apply those policies the way you want to. Just like building Amazon capability on your own is a lot more expensive and difficult than buying a complete cloud security proxy, it’s just easier to go to somebody who’s already doing that.
It also frees up the vulnerability management people who don’t have to be concerned about vulnerable endpoints. It definitely frees up the firewall maintenance people because they’re not spending time upgrading or trying to decide every three years which firewall to buy next.
There’s still a demand for people to set those policies we talked about and more importantly spend more time doing what security people should be doing which is threat hunting and breach detection and response.
5) That’s an interesting perspective – are you saying the cloud is changing the roles of security personnel?
RS: Yes, it is – just as cloud applications changed the role of the systems administrators whose job used to be to spec out the latest Linux or Windows servers needed to support each application. Those jobs went away, and the effective people transitioned to being experts in how to manage that stuff in the cloud.
6) After doing all this research are there any significant findings or recommendations that you’d like to share?
RS: One of the nuggets that came out of that was this: don’t promise you’ll save money. Even though I’m convinced, and these people I interviewed are convinced, that you’ll save money by moving to the cloud, don’t promise that you’re going to save money.
This is because your savings won’t come until year 2, 3 or 4 but also, my advice is, whenever you save money, hold on to that budget. Do not let someone use it for something else because this is where you can hire better people to do more refactoring, or spend money moving applications to the cloud, or invest in that breach detection tool that you need and should have been doing all along.
* * *
Richard Stiennon will be signing books all week at the RSA conference – and at RSA Bookstore at 3 p.m. (PST) on Thursday, March 7, 2019. In addition, you can find his book on Amazon, Barnes and Noble, or on the dedicated website: securecloudtransformation.com. You can connect with Richard on Twitter and LinkedIn.
It’s worth pointing out, Bricata is at RSAC as well. Come visit us visit in booth #4139 in the North Expo. We’d love to talk secure cloud with you too!
Note: If you’d like to be interviewed for this Q&A series, please send an email to media (at) bricata (dot) com and be sure to put “Q&A” in the subject line.
If you enjoyed this post, you might also like:
“It is everyone’s business and responsibility” – 40+ Cybersecurity Professionals Share What They Wish Business Leaders Would Understand in Their Own Words