In a world of constant innovation, shifts to cloud and mobile infrastructure are now an everyday reality for companies everywhere. But with the threat of cyber-attacks an ever-present risk for enterprises of all sizes, there has never been more pressure on businesses to implement sound cloud and mobile security.
This was the topic of discussion in a recent panel at Oktane16 in Las Vegas, featuring an impressive line-up of security leaders from some of the industry’s most prestigious companies.
Kicking things off, panel host and Okta chief security officer David Baker asked how organizations should tackle the risks surrounding decentralization and BYOD in the workplace.
“There’s no silver bullet,” said Craig Rosen of AppDynamics. “We know that data is moving into the application stack; we also know the user experience is now a lot better thanks to mobile apps. I think it can be done with constraints, but I’m not one to say that everybody should be allowed to do everything they want to do. There has to be some level of checks and balances.”
Dropbox’s Patrick Heim shared a similar view, adding that companies need to separate decentralization from mobility to gain an understanding of the broader risks.
“It’s about figuring out a way of not suppressing it – you have to put guard rails around it – but to try and make it safe, don’t squash it. Implement security technologies and policies that are rational and risk-based, and try to make it safe,” he added.
“So, what are the real risks of the public cloud?” asked Baker.
Josh Feinblum from Rapid7 explained that, in his view, the risks come with consolidating everything into one place.
“There’s no inherent risk with using the public cloud,” argued Slack’s Geoff Belknap, “it comes from approaching it with the mindset that it’s a direct replacement for the data center. If you approach public cloud as if it’s the same as your data center, you will make mistakes. If you approach it thoughtfully and think about authentication, about how you manage change and how it’s different, I think you will find a lot of the simple mistakes you can make can be addressed by automation.”
For Heim, the risks still boil down to bad authentication, chiefly in the form of poor password use.
“That’s what it comes down to, people get distracted by a long list of potential risks but the number one issue has to do with people using the same password across multiple sites, and that leads to compromises of accounts.”
To conclude, Baker asked the panelists what they see as their biggest challenge at the moment.
The main challenge is finding people with the right type of skill sets to understand and translate vulnerabilities within the company, said Rosen.
“A lot of the time we do get ‘heads down’ and technical. We have to work a lot more to educate in that discipline to translate things, because that’s critical.”
For Heim, it's pinpointing what the right vulnerabilities are.
“There’s so much noise, there are so many vulnerabilities to chase around and distractions coming from management. It’s maintaining the prioritization of what are really and truly the risks the company is facing, how do I know we are asking the right questions to uncover those, how do I know I have the right resources assigned. Most importantly, how do I ignore everything below a certain line,” he added.