CSA Congress 2013: Security Professionals ‘Draconian’ in Lack of Trust in the Cloud

“We are seen as Gestapo naysayers, draconian purveyors of ‘no’, and the cloud is the great way around us”, LaRosa remarked at today's CSA Congress

“If consumers trust the cloud, then why do we as security professionals have such trouble adopting the cloud?”, LaRosa asked the audience during a keynote address at today’s Cloud Security Alliance (CSA) Congress in Orlando – especially considering that each of us already puts a large level of trust in these services.

“We are seen as Gestapo naysayers, draconian purveyors of ‘no’, and the cloud is the great way around us”, LaRosa remarked, channelling his inner William Safire while speaking to an audience of information security professionals. “We are seen as innovation killers, and that’s a bad thing for all of us. If we are seen as this, we will be nothing but a checklist item, and not a business partner.”

Whether it’s shopping for cars online, visiting doctors who maintain electronic health records, employment benefits, or the company’s mainstay – payroll services – ADP has a hand in the lives of tens of millions of people worldwide, with nearly all of its services dependent on a cloud-based model. The firm’s senior director of converged security architecture admitted that when he moved from a previous role at EMC, he had no idea that ADP was a massively diverse cloud services organization.

“The cloud is here; we are living in it. We rely on it so heavily today, that you could not live if the cloud was not secure”, LaRosa commented. “Think of all the things that are based on the cloud today, and ask yourself why your business cannot securely use the cloud?”

In hindsight, LaRosa observed, the cloud computing model is not as new as we think it to be. “I like to say that ADP is the grandfather of the cloud”, he said, adding that “cloud services have enabled expanded capabilities, to a much broader global environment.”

So why do information security professionals still maintain a high level of distrust over the security of cloud-based services? LaRosa questioned whether it comes down to a lack of control, or instead a lack of knowledge about the cloud model. To some degree it’s about a loss of visibility, he admitted, “but there is some technology in place that can help us with that.”

More specifically, what really concerns security professionals is a lack of control over devices and data. “At the end of the day, the cloud isn’t scary”, he insisted. Instead, LaRosa asserted, resistance to cloud services adoption is about a fear of the unknown.

“It saddens me to see such fear cast around such a fundamental, business changing breakthrough”, he said, referring to the accelerated uptake of cloud-based services – both enterprise and consumer-based. The fear, he concluded, is not about the cloud’s technology-based problems, but centers on “security professionals’ unwillingness to adapt” to changing technologies.

An Evolving Role

With security professionals historically viewed as innovation roadblocks, LaRosa implored the audience to adopt a new approach to their role. And when it comes to the cloud, the focus should remain on what these services can provide to aid business productivity, with security professionals serving in an advisory capacity to explain the risks and create solutions to enable their use.

“The problem is not with [cloud] technology, but with us”, he said. “We must focus on driving change within ourselves and becoming better leaders. Balancing risk and reward is what it’s all about. There is no reward without taking any risk.”

Rather than being the ‘no’ people within an organization, LaRosa advised that if security professionals are ever to become a real partner in achieving an organization’s business goals, a transformation must occur that takes security professionals from their historically viewed role as innovation inhibitors to that of advisors and educators on risk.

“You can be part of the business, instead of being part of the roadblock that they go around”, he noted. “This is how you become a partner in the business’ mission. This is how you can help take the business into new areas of opportunity, and suddenly security becomes an enabler.”

LaRosa closed by stating that security professionals must measure risk to help business units make calculated decisions, and thus become true partners in innovation. “Taking chances is part of everyday life, and it’s part of a business. As security practitioners we must shed this constant need to avoid dangerous things.”

Many information security professionals are less than adequate business leaders, LaRosa said, a comment that was met with more than its fair share of head nodding around the room. “Love me, hate me, it’s something that’s hard to hear”, he admitted. “We must advise the business, and not be that last check box as a product is ready to go live.”
