Ten years of cloud computing have brought about a change in understanding, DevOps, new risk strategies and regulations.
Speaking on a panel marking the tenth anniversary of the Cloud Security Alliance, moderator Becky Swain, GRC and cloud security assurance consultant, asked what the challenges have been in the last 10 years of cloud computing. Setu Kulkarni, vice-president of strategy and business development at WhiteHat, said that the “security narrative is changing” as the “CISO 1.0” of 10 years ago had different responsibilities from the “CISO 2.0” of now, which include defending the applications that users use, and protecting the enterprise.
Kurt Hagerman, CxO advisor, cyber strategy at Coalfire, added that the challenge in the space was to understand cloud technology, and “native technology that is provided by cloud service providers.”
He said that as cloud now enables businesses, security teams need to know how to have a view of security which is an enabler, and not a business blocker.
Regarding DevOps, Kulkarni said that DevOps is “a party starter,” but we need to step back and understand why it is critical to the mission of security. Rich Campagna, CMO of Bitglass, added that there is an idealized notion of centralized security, and that is a tremendous risk, as it helps the “business move faster and the charter given to security professionals and developers is being pushed further.” While the software and tools are out there, Campagna said that this could be good or bad for organizations.
Hagerman encouraged the concept of thinking of “security as code” now and considering how to embed security controls in your mission, and having “security as code” does require a strong governance program.
Moving on to the significance of supply chain assurance, Eric Olden, senior vice-president of Oracle security and identity, said that “anyone on the cloud is virtually a global business,” and this means that the “bar is high and GDPR is your problem.”
Olden encouraged everyone to get “an encryption story and do encryption” as he said one thing he had learned in working in security since 1995 was that really bad breaches happen as someone didn’t encrypt their data. “It doesn’t matter what tool you use, get good encryption and think through where the private key is, and if you leave it to the service provider, the cloud service provider is in control of your data.”
Concluding, Swain asked how security technology has been adapted to handle new threats and new regulations on privacy. Campagna said that specifically on data privacy regulations, the California Consumer Privacy Act and GDPR show that no matter where you do business or which industry you’re in, you need to be compliant.