#CLOUDSEC2017: Panel - Balancing Digital 'Good' with Digital 'Bad'

A panel of industry experts gathered today at CLOUDSEC 2017 in central London to explore the topic of balancing digital ‘good’ with digital ‘bad’. Speaking on stage were:

Ian McCormack, National Cyber Security Centre

Mark Hughes, president, BT Security

Stuart Aston, national security officer, Microsoft UK

Mieke Kooij, security director, Trainline

Martin Borrett, CTO Europe & distinguished engineer, IBM

Getting proceedings underway, panel moderator Jane Frankland asked how, in the era of digital transformation with the cloud and IoT, we navigate change and steer our organizations through the new and emerging risks that surface along the way.

Hughes: Often we see digital transformation as something that brings more risk, but that has to be balanced against the fact that there is enormous opportunity out there for digital transformation. It’s a force for good, but what we have to get better at is understanding the risks that exist: what are the threats, how do we translate those and that discipline we have to bring forwards. We need to be more rigorous in assessing our risks, be more vigilant about the ever-changing nature of threats and be more upstream than we have in the past.

Frankland: Does the cloud offer a safer environment? Do the security fundamentals still apply to it and does it free us up more to get on and do the jobs that we really need to do?

Aston: Yes – but seriously, let’s think about it. When we make investments in an infrastructure on cloud we’re able to do [it] at a scale that most organizations wouldn’t be able to do themselves. The question refers back to how we get the assurance that the cloud service provider is doing the job that they claim to be doing, and that’s a matter of transparency on the behalf of the provider. The cloud makes some things slightly easier, but that doesn’t mean that you give up doing the basic hygiene factors and you still have to worry about managing the infrastructure you maintain on premise.

Frankland: With all of the collaboration we need to be making for the cloud, as an industry are we doing enough to protect it with regards to an obligatory duty of care?

McCormack: The thing that’s really important to emphasize is that those responsible for the delivery of a service remain accountable for the security of that service. I’m a very passionate believer that security should be driven by business and user need.

Frankland: How should we approach cloud security amidst the complexity of public, private and hybrid cloud services? Is consolidation key to getting security right?

Borrett: Most organizations have a hybrid cloud approach that blends off-prem, on-prem and traditional computing – that needs to be balanced and that adds a level of complexity. Every organization wants to take a holistic view that takes into consideration all of those modes, but the challenge is doing that effectively by finding the right tools, the right processes and the right people that understand those different environments.

Frankland: Are boards ‘getting’ the complexities of cloud security?

Kooij: It depends on the organization. Tech companies tend to ‘get it’ more than other companies. Are boards everywhere getting it? Not necessarily.

Frankland: How do we ensure cloud providers can actually segregate our data and that the engineers are not accessing our data – what safeguards can be implemented, and should there be standards around them to protect customers?

Aston: That asks the question ‘should we regulate the IT industry as a whole?’ – well, that’s never worked out well. That said, suppliers should be transparent about what controls they do have in place. Suppliers should be particularly transparent about under what circumstances they will access customer data.