Steve Schmidt discusses how the cloud is enabling security departments to embrace innovation and deliver new projects. He takes a look at the lengths cloud providers go to in order to ensure the highest levels of security for all customers, including those in traditionally security-conscious industries
Think of the stereotypical security professional in your IT department: usually extremely intelligent, risk averse, with dashing good looks (if I do say so myself) and the first person to shut down any new idea.
Security has traditionally been painted as a blocker, a ‘no’ department. In the past this was a limiting factor for large enterprises, particularly when under pressure to innovate from line of business functions, shareholders and customers. Without the budget, or human resources, to fully investigate the security requirements needed for every new project, new initiatives simply got deprioritized or shut down.
In the past few years, however, the cloud has begun changing this. Security departments are embracing innovation by leveraging the security investment and expertise of a cloud provider. This is because they realize cloud providers invest in more security policing and countermeasures than almost any company can afford themselves. In this model the customer is only responsible for securing from the operating system up, and the cloud provider from the hypervisor down, meaning businesses can focus on the application’s security and not on the physical and logical security surrounding the infrastructure.
This is giving organizations of all sizes on-demand access to technology infrastructure that is secure by default and accredited to global standards such as ISO 27001, SOC 1, 2 and 3, and PCI DSS Level 1.
Some have had their data processing agreements signed off by the highest levels of government within Europe. This reassures even the most security-conscious organizations, such as those in the financial services industry (FSI), that they can quickly procure secure infrastructure on demand over the internet.
"By using the cloud, [banks] are able to get infrastructure that is secure by default and scales"
As a result, many financial services companies around the world are embracing cloud computing. In the UK, organizations such as Royal Sun Alliance Insurance and FTSE 100-listed wealth management firm St James’s Place are moving large swathes of their infrastructure to the cloud. In other cases, the cloud is opening up classic innovation activities, like hack days or hackathons, to those in FSI.
A good example is Bank Hapoalim, Israel’s largest bank. Bank Hapoalim recently ran a hackathon using anonymized retail banking data stored in the cloud. The banks then invited the Israeli developer community to a hackathon and used its imagination to develop new financial applications that help the bank to better understand its customers and give them a better banking experience. This is allowing the bank to crowd-source innovation and helping turn its security department into one that embraces invention and helps growth.
Traditionally banks would never have imagined giving developers unfettered access to their infrastructure in order to help them innovate, but by using the cloud, they are able to get infrastructure that is secure by default and scales to many more concurrent users than their own infrastructure could.
Bank Hapoalim is just one of thousands of examples across multiple industries where customers have investigated the default security they are able to achieve with the cloud and embraced it as an innovation platform. As a result we are seeing security professionals change their tune and fit a new stereotype – one that is extremely intelligent, prioritizes the security and privacy of their users, has dashing good looks, and is amongst the first to embrace new ideas and innovations within an organization.
About the Author
Steve Schmidt is chief information security officer (CISO) for Amazon Web Services (AWS). Prior to joining AWS, Schmidt served as a senior executive at the Federal Bureau of Investigation, where he oversaw the Cyber Division components responsible for the technical analysis of computer and network intrusion activities