TRANSCRIPT
Digital Risk Management Dialogue Series:
Securing Multi-Cloud Transformation
Hosted by
Ben Smith - Field CTO - US, RSA
Tom Field - Senior Vice President - Editorial, ISMG
Agenda
6:00pm - Registration, Networking
6:30pm - Introductions and Opening Remarks
6:45pm - Roundtable Discussion
8:30pm - Program Concludes
Executive Roundtable Series
Sponsored by RSA
Introduction
“The Cloud.” It used to be when security leaders discussed the topic, it
was all about cost savings, unlimited storage … and the security concerns.
Who has access to that data stored in the cloud?
But in today’s digitally transformed environment, where enterprises often are adopting a cloud-first
approach, the new discussion is about agility, access to new services … and the security concerns.
How do you maintain visibility into your public, private and hybrid cloud environments? How do
you manage privileged access to cloud resources and data? What framework(s) can you use to
measure cloud risk?
This latest edition of our exclusive Digital Risk Management Dialogue Series on Securing
Multi-Cloud Transformation will provide answers to these and other important questions.
Guided by insights from Ben Smith, field CTO at event sponsor RSA, this roundtable will help
define the topic within the greater context of digital risk management, as well as draw from
the experiences of the attendees, who will offer tips on how they have been able to help
organizations thrive amidst multi-cloud transformation. Among the discussion topics:
• How do you currently maintain security visibility into your cloud environments?
• What controls do you have in place to manage access to cloud resources and data?
• Have you defined your organization’s appetite for cloud risk – and against what framework
do you measure it?
You’ll have the opportunity to talk with your peers about the impact of the multi-cloud environment
and how the solution must be part of a bigger strategy to deal with the changing risk and security
landscape.
Securing Multi-Cloud Transformation 2
Discussion Points
Among the questions to be presented for open discourse:
• How do you describe cloud adoption at your organization today – fully there, partially there,
still devising a strategy?
• How do you currently maintain security visibility into your cloud environments?
• What controls do you have in place to manage access to cloud resources and data?
• Have you defined your organization’s appetite for cloud risk?
• Against what framework do you measure it?
• Where do you see your remaining cloud security gaps?
• How will you address these gaps in 2020?
About the Expert
Joining our discussion today to share the latest insights and case studies:
Ben Smith
Field CTO - US, RSA
Ben Smith is Field Chief Technology Officer (Field CTO - US) with RSA, a
Dell Technologies business. With 25 years’ experience in the information
security, networking and telecommunications industries, he regularly
consults on RSA’s security and risk management solutions. His prior
employers include UUNET, CSC, and the US Government, along with
several technology-oriented startups. He holds industry certifications
in information security (CISSP), risk management (CRISC), and privacy
(CIPT), and has presented on RSA’s behalf internationally at cybersecurity
events sponsored by Gartner, FS-ISAC, SANS, IANS, CERT/SEI, ISSA,
(ISC)2, ISACA, Infosecurity, MWCA, RMA, BSides, ASIS, InfraGard, HTCIA,
SecureWorld, ICI and other organizations. Ben on Twitter: @Ben_Smith
About RSA
RSA offers business-driven security solutions that uniquely link business context with security
incidents to help organizations manage risk and protect what matters most. RSA solutions are
designed to effectively detect and respond to advanced attacks; manage user identities and
access; and reduce business risk, fraud and cybercrime. RSA protects millions of users around
the world and helps more than 90 percent of the Fortune 500 companies thrive in an uncertain,
high-risk world.
For more information, please visit https://rsa.com/.
About the Moderator
Leading our discussion today is:
Tom Field
Senior Vice President - Editorial, ISMG
Field is an award-winning journalist with over 30 years of experience
in newspapers, magazines, books, events and electronic media. A
veteran community journalist with extensive business/technology and
international reporting experience, Field joined ISMG in 2007 and
currently oversees the editorial operations for all of ISMG’s global media
properties. An accomplished public speaker, Field has developed and
moderated scores of podcasts, webcasts, roundtables and conferences
and has appeared at the RSA conference and on various C-SPAN, The
History Channel and Travel Channel television programs.
About ISMG
Information Security Media Group (ISMG) is the world’s largest media organization devoted solely
to information security and risk management. Each of our 28 media properties provides education,
research and news that is specifically tailored to key vertical sectors including banking, healthcare
and the public sector; geographies from North America to Southeast Asia; and topics such
as data breach prevention, cyber risk assessment and fraud. Our annual global summit series
connects senior security professionals with industry thought leaders to find actionable solutions
for pressing cybersecurity challenges.
Q&A WITH THE EXPERT
Ben Smith
Field CTO - US, RSA
In advance of this event, ISMG’s Tom Field spoke about breach detection
and response with subject matter expert Ben Smith. Here are excerpts of
that conversation.
Multi-Cloud Transformation Defined
TOM FIELD: What does “multi-cloud transformation” mean for different
types of organizations, depending on their technological maturity?
BEN SMITH: Adoption of cloud computing is at the heart of most
organizations’ digital transformation strategy. Whether they seek to
monetize data, streamline innovation, produce more engaging customer
experiences or simply create better operational efficiencies, a move
to the cloud today is about much more than just cheap and abundant
storage and compute capacity. It’s a business imperative and literally a
prerequisite for modern businesses to compete.
But offloading applications and workloads to the cloud creates an array
of new risks.
For starters, many organizations moving to the cloud lack the
cloud-native expertise to assess their current capabilities for managing cloud
risk. Are they on par with industry standards and best practices, or are
they woefully below the bar?
Because the infrastructure, applications and data live outside your
control, it’s very difficult to achieve a high level of security visibility
across private, public, hybrid and multi-cloud environments. This makes
it challenging for organizations, mature or otherwise, to be able to
assess their risk across their entire compute surface.
Given that our old security perimeters are continuing to vanish, and that
more and more of us are directly accessing cloud-based applications
and data from unmanaged personal devices, controlling who has access
to what becomes a last line of defense, and thus is now more important
than ever.
Finally, as organizations move more mission-critical applications and data
to the cloud, they are indirectly increasing their reliance on cloud service
providers, making it vitally important for organizations to understand the
risks these third- and fourth-party relationships pose and how they could
negatively impact their businesses.
Managing Assets in the Cloud
FIELD: How do you see organizations managing the reality that they are
responsible for the assets they store in the cloud?
SMITH: Organizations that are well into their cloud journey usually
figure out early on that there is a skills gap when it comes to how their
cloud assets are stored, monitored and secured – a gap which must be
addressed.
While managed security service providers (MSSPs) and product vendor
service offerings may help offset the skills gap by helping organizations
“run” their security operations, organizations must first learn what they
don’t know about their current cloud security capabilities. Being able
to answer questions such as “how well are we securing our cloud
environments compared with industry guidelines and best practices?”
and “which cloud security investments should we make to best align with
the future needs of our business?” are the fundamental building blocks
of any successful cloud risk management strategy.
Before making any new, large-scale investments in cloud security tools
or managed security services, organizations should get a cloud security
“checkup.” Look for a trusted adviser who has decades of cloud security
expertise and deep knowledge of NIST and ISO specs to benchmark
current cloud security capabilities and assess business risk.
They will also want an adviser who can help tailor a roadmap for
maturing an organization’s cloud risk management model, to ensure
that they are funding the right initiatives to support current and
future business needs. This not only provides a business-driven risk
management plan, but also helps close the skills gap by educating staff
and building an internal knowledge base around cloud-native security.
Remember, public clouds follow a shared security model. Generally
speaking, service providers are responsible for security “of” the cloud,
while organizations are responsible for security “in” the cloud – including
data, applications, devices and user access. Which is all the more reason
to get a handle on what risks you own and how best to manage them.
This is, in fact, a primary leading indicator of maturity when it comes to
managing cloud risk: the presence (or absence) of a whole-organization
understanding of who owns the risk for a new project. Wrong answers
often include security, or IT or the risk management team. These teams
are all there to support the business. It is the business which owns the
risk. And it is the business that must make the decision, informed by
recommendations and other information provided by these supporting
teams, regarding how to remediate, transfer or accept the risk for any
new proposed cloud offering.
Visibility
FIELD: How does one maintain appropriate security visibility into a
multi-cloud environment?
SMITH: As organizations move applications and workloads to the
cloud, having good visibility means that they’ll not only be able to
monitor application performance and measure cloud service provider
SLAs, but they’ll be well-equipped to quickly detect and respond
to cloud-borne threats and maintain compliance with a variety of
evolving regulatory mandates and privacy standards, like last year’s
scariest four letters (GDPR) and this year’s scariest four letters (CCPA).
However, attaining the visibility they need can be a challenge. Each
cloud account, even on the same platform, is different – with multiple
security controls and configurations. These days, misconfigurations
dominate the headlines as a leading cause of cloud security incidents.
We’ve also noticed that most organizations use a hodge-podge of cloud
controls. Some are provided by cloud service providers, while others
are supplied by third-party risk management and cybersecurity vendors.
This fragmented approach reduces visibility and introduces complexity –
especially in hybrid and multi-cloud deployments.
For starters, organizations need to know which cloud services their users
are engaged with. The actual number usually comes as a surprise to
most CISOs – much higher than expected. They need to know what their
employees are doing when logged in.
Technologies like user and entity behavioral analytics (UEBA) enable
organizations to continuously monitor cloud activity and spot both
intentional and unintentional access abuse.
Organizations also need solutions that provide comprehensive logging
and monitoring of all cloud data sources, like packets, NetFlow and logs.
It’s also critical to have real-time visibility into threat vectors, including
endpoints, networks and cloud infrastructure.
To avoid limiting visibility due to siloed data, organizations should
correlate the rich security data already available from service providers.
For example, AWS customers should ensure their security monitoring
tools are collecting data from AWS CloudTrail, VPC and GuardDuty so
they can track user activity and API usage and detect threats within their
public and private AWS instances.
Finally, in addition to having deep visibility into cloud resources and
users, organizations should look for solutions that cover all their physical
and virtual infrastructures to better detect and understand attacks that
may span across their entire compute surface.
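As an added illustration of the correlation Smith describes (this is example code written for this page, not RSA's or ISMG's), the script below groups constructed CloudTrail records by access key and joins them to a constructed GuardDuty finding, so an analyst sees which posture-changing API calls a flagged principal made after the finding. The SENSITIVE_EVENTS list and the simplified finding shape are assumptions; the CloudTrail field names follow the public record format.

```python
"""Correlate AWS CloudTrail API activity with GuardDuty findings per access key.
Every record here is constructed sample data, not a real log. CloudTrail field
names follow the public record format; the GuardDuty finding is a simplified,
constructed shape keyed on the access key the finding names."""
from collections import defaultdict

# API calls that change security posture. Hand-picked starting list (assumption).
SENSITIVE_EVENTS = {
    "ec2:AuthorizeSecurityGroupIngress",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "iam:CreateAccessKey",
    "iam:AttachUserPolicy",
    "cloudtrail:StopLogging",
}

CLOUDTRAIL_RECORDS = [  # constructed
    {"eventTime": "2019-10-01T12:01:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "customer-exports"},
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2019-10-01T12:02:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2019-10-01T12:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",  # refused, so it changed nothing
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLE2"}},
]

GUARDDUTY_FINDINGS = [  # constructed, simplified shape
    {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 8.0,
     "updatedAt": "2019-10-01T12:01:00Z", "accessKeyId": "AKIAEXAMPLE1",
     "userName": "deploy-bot"},
]

def event_key(record):
    """'s3.amazonaws.com' + 'PutBucketAcl' -> 's3:PutBucketAcl'."""
    return f"{record['eventSource'].split('.')[0]}:{record['eventName']}"

def summarize_activity(records):
    """Group CloudTrail records by access key: call count, source IPs, denied
    calls and successful posture-changing calls (no errorCode means success)."""
    out = defaultdict(lambda: {"user": None, "calls": 0, "ips": set(),
                               "denied": 0, "sensitive": []})
    for r in records:
        s = out[r["userIdentity"].get("accessKeyId", "unknown")]
        s["user"] = r["userIdentity"].get("userName")
        s["calls"] += 1
        s["ips"].add(r["sourceIPAddress"])
        if r.get("errorCode"):
            s["denied"] += 1
        elif event_key(r) in SENSITIVE_EVENTS:
            s["sensitive"].append((r["eventTime"], event_key(r)))
    return out

def correlate(records, findings):
    """For each GuardDuty finding, attach the posture-changing calls the same
    access key made at or after the finding time. Timestamps are compared as
    strings, which is safe because all are UTC ISO 8601 of equal width."""
    activity = summarize_activity(records)
    alerts = []
    for f in findings:
        act = activity.get(f["accessKeyId"])
        after = [e for e in (act["sensitive"] if act else [])
                 if e[0] >= f["updatedAt"]]
        alerts.append({
            "access_key": f["accessKeyId"], "user": f["userName"],
            "finding": f["type"], "severity": f["severity"],
            "sensitive_calls_after_finding": after,
            # Switching off the audit trail right after a finding is the loudest signal.
            "logging_stopped": any(k == "cloudtrail:StopLogging" for _, k in after),
        })
    return sorted(alerts, key=lambda a: a["severity"], reverse=True)

if __name__ == "__main__":
    for alert in correlate(CLOUDTRAIL_RECORDS, GUARDDUTY_FINDINGS):
        print(alert)
```

In practice the two inputs would be read from a CloudTrail S3 delivery and the GuardDuty findings export rather than embedded literals.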
Access Management
FIELD: How does one get a handle on access management to cloud
resources and data?
SMITH: One of an organization’s critical responsibilities in a shared cloud
security model is providing identity and access management for their
workforce and other entities who need access to online resources.
Knowing that users are who they claim to be is key to securing
workloads in the cloud. But it’s no longer good enough to authenticate
users based on a single credential or even, for that matter, on a “one size
fits all” multi-factor authentication solution.
Today’s fast-moving workforce and fast-changing cloud environments
require authentication solutions that provide both a high level of security
and a high level of convenience for users. After all, organizations are
moving to the cloud partly to make it easier for folks to work more
efficiently. To do this requires organizations to, at a minimum, augment
static-based rules with rules that are self-learning and based on dynamic
context.
When it comes to authentication, organizations must go beyond simply
using static markers of risk, such as a credential, a user’s role or an IP
address or location, and begin incorporating signals associated with
user behavior, device reputation, threat intelligence and fraud patterns.
This approach will enable organizations to better guard against insider
threats, thwart malicious attacks in progress and adapt access controls
based on ongoing changing workforce needs and actual behaviors.
However, verifying that users are who they claim to be is only one side of
the cloud access coin. Understanding what cloud resources users have
access to and what they can do with their access is just as important. As
you might expect, privileged users pose the most risk, since an attacker
with these credentials can quickly spin up new services and change
cloud security and configuration settings.
Cloud computing is only getting bigger, faster and more complex as
hyper-agile DevOps practices continue to pump out new applications
and capabilities at a rapid pace. This creates a growing number and
increased velocity of access requests.
Organizations must go much farther than simple provisioning tools
that allow for quick onboarding of cloud users. They must focus on
the governance side of managing access and rights, and incorporate
identity analytics for deep visibility into user entitlements in the cloud,
to understand how risks such as segregation-of-duties violations
and excess privileges can negatively impact their cloud security and
compliance posture.
Measuring Risk
FIELD: What are appropriate ways to measure cloud risk?
SMITH: Once you’ve solved or at least made some good progress
toward getting visibility across your cloud estate, there are a few good
sources I can point to when it comes to taking that next step: measuring
what you’ve now found.
If you’ve done any work within the information security and risk
management space, it will not be a surprise to learn that NIST is a fine
place to start on this question. Their special publication (SP) 500-299
outlines a cloud-focused security reference architecture, with a brief
section on measurements. I should point out that when NIST addresses
cloud metrics in this context, they tend to be more operationally focused
(around service level agreements, elasticity speed, data retention, etc.)
– but these are still worthy references to mine for potential security
metrics.
And don’t overlook NIST SP 800-145, which takes the time to fully define
what cloud computing is. Don’t let the age of this document, last revised
in 2011, frighten you off – it’s very short (less than 10 pages) and still full
of good, foundational information useful to us today.
OK, so what about something more directly related to your question
about cloud security metrics? Take a look at the Cloud Security Alliance
(CSA) as a reference. They have a wide range of collateral and even a
professional certification in this area. They recently published a white
paper on “Improving Metrics in Cyber Resiliency,” which gets you
thinking about “elapsed time” as a worthy metric: elapsed time to identify
failure, and elapsed time to identify threat.
Other CSA deliverables worth reviewing for metrics include the
Consensus Assessments Initiative (CAI) and the Trusted Cloud Initiative
(TCI). And CSA is a supporting partner of the Common Assurance
Maturity Model (CAMM), another resource I’d encourage you to review
on this question.
If you haven’t picked up on the common thread through several of my
recommendations here, it is this: You can and should mine maturity
models for potential metrics guidance.
Finally, RSA recently introduced a series of risk frameworks which help
our customers recognize, quantify and measure risk across several areas
of their cloud-focused projects. I’ll get into that a little later.
Digital Risk Management
FIELD: Are organizations approaching multi-cloud transformation as a
single challenge to be addressed, or is it viewed as just one component
of a larger digital risk management strategy?
SMITH: Moving services to the cloud is a huge lift, all by itself, for many
organizations. But where we’ve seen the most success across our
customer base is when all this cloud migration work takes place in a
broader context, focused on understanding digital risk.
Digital risk management is a byproduct of today’s digital transformation
efforts which we are seeing across the industry. In the pursuit of
modernization, digital technology offers organizations opportunities
to transform their operations, resulting in increased speed, agility
and efficiency – these tend to be common goals in most digital
transformation efforts.
However, the explosion of information, users, connected devices, digital
channels and third-party applications introduces new threats and risks.
This technical complexity, combined with a cybersecurity talent shortage
and organizational silos, can create an abundance of new opportunities
for adversaries, who have more tools, resources and patience than ever
before.
Finally, governing bodies are trying to drive more accountability for
data security and privacy by enforcing risk-based requirements versus
prescriptive checklists. Security and risk requirements are converging
to shift the conversation from technology-focused security issues to a
business risk and litigation challenge.
In our digital world, both good things and bad things can happen
more quickly, and with greater impact, than ever before. A solid digital
transformation strategy has, as a cornerstone, a healthy respect for the
accompanying digital risks which may be introduced. What’s unfortunate,
if not dangerous, is that many companies today are still operating in
yesterday’s model of (pre-digital) business risk.
Business risk has been around for as long as we’ve had businesses, and
digital risk is a fundamental component of business risk today. It’s all
about understanding the implications of bringing new technology into
your organization. It’s all about walking before you run into rolling out
that new platform, or working with that new partner, or storing your
data with that new cloud provider. It’s all about stopping to realize that
time pressures, frequently coming from the market and competition,
often drive us to rush that new product, platform or relationship into
production before taking a hard look at the risks of this “new” approach.
We sometimes paper over those gaps to get the job done on time.
These gaps are where digital risk lives, often silently. Whether through
an accident, or a deliberate action by an external adversary or an inside
threat within your own company, if you haven’t surveyed, inventoried
and quantified these new digital risks, you are setting yourself up for
some pain at some point in the future, sooner than you’d like to realize.
Let me net it out for you: Don’t start your cloud migration project without
first understanding the accompanying digital risk. How can you make the
correct decision to proceed without this step?
RSA’s Strategy
FIELD: How does this topic fit within RSA’s digital risk management
strategy?
SMITH: Let’s start by acknowledging that many folks have no idea that
RSA is in the digital risk management business. But we are, and we
have been for almost a decade, and we offer substantial subject matter
expertise in this area.
We are proud of our almost four-decade heritage as a pioneer in the
information security space, from our encryption algorithms to our
authentication technologies, to our risk management, network visibility
and anti-fraud portfolios.
One of the reasons that the RSA product portfolio is smaller and more
focused than in years past was the realization that we needed to take
another approach to how we think about risk more holistically, above
and beyond the information security space. Business risk is what most
organizations struggle with today – how to see it, how to measure it, how
to minimize it. Information security is just a subset of business risk.
And if you are living here in the 21st century, digital risk is just another
way to look at that central business risk challenge. Living on the internet
today provides significant advantages to how we all do business: It is
faster; we can reach our customers more directly; we can more quickly
see trends and come up with new products or services to offer. This
comprehensive interconnectivity makes it easier to do business.
But being so interconnected also increases our digital risk, often
substantially. We are interdependent on our third parties – including our
cloud providers – to accomplish our business goals. An outage, or an
attack, on a part of your infrastructure can be amplified and move much
more quickly across your environment, due to how interconnected we
all are. Managing digital risk is a fundamental challenge where even
successful organizations struggle.
Central to our philosophy of helping our customers effectively manage
their digital risk is leveraging models, or frameworks, which can serve
as a blueprint for action, as well as a means to benchmark progress
over time. There is a huge number of frameworks which exist in the
information security and risk management space. We realized that we
could provide more value to our customers not by simply pointing to this
group of models, but by bringing to the table our own expertise and real-
world experience gained through our RSA Risk & Cybersecurity Advisory
Services (RCAS) team.
And so we rolled out a family of “RSA Risk Frameworks” at our annual
RSA Conference 2019. Think of these frameworks as maturity models
– models which we’ve designed and developed through thousands
of engagements across some of the most complex business and
technology environments out there today, and based, in part, on industry
standards including the NIST Cybersecurity Framework, COBIT 5, the
FAIR methodology and others, all in support of helping our customers
move forward and succeed during their digital risk management journey.
Four of these RSA Risk Frameworks are available today: cyber incident
risk, third-party risk, dynamic workforce risk and multi-cloud risk. An
additional four frameworks (focusing on business resiliency risk, data
governance and privacy risk, process automation risk and compliance
risk) will be available toward the end of 2019. All these frameworks
aim to group organizations into one of three general maturity levels or
tiers: basic effectiveness, foundational effectiveness and operational
excellence.
Visualize these as horizontal tiers, where success might be reflected in
your starting in a less mature state in the bottom tier and subsequently
moving up the stack to the next tier over time. Because each of these
four frameworks is focused on a different use case, this is where we get
into the specifics.
The RSA Risk Framework for Multi-Cloud Risk is an especially useful
example in the context of digital transformation, as it maps directly to our
topic today. In this framework, there are four main capabilities we can
help you measure – visualize these capability areas as vertical pillars,
with the maturity tiers overlaying these pillars horizontally.
These four key capability areas are all about identifying the business
processes your cloud providers are supporting, your contracting and
governance practices, how you manage the identities and access
management involved with these cloud platforms, and finally your
compliance-oriented procedures around assessment, measurement and
reporting.
An output of the services conversation we have in conjunction with
the RSA Risk Framework for Multi-Cloud Risk is a discrete numeric
score across each of these four areas and an aggregate score to total
everything up.
These scores are something quantifiable that can be measured
today, and then measured again in the future to see how much you
are improving over time. So as an example, you may be approaching
operational excellence today in your cloud provider contracting function,
but maybe you are a little less mature and closer to foundational
effectiveness when it comes to how you manage those supporting
cloud-based identities and access, as well as how you govern and assess
those platforms. And again, as an example, this might be where you
acknowledge that you are also operating only at basic effectiveness
when it comes to defining and enforcing KPIs (key performance
indicators) relating to the business processes your cloud providers
support. We’ll score you in each of these four key areas, prepare a gap
analysis and make recommendations for improvement.
I haven’t talked about any RSA products here, and that is by
design. While we have some excellent offerings in the visibility, risk
management, identity and anti-fraud areas, we think that managing your
digital risk starts with a higher-level conversation to better understand
your business challenges – that was a key driver for us as we developed
and released the RSA Risk Frameworks, as they represent several core
challenges we’ve seen repeatedly across our customer base.
We would welcome the opportunity to demonstrate to you that we can
help you navigate this critical journey by asking the right questions,
helping you recognize where digital risk lies within your business – and
how to address it.
902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io
Contact
(800) 944-0401 • [email protected]