Cloud

3/7/2016
07:15 AM
Amrit Williams
Amrit Williams
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cloud Survival Guide: 3 Tips For CISOs

To thrive in the cloud era, CISOs must refashion their roles as business enablers, adopt automation wherever possible, and go back to the basics on security hygiene.

We’re undergoing one of the biggest transformational changes in IT since the introduction of the personal computer. We’ve evolved from mainframe to the PC client-server era, to cloud computing and mobile. Companies can now spin-up compute and storage resources in minutes and end-users can access information from almost anywhere, including 35,000 feet in the air.

This brings great opportunities for businesses to redefine themselves, but it also brings new challenges. Among the biggest concerns I hear about are how to keep corporate data secure, regardless of where it resides. Chief Information Security Officers (CISOs) still need to protect the business, but they need to do so facing an increasingly hostile threat environment, transformational IT change, regulatory and compliance initiatives and a serious lack of security talent.  

What’s a CISO to do? I have three suggestions:

Be a business enabler, not a gatekeeper

Despite having “security” in the title, the top priority for any CISO isn’t to just lock data down; it’s to enable the business. No longer can the security team be the department of “no” to end users and executives who want to use new technologies that will help them do their jobs better. This means CISOs need to put an end to draconian policies that restrict behaviors such as the use of mobile devices, cloud apps and new software tools. They need to allow the business to adopt new technologies, especially those that improve productivity and efficiency while lowering costs.

 The shift from restrictive to permissive requires a serious change in the way CISOs think about their role and about security. The correct mindset should mirror the overall IT environment. CISOs need to embrace the dynamic openness of data flows and devices in today’s cloud-based environments where perimeter walls have fallen down, letting data flow into and out of the network. Similarly, it’s futile to hold end users back from the technologies they want to use. The result is rogue and shadow IT that compromises security all the more.

Take advantage of automation
As data, devices, users and workloads multiply, your security team needs to become more agile and efficient by taking advantage of scalable technologies that enable automation and granular control of data, devices, users and workloads. For example, one area where security automation can support modern infrastructure is in the way new code can be developed and delivered. Delivering new code to customers used to take six months. Now organizations can deliver code every hour if they want.

Automation platforms also help IT keep on top of security and improve efficiency during staff shortages. Instead of sticking with manual processes, CISOs can turn to automation and free their personnel to focus on higher level tasks software can’t do, such as analyzing  potential threats, dealing with policy violations and misuse of corporate resources, and adopting innovative technologies to improve the business overall.

Don’t forget the basics
Instead of trying to find a silver bullet to take on sophisticated and stealthy advanced persistent threat attacks, CISOs can benefit greatly from practicing good security hygiene. Things like strong access controls, data encryption, software updates and patching, threat detection and vulnerability management are all basic and easy, yet many companies are woefully inadequate about doing them consistently. Meanwhile, more than 90 percent of attacks take advantage of vulnerabilities and weaknesses that could have been easily avoided. Instead of worrying about so-called “next-gen” technologies, CISOs should look back at best practices from the past ten years and follow them.

Related Content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Amrit Williams has over 20 years of experience in information security and is currently the chief technology officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DorisG987
50%
50%
DorisG987,
User Rank: Strategist
3/12/2016 | 5:51:59 AM
CISO Training
Edgar Perez is teaching a 3 Day Masterclass in Cybersecurity designed for C-level executives and senior managers. Furthermore, he offers cyber security workshops for boards of directors and CXOs worldwide. He is the author of The Speed Traders and Knightmare on Wall Street, and his comprehensive training programs have been widely recognized by the media for his independent and non-biased approach.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/7/2016 | 9:25:30 AM
CASB
I highly recommend incorporating a CASB. This will not only help identify shadow IT on the network but allow you to incorporate DLP in the cloud space. As the article stated, you don't want to be a gatekeeper and block things unnecessarily. Ultimately, you are there to support the business but that does not mean you do not want to monitor what type of data is being funneled into the cloud.
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.