A template for working collaboratively with the business in today’s rapidly changing technology environment.

Joshua Goldfarb, Global Solutions Architect — Security

December 20, 2016

5 Min Read
By DuMont Television/Rosen Studios, New York-photographer.Uploaded by We hope at en.wikipedia (eBay itemphoto frontphoto back) [Public domain], via Wikimedia Commons.

Everywhere I go lately, the cloud seems to be on the agenda as a topic of conversation. Not surprisingly, along with all the focus, attention, and money the cloud is receiving, comes the hype and noise we’ve come to expect in just about every security market these days. Given this, along with how new the cloud is to most of us in the security world, how can security professionals make sense of the situation? I would argue that that depends largely on what type of situation we’re referring to, exactly. And therein lies the twist.

Rather than approach this piece as “20 questions security professionals should ask cloud providers,” I’d like to take a slightly different angle. It’s a perspective I think will be more useful to security professionals grappling with issues and challenges introduced by the cloud on a daily basis. For a variety of reasons, organizations are moving both infrastructure and applications to the cloud at a rapid rate - far more rapidly than anyone would have forecast even two or three years ago.

As security professionals, we are way beyond the point of simply being able to tell the business they cannot move certain things to the cloud. Instead, we need to work collaboratively with the business to mitigate the risks introduced by the changing business environment. Given that we find ourselves in this situation, we need a different approach. What are 20 questions security organizations should be asking themselves as the business moves to the cloud?

  1. Do we know how much it costs to build, maintain, and operate data centers? That is the first step to understanding the pressure the business is under.

  2. Have we opened up the lines of communication and listened acutely to the business?  Before we can expect the business to listen to us, we need to build bridges, gain trust, and listen to the business.

  3. Do we truly understand the needs of the business? It’s hard to convince the business that we have their best interests in mind when we don’t fully understand what that means.

  4. Do we knee jerk? We must be honest with ourselves to determine if we are truly behaving proactively, or if we are merely behaving reactively.

  5. Do we always say no? We must be careful not to be the program of no to a business that will increasingly roll its eyes and work around us.

  6. Are we focused on mitigating risk rather than simply playing whack-a-mole? We need to think holistically and strategically about mitigating risk. We don’t want to win the battle but lose the war.

  7. What infrastructure has been or will be moved to the cloud? It helps to know what infrastructure we are looking to protect when we set out to protect it.

  8. What applications have been or will be moved to the cloud? It also helps to know what applications we are looking to protect when we set out to protect them.

  9. Are we able to enumerate the top five or 10 risks introduced by the move to the cloud that concern us? That’s generally a good place to begin when looking to mitigate risk.

  10. Are we certain that the move to the cloud always introduces additional net risk? While it is true that certain risks may be introduced, it is also quite likely that some legacy risks may actually go away.

  11. Are we positive that we can secure something better than someone whose core business depends on it? Granted, not all cloud providers are equal, particularly when it comes to security. But if the provider takes security seriously, they can bring resources and economies of scale to securing our applications and data that we will never be able to bring.

  12. Is all really lost when applications move to the cloud? It is entirely possible that a new infrastructure will give us visibility into applications like we’ve never had before. But we have to involve ourselves as a friend of the business from the beginning.

  13. Are we focused on data? In the cloud, it’s more about protecting data, and less about protecting infrastructure and assets.

  14. Have we considered the economics of the cloud for our own internal security purposes? Not all security products and services need to be racked and stacked in-house anymore. In fact, some of the most interesting ones are cloud-based.

  15. Have we looked into simplifying our own security stack in the cloud? As technologies mature, it may make sense to take a strategic look at consolidating and simplifying security infrastructure as well.

  16. Have we looked into the efficiency gains and operational scale the cloud can bring us?  Trying to run a query across several months’ worth of data on a 2U vendor appliance can be painful. But with the scale that the cloud provides, that same query can return lightning fast.

  17. Do we have have the necessary visibility into infrastructure and applications in the cloud? If not, how do we plan to gain that visibility?

  18. Have we considered how we will retain response capability with the move to the cloud?

  19. Have we thought about looking to the endpoint as a potential source of visibility and control as the traditional enterprise infrastructure slowly disintegrates before our very eyes?

  20. Are we focused on the big picture? The cloud is relatively new and can seem a bit scary, but have we thought about the fact that if we do our homework properly, we may even end up with a better security posture than we had before the move to the cloud?

Nearly all security professionals today are grappling with the business moving to the cloud in one form or another. While a few years ago, the mere thought of this happening would have seemed nearly impossible, it is now the reality we live in. As security professionals, we owe it to ourselves to ensure we ask the right questions and make the right preparations as the landscape changes before us. Otherwise, we simply have our heads in the clouds.

Related Content:

About the Author(s)

Joshua Goldfarb

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

See more from Joshua Goldfarb
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

VPN other edge devices cybersecurity
Endpoint Security
Teetering on the Edge: VPNs, Firewalls' Nonexistent Telemetry Lures APTsOn the Edge: VPNs, Firewalls' Nonexistent Telemetry Lures APTs
byRobert Lemos, Contributing Writer
Apr 23, 2024
4 Min Read
Kuala Lumpur, Malaysia, skyline against the harbor at sunrise
Cyber Risk
Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity ProsLicensed to Bill? Nations Mandate Certification of Cybersecurity Pros
byRobert Lemos, Contributing Writer
Apr 23, 2024
4 Min Read
MITRE Corp's logo in blue
Endpoint Security
MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti BugsMITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs
byNate Nelson, Contributing Writer
Apr 22, 2024
3 Min Read
Reports
More Reports
White Papers
More Whitepapers
Events
More Events