Tackling diversity & inclusion in the workplace | Download our latest Whitepaper
×

Is the Cyber Security industry getting cloud security wrong?

This post was written by: John Clifton

Joining us on episode 47 of The Tech That Connects Us was Trish Cagliostro Head of Worldwide Alliances at Wiz. Trish joined Laurie Scott and Andrew Ball. They only scratched the surface in a conversation that spanned Cloud Security, threat intelligence, the partner landscape, Cyber’s diversity challenge, the joys of softball and much more!

Trish is a thought leader in the cyber security industry, so whilst we had her on the podcast we needed to find out if the industry was getting cloud security wrong as is mentioned by commentators in the industry. Here’s what Trish had to say. 

“Cloud security is hard. It’s hard and it’s a little bit different from what the rest of the industry says. Cloud security isn’t so much of a problem for the born in the cloud companies, such as Netflix, they’re fine. Where this does become an issue is when a traditional enterprise goes to the cloud. Organisations go to the cloud for innovation, the costs savings are nice, but it’s the elasticity and the ability to endlessly expand and instantly expand globally that is powerful. 

However, the way these traditional organisations go to the cloud typically looks like this. They look at their applications on-premise, they go with what’s easy and upload some VMs into the cloud and expect to take their on-premise security structure with them. 6 months then go by, and the customer is thinking that they can’t innovate and they aren’t saving much money. So they want to look at what they can do differently from here. They’ll then start to refactor some of their applications, containerise, embrace some more modern application architecture, replatform and kick the Oracle legacy databases to the curb. 

Now the organisation will have a stopping point on their cloud adoption, they have their legacy on-premise tools supporting the legacy workloads. So now they need to go out and use some cloud-native services as all the cloud providers have cloud-native services. But they’ll have some very different types of computing that are very different in the cloud than they are on-premise. Then there’s the idea of a managed service which comes with the complication of the shared responsibility model. So at this point, the company will be looking at different tools from different vendors for niche cloud security. This is where the breach happens, all of a sudden, there are three separate data silos, the traditional on-premise tools, the cloud-native services from the cloud providers and the new types of security tools that were brought in to deal with the new types of cloud computing. 

So now these organisations still can’t innovate, they’re probably spending just as much money as they were in the first place, Then the cloud provider comes in and says ‘let me tell you about serverless’. The whole model is then broken. So in this instance, I don’t think it’s fair to blame the cyber security industry. It’s a shared responsibility between the industry and the customers as well, to think differently about security in the cloud. 

I meet with partners all the time, and they’ll say to me ‘Okay got it, it’s the same way we dealt with data centre security. But you can’t think that way. You have to think of a customer and the entire cloud journey they’re going on, and then understand how to build a security strategy that supports them across that. 

The other part of this is beyond just helping them with the security strategy and explaining that the customer will need to have an unusually long term vision with this and that we need to be transparent, understanding and really dig into what we’re doing in the cloud. A lot of time to the customers it’s not obvious, they’re normally using a managed service and think they’re good. You need to have a clear understanding of what your responsibilities are as a vendor, then make sure you have the controls and mitigation in place to account for what’s really important.  

I really do think that when we think about this we can’t just think about it in phases, we have to think about it holistically through the journey. 

Every Wednesday we sit down with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Let's talk

    Or contact us on one of our social profiles.

    Facebook Icon Twitter Icon LinkedIn Icon