2020 State of Hybrid Cloud Security

On-Demand

Video Transcription

Elisa Lippincott:
Good morning, good afternoon, and good evening everyone. My name is Elisa Lippincott, and I’m the director of product marketing here at FireMon. We want to thank you so much for joining us today, especially as we know that these are extraordinary times as we all deal with COVID-19, and adjust to a temporary normal, and efforts to flatten the curve and contain the spread. Our thoughts go out to everyone who’s being impacted by this global crisis, and we just ask you to please stay safe and vigilant. Today, I’m joined by Tim Woods, our Vice President of Technology Alliances, and today we will be discussing some of the key findings from our recently released 2020 State of Hybrid Cloud Security report. If you have any questions, please submit them in the Q&A section on your screen, and we’ll address them at the end. A recording of the webinar will also be available shortly after the conclusion of our session, and we’ll also send it out so you can share it with anyone else on your team. Let’s go ahead and get started.

Elisa Lippincott:
This is our second annual report. We surveyed over 500 security professionals and asked them to share their thoughts on the impact that Hybrid cloud is having on their enterprise security and their teams. We’ll be covering the survey demographics and taking a look at the major themes that came out of this year’s report, and then we’ll conclude with some Q&A. This year’s report now, as I mentioned in the second year, included 31 questions with 522 respondents, and we had the survey open over a period of just under two months.

Elisa Lippincott:
An overwhelming majority, almost 90% of respondents were from North America, with Europe coming in at 3.8%, Asia at 3.6% and Latin America and Australia making up the remaining 2.7%. Respondents represented practically every industry, but I.T. services led the pack with just over 21%, followed by healthcare, government and education. We had a variety of job titles with network and security engineers coming in as the biggest group at almost 25%. IT ops came in at almost 21% and SecOps came in at just under 10%. 14% of our respondents came in at the C-level and we’ll be sharing some of their specific stats. Almost 57% of respondents were from companies with at least 1000 employees or more, 35% had at least 5,000 employees, and almost 20% came from companies with 15,000 employees or more.

Elisa Lippincott:
There were three major themes that came out of this year’s responses. The increased complexity and scale of Hybrid cloud environments was the biggest theme throughout, but as you’ll see as we go through the data, all three themes relate to each other in one way or another. We’re seeing that the mainstream adoption of the public cloud is one of the main reasons for that increased complexity and scale of hybrid clouds.

Elisa Lippincott:
With the lack of automation and third-party tool integration theme, we’re seeing manual processes and the use of disparate tools without any integration are contributing to misconfiguration errors and leaving teams shorthanded, which leads to the third thing, limited budgets and staffing shortages. With the complex environments and little to no automation, these teams are overburdened as they contend with limited staffing, reduced budgets and at times, uncertain relationships with their DevOps team. So let’s go ahead and dig into the data, and now I will pass it over to Tim.

Tim Woods:
Thank you, Elisa. Appreciate it and appreciate everyone that’s joining us today, and for those who aren’t joining us today and listen to this later, and appreciate you taking the time to listen to this. We all have busy things in our schedule, I know, and as Elisa said, everybody’s adjusting to the current environment. And so, appreciate your time very much today. The thing that excites me about this year survey is that it is the second year, and of course, as you continue, like any good survey in any collection of data, as you collect more data, then it becomes more constructive, and it adds more validity as you’re able to do some historical trending and some comparison in the ability to contrast. And so each year this is only going to get better, and so I would urge you… And by the way, this, this presentation, we’re not going to cover every aspect of the of the survey, so I would… At the end of the survey, you’ll see a link where you can actually download your own copy of the full survey, and get all the information so that you’ll have that as well. So I would encourage you to grab that and take a look into it. I think there’s a lot of information there that will be very helpful in the various roles that you perform.

Tim Woods:
So this slide, not to just look at some of the numbers here starting here, we speaks to the scale and complexity of what we’re seeing today, of course the increasing cloud adoption and acceleration of business, things of that nature, but 78% of the respondents said they had two or more enforcement point type technologies, two or more that they’re deploying both on prem and into the cloud.

Tim Woods:
51% said they’re using a private connection to the cloud, or they have their own private cloud nailed up, 47% said they’re using public, 41% said that they’re in a hybrid stance, 10%, interestingly enough, I didn’t think anybody today actually wasn’t using the cloud, but 10% of the respondents actually said that they didn’t have any type of public cloud connectivity currently. And so not to say that they’re not using private cloud, but they’re not connecting to the public cloud in any way, shape or form. And this one, of course, the last one, half of the respondents said that they’re using multiple public cloud platforms, and of course, we’re going to talk about that later on here too as we dig into the statistics a little bit more, about some of the complexities that come into play with having multiple cloud platforms.

Elisa Lippincott:
And Tim, I’ll note on that 10% that weren’t using any public cloud in last year survey, that number was 25.6, so it seems like that adoption is growing and growing over time.

Tim Woods:
It does, it speaks directly to the adoption that we’re seeing. Coming back from RSA, I know many of the questions, another thing I think that’s of noted interest is how many of these questions were actually concerns for the individuals that we had the opportunity to speak with at the RSA conference this year as well. So it’s a pretty good reflection, I think, of what everybody is concerned with, challenged with, and it’s top of mind today.

Tim Woods:
The security control. So what type of network security controls are you using in your public cloud environment? And you can see the responses there, native security controls, third party firewall, cloud specific solutions, managed security providers, none, which is always an interesting response when you see that and what concerns there are.

Tim Woods:
And we’re going to look at how the management of these controls, who’s taking responsibility for implementing these controls and maintaining these controls and initiating these controls as new assets and services and resources and things of that nature are deployed into the cloud. But, it’s a pretty well-rounded out. And I think, and Elisa I’d love to get your thoughts on it too, but I think the bright side of this is, the public cloud vendors are getting better with their security controls. They are getting better with the security functions that they’re offering the people that are consuming their technology, consuming their services and paying for that. I mean, they are providing, we’re seeing referenced architectures and best practice type, documentation for how to implement controls. So I think they are doing their part, but I think that 32% where you still see third-party enforcement point technologies being deployed into the cloud represent a concern that, “Hey, we’re not confident in the native controls that exist in the cloud today, and so we are going to implement second to the native controls that are available. We’re also going to implement additional security controls.”

Elisa Lippincott:
Yeah, Tim and it makes me wonder how many are using both. If they’re using a combination of what the cloud providers have available for them and what they’re bringing to the table with these third party firewalls. When I looked at last year’s report, those that were using the native security controls in the public cloud was only at 25.5%, so as you mentioned, the cloud providers are getting a lot better at that security side of what they’re offering, and I think enterprises are just getting more comfortable with it, and we know how easy it is to spend up something in the cloud, if it’s something I can just throw a credit card at, and they already have a service there that’s going to do the job, why not? I’ll just use theirs. So I think that’s… We’re probably coming across that.

Tim Woods:
I agree, and I think the users too are becoming better educated, and those that are holding the responsibility for, although we’re going to talk about that, I still think there’s some division there and some fragmentation of security control responsibility, but, all in all, I think the increase in that number represents that there’s better knowledge about the available functions as it relates to security controls in the cloud as well. This speaks again to some of the rising, what I’ll say some of the complexities of cloud adoption, as we go forward and look at it as well, and it looks at, as far as who’s consuming the as-a-service type deployments. And of course we have other as-a-service type areas as well, but in this particular side, we’re just looking at, and the question that we asked here was which of the infrastructure as-a-service, platform as-a-service, and software as-a-service models are you actually consuming within your respective organization?

Tim Woods:
And so you can see, I won’t read each one of these, I think at the end there 20 are on the right-hand side at the top 39% is an interesting number. It means approximately 40% of the respondents are using all three services, software as-a-service infrastructure, as-a-service and platform as-a-service. And what you don’t really see embedded in that number also is this is across multiple platforms, multiple offerings as well. So this could be, we’re using Amazon for SaaS, or we may be using a provider such as Salesforce or ServiceNow, or something like that from a SaaS perspective, but we’re also leveraging the AWS infrastructure as-a-service, we may be using Azure for our platform as-a-service. And so that adds some complexity too, because that knowledge of the separate platforms has to be there too. We’re going to talk about that later on when we look at shared responsibilities across the public cloud providers as well.

Tim Woods:
And those shared responsibilities aren’t always well understood, as we found out in this particular question to the respondents. 19% actually stated they, as it related to infrastructure as-a-service and platform as-a-service and even software as a service, which is even a little more surprising, but didn’t fully understand the shared responsibility model. What are the lines of delineation? What do I have responsibility for, and what does the cloud service provider have responsibility for, and what should I be aware of?

Tim Woods:
And I think sometimes, if you’re not well-grounded with a security background, and that’s where we see some of this fragmentation that we’ll talk about come into play, is that many of the individuals that are deploying applications, deploying services and assets and resources into their public cloud provisioning, they’re also taking responsibility for their own security controls, and they may not be well-grounded with that strong, doesn’t mean that they’re any less smarter, it’s just that they may not be well-educated from a firm security foundation or a firm security background as it relates to how they should be securing it and what they should be taking responsibility for. So this is a concerning issue, and I think it will continue to be a concerning issue going forward into the future until people better understand those clear lines of delineation.

Elisa Lippincott:
Yeah. And I know when we looked at the numbers last year, Tim, of those who were using the various as-a-service deployments, we didn’t ask this particular question. It was a… We made sure that we included it this year, but last year, we could only speculate if they even understood that shared security responsibility model. And I recently looked at the SANS… In SANS Institute, we’ve recently put out their 2020 IT security spending survey, and one of the things they found out was that there were some misguided perceptions that the cloud is inherently safe, and I believe that ties to the number showing that while they’re getting comfortable with deploying stuff in the public cloud, there’s still some confusion on who is responsible for what. And we may even also see that tied to when we talk about the stinking security budgets and how maybe the cloud security budget wasn’t earmarked for more money than it should have been because people just thought, “Hey, this is safe so we don’t need to worry about it.”

Tim Woods:
Yeah, no, no. I agree. There was a question here from the audience. Aren’t enterprises required to use both native and third-party security tools due to shared responsibility model? I would assume that number would be higher. Can you speak to why or why not? Here again, I think, as Elisa related to or commented on just now, is that there is a misunderstanding of what you should have responsibility for, and what the provider is providing responsibility for. If you’re deploying third-party enforcement point technology, then you’re probably well-grounded in that technology. You’re 99%, I would say most likely you are a security IT professional who has a background with enforcement point technology if you’re deploying a third party enforcement point.

Tim Woods:
If you’re not, if you’re the person who’s nailed up that application or service, and you’re deploying your asset services or applications into that cloud regardless of what the security functionality is available to you, then you may run into a misconfiguration. And of course, we see misconfigurations almost weekly, monthly hitting the news. Gartner was saying that… I forget what the exact percentage was, but it was really high. 99% of breaches are a result of misconfiguration. Something to that extent.

Elisa Lippincott:
Yeah. 99%.

Tim Woods:
Yeah. So I mean very, very high, and I think misconfiguration is a code word, and we’ve said this before, code word for human error, and that human error creeps into the equation. So if you’re not well grounded with the security background… And there’s complexities that come into play here too as things become more complex. We’ll talk about that later on too. Then those types of human error can creep into the equation as well. We see hackers not even hacking nowadays. We see hackers actually running their own public IP scan automation bots, looking for any type of exposed public IP addresses that are not well vetted, and they’re exposing some level of data where they’re just grabbing that stuff that’s readily available.

Tim Woods:
And so these misconfigurations, it’s a big problem that hasn’t changed yet either. I know AWS has done a lot to try to keep people from exposing their S3 buckets, and even though the security controls were there, AWS was quick to point out that it wasn’t their responsibility that it wasn’t configured correctly, but they’re still trying to do their part to ensure that the users understand what controls are available to ensure that that data is protected accordingly. So as we talked about them getting better at the security functionality that they’re providing.

Tim Woods:
I just threw this in here just for more of a reference for the audience to look back on, and you could search the internet in two seconds and find about a thousand other little graphics that look very similar to this, but it just breaks it down very quickly who has responsibility for what, and it really gets a little more discreet than this. This is kind of a little, little bit simplistic, but I think, all in all it, for someone who’s trying to educate the teams, or as you’re trying to promote better security posture within your organization, I think education is a big part of this.

Tim Woods:
This is a great slide for a reference so that people understand the different roles on the services, especially when you can relationally link that to your actual applications that you’re using in your particular organization, then it becomes a lot more vivid as it relates to where we have to focus our efforts as it relates to security controls. And the providers themselves, again, as you look around, they provide some clear instructions too, or they provide information about what it is that they’re taking responsibility for, where their responsibilities start or stop, and where your responsibility starts or stops. So I would solicit you to, if you haven’t, and that is one of your responsibilities that you take a look for that or seek some of that information out, because that information is available if you go and look for it.

Elisa Lippincott:
I would also note too, that it’s different based on the provider. As far as I can tell, there’s no set standard across the board. So Azure is going to be different from what AWS offers, et cetera.

Tim Woods:
Yeah. You’re absolutely right, and of course, that speaks to the fact when you’re in an organization that’s using multiple public cloud provisioning, then you have to understand the models for each one of those. And this gets into mergers and acquisitions as well. If you’re acquiring a company and you’re trying to understand what their security posture looks like before you interconnect the networks, one of the first things you want to understand is what does their cloud posture look like too? What public cloud provisioning are they using, and how broad is that, before you start joining those networks? So interesting.

Tim Woods:
We talk about the increased cloud adoption, this for me out of the entire report, was one of the most illuminating questions, and it’s not that we didn’t already know this, and this is something when I’m engaged with clients today on a weekend week out basis. At FireMon, we’ve been around for almost 14, 15 years, so we have a lot of deep domain expertise as it relates to security hygiene across the extended enterprise and the hybrid enterprise, but this really represents one of the biggest concerns today and is top of mind for almost everyone that we talked to, and it’s how fast the business is moving. How fast? For the right reasons too. Businesses are taking advantage of some of the new technology, the virtualization, and the cloud, the economics of scale, all of the good things the cloud has to offer, they’re taking advantage of it for the right reasons.

Tim Woods:
And we know over time that business has always trumped security. If you become an impediment to the business, moving forward, guess what? You get either pushed aside or it’s met with friction, but we’ve seen this. And so the question that we asked in the survey here is, do you believe that your business has accelerated past your ability to consistently secure it? And the answer to the question was 59% of the respondents said “Absolutely, we either agree or strongly agree that our business has accelerated past our ability to consistently secure it.” But what makes this most interesting is that last year the number was almost identically the same.

Tim Woods:
And so the difference here is almost, let’s see, Elisa, keep me honest here, I believe almost 14 months has passed between our two surveys. When we did the 2019 survey, it was actually the questions went out in 2018 at the very end of the year, so there’s really been about a 12 months, 13 months lapse here between it, and the fact that complete different group across, and of course, we have the luxury of talking to people across every market vertical almost, and professionals that are qualified in those respective verticals, but there’s less than a 1% difference in this number that says, “Hey”, so to me, what does that really say? I think it says that our confidence in our ability to secure the things that we’re putting into the cloud is still not there. Wouldn’t you agree?

Elisa Lippincott:
Yeah. And I mean, even, and I think we added just over 100 new respondents from our inaugural report last year, so yeah, it was interesting that the number practically remained the same. The other thing I’d point out is we don’t have it reflected in this slide, but one of the questions we’d like to have, I like to have a little fun with it, but we asked the respondents “What is your relationship with DevOps?” And last year it was 30% that said that their relationship with DevOps or the application team was complicated, tentious, not worth mentioning or non-existent, and this year it jumped up to 45.4%. So things really aren’t getting any better. And, I think these percentages are very highly related to each other.

Tim Woods:
Yeah, this number, to me, if I’m at the C-level, and speaking as a C-level, we pose the same question for the number, I think 14%, is that right? 14% of the respondents were actually made up of C-level executives and respondents too, but it was interesting that their numbers were pretty much in line with everyone else’s as well. But for me, if I’m a CISO, if I’m a CSO, if I’m a CIO, I’m going to be concerned with this, because if we’re deploying things in the cloud, I don’t want to be the person… If I’m the person responsible for security things that are going into the cloud, number one, I want to have visibility debt, but number two, I want to make sure that we are applying the proper data controls to those things that we’re putting into the cloud, that we are good stewards of the data that we’ve been entrusted with.

Tim Woods:
But From the C-level perspective here, everyone, I won’t read this, but you can see here. I mean, the numbers even here between the C-level level responses, there’s less than a 7% difference between those from last year to this year as well.

Tim Woods:
No surprise to anybody. I’m sure listening today, visibility remains one of the top cited issues, not having good visibility into my infrastructure, not having good visibility across my different platform tools, the integration of my platform tools, sharing information, having to hop between multiple platforms to try to piece information together, trying to stitch fragmented pieces of information together to get a better picture. And the way that we posed this question was pick one, it wasn’t pick all that apply. It was pick the one that are most relevant to you that you think is a challenge or an issue. And of course, visibility is always cited at the top. And we’ll dig into that a little deeper here, but I think this is really where it starts. At FireMon, we’ve always been proponents of being able to see things clearly, especially change.

Tim Woods:
And as we get into the cloud and virtual implementations of our networks and SDN and everything else, containers, all of a sudden they become even more dynamic, and things can change quite rapidly and frequently. And so anytime a change happens, I think it’s imperative that you answer the question was the change expected? Was the change scheduled? Was it good change? Was it bad change? Did that change impact my compliance posture? Did that change impact my risk posture? At the end of the day, I mean, it’s about managing risk to a level that is acceptable by the business.

Tim Woods:
And so anytime change happens in an environment, you have to have visibility into that change, and you have to be able to analyze that change. And if you’re not tracking change within your environment, then it’s not a matter of if disaster is going to strike, it’s a matter of when disaster is going to strike. You definitely got to be on top of that, of understanding change when it happens. And you’ll hear it said multiple times too, and you’ve probably heard this already, it’s very hard to manage those things that you don’t know about. It’s very hard to secure something that you can’t see, right. So, if you’re the individual that’s responsible for securing something, how are you going to secure that if you don’t have visibility to it?

Tim Woods:
Imagine if you’ve been given responsibility to provide security for a visiting dignitary, somebody coming into the U S , and they said you have responsibility to create a security team to protect this particular individual that’s coming in. And your first question is going to be well, “When do they get here?” “Well, I don’t know.” “Well, where are they entering from?” “I don’t know.” So immediately, it becomes very clear. You need to know, if you have the responsibility to protect an asset, you have to know, number one, that that asset exists and you have to know where that asset resides in order to apply the appropriate security controls, and if that asset moves, you have to ensure that those data controls move with it.

Tim Woods:
So let’s look at what the C-level executives had to say as it related to their top level challenges as well. Again, here we see it. Lack of visibility at the very top of their responses, lack of qualified personnel. And this speaks to the ongoing shortage of qualified professionals and how it continues to manifest itself, I think, also in many areas, and I think misconfiguration is one of those, and we’ll talk to that a little bit later, and then stacked below here, so there’s really five responses here. So each one of those, those aren’t… I might’ve not done the best job of graphically depicting this, but each one of those is 12%. So lack of ownership came in at 12%, lack of training, which I think is also critical, came in at 12%, and lack of combined integration or tool platform integration came in at 12.3% as well.

Tim Woods:
And so there’s really five responses here and how they were ranked. Visibility at the top, lack of the ability to find good in the face of this cyber security skills shortage of finding good qualified people, lack of ownership, being the one who’s responsible for implementing the controls around that, lack of training, and that may just be an investment issue there as well. It’s always hard to take people out of the field to train them, but it typically will pay back, the return on investment is very high, when you have a commitment to do that from the top down, and then lack of integration. We’ll talk about that too.

Elisa Lippincott:
Yeah. The one thing that was consistent from last year’s report to this year’s was that lack of visibility. It was a number one across the board.

Tim Woods:
Yeah. Big concern, definitely a place to start. I see many of the key as we engage in… As I was talking, as we come off the heels of RSA this year, this definitely was a reflection of the concerns of the people that I engaged in conversation around it. But as a key strategic initiative, many of the CIOs and CISOs that I had the opportunity to speak with too, this was one of their key strategic initiatives at the top, was increasing visibility across their hybrid environment.

Tim Woods:
So concerning here, the question was around how much do you spend? How much of your budget goes toward the cloud? How much of your security budget goes toward the cloud? Respondents here said that 78% of the respondents stated they spend less than 25% of their total security budget on the cloud, but even so, of that 78%, so if you dig into that number a little deeper, it gets a little worse actually, because of that 78%, 44% of that 78% actually spend less than 10% of their total security budget on their clouds. So Elisa I think this is the problem too.

Tim Woods:
If you’re already strained with people, and I’ll say this to you, I mean, you can have the best technology on the planet, even if you’re throwing dollars at good technology, you still have to manage that technology effectively, and your people have to be empowered to manage that technology effectively, or you’re not going to see the return on your security investment that you’re looking for as well. So I think as we see budgets going down, you wonder “Where is that manifesting itself as it relates to the issues that evolve from that?”

Elisa Lippincott:
Yeah, the 78% was pretty eye-opening because in last year’s report, that number Was 57.5%. So a jump that big was just… I triple-checked the data to make sure I wasn’t looking at the wrong numbers, but that’s what the numbers came back at, and it’s just, wow, I couldn’t believe it was that high.

Tim Woods:
Yeah. No, it’s… And, as we talk about reports and surveys of this nature becoming incrementally more constructive, I think this is one of those as we track, I think it will give a good indication of where we’re going in this area as well. The good news here is that we did ask the question, as it related to “Do you think your budgets will go up?” Or “What do you think’s going to happen with your budget in the future here?” And that’s what, this is an indication of. So 55% of the respondents said they believed that their security budgets would go up, as it related to their ability to spend on their cloud deployments and cloud management. Interestingly 6% said, “No, I think my budget will continue to decrease”, and 40% or almost 40%, 39% said, “I don’t think it’s going to change at all. That it will probably stay exactly where it is right now.” So again, this is going to be a number, I think, that will be of interest to tract to.

Elisa Lippincott:
I’ll need to dig into that 39% number to see how many of those spend less than 10% on the cloud, because that might be an interesting stat as well.

Tim Woods:
I agree. The shrinking security teams, again, I mean, this is… And I think we can probably dig into this deeper, 70% of the respondents said they had less than 10 people on their team, 45% of that 70% actually said they had less than five. But here again, I think this is one of the areas when we talk about the cybersecurity skill shortage and where it manifests itself, this is probably one of the areas keeping trained individuals… It’s also important to know there’s a number of different impacts that if you’re not leveraging automation, if you don’t have a good training program in place, if you don’t have good employee retention, if you’re stretching the people that you have too far, it’s like, “Always use the analogy of running a car, and that the RPMs on a car are running in the red for too long, eventually you’re going to hurt the engine. You’re going to throw a rod.

Tim Woods:
People are willing to go to the wall for a while, but when you stretch them too thin and they’re overworked, of course quality of life goes down, employee satisfaction goes down, but more importantly, it’s the number of tasks that you have on your plate at any given time. You can only get to so many of those things in a given period of time in a day, and those things that you don’t get to, get pushed off to the side to get addressed later, if they even get addressed at all because you have new things coming in. But many times we see that one of the things that gets sacrificed or compromised is the security tasks on hand as well.

Tim Woods:
And I think this is one of the things that happens, this is why misconfigurations take place, This is why just mistakes in general and impacts to the business are made. You hope that those don’t become highly publicized breaches, but one of the realities, one of the brutal hard facts is that they do, and it’s the direct relation I think, of the amount of people that we have actually trying to address a problem, but more importantly, the tools that they have that they’re able to use, are they able to extract the value? I hear talking to a lot of CIOs and CISOs, they are actually trying, I think the average number right now, they’re trying to shrink or aggregate the available tools that they have, platform tools that they have. And that’s not just at the network layer, that’s at the desktop layer, that’s at the BYOD, at the edge, that’s in the data center, that’s in the cloud. I mean, there’s an effort to try to get tools that can actually do both.

Tim Woods:
Some of the tools don’t translate when you talk about moving applications and services into the cloud. And so you have to have specific cloud-based platforms for managing those things, and of course, that just gives rise to complexity when you have even more platforms, but there’s an effort to try to shrink down the number of tools that our people are using. But what I found in a point I was going to make here, is that many of the CISOs that are talk to, and CIOs that I talked to, they say that they’re struggling with their people trying to get good quantification on the return of the security investments that they’re making across their platforms.

Tim Woods:
Meaning how do you metric, how do I extract value out of those platforms that I’m using, and how do I document that? So it’s one thing to shrink that down, and of course, people are wanting to invest in the vendors’ next new thing that’s coming up, or they’re wanting to replace one vendor for another vendor because there’s something shiny new, and my recommendation there is, “Hey, I’m willing to trade if I can maybe get a two-for-one swap, but most important is that I have to make sure, and this is what I say to audience, is you have to sure that whatever technology you’re using, if that technology is a part of a key strategic initiative, that I don’t lose sight of the ability of my people to consume that technology and to manage that technology and effectively use that technology, so that I can quantify the return that I’m getting out of that security investment that my company is making.”

Tim Woods:
So what do you have responsibility for? This goes hand in hand with what I was talking about earlier, and this is that division of responsibility and fragmentation of responsibility, one of the things that we see is as assets and resources and services and things are deployed into the cloud as companies embark on their digital transformation journeys and their cloud first strategies, that it’s not always necessarily the IT staff, the typical IT security staff, that’s taking responsibility for the security controls that are going into the cloud.

Tim Woods:
59% of the respondents, and well, that was really a pretty healthy number, except we’ll look at that as it relates to the size of the companies, but 59% of the respondents said that we take responsibility, that my security team takes responsibility for both, meaning that I take responsibility for my on-premise deployments, the security controls around my on-premise deployments and I take responsibility for the security controls of those things that are going into the cloud. 24% said, “No, I’m just focused on my on-prem”, and 10% said, “I’m part of a new cloud security specific team.” But what made this stat interesting is that 59% number is actually 66% of that number was represented by companies that had 1000 employees or less.

Tim Woods:
And what we see on the higher end in the higher enterprise ranges, is that we see, again, and this speaks to the acceleration of business and the lack of confidence in our ability to consistently secure those things we’re putting into the cloud, but it speaks to the fact that we see business owners and stakeholders and DevOps and various people that don’t necessarily have that well-rounded security background taking responsibility for their own security controls, and yes, we see mistakes being made, and yes, I think that’s one of the reasons that we see the wave of misconfigurations that do unfortunately make headline news along the way. And so somehow or another, that has to change. There has to be parity between the speed of business and our ability to secure that business as it’s deployed into the cloud.

Elisa Lippincott:
And Tim would you say that 59% that are managing both on-premises and cloud, would you speculate that those are the people that are being recruited pretty heavily since they have that balance of knowing security on the traditional on-premises side and have taken the time to learn whether it’s trial by fire or actually going through an official learning process of learning security in the cloud?

Tim Woods:
Yeah, it’s a good point that you’re making there. There’s a lot of people that are becoming more valuable by the fact that they are being thrown into the middle of it here, and they are learning as they go, and that is making them more valuable in the marketplace as well, but also, it’s another thing that’s taking place is the fact that some of these people are hopping around too, because they’re in high demand, and they’re not necessarily staying in one place as long as you might like. So, when you have somebody who is valued like that, or has that level of knowledge across the Hybrid enterprise, then you have to make sure that you protect that asset as well.

Tim Woods:
And another thing that this hits on, Elisa, is the fact that we’re getting away from a centralized security policy as well. When you think about the traditional on-premise security, that was typically mandated by a centralized security policy, and whether it was written, most times it’s written, but at least we had a centralized policy that everybody aligned with, and sometimes that took the shape of some of the regulatory compliance initiatives that we were held responsible for as well, but regardless it was a centralized security policy that our security controls should be, not always, but should be somewhat a reflection of the actual implemented security controls, should be somewhat of a reflection of our centralized security policy.

Tim Woods:
What we see however today, is we’re getting away from a centralized security policy, and it’s a lot more, I use the term wild, wild West out there, where we’re not being guided by a central guideline that tells us what we should or shouldn’t do, and as people take responsibility for their own security controls, in the cloud, they’re not being guided by a common security policy that helps them do so. So the big problem, and in my mind, and until we get our hands around that, we’re going to see issues continue to arise as a result, which to me speaks to this one as well.

Tim Woods:
One of the questions that we ask is, “What do you feel is the level of automation that you’re employing across your organization today related to helping you manage the security controls in the deployment of your applications in the cloud? 65% of the respondents said that they continue to use manual processes, that they really haven’t embraced automation as a way to gain better consistency and greater efficiency out of their operations. And so here’s what I would say to that, right. If you’re not adding more people, you have to look for a way to make the people that you have more efficient.

Tim Woods:
And I think automation, and I know we hear the term machine learning and Artificial Intelligence and automation, but automation by itself, and I’m not trying to be a proponent to say that we have to automate the world, that we have to boil the ocean, but I do believe that there is some incredible value that can be extracted from levels of automation, where there’s some low hanging fruit that can provide a really good return on some of the very repetitive tasks that our people are being challenged with on a day in day out basis. It’s eating up so many of their daily cycles and is preventing them from focusing on some of the higher level activities and higher skilled activities that they were hired for in the first place. So this is a pretty significant stat here that I would point to, and it’s probably one that our listening audience today can take away and say, “Hey, look at what I learned today. What are we doing in this particular area?”

Elisa Lippincott:
Yeah. And you mentioned just having some basic level of automation, just to get rid of some of those repetitive tasks. Of that 65%, 35.4% of them don’t have any type of automation at all. They’re using manual processes, whether it’s email or spreadsheets, that’s just crazy, especially if you have a decent size environment and you’re trying to keep track of everything.

Tim Woods:
No. You’re absolutely right. Absolutely right. And again, as far as things complementing or going hand in hand, we asked the question, “What did you feel was the biggest threat to your Hybrid cloud environment?” 33% of the respondents said that they felt misconfiguration was one of the biggest issues, but what was interesting here is that of that number, 74% of that number said they weren’t using any type of automation also. And so, I mean, here again, automation is one of those things that can lend better consistencies to… You want to get it right, you want to make sure that the processes that you have, that you’re trying to automate work, but once you get it right, then that’s one of the gifts that you can pay back many fold going forward, as far as doing things in a more responsive manner, but getting it right every single time.

Tim Woods:
Biggest roadblocks to workload migration or cloud adoption, there’s still, even though we do see the increase in cloud adoption and some of the problems that go along with this, we did ask the question, cyber-attack was 29% compliance, I won’t read every one of these. What I will point out is last year, and Elisa keep me honest here, I think compliance was number one, actually, wasn’t it?

Elisa Lippincott:
Yes.

Tim Woods:
I think so. It was at the top. So let the percentages, not a large variance in the percentages here, but all of these are concerned quite honestly, and even geopolitical in third-party risk and asset tracking, all of those things are becoming more front of mind and top of mind when we engage in conversations with people around this area.

Tim Woods:
I put this in here again for the audience, I think it’s a good way to graphically depict what’s going on, but again, here’s what I would say, and you could… When you talk about being challenged, when you talk about being challenged or highly challenged, what is the result of that highly challenged, not being addressed? What happens when we don’t face that challenge head-on? What happens when we don’t apply the necessary resources to try to minimize the results of some of this challenges, and challenges left unchecked, challenges left unchallenged will increase both expense and ultimately will increase risk. But you could apply this to the number of rules that I have to manage within the environment. You could apply this to the number of applications that are being deployed if we’re not tracking those applications.

Tim Woods:
You could apply this to the people that we have available. You could apply this to train. There’s so many things that you can apply this to, but as complexity goes up into the right, two things is definitely going to happen. Human error is going to increase, and the probability of risk entering into the equation is also going to increase.

Tim Woods:
So, I’ll leave that with you guys to use, and we’re coming up on the end here so I wanted to just round off with the last few slides here, but what should we be doing? Again, I stated earlier, continuous monitoring. Now, visibility, visibility, visibility. Making sure that you understand change whenever it happens is so critically important, but adaptable data controls, this gets back to the data moving with the asset that it’s responsible, the data controls that are responsible for protecting that asset or resource, making sure that they can move with it when it moves, obviously compliance and controls, collaboration starts at the top and have to be part of the culture I believe. And automation can obviously lend itself Well, when you talk about consistency of deployments.

Tim Woods:
Again, this is where I talk about the focus on the people. I see so many projects, I see so many key strategic initiatives that are underway today, many of the individuals that I talked to at C-level, they look at this slide, or if we talk about the different things that are in here they can reflect on, that, “Hey, we have all of these things happening right now. All of these things are on the table and either currently being worked on or will currently being worked on or scheduled at one point.” But my point here is, these things are important, but the people managing these things are even more important and you have to make sure that you’re making proper investment in your people to get the return out of the technology that’s driving your key initiatives.

Tim Woods:
This just speaks, again, this probably is a really good takeaway slide, I think, for the listening audience here, but misconfiguration is a big concern and its complexity increases, like I said, misconfigurations is one of those things that can tend to go up, and of course it gives way to additional risk and it’s not something that you want. But almost all the analysts, like Gartner here actually made a statement last year. The rapid adoption of cloud services along with increasing number of cloud infrastructure and platform services has created an explosion in complexity and unmanaged risk. I completely agree with that statement there, as what we’re seeing personally and what we’re hearing from both our customers and those that we’re engaged with.

Tim Woods:
Another area that if you’re not… Is not top of mind for you right now, I’m going to say that it should be, or it will be, and that’s extracting greater value from the platforms that you have. It’s the vendors you have. If you want to raise the total value of your combined security solutions, then you need to ensure that your vendors make it easy for you to exchange information or to enrich each other’s information across your platforms. And that’s where a really strong commitment to a robust API comes into play. So again, this is one of those things that I would solicit you to take a look at and would strongly recommend that you evaluate the level of support that your vendor is providing as it relates to their API support.

Tim Woods:
And last but not least, we’ll open it up for questions. FireMon is here to help. We help you render a holistic view in or across the entire security real estate, and we help you extend that visibility across your Hybrid infrastructure and we place a strong emphasis on proactively identifying and managing risk. I talked about monitoring for change, that is always top of mind for us to helping you to both alert on change and to evaluate that change when it takes place. Reduce that complexity. I feel very strongly that if I can help you reduce complexity, there’s no doubt that I’m going to give you a better security posture.

Tim Woods:
I can help you find that low hanging fruit, as it relates to automation, I can help you drive dynamic compliance into your infrastructure, meeting that when a change happens, I want to be able to… I can alert on change and tell you the who, what, when, where all the details of that change, but wouldn’t it be better if I could sandbox that proposed change in advance and evaluate it before it gets implemented into my infrastructure to say, “Hey, this is going to have a negative impact on our posture and therefore we shouldn’t allow this. Let’s identify, let’s remediate it before it takes place.” So we, we have always placed a strong emphasis on dynamic compliance.

Tim Woods:
And then being able, just to correlate vulnerabilities to policy, to say, “Where are my riskiest? Where are the riskiest holes within my network fabric, and where are those things that I should be spending my effort?” So we would invite if we would extend an invitation to talk to you, if you think that we can help you in some of these areas, I’d love to talk to you to at least educate you more about the services and what our platform has to offer. So with that, Elisa, why don’t we just go ahead and open it up, if we have any last minute questions. I know we’re coming up on the top of the hour, but I’d love to at least try to hit a couple if we can.

Elisa Lippincott:
Yes, we have a few from the audience. For those of you on the webinar, if you have a question, please submit it in the Q&A box, and if we don’t get to yours, we’ll make sure to follow up. Here’s a little doozy for you, Tim. Do you see DevOps and SecOps becoming better aligned in the near future?

Tim Woods:
That is a doozy. That, again, I think DevOps in and of itself needs to become a cultural initiative within the company. I think it starts at the top and it has to permeate itself throughout the organization. I think security we hear the term DevSecOps and SecDevOps and things like that, but regardless where you sit, on which side of the fence you sit on, I think we will all agree that that security has to become a component of the process. And this is one of the reasons I loved when GDPR first came out. One of the terms that they used was security by design and default, and I just love the spirit of that, because that tells me that, “Hey, I’m not thinking about security at the end of my process. I’m not thinking about security as an afterthought, but I’m putting security at the forefront of my thought process.” And I think that’s where DevOps has to go, where security becomes an integral component of the DevOps process.

Elisa Lippincott:
And one more, because we might get shut down in a little bit, but what can my team do in the short term to reduce misconfigurations?

Tim Woods:
Another good question. Again, I would challenge you to look at the processes you currently have. Obviously anytime a misconfiguration happens, you want to do your due diligence to try to understand the root cause analysis, but I would say, if it was driven by a process, or if it’s an area where a process could drive a different result, then I would look at that. But anytime you start looking at automation or you start looking at how automation can help you need to break it down into, I’ll call it bite-size nuggets, but start by looking at the current processes that you have in place in evaluating, “Are these processes working for me? Are they effective? Could they be modified? Could they benefit from automation? Is this something that I could automate to where it could at least run by itself?” And if there’s an exception, then we can arbitrate.

Tim Woods:
I’m not saying you don’t ever take the human element completely out of it, but at least you reduce the reliance on the human element in some of those areas. And there’s some areas where you won’t be able to automate, where it does require a higher hands-on and it requires the human element to be involved. But there’s a lot of areas that I would challenge you to go look at to say, “Is this an area that could benefit from automation?” And so if you want to strengthen your consistency of deployments, if you want to strengthen your consistency of applying security controls, if you want to strengthen your ability to ensure that the data controls move with the thing which I’m protecting, then those are some of the areas that I would say you would go and evaluate first.

Tim Woods:
And those are all areas, by the way not giving FireMon additional plug here, these are areas that we help customers with and clients with on a day in day out basis. This is definitely areas where we can help you with.

Elisa Lippincott:
Great. Well, everyone that is all the time we have for today. Thank you for taking the time to attend our webinar. I’d like to thank Tim for his time today and for the great session. Thank you and please stay safe, everyone.

Tim Woods:
Thank you very much.

Read more

Get 90% Better. See How to Get:

  • 90% EFFICIENCY GAIN by automating firewall support operations
  • 90%+ FASTER time to globally block malicious actors to a new line
  • 90% REDUCTION in FTE hours to implement firewalls

SCHEDULE A DEMO