Embracing the Cloud 2020

On-Demand

Video Transcript

Illena Armstrong:
Hi everyone. Illena Armstrong, VP of editorial for SC Media here with you. Now a part of the CyberRisk Alliance or CRA, which is a business intelligence company catering to the cybersecurity industry. The SC Media team and I trust that all of you with us today are enjoying our CRA Cloud Security eSummit so far. Continuing with our sessions, which are being led by top experts from the field, we’re now moving onto learning more about the growing challenges with hybrid cloud networks. Indeed, as many organizations continue to embrace hybrid cloud environment, they’re seeing cybersecurity risk grow due to complexities with such areas as automation, integration, transparency and more. On top of these issues that hybrid cloud infrastructures often can introduce, many enterprises are facing resource, staffing and budget constraints that further complicate how their security and IT teams can ensure that sound risk management strategies and day to day cybersecurity controls are properly maintained.

Illena Armstrong:
Here to explore with us hybrid cloud challenges and share findings that is, from FireMon’s second annual state of hybrid cloud report, which polled over 500 security professionals, is Tim Woods, VP of technical alliances with FireMon. He has more than 20 years of security experience across various market sectors and enterprises of all sizes and believes his most important task is education and raising awareness to build strong organizational security postures. Before I hand it over to Tim, let me just remind you very quickly, if you have questions, pop those over and we’ll be sure to tackle them, as many as we can, at the end of Tim’s presentation. With that, please let me welcome Tim to our virtual podium. Thanks for joining us.

Tim Woods:
Illena, thank you very much. I appreciate the introduction and the opportunity here today and I definitely want to thank our listening audience that is joining us as well. Thank you for attending our virtual session. And I think it’d be remiss if I didn’t say like you, the FireMon team is working hard to address the current uncertainties that we’re all faced with. And we want you to know that we are here and ready to help any way that we can, whether now or in the future. If you’re not familiar with FireMon, FireMon is a global security software development company in the security management and security orchestration space. We render a holistic view across the security real estate, helping you to extend visibility in these hybrid infrastructures that Illena referenced during that introduction. And so let’s go ahead and jump into it.

Tim Woods:
We recently completed our second annual 2020 State of the Hybrid Cloud Security survey. And what makes us interesting is that each year as you start completing surveys and gathering information, like any good report, the more data that you compile, the more interesting it becomes and you can start doing some historical trending and compare from last year to this year and see what the deltas kind of look like. This was the biggest one we’ve done so far. There were over 500 security practitioners and that was across, I’m not going to dive too deeply into all the statistics around the actual survey itself as far as the geo makeup of it, but it was very qualified. We threw out anything that we felt wasn’t a qualified response or coming from a qualified source as well. We tried to make sure that we were getting very high quality answers.

Tim Woods:
Part of the makeup this was C-level executives, network security engineers, operational architects, SecOps and DevOps and the like. We got really, really good, valuable feedback.

Tim Woods:
No surprise I think to anybody and again, guys, faced with the things that we’re faced with today, I’m already looking forward to next year for reports to see how things have changed because we’ve already seen some shifts in priorities and shifts in agendas dealing with the current state of the situations that we’re all faced with today. But one of the biggest things that emerged from the report here are the three of the biggest things and this doesn’t cover everything in totality, but the increased complexity and scale of hybrid cloud environments, the speed at which the business is moving.

Tim Woods:
We’re going to talk more about that as we get deeper into some of the stats that we pulled out, the lack of automation and third party tool integration, the ability to easily exchange information between the platforms and the tools and the solutions that we already own, came up. And also the budget. Budget constraints. There was definitely a feeling there that the spending wasn’t where it needed to be in order to do what is that we needed to. In order to do to reach our goals, to achieve those goals that we had to find.

Tim Woods:
We’ll talk about that in a little deeper detail as well. Another thing that highlighted in the survey was the fact that not everybody clearly understood that as we embrace cloud and as we move into both public and private cloud deployment and many corporations, many organizations have multiple public cloud providers as well. There is a shared security model that there is lines of delineation, regardless of whether you’re using software as a service platform, as a service infrastructure, as a service for the various applications in the hosting facilities that you’re using or the things that you’re deploying or what you’re developing on, that there are lines of demarcation as far as what you have responsibility for and what that cloud provider is providing you.

Tim Woods:
And it’s not the same for each provider either. You need to clearly understand what those lines are as you go into this so that you’re prepared to address whatever the necessary security controls are and to validate the security controls that are in place for the different types of as a service is that you’ve engaged with those public cloud providers.

Tim Woods:
This is a very simple chart. You guys have seen this, probably. You’ve probably seen this chart before, I think it’s an excellent depiction of kind of where those lines many times exist. This is a little higher detail or a little higher level. I think you can get a little more discrete with some of the data. I saw one similar to this, too that basically depicted kind of the pizza making process as well, that I thought was very educational for those that you may be educating other people within your organization and they just tend to get it very quickly when you start trying to describe what the as a service models actually provide and who’s responsible for what. But anyway, I’ll leave you with this. I put this in here, basically for your reference. Hopefully you all seen this.

Tim Woods:
The other thing I would mention though, that most of the public cloud providers, in fact, all the public cloud providers that I’ve worked with and have had interacted with, they also share their own security responsibility models, as far as they try to define where their security responsibilities lies and what they take responsibility for and what they take ownership for and where you should be looking to apply your part of the responsibility as well. If you haven’t had an opportunity to look at that or you haven’t taken a look at that, then I would encourage you. I would solicit you to go and find that for your specific security providers and cloud providers to look at where those shared lines of delineation kind of exist.

Tim Woods:
One of the most, out of the survey, there’s always one thing that kind of rises to the top, there’s always one thing that kind of grabs your attention and this year was no different. And that came from a question, one of the questions that basically said, “Do you think your business is moving faster than your ability to put appropriate security controls in place?” And over 60% of the respondents, well 59.4% of the respondents said, “Yes, I absolutely agree or strongly agree that deployments of our business services in the cloud has accelerated past their ability to adequately secure them in a timely manner.” Now, what makes this even more interesting though, as I said, since we did this same survey last year and collected the information for that is that last year, that response was 60%.

Tim Woods:
There’s been approximately 13, almost 14 months that has passed between these two surveys. You kind of have to ask yourself, you have to kind of step back and say, “What does that tell us if we haven’t really moved the needle? Doesn’t seem like or feel like that we’ve moved the needle in the right direction as it relates to the confidence in our ability to secure those things that we’re deploying in the cloud.” And every day, I know that as you’re reading your news feeds and looking at the various trade journals, that these things pop up. We see stories all the time about breaches and when we see things about being compromised and so it’s no surprise if we don’t feel like that we’re putting the right security controls in place, that those things could be happening.

Tim Woods:
When we kind of looked at this same question from a C-level perspective, it was pretty much in line with the rest of the responses and both from last year also. Over 50% of the 14% of the C-level respondents also agreed that they felt like the business was moving faster than our ability to secure it. For me, this brings about a bit of concern. It brings about, it’s definitely an area if I’m a CIO, if I’m a CISO, if I’m at the top of leadership and management concerned about the security of the assets and the resources and the services that we’re deploying in the cloud, this is something that’s going to stand out for me. This is something that I want to make sure that we’re addressing as a company, that my teams are acutely aware of.

Tim Woods:
Right along those lines, one of the things that also bubbled to the top and we’ll look at this from a C-level, from a C-suite perspective also, but visibility. The ability to see what’s going on within the infrastructure, whether that’s new deployment. You’ll hear me say this and you’ve probably already heard this. At the risk of being cliché or redundant, you can’t secure what you don’t know about. It’s hard to manage what you can’t see. The analogy that I’ve used is a visiting dignitary coming to, let’s say, visiting the US as an example and you’ve been given the responsibility to protect that individual. And the first question you ask is, “Well, when do they get here?” Well, I don’t know. Where do they arrive at? I don’t know. By what mode are they arriving? I don’t know.

Tim Woods:
If you’re tasked with protecting an asset and you don’t know where that asset resides, that you don’t know when that asset moves, if you don’t know where that resource asset or service exists at, how are you going to put the appropriate security measures in place in order to adequately secure that asset? This is when we talk about visibility, we talk about monitoring for change. This one really is near and dear to me, because I’m a strong believer that you have to monitor for change. You have to understand. I was at RSA this year, I know that seems like years ago, but quite honestly, it wasn’t that long ago. I attended a top analyst meeting while I was there and this was at the top there. Inventory and asset management, visibility of inventory and asset management along with third party extended risk was top of the chain as far as concerns for the clients that were engaged with this particular analyst firm.

Tim Woods:
We look at the C-level responses as well, we see, and these were all, this is not choose all that apply. This was a choose one question. And so this is kind of how they ranked up, but visibility again was at the top of the stack. Also, this speaks to the cybersecurity skill shortages that we keep hearing about. Sometimes these things are hard to quantify. But this kind of puts it more into perspective. This is a valid concern for the top C-level executives, as far as having good qualified people, the ability to find those good qualified people and making investments in those good qualified people. Lack of training, lack of ownership as far as what it is that they need to have responsibility for in order to put the appropriate controls in place and lack of integration. We’re going to talk about that toward the end, as well, kind of what that means and put it a little more in perspective as well.

Tim Woods:
Shrinking security budgets. This again, this is one of those things that I think given the current environment that we’re faced with that I will be interested in tracking as we look at results for next year’s survey as well. But 78% of the respondents stated that less than 25% of their budget goes towards security. And what was even more interesting there is of that 25%, so bring that 25% out, that it actually gets 44, more than half of that is only 10% of the total security budget went to cloud. That’s kind of concerning as well. And I suspect that this is a number that will change. Also I predict this is a number that will change going forward in the future.

Tim Woods:
We did ask, how many of you believe that this number will fluctuate going forward? And of course this was before the current pandemic that we’re faced with, but 55% responded and said, “Yes, I believe spending will go up.” 6% said they thought spending would go down and somewhere there in the middle of around 40% said, “We don’t think it’s going to go one way or the other. We think it’ll stay exactly where it’s at.” Again, it will be an interesting statistic to track and something that I think we’ll want to pay close attention to. Likewise, the level of staffing, finding good qualified people and having a security team in place that can respond to the issues.

Tim Woods:
We’re going to talk a little bit here about automation as well and how we empower people, but we do see this not just a difficulty in finding the right qualified people, but even the qualified people that we have, kind of getting caught in some of the I’ll call it the quagmire. Kind of getting caught in these highly redundant and repetitive, very cyclic tasks that are taking place that eats up a lot of their time in their day and I hear it all the time from the C-level suite, that I have some of my best people and even at the director level, I have some of my best people doing these repetitive mundane tasks and they’re not able to focus on the higher skilled activities that I originally hired them for. And I already don’t have enough. I don’t have a large enough team as it is.

Tim Woods:
And so we see the impact of that. Again, it goes back to this cybersecurity skill shortage and stretching out the resources that we have too thin, which is a valid concern and I hear that a lot too. The problem with stretching your resources too thin and I think, we’ve all worked on teams where you’re more than willing to go to the wall to do whatever is necessary to get the job done, but you can only run a car in the red, at a high RPM for so long before the engine breaks. And we don’t want to put those resources, those valued resources that we’ve already had a problem that we’ve stated that we have a problem acquiring, we don’t want to put those resources at risk. What do we do to make the people that we have more effective? And I think that’s where automation comes into place. And we’ll talk about that.

Tim Woods:
Fragmented security responsibility, we’re seeing where we once saw kind of security and security controls were defined by a global or a centralized security policy, we’ve seen a rapid departure away from that. And especially as it relates to deploying assets and services and resources into the cloud and we see the owners themselves taking responsibility for the security controls. We see the stakeholders, the business owners, we see DevOps being involved in the security control process. We don’t always see the IT security teams themselves. However, in this survey, we saw that 59% said that they have responsibility for both. They’re already stretched too thin. We already have reduced staffing, but we saw that 59% said, “I’m doing both.” 24% said, “No, I’m just focused on those on premise infrastructure type deployments that we have.” 10% said they were part of a cloud team or specifically dedicated to cloud.

Tim Woods:
But what also made this interesting, because the makeup here was of the 59% that said, “We have responsibility for both,” those were at companies that had less than a 1,000 employees. And so perhaps, the technical skillsets are more distributed or have a wider range of responsibility, wear more hats, for lack of a better analogy there. But they’re playing that dual role. The problem here though, is that as we look at these things, it is that we’re not being driven. We’re not being driven by that centralized security policy.

Tim Woods:
And so it’s really, when you get into a scenario or when you get into a cadence of rolling your own or defining your own security controls that haven’t collectively been or collaboratively been defined, then we can get ourselves in trouble. Especially, and it’s not that these aren’t, these are incredibly smart people that we’re talking about, but if you’re not well grounded from a security foundation, from a security background, you may not know the precise things that you should be focused on in order to secure that data that you’re deploying into the cloud. And so definitely a concern there.

Tim Woods:
Level of security automation, this was a question that came up on the survey as well. And again, this was a bit of an eye opener because 65% of the respondents said, “We’re not really using automation. We’re not really. We haven’t embraced automation yet.” As I’ve had the opportunity to talk to folks both in our engagement and even recently, most recently here at the RSA show, there were several that related failed automation experiences to me. Failed automation initiatives that just didn’t produce the fruit or didn’t produce the value that they were looking for as well. And so, to that, I would say it’s time to go back and consider what it is, where we applied those efforts. I always talk about technology process and people, but also looking for that low hanging fruit and making sure that we’re not trying to boil the ocean with our initiatives.

Tim Woods:
Biggest threat, biggest security threats to your hybrid cloud environment. Misconfigurations, again, we see this time and time and time again is misconfigurations popping to the top, the concern of misconfiguration. What was interesting about this question here is the ones that had responded that misconfigurations were some of their biggest threats, 74% of those that responded to this particular question also said, “They’re not using automation either.” That they’re relying on manual processes within their environment. And so, this gets into as we suffer from attrition, as people come and people leave and if we don’t have consistency in our processes, if we don’t have a way to guarantee consistency in our processes, then we can expect for these types of things to slip into the equation as well.

Tim Woods:
Biggest roadblocks to workload migration, there’s concerns about cyberattacks. No doubt about that. Compliance, again, this was pick one out of all those hidden costs, lack of visibility. Interestingly the silos of communication within the organizations themselves and the internal politics that you run into was also a roadblock to cloud migration.

Tim Woods:
This is a slide, I’m going to stand on this for just a minute, because I want you to understand this one, because I think it’s valuable to apply many different things to what I call the challenge slide. You find those things that you feel like are a challenge for you today and kind of look at, where am I slightly challenged? Where am I challenged? Where am I highly challenged? And then, what initiatives can I put in place in order to try to reduce the level of that challenge, the difficulties that we’re faced with there? But this could apply to again, it could apply to visibility. It can apply to the amount of assets and resources that are getting deployed.

Tim Woods:
I know some organizations have their arms around better deployment process models than others that I’ve spoken with. Some clearly understand when things get deployed and there’s a cadence around what has to happen when something goes into the cloud. And then yet I’ve talked to other organizations that say they’re struggling with different parts of the organization taking responsibility for deploying their own things into the cloud and they don’t have control around that. We saw that lack of control statistic come up earlier and that’s exactly what that kind of pointed to.

Tim Woods:
In the past, we’ve dealt with rule, the growth in just sheer volume of rules across our security enforcement point product and our firewalls and load balancers and routers and switches and things like that. Basically, anything with an ACL we’ve seen just the sheer volume of those rules go up and through the roof. And so the ability to manage that and to keep the hygiene around policy management in play has been a struggle as well. And so what happens here? My slide looks like it’s off there just a little bit with the Y, but this complexity gap, as it widens, as it grows, two things happen here. One is when complexity starts going up, the probability of human error definitely creeps into the equation. The probability of risk also creeps into the equation. Higher level of risk, also creeps into the equation. Again, I would leave you with this slide here and say, “Hey, this is something that I think you can apply to several different areas.”

Tim Woods:
Cloud sprawl, another one of these things I’ve talked about. Again, during that meeting with that top security analyst, with that top analyst team, inventory management, awareness of assets, what’s going there and the process and controls around that was very important. And we see this taking place today. I think it’s cloud sprawl is a real thing and you need to get your arms around it early in order to make sure that it doesn’t get out of control. There’s two types of growth, there’s organic growth and there’s acquired growth, but in this case, when we have organic growth that’s taking place and it’s not managed, it can be a bad thing.

Tim Woods:
What do we need kind of going forward? We’ve outlined a couple of things here. Continuous monitoring. Again, when something changes, we have to answer those questions. We have to answer those questions of, what changed? Was it expected change? Did it introduce any additional risk into the equation? Did it introduce unacceptable risks into the equation? But there’s just a few basic questions. Did we identify the business owner for that change? These questions have to be answered and if you’re not continuously monitoring, if you’re not continuously, if you don’t have controls in place that help you continuously monitor your environment, then it’s very hard to answer those questions. Also, if things move we need to be able to adapt our security controls so that it moves with the data that we’re protecting.

Tim Woods:
And I think also, especially going forward into the new world, into what I call the new era of cloud, business doesn’t slow down. Business is not going to stop and say, “All right, I’ll wait. We’ll let you guys catch up. We’ll let the processes catch up.” That’s not going to happen. Business almost always trumps security. At least that’s been my experience and we need to ensure that we are from a security perspective and from a security process deployment perspective, that we are in parity with the speed of business in order to honor their needs. Compliance and security guardrails have to be in place in order to make sure that that takes place as well.

Tim Woods:
This is always interesting to me. I’m going to spend just a couple minutes on this and then we’re going to wrap this thing up, but here’s what I would say. As you’re looking at your strategic initiatives, I recognize that many times the goals that we define or the strategic initiatives that we define are powered by a technology choice. It’s either a technology that we already acquired or we already have or we own or it’s a technology that we’re looking to augment or maybe upgrade or maybe it’s a new technology that we’re looking to trade out for something else or aggregate things that we already have. The one thing I would say here is to be ever mindful of how am I going to quantify the return on that security investment? How am I going to make sure that my people are effectively equipped to make the best use of that technology?

Tim Woods:
You can have the best technology on the planet bar none, but if your people aren’t able to effectively use it and manage it, then you’re not going to recognize or realize the return on that security investment that you’ve made. As you look at your projects and your strategic initiatives, I would just say, make sure that you keep the people factor at the forefront of your thoughts.

Tim Woods:
I’ll leave this for you to read over here. The last note I want to leave you with, because I want to leave time for some questions here, is that as you’re looking at your vendor selections and the technology that you’re pulling in the clouds today, especially as it relates to the tools and platforms and integrations that you’re using, make sure that they have a robust API. Make sure that you can easily exchange information between those platforms, if you need to. And whether you’re even using that today or not, I can promise you, I promise you that in the future, this is something that you are going to want.

Tim Woods:
It’s something that you will need in order to raise the total value of your combined security solutions in your combined tool platforms that you’re leveraging. And not just from a network perspective, this will ring true at the desktop, at the edge, it will ring true in the data center. It will ring true in the cloud, in the hybrid infrastructure as well. Look at those APIs and make sure that the vendors that you have a strong commitment to an open API where you can readily exchange information one to another.

Tim Woods:
At FireMon, as I said earlier, we’re a global security software development company. We help many of our clients quantify the return that they’re getting on their security investments, whether that, we’ve helped clients where they’ve wanted to make some radical adjustments to the total number of unused rules within their environment and we’ve helped with that. Or they’ve wanted to make sure that their policies, the hygiene around their security policies are better. They want to make sure that they don’t have overly permissive rules that have slipped into the policies over time that sometimes happen and that they’re locking down those controls that’s providing only the access that is necessary to meet the needs of the business. We’ve looked at helping them to manage risk, to make sure that over time that known vulnerabilities within the environment are not exposing them to undue risk.

Tim Woods:
At the end of the day, we want to manage risk to a level that’s acceptable by the business. And so we need to have insight. We need to have visibility into the behaviors of our security policies in order to achieve that. But FireMon has been helping companies, over a decade now, helping to drive continuous automation and consistency into the management of their policies. And when it’s time, we’d be more than happy to engage with you if you think we can help your situation as well.

Tim Woods:
Last thing I’ll say here, I just touched on just a few items that was in this 2020 State of the Hybrid Cloud Security report. I would encourage you to go and download the full report for yourself so that you can dig through all the details. And I think you’ll find it quite helpful. Again, I want to thank you today for your time. I hope this has been helpful and I look forward to engaging with you. Thank you very much.

Illena Armstrong:
Very good, Tim. Thank you. That was a great presentation. Appreciate you sharing salient findings from FireMon’s research report and additional thoughts on how organizations and the people who are tuning in with us can actually take on some of these challenges. I think we have time for maybe one or two questions. We’ll take these real quick. The first one, what should an enterprise look for before adopting a new cloud provider? What are maybe some of the top three or five areas they should pay attention to?

Tim Woods:
Yeah, no doubt. It’s a good question. We found some organizations that had more cloud providers than they thought they did, also as we went through some of the audit processes with them without maybe doing their due diligence. But anytime you’re getting ready to engage another vendor and any technology for that matter, you want to make sure that we look at, do I have the necessary skilled resources on staff to help me manage this? And what is the training? And if I don’t, what’s the training available for me to either make that investment in the people that I have or to find those people that we will need to help us successfully launch that new acquisition of technology? That’s one of the first things I would say is make sure again, I always focus on the people.

Tim Woods:
I always focus on making sure that we’re making good investments in our people in order to get the best use out of our technology and that they have the necessary tools that they need. I’d also say, as I stated earlier, as you look at your cloud providers is to make sure you understand those lines of delineation as it relates to shared responsibilities. And that’s whether you’re just deploying a VPC or you’re looking at some type of elastic database approach, make sure that you understand exactly what they’re providing you, where your people need to pay close attention and particular attention, as it relates to the security controls and what are the security controls that they are providing? We’ve seen many of our customers augment what the cloud providers are providing with additional third party security enforcement technology, either virtually or from an edge perspective, but regardless, just be keenly aware of where those lines of demarcation exist as it relates to shared responsibility in public cloud provisioning.

Illena Armstrong:
Excellent. Thank you for that. And we’ll take one more, just very quickly. It’s a good one given the current situation, the crisis in which we’re finding ourselves, the world is a different place. What are your predictions for the 2021 hybrid cloud survey taking into account the increased need for remote employee support?

Tim Woods:
I think we’re going to continue to see companies even more so now, if they weren’t before I know some of the roadblocks that they were concerned about, I think they’ll probably continue to go forward in spite of. Those roadblocks aren’t going to magically just disappear either. They’re still a concern. They’ll still be out there. They are still things that we need to remain cognizant about. But I think that we will see a continued acceleration of adoption of public cloud services for those very reasons, especially as it relates to contingency planning and continuous business initiatives as well to remain continuity so that that business continuity remains intact and especially as it relates to remote employee gaining access to the resources that they need. It’s very easy to deploy in cloud. It’s very easy to connect people to those resources in the cloud, but we still have to make sure that those security controls are in place.

Tim Woods:
Yeah, I think adoption is going to increase even more so. It was already at an accelerated pace. If I had to put a percentage on it, probably, 8X to 10X, over our speed of some of our, what I’ll call antiquated processes that we’ve used to put security controls in place. And so one thing that’s going to be necessary going forward to the future is we have to look at a paradigm shift in the way that we associate our security controls to those things that we’re deploying in the cloud. And we have to look at gaining parity with the speed of business.

Illena Armstrong:
Excellent. Well, that brings us to the close of yet another of our cloud security eSummit sessions. Thanks again to Tim Woods, VP of technical alliances with FireMon, for sharing with us some very interesting insight from their recent research on hybrid cloud and definitely providing us with some much needed advice on how to contend with these issues that we’re facing in these environments. As a quick reminder, this webcast along with the others from today will be available on demand after the conclusion of the eSummit on the CyberRisk Alliance website under the eSummit tab. Next up is another industry expert who will lay down some more knowledge and guidance on cybersecurity in the cloud. Do stay tuned. But meantime, thanks kindly for clicking in with us for this one. And of course, please be well, everyone.
