Secure Your Journey to the Hybrid Cloud

On-Demand

Video Transcription

Elisa Lippincott:
Hello and welcome to our webinar titled Secure Your journey to the Hybrid Cloud. My name is Elisa Lippincott and joining me today is Tim Woods, who is our vice president of technology alliances. Today’s webinar will focus on steps you need to take to gain full visibility and control to secure your hybrid environments, how to ensure consistency of your security controls within hybrid cloud and multi cloud environments and how a cloud security posture management can help you manage risk and complexity in your hybrid cloud.

Elisa Lippincott:
Before we get started, I have just a couple of housekeeping items. This webinar is being recorded. And the recording will be available on BrightTALK immediately after we conclude. If you have any questions, please type them in the questions box below the presentation screen. And you can also access more information by clicking on the attachments button. And with that, I will go ahead and pass it over to Tim.

Tim Woods:
Elisa, thank you very much. I appreciate it and I want to say a big thank you to our listening audience today. For those of you that have tuned in to listen to us live, thank you very much, I know you have a million other things you could be doing, but you chose to spend your time with us. And for that we are sincerely appreciative. So thank you.

Tim Woods:
So let’s go ahead and jump into it here. I prefer it whenever we’re in front of everybody so you guys can throw things at me and I can throw things at you. And we can see heads nodding and stuff like that. But we’ll get through this together. So it’s an interesting time that we’re at here. And for those of you that are just starting your cloud journey, or perhaps you’re already well into your cloud journey, you’ve probably already hit some road bumps and some obstacles that you’ve had to overcome. But it’s just not as simple as swiping the credit card and nailing up a service and starting to put things out. It can be that simple.

Tim Woods:
But in a large enterprise, it’s important that we understand that the Brownfield applications and the Brownfield devices that we have that we want to bring into the cloud, some of those are not as, let’s say cloud friendly as others, and that has to be taken into consideration. But you really need a good process in place. And you need a good plan in place, and especially the larger the enterprise and the more things that we’re going to move into the cloud, it’s important that we do so in a uniform manner.

Tim Woods:
When you take an application from the data center into the cloud, everything associated to that app is different. I mean, the performance potentially is different. And speaking of performance, also for the applications, it’s also important to note that you might not necessarily see the same performance that you saw, that app, if it was optimized for a piece of hardware in the data center, and you put it into the cloud, and now you’re dealing with virtual servers, and you’re dealing with virtual storage, and you’re dealing with other virtual aspects, you might not see the same performance. And in the long run, if you’re not careful, that can actually cost you more money. So it’s important to understand the performance difference, as well.

Tim Woods:
And then how you monitor it. How you monitor those applications. Security. And security is different as well, and something that has to be at the forefront. And we’re going to talk more about that as we go into here too. But security definitely has to be at the forefront of our thoughts. And then even the system management tools, used to manage the virtual servers and the environment in the cloud. And the act of even deploying the applications into the cloud is different than what we’re used to in a traditional data center. So important stuff.

Tim Woods:
And then the world is definitely changing in front of us. We see that happening, cloud computing and virtualization and SDN, continuous development and DevOps and continuous integration and all of these great things. And for the right reasons too. I mean, people are adopting it probably faster than we’ve ever seen in the history of cloud, people are starting on their digital transformation journeys, people are embracing a cloud first strategy. And for the right reasons too. They’re trying to gain competitive advantages, they’re trying to reduce server footprint, they’re trying to increase compute or take advantage of elastic storage. All those things.

Tim Woods:
Internet of Things, always interesting. Not really completely relevant today, except that a lot of those things talk back up into the cloud. Interesting, I went through my own personal inventory last night as I was going through the slides, I was like, “How many IoT devices do I just have here?” And if I count my smart lights, and then you look at Alexa and the cameras and my thermostats and my Nest smoke detectors and everything else, it’s just crazy. I had over 25 different IoT, just in my own personal domain here. But think about that as they creep into the enterprise, those things too have to be addressed because they talk back up to the cloud, they’re all connected, how we secure those, the OS that’s running those and who’s using those. They become another point or target for some nefarious activities. And so we have to be careful around those as well. So interesting times, no doubt.

Tim Woods:
I think probably everyone here today would agree that business has increased, probably quicker. I mean, it’s going faster than our ability to secure it. And we’re going to talk about that, because that brings about some key challenges as well. And some struggles that we’re facing today. FireMon has a unique perspective on what we call-

Elisa Lippincott:
Hey, Jim.

Tim Woods:
Yes.

Elisa Lippincott:
I’m so sorry to interrupt. Can you click on screen share?

Tim Woods:
I sure can. Are we not sharing right now?

Elisa Lippincott:
No. Sorry for the interruption.

Tim Woods:
No, that’s good. Very good. How about now?

Elisa Lippincott:
Perfect. Thank you.

Tim Woods:
Awesome. Thank you. I apologize everyone. So I’m not sure what happened there. We were sharing fine. But anyway, the speed of business has accelerated past our ability to security, essentially, is what we’re saying here. We’re going to explore that further, as we go through the slides today and talk about that as well, because there’s some things that take place there that we over time, if we don’t address, then we will incur what I like to call security debt. So multiple cloud deployment types. Again, if you’re embarking on your journey, you’ve already encountered this, which clouds do I use where and do we need private? Do I need public? What will I use the private for? What will I use the public for? When do I need hybrid? When do I need multi cloud? Which cloud services are we going to us? Most of the customers that we’re talking to today, are using multiple cloud platforms. And these are just a few that I’ve listed here. These are what I would call the ones that are leading the market share today, by and large. But there’s others, there’s many others out there too.

Tim Woods:
But we have to take all these things into consideration. And here, again, some of the challenges that we’re faced with as we’re interfacing with our customers, I was saying earlier, there before I lost my screen share that FireMon has a unique perspective on this because we talk to clients across the entire market sector, I don’t care if you’re in healthcare, if you’re in finance, if you’re in leisure, if you’re in travel, if you’re in, whatever it happens to be. We have clients, large enterprise clients across all of those different market verticals. And so it gives us a perspective of the challenges that they’re facing as they relate them to us.

Tim Woods:
And probably the biggest challenge, if I look over across that horizon of those different market verticals is complexity. Complexity is definitely still alive and well. And here’s what we know, if we leave complexity unchecked, if we don’t put forth an initiative to challenge complexity within our infrastructures, within our hybrid environments, then over time, what’s happened as complexity increases, then the probability of human error creeping into the equation increases, the probability of risk growing into our environment increases. And so that takes place and definitely not a good thing. And then we have a significant event and that’s definitely something that we don’t want.

Tim Woods:
But we’re also seeing that many of the security teams are still required to use what we’ll call outdated processes. And you see it listed there on the left, under that first little item there we talk about spreadsheets. I do see email. I see an email a lot just in firewall change requests type processes. Where people are actually using email. And I do see some great CRM integration systems, we see some great automation efforts that have taken shape as well to help increase the efficiencies of the team. So that’s all taking place too. But definitely if you look at the middle part here, this is something else that we’re experiencing. And this is the thing that we’re seeing a lot of the analysts right now, both Gartner and Forrester, they’re raising the red flag they’re talking, they’re telling us about the global warming that’s coming out of here. And a lot of that is related to misconfiguration. And the reason for misconfiguration. It all gets back to complexity. Where customers, they’re exposing S3 buckets.

Tim Woods:
I had the pleasure of going to the AWS re:Invent Show at the end of last year, and while they have the controls in place that can prevent that, they realized that people are accidentally exposing their data through misconfiguration or the lack of configuration, or just the lack of knowledge. And so they’ve taken a lot of steps to try to enhance that. They added a feature, specifically to block S3 public access and to be able to use that as a check to come back here. And in fact, they presented that they had introduced over 239 security related enhancements to the AWS service.

Tim Woods:
So what does that mean to you and to me and to us, as a consumer of these technology? It means that the native cloud controls are getting better. And that’s the good news. But right now, we’re faced with some pretty serious problems, because it seems like every day we’re seeing some exploits that have taken place. We’re seeing some data that’s been exposed. I saw another one last night as I was reading. And that’s your data, it’s my data. So it’s a very serious thing that we have to take into consideration.

Tim Woods:
So the biggest concern, and again, you’re seeing the analysts talk about it, you’re seeing security experts talk about it, is because of the rapid deployment of cloud and taking advantage of these things, again, for the right reasons, business is not going to slow down. But we have to get our hands around these cloud misconfigurations. I believe it was, we give you some references down there below, I think it was threat stack that estimated that 73% of all companies on AWS are suffering from some form of cloud misconfiguration that can impact security. So pretty significant number.

Tim Woods:
As I talk about complexity, also, it’s not just the rules going up into the right, because traditional IT security teams are definitely challenged with that, just the sheer number of rules that they’re required to manage. And as we move into the cloud, we still have enforcement technology in the cloud. We have the native security cloud controls, if you’re doing micro segmentation. If you’re doing containers, you have IP tables there. We still have enforcement technologies, and we have rules that we have to manage. It doesn’t just go away, just because we’ve moved into the cloud, if anything, it’s an even bigger concern. Because of some of the things that we’ve seen experienced out there.

Tim Woods:
But the other part of it too, is… And I’ll qualify that also to say that the resources necessary to manage this rule increase, this acceleration of rules up into the right, the resources necessary to manage that has not really went up, it’s remained somewhat stagnant over time. So I get it. Again, it’s not the again, I mean, a really nice position to talk to some really smart people. And it’s not that they don’t get it, they absolutely get it and understand it, it’s just having the time necessary to address it. They have 10, 15 different priority ones on their plate and which ones do I get to first?

Tim Woods:
But as we look at cloud, so that’s some of the problems, what we’ll call security, the increase of security complexity, but then also you have security bloat, and things that take place there too, that give rise to complexity. But then also in the cloud, it’s just understanding as we move into the cloud and we start pushing applications and devices into the cloud, it’s keeping a handle around that. Keeping a handle around the asset inventory of those things that we’re putting into the cloud. Who’s the owner of those devices? What are they being used for? Are we getting the right return on our investment? Are we overpowered, underpowered? Are we getting good benefit out of those things that we’re putting up there?

Tim Woods:
But the other problem is that many of the teams that are charged with supporting this effort of the devices that are going into the cloud, they don’t always know about all of those things that are actually being put up into the cloud. And so that’s a problem too, and you’re going to hear me talk about this a lot today as far as continual monitoring, continual investigation, continual discovery, it becomes really, really important because the cloud is so dynamic, it’s important that we have a foundation that allows us to continually discover what’s going on in our clouds.

Tim Woods:
I hate to pick on anybody, I really do, but the Equifax hack of 2017, this underscores what we were talking about earlier there is some of the teams that are forced to use antiquated systems or they’re using legacy processes that really just don’t work in today’s environment. In Equifax, they had it even harder, because they were forced to work on rather outdated legacy IT systems, some of them built in the late ’70s and early ’80s, and it made it really difficult not only to scan, but also to patch. And that’s why some of the many of the regulatory compliance initiatives today, you immediately become out of compliance if you’re running an operating system that is no longer a version of the operating system that’s no longer supported by the native vendor. So that becomes a problem. And so you either have to air gap that or you have to figure out a way to update it, you have to spend money to advance that. Equifax was bit by that. Not a good thing, and it left them vulnerable to exploitation, we all know what happened there.

Tim Woods:
These are not challenges just for any one company, though, and it’s not challenges, the regulatory compliance initiatives that we have to meet the challenges that we’re faced with, you pick a vertical, I don’t care what it is, whether it’s retail, or its energy, or it’s healthcare, whatever it happens to be, they’re all dealing with these type of security related challenges. And most of them are also trying to take advantage, they are embarking on their digital transformation journeys, or they’re taking a cloud first strategy approach, trying to take advantage of what the cloud provides them, again, for the right reasons. But nobody here is exempt in the real world current day challenges that we’re faced with here.

Tim Woods:
And it’s not unique to any one given compliance framework, either. All the compliance frameworks call it out. I think the one that I’m most impressed with, if I think about it is GDPR, because it’s one of the newest regulatory compliance initiatives on the scene. Although it’s a derivative of the previous one for the EU. But the thing that I like about GDPR, and I think you’ll see other compliance initiatives adopt this as well, is the spirit or the tone that they take to talk about security by design and default. Meaning that in our processes, as we’re looking at establishing those security guardrails and those compliance initiatives within our organization, GDPR specifically for personally identifiable information, I think they’re going after Google right now is what I just read. But the problem… Or not Google, Facebook. But the problem there is if they find that you’ve had a breach, and you’re at fault, and you didn’t put security at the forefront of your consideration, as far as it relates to including security in the process, then they will fine you larger. It’ll be a larger fine. So a lot of teeth behind GDPR as well, especially as it applies to the citizens of the EU.

Tim Woods:
All right. So I said I’d get back to this, keeping up with the speed of business. If I had to put a number on it, and again, this is just my own personal experience from interfacing with our customers here at FireMon. I’ve been here quite a while, over 10 years. So I’ve got to talk to a lot of really smart people. But if I had to put a number on it, I would say business has probably accelerated over the last three to four years, probably eight X. And again, past our ability to secure it in a timely manner. So what happens when we can’t honor the demands of the business? What happens if we say no, or if we say you have to wait. It’s no surprise that they’ll find a way to go around us. It’s no surprise that we see business owners and DevOps taking responsibility for the configuration of their own security controls. It’s no wonder that I see new cloud security teams being adopted as well.

Tim Woods:
The problem is that we’re getting away from the concept of a central security doctrine or a central security policy. We’re finding that people as they move into the cloud, are rolling their own as it relates to their security policies. And this can be a very dangerous thing. Over time, we will definitely incur the security debt that I talked about, and at some point we’ll have to pay interest on that. And so that’s a big problem.

Tim Woods:
Look at some of these percentages that we have listed here. So 52% of companies admit to cutting back on security measures to meet deadlines. Again, as we do this, there’s a price to be paid for that. And no doubt it’s recognized within the companies as well. But what are we doing to counter that? It’s not quick enough. 62% of companies think the biggest threat to their public cloud implementation is misconfiguration. So that aligns with what the analysts are saying, it aligns with what we’re seeing, it aligns with what we’re finding in the marketplace today. So again, it goes back to challenging complexity and reducing that complexity in order to avoid some of those costly misconfigurations that we’re seeing take place in the marketplace.

Tim Woods:
But in order for us to fix this, one of the things that has to happen is, and by the way, I don’t think this is going to go away. This trend, segmented security, where people are taking responsibility, or other teams are taking responsibility that may not be well versed or well grounded, not that they’re not smart people, they’re incredibly smart people. DevOps, very, very smart individuals, but they’re not necessarily well grounded in a deep security background, yet they’re taking responsibility for their security configuration. So we can see that the problem is going to mountain here, but I don’t think this is going away.

Tim Woods:
And so I think to solve it, we set out, FireMon, almost two years ago, looking for a way to establish a collaborative platform that everybody can be a participant of, as it relates to the security of our hybrid infrastructure. And I think that’s the way. We have to learn how to build security into our processes, into our deployment processes. It has to be a component of our implementations. And it can’t be an afterthought and it definitely can’t be something that is not honored by a common security discipline as well.

Tim Woods:
What happens if we don’t? Well, there’s a lot of examples out there. I’m not going to read each one of these to you. But I think there’s enough here. And again, it’s no wonder why the Forresters of the world and the Gartners of the world, the analysts of the world are raising their hand and saying, “Hey, we have a problem coming at us here, there’s a tsunami in front of us. And if we don’t do something about it, it’s only going to get worse.” So it’s a pretty big issue that we’re faced with, and so companies are definitely going to have to… It can’t be ignored any longer. It’s something that we’re going to have to address.

Tim Woods:
As I said earlier too, the good news is that the native controls within the cloud are getting better. The cloud providers themselves are providing better collateral, as well. Again at AWS this year, in addition to the over two hundred and thirty something security enhancements that they talked about, they also talked about establishing best practice guidelines. And I know that Azure is doing this as well, I’m quite sure we’ll see Google Cloud Platform follow suit, but I really applaud AWS for what they established, what they’re calling their cloud formation templates. And so if you need to nail up a VPC, they have a blueprint or a best practice guide or a reference architecture that you can use to do that with. So that you can copy what has already been known to be successful. Same thing for EC2, same thing for the E3 in simple storage services. Same thing if you’re trying to nail up a large data store for Hadoop, or you need a cluster platform that can expand and contract for the elastic management or for your RDS, for your relational database system.

Tim Woods:
They have roadmaps or blueprints, architecture, architecture references for all of that. So I applaud them for doing that. And I think you’ll see all the clouds… That will become a requirement for all the cloud platform companies. As you move to them they’re going to need to give this type of material to their clients in order to not only encourage them to move into the cloud, but make sure they’re following the best practices possible.

Tim Woods:
All right. Let’s talk a minute about organic growth. Is it good or bad? Typically when you hear organic growth, you think of business process, a couple of ways to grow a business. You can acquire technology, you can acquire assets from other companies and grow your business that way, or you can grow it all naturally, internally. But as we think about the cloud, we’re seeing a lot of organic growth in the cloud, meaning that we’re just throwing things up there as we need it. We need that, this department, that department. And unfortunately, because of the siloed nature of some of the large enterprise businesses, it’s not real aligned, there’s not a common process that’s being followed, there’s not a common plan that people are adhering to. Definitely no common security controls, which is an even bigger issue.

Tim Woods:
So poorly planned deployments can be, it can be a big challenge to secure. And so organic growth, I’m not saying that it can’t be good even as it relates to cloud, but if we’re not following a plan, if we’re not following a defined process, then we’re going to get into trouble down the road. Especially for those that are charged to manage it and monitor it and secure it and ensure that we’re doing the right thing for our accounts and our clients and our customers. So Cloud sprawl is a real thing. You’ll hear me say this multiple times too, you can’t manage what you can’t see. And it’s very hard to secure those things that you don’t know about. So it’s something that has to be addressed as well.

Tim Woods:
This was just one that I grabbed out there from some of the articles that I’ve been reading and people that I’ve been talking to. And I just found it interesting, we started looking at this, actually, it was a couple of years ago that a well-intentioned hacker, when we talk about hackers, there’s black hat and gray hat and white hat. But a well-intentioned, we’ll say, security evangelist put this search tool out there where you could search your repos. If you’re not familiar with GitHub and GET Lab, GitHub being the biggest of those. Basically, GET is an open source version control system and then GitHub is a place where coders and DevOps and developers can place their source code and collaborate with one another as a team, regardless of where they’re located at.

Tim Woods:
But what we found or what was being seen is that sometimes they were accidentally posting code up there that contained their private keys. And hackers got wind of this and started looking for it, and these tools come up out of the same, GitHub and Truffle Hog, which allows basically developers to go in and look at their repos to make sure that they haven’t put something up there, secret keys, or passwords or anything like that, that would be not a good thing if it got in the hands of somebody with malicious intent.

Tim Woods:
And so all I’d say to this, as we go on to the cloud, as we start embracing CI, continuous integration and continuous development and continuous deployment and things like that. And if you’re using GitHub and if your DevOps is using that this is something else that can’t be overlooked. We have to make sure that anything, anything that we place in the public sector, anything that we place that is public facing, we have to make sure that that’s been sanitized before we do so, so that we don’t put ourselves at jeopardy by giving them something that they shouldn’t have. That gives them basically certain other keys to the kingdom.

Tim Woods:
This is something I started working on, and it’s not complete right now by any stretch. I’m still working with some of my counterparts to complete this. But basically it’s talking about some of the tenets of a good cloud security posture management system. You’ll see Gartner and Forrester also, they already have some similar things that they’re producing and talking about it as a good line as an architecture of things that you want to start looking at. And we’re going to talk more about the different types of cloud platforms that can be adopted as services will call them, in addition.

Tim Woods:
But the only thing I wanted to point out here, and the reason I put this up here is I think at the very base, yes, compliance surrounds this whole thing. Compliance is an ever, especially if you’re in an industry that has regulatory governance behind it, or around it. But at the very bottom of it and this was what I was talking about earlier is you need this global security orchestration platform that allows collaboration from the various groups, from the business groups, from the development groups, from the compliance groups, from the security teams, from the infrastructures teams. If we’re going to get our arms around our entire hybrid enterprise, both cloud, private, public and the stuff that we have on-premise, we have to have a centralized view. We have to have centralized visibility across those things. We have to have controls that adapt to changes within the environment.

Tim Woods:
As we said, cloud can be very fluid, especially if you’re using containers and micro services and things that can spin up and spin down. If we don’t have a way to discover those things, and to make sure that the security controls are following the data, data being our biggest currency nowadays. The bigger the database store, the bigger our potential currency, the more value it adds to our customers. Obviously, the more consumable we make that data to our customer base, it has to be consumable in the aspect that it’s also secure. But there’s a lot of things that surround that.

Tim Woods:
So having a good reference architecture that you can point back to, that charges the teams with the things that they need to assume responsibility for, and that we can create initiatives around is very important. And that’s why I came up with that. Consistency can’t be over stated. And these are some of the main tenets. In addition to that, security orchestration platform, you got to have continuous monitoring, you got to have a way that you are basically looking, discovering what’s going on within your environments, regardless of where those applications are, or which cloud platforms, albeit either public or private, what is going on there, I have to make sure that my controls are dynamic. I have to make sure that I have that collaborative platform that everybody can have input to.

Tim Woods:
And when I say collaborative, what I’m talking about there, to an extent is self service capabilities. No different than how we change our passwords or reset our passwords today. There’s no reason that if I’m a business owner, and I have somebody new coming into my team, and I want to give them access to a resource or to the data that they need to do their job, there’s no reason that I should have to go off and create a change ticket and wait for security to enable that, I should be able to self-enable that. As long as I’m not coloring outside the lines, that if security guardrails are in place to say, hey, that’s already accepted, that’s good, it should just flow right on through.

Tim Woods:
And then the last piece, of course, is consistency and deployment. We need to be doing things following a centralized security policy and doing things in a consistent manner. We shouldn’t have people going off and enrolling on their own, or doing their own things throughout our infrastructure. If you do, you can be guaranteed that that’s going to come back and haunt you in the future.

Tim Woods:
I think this is really important also as you… And most customers, I’m going to ask Elisa to comment on this here in a minute, when we start looking about, we did a survey recently. And we’re producing a report on this that talks about which as a services are you using, and we’re finding some interesting data around that. But here’s what’s important to understand, depending on which, as a service, you’re embracing, or you’re leveraging, you’re using, there’s a different shared responsibility for who takes ownership for what. And it’s very important that you understand what those are.

Tim Woods:
And we see some shifts going on there, too. Whether it’s platform as a service or infrastructure as a service, who’s taking responsibility for what. But you would be well served to make sure that you are talking to your cloud provider on what it is that they believe that they’re personally charged for supporting versus what you’re personally charged for supporting. These were a couple of examples taken from Amazon and Microsoft. Again, it’s just money ahead, you’re two steps ahead, if you understand exactly what you have responsibility for and what they have responsibility for. So I would highly solicit you to investigate that further, if you haven’t already.

Tim Woods:
Just another way to look at it here. Some of the applications that probably most of us could relate to. Anybody here listening today can put their own up there, across these different as a service offerings. At the top, probably everybody here is using Office 365. ServiceNow if you don’t recognize that logo at the top right up there, that’s the new ServiceNow logo. I think we’ll see ServiceNow move in to the past stage two, because they’re getting into digital workflows and the ability to serve up a platform that people can write their own digital workflows to and then sell those. It’s interesting where they’re going. Salesforce has already moved there. I know sometimes Salesforce is considered a SaaS model, but it’s a complete platform as a service offering because people can write to it and offer complete solutions on top of the Salesforce platform. But again, it’s important to understand who has responsibility for what and what are the components of each one of those as a service layers.

Tim Woods:
Cloud security posture management. So the reason I found this is… And I took this from Gartner, by the way. But you’ll notice here at the very top, it talks about policy visibility. And so again, it just underscores what we’ve already been talking about, policy visibility and continuous discovery and identification of the things that are in the cloud. So it’s workloads or services, those assets, those applications that are being deployed down to the cloud. Being able to comment to have a continuous risk evaluation of those things that are out there.

Tim Woods:
Again, we go back and we look at what are the biggest concerns and what are top of mind and challenges for organizations and enterprises today, and it’s misconfiguration, it’s exposing data that we don’t want exposed and what even surprised me, and it’s hard for me to get surprised, but it’s how much of that data that’s been exposed, that’s not even encrypted. I mean, hackers aren’t even hacking nowadays. They’re going through there, they’re looking for the car that’s running with the windows rolled down and the keys are in it, they don’t have to hack, they’re looking for things that are publicly available. They’re looking for those secret keys, or those private keys, they’re looking for those S3 buckets that are exposing the data unintentionally. And it’s not a matter of hacking, it’s a matter of just using their bots or using their scanning tools to find those things that are readily accessible.

Tim Woods:
What’s the analysts take on this? I’ll let you read some of the key findings down there yourself. But it says nearly all successful attacks on cloud services are the result of customer misconfigurations. That sums it up, in and of itself right there. We have to get our hands around evaluating the things that we’re putting up into the cloud to make sure that they are secured properly. And until we do that, we’re going to continue to run into this misconfiguration issue that leads to data exposure, which, it’s a very dangerous thing.

Tim Woods:
The list that you saw slide before last, this was our list at FireMon. We’d started to form this process quite some time back. But what interested me here, and the reason that I’m throwing it up here for you today is because it talks about some of the very same things. It talks about gaining efficiency, and it talks about how we gain better visibility and continuous monitoring. It talks about the need for automation in order to gain more efficiencies for our people and to do things in a more consistent manner. The scenario that I painted earlier, where the rules, the complexity was going up into the right, and we don’t have the resources necessary to manage that curve or to mount that curve, if we can’t hire more resources, or we’re not investing in more resources, then what do we have to do? We have to make the resources that we have more efficient. We have to unburden them from some of the mundane tasks that they’re doing today and allow them to do the things that they were originally hired to do. And we accomplish that through automation.

Tim Woods:
But also, we need to be constantly looking at risk, we need to constantly be assessing, and proactively looking at risk. And when I talk about proactive, yes, I mean, it’s great to be alerted, and it’s great to be alarmed when we detect it. And we do that all the time too. Anytime a change takes place, we evaluate that change, we look at what did it look like before? Now what does it look like? Was it good change or it’s bad change? Was it good change or bad change? Because one thing we know for sure change is always taking place within our environment. So the question is, was it good or bad.

Tim Woods:
And so being able to understand that after it happens is good, and raising the red flag it’s good, but proactively, I would like to be able to assess a change that proposed to be made before it actually gets implemented. So we need to be able to not only look at change as it happens, but we need to proactively look at proposed change before it actually gets implemented as well. And that gets into number five, there, of course, is the security and compliance across the hybrid enterprise.

Tim Woods:
Again, even on compliance, there is reactive compliance and there’s proactive compliance. And if done right, and I don’t want to trivialize that there’s not some heavy lifting involved here. But there are tools and technology out there in the market today to help us accomplish this. We can put ourselves in a dynamic compliance posture, meaning that every time a change happens, we can analyze that change dynamically. Every time there is a proposed change, we can assess that from a compliance assessment perspective to make sure that that’s not going to break our compliance posture or introduce something that allows greater risk into our environment without us being able to make a decision on it first. So those things are achievable today.

Tim Woods:
So this is really cool. I’m going to turn this over to Elisa and let her comment on this because she was one of the lead architects behind this. But every year you guys, some of you on the phone may have actually looked at our state of firewall report. And this year, we did a state of the hybrid cloud security report, which has produced some interesting results. So Elisa, you want to comment on this?

Elisa Lippincott:
Sure. So this report is actually coming out next week. But we wanted to give everyone on the call a sneak peek. We surveyed about 400 security professionals, and we wanted to get an idea of the challenges that they’re worrying about as they embark on a hybrid cloud initiative. And one of the big steps that came out was the fact that 60% of respondents said that their cloud business initiatives were accelerating faster than their security team’s ability to secure them. Now, mind you, this is in addition to the other challenges they were facing, which included the lack of visibility into what’s going on, on their network. And as well as the lack of resources and qualified staff to be able to handle everything. Can you go to the next slide.

Elisa Lippincott:
So we found that many of the respondents are using multiple different firewalls, and in some cases, they’re even using multiple public cloud providers. But it was actually also interesting to see how they were exactly using the cloud. So going back to what Tim discussed around shared security responsibility, it seems like enterprises are getting more comfortable with using more as a service models where they’re holding a little more of the responsibility for security. We’re seeing 39% of respondents using infrastructure platform and software as a service concurrently.

Elisa Lippincott:
I want to dig a little more into the data. Because as I say, enterprises are getting more comfortable. I’m hoping that they actually know that they’re responsible for some of that security in the cloud, especially as they go beyond software to infrastructure and platform. And it would be interesting to see how this trend grows over time and how it will ultimately affect the relationship between security teams and DevOps. Tim, any thoughts there?

Tim Woods:
No. I think it’s some incredibly useful data, number one. And I think it’s only going to get better. I’m already excited, I’ve had a chance to preview it, what we’re putting out in the next coming days. But as we train this over the next couple of years, it’s going to be very interesting also, to see what prevails. But I think, more importantly, that potential clients and customers can look at this and actually help them in some of their planning efforts going forward as they continue down their digital transformation journey.

Tim Woods:
There’s a lot of projects and initiatives. It’s always interesting to me, as I look at strategic initiatives within a company, I always start there as we’re engaging, either with new clients or with new opportunities and stuff. I always like to understand what are the strategic initiatives, and how our products can help map into those strategic initiatives to help them gain success. But it’s always interesting to look at the strategic initiatives for a given year. And more importantly, what are the technologies that they’re going to rely on, to achieve their stated goals. And when I talk about technology, I’m talking to either the existing technologies that they have, or maybe there’s an upgrade to something that they already own, that they need to make an investment in, or perhaps it’s even acquiring something new and it may be as a replacement of something they already have, but this new thing that they’re requiring, affords them greater functionality around a given area. But it’s always interesting to see how technology is tied back into the strategic initiatives.

Tim Woods:
And then below that, or in parallel to that, it’s the resources. The resource requirements around it. So if we’re going to acquire new technology or upgrade that technology, how are we going to manage it? How are we going to use it? More importantly, how are you going to respond to the data results that it produces? Is there something that I have to have a reactionary team around or a response team around as well?

Tim Woods:
And then I say this, and as I’m listening and discussing, I’m always interested to see where does security come into the discussion? Because it shouldn’t be, security should really start again, at the top. It should be by design and default. And it should be the beginning point of the equation. And again, I think this is where some of the regulatory compliance initiatives are going to, they’ll be adopting the same spirit that we see prevalent in the GDPR compliance initiative as far as security by design and default and if it’s not there, then there’s going to be some eyebrows that are raised and some questions that are answered.

Tim Woods:
But anyway, you guys are probably, as you’re looking at this, and you’re looking at some of these projects and some of these strategies, I’m sure, I was talking to somebody here recently, just a couple of months ago, at a trade event. And we were looking at this deck, going through this, it wasn’t this deck, it was a different deck. But anyway, the individual told me and he said, “Tim, everything that’s on this slide right here, every single thing that you have on this slide right here is either something that my team is working on, that we have projected, basically, it’s top of mind.” So I thought that was interesting.

Tim Woods:
We’re coming to the end here. So I just want to wrap up with two more slides here. And then, Elisa, I’m going to turn it over to you and see if you have any parting notes when we wrap it up here. But one of the things that I’m really big on right now, and I think is really important to cloud adoption, and even if you’re not using it today, I think it’s going to be important in the future. The little quote that you see there was actually by Forrester but it’s the ability to exchange information between different vendors is becoming more important. And vendors that have a well-defined API structure can really serve to raise the overall value, the total value, the totality of the overall efficiency of an enterprise combined security solution. And whether you’re using that today or not, I promise you in the future, you will want that. You will want the ability to leverage solutions that have a robust API and the ability for you to use those types of integrations to enhance or enrich other information that you have between those different vendor devices that you have invested in.

Tim Woods:
So very, very important. And I’ll read over there, to the right, some of the ways that we use our APIs, with our technology partners, with our customers, we’re very big in the MSSP space, because they can extract that data and put it into their own custom portals, and we allow them to do that quite readily. So I think this is something that you’re going to hear more about from other vendors in the future. And you’ll see people standing on top of their mountain waving the flag about how proud they are of their API, rightfully so if they have a robust open API structure, how important that is, to the future of the cloud and the hybrid enterprises.

Tim Woods:
So with that said, FireMon we have over 15 years of experience helping customers chase real world problems. And so I think we need security at the speed of DevOps, we need security at the speed of business, we need to gain parity with the speed of business as it relates to security. Your management needs confidence that the automation strategies and the initiatives are actually going to work and it’s not something that we’re going to struggle with. They need to know that there are ways to put security guardrails in place that can help if we aren’t going to get into more of a self-service path of helping people to enable their own security cross the different groups, that we can rely on our security guardrails to make sure that people don’t color outside the line, and they don’t do something that is damaging, or introduces more risk into the environment.

Tim Woods:
So all of these things are things we’d love to talk to you about today, and I definitely put out the invitation there, for anybody who wants to talk further about the information that’s contained in this presentation. We’d love to work with you. So Elisa, any parting notes before we wrap it up here?

Elisa Lippincott:
We do have a couple of questions that have come through. This one is related to the shared responsibility topic. They’re asking, is the shared security responsibility the same across all of the different public cloud providers?

Tim Woods:
It’s a good question. I think that’s something that’s morphing today. And that’s why I said earlier, I think for the cloud providers that you are engaged with, make sure that you question them. That they provide you with a clear understanding of what they are claiming ownership for. And that way you know exactly what you need to have ownership of. So if that’s not clear to you, if it’s not clear to you exactly what they’re taking responsibility for, and what they believe you should be charged responsibility for, then that’s a gap that needs to be closed.

Tim Woods:
So I’d say this is something that is at the moment, we see some new areas that are evolving, I think we may see some other as a service type platform reference architectures being developed as well. But it’s something that I would solicit anybody who is engaged with a cloud provider to clearly understand based on which as a service platform you’re using and as you pointed out, many of them are using multiple as the survey results revealed, that you know across different cloud vendors that you engage with what their stance on that is.

Tim Woods:
So I don’t think it’s a straightforward question. I know, I didn’t answer it in completeness there, because it’s not something I think that can just be answered resolutely for any one vendor, it’s one thing that you need to go out and seek out for the people that you’re engaged with.

Elisa Lippincott:
Yeah. It’ll be interesting if the cloud providers get together and come up with an agreed upon standard across the board, but obviously, that remains to be seen.

Tim Woods:
All right.

Elisa Lippincott:
We have one other question here. Oh, I like this one. Will an on premise environment ever truly go away?

Tim Woods:
Right now, my take, barman take on it is hybrid is forever. Meaning that there are some systems right now that just aren’t very, as I said earlier, at the very beginning that aren’t very cloud friendly. There’s reasons that we can’t bring them into the cloud, there’s compliance reasons that we can’t bring them into the cloud, there’s cost reasons that we can’t bring them into the cloud. And there’s many other reasons as well. But no, I don’t think any time in the near future, at least in the next five to six years, and I say that tongue in cheek, forever. Because forever is a really big word and a really long word. So will it be forever? I don’t know. But I definitely over the next five to eight years or so, we’re still there. The hybrid, the on-premise implementations are not going to go away.

Tim Woods:
And so with that, I would also say, if I’m putting my security hat on and keeping my security visibility hat on, my security implementations, my security management, I want to look at a solution that’s going to give me a common window, a common pane of glass across my hybrid environment. So I want to make sure that not only do I have a clear view of those things on-premise, but I have a clear view of those things in the cloud. I need that common platform that gives me a view of both.

Elisa Lippincott:
Okay. Well, we have one final question. And this is another doozy of a question that probably has way too many answers. But the question is, how do you think DevOps and network security teams will be able to work together for a successful migration to the cloud?

Tim Woods:
That is a big question.

Elisa Lippincott:
Right.

Tim Woods:
Yeah. I mean, there’s a lot. We see Sec moving in to DevOps. I mean, we see the term regularly now, DevSecOps or SecDevOps. I think they understand there’s a growing understanding of the need for security within the process of DevOps. And so I see that being adopted. I see that melding, I see that becoming a union of two. Again, this is why I stand on the platform that says, “Hey, we need that uniform orchestration platform too, that allows the multiple business silos to collaborate.” No different than IT security has to collaborate with DevOps, more than the business has to collaborate with DevOps. With compliance has to collaborate with IT and infrastructure.

Tim Woods:
We can’t operate in silos any longer, especially as we get into the cloud, because the peril is just too much. The cost or the potential damage to the business and loss of data and information that we potentially can expose is just too great. And so these things, I think we see a union forming here in the future between security and DevOps, which is a good thing I should say also, a very good thing. But definitely will become security by design and default in the DevOps process.

Elisa Lippincott:
Okay, great, thank you. We’re going to go ahead and wrap up today’s webinar. I want to thank everyone for joining us today. I also want to thank Tim for his time today and his great insight on all things hybrid cloud. For more information on FireMon, you can visit us at www.firemon.com. You can also follow us on Twitter and LinkedIn at FireMon. This concludes our webinar. Thank you and have a nice day.

 

Read more

Get 90% Better. See How to Get:

  • 90% EFFICIENCY GAIN by automating firewall support operations
  • 90%+ FASTER time to globally block malicious actors to a new line
  • 90% REDUCTION in FTE hours to implement firewalls

SCHEDULE A DEMO