How do you approach security in this cloud-first, mobile-first world?

28.1k views · 2 Upvotes · 11 Comments

CTO in Software, 11 - 50 employees
There is no ‘moat’ around the castle any more. Next-gen hardware solutions are definitely not the security answer. The way I think about security is a combination of visibility and hygiene. You can't secure what you don't know about, and an example of poor hygiene is having manual processes in place to patch systems. In today's high-velocity, cloud, no-perimeter world, that just doesn't scale.

At Netflix we implemented something called zero trust security. Basically, operate like you have no security; like you're at a coffee shop. Within that mindset, we would think about how to bring visibility, continuous awareness and anomaly detection versus the old-school ‘perimeter’ approach:

1. Take inventory to understand what all the applications being used are and where they all live;
2. Prioritize this inventory and have a strategy in place to address these applications.

The whack-a-mole approach just doesn't work. What makes this hard to do is the cybersecurity industry just creating more and more products instead of platforms and strategic frameworks.
SVP CIO in Telecommunication, 5,001 - 10,000 employees

Agree with Mike that the perimeter is gone (if it ever really existed). Zero trust needs to be a going-in assumption.

The other thing I think you need to do is think like a time traveler. Here's what I mean.

Say you want to encrypt data and, based on today's compute cost and algorithms, you select a method that would take years and be cost-prohibitive to defeat. Next year cloud compute costs drop by an order of magnitude and cloud-based GPUs become cheap to run, so your assumptions are now invalid as a defeat could be achieved in hours for nominal cost.

If you think like a time traveler you think about 3-5 years from now when the server, storage or software you are deploying is still in use and the security assumptions are no longer valid. What can you realistically expect to happen in the future (faster CPUs, lower cost, and more sophisticated algorithmic attacks, for instance) and so if that were true now, how would that change your approach?
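The "time traveller" reasoning above can be turned into a small calculator. The block below is an added example, not code from the original thread or any of its participants: it projects how the expected cost of brute-forcing a key of a given size falls as compute gets cheaper each year, and asks which key size still holds up at the end of a deployment's lifetime. Every number in it (trials per dollar today, the yearly cost decline, the attacker budget) is a constructed assumption for illustration; real planning would substitute measured figures.

```python
"""Added example, not part of the original thread: a small "time traveller"
calculator for the encryption scenario above. It projects how the expected cost
of a brute-force attack on a key of a given size falls as compute gets cheaper,
and asks which key size still holds up at the end of a deployment's lifetime.
Every number here (trials per dollar, decline rate, budget) is a constructed
assumption for illustration; substitute measured figures for real planning."""
import math

# Constructed baseline: assume an attacker can buy 2^40 trials per dollar today.
TRIALS_PER_DOLLAR_TODAY = 2 ** 40


def trials_per_dollar(years_ahead: float, annual_cost_decline: float) -> float:
    """Trials per dollar `years_ahead` years from now, if the unit cost of compute
    is multiplied by `annual_cost_decline` every year (0.5 = halves yearly,
    0.1 = drops an order of magnitude yearly, as in the comment above)."""
    return TRIALS_PER_DOLLAR_TODAY / (annual_cost_decline ** years_ahead)


def expected_cost_to_break(security_bits: int, years_ahead: float,
                           annual_cost_decline: float) -> float:
    """Expected dollars to recover a key by brute force at that future date.
    On average half the keyspace is searched before the key is found."""
    expected_trials = 2 ** (security_bits - 1)
    return expected_trials / trials_per_dollar(years_ahead, annual_cost_decline)


def years_until_affordable(security_bits: int, attacker_budget: float,
                           annual_cost_decline: float) -> float:
    """Years until the expected break cost falls within `attacker_budget`.
    Returns 0.0 if the attack is already affordable today."""
    cost_today = expected_cost_to_break(security_bits, 0, annual_cost_decline)
    if cost_today <= attacker_budget:
        return 0.0
    # cost(t) = cost_today * decline**t, so solve decline**t = budget / cost_today.
    return math.log(attacker_budget / cost_today) / math.log(annual_cost_decline)


def minimum_bits_for_horizon(horizon_years: float, attacker_budget: float,
                             annual_cost_decline: float) -> int:
    """Smallest key size whose expected break cost still exceeds the budget at
    the END of the horizon, i.e. the size to pick if the system will still be
    in use `horizon_years` from now."""
    for bits in range(1, 513):
        if expected_cost_to_break(bits, horizon_years, annual_cost_decline) > attacker_budget:
            return bits
    raise ValueError("no key size up to 512 bits satisfies the horizon")


if __name__ == "__main__":
    budget = 2 ** 20  # constructed: roughly a million dollars of attacker spend
    for decline in (0.5, 0.1):
        print(f"compute cost multiplied by {decline} per year:")
        for bits in (64, 80, 128):
            t = years_until_affordable(bits, budget, decline)
            print(f"  {bits:3d}-bit key affordable in {t:6.1f} years")
        print(f"  key size needed for a 5-year deployment: "
              f"{minimum_bits_for_horizon(5, budget, decline)} bits")
```

The useful output is the comparison between the two decline rates: with the constructed baseline, a 64-bit work factor that costs several million dollars to defeat today is within a million-dollar budget in about three years if compute halves in price yearly, and in under a year if it drops an order of magnitude as the comment describes, so the key size chosen for a five-year deployment has to be picked against the cost at year five, not at year zero.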

Chief Security Officer in Software, 10,001+ employees
I answered this in a previous thread. We use a ZeroTrust model similar to Google's BeyondCorp strategy.
VP of IT in Healthcare and Biotech, 51 - 200 employees

We are taking the same approach. Helps that we use GSUITE Enterprise. :-)

Chief Information Officer in Software, 501 - 1,000 employees
From the security perspective, our partners and customers see us as ahead of most organizations they work with, however we have an internal mentality that every day is a clean slate for the threat community. We continuously debate how to improve the security of our applications through pipeline management, but we have one goal; a solid and secure offering for our customer base and their patients. Additionally, we partner with a managed service organization that exercises the Zero Trust model to protect our platform. All that said, there is always room to continue to preach security starts within the product design phase.
CTO, Self-employed
I agree zero trust is a great architecture to implement and follow. The main problem, in my opinion, is that it is not always implemented and followed as it should be. Zero trust in its essence means "never trust, always verify": very simple but very powerful. If this were followed by all systems and EMPLOYEES then it would prevent a large number of threats. If you analyse modern attacks you'll see that a large number of them relied on exploiting a system or an entity that trusted something without verifying it.

It is easy enough to implement this model when building systems, but the real challenge is always the employees, "the weakest link in the security chain". Following this model means they should never trust any email, phone call, SMS or even plain old mail, even if it's coming from a friend or from an entity that they usually interact with. This would slow down their productivity to the point that it would push some of them to just ignore this model and trust these methods of communication when they shouldn't, because all of the above can be easily used to gain initial access, which can then be escalated to a system-wide breach.

In my opinion, education is one very important aspect that a lot of companies don't give much attention to. They spend a lot of money on designing great secure systems and put policies in place that force people to use their systems securely, but all of this is meaningless if the employee is not educated properly on the risks they could introduce to the company. This was the main topic of my talk at the Global Cyber Security Financial Summit ("You spent all that money and still got hacked!").

A great example of this is a huge automotive company that we did a pentest on. They really did have the latest and greatest in terms of security, and they also had great policies in place where random secure passwords are generated every week, etc. All of this didn't really matter when we got into one of the employees' offices (pretending to be a customer) and discovered that he had the passwords written on a sticky note. Yes, the note was kind of hidden, but we were still able to read some of the passwords and gain initial access that way!
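"Never trust, always verify" is easy to state and easy to get wrong in practice, so here is what it looks like as code. The block below is an added example, not code from the original thread, any commenter, Netflix or Google: a minimal access decision in the style of a BeyondCorp-like access proxy (which the thread mentions) that evaluates every request on identity (a signed, short-lived token), device posture (from a device inventory) and the resource's policy, and deliberately ignores which network the request arrived from. All names, roles, devices, policies and the signing key are constructed for illustration; a real deployment would take identity from an IdP and keep the signing key in a KMS.

```python
"""Added example, not code from the original thread: a minimal "never trust,
always verify" access decision in the style of a BeyondCorp-like access proxy.
Every request is checked on three things: identity (a signed, short-lived
token), device posture (from a device inventory) and the resource's policy.
The network the request arrived from is deliberately NOT an input to the
decision. All names, policies, devices and tokens are constructed for
illustration; a real deployment would use an IdP and a KMS-held signing key."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SIGNING_KEY = b"constructed-demo-key-not-for-real-use"  # constructed value


def issue_token(user: str, roles: list, device_id: str,
                ttl_s: int = 600, now: Optional[float] = None) -> str:
    """Mint a short-lived HMAC-signed token binding user, roles and device."""
    now = time.time() if now is None else now
    claims = {"sub": user, "roles": roles, "dev": device_id, "exp": now + ttl_s}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the signature checks out and the token is
    unexpired; anything else yields None, no matter where the token came from."""
    try:
        body_b64, sig = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in the fleet inventory
    disk_encrypted: bool
    days_since_patch: int


def device_tier(device: Optional[Device]) -> int:
    """0 = unknown or unmanaged, 1 = managed but out of policy, 2 = healthy."""
    if device is None or not device.managed:
        return 0
    if device.disk_encrypted and device.days_since_patch <= 30:
        return 2
    return 1


# Constructed resource policy: which roles may reach what, on how healthy a device.
RESOURCE_POLICY = {
    "payroll-db": {"roles": {"finance"}, "min_tier": 2},
    "wiki": {"roles": {"finance", "engineering"}, "min_tier": 1},
}


def authorize(resource: str, token: str, devices: Dict[str, Device],
              source_network: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide one request. `source_network` is accepted only so the caller can
    log it; it is never consulted, which is the whole point of zero trust."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, "unknown resource"
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid or expired token"
    if not set(claims["roles"]) & policy["roles"]:
        return False, "role not entitled to resource"
    tier = device_tier(devices.get(claims["dev"]))
    if tier < policy["min_tier"]:
        return False, f"device tier {tier} below required {policy['min_tier']}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed device inventory and requests.
    inventory = {
        "lap-1": Device("lap-1", managed=True, disk_encrypted=True, days_since_patch=3),
        "byod-7": Device("byod-7", managed=False, disk_encrypted=False, days_since_patch=90),
    }
    t0 = time.time()
    corp_token = issue_token("alice", ["finance"], "lap-1", now=t0)
    byod_token = issue_token("alice", ["finance"], "byod-7", now=t0)
    # Same user, same role, same "corporate LAN" origin: only the healthy device gets in.
    print(authorize("payroll-db", corp_token, inventory, "corp-lan", now=t0 + 1))
    print(authorize("payroll-db", byod_token, inventory, "corp-lan", now=t0 + 1))
```

The design choice worth noticing is that `authorize` has no branch on `source_network` at all: a request from the office LAN and one from a coffee shop are evaluated identically, so being "inside" buys nothing. The same user with the same role is allowed on a managed, patched, encrypted laptop and refused on an unmanaged device, and a token that is expired or has been tampered with is rejected before any policy is consulted.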
Assistant Director IT Auditor in Education, 10,001+ employees
For cloud, use Cloud Access Security Brokers (CASB).
VP of IT in Software, 1,001 - 5,000 employees
My take - continue adopting a risk-based approach. My rule of thumb is that any off-premise solution has to have an equivalent security posture to an on-premise solution; otherwise the elevated risk delta must be managed and the residual risk accepted.
CIO in Software, 501 - 1,000 employees
Preaching is fine, but we've been trying to educate a lot of traditional security organizations to say: don't wait for something to happen to respond. If your mentality is that things are going to happen, so the best we can do is the fastest response, then we're going to be great first responders and we're going to contain something, whether it's a machine, or a server, or a group of the network. We're going to contain that, quarantine it, fix it and then close whatever vector of attack was used, and then we feel good until the next one happens.

Then you're in this constant firefighting mode. You never seem to have enough people, enough solutions, enough things detecting what is going on in the environment. If you were to think about that in a different way and say we're not there to respond, we're there to prevent, then there are very few things you have to actually worry about. So change that and leverage things like AI to be focused on prevention, not focused on detection. Once they can understand that, they can pivot their security organization.
Global CISO, 1,001 - 5,000 employees
For me, it was very important to have a more cohesive view of trust within the environment in which I work. When we think about trust, it's across many security principles. We build trust within our products, platform services operations. 

And it's about maintaining those environments. This is accomplished through compliance and audits, certifications and adaptations. Then the question becomes how do we partner with our customers to be that tether to reality. In other words, is what we're doing working? The efficacy of that can be measured.

If you think about these across three pillars: built up trust, maintain trust and advocate trust, then it means you are not just fulfilling them when you operate in one of those silos. You need a more cohesive view, and I call it the ‘single-pane-of-glass view’ on risks to the company and risks to the environment. 

CIO in Services (non-Government), 501 - 1,000 employees
No matter how technology changes, the basics still work.

1. Build alliances with the company's leaders and users wherever you can. Learn how the power structure works and make coalitions to get things changed. Disruption and change must be win-win, or it will never happen.
2. Design metrics, meet with everyone they impact, then confirm your metrics make sense. Repeat. Don't measure stuff that doesn't actually matter to you and your users.
3. Train, train, train.
