At RSA 2019, Brian Roddy of Cisco discussed what CISOs should include in a cloud security plan.
At RSA 2019, TechRepublic Senior Editor Alison DeNisco Rayome spoke with Brian Roddy of Cisco about what CISOs should include in a cloud security plan. The following is an edited transcript of the interview.
Brian Roddy: It's really interesting, and from a cloud security perspective, as applications have shifted to the cloud, that's had this ripple effect that's impacted just about every way you think about security. It's impacted how you think about application security, perimeter security, branch office security, roaming security, because it's fundamentally changed the way people interact with their networks and with their applications.
The key elements for a cloud security plan: it should start with how you're securing the cloud applications themselves, so making sure you have a deep understanding from a shadow IT perspective, "What applications are people using?" But also, what are the data policies that you're applying to those cloud applications?
But it's more than that. You have to also think about the applications that are deployed in your PaaS and IaaS environment. So you have to think, "How do I secure Amazon and Azure when I use them as my platforms?" But it even goes beyond that when you start to think about, "How is it that I secure the users that are accessing those applications in new ways?" So, for instance, if I have a roaming user on the road connecting to a cloud application, how do I give them consistent security? If I have a branch office that's doing direct internet access, how do I secure those branch offices?
So we like to think about things as a fairly comprehensive strategy that goes everywhere from the application backwards to the people using the applications themselves.
There is a ton of confusion about who owns what aspect of security when it comes to cloud security, because the first thing you're doing is you are offloading and decentralizing control of those cloud-based applications. On the positive side, that means that you are allowing these vendors, that can spend significantly more than you traditionally could, to secure those applications.
You've also decentralized the risks, so if one application is compromised, it won't compromise the rest of the applications. The challenge is that it creates a range of problems that you have to think about application by application. So the CISO needs to think about, "What are the controls that each application vendor is offering, and how can I provide consistent policies across those applications to meet the data and compliance requirements required by my particular business?"
And you also want to think, again, about that end user and how they're accessing the applications, because that shift is a result of what happens to the end user and employees, and those are clearly the CISO's responsibility.
So, to sum it up, think about how you can apply your policies on top of what the cloud security applications provide, and then, on top of that, think about how you can secure the end users accessing them.