At RSA 2019, Richard Bird of Ping Identity discussed identity-related security issues and solutions for enterprises.
At RSA 2019, TechRepublic Senior Editor Alison DeNisco Rayome spoke with Ping Identity's Richard Bird about identity-related security issues and solutions for enterprises. The following is an edited transcript.
Alison DeNisco Rayome: So I know a recent Ping Identity study found that security was the top barrier in cloud and SaaS adoption in enterprise IT infrastructures. Can you tell me a little bit about that and some of those top takeaways?
Richard Bird: Sure. Those takeaways really associated well with my own experience. Before I got involved with Security Solutions, I was a customer for about 22 years. I was in corporate America, and kind of came through all of the different aspects of technology development and growth, infrastructure, deployments, that started with building data centers, and then moved to outsourced or co-located data centers. And now we've moved to the cloud, and I think the hesitance around security that we see in cloud adoption is a realization of something that we've all known for a long time. It manifests in data, it manifests in the results that we see around cyber crimes and fraud, which is identity has become an enormous component of the move to the cloud.
And if you go back in history and look at answering a couple of simple questions about identity: are you who you say you are? Are you doing what you're supposed to be doing? Do you have what you're supposed to have? What we find is, is that back in the days when it was all in your data center, we didn't answer that question very well then. Now in the cloud where things are out of our direct control or we're not actually managing those cloud instances with a direct hand, the concern becomes, if I wasn't doing a good job of managing identity on site, now it's in the cloud and I have even less control over it, am I at higher risk relative to somebody not being who they say they are, getting into something that they shouldn't have access to, and doing things that they shouldn't be doing.
And I do think that that is a really large component of people's security concerns relative to cloud migration.
Alison DeNisco Rayome: And what are some other identity-related security concerns that businesses are facing right now?
Richard Bird: Oh, wow, it is such a landscape change in identity from when I started in this particular part of information security. What we see is a bigger and bigger push to not just protect data, but demands to protect identity. That was always an expected quantity inside of companies on our own infrastructures in our own data centers because we needed to protect data and assets of value. But now this is being extended to an expectation for customers that we are doing business with to have securitized access. And this is such a big leap.
It's only come into being in the last couple of years with regulations around data protection and privacy, that we need to once again make sure that that customer is who they say they are, in order to be able to ensure the privacy of that data. And this is causing a tremendous disruption in the marketplace, if not from a solution standpoint, it is definitely causing a disruption relative to thinking about architecture, thinking about how security is designed. We were originally designed to protect assets and we have firewalls and perimeters. And now, we're having to shift that information security architecture focus to people and identities, and that is a big, big change, and it is very challenging for a number of our biggest customers and biggest organizations, not just in the US but around the world to begin to digest and figure out how to solve it.
Alison DeNisco Rayome: And what are some solutions that security practitioners can look to to solve these issues?
Richard Bird: Well, I would say that the identity solution space in particular has been aggressive about addressing the concerns before they've manifested in regulatory demands. So, we don't have yet a regulatory demand that says a customer must, or a company must protect a customer's identity. It will happen. We're seeing the beginnings of this in the European Union and Australia, so it is coming along. But, it doesn't mean that identity solution providers are kind of resting, waiting for that to happen. We're seeing applications of multi-factor authentication as the current most secure form of authentication control being used now with customers, with partners, with vendors, in order to ensure that most important question: are you who you say you are?
Multi-factor authentication doesn't 100% guarantee that today because it is still possible that you can take somebody's device or their authenticator and pretend to be them, but it does make it substantially more difficult. So these are the beginnings of these solution changes. So we really rapidly came through the old style of two-factor authentication, it's something that you have, and something that you know. And that almost became obsolete in-flight. And now we've moved to multi-factor authentication. We're moving to much more aggressive uses of intelligence and monitoring to be able to continuously authenticate users. And that is the solution path that most companies will be adopting over the next two to five years.