Nov 7, 2019
All links and images for this episode can be found on CISO
Series (https://cisoseries.com/defense-in-depth-the-cloud-and-shared-security/)
When your business enters the cloud, you are transferring risk,
but also adding new risk. How do you deal with sharing your
security obligations with cloud vendors?
Check out this LinkedIn post for the basis of this show's
conversation on shared responsibility of security with a digital
transformation to the cloud.
This episode is co-hosted by me, David
Spark (@dspark), the
creator of CISO
Series and Allan
Alford (@AllanAlfordinTX). Our
sponsored guest for this episode is Paul Calatayud
(@paulcatalayud),
CSO for Americas, Palo Alto
Networks.
Thanks to this week’s podcast sponsor, Palo Alto
Networks.
Palo Alto
Networks, the global cybersecurity leader, is shaping the
cloud-centric future with technology that is transforming the way
people and organizations operate. By delivering an integrated
platform and empowering a growing ecosystem of partners, we are at
the forefront of protecting tens of thousands of organizations
across clouds, networks, and mobile devices.
On this episode of Defense in Depth,
you’ll learn:
- You have to have a business reason to go to the cloud. Usually
it's done as a business imperative in order to stay
competitive.
- Security is rarely the primary reason businesses move to the
cloud. It's often an adjunct reason.
- Moving to the cloud may transfer risk, but it also introduces
new risk.
- Security professionals have long avoided the cloud because they
feel they give up perceived control. If I can't see or touch it,
how can I secure it?
- One issue security people need to grapple with during digital
transformation and a move to the cloud is what does it mean to
manage risk when you don't own the program?
- Much of the online discussion was about getting your service
license agreements (SLAs) in place. But if you're a small- to
medium-sized businss (SMB) you're going to have a hard if not
impossible time negotiating.
- Don't lean on SLAs to be your entire risk profile. It's like
using insurance as your only means of security.
- Cloud security requires setting up automation guard rails.
- For cloud evolution you'll need a change in talent and it
probably won't be your traditional network engineers.
- Because of performance, privacy, and data protection issues
you're probably going to find your business moving apps in and out
of the cloud.
- The Cloud Controls Matrix (CCM), from the Cloud Security
Alliance (CSA) is a controls framework designed to help you assess
the risk of a cloud security provider.