I was a panellist at the e-Crime & Cybersecurity Congress last week. The discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond'. What follows is a recap of the points I made.
Cloud is the 'Default Model' for Business
Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes that a successful business continually craves. Indeed, the 'economies of scale' benefits are not just more cost-effective and more agile IT services, but also better cybersecurity (from the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business' cloud migration, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given that the board ultimately owns the cybersecurity risk, which is an operational business risk.
There are security pitfalls with cloud services. The marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure; after all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.
Cloud Security should not be an afterthought
It is essential for security to be baked into a new cloud service's design, requirements determination and procurement process, and in particular for the areas of security responsibility to be defined and documented with the intended cloud service provider.
Cloud does not absolve the business of its security responsibilities
All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibility to define and document:
Cloud Service Provider Owned
Shared (Cloud Service Provider & Business)
Business Owned
For example, with a PaaS model the business is fully responsible for application deployment onto the cloud platform, and therefore for the security of those applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. The example of 'shared' responsibility with this model is the set of processes for providing and managing privileged operating system accounts within the cloud environment.
Regardless of the cloud model, data is always the responsibility of the business.
A "Trust but Verify" approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where those security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within a contract or in a supporting agreement as service deliverables, then oversee the controls and processes through regular assessments.
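The three-way responsibility split and the "trust but verify" rule above can be turned into a simple check that flags where a documented responsibility matrix falls short. This is an added example, not code from the post or any provider; the control names, the contract clause references (SCH-*) and the assessment dates are constructed for the PaaS case described above.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

OWNERS = {"provider", "shared", "business"}


@dataclass
class Control:
    name: str
    owner: str                            # "provider", "shared" or "business"
    contract_ref: str = ""                # clause/SLA id making it a service deliverable
    last_assessed: Optional[date] = None  # date of the most recent oversight assessment


# Constructed PaaS matrix mirroring the post: provider secures the physical,
# network and OS layers; privileged OS accounts are shared; the business owns
# application security and, regardless of model, the data.
PAAS_MATRIX = [
    Control("physical infrastructure", "provider", "SCH-3.1", date(2019, 1, 15)),
    Control("network layer", "provider", "SCH-3.2", date(2019, 1, 15)),
    Control("operating system patching", "provider", "SCH-3.3"),  # never assessed
    Control("privileged OS accounts", "shared"),                  # no contract clause
    Control("application security", "business"),
    Control("customer data", "business"),
]


def find_gaps(matrix: List[Control], today: date, max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Return (control, reason) pairs that break the post's rules: data stays
    business-owned, and anything provider-owned or shared must be a contractual
    deliverable that has been assessed within max_age_days ('trust but verify')."""
    gaps = []
    for c in matrix:
        if c.owner not in OWNERS:
            gaps.append((c.name, f"unknown owner {c.owner!r}"))
            continue
        if "data" in c.name.lower() and c.owner != "business":
            gaps.append((c.name, "data responsibility cannot be transferred to the provider"))
        if c.owner in ("provider", "shared"):
            if not c.contract_ref:
                gaps.append((c.name, "not documented as a contractual deliverable"))
            if c.last_assessed is None or (today - c.last_assessed).days > max_age_days:
                gaps.append((c.name, "no assessment within the agreed period"))
    return gaps


if __name__ == "__main__":
    for name, reason in find_gaps(PAAS_MATRIX, date(2019, 4, 1)):
        print(f"{name}: {reason}")
```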
The cloud security guidance resources I recommended were: