By John Wood, CEO & Chairman, Telos Corporation
At the second annual NVTC Capital Cybersecurity Summit, I was privileged to moderate an amazing panel discussion on “The State of Cloud Security and Compliance: Dispelling the Myth of Cloud Insecurity.”
What made it so amazing were the panelists who represented the “Big 3” of cloud providers: Susie Adams, Chief Technology Officer, Microsoft Federal; Matthew O’Connor, Security Program Manager for Google Cloud Platform, Google; and Doug Van Dyke, General Manager, Public Sector, Amazon Web Services.
Yes, these three companies are in fierce competition – but they are also passionate advocates of cloud computing and how it can benefit public and private sector enterprises. That passion really showed throughout our wide-ranging conversation.
During the discussion, the panelists shared why federal agencies, which have been slower than the private sector in adopting cloud computing, despite its advantages in terms of security, cost-effectiveness and capabilities, are now finally picking up the pace on cloud adoption. Our panel noted that NIST Special Publication 800-171, with its emphasis on a common language, has increasingly helped decision-makers better understand the security standards required to operate in the cloud and thus enabled them to make more informed decisions.
Susie Adams of Microsoft stated that “The security paradigm has changed,” because “we are no longer just protecting assets that live behind our firewall…there is now a virtual edge you need to protect.” She added that “Identity is the new firewall, and devices are the new edge.” Another key point Susie made was that, “We are going to need to learn to protect data no matter where it is. If you can make that paradigm shift in your head, then you clearly see cloud providers can give you capabilities you didn’t have before.” I responded by noting that automation is key…it takes the work out of the manual security compliance process and puts it in the hands of the systems.
Currently, some 80 percent of federal IT spending is devoted to maintenance, often of outdated legacy IT systems, which is a massive information security risk. This is compared to 20-something percent for maintenance in much of the commercial sector, where businesses have much more readily adopted the cloud and other such innovative technologies. In our discussion on that issue, Doug Van Dyke of AWS observed that “There is a risk in not adopting these new technologies.” So if enterprises truly want to minimize risk, the cloud should be a means to do so. Susie Adams added that if agencies (and others) are not protecting their infrastructure, they are going to have a breach, and that is “why it’s important for the federal government to take advantage and invest in this new technology.”
Asked to identify what might impede or slow down cloud adoption, Google’s Matt O’Connor named two things – a massive breach that could lead to a more cautious posture vis-à-vis the cloud, and overly burdensome regulation, particularly by other nations. He stressed that governments around the world need to collaborate with, not dictate to, the private sector.
We had a very lively discussion on the responsibilities of customers hosting in the cloud environment. Doug Van Dyke said it is wrong for users to assume that security is someone else’s responsibility in the cloud, which he tied back to educating users. Matt O’Connor summed it up by saying that, in a shared security model, enterprises can look at their cloud security provider as a force multiplier and they should take advantage of what cloud providers have put in place, but they should not neglect their own responsibilities.
We concluded our session with a number of excellent questions from attendees, and Doug Van Dyke summed up the entire discussion best by saying we should mark this date, because we had AWS, Microsoft and Google “all in violent agreement” over the advantages of cloud computing and the need for continued focus on the state of cloud security and compliance.
I agreed with that conclusion – to have business rivals all on the same page is memorable. But cloud security and compliance should be an area where there is strong consensus because they are now so intertwined. And I also believe cloud security providers should explore additional methods to further automate security and compliance processes for their customers.
Here’s a link to the entire session (see video below also). I highly recommend it to anyone exploring a move to the cloud who may have some lingering hesitation. It will be worth your while.