Assessing the Threats in Cloud Security
Shane is a visionary and transformational Information Technology executive with in-depth experience in guiding IT strategic and tactical planning, fostering innovation, prioritizing IT initiatives, and coordinating current and future IT systems within healthcare, education, manufacturing, and banking.
In the ever-changing face of security threats and limited availability of qualified personnel, security teams are overburdened by the need to update and reassess their strategies consistently. Along with heavy security management loads weighing down organizations, their legacy security systems with reduced functionality in the cloud are being overshadowed by the growing challenges of protecting virtual and shared environments, adding to their woes. However, the most significant concern that worries organizational heads is the threats surrounding cloud security and the associated headaches of managing a traditional IT operation in a cloud environment. As enterprises adopt solutions to strengthen their cloud security and address these hurdles, it is necessary that they keep track of where their security budgets are heading.
What are the emerging trends and challenges that you observe in the cloud security landscape?
A key challenge is that organizations are lured into a false sense of security due to the belief that having their IT systems inside the four walls of the organization is a source of strength. Their views on cloud solutions are a bit skewed based on the notion of cloud being a less secure environment. As they are busy worrying about securing the perimeters, this steers them away from the practical questions regarding security that they are supposed to ask their internal security and product teams. What they often forget is that the actual threat landscape exists within the perimeter defenses and not just on the periphery. To meet this challenge, more security professionals are now discussing hybrid IT instead of just cloud.
How is the cloud security landscape changing? How are the latest technologies altering the cloud security space?
Previously, if I had a network team of 10 members and needed to fix a network segment, I would most likely find the gear and network connections set up in multiple ways. Whereas now, with software-defined networking which encapsulates the network, we can automate the networking components, track and work on them, and address issues through programming versus manual touch. Through network automation, for example, I can decide how to configure a remote branch, create and deploy the configuration, and have the configurations saved in version control. These are the kinds of technologies that impact process and probably have some of the greatest impacts on cloud security.
What is the best approach that organizations should follow while implementing new technologies into existing systems?
I most often employ a risk-reward analysis approach while selecting a particular vendor or technology. People often associate a brand name and its presence in the industry as a benchmark for quality and security while choosing a provider in the networking and security space, which may not always be right in the current. Consider the example of Cisco; they have been a premier brand in the networking and security space for decades. Network professionals have a sense of belief that since it is Cisco, the quality and security will be uncompromised when it comes to connecting and defending the data center. In the case of newcomers in the market, these same professionals often do not feel the same as these new players do not enjoy the same brand recognition, respect, or time at market in most cases. What organizations need to keep in mind are the potential differences between Cisco technologies and what others who have built their products from the ground up with cloud in mind bring to the table. A company that has deployed products for decades also has a heap of technical debt to contend with. Newer players in the space are likely to carry less technical debt into their solutions, and the solutions are designed and built with modern multi-tenant infrastructures in mind. Therefore, it is good to use a risk-reward analysis while approaching a new technology so that you can dig past any surface notions that technical teams may have and compare solutions to the current business challenges. Also, investing in a full-scale POC instead of a lab POC will usually surface the technically superior solutions.
What are some of the key metrics that organizations should consider while deciding whether to migrate to the cloud entirely or partially?
One of the major mistakes that organizations make while adopting cloud services is that they view the advantages purely from a cost-cutting sense. As much as I do understand that a certain amount of money can be saved using cloud services correctly, it should not be the sole driver for organizations to employ the technology. While considering migrating to cloud, organizations should look at the benefits that they can derive by using the service other than monetary savings. Is it IT self-service that the company desires? Are they looking for speed and agility, or faster time to value in their IT solutions? Are they on the lookout to transition to a service-based business where they can relieve their back-end staff of the unnecessary tasks so that they can focus on the more important things like end-user experience? I think some of these questions based on the business value proposition should be the motive for organizations to move their functions into cloud and not just potential cost savings.
If the primary reason for the change is cost, the organization could end up picking a losing side without realizing its impacts from an operational standpoint. You cannot operate in the cloud the same way you do from a data center and expect the transition to be cost-effective. Organizations need to understand if the benefits offered by migrating to cloud services are in line with the requirements that they have as a business entity and then finalize their decisions based on value gains.
What are the strategic points that you and the team consider before taking up a project?
Before considering a project, we start off with business value stream mappings. I like obtaining a holistic perspective on the problem that we are trying to solve. We do an analysis of the value stream, the business processes involved and other features to understand the impact that the project can have on the various sections throughout the organization. By analyzing all of these characteristics, the team can weigh organizational impact of doing or not doing a project.
What advice would you like to give your peers and the aspiring leaders who are planning to join the industry?
The single piece of advice that I have for everyone is to surround yourself with people who are both motivated and smarter than you. There is a misconception that being a leader, you have to be the smartest person in the room, always have the answers, and do the work. As a leader, your job is to provide clarity, create an environment that brings those smart people together, and provide resources and clear obstacles that might otherwise prevent them from putting the ideas into motion. Learn from failures and celebrate success.
In the coming years, what do you think will be the disruptions or transformations that the cloud security space will witness unfolding in the future?
When data center virtualization came out years ago, it faced both moderate acceptance and harsh criticism from the industry. However, years later, virtualization in data centers has become an essential part of organizations and their functioning, dropping the word “virtual” when described in conversation. Similarly, in the next five to ten years, cloud and cloud security will be a part of the way we work, losing the word “cloud”. With the passage of time, the tools and associated technologies will also evolve, like how it did for virtualization, and security as a whole will continue to get better as adoption increases.