3 Cloud Security Truths For CISOs

As cloud initiatives shift from cost savings efforts to strategic transformations of IT and the business, CISOs are finding that in many ways they need to completely reimagine their security controls to keep up.

"Cloud is fundamentally changing how we manage IT, and in some very good ways. Security has to change with that," says David Etue, vice president of business development for Gemalto. "The big message is we need to step back and think what is our long term security strategy of how do we apply security controls to protect our data in these new environments as the infrastructure changes. One of the biggest challenges of cloud for security folks is cloud is all about sharing. And let's face it, as security people we're not that great at sharing."

"Cloud is fundamentally changing how we manage IT, and in some very good ways. Security has to change with that."

David Etue, VP, Corporate Development Strategy, Identity & Data Protection, Gemalto 

Last month I got a chance to talk with a dozen different speakers in a number of sessions at the RSAC TV studio (check them out here; about half have been posted with more to come in the next few weeks), and during one of them I spoke with Etue in depth about his talk at the show on data governance in the cloud. Clearly, cloud is a bit of Pandora's Box for security, but that doesn't mean that security leaders should give up on the prospect of controlling data as it moves through cloud infrastructure.

"As the ownership of the infrastructure and who manages it changes, data control becomes more challenging," Etue says. "But if we focus and look at some areas that mater, we can make some decisions that can benefit our data."

The following are three key suggestions that Etue believes CISOs and other security leaders should take to heart:

#1 Know What Data Matters And Where It Is
"We've too long tried to protect everything uniformly and protected everything poorly," Etue says.
He believes one of the important ways security is going to stay apace with the volume of cloud transformations going on in the enterprise is by gaining a true understanding of which data sets are most important to the business and prioritizing control and governance of that data.

"We clearly have scarce resources and so trying to protect everything everywhere just doesn't work," he explains. "We should say, 'Here are the 2, 5, 10 or 20 data sets that really matter. How do we focus on those?' And put the right controls in place for those."

#2 Some Of The Least Sexy Fundamentals Count The Most
It might not be sexy, but the field of asset, configuration and change management is very important in this cloudy world.
"If you don't know what you have, how it's configured and how it changes, it's hard to build a lot of reliable security controls on top of that," he says.

He recognizes that a big challenge for CISOs is the fact that configuration and change management is often owned by the ops folks or the CTO. This makes relationship building across IT silos extremely important.

#3 Get Over Our Fear Of SaaS
Many security professionals are scared of software as a service, and to some degree SaaS may have earned that trepidation. But the fact is that many SaaS providers are probably more on top of security than a CISO's in-house team could within that specific application domain.

"I think a lot of software as a service vendors have the opportunity to do security better than we could in our own data centers," he says. "The security team can't be an expert at the application layer of every system in our data center. Take a Salesforce, or a Workday or an Office 365: they can hire talent and do security at the application layer that we could never justify internally."

Of course not every SaaS provider is created equally—the point is that CISOs should approach SaaS evaluation with a more open mind and endeavor to become more embedded in the process of helping line-of-business and other IT groups choose providers wisely.

Ultimately, Etue's message for security folks is that cloud is helping IT pay for "30 years of sins in IT" and finally pay down some technical debt. Even though IT doesn't control the infrastructure, it doesn't mean they can't control the data.