Stop ignoring hybrid cloud security risks
Karen Roby talks with Ping Identity security expert about safeguarding the enterprise in a hybrid IT world.
Security for the enterprise is challenging, and it’s a broad issue with no sure-fire answers. But when it comes to humans and security, it’s never easy. Karen Roby talked with Richard Bird, a security expert with Ping Identity, about the enterprise. The following is an edited transcript of their interview.
Richard Bird: One of the most different things for people to hear and people being executives and boards of directors and investors, one of the most difficult things for them to hear is what most information security organizations and executive suites within the companies that they’re following are not sharing, which is, we’re not doing really well on information security. Historically, we didn’t do really well on information security. There was a big historical curve or an upward swing that was going through the 80s, 90s, around information security breaches. They were all related to these hard parameters that we built. People were launching massive denial-of-service attacks and everything was about trying to bring us down.
That landscape shifted, and that hockey stick dove around the 2008-ish, 2009-ish mark, where breaches came down dramatically. And the very next year they spiked. When you look at the history of this, from an enterprise security standpoint, this is really when malware and all of the actions and activities by bad actors to try and get inside of the organization without being discovered. And then using all of these accesses and credentials to break into everything without being monitored because they look like somebody that was supposed to be inside of the systems. That’s when that actually happened. And since that happened in the 2009-ish timeframe, that hockey stick over the last 10 years, has been enormous in terms of breaches and exploits. And it’s accelerating and the breaches are getting more catastrophic.
When we look at why, it’s because the information security models that we built, were built to keep everybody on the outside out. And there is no more outside anymore. Speaking with companies that are really thinking ahead, they’re talking about a world where there’s no perimeter. That is really an earth-shaking premise because what they’re saying is, is that we’re going to be able to use things like identity access control to be able to make sure that you are who you say you are, and we’re going to be able to run applications in the public cloud. Or we’re going to be able to run applications anywhere that we want to on the edge, and we won’t have to worry about all of these physical defenses.
Karen Roby: Let’s talk more about the hybrid IT world. As we’re finding out when it comes to security issues and involving the cloud now, what’s old is new again.
Richard Bird: When we think about security in the hybrid IT world, we never ever, ever, ever talk about is the propagations of the old habits and bad habits and bad designs that we had on our own sites, that’s now manifesting in the cloud. We never talk about them because we’ve just said everything’s going to the cloud. And one of the things that I find fascinating is that when you talk about cloud services, the conversation starts with, it will be easier to maintain, it’ll reduce your capital expenditures, your operating expenses will be easier to manage. All these different benefits, but there’s not a single person that ever goes to the cloud because the cloud provider said, “And if you move to us, it’ll be more secure than if you manage it yourself.” Because nobody’s making those types of security assurity statements out in the marketplace because it really almost logically can’t be better than what it is on a well-managed on-premise infrastructure site.
SEE: Hybrid cloud: A guide for IT pros (TechRepublic download)
The way that I like to do this from an analogy standpoint is I say that for most companies, their information security organizations have been grossly underfunded, grossly under-resourced, heavily demanded in terms of their available capacity. And when we think about that enterprise security model, it looks like a rowboat, and everybody is trying to bail water out of it as fast as they can. And a good information security organization is getting that boat almost down to the wet hull on a regular basis. But now we think about the cloud and the representation of risk from a hybrid IT standpoint, and you just took that rowboat and you just added yourself to a cruise ship, and all of the different companies that are within that cruise ship. And all of that is great again until the Italian sea captain gets drunk at the wheel and puts it up against the rocks.
We’ve seen those types of outcomes. And it’s a fair analogy because there are security safeguards, protocols, checklists, all the same things that we see in the digital, and we have to be very, very concerned that because of where we’re at with the maturity of hybrid infrastructure, that we’re preparing ourselves for the inevitable issues that we’re going to find where things break exactly like they used to break on-prem. People make mistakes exactly like they used to make on-prem. And be prepared for the possibility of the consequences of those types of breaches or issues will be larger because it’s now more than just me.