Three Imperatives for Today’s CISO for Data Center Security: Key Takeaways from Today’s Webcast
This is a follow-up to my post last week that announced this webcast. Today it was a treat to have Richard Noguera as our special guest; he is uniquely qualified to speak on the key imperatives for today’s CISO in the data center. Rich is a youthful InfoSec veteran who has led teams at Yahoo, Symantec and McAfee, has held consulting roles, and is presently at Accenture in a Security and Risk management strategy role. I wanted to provide you access to the slides as well as summarize some of the key points Rich educated us on today.
As a concept, cloud is the one that most interested our audience today. We are seeing heavily virtualized data centers with private clouds, cloud-attached data centers that leverage Infrastructure as a Service (IaaS) facilities for rapid service deployment or capacity management, and hybrid clouds that mix and match based on implementation needs. Most of our customers have embraced one of the above models, so I am going to focus on our imperatives accordingly.
Imperative 1: Enable IT to Play a More Strategic Role
Gartner predicts that, as the market matures, enterprises will increase migration of *mission-critical* functions to *public* cloud services over the next 3-5 years. IT and InfoSec must adapt and consider alternative means to maintain the confidentiality, integrity, and availability of their business services, data, and users. For the ‘extended enterprise’ to operate effectively, then, access control and data exchange between cloud service providers (CSPs) need to be standardized. Organizations should look to implement a Cloud Services Brokerage (CSB) – whether internally or externally, utilizing private/public/hybrid clouds – to accelerate service implementation and integration and to ensure visibility and a cohesive security policy across multiple cloud service providers.
Imperative 2: Business-driven Security and Risk Metrics
In conversations Rich has had with CIOs and CISOs in industry (and in his own experience), operational data is the mainstay of metrics – e.g. network flows, access/authentication traffic, system events, change tickets. Given the distributed ownership of business functions within a cloud-attached data center, the following must also be considered:
(1) Multi-tenant recovery risks – in case of an incident, what is the prioritization of restoration? What is the extent of liability coverage?
(2) Distributed ownership risks – how are the components of any given attack or incident chain resolved? How is remediation managed across CSPs?
(3) Target risks – multi-tenant CSPs inevitably become attack targets, so how are threats/vulnerabilities identified/mitigated/managed? What is reported to the enterprise?
Imperative 3: Balancing Key Technology Investments
Depending on where your data center sits on this spectrum and how progressive your organization is with cloud adoption/migration, any of the following projects are worth considering:
Cloud Service Brokering – Build or implement a self-service provisioning portal for SaaS/PaaS/IaaS platforms, focused on establishing standardized usage profiles based on user roles and data/system access requirements.
Cloud Security Metrics – Build or implement a CSP metrics analysis platform for policy decisions.
Cloud Risk Governance – Establish an executive forum to review CSP compliance and risk.