Managing Security and Risk | Straight Talk


Data privacy, security, and risk management are always top of mind for CIOs – and will be important considerations as they increase their use of public cloud resources.

“One of the key learnings of cloud migration is that you are not outsourcing your security model to a cloud provider,” says Rob Krugman, Chief Digital Officer for Broadridge Financial Solutions. “While the cloud provider may be responsible for physical security, you are entirely responsible for securing your services and environment to ensure your solutions are running properly.” 

One challenge is extending an organization’s own security policies, controls and postures to the public cloud platforms. “How do you take all of that and fit it for use in the public cloud, enforce it, and monitor for violations?” says Partha Dutta, Head of Cloud Services and Security Architecture for Veritas Technologies. “To extend the security perimeter of your on-premises and data centers into the public clouds, you have to build your own security stack, integrating with vendor products where available, depending on your workloads.” Because each vendor’s product works in a functional silo, providing solutions for only a sliver of the security pie, it is up to the enterprise to solve for the overall security pie, addressing threats through an end-to-end lens, Dutta says.

Another issue is that each public cloud platform differs somewhat from the others, and all of them differ significantly from data center models. “In a true hybrid environment, you should be able to use and secure enterprise workloads in multiple clouds – from Amazon, from Google, from Microsoft – as in your data center,” says Dutta. “But securing public clouds requires a knowledge base about each of them, as well as an understanding of how the security models of public clouds differ from those of your data center.” For example, the agility and flexibility of public clouds, and in particular the programmable nature of infrastructure as code, could easily open up the environment to the world. Enterprises should be aware of such public cloud functionalities that may violate corporate security policies, Dutta says, and be able to detect and remediate such violations if they occur.
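As an added example, not code from the article or from any of the companies quoted, here is a small policy-as-code check of the kind Dutta describes: it reads a Terraform plan in its JSON form and flags security-group ingress rules that are open to the whole internet on ports the corporate policy does not permit. The plan document, the resource names and the allowed-ports policy are all constructed for this example.

```python
"""Detect world-open ingress rules in a Terraform plan before they reach the cloud."""
import json

# Constructed sample plan. The shape mirrors `terraform show -json` output
# (planned_values.root_module.resources), trimmed to the fields the check reads.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
    ]}}})

WORLD = {"0.0.0.0/0", "::/0"}
# Assumed corporate policy for this example: only HTTP/HTTPS may be world-reachable.
ALLOWED_PUBLIC_PORTS = {80, 443}


def world_open_ingress(plan_json: str) -> list[dict]:
    """Return every ingress rule reachable from the internet on a disallowed port.

    Only the root module is walked; a production check would also descend into
    planned_values.root_module.child_modules.
    """
    plan = json.loads(plan_json)
    findings = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res.get("type") != "aws_security_group":
            continue
        for rule in res.get("values", {}).get("ingress", []):
            cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            if not cidrs & WORLD:
                continue  # restricted to private ranges, not a policy violation
            lo, hi = rule["from_port"], rule["to_port"]
            # protocol "-1" is the AWS "all traffic" rule: every port is exposed
            ports = range(0, 65536) if rule.get("protocol") == "-1" else range(lo, hi + 1)
            if any(p not in ALLOWED_PUBLIC_PORTS for p in ports):
                findings.append({"address": res["address"], "from_port": lo,
                                 "to_port": hi, "protocol": rule.get("protocol")})
    return findings


if __name__ == "__main__":
    for f in world_open_ingress(SAMPLE_PLAN):
        print(f"VIOLATION {f['address']}: {f['protocol']} {f['from_port']}-{f['to_port']} open to the world")
```

Run in CI against `terraform show -json plan.out`, a non-empty result blocks the apply and the finding points at the exact resource to fix.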

Yuri Misnik, Executive General Manager and CIO at the National Australia Bank, agrees that security and data protection are top of mind. His cloud-first organization is piggybacking on the investments its major cloud partners are making in this area to deliver better and more efficient security tools. 


Another concern is the concentration of risk. “Australia has four major banks with nearly 90 percent of the market. If all use AWS [Amazon Web Services] in Australia, that’s a systemic risk,” Misnik says. “We have to think about how we address that, probably through the use of multiple cloud providers.” 

Guardian Life Insurance EVP, CIO, and Head of Enterprise Shared Services Dean Del Vecchio says the company’s primary cloud partner, AWS, has helped the company enhance security and compliance. However, the insurance company is assessing the need for cloud data bunkers in the future. “As we get more mature and go further down this road, we’ll explore things like that which add a third layer of resiliency,” he says.