Our elite Power Panel includes business and technology experts who will share their seasoned perspectives.
Join our #Tweetchat "Cloud Security: Cloud 9 or a cloudy forecast?" on 17th March '21 at 11 AM EDT to get #STinsights from the panel on why companies are hesitant to move to the cloud. Click https://t.co/YNHQjAI6N9 to save the date. #OneHCL pic.twitter.com/T1tY5I42cq
— hcltech (@hcltech) March 17, 2021
We start with how business leaders need to tackle the challenge of migrating to the cloud.
We have an amazing panel with us for the #Tweetchat "Cloud Security: Cloud 9 or a cloudy forecast?" on 17th Mar | 11 AM EDT. Click https://t.co/bveeCszZcy to save the date. #OneHCL #STinsights @BillMew @anton_chuvakin @imoyse @MarcWilczek @mdkail @ntsyam @DigitalSecArch pic.twitter.com/kHUHKeX443
— CIO Straight Talk (@CIOStraightTalk) March 16, 2021
Coherency and ease of use are key drivers for any security policy for any cloud migration initiative.
We are going live with the #Tweetchat. Here's the 1st question. #STinsights #OneHCL pic.twitter.com/I5hgTmOoUl
— CIO Straight Talk (@CIOStraightTalk) March 17, 2021
Hi @CIOStraightTalk #OneHCL #STinsights. There are several important ones, but 5 key factors are a must: Reliable Cloud Provider(s), Security, Migration KPI/Baseline, Cost with Cloud Assessments.
— Syam Thommandru (@ntsyam) March 17, 2021
Great point @ntsyam - the #measurement is key to #automation. A key rotation with #cloud deployment has to be better instrumentation and consumption of the data that gets created on #health and #risk. #STInsights #OneHCL https://t.co/2zqmGjogeg
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Hi @ntsyam, besides the key factors that you have shared, what are a few must-have considerations for each cloud security capability? #STinsights @CIOStraightTalk @BillMew @anton_chuvakin @MarcWilczek @mdkail @imoyse
— Chhaya Rathi (@RathiChhaya) March 17, 2021
Valid question @RathiChhaya. Shortlisting a list of access controls and data security controls, in addition to the available migration documentation. #STinsights @CIOStraightTalk @BillMew @anton_chuvakin @MarcWilczek @mdkail @imoyse
— Syam Thommandru (@ntsyam) March 17, 2021
A1. Migrating to cloud is a change of tech, process, data structure and policy and involves people changing and accepting both at user and LOB @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
Reality check (2/2): Instead of building, and having to administer, point solutions, savvy CIOs and CISOs should consider how to enforce their security policies in a coherent fashion across all workloads and applications irrespective of where they reside. #STinsights #OneHCL #CIO
— Marc Wilczek (@MarcWilczek) March 17, 2021
Application-Aware #Security #STinsights #OneHCL https://t.co/3li3YkgBVW
— mike d. kail (@mdkail) March 17, 2021
Interesting points! Do you think organizations should extend existing security products, or is augmenting with new ones a better idea? @mdkail @MarcWilczek #STinsights #OneHCL #CloudComputing https://t.co/IYh26iE2vj
— Apoorva Agarwal (@Apoorva_Ag) March 17, 2021
Across @Microsoft customers - a recent #security survey indicated that while the #security budget hasn't been as greatly affected during #COVID as expected, nearly all security teams are being pressured to simplify operations. #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Esp. w/ most #security teams working from home, corporate LAN/VPN access can turn into a bottleneck. If the VPN servers are under attack, the admins might suddenly find themselves locked out. That's an interesting scenario, when trying to respond to an ongoing incident.
— Marc Wilczek (@MarcWilczek) March 17, 2021
Cloud has driven innovation not only in itself but in surrounding sectors such as management and security. Many new security offerings were born in the #cloud and utilise cloud to bring greater protection @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
We're operating in a fast-paced environment. What was good 3 or 5 years ago is potentially no longer adequate to fend off threats. We've seen this time and again, esp. when it comes to everything that is hardware related.
— Marc Wilczek (@MarcWilczek) March 17, 2021
Which means:
- #identity inspection
- #application discovery
- #data visibility
- #audit review
Across clouds, across applications, across business units. #STInsights #OneHCL https://t.co/BD18NltcQu
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Agreed, but not so easy for the average-size business to address - enterprise, yes - but remember the majority of business entities are small to mid-size firms #cloudforall @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
It doesn't have to be #hard. Did you know fighting a forest fire uses the same incident command system in the US as a local house fire? It's about scale - the power of #cloud gives you the leverage to get #identity, #analytics, #ML and more in your security team. #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Cloud-based computing needs cloud-based defense. While some of the natively incorporated #security features might be sufficient for test & dev scenarios, end users—esp. in regulated industries—should consider upgrading their capabilities by adding an additional security layer on top.
— Marc Wilczek (@MarcWilczek) March 17, 2021
Indeed. Choosing and establishing cloud-based defense makes the foundational baseline for a successful cloud migration with added security controls. @CIOStraightTalk #OneHCL #STinsights
— Syam Thommandru (@ntsyam) March 17, 2021
A1. Cloud has many strong benefits to bring, but is not right for every use case, for every business every time. What solution ever was? @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
For many organizations, #Cloud is part of the #delivery answer - but that requires intentional #design. It enables some tech otherwise inaccessible to SMB/SMC #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A1: Don’t forget to look beyond a company’s current solutions for their journey to the cloud. It is important that this transition goes smoothly for sure, but a cloud model allows companies to change architecture as programs and initiatives evolve. #STinsights #OneHCL
— Andrew Nebus (@AndrewNebus) March 17, 2021
I love this point @AndrewNebus - #cloud isn't buying into today - it's buying into the 1 to 3 year roadmap. The release and update cadence, the future vision. Evaluate vendor vision on #security and #operations. #STInsights #oneHCL https://t.co/g9LrnqzRWL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
#STinsights this is of course valid advice but it sounds too much of a "should" - how can cloud providers help people who just don't follow this advice?
— Dr. Anton Chuvakin (@anton_chuvakin) March 17, 2021
Fair point - when you look at #Azure and @Microsoft, we invest in roadmap, with account level tech resources and FastTrack program for @Microsoft365 and @Azure. The team at @awscloud has similar program. @googlecloud getting there too. https://t.co/uY9FFeBMMJ #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
First, what is the business case for cloud? How will teams behave & collaborate differently in the cloud era? What direct & indirect benefits will the customer accrue?
A customer experience centric cloud migration has a higher chance of success than if it's an internal initiative.
— Kalyan Chatrathi (@chvkalyan) March 17, 2021
A1: 1. Cloud isn't as straightforward a solution as it is often said to be, i.e. it's not a Plug 'n' Play product, even though it might seem so at first.
2. Security is a shared responsibility b/w vendor and client.
3. It's a change of culture, not just infrastructure. #STinsights
— Moin Shaikh (@moingshaikh) March 17, 2021
A1: Indeed 'commodity #cloud' that is plug and play, portable/interoperable and much the same from all vendors is a myth - always has been @CIOStraightTalk #OneHCL #Cloud #Security #STinsights https://t.co/ifyi2OIrhi
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
A1: That performance and resiliency doesn't come "for free". One needs a proper infra deployment and s/w architecture that utilizes the elastic benefits of #cloud #STinsights #OneHCL
— mike d. kail (@mdkail) March 17, 2021
Bingo! As always @mdkail helps - it's not just plugging into new servers "over there", it's about revisiting how your app is structured and why. #STinsights #OneHCL https://t.co/kvqQEzQkRo
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Great point on resiliency. As an NFR, I doubt many non-leader orgs spend investment & engineering bandwidth dedicated to resiliency. Stress testing their platform/applications against increasingly new variables should become a tool in every CIO's toolkit.
— Kalyan Chatrathi (@chvkalyan) March 17, 2021
Reality check (1/2): Most comps operate in a diversified IT landscape incl. hybrid & public #cloud deployments. There’s no such thing as a single cloud. With that in mind, enterprises need to consider how to ensure a consistent security architecture across their entire IT estate.
— Marc Wilczek (@MarcWilczek) March 17, 2021
A1: The Cloud doesn't save you from your responsibility so outsource to somebody else's computers only services that need to be Internet facing, buy all the extra security services, buy geographical DR, replicate data on your local servers, employ and train good techies.
— Paolo Vecchi (@Vecchi_Paolo) March 17, 2021
#CloudComputing is a shared responsibility model. While physical security is up to the #Cloud Provider, other key aspects such as data security, access and identity management remain in the realm of the end user. #OneHCL #STinsights #CISO
— Marc Wilczek (@MarcWilczek) March 17, 2021
Absolutely - as #security leaders, the organization needs to make sure #policy and #standard set the guiderails for who does what. The #serviceprovider model of IT in the #cloud age includes guiding and growing other units to be generally safe consumers. #OneHCL #STInsights https://t.co/XwHDlHLH4c
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A1. That it's not all self-provisioning, click a button and go - #cloud has been oversold as a panacea for too long @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
Absolutely - you don't get to #visibility and #automation and #orchestration by just clicking a button. #STInsights #OneHCL https://t.co/kgA5HxrQc3
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A1: As I sometimes say, some people migrated systems to the cloud (lift/shift), but did not migrate their thinking. Cloud migration is a lot about practice change, not server location.
— Dr. Anton Chuvakin (@anton_chuvakin) March 17, 2021
Colocation is the new cloud?
— Vic (@cisovic) March 17, 2021
A1: The #cloud migration is not just a technology delivery shift - it's an #operations and #culture shift as well. #STinsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A1 (Cont): Part of that #culture shift has to be bringing the focus of #IT team on holistic #business goals - which include #security as non functional req. #STinsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A1: who do we blame for the fact that #cloud has been over-sold?
The vendors - well they over-sell everything anyway
Or the Clients - they should know better by now
@CIOStraightTalk #OneHCL #Cloud #Security #STinsights https://t.co/n3td52KOyQ
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
The #Marketing - it's not just the #vendors, it's #press, and momentum. #Cloud solves a lot of things - early #ML and #AI adoption was a key case. It doesn't solve everything and without re-architecture can be more expensive. #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A1: all the hype was about savings, but the reality is that a lift and shift approach won't gain you much in the way of savings.
You need to re-engineer apps for #cloudnative architectures and with #cloud #security in mind to gain benefits and be secure #OneHCL #STinsights https://t.co/rxeOg8fBSZ
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
Next, the panel tackles the tough issue of the tradeoffs between security and efficiency.
This is absolutely true - lift and shift was an antipattern from wave 1: Dark to #cloud. It's application rationalization and #serverless that drive cloud efficiency and capability integration. Including #security #automation. #STInsights #OneHCL https://t.co/lv2nvo6wrf pic.twitter.com/AKyLx1qmvZ
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Bad news travels fast and in the face of increasing scrutiny, it's imperative to drive security as an efficiency enabler.
Join in the conversation using #STinsights #OneHCL #Tweetchat. And our second question is: pic.twitter.com/jrR2sXS9Xe
— CIO Straight Talk (@CIOStraightTalk) March 17, 2021
A2. There were security issues pre-cloud, but they didn't get as much news & we were not as connected then so the breadth of impact affected less people then! @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
A2: it is not just the move to #cloud that has made #cyberattacks more common and frequently reported - this came with #GDPR reporting requirements as well as an increase in threats, not all of which were cloud related @CIOStraightTalk #OneHCL #Cloud #Security #STinsights https://t.co/4QtvN3MZBT
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
Early days of cloud adoption had many myths about #Cybersecurity challenges. With abundant maturity in place and rapid growth in cloud with the right people skills, Cloud has become the new norm for enterprises. #STinsights #OneHCL @CIOStraightTalk #cloudsecurity #CyberSecuritywithHCL
— Syam Thommandru (@ntsyam) March 17, 2021
A2. Customers using cloud, including consumers assume too much - #1 is assuming all clouds are born equal - they are not - as with anything some are better than others #diligence @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
Selecting #cloud has to take into account available company #capabilities - for example getting full value from @googlecloud means knowing what #SRE is and having people who can do it. Or a plan to get there. Once there, it's super powerful. #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A2. The majority of the B2B market is smaller firms who do not have security experts, but want and deserve to benefit from cloud compute. If you don't know the right questions to ask, and how to challenge the answers !!! @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
One thing that I have appreciated - both @Microsoft and @awscloud have invested heavily in making #SMB/#SMC level architectures and well-architected review tools available. Doesn't solve everything, but helps smaller companies. #STInsights #OneHCL https://t.co/0rvRYucwR1
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A2: Shared as it always was with providers & supply chain, but cloud software providers can also be light years better at this shared security model. Cloud native providers are generally better to engage with!
Most of the broad security concerns are FUD. #STinsights #OneHCL
— Andrew Nebus (@AndrewNebus) March 17, 2021
Compared with most legacy data centers, moving to the #cloud is typically a #Cybersecurity booster. I'm not sure whether there's a tradeoff between efficiency vs. security, it's often more UX vs. security—which is not related to the cloud. This question is as old as Methuselah.
— Marc Wilczek (@MarcWilczek) March 17, 2021
Well, valid point made @MarcWilczek. Efficiency and security go hand in hand for the success of cloud adoption #STinsights #OneHCL @CIOStraightTalk #cloudsecurity #CyberSecuritywithHCL
— Syam Thommandru (@ntsyam) March 17, 2021
Does your organization know what #success looks like for #deployment velocity? A lot of first and second generation #cloud definitions were "get tech deployed over there". #Business outcomes are more complex than that. #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A2. We can appreciate why there is so much concern over cloud re security. What gets the press; the negative data leak stories, not the greater breadth who remain secure and robust! @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
A great point - many aspects of #cloud enhance the available capability within the provider or around the provider. #CWPP from @Gartner_inc seems to have fallen out of popularity but #inspection and #instrumentation is key to overcoming config vulnerability. #STInsights #OneHCL https://t.co/NmoKjvXBLt
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A2. Cloud providers try to do a good job at protecting their own networks/services and they are not always succeeding. If you put your own workloads on the Cloud you are responsible for monitoring, patching and protecting them as if they were on-premises. #STinsights #OneHCL
— Paolo Vecchi (@Vecchi_Paolo) March 17, 2021
#STinsights Instead of answering I'd add to the question: what is the best advice for people who destroy cloud efficiencies by bringing too much of their on-prem tools and practices?
— Dr. Anton Chuvakin (@anton_chuvakin) March 17, 2021
Consider: Fire the #CIO who did this.
The bigger rotation in #cloud is the #culture, not the #tech. If they missed this, if they aren't part of the biz, if they aren't leading the people, that's a huge red flag. #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Perhaps I'd ask the provocative question whether they'd consider trying to cross the Atlantic in a paddleboat, too? It might work but I wouldn't recommend trying.
— Marc Wilczek (@MarcWilczek) March 17, 2021
"re-factor" your thinking or move back to hugging your on-prem servers
— mike d. kail (@mdkail) March 17, 2021
A2: Most #cloud #security concerns arise from FUD. Need to explain the shift from network perimeter security to identity and application aware security leveraging programmatic cloud constructs #STinsights #OneHCL
— mike d. kail (@mdkail) March 17, 2021
For Enterprise, making cloud with enabled security is important. This can happen with Privacy by Design, Shared Security & responsibilities, with control and visibility makes #STinsights #OneHCL @CIOStraightTalk #cloudsecurity #CyberSecuritywithHCL
— Syam Thommandru (@ntsyam) March 17, 2021
A2: Part of the organization needs to be #velocity by integrating capabilities into the team. Just as #CICD has ops integrated, #security is there too. #STinsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A key opportunity for many organizations is 1) MVP #design stage #architecture review with #security and 2) #automation of #security testing. #STinsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
I've unfortunately seen a lot of "lift and shift" approaches leveraging firewall appliances and the like. This eventually gets refactored #STinsights #OneHCL https://t.co/M5wGVWNKQN
— mike d. kail (@mdkail) March 17, 2021
Incidentally #cloud means that modern #cultural and #development rotation means making sure that #security is an iterative review and adapt activity - not a static deploy. #STinsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A2: many #SMBs are like rabbits in the headlights - seeing so many #cyberattack headlines
They think that there's little they can do and see #cyberinsurance as a soln. It isn't
Don't confuse cyber insurance with cybersecurity https://t.co/0nF1hg3tOa #OneHCL #STinsights https://t.co/pk8Ru98lBi
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
Many clients were expecting that the Cloud is a magic place where everything is cheap and safe.
Add to the order form a checkbox saying "I understand that by buying this cheap service I may lose all my data" and add the various DR/backup options.
— Paolo Vecchi (@Vecchi_Paolo) March 17, 2021
A4: What's the matter?
Don't you believe in magic? or #cloud SLAs? @CIOStraightTalk #OneHCL #IncidentResponse #Security #STinsights https://t.co/NxgNDpeWEJ
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
No. #magic in the #cloud is when design, deployment, effective #people support and #customer experience come together to deliver transformative experience by hard work and intent. Anything else is #marketing or slop. #STInsights #OneHCL https://t.co/8PDqYh9LAI pic.twitter.com/SbR1bDYo49
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Absolutely. Even small companies can have basic discussions on #risk - what's the impact to the company if the e-com front is down? If the impact of it is "fatal" then it makes sense to ask how do I avoid that in #cloud? #STInsights #OneHCL https://t.co/5A1WbMwG8q
— Wayne Anderson (@DigitalSecArch) March 17, 2021
And this is where we dive in deep on the different perspectives defining zero-trust.
I think sometimes in #security when we talk about #risk - we do so in a formal ISO31000 adapted to ISO27005 adapted to FAIR Institute valuation... etc. Can be simpler - what can I think of that happens? How do we decide to protect against that in #cloud or not? #STInsights
— Wayne Anderson (@DigitalSecArch) March 17, 2021
As the cloud opens up more possibilities, it also lets in new dangers, and ensuring water-tight security is rooted within zero-trust.
Time for our third question. Keep the questions coming! Join the conversation using #STinsights #Tweetchat #OneHCL pic.twitter.com/eeUe6MijEy
— CIO Straight Talk (@CIOStraightTalk) March 17, 2021
A3. the greater you apply zero trust the more potential impact you have on usability for those whom you do want to gain access @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
A3. It is not so different to the non-cloud world, excepting the argument that the more accessible via #cloud you make a system, the more you open yourselves to the attack vector @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
A3: #Cloud is the perfect environment to implement #ZeroTrust due to lack of defined network perimeter and a #security context around identities and applications. Both #AuthN and #AuthZ are important here #STinsights #OneHCL
— mike d. kail (@mdkail) March 17, 2021
100% #ZeroTrust is not just about "do I approve this access at this time" - it's also about post inspection: does the pattern fit intended access? Have to instrument #identity and #data access patterns to do that. #STinsights #OneHCL https://t.co/YCrR850lpA
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Great thought! @mdkail What are your recommendations to manage risks and align to the goals of the business? #STinsights #OneHCL
— Chhaya Rathi (@RathiChhaya) March 17, 2021
With many workloads moving to cloud, #ZeroTrust is becoming an efficient way of providing common usability within the Cloud. @CIOStraightTalk #STinsights #OneHCL #CyberSecuritywithHCL
— Syam Thommandru (@ntsyam) March 17, 2021
Zero trust in cloud means securing Workforce, Workload, and Workplace.
Workforce = users and devices.
Workload = data, apps, servers etc.
Workplace = Network. #STinsights #OneHCL pic.twitter.com/uST1cFacuI
— Moin Shaikh (@moingshaikh) March 17, 2021
Zero Trust is an IT security model that eliminates the notion of trust to protect networks, applications and data. It can be termed Trust-as-a-service. This makes for an effective way of #CyberSecurity. @CIOStraightTalk #OneHCL #STinsights #CyberSecuritywithHCL
— Syam Thommandru (@ntsyam) March 17, 2021
It's effectively a paradigm shift. Everything is a potential threat. No access to data and resources until the users can be properly authenticated and their access authorized. In essence, a zero trust architecture allows a user full access but only to the bare minimum needed.
— Marc Wilczek (@MarcWilczek) March 17, 2021
A3. In the Cloud everyone is trying to get to your data. While on-premises you may kind of air-gap some bits of your networks and workloads, on the Cloud you can presume that everything is or will be compromised.
Encrypt all things! (and keep the encryption keys off-Cloud)
— Paolo Vecchi (@Vecchi_Paolo) March 17, 2021
A3: Zero Trust in cloud means that you have a chance to apply true zero trust principles from the lowest to highest parts of the 'stack' (from network segmentation to user segmentation) but it's still almost impossible to do for legacy apps / lifted & shifted.
— Christian Reilly (@reillyusa) March 17, 2021
A3: The #Trust level of #security is historically low - #zerotrust means examining everything for #context - does this request fit the business? #STinsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
#StInsights #OneHCL https://t.co/Z6z3USWmZX
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A3: In a #cyberattack #compliance checklists and #ISO27001 certification count for nothing
A decent #ZeroTrust implementation and #RAPTOR #IncidentResponse however could well save you https://t.co/ZJqAjvTZRC @CIOStraightTalk #OneHCL @ItKlaatu #Security #STinsights https://t.co/J0Vhum6zMy pic.twitter.com/TcjaYbLS5n
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
The #ISO27001 process can help you prepare for the things that defend - but shifting thinking for how you treat #risk is key - what did you assume? #ZeroTrust is about challenging those assumptions in #cloud models. #STInsights #OneHCL #CyberSecurity https://t.co/MXx4SCzLKP
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A3: there are many clients with private #cloud solutions with their own workloads that found that they had no #backups or #disasterrecovery support following the Strasburg #datacenter fire @CIOStraightTalk #OneHCL @ItKlaatu #Security #STinsights https://t.co/O5bAqb3w5d
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
A3: there is a balance to be had here
Too much friction in a #ZeroTrust setup and usability suffers
Too little friction and #cybersecurity is compromised
Goldilocks solution is just enough friction to stop attackers, without hitting productivity #OneHCL #STinsights https://t.co/o1yN2znzwp
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
Next, the panel discusses the immense value cloud brings in times of major disruptions and secures operations for the future.
Great point @BillMew - Ultimately #ZeroTrust means getting away from our reliance on #network segment and #identity source to a more holistic determination of #cloud access. Hopefully LESS friction at scale! #STinsights #OneHCL https://t.co/EzCQg4gwau
— Wayne Anderson (@DigitalSecArch) March 17, 2021
While the cloud can play a key role, it's always good practice to augment its recovery capabilities with third-party services.
A big shoutout to everyone on our panel. Here's our fourth question. Join the conversation using #STinsights #Tweetchat #OneHCL pic.twitter.com/r34lqVVW4m
— CIO Straight Talk (@CIOStraightTalk) March 17, 2021
A4: The DR/BCP model shifts from Active/Passive "sites" relying on latent data replication to #cloud architectural patterns using multi-region and multi-AZ in order to greatly improve resiliency. TL;DR - recovery shifts to resiliency #STinsights #OneHCL
— mike d. kail (@mdkail) March 17, 2021
Indeed. As cloud adoption grows by providing cost-efficient and scalable methods of computing for IT infra, apps, and data, it's most likely to become an increasingly popular option for enterprise disaster recovery #CyberSecuritywithHCL @CIOStraightTalk #OneHCL #STinsights
— Syam Thommandru (@ntsyam) March 17, 2021
A4. Cloud providers bring greater investment than the average business can afford. DIY needs server, failover server, UPS, backups, security patches, management & security S/W etc with SaaS this is bundled & costs shared across multitenant customers #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
Most organizations benefit from cloud-based business continuity programs, even in remote locations, with reduced costs, rapid response and ready accessibility. @CIOStraightTalk #OneHCL #STinsights #CyberSecuritywithHCL
— Syam Thommandru (@ntsyam) March 17, 2021
Adding to which - multi-region deployment was super expensive in pre-#Cloud era. Think even with the app service provider model or v-instance rentals. Very inexpensive to keep replicated data and "dehydrated" instances in second location today. #STInsights #OneHCL https://t.co/Rc7w5IxzH5
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A4. However it is key that diligence is done on the cloud provider as all are NOT born equal or as resilient @CIOStraightTalk #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
However, while many of the capabilities natively available in the various clouds might suffice for test & dev purposes, when it comes to mission-critical apps or services, end-users may want to enhance their cyber-resilience by adding 3rd party services to harden their workloads.
— Marc Wilczek (@MarcWilczek) March 17, 2021
If conceptualized well from the ground up, the #cloud can boost existing BC & DR levels—think geo redundancy and Tier 4 data centers. Yet, as said before, there's an awful lot of weight on the user's shoulders to get it right—from the very bottom all the way up to OSI layer 7.
— Marc Wilczek (@MarcWilczek) March 17, 2021
A4: (1/2) #Resilience has been a watchword of 2020 into this year. Using #cloud means de-linking from some physical delivery infrastructure #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A4: (2/2) Part of #Resilience is doing effective #SRE - which can mean making sure that your #application approach has #scale that #cloud enables. #STInsights #OneHCL
— Wayne Anderson (@DigitalSecArch) March 17, 2021
Absolutely, @BillMew is absolutely right. Do you know how your #SLA is calculated? Does it require multiple resources in a set? A certain tech required? Multi-region deployment? Did your app do that? How did you decide yes/no? #STInsights #OneHCL https://t.co/q3zMB0kz7P pic.twitter.com/F2s7PvKbBs
— Wayne Anderson (@DigitalSecArch) March 17, 2021
And finally, we close the discussion with our panel explaining the proactive, defensive capabilities within the cloud environment.
SLA, DR, BC etc. are also all relevant to the application need - for example you might accept lower SLAs etc. and costs for a less than critical system and want higher for a critical application. e.g. who asks what tiering of DC their cloud provider uses! #STinsights #OneHCL
— Ian Moyse #cloud (@imoyse) March 17, 2021
True security begins with individuals and is magnified when supported by a workplace that is driven and enabled by clear security policies, governance, and tools.
Here's our final formal question to the panel. Keep shooting YOUR questions using #STinsights #OneHCL #Tweetchat @BillMew @anton_chuvakin @imoyse @MarcWilczek @mdkail @ntsyam @DigitalSecArch pic.twitter.com/IpI4goDrpP
— CIO Straight Talk (@CIOStraightTalk) March 17, 2021
A5 #STinsights One new idea I wanted to add to this part is: how can we transcend shared responsibility into something like shared fate?
— Dr. Anton Chuvakin (@anton_chuvakin) March 17, 2021
There are many clients of the Strasbourg datacentre that shared the same fate, ditto with @Solarwinds clients and @Microsoft Exchange ones too - it's not always a good thing @CIOStraightTalk #OneHCL #Security #STinsights https://t.co/qIsuJmEmPA
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
A5 #STinsights Too many cloud users seem to trip over some shared responsibility characteristics, such as controls that are inherently joint. "I thought they are doing this one" So perhaps a better model can be invented?
— Dr. Anton Chuvakin (@anton_chuvakin) March 17, 2021
One such way is to look at best practices followed in Traditional Hybrid Datacenter controls and adapt them towards benefiting the cloud @CIOStraightTalk #OneHCL #STinsights
— Syam Thommandru (@ntsyam) March 17, 2021
A5. Do not assume that #cloud security is the sole responsibility of your provider - you remain the #datacontroller - it is your role to ensure adequate protection for the data you hold, a bad cloud provider error does not admonish you from responsibility. #STinsights #OneHCL
— ??? ????? #cloud (@imoyse) March 17, 2021
I find it interesting how many folks don't realize that the cloud provider does not have anything to do with YOUR cloud security. YOU are responsible for it all and you have to plan for it throughout the process. Review and revise continually. #gigamon #Hawk
— Jim Mandelbaum (@Jmandelbaum) March 17, 2021
Well, this sounds painfully obvious, but I think that enough people still don't get it. This to me means that the approach has to change, so perhaps to this: https://t.co/TlHIIq4gWV
— Dr. Anton Chuvakin (@anton_chuvakin) March 17, 2021
In your post you mention that you have to choose a security focus or a cloud focus? I still think it's on us to manage the security, period. Implement visibility at the core of the flows and you will see all the data so you take ownership. #cloud #gigamon #hawk
— Jim Mandelbaum (@Jmandelbaum) March 17, 2021
Hmmm, not sure I mentioned a choice between cloud and security, but I did say that we can do better than shared responsibility model, perhaps.
— Dr. Anton Chuvakin (@anton_chuvakin) March 17, 2021
A5: Start with visibility into #cloud infrastructure assets, then apply standards and repeatable #security constructs that are part of an overall #DevSecOps culture. Then ensure that this is continuous #STinsights #OneHCL
— mike d. kail (@mdkail) March 17, 2021
Compared with the old server room down in the basement, Tier 4 data centers (where clouds are typically being hosted) come with proper physical security. Access is next to impossible. But security doesn’t stop here. This is where the whole journey starts.
— Marc Wilczek (@MarcWilczek) March 17, 2021
Cloud being new territory for the digital world, these helpful ways to prevent data breaches - Increase CyberAwareness, Encryption at every stage, MicroSegmentation, Visibility, Governance & audit/assessments @CIOStraightTalk #OneHCL #STinsights #CybersecuritywithHCL
— Syam Thommandru (@ntsyam) March 17, 2021
#STinsights If you're looking to fundamentally prevent *all* breaches, I think you're starting from a wrong and unwinnable place anyhow :-)
— Dr. Anton Chuvakin (@anton_chuvakin) March 17, 2021
Not sure whether security can ever fully prevent a breach. There’s no such thing as a perfect world. However, I do believe that the odds of something going south can be drastically reduced when consistently leveraging & safeguarding the cloud in an E2E fashion across all layers.
— Marc Wilczek (@MarcWilczek) March 17, 2021
A5. There is no such thing as holistic Cloud security, there is only risk minimisation and contingency plans for when something bad happens. Consider decentralisation/federation of private Cloud to offer a "non standard" attack surface.
— Paolo Vecchi (@Vecchi_Paolo) March 17, 2021
A5: Take a step back. What does #cloud #security mean to your business? Should have a general organizational high level answer and then a per-provider expectation, and per-application more specific implementation at velocity. #STinsights
— Wayne Anderson (@DigitalSecArch) March 17, 2021
#cloud #cybersecurity sounds complicated, but it doesn't have to be. #Policy covers org. #data and #audit feeds + #identity strategy per provider. #Controls and #automated security per application pipeline. #STinsights
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A5: Answer:
1⃣ Be #riskaware, #crisisprepared and check the #SLAs
2⃣ Be #riskaware, #crisisprepared and check the #SLAs
3⃣ Be #riskaware, #crisisprepared and check the #SLAs
And did I mention be #riskaware, #crisisprepared and check the #SLAs #OneHCL #Security #STinsights https://t.co/9Dm2Mu3jEU
— Bill Mew #DigitalEthics #TrustinTech #BLM (@BillMew) March 17, 2021
Thanks to our Power Panel for making this an amazing discussion. We will be back again soon!
One extra thought when it comes to preventing #data #breach - the goal of #security teams should be relentlessly positive. Create predictability. If app meets standards, it should get a "yes". Biz is your customer - they should know they can depend on HELP from team #STinsights
— Wayne Anderson (@DigitalSecArch) March 17, 2021
A big thank you to our Power Panel for their #STinsights and those who joined us for this exclusive discussion on our #Tweetchat #OneHCL @BillMew @anton_chuvakin @imoyse @MarcWilczek @mdkail @ntsyam @DigitalSecArch pic.twitter.com/ANisyiGGBz
— CIO Straight Talk (@CIOStraightTalk) March 17, 2021
Thank you to the panelists and the community for sharing incredible insights on cloud security. #STinsights #OneHCL
— Moin Shaikh (@moingshaikh) March 17, 2021
It was a pleasure to be part of the panel. Thank you all for your insightful tweets on #CloudSecurity. @CIOStraightTalk @BillMew @anton_chuvakin @imoyse @MarcWilczek @mdkail @DigitalSecArch #STinsights #OneHCL #CyberSecuritywithHCL
— Syam Thommandru (@ntsyam) March 17, 2021