digital risk management dialogue series: securing multi ... · introduction “the cloud.” it...

Digital Risk Management Dialogue Series:

Securing Multi-CloudTransformation

Hosted by

Ben Smith - Field CTO - US, RSA

Tom Field - Senior Vice President - Editorial, ISMG

Agenda

6:00pm - Registration, Networking

6:30pm - Introductions and Opening Remarks

6:45pm - Roundtable Discussion

8:30pm - Program Concludes

Executive Roundtable Series

Sponsored by RSA

Introduction

“The Cloud.” It used to be when security leaders discussed the topic, it

was all about cost savings, unlimited storage … and the security concerns.

Who has access to that data stored in the cloud?

But in today’s digitally transformed environment, where enterprises often are adopting a cloud-first

approach, the new discussion is about agility, access to new services … and the security concerns.

How do you maintain visibility into your public, private and hybrid cloud environments? How do

you manage privileged access to cloud resources and data? What framework(s) can you use to

measure cloud risk?

This latest edition of our exclusive Digital Risk Management Dialogue Series on Securing Multi-

Cloud Transformation will provide answers to these and other important questions.

Guided by insights from Ben Smith, field CTO at event sponsor RSA, this roundtable will help

define the topic within the greater context of digital risk management, as well as draw from

the experiences of the attendees, who will offer tips on how they have been able to help

organizations thrive amidst multi-cloud transformation. Among the discussion topics:

• How do you currently maintain security visibility into your cloud environments?

• What controls do you have in place to manage access to cloud resources and data?

• Have you defined your organization’s appetite for cloud risk – and against what framework

do you measure it?

You’ll have the opportunity to talk with your peers about the impact of the multi-cloud environment

and how the solution must be part of a bigger strategy to deal with the changing risk and security

landscape.

Securing Multi-Cloud Transformation2

Discussion Points

Among the questions to be presented for open discourse:

• How do you describe cloud adoption at your organization today – fully there, partially there,

still devising a strategy?

• How do you currently maintain security visibility into your cloud environments?

• What controls do you have in place to manage access to cloud resources and data?

• Have you defined your organization’s appetite for cloud risk?

• Against what framework do you measure it?

• Where do you see your remaining cloud security gaps?

• How will you address these gaps in 2020?

Securing Multi-Cloud Transformation 3

About the Expert

Joining our discussion today to share the latest insights and case studies:

Ben Smith

Field CTO - US, RSA

Ben Smith is Field Chief Technology Officer (Field CTO - US) with RSA, a

Dell Technologies business. With 25 years’ experience in the information

security, networking and telecommunications industries, he regularly

consults on RSA’s security and risk management solutions. His prior

employers include UUNET, CSC, and the US Government, along with

several technology-oriented startups. He holds industry certifications

in information security (CISSP), risk management (CRISC), and privacy

(CIPT), and has presented on RSA’s behalf internationally at cybersecurity

events sponsored by Gartner, FS-ISAC, SANS, IANS, CERT/SEI, ISSA,

(ISC)2, ISACA, Infosecurity, MWCA, RMA, BSides, ASIS, InfraGard, HTCIA,

SecureWorld, ICI and other organizations. Ben on Twitter: @Ben_Smith

About RSA

RSA offers business-driven security solutions that uniquely link business context with security

incidents to help organizations manage risk and protect what matters most. RSA solutions are

designed to effectively detect and respond to advanced attacks; manage user identities and

access; and reduce business risk, fraud and cybercrime. RSA protects millions of users around

the world and helps more than 90 percent of the Fortune 500 companies thrive in an uncertain,

high-risk world.

For more information, please visit https://rsa.com/.


About the Moderator

Leading our discussion today is:

Tom Field

Senior Vice President - Editorial, ISMG

Field is an award-winning journalist with over 30 years of experience

in newspapers, magazines, books, events and electronic media. A

veteran community journalist with extensive business/technology and

international reporting experience, Field joined ISMG in 2007 and

currently oversees the editorial operations for all of ISMG’s global media

properties. An accomplished public speaker, Field has developed and

moderated scores of podcasts, webcasts, roundtables and conferences

and has appeared at the RSA conference and on various C-SPAN, The

History Channel and Travel Channel television programs.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely

to information security and risk management. Each of our 28 media properties provides education,

research and news that is specifically tailored to key vertical sectors including banking, healthcare

and the public sector; geographies from the North America to Southeast Asia; and topics such

as data breach prevention, cyber risk assessment and fraud. Our annual global summit series

connects senior security professionals with industry thought leaders to find actionable solutions

for pressing cybersecurity challenges.


Multi-Cloud Transformation Defined

TOM FIELD: What does “multi-cloud transformation” mean for different

types of organizations, depending on their technological maturity?

BEN SMITH: Adoption of cloud computing is at the heart of most

organizations’ digital transformation strategy. Whether they seek to

monetize data, streamline innovation, produce more engaging customer

experiences or simply create better operational efficiencies, a move

to the cloud today is about much more than just cheap and abundant

storage and compute capacity. It’s a business imperative and literally a

prerequisite for modern businesses to compete.

But offloading applications and workloads to the cloud creates an array

of new risks.

For starters, many organizations moving to the cloud lack the cloud-

native expertise to assess their current capabilities for managing cloud

risk. Are they on par with industry standards and best practices, or are

they woefully below the bar?

Because the infrastructure, applications and data live outside your

control, it’s very difficult to achieve a high level of security visibility

across private, public, hybrid and multi-cloud environments. This makes

it challenging for organizations, mature or otherwise, to be able to

assess their risk across their entire compute surface.

In advance of this event, ISMG’s Tom Field spoke about breach detection

and response with subject matter expert Ben Smith. Here are excerpts of

that conversation.

Securing Multi-Cloud Transformation

Q&A WITH THE EXPERT

Ben Smith

Field CTO - US, RSA


Given that our old security perimeters are continuing to vanish, and that

more and more of us are directly accessing cloud-based applications

and data from unmanaged personal devices, controlling who has access

to what becomes a last line of defense, and thus is now more important

than ever.

Finally, as organizations move more mission-critical applications and data

to the cloud, they are indirectly increasing their reliance on cloud service

providers, making it vitally important for organizations to understand the

risks these third- and fourth-party relationships pose and how they could

negatively impact their businesses.

Managing Assets in the Cloud

FIELD: How do you see organizations managing the reality that they are

responsible for the assets they store in the cloud?

SMITH: Organizations that are well into their cloud journey usually

figure out early on that there is a skills gap when it comes to how their

cloud assets are stored, monitored and secured – a gap which must be

addressed.

While managed security service providers (MSSPs) and product vendor

service offerings may help offset the skills gap by helping organizations

“run” their security operations, organizations must first learn what they

don’t know about their current cloud security capabilities. Being able

to answer questions such as “how well are we securing our cloud

environments compared with industry guidelines and best practices?”

and “which cloud security investments should we make to best align with

the future needs of our business?” are the fundamental building blocks

of any successful cloud risk management strategy.

Before making any new, large-scale investments in cloud security tools

or managed security services, organizations should get a cloud security

“checkup.” Look for a trusted adviser who has decades of cloud security

expertise and deep knowledge of NIST and ISO specs to benchmark

current cloud security capabilities and assess business risk.

“Many organizations moving to the cloud lack the cloud-native expertise to assess their current capabilities for managing cloud risk” Ben Smith, RSA


They will also want an adviser who can help tailor a roadmap for

maturing an organization’s cloud risk management model, to ensure

that they are funding the right initiatives to support current and

future business needs. This not only provides a business-driven risk

management plan, but also helps close the skills gap by educating staff

and building an internal knowledge base around cloud-native security.

Remember, public clouds follow a shared security model. Generally

speaking, service providers are responsible for security “of” the cloud,

while organizations are responsible for security “in” the cloud – including

data, applications, devices and user access. Which is all the more reason

to get a handle on what risks you own and how best to manage them.

This is, in fact, a primary leading indicator of maturity when it comes to

managing cloud risk: the presence (or absence) of a whole-organization

understanding of who owns the risk for a new project. Wrong answers

often include security, or IT or the risk management team. These teams

are all there to support the business. It is the business which owns the

risk. And it is the business that must make the decision, informed by

recommendations and other information provided by these supporting

teams, regarding how to remediate, transfer or accept the risk for any

new proposed cloud offering.

“These days, misconfigurations dominate the headlines as a leading cause of cloud security incidents.” Ben Smith, RSA


Visibility

FIELD: How does one maintain appropriate security visibility into a

multi-cloud environment?

SMITH: As organizations move applications and workloads to the

cloud, having good visibility means that they’ll not only be able to

monitor application performance and measure cloud service provider

SLAs, but they’ll be well-equipped to quickly detect and respond

to cloud-borne threats and maintain compliance with a variety of

evolving regulatory mandates and privacy standards, like last year’s

scariest four letters (GDPR) and this year’s scariest four letters (CCPA).

However, attaining the visibility they need can be a challenge. Each

cloud account, even on the same platform, is different – with multiple

security controls and configurations. These days, misconfigurations

dominate the headlines as a leading cause of cloud security incidents.

We’ve also noticed that most organizations use a hodge-podge of cloud

controls. Some are provided by cloud service providers, while others

are supplied by third-party risk management and cybersecurity vendors.

This fragmented approach reduces visibility and introduces complexity –

especially in hybrid and multi-cloud deployments.

For starters, organizations need to know which cloud services their users

are engaged with. The actual number usually comes as a surprise to

most CISOs – much higher than expected. They need to know what their

employees are doing when logged in.

Technologies like user and entity behavioral analytics (UEBA) enable

organizations to continuously monitor cloud activity and spot both

intentional and unintentional access abuse.

Organizations also need solutions that provide comprehensive logging

and monitoring of all cloud data sources, like packets, NetFlow and logs.

It’s also critical to have real-time visibility into threat vectors, including

endpoints, networks and cloud infrastructure.

“Cloud computing is only getting bigger, faster and more complex as hyper-agile DevOps practices continue to pump out new applications and capabilities at a rapid pace.” Ben Smith, RSA


To avoid limiting visibility due to siloed data, organizations should

correlate the rich security data already available from service providers.

For example, AWS customers should ensure their security monitoring

tools are collecting data from AWS CloudTrail, VPC and GuardDuty so

they can track user activity and API usage and detect threats within their

public and private AWS instances.

Finally, in addition to having deep visibility into cloud resources and

users, organizations should look for solutions that cover all their physical

and virtual infrastructures to better detect and understand attacks that

may span across their entire compute surface.

Access Management

FIELD: How does one get a handle on access management to cloud

resources and data?

SMITH: One of an organization’s critical responsibilities in a shared cloud

security model is providing identity and access management for their

workforce and other entities who need access to online resources.

Knowing that users are who they claim to be is key to securing

workloads in the cloud. But it’s no longer good enough to authenticate

users based on a single credential or even, for that matter, on a “one size

fits all” multi-factor authentication solution.

Today’s fast-moving workforce and fast-changing cloud environments

require authentication solutions that provide both a high level of security

and a high level of convenience for users. After all, organizations are

moving to the cloud partly to make it easier for folks to work more

efficiently. To do this requires organizations to, at a minimum, augment

static-based rules with rules that are self-learning and based on dynamic

context.

When it comes to authentication, organizations must go beyond simply

using static markers of risk, such as a credential, a user’s role or an IP

address or location, and begin incorporating signals associated with

user behavior, device reputation, threat intelligence and fraud patterns.

This approach will enable organizations to better guard against insider


threats, thwart malicious attacks in progress and adapt access controls

based on ongoing changing workforce needs and actual behaviors.

However, verifying that users are who they claim to be is only one side of

the cloud access coin. Understanding what cloud resources users have

access to and what they can do with their access is just as important. As

you might expect, privileged users pose the most risk, since an attacker

with these credentials can quickly spin up new services and change

cloud security and configuration settings.

Cloud computing is only getting bigger, faster and more complex as

hyper-agile DevOps practices continue to pump out new applications

and capabilities at a rapid pace. This creates a growing number and

increased velocity of access requests.

Organizations must go much farther than simple provisioning tools

that allow for quick onboarding of cloud users. They must focus on

the governance side of managing access and rights, and incorporate

identity analytics for deep visibility into user entitlements in the cloud,

to understand how risks such as segregation-of-duties violations

and excess privileges can negatively impact their cloud security and

compliance posture.

Measuring Risk

FIELD: What are appropriate ways to measure cloud risk?

SMITH: Once you’ve solved or at least made some good progress

toward getting visibility across your cloud estate, there are a few good

sources I can point to when it comes to taking that next step: measuring

what you’ve now found.

If you’ve done any work within the information security and risk

management space, it will not be a surprise to learn that NIST is a fine

place to start on this question. Their special publication (SP) 500-299

outlines a cloud-focused security reference architecture, with a brief

section on measurements. I should point out that when NIST addresses

cloud metrics in this context, they tend to be more operationally focused

(around service level agreements, elasticity speed, data retention, etc.)


– but these are still worthy references to mine for potential security

metrics.

And don’t overlook NIST SP 800-145, which takes the time to fully define

what cloud computing is. Don’t let the age of this document, last revised

in 2011, frighten you off – it’s very short (less than 10 pages) and still full

of good, foundational information useful to us today.

OK, so what about something more directly related to your question

about cloud security metrics? Take a look at the Cloud Security Alliance

(CSA) as a reference. They have a wide range of collateral and even a

professional certification in this area. They recently published a white

paper on “Improving Metrics in Cyber Resiliency,” which gets you

thinking about “elapsed time” as a worthy metric: elapsed time to identify

failure, and elapsed time to identify threat.

Other CSA deliverables worth reviewing for metrics include the

Consensus Assessments Initiative (CAI) and the Trusted Cloud Initiative

(TCI). And CSA is a supporting partner of the Common Assurance

Maturity Model (CAMM), another resource I’d encourage you to review

on this question.


If you haven’t picked up on the common thread through several of my

recommendations here, it is this: You can and should mine maturity

models for potential metrics guidance.

Finally, RSA recently introduced a series of risk frameworks which help

our customers recognize, quantify and measure risk across several areas

of their cloud-focused projects. I’ll get into that a little later.

Digital Risk Management

FIELD: Are organizations approaching multi-cloud transformation as a

single challenge to be addressed, or is it viewed as just one component

of a larger digital risk management strategy?

SMITH: Moving services to the cloud is a huge lift, all by itself, for many

organizations. But where we’ve seen the most success across our

customer base is when all this cloud migration work takes place in a

broader context, focused on understanding digital risk.

Digital risk management is a byproduct of today’s digital transformation

efforts which we are seeing across the industry. In the pursuit of

modernization, digital technology offers organizations opportunities

to transform their operations, resulting in increased speed, agility

and efficiency – these tend to be common goals in most digital

transformation efforts.

However, the explosion of information, users, connected devices, digital

channels and third-party applications introduces new threats and risks.

This technical complexity, combined with a cybersecurity talent shortage

and organizational silos, can create an abundance of new opportunities

for adversaries, who have more tools, resources and patience than ever

before.

Finally, governing bodies are trying to drive more accountability for

data security and privacy by enforcing risk-based requirements versus

prescriptive checklists. Security and risk requirements are converging

to shift the conversation from technology-focused security issues to a

business risk and litigation challenge.

“You can and should mine maturity models for potential metrics guidance.” Ben Smith, RSA


In our digital world, both good things and bad things can happen

more quickly, and with greater impact, than ever before. A solid digital

transformation strategy has, as a cornerstone, a healthy respect for the

accompanying digital risks which may be introduced. What’s unfortunate,

if not dangerous, is that many companies today are still operating in

yesterday’s model of (pre-digital) business risk.

Business risk has been around for as long we’ve had businesses, and

digital risk is a fundamental component of business risk today. It’s all

about understanding the implications of bringing new technology into

your organization. It’s all about walking before you run into rolling out

that new platform, or working with that new partner, or storing your

data with that new cloud provider. It’s all about stopping to realize that

time pressures, frequently coming from the market and competition,

often drive us to rush that new product, platform or relationship into

production before taking a hard look at the risks of this “new” approach.

We sometimes paper over those gaps to get the job done on time.

These gaps are where digital risk lives, often silently. Whether through

an accident, or a deliberate action by an external adversary or an inside

threat within your own company, if you haven’t surveyed, inventoried

and quantified these new digital risks, you are setting yourself up for

some pain at some point in the future, sooner than you’d like to realize.

Let me net it out for you: Don’t start your cloud migration project without

first understanding the accompanying digital risk. How can you make the

correct decision to proceed without this step?

RSA’s Strategy

FIELD: How does this topic fit within RSA’s digital risk management

strategy?

SMITH: Let’s start by acknowledging that many folks have no idea that

RSA is in the digital risk management business. But we are, and we

have been for almost a decade, and we offer substantial subject matter

expertise in this area.

“Business risk is what most organizations struggle with today - how to see it, how to measure it, how to minimize it. Information security is just a subset of business risk.” Ben Smith, RSA


We are proud of our almost four-decade heritage as a pioneer in the

information security space, from our encryption algorithms to our

authentication technologies, to our risk management, network visibility

and anti-fraud portfolios.

One of the reasons that the RSA product portfolio is smaller and more

focused than in years past was the realization that we needed to take

another approach to how we think about risk more holistically, above

and beyond the information security space. Business risk is what most

organizations struggle with today – how to see it, how to measure it, how

to minimize it. Information security is just a subset of business risk.

And if you are living here in the 21st century, digital risk is just another

way to look at that central business risk challenge. Living on the internet

today provides significant advantages to how we all do business: It is

faster; we can reach our customers more directly; we can more quickly

see trends and come up with new products or services to offer. This

comprehensive interconnectivity makes it easier to do business.

But being so interconnected also increases our digital risk, often

substantially. We are interdependent on our third parties – including our

cloud providers – to accomplish our business goals. An outage, or an

attack, on a part of your infrastructure can be amplified and move much

more quickly across your environment, due to how interconnected we

all are. Managing digital risk is a fundamental challenge where even

successful organizations struggle.

Central to our philosophy of helping our customers effectively manage

their digital risk is leveraging models, or frameworks, which can serve

as a blueprint for action, as well as a means to benchmark progress

over time. There is a huge number of frameworks which exist in the

information security and risk management space. We realized that we

could provide more value to our customers not by simply pointing to this

group of models, but by bringing to the table our own expertise and real-

world experience gained through our RSA Risk & Cybersecurity Advisory

Services (RCAS) team.


And so we rolled out a family of “RSA Risk Frameworks” at our annual

RSA Conference 2019. Think of these frameworks as maturity models

– models which we’ve designed and developed through thousands

of engagements across some of the most complex business and

technology environments out there today, and based, in part, on industry

standards including the NIST Cybersecurity Framework, COBIT 5, the

FAIR methodology and others, all in support of helping our customers

move forward and succeed during their digital risk management journey.

Four of these RSA Risk Frameworks are available today: cyber incident

risk, third-party risk, dynamic workforce risk and multi-cloud risk. An

additional four frameworks (focusing on business resiliency risk, data

governance and privacy risk, process automation risk and compliance

risk) will be available toward the end of 2019. All these frameworks

aim to group organizations into one of three general maturity levels or

tiers: basic effectiveness, foundational effectiveness and operational

excellence.

Visualize these as horizontal tiers, where success might be reflected in

your starting in a less mature state in the bottom tier and subsequently

moving up the stack to the next tier over time. Because each of these

four frameworks is focused on a different use case, this is where we get

into the specifics.

The RSA Risk Framework for Multi-Cloud Risk is an especially useful

example in the context of digital transformation, as it maps directly to our

topic today. In this framework, there are four main capabilities we can

help you measure – visualize these capability areas as vertical pillars,

with the maturity tiers overlaying these pillars horizontally.

These four key capability areas are all about identifying the business

processes your cloud providers are supporting, your contracting and

governance practices, how you manage the identities and access

management involved with these cloud platforms, and finally your

compliance-oriented procedures around assessment, measurement and

reporting.


An output of the services conversation we have in conjunction with

the RSA Risk Framework for Multi-Cloud Risk is a discrete numeric

score across each of these four areas and an aggregate score to total

everything up.

These scores are something quantifiable that can be measured

today, and then measured again in the future to see how much you

are improving over time. So as an example, you may be approaching

operational excellence today in your cloud provider contracting function,

but maybe you are a little less mature and closer to foundational

effectiveness when it comes to how you manage those supporting

cloud-based identities and access, as well how you govern and assess

those platforms. And again, as an example, this might be where you

acknowledge that you are also operating only at basic effectiveness

when it comes to defining and enforcing KPIs (key performance

indicators) relating to the business processes your cloud providers

support. We’ll score you in each of these four key areas, prepare a gap

analysis and make recommendations for improvement.

I haven’t talked about any RSA products here, and that is by

design. While we have some excellent offerings in the visibility, risk

management, identity and anti-fraud areas, we think that managing your

digital risk starts with a higher-level conversation to better understand

your business challenges – that was a key driver for us as we developed

and released the RSA Risk Frameworks, as they represent several core

challenges we’ve seen repeatedly across our customer base.

We would welcome the opportunity to demonstrate to you that we can

help you navigate this critical journey by asking the right questions,

helping you recognize where digital risk lies within your business – and

how to address it. n


Notes


902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security

and risk management. Each of our 28 media properties provides education, research and news that is specifically

tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to

Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global Summit

series connects senior security professionals with industry thought leaders to find actionable solutions for pressing

cybersecurity challenges.

Contact

(800) 944-0401 • [email protected]

CyberEd

digital risk management dialogue series: securing multi ... · introduction “the cloud.” it...

Documents