Tech is constantly evolving, and IT pros need to be agile, open to and ready for change. At RSA 2018, Michael Farnum, solutions architect manager for Set Solutions, talked about how he overcame his preconceived ideas about the cloud and learned to embrace it personally and professionally. In his session, “Confessions of a Cloud Security Convert,” he told of his quest in conquering five challenges he encountered, in a Dungeons-and-Dragons-style tale.
“I had some alternate titles for this presentation, like ‘That time when a network security guy moved to application security at about the time when cloud was really maturing and getting popular and how he missed a bunch of stuff and the cloud scared him and he didn’t trust it and some people had to drag him kicking and screaming to the cloud so he would admit he was wrong…’” he said.
Alas, Farnum set out on his journey to conquer his cloud challenges, giving each one a fantastical name.
1. Let Go of Preconceptions
King Ogre of PrejudiceChallenge Rating: 7
Farnum needed to get over his preconceived notions of the cloud so he could begin to trust it.
“It just felt wrong – putting all of this stuff in the cloud,” he said. “I had no control over it anymore.”
But the more Farnum learned about the cloud, the more he grew to trust it. He did his research and learned how to implement measures to use the cloud securely. Eventually, Farnum found that the benefits outweighed the risks, and his newfound knowledge led to trust.
2. Redefine the Perimeter
Earth Elemental of the PerimeterChallenge Rating: 5
Farnum said he was primed to overcome the perimeter issues in the cloud thanks to mobile endpoints. But the software-defined perimeter held him back.
“To me, the wall never fell. I’ve always viewed the perimeter as an extension or expansion,” he said.
To overcome Earth Elemental, Farnum again did his research to learn more about software-defined perimeters and looked into vendors that specialize in it. He also reconsidered his own definition.
3. Simplify Complex Terms and Billing
Hydra of Confusion
Challenge Rating: 9
With so many cloud providers and so many services, the selection process can be overwhelming. The acronyms, the services, the billing. Especially the billing. He even compared some billing practices to getting attacked by a flock of birds, coming from every direction.
To overcome the Hydra of Confusion, Farnum set out to learn everything he could about the cloud – listening to podcasts, reading articles, watching videos. To reign in billing, he set thresholds and created alerts to make sure that what he was paying for was actually needed.
4. Define Responsibility
Shadow Dragon of Data ProtectionChallenge Rating: 13
This dragon proved to be more challenging than any of the other beasts, as it relates to security responsibility, S3 buckets, secure deployment and shadow IT.
“Anybody can hit you from anywhere if you don’t do things right,” Farnum said.
He wanted to know what he was responsible for and what he could count on his cloud providers to do. While the provider has primary responsibility in most cases for software as a service (SaaS) and platform as a service (PaaS), there is shared responsibility with infrastructure as a service (IaaS).
“They secure the cloud, you secure what’s in there,” he said. “You can’t depend on them to secure your workload.”
He learned that S3 buckets are by default more secure because they’re not publicly available unless you bypass several warnings. And although he could have moved his existing data center into the cloud and treated it as an off-premise data center, that would hamper agility, which is one of the benefits of the cloud.
“I didn’t want to hamstring the flexibility of the cloud, but I didn’t want to ignore data security requirements,” Farnum said.
And although he has embraced the cloud, he understands that, “It was a pipedream to say total security was possible in the cloud.”
5. Prepare for Future Challenges
Future Monsters
Challenge Rating: TBD
Farnum’s quest continues, and new challenges will continue to arise. He cited logging, compliance and tracking assets as ones he’s already identified. But, he now knows that with knowledge, an open mind and determination, he can slay these future beasts.
“The biggest monster was stubbornness,” he said. “I had to call BS on myself and the vendors.”
Read more from RSA 2018:
- Collaboration and Cybersecurity Culture in the Spotlight at RSA 2018
- The Experts Weigh In: Key Takeaways from RSA 2018
Are you ready to conquer your cloud beasts? Check out the recently updated CompTIA Cloud+.
