The architecture of the cloud is fundamentally different from an on-premise model. Cloud providers are correct that the underlying operating system, the bare metal so to speak (the layer they are responsible for), is more tightly controlled, with failed components replaced at minimal impact. However, the logical layer is controlled by the client. In the on-premise world, well-established standards determine which applications to run, as well as what servers and which configuration tools to use. In a cloud scenario, these are decisions that must be made by the firm; there are infinite combinations to be customized to its needs. The reality is that the individual firm may not know what the best combinations are. So, while the individual components may be more secure, it is not guaranteed that the assembly of those components into a complete system will be.
Further, the cloud accountability model is much more difficult to assess from a controls perspective. Instead of one entity (the firm) being responsible for all data, infrastructure and operations, the activities are divided between the cloud provider, the application developer and the client -- each with different and overlapping responsibilities for resiliency. It is not always clear who is accountable for security in a given app, with a given client, at a given point in time.
In the on-premise world, the SOC2 (security operations center for physical assets) is assessed by a visit to the data center. In a cloud model, no one visits the data center; in fact, there may be multiple data centers distributed around the world. For example, take Zoom, which uses Amazon Web Services for hosting its infrastructure. In any given Zoom call, each individual user is routed to a virtual data center near their location to stand up the infrastructure to support the call. Whose controls should be assessed? Zoom is just providing the software that allows the data streaming. The hardware that spins up capacity is in regional data centers worldwide. So, the traditional way of looking at data centers to assess controls does not really apply. Conventional IT support teams in an on-premise model do not have the skills to support the different approach to software development (known as the Continuous Improvement/Continuous Delivery or CI/CD pipeline) and DevSecOps required by a cloud-first model, which can itself create friction in terms of adoption. Cyber professionals must ensure that governance and controls fit the organizational delivery model of a cloud-first firm.
In fact, one reason for the reluctance of top-tier financial institutions to fully adopt the cloud is not the technical challenges; they are comfortable that they have the expertise to devise resilient cloud models. It is because regulators around the world have not yet found an accountability model that accommodates the new cloud reality, in which the institution does not always control all the systems through which customer data must pass. Many recent privacy regulations are geographically and economically oriented; for example, in the EU, customer data must be stored within an EU member country. This is completely contrary to the essential premise of cloud computing -- that data goes where the applications go, which could be anywhere in the world. The machinery of regulation, set by lengthy legislative processes and often taking years to enforce, is moving too slowly for the oncoming tide. In the meantime, companies are finding workarounds that take advantage of the economic drivers to the cloud as best they can, like hosting virtual instances of customer data in the cloud instead of the data itself and using the cloud for everything besides customer data.
In recent years, we have seen the emergence of digital organizations, overseen by a Chief Digital Officer, which exist outside of the central IT function of firms. Digital teams are usually responsible for websites and mobile apps, and sometimes even customer service. They tend to use cloud-based capabilities, including the new approaches to software development that enable continuous improvement and delivery as opposed to older methodologies used in the on-premise model. They are also often unencumbered by the governance requirements of central IT.
The CISO must decide if and how to get involved in the digital world. While some are most comfortable with the traditional way and therefore stay within the remit of the main IT organization, those who recognize that their cybersecurity responsibilities extend to the digital sphere (especially now, with the shift to digital banking and remote working accelerated by the pandemic) will tend to have more exposure to the innovation in controls design necessary to effectively secure the new approaches, techniques, tools and infrastructure of the cloud. Since they can be radically different, and in some ways antithetical to on-premise modalities, they can be difficult for security professionals to get their heads around. But they must. Those CISOs who steer their teams towards understanding this paradigm now are going to be the ones best prepared for the cloud’s inevitable takeover of all IT operations, whether that is one, five, or ten years in the future.
Most CISOs believe that their job is to reduce risk. The best CISOs know their job is to manage risk. Enterprises must take risks to be competitive, certainly to be industry leaders. What sets great CISOs apart is effective risk management, which increasingly requires an in-depth understanding of the evolution of computing technology. Only those who embrace the cloud and all the new paradigms that come with it will be able to surf its rising tide.
The shift of all computing to the cloud is as inevitable as the tides, but the transition is fraught with challenges from a security perspective. To effectively manage the risks that come with cloud migration, CISOs must understand cloud architecture, the challenges in accountability that come with having multiple entities handle data, and how they fit into their firm’s organizational structure. The pipeline-based development model of the cloud requires cybersecurity professionals to have the skill to instrument controls into the pipeline within a governance model that emphasizes software quality. Only those who embrace the fundamental differences of the cloud paradigm will be successful as it increasingly takes over in the coming years.
© 2020 FS-ISAC, Inc. All rights reserved.
Jim Routh is the Head of Enterprise Information Risk for MassMutual in Boston. Mr. Routh was formerly a security leader for many large companies including: CVS Health, Aetna, JP Morgan Chase, KPMG, DTCC and American Express. At Aetna, he developed one of the most mature converged security programs in the private sector. He serves as a board member and advisory board member for several companies including: University of California Berkeley Center for Long Term Security, Clear Sky Advisory Board, Cyber Starts Advisory Board and the Global Cyber Alliance. He is the former Chair of the Health Information Sharing & Analysis Center (HISAC) and former board member of the FS-ISAC. He serves on the board of Acceptto and ZeroNorth. He serves as an advisory board member for Agari and Gurucul. Mr. Routh has been recognized by many industry awards for Cyber Security Leadership (CSO Hall of Fame, Shared Assessments Lifetime Achievement Award, SINET Impact Award and others). He regularly publishes articles on innovative practices and capabilities to improve enterprise resilience across industries.