A panel of security experts on Wednesday at the RSA Conference in San Francisco said the number of cloud implementations is rapidly rising, but the maturity of the industry will bring tremendous benefits and improvements to security.
The session, “CISOs Check the Weather: Beyond the Hype of Cloud Security,” consisted of Jerry Archer, CISO at Sallie Mae; Dave Cullinane, CISO at eBay; Chuck Deaton, director of information security at Humana; and Jason Witty, SVP and information protection consulting executive at Bank of America. The moderator was Jim Reavis, executive director of the Cloud Security Alliance.
All agreed that the cost savings presented by cloud deployments are enough of an attraction to radically change the landscape. But some companies are still not comfortable with the idea, said Witty. There are, he said, so many variables in how a company can shift operations to a cloud services provider that many potential users are unclear about the best approach.
But, resistance is futile, said Deaton.
“You will be assimilated,” he said.
Archer said the results of a recent survey showed that IT costs can be reduced by 85 percent from a move to the cloud, certainly a fundamental change that will force businesses to at least begin a discussion of outsourcing models.
“This evolution will be unlike anything we've ever seen,” he said.
Also, the security component will evolve, Archer said, first with provisions and contracts, and then with protocols and other means to gain insight.
However, other members of the panel warned of some of the challenges cloud implementations will bring. Cullinane said cloud services offer a huge opportunity to deliver security cost-effectively via the cloud, but said he was worried about not being in control of his company's operations.
Deaton added that security pros have to be as non-disruptive as possible and cannot block innovation. But they certainly can add their two cents and ensure there are no unintended consequences.
“Get in there, voice your concerns and participate,” he said.
But Cullinane raised what he labeled one of the big challenges: How does one get in front to figure out how to implement the cloud while at the same time ensuring there is as little risk as possible?
“Unless you have visibility into where your data is going, how do you manage risk?” he asked.
Deaton responded that security pros charged with employing cloud services will find a way that will allow their teams to do innovative things, find new strategies to minimize risk, and give “yes” answers when the C-level requests a new program or offering. The onus is on security teams to stay ahead of the tide.
“We need to change the way we do our jobs,” said Cullinane. “Major things are happening here.”
For example, an audience member asked whether one needs to regularly audit their provider. Witty said audits, in fact, become less relevant when all operations are handled automatically via a cloud implementation.
“We're moving to continuous monitoring that validates activity,” he said.