Digital transformation is forcing IT to re-architect towards a decentralized infrastructure that removes data gravity barriers and accommodates ubiquitous and on-demand operations. However, this can introduce new security concerns with more points of entry.
What’s in store for the changing IT security landscape? To learn more about best practices companies should consider in shaping their physical and cyber security strategies, we invited Don Freese, Principal of PwC’s Cyber Strategy, Transformation & Risk to join Ed Diver, Digital Realty’s CIO, for a live Q&A at our MarketplaceLIVE event in New York City in November of 2019. With 22+ years of experience at the FBI’s Global Data Privacy division, Don brought a wealth of knowledge and experience to the table and shared his thoughts on:
- Advantages the cloud provides for security strategies
- How to think about the risk associated with data scattered everywhere
- Overcoming unique challenges from a security standpoint regarding data gravity barriers and moving to a decentralized environment
- How to handle crisis operations
- Outlook on the convergence of physical and virtual security
You can watch the full video of the discussion and read excerpts from the live Q&A included below.
Where Decentralization Meets Cybersecurity: MarketplaceLIVE Q&A with Don Freese and Ed Diver
*The following transcript has been summarized from the original recording.*
ED: What advice would you give to CEOs and CSOs when it comes to embracing the cloud? How should they approach it and what are some of the advantages the cloud might provide them for their security strategy?
DF: It's a great first question to lead off with. I think it's really what brought you and me together; it's what set up this situation where you and I ended up on stage talking with one another. I mean, there are different ways to lead in the IT world, but one of the things is that relationships matter and we're trying to lead by example. You and I--as CIO and as someone who works with CSOs all the time and having been in those roles previously myself--there is a big difference between us battling over budgets and strategy or me trying to slow down what you're doing on the innovation side or any of the folks in the security world doing that.
The cloud question is one that presses on all of us: whether we're going to virtualize or stay in an on-prem environment. Cloud is a great enabler for security and it’s going to help most companies get out of a legacy network situation, which often includes a technical deficit, particularly on the data storage side. If companies are trying to manage those things themselves with gear that's outdated, there are end-of-life issues, just with patching responsibilities alone.
Entering into a very responsible and robust relationship with cloud providers is a great way to move security programs ahead while at the same time meeting a lot of business strategy elements. It only adds value. It does also certainly add risk in certain areas whenever you're starting to get data into a more centralized location; that does make the attack surface change a little bit. However, it also enables many more strategies to control access through identity, control access and understand who's taking what data when and where. And also to have the ability to stop access in a very rapid fashion that is, quite frankly, impossible on most legacy networks.
This strategy has to be done in collaboration with the CIO, with the overall strategy enterprise, with the business leadership, and with the lines of business and products. And that's where you start to see security actually enabling business rather than chasing or slowing it down.
ED: Our data is spread all over the place. Compute is everywhere when it comes to cloud and on-prem applications. How should a CIO or CSO think about the risk associated with that? How should they categorize and prioritize the work to tackle security challenges across the right surfaces?
DF: It goes back to the first part of your question in that data is scattered everywhere. Without organizing data and understanding where it is, why we're storing it, how it's moving, what customers—either internally or externally—need access to that data, it really becomes incoherent to try to secure a network around those things.
So shifting your security strategy to a data-centric strategy also helps with cleaning up data for the entire enterprise. It helps with the regulatory environment that's changing like with GDPR and CCPA.
I would focus on the reverse of that question: how much privacy is wrapped around those data sets? So I really like where we can talk as a team with the CIO world, with the security world, with the data privacy officers, with the general counsels, with the product environment and say, “how much data do we actually need in our environment?” and let's organize that, let's categorize it and let's control the access to it based on identity and some of the other things that make sense.
Now is the time to use or to look at modernizing where data's stored, and cloud environments are the perfect way to do that.
ED: Barriers around data gravity are forcing IT leaders to move towards a more decentralized environment. That must bring some unique challenges from a security standpoint.
DF: Most of the companies that we work with have a global footprint. Looking at it by country is a little bit irrelevant when we're looking at architecture except for the data governance per country, but we take that as a secondary approach. And as we look at that, a lot of times we can really challenge the company by asking:
- Why are you storing this much data?
- Why do you have it over a certain period of time?
- What usefulness is it to you for your operations?
These are questions that companies simply aren't asking themselves. A lot of times, when companies are discussing a digital transformation project or migration to a cloud environment, they're taking their assumptions right out of the box on how much data they handle, how much they store currently, and they're simply doing calculations of what that would cost to be in a cloud environment. If you back that up a few steps and look at privacy regulations and you look at what the business usage for the data is, it's amazing how that is not being taken into account. Oftentimes, we're able to find that there are huge efficiencies in storing less data or at least archiving on a regular basis. And then we get into topics like, how do you restore the data and how do you plan for that in the modern threat environment?
Why not focus on what data you actually need to operate? What's actually profitable for you as an organization? And why not hand that other data off that you can archive? Maybe you need it for other reasons, but you can store that much more cheaply now, in environments like the ones Digital Realty provides. We really do a lot of that with different companies and it's a great strategy that opens things up immensely.
ED: Many CSOs and CEOs spend a lot of time worrying about a breach and how they’re going to recover data in that scenario. It always puzzles me how they hadn’t planned for that in advance. Any thoughts on that?
DF: Yeah, it is a concern. It's something that we certainly coach a lot in our world. We work with both executive and board levels about how to handle crisis operations. You'll always hear cybersecurity experts, like myself, talking about exercising and preparing and planning for those types of things. But getting down two layers from that, a lot of times we don't see it exercised at the technical level or the operations level. What do people understand in engineering teams and infrastructure teams? What does the CIO need to think about when a modern threat enters the system? Perhaps one that is encrypting data at a rapid rate like we see with ransomware, encrypting data in a way that stops operations.
What sort of discussions are taking place and what sort of mitigations are done there? The beauty—going back to your very first question with some of the cloud strategies that exist—is once we see things like ransomware in an environment taking place, those environments can be decommissioned offline within hundredths of a second. No one will even know that there was an event that occurred. And a lot of times having the data organized, like we've talked about through proper governance, proper location, proper storage—those bedrock elements that don't occur in a lot of our legacy network environments—once those things are settled into place after implementing a successful cloud strategy, those worries go away.
ED: The landscape has really changed over the last few years where physical security simply isn’t enough anymore and we’re seeing the convergence of virtual and physical security being necessary. What do you see with this convergence in the industry?
DF: Oftentimes, the physical security and the information security models are two totally different teams. They're teams who have never really talked and oftentimes culturally, they don't really exchange ideas very well. The very nature of the people running each one of those organizations is honestly very different. Now, we have operational technology or IoT a lot of times driving what's going on in that physical security world. And I think that's a great question because we want those networks to be as organized as the larger network storage in whatever system they're protecting. Are they properly segmented, or have they now created a threat vector by installing digital access controls right into the main backbone of their data?
Unfortunately, oftentimes they have [created a threat vector] and that's simply because of a lack of understanding of how these different elements work: how these card readers work, how they're sold by vendors. So you want to slow down and make sure before your physical security teams are implementing those types of things that first of all there's a strategic look at it, but also that you're using that data to control access in a logical way. So what do we mean by that? Same thing we want to do with data. If someone doesn't have a role or a proper entry element, then they should be able to have access to it. But the easiest way to set up a digital card reader to default mode is if you have that card, you can come in. Segmenting those physical spaces is just as important.
To learn more about MarketplaceLIVE and to stay in the loop, sign up at www.marketplacelive.com