The cloud. Everyone’s talking about it, things are moving to it, and some people are skeptical of it. At Rapid7, we understand the uncertainty that can arise from evolutions like this, and as a result, we’ve made it a priority to hear what others are saying, thinking, and feeling about this disruptive technology and how it’s changing both business and the threat landscape.
For this panel, filmed at the NASDAQ MarketSite in Times Square, we’ve brought together two CISOs and a CIO from three different industries to discuss how their organizations are approaching the cloud and how it’s evolved their security and IT practices.
Martin Liutermoza:
Hi, I'm Martin Liutermoza. I'm global head of information security engineering and operations here at Nasdaq, and today we're going to be discussing the cloud and cloud adoption with three distinguished guests. We have Nick Salian, who's global CISO of Tower Research Capital. Welcome.
Nick Salian:
Thank you.
Martin Liutermoza:
Jim Rutt; CIO, The Dana Foundation. Welcome.
Jim Rutt:
Thank you.
Martin Liutermoza:
And we have Terrence Driscoll; CISO of MacAndrews & Forbes.
Terrence Driscoll:
Thank you.
Martin Liutermoza:
So I would like to have you guys introduce yourselves, and tell us what you do and why you do it.
Terrence Driscoll:
Sure. Thank you for having me. I'm Terrence Driscoll, I'm the chief information security officer for MacAndrews & Forbes. We are a holding company. Our portfolio crosses many industries, from defense, financial, cosmetics, consumer goods, casinos and gaming, all the way down to pharmaceuticals. So how we adopt the cloud, and how we think about cloud security, really varies based on the company and the industry that they're in.
Martin Liutermoza:
Very interesting. Jim.
Jim Rutt:
Thank you for having me. My name is Jim Rutt, I'm the CIO of The Dana Foundation. We are an endowment-based foundation. We've been in business since 1950, and we fund grants for neuroscience, brain research, brain awareness; we do publications around that, and we also do program management around that. So we have a very interesting story to tell around cloud adoption, having really started about six, seven years ago. It's going to be very interesting to kind of take a look at that.
Martin Liutermoza:
Very interesting.
Nick Salian:
Hi. My name is Nick Salian, I'm the global CISO for Tower Research Capital. We are down in SoHo. We are a high-frequency trading firm. We trade in many markets. Thank you for having me.
Martin Liutermoza:
Thank you, gentlemen. So we have a very diverse group and it's a pleasure to have you here. So, Nick, what's your perspective on using third-party cloud-based applications?
Nick Salian:
My perspective is, I mean, there are cloud providers, and there are different types. So software-as-a-service is always attractive, but it comes with its own bag of, what I would say, accountability that a CISO has to take care of. So my notion is, when you take any service provider into your realm, you really need to look forward to their contracts and agreements. Specifically read through that, and ensure that they are the right place. And you should know that, when there's an incident, how can you react to that incident, and how fast. So that's my two cents on software service providers.
Martin Liutermoza:
Thank you. And Terrence, same question. What's your perspective on adopting cloud applications, with your environment?
Terrence Driscoll:
You know, for us, it really depends on the company that we're working with, but really is the path we need to go. Whether it's back-end infrastructure, moving specific applications to the cloud, or using software-as-a-service, we really have to look at both the industry that they're in, the regulation around it, and the compliance that we have to do for the customers and the markets that we're working in. But it enables us to be more agile and efficient with the resources that we have. We don't have to really look at the operation of maintenance of the back-end infrastructure, the back-end application. We can really focus on our end-user experience, making sure that they're getting what they need. Then, our teams are very focused on their primary mission, which is making sure that our employees, and our business, have everything available to excel and keep growing revenue.
Martin Liutermoza:
Thank you. Jim, what do you consider the biggest IT considerations when moving applications into the cloud?
Jim Rutt:
Well, I think of the benefits that you get out of cloud adoption, which we have realized quite a few of. From a software or service perspective, it's the ability to de-abstract all those kind of units that we've had to manage in the past, and we really don't want to have a core competency around anymore. The biggest kind of goals that I want to accomplish is delivery of data and applications in a safe and secure manner, and without having to manage any of the lower layers of abstraction that kind of come with an on-premise solution that we've typically managed.
Martin Liutermoza:
Which brings up a good point. What pitfalls have you identified in moving some applications to the cloud?
Jim Rutt:
Well, most of the pitfalls have been in the actual application layer, not in the lower layers like infrastructure or even security, from that perspective. Because, when you think about a security posture, principles don't change, techniques do. So we keep the same risk posture that we had when we had an on-premise environment, tweaking our principles and how we do our day-to-day procedures, standards, and baselines. That's kind of a little bit of the challenge there.
Martin Liutermoza:
So keeping the same control structures, but moving that into something equivalent-
Jim Rutt:
Exactly. Translating them to more of an application layer focus rather than all the way up and down the stack.
Martin Liutermoza:
Right. Makes sense. And what have you found about the price of going to the cloud? Has that really become the reduction in cost that you thought it was going to be?
Jim Rutt:
Well, it's an interesting talk ... We're talking about total cost of ownership. So, for us, net ... There's probably the minimal amount of savings, I would say, in moving to the cloud, from a pure cost perspective. But when you factor in ... To me, what's most important is the continuity factors of not having to worry about duplication of effort, redundant sites from a physical perspective. I think the costs definitely are ... That calculation is definitely advantageous.
Martin Liutermoza:
So, Nick, you have a very unique company that you're working for.
Nick Salian:
Yes.
Martin Liutermoza:
In high-frequency trading. Can you tell us what applications you've moved to the cloud?
Nick Salian:
We have, at the get-go, I would say started using some chat-based applications in the cloud. We've been a bit careful on that, because it comes with some responsibilities. We do have regulatory requirements that we need to follow. So the first step we did was how nicely we could surveil the entire transactions from our broker dealers, and how do the mathematicians, when they trade, the low latency network, how can we really track their chats across? That's the first step we have taken. We are moving towards using business applications in the cloud. But the company looks at me to give them the green light. I haven't given the green light yet, just because I feel that we need to solve the problem of having good compute in the cloud first, which is the keys to the kingdom, I would say. And, as Jim said, your cloud provider is just an extension of your data center.
Martin Liutermoza:
Right.
Nick Salian:
It's nothing less, nothing more. So security doesn't ... Your responsibility shouldn’t change. You shouldn't feel that you've outsourced your security to the cloud provider.
Martin Liutermoza:
Right. Have you moved any regulated applications into the cloud? Or you haven't gone that direction?
Nick Salian:
Not yet. As you said, we are very unique. We do HFT, so we see some players trying to test different models. We are out there, but we have not yet put anything in the cloud.
Martin Liutermoza:
Okay. Thank you. Terrence, what questions do you ask when you start evaluating a cloud provider?
Terrence Driscoll:
Really, there's always an element of compliance in policy that they have. But really, for me, the thing I look for the most is how their security program is structured. I'm looking for a company that is looking at the threat space, and has a threat-based approach to how they're managing their security program. I like to see a governance model where they are evaluating controls, taking into account not just the technology, but also the people and the process that's underlying their security organization. And I like to know that it's a company that we can partner with. It goes beyond just the contractual obligations that we have. But when there's an issue that comes up, or when we have a need, I want to be able to reach out, get in touch with someone, and work the problem together.
Like others have mentioned, using the cloud or cloud application, it's really just an extension of your environment. And you have to kind of think of it as encompassing of your environment. Yeah, I want to make sure that their security program and their approach is in line with the way I'm thinking about security, and my approach to security within all of our corporations.
Martin Liutermoza:
Now, because you have a number of different businesses, do you subscribe to any standards like ITIL or NIST or anything? Do you make your providers show documentation that they are also aligning with those types of frameworks?
Terrence Driscoll:
Yeah, you know, for some companies where they're required to abide by whether it's an ISO standard or a NIST standard for any of our companies that work with a federal institution. We are looking that they're doing those things too. But, for me, the approach that I'm taking with my company, with my security organization, and kind of the overall strategy and vision is looking at the NIST cybersecurity framework. It's a way to evaluate each company, using the same terminology. We're looking at controls the same way, we're speaking the same language, we can gather metrics across the same way, and we can present what we're doing and measure that we're making a progress in a similar fashion.
It makes it easier for me and my counterparts in the company to present it to their leadership, but it also enables me to show the executives at the corporate level what we're doing across the entire portfolio. So they can see it in the same pane of glass, and they can see it with the same language and terminology measures that the companies are abiding by.
Martin Liutermoza:
It makes it easy for the boards to understand it?
Terrence Driscoll:
Yes. Exactly.
Martin Liutermoza:
Jim, what questions or information do you suggest companies address when evaluating cloud vendors?
Jim Rutt:
Well, I think governance, obviously, is the first one. I mean, making sure that there's some kind of a baseline of standards that they're following. I think Terrence said it well; I think ISO 2701 is definitely a great baseline, if the vendor's able to achieve that. It's expensive. Some of the other things is how willing they are to bend on an SLA. For us, it's absolutely tantamount that we have the right to audit and to do penetration tests against any of our instances.
Martin Liutermoza:
Right.
Jim Rutt:
Whether or not they're willing to negotiate on those terms, I think it's kind of the battleground of an SLA. I mean, operationally, everybody's got a baseline that they're going to guarantee out of the gate, but it's all about risk and governance, making sure that they're able to adopt that.
Martin Liutermoza:
Maybe on like a percent base, it's 50/50 or something similar, how often, when you have those conversations with providers are they flexible?
Jim Rutt:
It depends on the tier where they're at. So if they're a tier one SaaS, like Microsoft or in that realm, they're a little less willing to bend than, say, somebody in a platform-as-a-service or an infrastructure-as-a-service model that is willing to get some of our business.
Martin Liutermoza:
Okay. Interesting. Nick, how would you sum up the cloud's effect on your security program?
Nick Salian:
Good question. I was at RSA this year, and I did see a lot of innovation in terms of different products out there. I would take it with a pinch of salt, for now. But you cannot stop innovation. We are talking about machine learning now. In the future we'll talk about cognitive learning. It's not going to stop. So strategy has to be bare bones, which means, as we say, ISO 2701 controls really follow right through the stack, right from physical all the way to logical, and encryption standards. So my take is that, I need to have an information security policy which, at this moment in 2017, needs to be a bit hybrid. Which takes care of both on-prem and cloud requirements all set together. But I think five years down the line, I'll see a very cloud-centric information security policy.
Martin Liutermoza:
Right. So it's no longer if we're going to the cloud, it's simply how we're going to the cloud.
Nick Salian:
No. As CISOs, it's our job to not put fear in the belly of the CIOs. We are supposed to support the crowd, we are supposed to educate the vendors and help them make right decisions.
Martin Liutermoza:
Excellent. Terrence, same question to you. How would you sum up the cloud's effect on your security policy?
Terrence Driscoll:
For us, it's really rethinking some of the core aspects of security. You have to think identity and access management. How do you provide things like single sign-on in a secure way? How do you incorporate things like multi-factor authentication into an environment that has mixed on-prem and cloud? It's also scanning. How can you scan an environment that's not solely under your control anymore, where maybe some of the infrastructure using the cloud is shared? Where it might be public, versus private? It's looking at things like that. And it's also looking at: how do we collect log data from the various platforms, how do we normalize it, and how will we be able to analyze it to look for anomalies or threats that might be happening?
A big piece, too, is managed devices. Now, with cloud applications, people can access those things on a variety of devices, whether it's mobile or your traditional desktop or laptop. We have to think how we define a managed device, how we're able to monitor it, how we're able to have controls on it. Whether it's an employee-owned device, or whether it's a corporate-owned device, we want to make sure that we have similar capabilities across all those devices. So you really have to rethink your approach to some of the core aspects of security to incorporate some of these cloud concepts.
Martin Liutermoza:
Thank you. Jim, what's your take on the future of cloud technology and security in today's technology landscape?
Jim Rutt:
I think one of them is the rapid improvement in federation, as Terrence kind of alluded to. Federated identity management is absolutely key to the further adoption of these hybrid kind of cloud structures. Encryption is kind of ... I kind of think of it as a double-edged sword. Obviously, it's a baseline prerequisite for most organizations that are heavily regulated, but the challenge of key management definitely is still out there. And anybody that can think of a good solution for that will do very well. Other than that, identity I kind of covered. It's just educating the users. I mean, most of the fears we have, as security professionals, are social engineering, user-based kind of situations where the user is the key threat, whether intended or unintended. Constant education about this new cloud world that we live in is probably one of the best defenses that we can raise.
Martin Liutermoza:
So there's a lot of free tools that the cloud provides. But some of those tools may get us locked into a specific technology. Is that something you typically watch out for? Because you mentioned hybrid cloud.
Jim Rutt:
Yes. So, in terms of tools for ...
Martin Liutermoza:
Tools for anything. One vendor may have a specific tool for security, another vendor may not. Or an orchestration tool in one vendor-
Jim Rutt:
Okay. So, not limited to security. So we use a cloud access security broker. I mean, it has great functionality for a number of reasons. One is, obviously, we can provide some level of assurance that the services that our folks are using have at least been vetted by somebody. So that's one. The other thing is, we can kind of track what new software-as-a-service applications are desired by our user community, and target them for possible adoption. So it kind of fits both realms, from that perspective. And that's one of the most different kind of innovations that I've seen for cloud. Especially software-as-a-service.
Martin Liutermoza:
And, Terrence, with a CASB, cloud access service broker, with such a broad number of companies, do you worry about shadow IT, and shadow IT going to some of these cloud providers?
Terrence Driscoll:
Yeah. You know, visibility into your enterprise is key. It's not just with on-prem and cloud, but also, as we talked about, with shadow IT and the perforation of more consumer devices, and folks wanting to use those in more of a corporate environment; it gets tricky. So where you can increase visibility into your network, into your data, into your users, it helps from a security perspective to manage those threats and manage those risks. That's really a challenge: getting the visibility to the level that you need to be able to access that information and really have awareness of what's on your network at any given time. But also, historically, what's coming on and off of your network with things like shadow IT devices.
Martin Liutermoza:
And do you have part of your security team focused on cloud, at this point? Or is it still part of the general security program?
Terrence Driscoll:
We look at it as part of our program. It's really a tenet of our overall security program.
Martin Liutermoza:
Interesting. Thank you gentlemen.