The ongoing incident at London's Hackney Council has been repeated many times elsewhere, but the Mayor's quote might be handy for slides on managing a hybrid cloud/legacy approach.
"What we know so far is that the attack has impacted our 'legacy' and non-cloud-based systems – including many systems that are needed for essential services that residents depend on, whether that's taking or making payments, logging repairs for our tenants, or approving applications – from licensing to planning."
https://news.hackney.gov.uk/cyberattack-that-organised-criminals-have-chosen-to-attack-us-in-this-way-is-morally-repugnant/
I made an analogy, when discussing this, between transferring capital cost to operating expense with Cloud and, similarly, how the risks of centralised collapse should be mitigated (although you might want to know where providers are operating from for SaaS), although you may get issues with individual providers.
I've been busy writing reports with organisations starting on migration to Cloud services, and there is a definite need for clear leadership, and for just understanding the basic changes and advantages that should be sought in a cloud environment. I see old habits moved into the virtualisation world, where the cost model has completely changed; I see a lack of knowledge of the ideas of Zero Trust (which, whatever your views, I think CTO-type roles should at least be familiar with). I see a lot of following the herd, when I'm not confident the herd know what they are doing, and I know for a fact that even modest changes in the service configurations and levels of service they are buying make large differences to the security that they will achieve.
Ditto reading multiple pen test reports about problematic local infrastructure being mismanaged in very similar ways across multiple organisations who could do so much better if they just stopped doing that stuff and migrated those tasks to services which specialise.
So is there still a need for a primer at this level, covering self-education and how Cloud should impact the IT strategy? Business value of Cloud, before business value of cloud security? These are senior IT folk who haven't heard of Okta or Duo, and don't know their Auth0 from their OAuth, but who do understand business value, planning, and project and people management.
------------------------------
Simon Waters
Founder
Insufficient Entropy
------------------------------
Original Message:
Sent: Oct 22, 2020 12:44:11 PM
From: Jim Reavis
Subject: Key C-Level Challenges in Cloud
This is a teaser for what I believe will be a new CSA working group to focus on C-Level challenges; I appreciate your thoughts as always. We recently engaged with a newly retired CISO to get better insights into C-Level pain points and how we can help. The person in question came up with an initial list of Key C-Level Challenges in Cloud:
- Explaining Cloud Strategy to the Board of Directors
- Reducing IT Footprint and Drive Efficiencies Moving to the Cloud
- Managing Risk from 3rd Party Cloud Providers
- Developing a Secure, Enterprise Cloud Operating Model
- Cultivating Skills to Support Cloud Environments
- Impact of Digital Transformation on Security Strategy
- Top 5 Critical Security Considerations for Cloud Migration
- Top Cloud Specific Compliance Requirements
- Business Value of Cloud Security
- Taking Advantage of Cloud Automation
- How does digital transformation change my approach to security?
- Manage a hybrid cloud/legacy IT technology stack
I think what we want to do to start is perform vetting of this list and create a regular "Key C-Level Challenges in Cloud" report, like our Top Threats. We will link it to relevant solutions we have already built and start building tools for the areas we have not addressed yet. Some good slide decks for the board of directors would be an example. Let me know what you think!
------------------------------
Jim Reavis CCSK
Cloud Security Alliance
Bellingham WA
------------------------------