We’ve heard this debate for years. Which computing environment is easier to protect your sensitive data: public cloud or on premise?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Michael Johnson, CISO, Novi (the financial arm of Meta, formerly Facebook).
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Anjuna.

Full transcript
David Spark
We’ve heard this debate for years. Which computing environment is easier to protect your sensitive data? Is it the public cloud or on premise?
Voiceover
You’re listening to Defense in Depth.
David Spark
Welcome to Defense in Depth. My name is David Spark; I am the producer of the CISO Series. Joining me for this very episode is Geoff Belknap. He’s also known as the CISO of LinkedIn, and his voice sounds like this.
Geoff Belknap
Hello. I am not a pre-recorded voice recording of Geoffrey Belknap.
David Spark
Let’s hope not. Our sponsor for today’s episode is Anjuna. They make the public cloud private. Ah. So perfect of them to sponsor this episode. In fact, they also brought our guest; we’ll get to that person in a moment. But first, Geoff, you posted a poll asking whether public cloud or on-premise takes the least effort to keep, quote, secure. And I like how you put secure in quotes. And overwhelmingly, 71% felt that the public cloud was the choice. But we got a lot of “it depends” answers. So, that’s why there was almost a third that still lean towards on-premise. You put the poll up. By the way, were you surprised by the overwhelming response? Tons of comments on this.
Geoff Belknap
I was very happy to have this conversation, as I always am, to sort of check in and see how are people feeling about this. Because if you go back five years or even ten years, people had very different opinions. And I think it’s shifted quite a bit, but it is actually very interesting to me that we had almost 30% of the respondents say, “No, on-premise is the way to go,” or, “It really depends.” So, it’ll be interesting to get into this with our guest.
David Spark
Yes. This is not a new debate by any stretch, but what’s interesting about it, like what you just said, is it changes year by year. And I think it’s not because on premise is developing; I think it’s because the cloud is developing.
Geoff Belknap
Indeed.
David Spark
So, now let me introduce our guest. He’s actually the CISO for Novi which, I don’t know if you knew, but Novi is actually the financial arm of Meta. So, wherever there’s anything financial like ads or the marketplace. Meta, by the way, formerly being Facebook. Anyway, it is Michael Johnson. He is the CISO of Novi, who is all of that that I just described. Michael, thank you so much for joining us.
Michael Johnson
David, great to be here.
Can there ever be agreement on this?
00:02:24:21
David Spark
Matthew B. over at Long View Systems said, “They are equal,” referring to on-prem and cloud. “If someone does not have the skills to be secure, it does not matter where their stuff is hosted.” Very good point. And Bruce Gibson over at Ermetic said, quote, “Public cloud. In execution, it requires a paradigm shift for traditional businesses, which is usually hard.” And Toto C. over at Integrated Oil and Gas said, quote, “The balance still favors cloud because the controls are easily accessible compared to on-prem. Cloud wins but depends on people having the skill and knowledge to secure it.” We heard that a lot, Geoff. So, if you’ve got the people, go cloud. Is that the way?
Geoff Belknap
Well, I think if you have an essential business, I think, and again, this is just my opinion, it’s go cloud. I think regardless, what history is telling us is we are going to scale up all of our businesses. And the thing we should be focused on is operating our business, scaling the business up, not operating a data center. So, I think naturally it leans towards you should probably be running in the public cloud. But I think there are some great points here from the conversation about how it is a whole different animal to operate in the cloud, and it takes a whole different set of skills.
David Spark
Good point. By the way, I should also mention what we hear on our shows all the time: the number one skill desired is cloud security skills. Michael, I’m throwing this to you. This is a theme we hear a lot, “Yeah, go cloud if you’ve got the people who can handle it.”
Michael Johnson
Yes, absolutely. I think Geoff’s point is spot on. You absolutely have to have the talent, and it’s not the same talent as it takes to run and maintain an on-site data center. But I think it’s pretty clear, though, and I have a pretty strong opinion about this, that we’re measurably safer being in the cloud if you account for reduced attack surface, seamlessly integrated monitoring, improved data protections, and all the things that are built in. Not to mention the fact that the cloud itself by definition is designed to be resilient to current and modern threats, as opposed to most antiquated data centers. It’s go with the cloud.
David Spark
Dig into that just a little bit for me. In terms of why do you believe that, and correct me if I’m wrong, you said surface area is less, but also about dealing with more modern threats. How exactly is the cloud environment set up for that?
Michael Johnson
Great question. There are really four or five elements to that. So, constant hardware refreshes that are being done on your behalf by the engineering teams of the cloud service providers in the back end, as opposed to owning and running your own data center where you’re really basically only doing a CapEx refresh, like, every five years. There’s also speed of deployment and automated patches. Most of the major three cloud service providers will patch literally in seconds, whereas most institutions, as you know, take maybe a week or maybe as much as a month to do critical patching. It’s also a dynamic attack surface, right? So, at any one time, depending on where you’re running, based on availability zones, geographies, etc., you have workload spread out all around the world. There’s also a spread-out attack surface depending on how you spread your data, spread your applications, how you divide up the workload you do. You can have it across multiple availability zones in multiple areas. And then there’s just the basic scale, right? If you look at how hard is it to DDoS a data center versus how hard is it to DDoS all of AWS? There’s a big difference there.
David Spark
Geoff, I’ve written tons about this topic, and it’s been a very popular topic. There are tons of myths around cloud and security in the cloud. Do you have a favorite one?
Geoff Belknap
Oh, I think my favorite myth has always been, “Cloud is insecure.” Can’t be secure because it’s the cloud and it’s not in that loving embrace of your firewalls and your own data center.
David Spark
And people also use the line, and we hear this all the time, “Just think cloud, somebody else’s computer.” But it isn’t just that.
Geoff Belknap
Exactly right. It is somebody else’s computer. But it’s somebody else whose whole business value prop is operating that compute, securing that compute, managing it at scale. Like Michael said, upgrading it fast and at scale. And the research and development hours they’re putting in is discovering flaws and bugs and security issues and things that can make that environment better. And your value prop as a business is to sell or offer whatever service you’re offering. It’s not to invest the millions and in fact billions of dollars that these cloud providers do into that business. If you just look at the economics, I think a spreadsheet is all you really need here to tell you that this is the way you should be going.
Why is this so darn hard?
00:07:11:21
David Spark
Arti S. over at Tevora said, “Unless you are operating an airtight data center facility, it’s likely that your on-prem assets are vulnerable to a whole host of significant physical security threats like theft, environmental damage, unauthorized physical access, that you just don’t have to worry about with public cloud.” And Matthew B. again from Long View Systems said, “Many on-prem companies do not have the IT skills to cover all areas,” which we touched upon in the last segment. And, lastly, Rasmus Holst of Wire said, quote, “We see governments being a lot more focused on data sovereignty, no, quote, ‘man in the middle,’ and running an on-prem infrastructure. On the enterprise side it is still primarily public cloud… the real reason we developed an on-prem solution was due to demand from the customers.” So, let me throw this to you, Michael. There is still demand. Again, one third of the poll said on-prem was better. There is still demand for on-prem. Is this based on fear or legitimate reasons?
Michael Johnson
It’s a great question, and this gets to the crux of the debate we’re having, right? As we already pointed out, both on-prem and public cloud require unique, distinct talent and capabilities. They’re not the same and you can’t mix them. In my experience, and I’ve tried it three times in various different industries and government, you can’t translate those, either. I think it’s around two things. First is understanding the real threat and capability intent and the use cases that are coming at your unique business, and then also understanding the context of your business. If you’re running a very insular business where you’re doing back-end transactions, etc., you don’t have a large public interface, yes, maybe on-prem works better for you, given that context and the threats and capabilities. If you’re running a large bank and you’re doing hundreds of millions of transactions every hour across three continents, it’s just folly not to be in the cloud, right? And fundamentally what that comes down to is not understanding what the enabling arguments are for the cloud, which traditional CISOs and CIOs from ten years ago don’t understand: speed to market and leveraging the countless services and products that are already available, scalability, as Geoff pointed out, leveraging the cloud service provider’s world-class pace of innovation and operational excellence, etc.
David Spark
I’m going to take the example that Michael just put: the multinational bank, but also add the expertise question. I’m throwing this to you, Geoff: imagine you have a multinational bank, but your expertise is fully on-prem, and you’ve got a lot of capital expenditures on equipment. Are you migrating to the cloud or are you saying, “All our experience and equipment is on prem. Why not just stay there?” Where would you land?
Geoff Belknap
I think in that case you are embracing the cloud where it makes sense for your business. Especially if you’ve been around for a while, you’ve got legacy systems that either use network technology that’s not going to be applicable to the cloud. You might be using something custom; I’m not going to name any names. And then you might have legacy systems. Maybe you have a mainframe or a z/OS machine or something like that. You’re not going to be able to move architecture that was designed for that to the cloud. And that’s fine. But what you’re definitely doing is looking at your application development teams or your software engineering teams and saying, “For this next thing we’re going to build, does the cloud make sense? Does getting rid of all the infrastructure overhead for that make sense for us?” And then you’re getting to what is really the heart of this discussion. It’s not whether you’re going to move to the cloud or whether cloud is safe enough. It’s how do you move to the cloud? How do you make the cloud safe for you? And then you look at exactly what Michael said: do I have the talent? If I don’t have the talent, do I have technology that mitigates the need for raw talent to power this? Do I have vendors or other assets at my disposal to make this easier for me? And then you’re going to put together a fulsome picture of what is possible for you right now in the cloud.
Sponsor – Anjuna
00:11:17:18
Steve Prentice
What’s in store for 2022 for your data and your business? Anjuna wants you to know. According to Anjuna customer Michael Schrenk, who is group CISO of Adidas, one thing to watch out for is a specific segment of the blockchain.
Michael Schrenk
My prediction for 2022 is that we will see some traditional large-scale companies launching crypto programs and blockchain related use cases. We will see them losing more than 100 million in 2022.
Steve Prentice
This is not just about robbing cryptocurrency exchanges. It’s also about NFTs.
Michael Schrenk
We have seen all of those NFT launches, but what only a few people realize is that there were also the first fraud cases. It’s not always a fraud because some people just know the system really well. So, they know how to reverse-engineer the contracts that are used for the NFTs. They are really fast in doing so. And then they are tweaking certain things, which is how they get more of those NFTs. But we are still talking about the early stages of the technology. So, for companies using this technology, those fraud cases could be really dangerous.
Steve Prentice
This insight has been brought to you by Anjuna Security. Anjuna provides software that builds completely private, confidential clouds on the public cloud. Protect against attacks and fines by securing your data in any cloud. Learn more at anjuna.io. That’s A-N-J-U-N-A dot io.
Who’s affected?
00:12:55:13
David Spark
Jonathan Waldrop of Insight Global said, quote, “The only problem with automation is, you can very quickly automate the wrong configuration!” And Ronald Otto of Tuxis Internet Engineering adds to that, quote, “You will notice it when the, quote, ‘pay as you go’ bill comes.” Which, by the way, as I understand with AWS, they give you a one-time slide on making a mistake like that, because I know a lot of people who have made those kinds of mistakes. Jonathan Weeks of Lazard said, quote, “Cloud systems are also audited multiple times a year for compliance with multiple regulations such as FedRAMP, NIST, SOC, etc., but it is easier to have a resource exposed to the public internet by mistake.” So, I’m going to throw this one to you, Michael. These are complaints we’ve heard a lot. “Yes, cloud is wonderful, but, wow, the speed that one tiny mistake can make, and the spread of that is extraordinary.” What do you say to that common fear?
Michael Johnson
Yes, I think this gets back to what we discussed already, which is unique and distinct talent and capabilities.
David Spark
Hold on. I would just say humans are doing this. People make mistakes; I do want to throw that out.
Geoff Belknap
Never.
David Spark
Even the most talented people. Even Geoff.
Geoff Belknap
No one here.
David Spark
Geoff, you haven’t made any mistakes, though, have you?
Geoff Belknap
Not in the last 30 seconds.
David Spark
Okay, good.
Michael Johnson
Right, so, yes, human beings make mistakes, of course. But the issue is do you have the talent to benefit from those enabling arguments that we talked about before: leveraging the provider services, etc. And do you want to succeed in the market? Because at the end of the day when we talk about speed to market and all those other things, that’s around how fast can you enable your staff and then behind the scenes as seamlessly and quietly and unobtrusively as possible safeguard them at the same time? That absolutely points to the cloud for lots and lots of reasons. For example, most of the cloud providers, as you know, provide lots and lots of services, thousands of which are released every year, depending on which cloud provider you’re talking about. I know a Fortune 100 company that built and deployed an entire call center infrastructure based on one of those capabilities in two weeks. There’s no way a company that’s staying in a data center can do that. It’s impossible.
David Spark
What about you, Geoff? When you hear this chronic fear of, “I love the cloud but, man, one mistake and the house of cards comes down”?
Geoff Belknap
It’s a lot like one of the earlier shows that we did with Anne Marie Zettlemoyer that I was looking at earlier today, and we had this guest that said, “What if you leave a door open?” If you leave a door open you’re going to be held accountable for an issue versus where you click on a phish. And I go back to that same discussion. Yes, the cloud definitely gives you plenty of opportunity at scale to make a mistake. The mistake surface increases as much as the risk surface does. But this is why we build systems to be resilient and to help us respond or mitigate the risk from a simple mistake. In my case, I have access to an amazing wealth of talented engineers. If you’re listening to this and you’re thinking about the cloud, you have access to talent, but you also have access to vendors and tools and lots of best practices and guides that you can read to help mitigate this kind of issue. And I think the reality is you’re in business to take risks and add value and to generate revenue for your shareholders. You’re not in business to never take a risk. And the fact that you could make a mistake should really not be a reason that you’re not going to do something that’s great.
David Spark
That’s a very good point. And I want to quickly throw out what I thought was a good point that was actually mentioned this last segment and this segment. Cloud avoids physical security issues, and what was mentioned in this segment that cloud DDoS are constantly audited, which is two really big things, Michael. Those are two big bonuses right there.
Michael Johnson
Totally agree. I totally agree with the first one, which is your first argument around physical security. It’s around where is the dividing line, if you will, between the shared responsibility between the customer or the owner of the business and the cloud provider. Your second point’s a really important one, especially in highly regulated businesses, where the attestation of your safeguards needs to be really, really clear, well-documented, etc. Nothing’s more well documented than what you do in the public cloud because, obviously, they need to bill you for all the cycles you’re using, and, therefore, all of the logs, etc. are easily accessible.
Geoff Belknap
I’ll just add onto this and say, knowing my friends in Azure, there are way more people working on this kind of thing at Azure than at any of your companies, unless you’re also working in Microsoft. And they are so good at this that you could just never touch this. And I think it’s one of those things that’s hard to overlook.
Whose issue is this?
00:17:44:24
David Spark
Tom Quinn of National Express Group brings up a good point that I like here. “My initial thought was public cloud,” preferring the public cloud, “because it’s less likely to contain a decade plus of technical debt.” Oh, that’s a good one. I like that. And Dmitriy Sokolovskiy of Avid Technology said, quote, “A very generic statement is that properly deployed and controlled cloud is more secure, because of abundance of automation and control options. Having said that, most companies do not have necessary levels of maturity to be able to, quote, ‘properly deploy and control,’ combined with the speed of business this means that they will be less secure for a significant amount of time, until they (and this must be a concentrated effort) can reach necessary level of maturity.” So, that’s a really good point, too, by Dmitriy, Geoff, in that, yes, go cloud, but you’re not going to get to that level of security out of the box. It’s going to take you a while for your own maturity and for how you configure the cloud in that time. Yes?
Geoff Belknap
Yes, this really underscores the point we were making earlier of how it’s a different paradigm. You have to think about it differently. You cannot be successful if you just say, “I’m going to pick up all my running computers and just move them to be running over in this other data center.” And while that certainly was the right way to think about it at the advent of public cloud, it’s the wrong way to think about it now, if you really want as much value as you possibly can get from it. The thought here, going back to Tom’s point, is, yes, this is someone else’s computer that you’re running on, but you know what else is missing is all of your decade or two decades of technical debt running on someone else’s computer. You have the opportunity to have a fresh start, and especially if you think about the cloud primitives that are there, the different databases and products you can use, you have a wealth of opportunity to be better off than you were on-prem.
David Spark
And by the way, let me quickly ask you, Geoff, and then I want to go to you, Michael. If all your data is in the cloud, your data destruction process of getting rid of old stuff, when it’s on physical equipment, that is a major headache, too, on top of it, because you need to essentially catalog this stuff and get rid of it and have it destroyed.
Geoff Belknap
It gets a lot easier in the cloud because now you’re moving from destroying drives to using encryption to destroy data, right? So, now instead of having to send drives off and get them certified that they were destroyed and make your customers happy, you can lean on cryptography to do that for you, where you securely destroy the key and all that data is no longer recoverable. And that’s a significant benefit.
David Spark
Michael, your thoughts on both Tom and Dmitriy’s comments: Dmitriy’s comments essentially about there’s an evolution to your security in the cloud, and Tom’s comments about no technical debt, which I very much liked.
Michael Johnson
Absolutely. First of all, to get to the point that was originally started in that segment, when you have a commitment to going to the cloud, you’re going to have to run two tech stacks at the same time for a period of time, which means you have to be well-heeled enough to get through that journey so you can transition from one to the other. To the point around the evolution of getting away from the technical debt and the evolution of maturing, there’s really great technology now that exists. So, one of the advantages of going to the cloud, too, is you can by default take advantage of confidential computing capabilities that are built into all of the major cloud service providers. The beauty of confidential computing is it creates a security perimeter around the application, requiring no other changes to the application, where all your application data code is protected, whether it is local or distributed across the world. It would be almost impossible to replicate that without a lot of software engineering expertise in your own personal or private data center, but in the cloud you get that for free. So, there’s lots of elimination of threats and vulnerabilities broadly within the environment that going to the cloud just buys you, which instantly makes you safer.
Closing
David Spark
Excellent. Well, that brings us to a nice closing point of this show, and it’s the point where I like to talk about what your favorite quote was and why. Michael, I’ll start with you: which one was your favorite quote and why?
Michael Johnson
I really liked the quote that was from Toto C. from Integrated Oil and Gas where he said, quote, “The balance still favors cloud because the controls are easily accessible compared to on-prem. Cloud wins but depends on people having the skills and the knowledge to secure it.” Which, of course, has been a theme we’ve talked about several times here. The reason I really like that is, as I’ve mentioned before, I’ve multiple times tried to convert on-prem expertise to cloud expertise. It doesn’t really work. So, making sure you’re about to get the buy-in from your board and your shareholders to make the investment, to make that leap and run two stacks at the same time is super important to your success in getting to cloud.
David Spark
Excellent. Geoff, your favorite quote and why.
Geoff Belknap
I’ve got two, and I’m going to indulge myself or this will end up being edited right here, and you’ll hear someone else’s voice. I think Jonathan Waldrop from Insight Global makes a great point. He says, “The only problem with automation is, you can very quickly automate the wrong configuration!” And my favorite variation of this is the beauty of being able to do things in the public cloud at scale is you can shoot yourself in the foot at scale in a way that just wasn’t possible on-prem. And I think that’s lovely but also a great lesson. But I also want to come back to Tom Quinn from National Express Group, where he said, “My initial thought was public cloud because it’s less likely to contain a decade plus of technical debt.” And if I could draw and underline and circle that and highlight it with my finger, I would. That’s one of the beauties. You get to let go of a lot of your infrastructure’s technical debt by moving to the public cloud and in many ways, you get a fresh start at so many things that just aren’t fixable or aren’t really tractable problems to fix in your on-premise infrastructure.
David Spark
And I was thinking about that, just the weight off your shoulders, just the stress of knowing that. That is a huge, huge, thing, that alone.
Geoff Belknap
Yes, absolutely, and you still need a lot of the technologists that were supporting you on prem, but now they’re doing it slightly differently. They are adapting their skills to the cloud, which I think can be done. I’ve had a little more positive experience maybe than Michael. But now you have a whole world of failures and failure modes that you don’t have to deal with. That’s part of the shared responsibility model. Your partner now, the public cloud provider, gets to handle that for you. And it’s almost worth any price to hand off some of those problems so you can focus on what really matters to your business.
David Spark
Please take care of this for me. People love that. All right. Now, I want to conclude and I’ll let both of you have some final thoughts. But first I’m going to thank our sponsor Anjuna. You can find more of Anjuna at anjuna.io. They make the public cloud private. First, Geoff, any final thoughts on today’s conversation or anything else? I know you’re always hiring.
Geoff Belknap
I am always hiring. And, as it happens, LinkedIn is in the midst of moving from our own data centers to the public cloud. And if that’s something that interests you, guess where you can go? LinkedIn.com/jobs.
David Spark
How perfectly appropriate.
Geoff Belknap
And you can join the team also.
David Spark
There you go. By the way, actually, by the time this airs, people will hear it, but we also at CISO series are going to be looking for someone new, and hopefully by the time you hear this, that person will be hired. But we’ll find out. Michael, I’m going to assume that you’re hiring, because I always ask my guests, “Are you hiring?”
Michael Johnson
Absolutely. Meta is definitely hiring and Novi is hiring as well. So, please reach out.
David Spark
Has there been a time you’re never hiring?
Michael Johnson
No, there’s never been a time.
David Spark
There’s never been a time. So, if we want to find a job, where would we look?
Michael Johnson
Go to meta.com and all our openings are posted publicly.
David Spark
Excellent, very good. Can you explain your relationship with Anjuna here?
Michael Johnson
I have been a big supporter of Anjuna almost the entire part of my career that Anjuna has existed, but, really, the support I have for Anjuna is the following. I have had to run very important datasets, including banking datasets, in untrusted environments, in foreign environments, etc., and I’ve never been able to prove, cryptographically prove, to our regulators that that was safe, and with solutions like Anjuna, which relies on secure enclaves, etc., you are able to do that. So, I think it’s really revolutionary what we’ll be able to do going forward with this type of technology.
David Spark
Awesome. Any other last thoughts on today’s topic?
Michael Johnson
I’ll just say one of the things we didn’t get to on on-prem, when you look at the cost basis, is that usually the argument made by CIOs for why you want to go to the cloud is that you’re trading off CapEx investments for OpEx investments, which for most people is much easier to do. The other thing to remember about on-prem is, as on-prem is aging, your tech debt is increasing. The cost to maintain that continues to go up over time, which means the differential investment you have for innovation going forward is getting smaller. It’s exactly the opposite with the cloud.
David Spark
Great point. Excellent point. Very good point. Thank you very much, Michael. Thank you very much, Geoff, thank you very much, Anjuna, our sponsor, and thank you very much to our audience. We always greatly appreciate your contributions and for listening to Defense in Depth.
Voiceover
We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.