When your business enters the cloud, you are transferring risk, but also adding new risk. How do you deal with sharing your security obligations with cloud vendors?
Check out this LinkedIn post for the basis of this show’s conversation on shared responsibility of security with a digital transformation to the cloud.
This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Paul Calatayud (@paulcatalayud), CSO for Americas, Palo Alto Networks.
Got feedback? Join the conversation on LinkedIn.
Thanks to this week’s podcast sponsor, Palo Alto Networks
On this episode of Defense in Depth, you’ll learn:
- You have to have a business reason to go to the cloud. Usually it’s done as a business imperative in order to stay competitive.
- Security is rarely the primary reason businesses move to the cloud. It’s often an adjunct reason.
- Moving to the cloud may transfer risk, but it also introduces new risk.
- Security professionals have long avoided the cloud because they feel they give up perceived control. If I can’t see or touch it, how can I secure it?
- One issue security people need to grapple with during digital transformation and a move to the cloud is what does it mean to manage risk when you don’t own the program?
- Much of the online discussion was about getting your service license agreements (SLAs) in place. But if you’re a small- to medium-sized businss (SMB) you’re going to have a hard if not impossible time negotiating.
- Don’t lean on SLAs to be your entire risk profile. It’s like using insurance as your only means of security.
- Cloud security requires setting up automation guard rails.
- For cloud evolution you’ll need a change in talent and it probably won’t be your traditional network engineers.
- Because of performance, privacy, and data protection issues you’re probably going to find your business moving apps in and out of the cloud.
- The Cloud Controls Matrix (CCM), from the Cloud Security Alliance (CSA) is a controls framework designed to help you assess the risk of a cloud security provider.