Kevin L. Jackson doesn’t believe in ‘Wall and Moat’ security
How can companies moving from legacy infrastructure secure their data in the cloud? I had a chance to catch up with Kevin L. Jackson at the RSA Conference in San Francisco in March 2019 on the subject. Here is what he had to say:
Shira: Today, we are speaking with Kevin L. Jackson, the founder and CEO of GovCloud Network. Kevin started the company six years ago with the goal of helping organizations transition to the emerging world of cloud computing. Welcome Kevin.
Kevin: Thank you Shira. It’s amazing to witness what has transpired over the past six years. When I started off in 2013, I was focused on helping organizations understand and adapt to the highly standardized service-oriented architecture, which we have all come to know as The Cloud. Cloud computing is both standardized and automated, and it really represents the industrialization of information technology.
Shira: What made you get involved with this area of technology at such an early stage?
Kevin: I started working in the US federal government when they established the Cloud First policy under Vivek Kundra, who was the federal CIO at the time. I had the unique opportunity of working closely with the government as they developed their policies. And naturally, it expanded, as it was able to support just about every industry, since cloud computing is not just a way of doing information technology, it's really the way, because the economics and the business model of transitioning to an industrialized IT infrastructure are just too compelling.
I started by doing a lot of training and education. I worked with ISC Squared to develop the cloud computing security professional certification, which is the most rigorous and most recognized cloud computing security certification in the world. It was put together by the Cloud Security Alliance and ISC Squared.
Shira: ISC Squared?
Kevin: Their full name is the International Information System Security Certification Consortium. A long title, but they're world-renowned for one of their earlier certifications, the CISSP, which is the gold standard for enterprise security certification when it comes to information technology. The equivalent to the CISSP in cloud is CCSP. I was able to help develop that certification, and by teaching it, I found myself engaging more frequently on social media. I’ve taken my expertise and have recently come out with my fourth book on transitioning to cloud and the development of secure architectures.
Shira: Through your experience, what do you consider the chief challenges facing enterprise, in terms of its cybersecurity processes, when transitioning to a cloud-based infrastructure?
Kevin: First and foremost, and there’s no avoiding it, the biggest issue is usually the need to adapt to a completely different mindset that focuses on the cloud. There is also a radical and significant change in the application development paradigm that many organizations don't understand, recognize, or have the budgets to address. Furthermore, these companies are trying to take applications designed on bespoke infrastructures, applications that actually utilize the built-in security aspects of old infrastructures. They're taking these exact applications and putting them on cloud infrastructure that somebody else built and designed, and that may not have the same security features that were on their prior custom infrastructure. That results in their applications becoming porous, considered like cybersecurity sieves in the cloud.
Shira: That’s quite unsettling.
Kevin: Yes, and that’s just the beginning. Many companies don't change their applications, thinking that the infrastructure in the cloud is identical to their original infrastructure. Before cloud, they protected their infrastructure with what I refer to as infrastructure-centric security or even a “wall and moat” approach. They figured that if their walls are high enough and their moats wide enough, then all the bad people will be kept out and only the good allowed in. Of course, that is an over-simplification, but they were relying on their networks for their infrastructure security. The problem is that, once a bad guy gains access to a network, they can get to virtually anything they want.
Shira: Even as we advance, this remains one of the key challenges companies face. In that vein, what are the critical cybersecurity and risk assessment questions that people need to be asking ahead of transitioning to cloud?
Kevin: The very first thing everyone must do is change from infrastructure-centric to data-centric security, and begin focusing on the data. Data must be classified, and organizations need to determine the value of their data and assign specific security controls based on those values. Once that is complete, decisions can be made as to whether the data, along with the associated applications, should transition to the cloud environments and utilize the software-defined networks. It’s all about matching data with the appropriate security controls and selecting the providers that can effectively provide those security controls.
Shira: That’s a very relatable way of explaining it. It sounds like, given the data-centric approach, that security might have to be segmented as not all data is equal.
Kevin: Correct, you can no longer assume the same level of protection of all your data. It's not economically viable. Because the other thing that's happened is, first, we are creating so much data. I read a report from DOMO that said every individual on earth will create 1.7 megabytes of data every second by 2020. On top of that, today 90% of all the data we produce is unstructured.
Shira: Unstructured? How is that different from the way we operated over the past few decades?
Kevin: In the '80s, '90s, early 2000s, all of the data in business was considered structured data, because we put it into relational databases. By design, those relational databases were built to mimic business processes, which created the structure. Today, we are transitioning from using structured data in relational databases to using unstructured data in NoSQL data repositories, like Fiduc or Mongo.
Shira: This is truly a paradigm shift. How are these changes beneficial to business?
Kevin: The agility that the lack of rigid structure provides. We now can take social media data and use it to create business processes that can deliver customized solutions to the marketplace of one demanded by today’s savvy consumer. That’s why it all comes back to the critical cybersecurity question, "Have you classified your data?"
Shira: We spoke earlier about the cyber-vulnerabilities associated with an inadequately prepared transition to the cloud. Are there any discrepancies in terms of specific industries that are nailing cybersecurity as they manage their transitions, while others are falling behind?
Kevin: It all comes down to understanding the data, the value of that data, and how regularly the data is viewed. Each industry has embedded business models, and within those business models are embedded data types. Regulatory organizations place restrictions on various data types, which is why data classification is so critical. Data must be strategically classified based on the data types that are important to and accepted by the specific industry's regulatory requirements. Many companies are not doing this yet.
Shira: It sounds fairly straight-forward. Then why are we still hearing about so many cybersecurity breaches?
Kevin: What's happening right now is that although we are still having these cybersecurity problems, like breaches and leaks, companies chalk them up to the cost of doing business. Too many companies out there have proven that they really don't care if they lost your records. They only care how much it cost them if they lose your records. As long as the losses remain below a certain level, they won't do anything about them and write them off.
Shira: I imagine that this cannot continue, especially given the negative media attention some big box companies have received recently in the wake of their security breaches. It seems like many businesses think they can handle their transitions to cloud technology and associated cybersecurity internally, while others refer to third parties to get them through the process. What are your thoughts on the optimal approach?
Kevin: I’ll start by stating that hybrid IT expertise is needed. Businesses need to know both how to manage their traditional data centers, and how to consume and manage cloud-based services. While larger companies that are in the position of setting aside appropriate resources to build in-house expertise are at an advantage, most businesses are not able to do so. For businesses without those resources, the identification of a third party to provide the expertise would be ideal. The third party should be a cloud service broker or an IT services broker, and a company that has made it their business to help companies manage hybrid IT environments over the long-haul.
Shira: And when seeking a reliable and effective third party, what are the key questions one might ask to ensure that they can deliver the services and security required?
Kevin: Number one is all about experience. Do they have experience delivering and managing this type of hybrid IT environment within the specific industry, remembering that every industry has different data types? They need to understand the security controls and their relevance within the particular industry, and across the various IT services. I would also inquire as to how many hybrid IT environments they’ve managed and request customer referrals. The third area I would examine is how they keep up with the inevitable changes that occur. Technology continues to evolve at a dizzying pace, and it is essential to form long-term relationships with service providers who will be there for the long run, not just fly by night. And lastly, communications. What are their customer communications protocols and standards? What is the frequency of their communications and what channels do they most use? If you are satisfied with the answers to all four of these key areas, then you are likely good to go.
Shira: Well, thank you, Kevin. This has been a robust conversation that I hope many businesses will take heed of. It sounds like the cybersecurity aspects of transitioning to the cloud are being overlooked by too many, and that the key is really in providing for an appropriate, systematic, and thorough approach to the process.
Kevin: That’s right, at the end of the day, you either do it the right way or you go out of business. Simple as that.