Introduction to Security and Compliance in the Cloud Series

Recorded February 24, 2018

#spotpodnewsbrief <– join the conversation

Summary

In today’s On the SPOT News Brief, Jay Leask and Craig Jahnke introduce a new series of upcoming episodes around Security and Compliance in the Cloud. We know the cloud offers the combined resources and finances of hundreds of thousands of organizations, but why does that give it a chance to be more secure than your on premises infrastructure? And what considerations do you need to keep in mind when you plan your move? In the coming weeks we will dig into each of the topics discussed today.

ARTICLES FOR THIS WEEK

Cloud Workloads at Risk [Beta News]

Security, Management, and Compliance Challenges are Impacting Cloud Benefits [Help Net Security]

  • On average, 50 percent of respondents' infrastructure runs on cloud systems.
  • 58 percent say security is their top concern, followed by protecting sensitive data from unauthorized access (55 percent) and the increased complexity of infrastructure (44 percent).
  • Only 39 percent consider themselves ultimately responsible for the compliance of data stored on cloud services.
  • A worrying 20 percent believe it's solely the responsibility of the cloud service provider.
  • Only 25 percent of respondents have automated tools in place to ensure compliance rules are not broken.
  • 39 percent reported their infrastructure was more complex since using the cloud, and 53 percent spend more time on management tasks than they did previously.

We appreciate you joining us today, and if you have a topic you want us to discuss ping us on Twitter to let us know!

Full Transcript

Jay Leask – 00:09 – Not on purpose, oh Lord. Good morning, good evening, or good afternoon, I don’t know what time it is for you but today is February 21st, today is February 24th. This is Jay Leask and you’re listening to the Speed of Technology.

Craig Jahnke – 00:27 – Hey this is Craig Jahnke and I’m on the spot with Jay, here today on a beautiful Saturday morning to talk about our favorite subject, technology. Jay, what do you think we’re gonna talk about in the area of technology today?

Jay Leask – 00:41 – Well pulling through my magical bag of hat and topic, my magical bag of topics, magical bag of hats, that would be awesome. I think we have the most notes and capable show on is considerations for security and compliance in, you’ll never guess it, on premises infrastructure. I’m kidding. Security and compliance in the cloud, Craig.

Craig Jahnke – 01:02 – Yeah so it seems like everybody I talk to wants to go to the cloud, get to the cloud, be in the cloud, or want to know something about getting there. So just outta curiosity Jay, what do you think would be, how many people are in the cloud.

Jay Leask – 01:19 – Well it depends on what you’re asking there. I think if you were to ask how many people-

Craig Jahnke – 01:23 – How many companies have made the move to the cloud?

Jay Leask – 01:25 – Yeah, well again, if you’re asking how many IT organizations have moved their company to the cloud, I think you probably have a much lower number, but I think realistically, any IT manager who is sitting there thinking about what his employees do from the day to day, I think you’re damn near 100%. From moving to Office 365 for email or Amazon Web Services for distributed content, to Joe down the hall using Dropbox to share files with people across the company, I think you’re almost at 100% these days.

Craig Jahnke – 02:00 – Yeah I think when people, good answer, I was just testing your knowledge there, I think when people stop and think about what it means to be in the cloud, you know a lot of people I hear are worried about going to the cloud, and they have concerns about it not being safe. But I don’t necessarily think they realize all the effort that some of the industries put into, or some of the big players like Amazon or Microsoft put into being safe and secure in the cloud.

Jay Leask – 02:24 – So Craig let’s play Captain Obvious for a while. Level setting this conversation, why are people moving to the cloud?

Craig Jahnke – 02:33 – Because it is in theory, it is cheaper. We can put our infrastructure up in the cloud. I don’t have to maintain it. I don’t have to pay for it to warehouse it. I don’t have to pay to upgrade it, and let’s face it, as the speed of technology increases, you know companies like Amazon and Microsoft, they’re just rolling out some pretty cool services and upgrades to their infrastructure, well beyond the means of a regular company to keep up. That would be part of your answer.

Jay Leask – 03:03 – I still remember going to Micro Center or Best Buy or whatever to buy Office, the latest version of Office. Going in and getting a box that was far too big so it would take up shelf space, to get a CD out of it, to install Office whatever or Windows whatever on my computer when I was buying the legit version. And instead nowadays, you've got Office 365, you're a member, you get updates constantly. Like you just get a message on your computer that reminds you to restart your Office, you have the latest features.

Craig Jahnke – 03:37 – Yeah, it’s that and you know, especially with cloud Azure services and Amazon Web Services, you’re getting more and more new features and new technologies when you receive one, you’re talking about BI and AI and big data, and stuff like that. That stuff’s rolling increasingly every day, so you would have to go out and buy that stuff every day, and then you would have to buy the hardware to hold that on, and upgrade your systems all the time. But I have a question Jay, what do you tell companies when they say, “Is it secure?”

Jay Leask – 04:11 – So I was at a forum last month with a series of quote, unquote experts, and I quote, unquote experts, not because they were questionable, but the term expert makes me laugh. It’s not a real term, it’s subjective, it doesn’t mean anything.

Craig Jahnke – 04:25 – Yeah ’cause you have to be a guru or a ninja, right?

Jay Leask – 04:27 – That’s, I’m gonna start, my new title is Solutions Guru. Anyway, what I responded, because someone actually asked me that question specifically, and the response is very straightforward, tell me what your budget is to secure your infrastructure. Because I guarantee, a company like Microsoft or Amazon or Google, are spending more on securing the infrastructure from hackers, than everyone in your industry has for gross revenue. You can’t compete with the amount of money that a company like Microsoft is spending to make sure that someone can’t break into their network. Now it doesn’t mean that they’re 100% good, 100% set. But if you think about what that means, if they’re only 98 to 99% set, where are you? Just because you have a smaller target doesn’t mean that you have a more secure infrastructure.

Craig Jahnke – 05:26 – Yeah I agree. I always tell people, think about it. Microsoft hires, and Amazon, they hire the best of the best right? They get the brightest guys, come out of MIT and Stanford, and they’re working 24/7 to make sure that their system is secure, because you know they can’t have a hack, and they can’t, it can’t be publicized. They lose billions of dollars in stock revenue and stock prices if that happens, so and look at your company. What do you probably have, three or four people who are pretty good, maybe one superstar, and they can’t work 24/7 if you don’t have the budget to pay them to be 24/7.

Jay Leask – 06:02 – That’s right, even if you go multinational and you’re a big organization with billions in revenue, you’ve got data centers all over the world, and each of those data centers need to have, you know specialists in security, in network traffic, in hardware, in operating systems, in the code that you’re using. So it just keeps growing, and while moving to the cloud, I will always say, moving to the cloud isn’t necessarily a cost savings. It is in the comparison to how much you’re getting out of moving to the cloud. For you as an organization to write the code, similar to Microsoft’s cognitive services, you’re gonna go out of business. But when you move to the cloud, you get a technology you probably wouldn’t have had access to otherwise.

Craig Jahnke – 06:52 – Right, so yeah they gotta lot of cool stuff that you can work on, but it was interesting that you said something that it might not be a cost saving. Well of course it’s a cost saving Jay, I just put all my data up in the cloud and I don’t have to worry about the security or anything, right? It’s just all me, you know once it’s there, Microsoft takes care of it, is that, that’s what a lot of people think, and I think that’s scary.

Jay Leask – 07:13 – It is really scary. It is the starting point, you’re right. You put your data in the cloud, Microsoft is gonna guarantee uptime, they’re gonna tell you the network is secure, they’re gonna patch their systems so that the latest security patches are available to you, but frankly the majority of data spills these days aren’t a hacker getting into a network, which is what Microsoft is concerned with. It’s an employee downloading a spreadsheet to a thumb drive and dropping it off at, leaving it at Starbucks, where it’s picked up by a no do gooder, and it’s put on the internet for everyone to see.

Jay Leask – 07:50 – So now everyone’s got your, not just your employee pay rates. They’ve got their social security numbers. They might have stored credit card numbers, and all of this data, this is where the majority of hacks come from these days. Is that kind of information being left for others to see. I talked about the physical security, but think about the number of AWS servers that haven’t been patched by consultants and, oops, there’s all that test data, I use air quotes, sitting, waiting for someone to find it.

Craig Jahnke – 08:18 – Yeah, no I agree, that's a problem. Also, the problem I've seen is, employees fall victim to phishing scams, right. We don't know how it happens still, but the phishing people, the phisher men I guess, or the security guys …

Jay Leask – 08:32 – The phisher men.

Craig Jahnke – 08:34 – I don’t know what you call that, the bad guys that put out those emails, are getting more and more sophisticated, so you know like I have seen that they are trying to hack health care providers because, they get that information like, well when’s the last time you went to the doctor. Oh, you came on for a knee, to have your knee looked at right. So a week later, they send an email saying, “Hey, you know what? We don’t have your social security number. You came in and we can’t file your claim, can you give us that?” And people give it to them. Or they’ll click on links that will be malicious. And the scary thing is, I believe about a third of people who fall for it once will fall for it again. So, it’s proper training in that kind of stuff, but it’s amazing how many organizations, and I saw a stat on this that said 20% of organizations don’t feel they have any responsibility once they get to the cloud. It’s all on the cloud service provider.

Jay Leask – 09:30 – This, that literally is one of my favorite stories to tell when I'm talking to customers. When I'm talking about data governance. One of the things, so there was a hack for the, hopefully I haven't said this story on the podcast. I probably have. I apologize for boring you more than once. So there was a hack in the US government in the last five to eight years now, I lose track of time. And a spreadsheet with social security numbers was taken from a major government agency, and when they found the hacker, they were able to trace it back to a specific hacker, they started talking to them about, it was a teenager. First and foremost, it was a teenager.

Craig Jahnke – 10:14 – Yes, they’re clever.

Jay Leask – 10:17 – They are clever. So they’re talking to this teenager about, why did you do it, how did you do it, what did you do? He said, “Okay, so it was easy. I went on this website that belongs to the agency, I found their contact page, and that contact page had a bunch of phone numbers on it for people in the agency to call if you have problems with something. So I started going down the list. And I would call and I’d say hi, this is Joe from IT and I’m, we’re doing a reset for the exchange server, and I need your password. Most of the people, the first 9 or 10 people, they hung up on me. They said this sounded weird and they hung up. But I hit someone around 10 or 11 who answered the phone, who was excited because they’ve been having problems with their computer. And they asked oh, is this gonna solve the problem I’m having with Outlook, and of course it’s yes.”

Craig Jahnke – 11:04 – Yes, the answer’s always yes.

Jay Leask – 11:05 – The answer’s yes, it will solve your problem. They gave him his password. He went to the email webpage that you can utilize to get to their email from out of the office, and this kind of shows you what we’re talking about, right? How many people go to something like Outlook Web Access anymore on a daily basis to use, to access their email? No, you’ve got a computer with Outlook, you take it home, you still access it through Outlook. But, you know five, eight years ago, that was the common thing to do was you would go to the same website, like OWA.mycompany.com or something like that. Not even obscured. So he went to the website, he put in their commonly, there was find email address, first name dot last name at agency dot gov, and then he put in the new password he had, and boom, he has access to their email.

Jay Leask – 11:56 – Well, continuing down the story of social engineering, he did a quick search for SSN, and he found that this person had recently emailed a spreadsheet of employee data, with social security numbers to HR. Like, this is the simplest story of why you need to govern your data. This isn’t even what most people would consider the cloud. This is simply putting stuff in your infrastructure, and this is an employee using bad practices, sending an unencrypted spreadsheet of social security numbers through email.

Craig Jahnke – 12:30 – Yeah and the bad thing is, once he was in there, you know he could have randomly been emailing people in the organization through that person’s account, gotten even more information if he really would have wanted to. It doesn’t take that much effort, and you know it’s gonna be a while before anyone would question why he would need that. And I think the bigger, the bigger takeaway from this story is, that’s why you have two factor authentication turned on, so that if somebody’s logging in from a different place, then there should be more than one check by password to see if that person should actually be accessing your network.

Jay Leask – 13:04 – So you've got two things there. One, you're absolutely right as a technical solution, more and more companies are finally starting to institute two factor authentication. If you're listening to this podcast and you have Gmail or Outlook mail, or iMail and you're not using two factor authentication, go set it up. It's easy, it'll send you a text to your phone whenever you log in from a new device. It's silly not to be using it these days. But with that said, the other thing we're talking about there, is the importance of governing your data. Securing your data. Making sure your company has policies to keep that data secure. And then using tools to automate that.

Jay Leask – 13:48 – So you need tools that scan your email to make sure you’re not sending social security number. You need tools that enable you to, when you do send a social security number, fix that problem instead of making it harder for your employees, because that’s the other problem is, okay companies who get that they have to be concerned about their data, they put in rules to secure their data, but then don’t give their employees a solution that makes it easy to handle the data in a secure fashion.

Craig Jahnke – 14:17 – Yeah so definitely giving your employees tools to make their job easier to do the right thing, so you know for the company what does that mean as far as the cloud, and are they going all in yet? We're talking hybrid, some companies are getting there, but we wanna make sure that they have access to their data and they're doing their data secure, both on premises, and in the cloud too, because we can't forget about on premises. On premises is still a big part of the organization and you know, we work at AvePoint, and we have tools like Compliance Guardian that will scan your data and look for PPI, or PII, I'm sorry. Personal information to make sure people aren't sharing or putting data at risk, and Microsoft and other places have tools too, once you get in the cloud for kind of alerting you to data that is bad and shouldn't be there, and can take some kind of reporting or action on it to make sure that your employees are doing or using data appropriately, in the most appropriate places.

Craig Jahnke – 15:17 – And I believe there’s regulations, well I know there’s regulations, that are getting even more and more strict on the companies have to comply, too, or they will get hit with some pretty heavy fines.

Jay Leask – 15:29 – There's a survey that we'll link to in our show notes, and one of the things that was said in that survey is, 39% of organizations that have moved to the cloud have said, that their infrastructure was more complex since moving to the cloud. Some of that is because they're now working in a hybrid infrastructure, because for example, SharePoint. A lot of companies who really take advantage of SharePoint, have something custom in there, and you can't push that custom code into Office 365 or SharePoint Online. So now you've got that hybrid infrastructure, but you might also have a more complex infrastructure because Office 365 or Amazon Web Services gives you a certain amount of security, but tools like that are only built for the 80 to 90%.

Jay Leask – 16:13 – Microsoft and Amazon aren't making money by meeting every requirement of every agency. So now you're using third party tools like Compliance Guardian and Governance Automation from AvePoint, to meet the requirements that you as an organization have that are beyond the capabilities of the cloud platform that you've selected. And then you're looking at things like the regulations you mentioned. GDPR is a great example of, in the next few months companies around the globe are going to have to meet this regulation. You're now looking at global regulations. If you're an American company doing business in America, it doesn't matter. You probably have a European data, a European's information, in your network. Which means you have to worry about GDPR. The perfect example is, an electric company in the DC area has European data in their network because European citizens live in this area and pay their bill to their electric company.

Craig Jahnke – 17:13 – Yeah, health care providers also fall into that, you know.

Jay Leask – 17:16 – Yes, although health care, health care is an industry that’s used to regulation at least, but you’re absolutely right.

Craig Jahnke – 17:22 – Yeah but they’re not always thinking that their patients or their doctors are European for that matter, or European citizens, so I’ve had a couple discussions where some of them weren’t quite sure that, that counted, but they do.

Jay Leask – 17:35 – Yep, absolutely. Alright, so Craig, let me ask you. This, I think this was a good introduction to looking at the cloud, and having security and compliance in the cloud, we didn’t get into anything in depth and I think we should do that in future episodes, but let’s close this out Craig. What are five things you as an organization, you as an IT manager, can do to make sure you’re actually ready for the cloud?

Craig Jahnke – 18:00 – Five things that I typically look at, and you know first thing I would say, if you’re thinking about moving to the cloud, take the time and do what we call a readiness assessment, right. Look at why you’re moving to the cloud, what are your priorities, how’re you gonna get there, and how’re you gonna manage it. And if you don’t really have a plan for it, make one. That’s the first step, make sure that you’re ready. Know what data you have, what data you wanna move, and what’s the priority, and set reasonable time frames.

Craig Jahnke – 18:27 – The second thing is, pick a vendor or multiple vendors to go to and then read their SLAs. Do you know what you need to get there? What are they going to do? What are you going to be responsible for? And if there is some kind of issue, what is their time frame for getting back to you on solving any issues? Training is obviously another important thing. Cloud is different from on premises. You know a lot of people worry about IT people losing their job, right because oh now, everything's going to the cloud.

Craig Jahnke – 18:56 – No, you just got a whole different set of job requirements and things that you have to look at, and I think as you mentioned too before, it can be more complex, so it’s retraining on what you’re doing. It’s retraining your users on how to use things. It’s even retraining on your communications team to make sure that they’re able to roll out to your users on what they’re going to do and what kind of new features as those come out.

Craig Jahnke – 19:22 – Tools we've talked about, would be number four on my list. Make sure that you're doing everything you can to make your IT job easier. As things get more and more complex, you wanna have easier ways to manage them. I mean AvePoint itself, coming from experience, like on premises used to use a lot of PowerShell scripts. When you get to the cloud, that becomes more and more difficult, and then if you're talking about Amazon Web Services, 'cause you might be using them as a hoster for some of your services at Microsoft, you want tools that are gonna just make your job easier.

Craig Jahnke – 19:53 – And alongside the tools, I would say, think about reporting. Make sure you have a way of getting the reports that you need to monitor and examine your data. Monitor who’s using it, what are they using it for, and start making plans off that, and that way you can see where you’re having expenditures that you weren’t expecting, ’cause everything you do in the cloud costs you money, so you wanna make sure that you’re not doing things that you don’t need to do, and you wanna make things that people are accessing things that they should be, and aren’t accessing things that they shouldn’t. So there’s a whole lot of reporting around that, and sometimes out of the box from your service providers, the reporting’s not always the best, so you know, just look for ways to make your reporting clear.

Jay Leask – 20:40 – So in the next couple weeks, we’re going to keep digging into this conversation. We’re gonna go into regulations, we’re gonna go into some of these five things that you talked about. Tools, reporting, I can talk on and on about the importance of reporting and auditing, and being able to show the work that you’re doing. I’ve got a really good use case of a government agency that saved millions of dollars in fines by showing, “Hey, no, no, no, no, we’ve installed this tool to help make sure we don’t do that ever again.”

Craig Jahnke – 21:10 – Yeah, that’s what I was gonna say, the big thing about compliance is, not only doing it, but being able to prove that you do it.

Jay Leask – 21:16 – Yep, so this was really good. We’ll have some good links in the show notes about cloud and big data, about workloads at risk from security, why moving to the cloud helps boost security, so there’s some really good stuff that we’ve been looking at. Hopefully you’ve enjoyed this conversation.

Craig Jahnke – 21:36 – I found it very interesting Jay. If nothing else, I liked it.

Jay Leask – 21:40 – Craig, I don’t care if you enjoyed the conversation, I care if our three listeners enjoyed it.

Craig Jahnke – 21:45 – We may be up to four now.

Jay Leask – 21:48 – But and hopefully, we’ve gotten through the holiday season, the job transition, the coming life transitions might get in the way, I apologize in advance if we may have to miss a couple weeks, but long story short, I’m excited to get the Speed of Technology podcast again, and …

Craig Jahnke – 22:08 – If the baby comes, do you expect to be live podcasting?

Jay Leask – 22:11 – Oh you want me to Facebook Live that event, huh?

Craig Jahnke – 22:15 – Yeah, while you’re in the room.

Jay Leask – 22:18 – I’m gonna guess my wife will kill you for even suggesting it. But today is February 24th, and it’s a good day to start the podcast again.

Craig Jahnke – 22:28 – Yes, and that’s the way it is.

Voiceover – 22:55 – This episode brought to you by Jay Leask and Craig Jahnke. Two guys who like to talk technology and live in a connected world. The opinions expressed in this podcast are those of the speakers only, and in no way do they represent the opinions of their employers, their customers, or their wives. This has been an On The Spot Podcast production.
