
Cloud security: what’s the big deal? 5 questions with Dwight Koop

Cohesive Networks
Cybersecurity War Stories
Nov 11, 2015


By Dwight Koop, COO at Cohesive Networks

Why, from a security standpoint, are people typically hesitant about moving their operations to the cloud?

Fear, uncertainty and doubt (or FUD). The news can sound pretty scary: 43% of companies worldwide have reported being breached in 2014 (Ponemon Institute report), the Sony hack cost over $100M to correct (Reuters), and systems are vulnerable for an average of 229 days before IT teams detect a data breach (Tripwire).

But, the good news from all this FUD is that there is more attention from the board level down. A 2015 PwC survey reports that 76% of respondents are more concerned about cybersecurity threats this year, up from 59% the year before. Plus, companies are moving to the cloud. 42% of respondents to 451 Research’s Voice of the Enterprise survey rated cloud services as being ‘very important’ to strategic objectives.

When we first started using AWS and other public clouds in 2008, we weren’t sure what kind of data and workloads our enterprise customers would migrate to the cloud. Some early industry watchers predicted the entire IT operation would move in one leap; others thought only non-critical, internal operating systems would migrate.

Now as more mission-critical systems and operations move, enterprises must be able to prove that their data is secure. Cloud providers spend far more on security than a small business ever could, so it makes sense to use the cloud rather than trying to build and maintain your own data center.

What steps can companies take to mitigate these concerns?

Use layers of security. Usually, providers offer firewalls, edge protection, isolation, and hypervisor rules. But, who really owns those security features? Cloud providers. Service providers often write in their SLAs that the ultimate responsibility for security lies with the cloud users. Build your own layer of security on top of all the security features in the cloud. Use things like VPNs, network firewalls, data encryption, and cryptographic keys that you alone control.
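As an added illustration of the “cryptographic keys that you alone control” point (example code written for this page, not Cohesive Networks’ product or anything from the original post): client-side envelope encryption in Go using only the standard library. Each object gets a fresh AES-256-GCM data key (DEK); the DEK is wrapped under a key-encryption key (KEK) that never leaves the tenant. The provider is handed only the ciphertext and the wrapped DEK, so whatever firewalls, isolation or hypervisor rules it runs, it cannot read the data. The object name, the in-memory “cloud object” layout and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudObject is what the provider actually stores: ciphertext plus the data
// key wrapped under a key the provider never sees. The layout is a constructed
// illustration, not any real provider's storage format.
type CloudObject struct {
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Blob       []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

// gcmSeal encrypts plaintext with AES-GCM under key and returns nonce||ciphertext||tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any bit flip in nonce, ciphertext, tag or AAD fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForCloud does client-side envelope encryption: a fresh 256-bit DEK per
// object, wrapped under the tenant-held KEK. Only the tenant ever holds kek; the
// returned CloudObject can be handed to any provider. objectName is bound as
// associated data so a wrapped key cannot be quietly reattached to another object.
func EncryptForCloud(kek []byte, objectName string, plaintext []byte) (CloudObject, error) {
	if len(kek) != 32 {
		return CloudObject{}, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CloudObject{}, err
	}
	blob, err := gcmSeal(dek, plaintext, []byte(objectName))
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(objectName))
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{WrappedDEK: wrapped, Blob: blob}, nil
}

// DecryptFromCloud unwraps the DEK with the tenant KEK, then opens the blob.
func DecryptFromCloud(kek []byte, objectName string, obj CloudObject) ([]byte, error) {
	dek, err := gcmOpen(kek, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, obj.Blob, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // generated and kept on-premises; constructed here for the demo
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("acct,balance\n1001,250.00\n") // constructed sample data
	obj, err := EncryptForCloud(kek, "customers.csv", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped key\n", len(obj.Blob), len(obj.WrappedDEK))
	pt, err := DecryptFromCloud(kek, "customers.csv", obj)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tenant recovers: %q\n", pt)
}
```

In practice the KEK would live in an on-premises HSM or a key manager under the tenant’s administrative control, and the per-object DEK means rotating or revoking the KEK only requires re-wrapping small keys rather than re-encrypting every object. Decryption with any other KEK, a renamed object, or a modified blob fails the GCM authentication check rather than returning garbage.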

What are your best tips for cloud security?

  1. Start thinking about risk-based security, not audit compliance. Traditional compliance-based procedures focused on audits, objectives, policies, and transactions. A risk-based approach to cybersecurity focuses on the business and customer, emphasizes risk management over compliance tracking, and incorporates diverse knowledge and experiences. Or, put another way: the Ponemon Institute estimates the actual cost of compliance with regulations such as PCI-DSS, SOX, and HIPAA for a mid-size organization averages $3.5 million, while the cost of non-compliance was estimated at $9.4 million (3 times the cost to comply!).
  2. Get everyone involved. Put that increased board scrutiny to good use and have the entire organization participate in security awareness and prevention. Delegate security assessment tasks across the organization to ease the workload, raise awareness, and help everyone involved shift security thinking toward actionable risk management.
  3. Learn from others, and use the NIST Framework. After the publicity of big hacks, more regulatory and government agencies are updating security standards to match modern cybercrime. Some of the best, most comprehensive guides include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the European Banking Authority (EBA), and the Payment Card Industry (PCI) Data Security Standard 3.0. By using the NIST Framework in particular, IT organizations can do their own cybersecurity “health check” to compare their current security procedures with industry best practices.

Why are you passionate about this topic?

My co-founders and I created our first network security product in 2008 because we saw that cloud technologies could help enterprises demand more scalable, secure, on-demand and easily consumed computing capabilities. Our backgrounds in networking, enterprise IT, and global financial services allowed us to watch organizations “grow into cloud” from concept to reality. Reality has really set in now — with news of expensive and embarrassing hacks happening almost weekly. Since the beginning we’ve advocated for user-controlled security, and now is the time for enterprises to really start listening.

What’s your security / enterprise background?

Dwight Koop

You can say I enjoy taking risks and embracing technological change. I am a member of the Secret Service’s Chicago Electronic Crimes Task Force, a member of the Chicago FBI InfraGard group, was VP of Operations for the Swiss Bank Corporation, and a WCIU-TV cameraman for the ’68 Democratic Convention riots.

In my day job, I’m COO at Cohesive Networks and have been working in enterprise IT and startups for longer than I’ll admit. I helped build RabbitMQ and sold Rabbit Technologies Limited to VMware. I was global head of data center operations and security for Swiss Bank’s capital markets and O’Connor and Associates. I helped found the Chicago Board Options Exchange during its early and rapid growth years. As COO of Signet Assurance, the crypto company predecessor of BitTorrent, I am proud to say my engineering team consisted of Eric Hughes, the noted cryptographer, and Bram Cohen, the founder of BitTorrent.

Lately, I’ve been working on projects with the NIST Cybersecurity Framework as a guide for security policies for companies in all industries. Check out my other Medium posts about it, as well as the white paper on my research.
