Companies are accelerating their use of the cloud, but should slow down and make sure security is built in from the beginning.
TechRepublic’s Karen Roby spoke with Ron Bennatan, general manager for data security at Imperva, a cybersecurity company, about cybersecurity in the cloud. The following is an edited transcript of their conversation.
Ron Bennatan: We all know that the transformation, the move to cloud, the move of the workloads to the cloud, I mean, it’s something that’s been happening for the last five years and more. It’s just accelerating like crazy. It’s accelerating because the cloud just allows businesses to go so much faster and solve so many issues. It got even a further acceleration with COVID. It’s very, very clear. You can see how companies are driving, through incentives, moving everything into the cloud. I think what we’re also seeing is that there’s more complexity as that is happening, because it’s just new. Anything new is something that people will just have less experience with.
And one of the hardest things is to deal with that complexity, and the cloud gives you so many options and so much freedom and so much flexibility that it’s great to drive business, but it’s not always clear whether all the security controls are catching up as quickly as they should be with that transformation and the workloads going in the cloud. It’s always hard when you see all these stats to say, is this correlation or is this causality? But I’m not sure it matters that much. I mean, if we’re driving everything to the cloud, we need to make sure that the security controls are going with the data into the cloud, not coming two years later.
Karen Roby: When we talk about the number of leaks, the number of incidents, I mean, it’s going up significantly.
Ron Bennatan: We’re seeing a very large increase. I think some of it is related to that complexity. Some of it is related to sophistication of the attacks. I keep hearing about, “When are we going to stop seeing leaky buckets?” It is not that the cloud infrastructure is less secure. It’s actually more secure, in my opinion. It’s far more secure because it’s standardized, it’s clear, it’s well documented. It’s just, we’re doing things really, really fast. And so this increase that we’re seeing is natural. It’s addressable. I don’t think anybody should be really surprised about it. And it is addressable, which is also good. It’s not like, “Oh, we’re going to have to develop a vaccine now for two years?” We just have to always remember to, as we’re migrating data, to migrate the security controls around those data, or the risk management programs need to go with the data and with the workloads. And then I think we’ll start to see things being contained in a better way.
Karen Roby: All right, well, Ron, when we break it down a little bit here, talk about the remedy a little bit more. What does the answer look like for us in terms of getting to that point where we don’t always talk about data leaks and how this is such a problem? Also talk a little bit about your position specifically when it comes to the cloud and security.
Ron Bennatan: We know in security that answers are not… I mean, sometimes the answer is technology, and sometimes the answer is process, and sometimes the answer is people. And I think in this case, it’s no different. Part of my job is building products that keep up with the variety of the type of repositories that pop up in the cloud, and working with the cloud vendors to make sure that we understand what they’re releasing and we release support for that. But part of it is also people. And on the people side, something that’s very clear is that a lot of companies, because they want to move faster into the cloud, they create a separate cloud architecture group, and they’re responsible for kind of that platform, that infrastructure, how it adapts, how it’s ingested or consumed within the company.
But then on the other side, you have the people who have been tasked with security all these years. And in my case, the data security people, they have certain patterns, they have certain programs, they have certain methods. And when you get two different people or two different groups of people that have to talk to each other, that’s often the hardest thing, is just, so really, who is it that’s now responsible? Is it these guys who are responsible for cloud? Or these guys who have always been responsible for data security? And that mashup needs to occur. It’s not that I’m a psychologist so I’m not going to create that mashup, but if we can think about how we make products that are consumed better by both parties, okay.
Because one of the things that is fundamental to this motion into the cloud is just operationalization from the start, or shift left, or everything is code. The way people deploy things on prem is different from the way people deploy things on cloud. So part of my job on a daily basis is understanding almost the psychology of these different groups and making sure that what we provide fits with the way that they’re thinking, because the way they’re thinking is a little different. And then on the third side, the process side, we don’t need to invent things from scratch. They’ve been doing this, we’ve been doing this, for two decades now. But it is going to require a difference because the process of deploying things and moving things and migrating things in the cloud is different. So things need to be frictionless. That’s really what it’s about.