Sitting Securely on Cloud Nine

Sitting Securely on Cloud Nine
Jeffrey Wright, SVP & CISO, Allstate

Allstate is one of largest publicly held personal lines property and casualty insurer which offers insurance for your home, motorcycle, RV, auto, as well as wealth transfer, financial management & accumulation and many more needs.

Every day, exciting new capabilities entice businesses to move to the cloud with the promise of speed and agility. But sometimes teams jump into this new territory without taking into consideration the risks. In some cases these risks could involve the proper understanding and utilization of availability zones, the proper criteria for selecting cloud-ready applications or simply establishing and maintaining the talent needed to operate a cloud environment. However, in the board room, much of the conversation is focused on understanding and ensuring the security of information placed in the cloud.

How can we make sure that businesses are taking security into consideration when choosing to move to the cloud?
Last year, I spoke about the unique opportunity that moving to the cloud presents to reestablish your security footing by creating patterns based on standards. Being intentional and purposeful about building out a framework that leverages patterns is ultimately what will keep your environment secure against cyberattacks. However, in the increasingly fast paced world of technology, the benefits of cloud (scalability, resiliency and the hope of reduced cost) often outweigh security concerns for the business. They want things now, and they don’t want to cut through the 'security red tape' to get what they want. And, it's becoming easier for them to get what they want as cloud providers increasingly market and sell solutions directly to the business.

The fact that these solutions don’t always comply with the security frameworks often means that security and
IT teams are left looking like the 'bad guys'- standing in the way of productivity and innovation when solutions are declined or held up, or costs skyrocket when IT steps-in.

Ultimately, providing a secure environment comes down to discipline. You have to hold the line, and work with the business to get them to understand that it is critical to their success to adhere to a framework based on patterns. A rigorous adherence to standards relies on synthesizing standards from a variety of places (cloud security frameworks, application development frameworks, infrastructure frameworks, and others) in a way that is cohesive and relevant to your environment. Developing a predictable framework that is aligned to your intended business outcomes, and then communicating this with the business, will help them understand these elements before they find themselves across the table from a cloud provider selling them a solution.

Properly securing applications is about understanding your risks and being able to have an informed conversation with the business about how leveraging cloud technology may ultimately increase the risk of a cyber-attack or data breach. Aligning on your crown jewels and developing asset risk profiles is a good way to establish accountability and have an objective conversation with the business about opportunities to utilize cloud strategies when solving business challenges. Asset risk profiles are the linchpin to cloud viability they help you make decisions around the adoption of cloud and the manner in which that environment needs to be maintained.

In an ideal world, business partners would understand their application's risk profile and know to ask the right questions before diving into the cloud. However, most have n't reached that level of understanding yet, so we need to work on driving this accountability into the business. We need to help business partners understand their applications and the risk profile before they go adding it to the cloud.

It’s not uncommon for large organizations to acquiesce to the business' desire to move quickly, but if they do so haphazardly, they find themselves in a situation where large amounts of data and functionality exists on an insecure cloud structure and little thought was given to how to protect it over time. Reworking this is a costly and time-consuming process. It is easier, and cheaper, to include security in the conversation to move to cloud from the beginning.

Current Magazine