Shared Responsibility: Delivering Cloud Security Architecture

During the Cybersecurity Midwest Summit 2022, hosted by CDO Magazine and ComSpark, leading cybersecurity experts discussed current cybersecurity issues and best practices. The session "Shared Responsibility: Delivering Cloud Security Architecture" features the following distinguished panelists discussing cloud security architecture: 

  • Cedric Wells, Director, Infrastructure Services, The Gorilla Glue Company

  • Anthony Fisic, CISO, Battelle

  • Doug Neiheisel, Delta Team Lead, Advanced Technology Consulting (ATC)

  • John Allen, Vice President, Cyber Risk & Compliance, Darktrace

Nick Enger, CTO of Advanced Technology Consulting (ATC), moderated the session.

The speakers collectively consider cybersecurity to be a shared responsibility. Expounding on the topic, Neiheisel explains the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). He says it boils down to identifying data, protecting it with appropriate tools, and knowing how to respond and recover.

According to Neiheisel, clients and providers must assume responsibility in a shared responsibility model. Fisic states that understanding the business needs is critical to evaluate the security framework. He mentions that the current cloud space has tools but needs more governance, which organizations can address by adopting compliance frameworks for better business outcomes.

According to Wells, choosing a provider that aligns with the business needs is crucial. Fisic advises using existing services that fulfill business needs rather than investing in building a new tool.

Discussing cloud providers further, Allen refers to them as commodities and notes that sourcing the best providers is a task. “Cloud technology is getting more commoditized as a business,” he notes.

Sharing Darktrace’s perspective, Allen states that the cloud is an extension of the business and technology journey that needs protection. He points out that a consequence of speed, agility, and flexibility is irresponsibility.

“The cloud is for everyone, but not everything,” Neiheisel adds. He says organizations should evaluate cloud providers to determine which one best suits their needs and consider the following factors: 

  • How the organization operates

  • How the organization does business

  • What applications are used

  • Where the users are

  • How to control users’ access to applications to ensure security

Highlighting the CSF controls, Fisic says it is necessary to understand the business context while refining security needs. Whether data is generic or the crown jewels, it is fundamental to define the use case to protect it better, he maintains.

Wells points out that most businesses don't speak the data language, which is why compliance is crucial. Allen shares that compliance comes in the form of legal statutes, regulations, and internal policies.

With cloud, unlike traditional on-prem culture, organizations must ensure that all controls are in place, Allen continues. According to Neiheisel, compliance and governance are the top cloud challenges, followed by security, resources, and spend management.

For better business outcomes, Wells emphasizes the importance of IT involvement in marketing and business decisions to control costs in cloud architecture. Fisic clarifies that it's about how well the IT or security governance aligns with procurement processes.

Allen concludes by saying that cost savings in the cloud cannot be guaranteed and should be mentioned earlier in discussions about the cloud. He asks organizations to use AI and work with the required metadata because moving data in and out of the cloud is expensive. Neiheisel suggests opting for third-party assistance to optimize spending.
