Cloud security is like an ‘all-you-can-eat buffet’
A group of cybersecurity and IT officials on Wednesday likened the challenge of securing ever-expanding cloud operations to a series of culinary experiences, including a Las Vegas casino buffet, as they noted the growing numbers of steps required to secure an environment and tools available to get the job done.
“It’s like you’re at an all-you-can-eat buffet, except you get full fast,” Sol Bermann, the chief information security officer at the University of Michigan, said during an online conference hosted by the cybersecurity firm CrowdStrike. He listed a series of measures his university uses to manage its computing environments, including single sign-on, two-factor authentication, risk assessments and data log analysis as some of the many options on the menu.
But an organization’s appetite for a bottomless feast of cloud security may only be as great as its maturity, said Las Vegas Chief Innovation Officer Michael Sherwood. Speaking from his city, where the buffets are gradually reopening after more than a year closed due to the coronavirus pandemic, Sherwood said Las Vegas’ local government has sometimes struggled as it built up a hybrid of on-premises servers and cloud usage — a mixed plate he said raises the risk of error, like a January 2020 cybersecurity incident that led to a brief interruption of some city services.
“We were late to the game,” he said. “We have multiple clouds we’re using. When you start adding on-prem, hybrid, all the different logs and frameworks, the chances for error multiply.”
Bermann said a large university like Michigan is more comfortable with cloud-based systems, and offered another culinary comparison when noting the many participants it takes to maintain a safe environment.
“It feels like we’ve been in cloud forever, because there’s pots of IT all over the place,” he said. “There’s a shared responsibility, getting the community to understand what part of the pie they’re responsible for.”
Bermann said Michigan has been using single sign-on — with two-factor authentication — “for years,” and that the university’s also made recent investments in anti-phishing software and email filtering. Combined with Michigan’s use of a variety of operating systems, he said, the buffet is just getting bigger.
“You just need more, and you need more better product,” he said. “The amount of information we have to parse through is legion.”
But Bermann disagreed slightly with the third speaker, Shane Barney, the CISO of U.S. Citizenship and Immigration Services, who said cloud environments need to be approached differently than traditional, on-premises systems.
“For a long time people said cloud is just another data center in the sky,” said Barney, adding that about 90% of USCIS’ enterprise is now cloud-based. “It’s not, it’s so not. It’s so radically different from anything you’ll see on-prem. The data flow coming at you, it’s impossible for any group of people to comprehend.”
Bermann replied that the “security pieces are generally the same, how you integrate them is different.”
Sherwood tried to split the difference, noting that responding to incidents takes a mix of virtual tools that can scale up quickly and staff members, who are a finite resource.
“More people are accommodating to learning cybersecurity when you get your user base to start taking these things seriously,” he said. “When we had our breach, we had services that called us, got our SOC on board. Having the right tools is a force multiplier, we only have so much money for on-prem staff.”