“Cloud is the greatest transformation of all time,” said Daniel Conroy, VP and CTO at Raytheon Technologies. The journey to the cloud helps organizations increase productivity, get digital products to market faster and improve customer experiences. However, it also creates an environment where security and compliance have a hard time keeping up, often slowing down the process. How can we have all the benefits and meet the challenges? That’s one of the topics a collaborative of various organizations got together to discuss. Their first project focused on a framework for automated cloud governance.
Conway was joined by fellow team members James Beeson of Cigna and Gene Sun of FedEx at last Spring’s ONUG Conference. They joined ONUG’s Nick Lippis to share the collaborative’s goals and discuss why automated cloud governance will define all corporate technology supply chains moving forward. Watch their entire discussion here. Below is a summary of their comments.
Beeson emphasized that many challenges arise because a lot of variation exists among cloud providers. One of the team’s goals is to reduce some of that variation. “It’s not our friend in this space,” he said. “Better standardization across the big players would force the smaller players to come along too. The result would be more automation and speed.” Governance creates the right conversation that will keep companies from getting into trouble part way through their cloud journey. It forces teams to talk about the right controls and metrics that must be in place. Having the right requirements to build the right model for each tenant ensures the cloud journey will be smooth.
Conroy explained that moving to the cloud means thousands of different things to thousands of different companies. For example, Raytheon Technologies must use only people in the US to handle the administration of their servers. They must move to Gov cloud. However, other companies may choose different methodologies. Many companies have run into challenges because they dive right in, not having the conversations that governance creates. “Governance forces people to ask questions they probably haven’t answered about their aging architecture, and that’s a good thing,” said Conway.
Sun agreed, adding “If the CISO is not viewed as a speed bump on the road to the cloud, he/she is not doing their job.” The CISO must act as a risk manager. While the intention of the cloud transition may have been to make the developer’s life easier, the reality is that it pushes a lot of complexity to the surface for infrastructure and security managers. Sun emphasized the importance of finding a balance where the developer’s world gets easier, but infrastructure and security remain in control. “Our team’s goal was to alleviate some of the complexity and the challenges that security teams face, not become a roadblock for the cloud adoption journey,” explained Sun.
All participants emphasized the need for automation. Beeson said automating the controls is like “mistake-proofing the services we’re consuming with cloud players.” Most breaches are human error. “Automate as many controls as possible with a lot of alerting and checking to ensure we stay mistake-proof,” added Beeson.
Conroy focused on organizational structures that must change. “If you are automating stuff you have people doing today, then they must do something different going forward. Cycles are moving faster. They are more complex. You must develop a different skill set to manage IT in this new environment.” Being agile also applies to tool adoption, patching and upgrading. Governance helps companies leverage those benefits.
Sun gave a very applicable analogy to illustrate the importance of automating governance. CISOs are like the heads of a household. They are responsible for safeguarding the organization and performing risk management. Previously, companies were like a single family home, housing everyone. The CISO knew everything going on, when the landscaper was coming or when the plumber was arriving to perform maintenance. Moving to the cloud is like moving your large family to an apartment complex. Now, you must deal with the landlord and the super. Having an agreement in place ensures you still know when the AC is getting repaired and any time anyone is entering one of your apartments. Similarly, you must have governance and contracts in place to safeguard your organization. If the cloud provider stops a virtual machine, the CISO must know why. Was it on purpose? Was it authorized? “This not only leaves the CISO feeling secure, but it also allows him/her to demonstrate a digital trail to regulators for everything that happens.”
The intent of the collaborative was to pull CISOs together. They experience many of the same pain points. By coming together, everyone can get better. “We can raise the watermark,” says Conroy.
Sun went back to his apartment complex analogy. “Just as we need an early warning from the landlord about issues, we need an early warning from providers.” Provide early warnings via a constant data feed. Large data providers must agree to provide enterprises with info about what’s happening within their “apartment building.” All public cloud providers must agree to certain standardization that comes in the same format.
Cloud providers must realize that CISOs want a single pane of glass to look at warning indicators. “We’re turning the table on cloud providers. We want them to work with us since we are their big consumers,” explained Sun. “Let’s work together to define some kind of standardization. It would make our life easier and boost our confidence in cloud providers.” Sun emphasized if consumers come together to express this need, cloud providers will be forced to listen.
Beeson agreed, and added that accountability must be included. All large providers say they are not responsible for your data. “We must apply pressure, so they have skin in the game,” added Conroy.
Sun appealed to both cloud providers and large consumers to get involved in the collaborative. He emphasized that when CISOs feel more secure, providers will get more business. In turn, when we achieve standardization, life gets easier for large consumers. It’s a win-win.
For more information on the Collaborative and the Automated Cloud Governance Working Group, visit here
Sign up for the ONUG Fall 2020 Conference, or learn more about ONUG involvement by contacting us here.