Video: Cloud Security Q2

How should we run a cloud security assessment to quantify our level of potential risk? And how frequently should we run such an assessment?

VIDEO TRANSCRIPT

So, question number two, and Richard, we'll start with you: how should we run a cloud security assessment to quantify our level of potential risk, and how frequently should we run such an assessment?

This question ties to the first one and to what's been said by Lee: we need these new tools. If you go back to the poll, most people are taking up infrastructure as a service and platform as a service. It doesn't apply to SaaS, but where organizations are trying to use the benefits of cloud, they need to posture that cloud, and there's plenty of tooling out there now to do that, but they have to do it agnostically, it has to be in real time, and it has to integrate into operations so you see the alerts. So, for example, if you're in Amazon, in AWS, and an S3 bucket becomes public and it's against your policy, you need to shut that down, and there's tooling that can do that. It can even run jobs automatically to put you back into good posture. But the problem is that most organizations don't trust automation, so they always want a human being there to click the button, so there's a maturity step for people to build confidence in that. But quite simply, you need to posture the cloud with these tools. You can't expect your internal operations to posture everything. With your hybrid cloud you're going to have multiple cloud providers, so most organizations will have a multi-cloud strategy. Even if you go to AWS, because Microsoft's applications are so sticky, you're almost certainly going to have a multi-cloud strategy in a large global institution unless you're starting from a greenfield. So you need one pane of glass that can posture at least all of the main three, so you're not having separate tooling for each one, because it's just unsustainable for your operations to look at different cloud providers and try to understand how they each provide all their solutions. So, to put it short: you need to posture, you need to invest in that tooling, and that will give you the real-time assessment, put against policies, for your operations to act on when there is a breach of policy.

Okay, Lee.

You just said it already, yeah. It is understanding what you've got. So for the security assessment you need to understand where all your workloads are, both in the public cloud and in those SaaS providers, so utilizing the tools that are out there to assess what your users are accessing: what are the authorized SaaS platforms they're accessing, what unauthorized SaaS platforms are they accessing? That is harder these days with everyone now working from home, but it is still possible with the tools out there. What are you running in those public clouds, what are your workflows in AWS, GCP and Azure, for example, and how are you accessing them? On the question of how frequently you should be doing this assessment: this should be running constantly. You should be constantly assessing what your workloads are, where your users are going, when a user accesses that new SaaS platform. If your policies are around using OneDrive, for example, as your repository for documents, and you start seeing access to Dropbox or Box, for example, you need to be on top of that; you need to be locking that down and controlling where your data is stored. You need to be constantly posture-assessing your Azure Blob Storage, your Amazon S3 buckets and those sorts of things to ensure that they are always locked down and that access to them is secure. So it's not a case of running an assessment every six months or every 12 months, doing a penetration test on your environment. You've got to be doing it all the time.

Right, okay, Craig.

Yeah, I think Lee starts with a good point: visibility is king in this. We're moving from a world where we changed an operating system or application every few years to... I saw there was a question from Dave Lundy which I think is very topical: with [SaaS] adoption, how do you deal with shadow IT? I think that's a problem for everybody, and I break it into two halves. One half, and it's kind of growing but still fairly new, is how do I do the outside-in assessment: how do I actually leverage third parties to do ongoing assessments of what is visible about my organization from the outside world? That almost gives you the first bit, the other places that are visible that I never even knew existed, and if I didn't know they existed then I don't know what to do. So you need that outside-in view, and that's an ongoing assessment to say what does the rest of the world see, and do I actually have the right controls? But then you also need the inside-out view, and I think that really starts by thinking about all of my edge points, because shadow IT is the challenge where we go, I can just go and buy this myself, but they're still connecting to that SaaS application from your edge point. So if I've got that thing on my edge point saying what SaaS applications are they connecting to, and this comes back to Richard's point, are they business-trusted? This is almost down the zero trust model: should I allow that, or are they non-business-trusted? We often go, well, it's not trusted, they shouldn't use it, but there's often a middle ground: maybe it's not blocked but it's not trusted, so they should have it, but how do I segment that away from what is trusted? So you need the visibility on the inside across your estate, whether it's multi-cloud. I think the SaaS application bit is the hardest bit. One of the easiest ways I see is, if I can see they're going through corporate credentials to use the SaaS application, then generally I've got the right controls in, because hopefully I've got the hooks into those SaaS applications: whatever security capability should have the API integrations into those, to control the security capabilities they provide and to enrich what they can't provide. And then if they're not part of your suite, if they're in that shadow IT, it really becomes a question of how do I gain visibility into that, and that means the edge security to see what they're connecting to, making the decision of should I allow that, and if I allow it, how do I segment it off from the things that are core to the business, so I actually really protect what's important to the business.
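The check that Richard describes (an S3 bucket becomes public against policy, tooling flags it and can put you back into good posture) and the continuous bucket posture assessment Lee describes are the kind of rule a cloud security posture tool evaluates on every scan. What follows is an added example written for this page, not code from the panel or from any vendor's product. The bucket names, ACLs and policies are constructed; they are shaped like what boto3 returns from get_bucket_acl, get_bucket_policy and get_public_access_block, but no AWS calls are made. The remediation is returned as a plan of boto3 method names and arguments rather than executed, which is the human-approves-the-button step Richard says most organizations still want.

```python
"""Posture check for S3 public exposure, in the style of a CSPM rule.

Added example, not code from the panel. Inputs are constructed in the shape
boto3 returns from get_bucket_acl / get_bucket_policy / get_public_access_block;
no AWS calls are made. Remediation is returned as a plan (boto3 method names and
kwargs) rather than executed, so an operator can approve it before it runs.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
LOCKED_PAB = {flag: True for flag in PAB_FLAGS}

OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}

# Constructed snapshot of three hypothetical buckets (names, IDs and policies are made up).
SNAPSHOT = {
    "corp-marketing-assets": {  # public via ACL, no Public Access Block at all
        "acl": {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        "policy": None,
        "pab": None,
    },
    "corp-finance-exports": {  # public bucket policy, but fully masked by Public Access Block
        "acl": {"Grants": [OWNER]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-finance-exports/*"}]}),
        "pab": {"PublicAccessBlockConfiguration": dict(LOCKED_PAB)},
    },
    "corp-logs": {  # Principal * but scoped by a VPC endpoint condition: review, not public
        "acl": {"Grants": [OWNER]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
             "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::corp-logs/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
        "pab": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                                   "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    },
}


def pab_locked(pab):
    """True only when all four Public Access Block flags are set; anything less leaves a gap."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def acl_exposures(acl):
    """Grants to the AllUsers / AuthenticatedUsers groups expose the bucket to anyone with an AWS account or not."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return out


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_exposures(policy):
    """Allow statements with Principal * and no Condition. A Condition (e.g. aws:SourceVpce)
    narrows the audience, so those are left for manual review rather than flagged as public."""
    if not policy:
        return []
    statements = json.loads(policy).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    out = []
    for s in statements:
        if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal")) and not s.get("Condition"):
            actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
            out.append(f"policy {s.get('Sid', '<no Sid>')} allows {','.join(actions)} to Principal *")
    return out


def assess_bucket(name, acl, policy, pab):
    """One finding per bucket: exposures found, and whether Public Access Block masks them.
    With all four flags set, public ACLs are ignored and a public policy no longer grants
    anonymous access, so the bucket is reported as not public but the exposure is still listed."""
    exposures = acl_exposures(acl) + policy_exposures(policy)
    locked = pab_locked(pab)
    return {"bucket": name, "exposures": exposures, "pab_locked": locked,
            "public": bool(exposures) and not locked}


def remediation_plan(finding):
    """Ordered boto3 calls an auto-responder would make; returned, not executed."""
    if not finding["public"]:
        return []
    plan = [("put_public_access_block",
             {"Bucket": finding["bucket"], "PublicAccessBlockConfiguration": dict(LOCKED_PAB)})]
    if any(e.startswith("ACL") for e in finding["exposures"]):
        plan.append(("put_bucket_acl", {"Bucket": finding["bucket"], "ACL": "private"}))
    if any(e.startswith("policy") for e in finding["exposures"]):
        plan.append(("delete_bucket_policy", {"Bucket": finding["bucket"]}))
    return plan


def run_assessment(snapshot=SNAPSHOT):
    """Evaluate every bucket in the snapshot; in production this runs on every scan, not twice a year."""
    return [assess_bucket(name, b["acl"], b["policy"], b["pab"]) for name, b in snapshot.items()]


if __name__ == "__main__":
    for finding in run_assessment():
        print(f"{finding['bucket']}: {'PUBLIC' if finding['public'] else 'ok'} {finding['exposures']}")
        for call, kwargs in remediation_plan(finding):
            print(f"  would call s3.{call}({kwargs})")
```

Two design points worth noting. First, the Public Access Block settings are treated as the control that decides whether an exposure is real: a public ACL or policy behind all four flags is listed so the hygiene problem is visible, but it does not page anyone. Second, the responder emits the plan instead of calling boto3, so the same code serves the "human clicks the button" stage Richard describes and, once the organization trusts it, the fully automated stage by simply executing the returned calls.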