Digital innovation has been accelerating across all industries for several years now, but the COVID-19 pandemic made that trend move even faster—something we might have thought was impossible a year ago. As a result, cloud-based services are being added at a dizzying pace, making cloud infrastructures even more complex at many organizations. The CISO’s team must keep up with these changes in order to protect corporate assets and keep risk at an acceptable level.
To explore the challenges of cloud security in 2021, we spoke with two Executive Cyber Exchange members to learn about their cloud security challenges and what they plan to do about them. Their organizations are very different in terms of both industry and geography, but their challenges and plans for the coming year are remarkably similar.
Josep Bardallo is CISO and IT director at Grupo Hospitalario Recoletas, which serves approximately 500,000 patients annually at 24 hospitals in the autonomous communities of Castilla y León and Castilla-La Mancha in central Spain. Josep has served in his current role since 2015, and also serves as a professor of cybersecurity at the University of Seville, where he thoroughly enjoys mentoring young security professionals.
Rod Hynes is director of information security at Bell Canada, where he has worked for more than 20 years. Rod’s team is responsible for cybersecurity strategy, planning, governance, architecture, risk management, compliance, and cybersecurity awareness programs. In a prior role, he was the primary architect for Bell Canada’s corporate network, the largest in the country. Before that, he designed and deployed Bell’s first corporate Wi-Fi network.
Bardallo - We are working on a project to provide better security for traffic that moves outside our network perimeter—to cloud-based resources, for instance. To do this, we need to have more visibility into how much traffic moves outside the network, where it is going, and how it gets there. That is the part of the project we are working on now.
Another initiative for the coming year is to secure all devices—including myriad medical IoT devices—independently of their vendors, using our own internal controls. With so many device types in a hospital setting, this is a complicated endeavor. Finally, we are looking to automate compliance reporting to improve real-time visibility and save manual work in preparing reports for auditors.
Hynes - In the business we’re in, 5G is the biggest initiative that we’re working on. Most carriers are planning to use hybrid and public cloud to manage their 5G architecture. This means we will be consuming public cloud resources in different ways than we have up to now with traditional telephone networks. We have a lot of work to do, but we have a robust plan that we have developed alongside many partners.
Connected to the whole move to 5G are IoT devices. As a carrier, we provide IoT services to customers, and also support IoT devices on our internal networks. We want to make sure that these devices and the network connections with them are secure. We don’t want to be the source of the next Mirai botnet.
Finally, we have been trying to get our arms around what has been a very sprawling cloud architecture. I have been leading an effort to develop a formal cloud governance practice so that security protocols are consistent across the board when it comes to controls.
Hynes - Across the organization, our different businesses use SaaS, IaaS, and PaaS services extensively. As I mentioned, we will be using the cloud in different ways with the buildout of 5G. Until recently, subsidiaries and business units had quite a bit of autonomy as to their cloud strategy. Our new cloud governance strategy aims to continue enabling flexibility and agility for the business while implementing consistency in contracts with providers and technical security controls from solution to solution.
Bardallo - Since GDPR [the E.U.’s General Data Protection Regulation] assesses steep fines for disclosure of patients’ medical or financial information, we have not allowed any of that data to be stored in public cloud infrastructure. Instead, we have built a private cloud for that information. However, both clinical and non-clinical departments use SaaS tools for everything from marketing automation and business intelligence to monitoring medical devices that have been implanted in patients. Given that we are in the business of protecting human life, securing all these systems is vital—even when there are not compliance implications.
Bardallo - People are accustomed to using cloud-based services in their personal lives, and they usually put no thought into whether a particular service is secure. Unfortunately, this lack of thought follows them into their work life, and they don’t think about where the data goes and what the impact is. I wish employees understood the complexity of making those interactions secure before they use a corporate credit card to subscribe to a cloud-based service.
Hynes - There are two fallacies that I see: Some think that the cloud is totally safe and every cloud-based service is automatically secure. Others still believe that the cloud cannot be protected at all and should not be used. Neither of these perspectives is really true. For most enterprises, the hyperscalers offer more security than a homegrown system. The problem is managing everything effectively—which is a challenge in a large organization regardless of industry.
Hynes - The fundamental thing for me is visibility—in terms of both asset management and security operations. The question is not whether the cloud can be secured, but rather whether you understand how the cloud is being used in the organization. Visibility is an ongoing focus because the cloud infrastructure is so fluid and dynamic. In the past, business units acquired SaaS applications without consulting much with the security team. Our new governance model is an attempt to paint lines on the road without setting up roadblocks, and the overarching goal is centralized visibility for all cloud assets.
Bardallo - I agree that the biggest focus is visibility—of the traffic to and from various cloud deployments, and of the cloud security infrastructure. We do not have control of public clouds, and each of them uses different protocols. It is very dangerous. As a result, we need to be able to see everything in our cloud infrastructure in a central place. This visibility is also critical for us to demonstrate compliance with GDPR.
Bardallo - I think the top three issues are visibility, compliance, and business continuity. I’ve talked about the importance of visibility and compliance, and building an integrated architecture with opportunities for automation is critical for both objectives. Our project to control the security of all devices ourselves also contributes to both of these objectives. Many medical devices are expensive, costing as much as millions of euros or dollars. Yet too many of them still run on outdated—and inadequately secured—technology. Integration is key when people’s lives are at stake.
Business continuity is equally important, illustrated by the recent rash of ransomware attacks on healthcare organizations. If an attacker shuts down a hospital’s network, it is critical to be able to bring it back up quickly—without paying a high ransom. Security practitioners should not ignore things like backup and recovery and infrastructure management protocols, which can be critical elements in incident response.
Hynes - I would say that organizations should focus on identity services, cloud provider relationships, and protection of data. Federating identity is so critical for us—especially given our large portfolio of third-party risk. We are highly outsourced for functions like development and telephone customer service, for example, and we have myriad suppliers that have access to our network. It is critical that we play our “A” game with identity management, identity life-cycle management, and network segmentation. And the proper controls must be in place for any organization before they move to the cloud. GDPR-like legislation is likely to be passed in Canada in 2021, and the word is that the fines will be even heftier than in Europe.
Cloud provider relationships are critical, and this means that contract terms need to be standardized with cloud suppliers. Our new cloud governance policy states that no Bell service will be stood up without confirmation that a specific list of controls is being provided—the same controls provided by every cloud provider we do business with. Because we are one of the largest companies in Canada, cloud providers tend to listen to us, but even smaller companies need to find a way to standardize the services provided in these contracts.
Data protection may seem straightforward, but it is actually quite complex for us. Again, it is as important to get the process right as to deploy the right technology. All data must be encrypted in transit, and we must constantly ensure that suppliers and partners are doing the right life cycling and patching.
Hynes - Bell Canada’s business is unusually broad. We are Canada’s largest media company, Canada’s largest ISP, and Canada’s largest telco. Digital transformation is at the heart of all we do, and our cloud infrastructure will only grow. I foresee the need to deepen the relationship with our hyperscale partners, building tight linkages to promote visibility and effective incident response.
Bardallo - I am a big defender of the cloud and think it represents the future—even for the healthcare industry. I believe that our hybrid cloud model will continue and become more robust in the next several years. This is why we are bolstering cloud security today, and that work will need to continue into the future. In the end, visibility will be the key to providing adequate controls.