For many organizations, especially fast-paced hyper growth companies like Rapid7, the appropriate use of Cloud services can be the difference between success and failure. As these products and solutions revolutionize the way we do business, CISOs must contemplate what constitutes appropriate use. In the past five years we have watched Human Resource, Customer Management, Learning Management, and other major business functions move into the Cloud. This has forced CISOs to push their comfort levels, and has methodically eliminated our ability to halt deployment.
Security teams are uneasy with third-parties consuming business data and operations, yet great CISOs must have an understanding of risk across their organizations. We must understand how decisions impact business partners, customer commitments, regulatory compliance, and overall risk posture. It has taken several years, but many of us are beginning to accept and operationalize the era of a new perimeter - people and data.
This perimeter shift is evident in the frequency in which CISOs are approached about adding additional Cloud services to their respective toolkits. These requested services often lead the pack in usability and affordability, and the only remaining ‘roadblock' would be lack of security sign-off. Most CISOs evaluate Cloud services with (at least) these core questions:
- Does implementing this service increase or decrease my overall risk-level?
- Does this service utilize or require any sensitive or protected data?
- Do the benefits justify any additional risk that may be incurred?
Each proposed service has an inherently unique set of responses to these questions and the final disposition is rarely clear. For services increasing aggregate risk and involving sensitive data, it becomes a much scarier (but frequently necessary) proposition to verify that benefits outweigh increased risk levels.
Interestingly, as these tools flourish and operate without major security incidents we become more comfortable with Cloud-based products, to the point of leveraging them in to enhance our operational security posture.
Migrating into Security Operations
As I started deliberating the use of Cloud solutions to support Rapid7's security operations, I had a hard time getting comfortable with a third party service, hosted where I have little visibility, managing sensitive components of my Security program. I had to wrestle past the emotional static, and focus on the pragmatic and data powered risk perspective - and that is not as simple as it seems.
Looking at the bigger picture, I started to believe that letting an established Cloud provider, with a proven track-record, contribute to security operations may actually reduce risk to Rapid7. Established Cloud services generally allow for a swift roll-out, orders of magnitude faster than on-premise offerings, and day-to-day operations can take significantly less time, so engineers are freed up to invest energy in reducing other risks.
Even with a fractured consensus on what the ‘right' approach to the Cloud looks like, it is pretty clear that adoption is increasing, and every decision a CISO will be placing a bet. Every environment is different, and frequently the use of Cloud services can free up engineering cycles. We never know when the extra time a security engineer has to operate will prevent a compromise or if the same decision that freed up that time will ultimately result in a data-loss event. I do believe there is help on the horizon, and candidly Rapid7's UserInsight tool is a fantastic example of the type of help we need.