Security in the cloud: the CISO view on a rapidly changing security paradigm with Chris Hodson

Chris Hodson has spent nearly his whole career as a security leader. Earlier this year he joined Zscaler to run the office of the CISO in EMEA. Zscaler is one of BT's pivotal partners in BT's Cloud of Clouds security solutions.

In this interview, Chris shares his views on the challenges and evolutions in the market from a Cloud of Clouds perspective. Zscaler offers a comprehensive security solution in the cloud that responds to the evolving needs of organisations.

That is why the platform is now embedded in BT's cloud offering. Time for an update on the security challenges organisations face and why a new security paradigm is increasingly being adopted.

What the CISO wants – away from pizza box architectures

Chris, could you start by explaining your views as an experienced CISO on the evolution, challenges and security needs regarding the cloud?

Chris Hodson: As I have worked my entire career as a CISO in an end user environment before joining Zscaler, I think that I’m well positioned to give a broad view of what security executives need when they are looking at the cloud. The answer: visibility. With this in mind, the benefit of a platform like ours is that single pane of glass for your client’s security requirements.

The reason why visibility is a requirement from a CISO perspective is that we inherited a culture of pizza box architectures, as I call it, whereby we have best of breed components for each of our layers of security. In principle and in theory that works very well but then we are left with a situation with many different systems, all reporting individually and not having that consistency or aggregation point. So the cloud adds an additional challenge to that for most users within their existing environments.

If you look back five to ten years ago, CISOs and their security departments lived in a world where applications and networks were internal. As the security leader of, for instance, a large international bank, I knew the how and the where of my network.


I knew the how because users connected via the desktops, laptops and maybe phones that I had issued them. I knew the where because users were in my regional offices or my headquarters. Today, the cloud has entirely changed that model, eroding the traditional internet perimeter. In some organisations up to 80 percent of the data makes an onward journey to the internet, and we see that the use of data centres has dramatically reduced for core applications and certainly for collaboration applications.

Each day I talk to a CISO or CIO who says “we are going cloud”. It’s a CIO-driven mandate that we have to pick up in security and work with. And visibility is the greatest challenge in it all.

The problem with appliance-based security – a sophisticated threat landscape

How does Zscaler’s platform fit in BT Cloud of Clouds approach and what are its benefits?

Chris Hodson: Zscaler offers a cloud-based security solution as opposed to appliance-based security. Since this year our platform is part of BT's Cloud of Clouds offering. Managed Cloud Security with Zscaler offers customers improved application performance over secure internet connectivity.

The threat landscape is evolving and advanced threats are growing. Almost 60 percent of advanced threats are coming in over encrypted traffic. On top of the challenges with encrypted traffic, we have problems with regard to content delivery networks, problems associated with users being on the road all the time; the list goes on.

In an appliance-based model the number of appliances we need is growing each year because of all the advanced threats we are seeing. By having a multi-tenant, cloud-based architecture we can deliver all of the components that you need to mitigate or remove the threats in just one place. So the Zscaler cloud platform, which is now part of the Managed Cloud Security proposition and BT's Cloud of Clouds, delivers your clients' security stack from one interface in one place, that one place being everywhere, being the cloud. And that is a powerful message.


Dispelling security myths regarding the cloud

As BT and OVUM research indicated last year, many organisations expect to manage a hybrid multi-cloud environment within two years. Control, compliance and security are among the questions that are still raised. What are your thoughts?

Chris Hodson: A while ago I spoke about some myths regarding the cloud. What we are seeing is that some heavily regulated industries now pro-actively support the use of cloud. Not too long ago the Financial Conduct Authority in the UK released a white paper around the fact that public cloud services could be used for the processing of financial and transactional information, obviously with some caveats. You see organisations like Salesforce who have the capabilities for strong audits in their logging. We see that most, if not all, web providers now offer strong multifactor authentication for email. So the cloud market is definitely catching up.

I always held the view as a CISO that if I have something that is highly sensitive, it shouldn’t really matter if it’s in my data centre, on my mobile phone, in the cloud or written down. You need a core set of controls which need to be applied wherever that data is transmitted to. In the cloud we are now in a position to provide that capability.

In the past the problems were really more about supply chain due diligence and the contractual terms. A point with cloud which I found is that often the security capabilities are offered à la carte. If you don't buy those capabilities, the provider isn't going to give them away for free. If you have extremely sensitive data you need to ensure that those security controls are there, whether it's in the cloud or in the data centre.

All too often requirements gathering is overlooked and the business is focusing on TCO and various business-related issues. I regularly see that people are buying the cheapest option from the cloud and only letting the security team pick it up a few months later and try to retrofit those requirements.

So, the capabilities are there, I just think that sometimes the ability for someone to select those capabilities differs between an on-premise and cloud platform. Part of the education regarding cloud and the business should be to embed security early on in the life cycle.


The shift in perceptions regarding cloud security when CIOs want to focus on the business

Where there used to be a lot of discussion about security and the cloud, nowadays it is increasingly said that security in the cloud is actually safer. Organisations can best focus on the business and leave the security concerns to the security experts.

Chris Hodson: There is this famous quote from the CEO of Amazon who essentially said that he can guarantee that the security of his data centre for AWS (Amazon Web Services) is more secure than the clients who are saying that cloud is about things.

What we have to bear in mind with this kind of data centre provisioning or SaaS is that we use the term cloud but the cloud means many different things to many different people. We have public cloud, private cloud, community cloud, hybrid cloud; we have many different ways of defining it and the requirements for each of those are very different.

So I tend to agree with his statement. Leave security and provisioning to the best of breed in that space and, indeed, focus on your core deliverable as a business, while becoming more agile and leaner, which is what organisations want.

I am glad to see that shift and that people see that the cloud can be secure. The issue is that of course there are bad cloud implementations but there are just as many bad data centre implementations that I’m seeing. In other words: it’s all about understanding your requirements and about integration.


I work for an organisation which has a cloud-based security platform, for the cloud and that lives in the cloud. What we see that matters is that you have some form of centralised aggregation point with information about the components in your data centre and your components in the cloud with, from a security perspective, that single pane of glass view. And that is where we excel.

The challenge for CISOs and appliance-based security: the mobile user is here

You mentioned the erosion of the security perimeter earlier and how it’s important to focus security on wherever the user may be. Is this a CISO priority, on top of the need for visibility?

Chris Hodson: It is, and it is important from the perspective of the capabilities that we offer in the cloud too. There are appliance-based vendors who say they have similar capabilities, but the concept of having an IPS or a sandboxing capability or URL filtering or antivirus, these are not new capabilities. And, even if some of the established vendors have been doing very well with these capabilities over a number of years, the problem of the CISO is that users are mobile.

There are two ways to address the challenges which come with that mobility:

  1. Either you work appliance-based, but that is slow and cumbersome and there is a lot to maintain in the architectures that are needed to work this way.
  2. Or you provide for your mobile users and facilitate that localised breakout of their traffic, wherever they are, and that's what I believe we are uniquely positioned to do. If that user is out on the road or is working remotely somewhere, they have the localised breakout by going through the Zscaler cloud.

It is a challenge and it also goes back to the need of the CISO to see everything. I often talk to organisations who have best of breed security architectures in their DMZ. When I look at it, it's all very impressive, but as soon as the user goes out, which happens 40 percent of the time, he is coming straight out on the internet or has very slow, fiddly configurations, coming back over the VPNs or MPLS.

So that’s the challenge. It’s applying the same level of control wherever you are and that’s what we really need today to maintain a consistent cyber security posture.
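The localised breakout Chris describes has to be enforced on the endpoint before any traffic leaves it, and one widely used mechanism for that is a proxy auto-configuration (PAC) file: requests to internal names and private address ranges go direct, and everything else is steered to the cloud proxy whether the user is in the office or on the road. The block below is an added example of such a PAC file, not Zscaler's or BT's own configuration; the proxy hostnames, port and internal domain are assumed placeholders. PAC engines in browsers provide dnsDomainIs, isInNet and isPlainHostName; minimal shims are included so the file also runs stand-alone under Node.

```javascript
// Added example: a PAC file that sends all internet-bound traffic through a
// cloud security proxy wherever the user is, while keeping intranet traffic
// direct. Hostnames, port and INTERNAL_DOMAIN are assumed placeholders.

// Deliberately no trailing "; DIRECT": if every gateway is unreachable the
// request fails closed instead of silently bypassing inspection.
var CLOUD_PROXY =
  "PROXY gw-eu.cloudproxy.invalid:9400; PROXY gw-backup.cloudproxy.invalid:9400";
// Leading dot matters: ".corp.example" matches "intranet.corp.example"
// but not "evil-corp.example".
var INTERNAL_DOMAIN = ".corp.example";

// Shims for the standard PAC helpers (browsers supply their own).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Literal-only isInNet: the real one may resolve hostnames via DNS.
function isInNet(ipaddr, pattern, maskstr) {
  var ip = ipToInt(ipaddr), net = ipToInt(pattern), mask = ipToInt(maskstr);
  if (ip === null || net === null || mask === null) return false;
  // >>> 0 keeps the comparison unsigned after the 32-bit bitwise AND.
  return ((ip & mask) >>> 0) === ((net & mask) >>> 0);
}

function isIPv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names only resolve on the corporate network; keep them local.
  if (host === "localhost" || isPlainHostName(host)) return "DIRECT";

  // Internal applications stay on the intranet (or the VPN/MPLS path).
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";

  // RFC 1918 and loopback literals never leave the site.
  if (isIPv4Literal(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }

  // Everything else, office or coffee shop, breaks out through the cloud stack.
  return CLOUD_PROXY;
}
```

Two caveats a practitioner would check before deploying something like this: a PAC only steers clients that honour it, so applications with their own proxy settings (or a user who can edit the system proxy) will still go straight out, which is why vendors pair the PAC with an endpoint agent; and every bypass rule added to the DIRECT list is a hole in the "same level of control wherever you are" that Chris describes, so the internal domain and private ranges should be the only exceptions and each further one should be justified and logged.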

Leaving security to the people who are specialised in it

To conclude, what are the messages you would like to get across regarding security in the cloud?


Chris Hodson: There are several. The possibility for organisations to focus on the business while saving costs at the same time.

The fact that Zscaler and BT give companies the same level of flexibility and elasticity they want in regards to their security needs. The crucial role of visibility and having a single pane of glass view. The fact that the traditional layered security defences at the data centre pose problems as soon as users start traveling, which can be easily solved with cloud-based security.

When you look at the evolutions in the security space you see that the market is going to grow in a really explosive way over the next few years, but the priorities are changing. While the importance of several areas is declining, mobility, cloud security and helping the business so it can focus on its core activities are all becoming more important. And it's here that Zscaler and BT have what organisations need in order to succeed. Moreover, it's not about viruses anymore, it's about specialised and skilled gangs who are hacking into companies to get critical information.


Realising all these evolutions, and the fact that they need to be addressed in new ways as the old ways alone don't cut it anymore, has to become part of the DNA. And I think that Zscaler and BT have been pioneering here and can further educate the market.

Given all the changes and the speed at which it all happens, companies can't progress as fast as security challenges and evolutions do. That's why it's more interesting for them to move towards security in the cloud, have maximum visibility and at the same time focus on their business, leaving security to the people who are really specialised in it.


This interview was conducted on the occasion of the BT Cloud Summit 2016 in The Netherlands on October 12, 2016.

Interview by BT Let's Talk guest blogger J-P De Clerck. J-P is a digital marketing and business analyst. He's active at the crossroads where marketing, business, customer experience, technologies, IT, media and digital transformation meet. You can connect with him on Twitter and in our Benelux LinkedIn Group.
