Cloud security rebuttal: Don't rebuke the many for the sins of the few

Did CSOonline's 7 deadly sins of cloud computing story lack enlightenment?

One well-respected cloud security figure --Christopher Hoff, Chief Architect for Security at Juniper Networks--tweeted a response to the story, saying "Reading stuff like this sucks my will to live."

We asked Hoff to elaborate. It appears that the cardinal offense was castigating the innocent together with the guilty, when many organizations already refrain from committing the seven cloud mistakes the feature calls out.

But how do we separate the innocent from the guilty? According to Hoff, the innocent include any number of well-initiated CSOs, CISOs, and CIOs at large enterprises, while the guilty are almost certainly among the scrappy-if-under-resourced SMEs / SMBs and start-ups. Read on as CSO magazine explores Christopher Hoff's analysis of the "7 deadly sins" story's targeting and audience--and what to do better next time.

Wait a Minute--Who's Doing This Stuff?

In a recent conversation with CSO magazine, Hoff argued the need to clarify the real audience for basic cloud security information.

"A CIO of a Fortune 500 company--and I will pick any one of the twenty I have spoken to in the last three months--would probably be offended by the notion that you are making them seem like they don't do their job," says Hoff. Hoff makes a respectable three-part argument for why the article offends large enterprise C-levels, based in part on why they are unlikely to commit the seven sins to begin with.


First, according to Hoff, every one of the sins can be applied in generic logic to any case where a security C-level is outsourcing any new service or bringing any new disruption in technology online.

"There is nothing particularly unique about the difference between ASP [and] SaaS from a security perspective that we haven't dealt with iteratively every time we've had an inflection point in compute," Hoff says. So, by the time an IT or security leader reaches C-level status at a large enterprise, he has already learned to apply the same logic elsewhere, and thus has the drop on those seven deadly sins.

Second in Hoff's argument is the premise that the body of written advice, guidance, and enumeration of these issues and others like them is already extensive. The Cloud Security Alliance (CSA), in which Hoff participates, has put together cloud security guidance covering three major areas: architecting the cloud, using the cloud, and governing the cloud.

"There are 13 categories [within those areas] in the CSA Guidance that go into in-depth detail," says Hoff. The first chapter of the guidance, on architecture, summarizes what is the same and what is different in the cloud, as well as what a C-level leader should anticipate from a security perspective and a compliance perspective.

So, in summary, Hoff adds, these first two points suggest what is tiresome about the seven deadly sins article: This logic is already apparent in IT in general, and the industry has done a lot of writing on the subject.

Now the third premise. "When we look at why we are still required to bring this up over and over again," Hoff explains, "it is [because] we tend to generalize. Your article talks about CXOs and kind of almost indicts [them] as a group ... and not just your article, but lots of them, right?"

If there is a segment with members who could benefit from the seven deadly sins feature, Hoff continues, it's the SME / SMB market. "Where your article rings true and is probably more realistic is with the smaller enterprise that doesn't actually have a CIO or a formal, rigorous [security planning] process. They listen to stories and hype and take [them] at face value and they make those mistakes because they don't have the process, the bandwidth, and the expertise" to avoid them, says Hoff.

Go Forth and Stop Doing That

Rather than the generalization, Hoff would like to see some specificity broken down by market segments.

"If I take survey studies based on market segments of SMBs / SMEs or startups vs. established enterprises, how do they map against these concerns, these seven sins?" Hoff asks. Which market segments are making these cloud mistakes? Does each cloud sin really have the same potential outcome--the same risk associated with it based on the types of applications, activity, intellectual property, and business impact it may generate--in each market segment?

"So, say I am a Mom & Pop plumbing supply store," Hoff says by way of illustration. In this scenario the store weighs its risk and exposure against the seven deadly sins: the cloud service costs it $25 a month, plus the associated risks, for a capability it would otherwise have to spend thousands of dollars on to administer properly and to buy the right hardware (and everything else). "Your sins are irrelevant to me. I am going to commit every single one of them and 200 more," Hoff says, laughing.

"Now, if I am an enterprise, it is a different story," Hoff continues. There is more complexity; the enterprise is more highly regulated. It has different priorities, different assets to protect, and the customer base is different.

"Here is the thing of interest," Hoff summarizes: "Tell me what I can do as measured against the target market. You say, hey, you shouldn't sign up a cloud solution product without going through IT security enrollment. But what if I do? What does that mean? What are the potential outcomes?" Do likewise for all the sins.

Stories by David Geer