Announcing June's Cloud Security Champion

Jamie Grive, Head of Cyber, SiXworks is techUK's #CloudSecurityChampion for June! In his exclusive interview below, Jamie discusses why rapid scaling of cloud should not endanger business security.

The purpose of techUK’s Cloud Security Champion campaign is to celebrate the work of UK cloud security specialists in helping build a culture of trust and confidence in cloud computing and showcase how they are supporting organisations to adopt, deploy and use cloud services securely.

A new techUK ‘Cloud Security Champion’ will be chosen every month, so if you would like to nominate a friend or colleague to be the next Champion, please drop us a line.

What are your current responsibilities as Head of Cyber and what does a typical day involve?

As Head of Cyber, my job often spans many disciplines, so no day is the same. I am responsible for the design and implementation of our secure public, private and hybrid cloud platforms across all security classification levels, and the cross-domain components between them. I also head our Cyber Operations unit – where we Red Team our and our customers’ infrastructure, monitor Threat Intelligence and assist our customers in threat modelling.  

What do you most enjoy about your work?

SiXworks specialise in innovation and I enjoy working at the bleeding edge – we are always working with customers to de-risk emerging products and technologies. I have been privileged to work with the latest and greatest in Artificial Intelligence/Machine Learning platforms and the complexities of the infrastructure required to support them.

I enjoy being able to work in a very agile environment which means that we are able rapidly to integrate systems that benefit our overall security posture – for example implementing Passwordless authentication across all our cloud platforms.  

Why is cloud important to the UK’s economic growth and what does the future hold for adoption and maturity of cloud in the UK?

The work we do with our customers in the defence and security environment aims to improve access to mission and business-critical intelligence, information and data, and then bring modern tools to bear to enable better decisions and activity management.  Carefully designed cloud services allow access to multiple sources, rapid scaling, the agile on and off-boarding of tools, and the ability for operators to provision and adjust services in real time.  These benefits apply equally in the wider public and private sectors and should drive faster growth, not least by allowing intelligent customers safely to exploit public, hybrid and private cloud.

Would you agree that the conversation about cloud security has shifted, and cloud users increasingly recognise the security benefits of cloud services?

I would agree completely. We have seen a remarkable change in mindset over the last 5 years with our National Security & Defence customers who are increasingly becoming more willing to adopt public cloud services when they can be demonstrated as sufficiently secure.

We particularly note the security benefits of cloud services available for authentication and identity – for example Passwordless authentication with FIDO2 and WebAuthn are game changers for secure authentication – but are unique to cloud services. Likewise, identity and device aware service proxies (like Microsoft’s Conditional Access) provide benefits that are difficult and costly to replicate outside of cloud.

What are the key security concerns affecting greater cloud adoption and how can these issues be addressed?

Every organisation has a different view on the risks of cloud. SiXworks are big proponents of threat modelling – we work with customers to analyse trust boundaries and information flows – and then identify the potential vulnerabilities and threats to these.

We know that public cloud is not right for everyone or in every circumstance – there are organisations whose threat model means that they are at considerable risk from nation state actors, and we know that no system is perfectly secure. We work with those to enable private cloud platforms with as many applicable surrounding services to make them as comparable to public cloud as possible so that they can gain the benefits of security, flexibility, insight, automation and mobility.

What steps should organisations take to adapt their cloud security posture to the rapidly changing online environment?

We’ve seen the DevSecOps industry adopt the shift-left security approach. In short, this means moving security to the earliest possible point in the development process. SiXworks try to apply this methodology across our work, as seen with our company mantra being ‘Secure By Design’. Effectively, organisations need to ensure that Information Security teams are involved throughout the lifecycle of a new product or platform used in cloud. The InfoSec teams should be keeping abreast of new technologies available in cloud platforms and software-as-a-service offerings to ensure that they are appropriately consumed if they give a business benefit. COVID-19 has been a catalyst for digital transformation and we have seen organisations prove that they are able to adapt rapidly – it is now a matter of ensuring that same mindset is applied to security and continues to be applied going forward.

How can the cloud market equip organisations with the understanding, skills and knowledge to make the right cloud decisions for now and for the future?

Adoption and understanding is all about transparency – it would benefit all our customers who are adopting cloud to know more about the day to day implementation of the shared services models in public cloud providers. For example, how do they go about supporting the backend services, how do they gain access to customer data should it be required, and what processes do they go through to ensure this is appropriate?

For helping customers I would like to see public cloud providers make process about security accessible – if you’re not a technical individual it can be incredibly hard to understand the products and solutions available. I think that providers should provide users with a simple sliding scale implementation to determine how much risk they are willing to take (potentially at a detriment to usability) across their products.

Building trust and confidence in the security of cloud computing services remains fundamental to the continued use of cloud services by organisations. What would you suggest is the one thing all companies should do to improve their cloud security?

We are big advocates of threat modelling. We would like to see more organisations spend the time and effort to confirm what they are building, how it can go wrong, what they’re doing to mitigate that; and then validate that they are doing them. On the last step, we spend a great deal of time applying the offensive mindset to our cloud platforms and infrastructure – carrying out Red Team Cyber Operations against our users and our system implementations. Applying this methodology, we have uncovered many potential improvements. We would recommend other organisations take this approach if they are able.

How can the cloud industry encourage someone considering a career focussed on cloud?

I would like to see more cloud providers release free, easy to access training materials alongside test environments to be able to learn in. The free credits that most cloud providers will give for students and new users are not enough to cover what is required to be exposed to a meaningful amount of technology that would allow them to get a strong start in the sector. I believe the cloud providers would see an excellent return on investment from these individuals as they bring the skills they have established and the loyalty to the cloud providers they have worked with into their future careers.

Laura Foster

Associate Director - Technology and Innovation, techUK

Laura is techUK’s Associate Director for Technology and Innovation.

She supports the application and expansion of emerging technologies, including Quantum Computing, High-Performance Computing, AR/VR/XR and Edge technologies, across the UK. As part of this, she works alongside techUK members and UK Government to champion long-term and sustainable innovation policy that will ensure the UK is a pioneer in science and technology.

Before joining techUK, Laura worked internationally as a conference researcher and producer covering enterprise adoption of emerging technologies. This included being part of the strategic team at London Tech Week.

Laura has a degree in History (BA Hons) from Durham University, focussing on regional social history. Outside of work she loves reading, travelling and supporting rugby team St. Helens, where she is from.

LinkedIn: www.linkedin.com/in/lauraalicefoster
