By: Carol Vercellino, CEO & Co-Founder
Because of COVID19, companies of all sizes are accelerating their digital transformation programs.
Many are moving their data to the cloud without all the security controls necessary to protect theirs and their customer’s data because it could slow down the digital transformation process.
But, this leaves them vulnerable to cyber attacks and being out of compliance with data protection regulations.
Our CEO and Co-Founder, Carol Vercellino hosted a Q&A with Josh Wyatt, the Chief Information Security Officer with InfiniaML, a machine learning business solutions company.
Watch the video below or read through our condensed transcription to learn what you need to know to manage your company’s data security as you migrate to Amazon Web Services or the cloud.
Oak City Labs: Could you give us a quick introduction to InfiniaML and what you do there?
Josh Wyatt: We’re a technology enabled services company.
We do a lot of high-level client projects focused around machine learning and other aspects of artificial intelligence, usually to solve some kind of business problem that [a company] has had trouble solving in conventional ways.
We also have a product suite that includes a library and some other toolings that we use in conjunction with delivery of these services.
We have a pretty healthy client base. We have an outstanding team, and what I would estimate is probably the top 0.5 % of machine learning talent in the country, if not the world.
OCL: What do you think, in terms of data and security, matters now more than ever?
JW: Going back historically, there was a huge focus on centralized security. When you have people in a central location, it’s a lot easier to monitor activity on the network, for example. With server-centric infrastructure, it’s also very similar.
These days – and this necessarily wasn’t started by the COVID-19 situation, but it certainly made it more interesting – things are more decentralized. There’s Google’s initiatives that strongly espouse endpoint security, and I think that’s where things are headed. COVID-19 brought it even more to the forefront because employee bases are now 100% remote for a lot of technology organizations.
Monitoring activity in distributed scenarios is also pretty challenging. There are tool sets out there in the space that I would not call quite mature. I’m sure some vendors would disagree with that in regards to their offerings, but it’s more challenging than ever on that front.
And obviously, cloud has made that more challenging with people embracing Amazon Web Services and Infrastructure in the Cloud and distributed environments.
OCL: When you say endpoint security, what’s the definition of that?
JW: A great example is data loss prevention tooling. In the old days, that was pretty easy to do. You’d set some kind of sensor on a centralized point or a chokepoint, and watch for behavioral patterns, like large outbound data transfers or things of that nature.
That’s much, much more challenging with a distributed workforce where people are working from home or working from other places and there’s no single chokepoint.
The chokepoint actually moves out to the edge of the network where people are doing their work and in a distributed fashion versus more centralized.
OCL: Do you have a recommendation for companies who want to better manage their data security? Do they speak to a vendor, purchase software tools, or manage via their policies and procedures for staff?
JW: Great question. I think 100% start with culture and training. Let your organization know that this is something you value and is important. The tools don’t matter because you could evaluate and choose a tool, and then 6 months later, choose a different one based on who’s the frontrunner in the space. I’m a little loath to recommend specific tools because of the variability in the market right now.
OCL: Do you think there’s an opportunity in the data security space for better innovation when it comes to data security software?
JW: I do. The trend I see is that the larger entities that are big in the network space, they have solutions, but they generally tend to be heavy handed. And for someone like us with 35 employees, we’re probably not going to deploy some massive heavy-handed solution to basically spy on our employee base. We want to have an environment where we trust people to do their work and make sure they are aware of the consequences of any kind of failure on that front.
In your initial intro, you were talking about how folks are racing to move data or infrastructure out to the cloud to accommodate these remote working scenarios. That doesn’t “ad hoc” happen – it happens quickly – but it’s usually part of a plan, and that plan needs to include management around risk.
OCL: What do you think are some of the top security threats when moving to the cloud?
JW: The biggest one is you have to be an informed consumer of any kind of service or product before you give your money or your crown jewels, the data for your business, to someone. You need to understand the risk you’re assuming.
Every service offers some level of control, and so, there’s just diligence you need to do. It’s like anything else you buy, a car or insurance, you need to understand the value proposition and what the risks are, and have a plan for managing that risk as you make that move.
OCL: Is there anything specific you would look for in an AWS infrastructure to manage risks?
JW: As always, understand the architecture of what you’re moving. In the first place, it’s never just a lift and shift from on premises to the cloud. It frequently requires a re-architecture of your application. Remember, you’re in a shared environment instead of a dedicated environment, and that comes with some risks.
Always review the compliance standards from wherever you’re moving to. Amazon’s are pretty good, and they have to be. Ideally, anyone who is making this move also understands their compliance landscape too. Health organizations and CRO’s, they’re going to know about HIPAA, HITECH & HITRUST. Anyone that’s into ecommerce understands the implications of PCI, and things of that nature. You’re going to do some diligence.
Specific to Amazon, though, I’d recommend making sure that you have a threat assessment program that involves audits and testing. You can hire a consultant who can give you best practices, you implement them, put those best practices in your backlog, and then prioritize them and implement them. Or you can hire a penetration tester to come in every quarter to give you a full report of your exposure, which could also feed a backlog.
OCL: Do you have recommendations for creating a data security budget?
JW: You need to understand your industry, business landscape, and what your competition looks like. That’s always the case with budgets too, right? Is your competitor spending more or less than you are?
For us, the nature of our business is data, and we deal with a lot of data, and our customers are very sensitive about it. You won’t see very many 35-person companies with a Chief Information Security Officer. You may want to position data security as a competitive advantage.
The budget also comes down to the value system of the leadership. What do they value? What is important? That’s frequently driven by the customer base. Some customers may have no requirements and some may have stringent requirements.
For a larger organization, you may have many, many clients that demand something from you, and they will drive what your trajectory looks like when it comes to data security.
OCL: What are some common mistakes companies make when shifting from on premise to the cloud?
JW: Like any other set of risks, the key piece is you want everybody on the same page. For example, you say, this product we’re building is going to be in production, and there’ll be no defects in it, security or otherwise.
You also don’t want a surprise on day 10 after a release that there’s a huge security breach. All your client data has been released and somebody knew about that defect, but it wasn’t managed. That’s shockingly common.
OCL: When should someone bring in a security consultant?
JW: This is a question of generalization versus specialization. At the concept stage, someone needs to have a mindset around security. It may not be a dedicated individual, but it has to be a consideration. At the point where you perceive the risk is too high for you to manage with the expertise you have on hand, that’s when you start having a discussion internally with the leadership team about the strategy for managing the risks.
OCL: Do you have any resources people check out if they want to learn more about security and data protection?
JW: A very important one is just to stay aware of what’s going on in the threat landscape. The U.S. Cybersecurity & Infrastructure Security Agency is an excellent resource for staying up to date.
Another great resource for me is Brian Kreb’s security blog. He’s a cross between a security technologist and an investigative journalist. His writing style is accessible, and he posts frequent updates.
If you’re in a sensitive space, most law enforcement type organizations will have resources. And it’s better to establish that relationship early and often, so if and when you have a security breach, you have an established relationship.
OCL: What’s one step a company or person could take right now to move forward in putting the proper protections or security controls in place?
JW: The very first thing is to do an assessment. You can do it yourself or hire an external entity to do it for you.
Assessment is a very broad term. It could mean anything from asking someone’s opinion of your environment or infrastructure configuration, all the way up to organized penetration tests.
But do some sort of assessment. Imagine if you walk into a dark room, and you have a flashlight and shine it around a bit. What are some things you can stump your toe on? What are the things you might fall over? Is there someone hiding in the corner?
There are lots of different flashlights and lots of different ways to do exploratory things. You probably already have an idea of what you’re concerned or not concerned about, and that’s a great place to start.
An assessment will give you something actionable to walk away with and plan some work around.
**The above interview has been transcribed for clarity and brevity.**