In this episode of “Status Go,” host Jeff Ton invites Stan Smith, a seasoned cybersecurity expert, to debunk the myth that the cloud is not secure. As an IT professional, you understand the importance of cloud security, and this episode offers valuable insights and expert guidance on how to assess and control access levels, conduct effective training, and strengthen your organization’s cybersecurity posture. Stan, who has a background in military service and experience in integrating security postures for large systems, shares his wealth of knowledge on evaluating an organization’s preparedness. You’ll learn about essential documents to have in place, including a change management program and an incident response program, as well as the connection between cybersecurity and disaster recovery. Discover why conversations with organizations are crucial in uncovering their cybersecurity culture and focus. Gain practical advice on conducting assessments, including asking specific questions about security training and using infrastructure and data flow diagrams as effective tools.
About Stan Smith
Stanley Smith is a security-focused and solutions-oriented leader with more than two decades of experience establishing and facilitating IT solutions. Stanley transforms technical jargon into business-appropriate language and has an extensive background in directing and leading organizational improvements focused on cybersecurity oversight, governance, protection, and defense.
- Security Architect for Integrated Air & Missile Defense Program.
- Security Officer for hyperspectral aircraft integration for United States Army Intelligence and Security Command.
- Lead Cybersecurity Trainer for the National Aeronautics and Space Administration (NASA), and several Army and defense contracting organizations.
- US Army First Sergeant (ret.)
- Advisor to the US Army Research and Development Command’s Space and Terrestrial Communications Directorate.
- Network and Security Operations Center Manager.
- US Army Satellite Communications Operations Manager.
[00:00:45]: Myth Busters: The Cloud is Not Secure
[00:01:55]: Stan Smith’s Career Journey
[00:03:31]: Origin of the Myth
[00:06:42]: The Shared Responsibility Model
[00:10:36]: Security is STILL Your Responsibility
[00:12:42]: Security Audit in the Cloud
[00:16:46]: Common Security Issues
[00:19:39]: Where Do You Start?
[00:23:03]: Horror Stories from the Trenches
[00:26:47]: Office of Civil Rights and Cyber Security
[00:31:32]: Message to the Skeptic
[00:33:17]: Actions for Tomorrow
Stan Smith [00:00:00]:
The cloud is secure as long as you fulfill your responsibility in the shared responsibility model of cloud security, and it’s more secure than on-premise[s]. Those providers, especially the big boys, they are ready to secure your data, but you need to be ready to do your part.
Voice Over – Ben Miller [00:00:27]:
Technology is transforming how we think, how we lead, and how we win. From InterVision, this is Status Go, the show helping IT leaders move beyond the status quo, master their craft, and propel their IT vision.
Jeff Ton [00:00:45]:
Welcome back to Myth Busters: Cloud, Security, and Innovation. This month, we are focused on the intersection of cloud and security. A prevailing myth is that the cloud is not secure. We are here today with InterVision expert Stan Smith to bust that myth.
It’s true that security is one of the biggest concerns businesses have about technology in general. In fact, security is always top of mind on the “What Keeps You Up at Night” list for CIOs and CISOs alike. Security is a top concern for many businesses when it comes to cloud computing. But this is often based on a misunderstanding of how cloud security works. Stan is a vCISO, a virtual chief information security officer, and cybersecurity consultant for InterVision. He has not only helped many of our clients bust that myth, but he has helped marquee organizations like NASA and Northrop Grumman as well.
Stan. Welcome to Status Go.
Stan Smith [00:01:51]:
Hey. Hi, Jeff. It’s really nice to be here.
Jeff Ton [00:01:55]:
I am really looking forward to our conversation today. Stan, I know when we chatted a couple of weeks ago, we were really diving deep into cybersecurity and some of the common misconceptions. Before we get into that, I was wondering if you would share a bit about your career journey and what brought you to where you are today.
Stan Smith [00:02:15]:
Sure, Jeff. So, believe it or not, I had a couple of decades of military service. During that military service, I was essentially IT…support-type work, focused on satellite communications. But with that, all of those services that we used to provide a long, long time ago, not to date myself, used to be very disparate, very separate. But they all began to converge. And then, of course, security became a concern for everyone. So I began to focus on security in the later parts of my career. And then, as I transitioned from military after retirement, full-on security. Right. I taught security at NASA. I did things like integrate and create security postures for hyperspectral aircraft. I’ve done that for other large systems in DoD. I’ve trained and taught all sorts of security courses and classes for those same types of organizations. And now here I am, InterVision, helping guide and lead organizations through risk assessments and security postures, let them know where they are, and where they need to get. So, we’ve done pretty good work, and I absolutely love it.
Jeff Ton [00:03:31]:
I’m glad to hear that. I’m glad you’re on our side in all of this, man. I do appreciate that. As you know, we’re here to talk about the myth that some people still hold close that the cloud is not secure. I’d like to start with the roots of that myth. Where did this come from? Why do you think there are still folks out there that think the cloud is not secure?
Stan Smith [00:04:02]:
I believe that people believe the cloud is not secure because they have not, and the “they” is proverbial, it’s not everyone, the people who believe that don’t quite understand the shared security model. They don’t understand how we share that responsibility. And if they feel they don’t have control of or can’t ask how a provider is securing their data or securing their access, they don’t think it’s secure. So that’s one myth. And then let’s be clear. At the initiation of cloud resources and people moving their things into the cloud, the postures in the security practices were not what they are now. That has changed dramatically, and that’s why some people say the cloud is not secure.
Jeff Ton [00:04:54]:
Well, I believe it’s also true that when we hear about breaches in the cloud, most of the time, it’s either the client of the cloud lost or had their credentials compromised, or they had some setting that was exposing things publicly that shouldn’t have been. Am I perceiving that properly?
Stan Smith [00:05:26]:
So, you are absolutely correct. Right. So, what you probably found and what you’re referencing is, once again, we’re going right back to the shared responsibility model, the part that is owned by an organization versus the part that is secured by the cloud provider. That depends on the service that you have. And when you see a cloud breach, in all likelihood, it’s a misconfiguration from the client side. Right. And there can be all sorts of misconfigurations. You can do identity access misconfiguration. You can have insecure API keys, depending on what type of service you’re using. There’s all sorts of things that can go wrong. And it’s typically the client side because the cloud service providers, especially AWS and Azure, they have made some heavy, heavy investments into security. Heavy investments into security. And it’s very well done, and I trust it. It’s done well. And as long as you do your part, it’s secure.
Jeff Ton [00:06:42]:
That was part of what won me over years ago as a CIO. I’ll date myself and say it was the early days of the cloud…was this whole concept of comparing my cybersecurity budget to their cybersecurity budget. And when you started talking in budget amounts in the B’s of billions, it was like, no question. Well, let’s dive into this shared security model. For those that might not be familiar with it, what is the shared security model, and where does that mean my responsibility begins and ends?
Stan Smith [00:07:23]:
So, your shared security model really circles around the level of service, the service that you have purchased from your provider. So, let’s compare them with on-premises first. If you have your servers on-premise[s], what are you responsible for? You’re responsible for all of it, right? Everything from the network controls to making sure the infrastructure is up to date, the physical security, identity, access management, endpoint protection, all of that is yours because you own it all.
Now when we move into the cloud, and in this example, I’ll start at the not as much of the client’s responsibility stuff. So, SaaS, right? Software as a service, for software as a service, the physical security is most certainly not yours, right? Because where does that hardware live? In somebody else’s data center. They have their own guards; they have their own stuff. The infrastructure that that device lives in guess what…that is for the provider. Why? Because they have it. And you know that’s, right? From the hardware itself, the power to that hardware, the hypervisor, everything, all of it, the underlying operating system, everything belongs to the provider. Now when we start talking about, when we say SaaS, that means now you have to concern yourself with the ID, and access management probably belongs to the client, not the provider. So that’s one of the core differences for something like a SaaS and data classification and accountability, that’s always going to be a client because you know your data, you choose what’s important to you inside of your own, relating to your own data.
Then moving up to platform as a service, it changes ever so slightly, right? Everything from physical security now that’s still on the provider side, infrastructure, network, monitoring your network. Now when we start looking at what applications are doing, right? And what applications are allowed to do and the controls implemented upon them. So now we’re really sharing that because depending upon what that app has to do, that’s a shared piece. But then, when we start talking about endpoint protection, that is definitely on the client.
And then I guess the other one is mostly infrastructure as a service itself, where you have everything except the hypervisor is really on the client, right? So, the provider got your physical security, probably got you up to the hypervisor after that, as far as software is concerned…it’s on the client to maintain that security posture, patch everything, make sure everything is up to date.
And that’s what we mean by this shared security model. And there are also mixes in there that as you select the provider, you ensure that they are absolutely 100%, everybody knows who’s responsible for what and where that demarcation line is. And that is essentially what the shared responsibility model is.
Jeff Ton [00:10:36]:
Now as a vCISO and a CISO for previous organizations, even with the shared responsibility model security across the spectrum, that’s still on you, right? You have to do your due diligence and check to make sure that you understand where the line is. And you have to check to be sure…kind of that trust but verify…make sure that the cloud providers are doing what they say they’re doing, right?
Stan Smith [00:11:10]:
That is exactly it. I was going to use that exact same line because I love that. Yeah. You can audit your security. You can audit your cloud provider. Right. It is still upon you and your efforts to ensure that what they are doing, what they claim to be doing, is what they are doing. It is still your data. It is still your organization’s lifeblood. So, guess what? It is still your responsibility to ensure that what they are doing is in line with what you needed to do.
The best part about that in general, is some of the more stringent requirements, either regulatory or voluntary compliance requirements, the cloud guys do a great job of handling a lot of that for you. So, it’s a wonderful way to be in the cloud. And that’s another piece of why the cloud is, is so, so good for so many people because it makes auditing a lot easier. It makes, when I say compliance, things like PCI for sure, easier. HIPAA easier, right. CMMC easier. All of that stuff is significantly easier because like Azure, AWS, they have built in its, built into it the way they do business. The architecture makes it compliant with some of these requirements and frameworks.
Jeff Ton [00:12:42]:
Well, it’s in their best interest to make sure that they’re following those protocols and those security procedures because that’s their whole business model, right, is that I’m going to put my crown jewels in their data center, so they’re going to make sure that they dot the I’s, cross the T’s, and do all of those things. When you mentioned compliance, and I know we’re going to talk about this a little bit further here in a few minutes, it does help with some of those compliance certifications that you have to go through. But you also mentioned auditing. How does that work? When I’m a customer of AWS, what does that look like for me to say? I want to audit their security.
Stan Smith [00:13:34]:
Yeah. So that’s a request. So, depending upon your level of service, you have an opportunity to say, hey, AWS, hey Azure, I would like to see what you’re doing. And typically, it’s going to be a formalized request. And they say, this is what we are doing. They show you what they’re doing, and they can literally show you what they’re doing and how they are securing your data. And that is just your request and your due diligence to give you that ability to sleep at night, that your data is secure.
Jeff Ton [00:14:07]:
And how often do you recommend a client ask AWS or Azure, or Google for that kind of due diligence on auditing what they’re doing for security? Yearly?
Stan Smith [00:14:24]:
Jeff Ton [00:14:25]:
Okay, so it should be part of my annual health checkup. I know you’re checking on things more often than annually. I’m not saying you should do that only once a year, but once a year, you should do that like some of your other compliance frameworks, right?
Stan Smith [00:14:40]:
Absolutely. Yeah. And that’s fine. And the reason it’s once a year, how can I put it? Let me make sure I say this the right way. I guess that’s probably not any less frequent than a year. This is a fast-moving target. The target of security moves fast. So definitely don’t do it any less than a year. But your year is truly a minimum. You pay attention, watch the changes, stay up to date, and then make sure your provider stays up to date.
Also because in the shared security model, you may have some requirements that you aren’t aware of that your provider is. You may want to keep that going. Yeah, about a year is good. More if you’d like. If you have more strict requirements or you have, I would say that probably the best term is if you fall under regulatory compliance, that can result in monetary fines. We probably want to do that more often. HIPAA, some of the fines that can come from PCI DSS, those are, I would check that more than those can…
Jeff Ton [00:16:06]:
Be significant depending on your volume.
Stan Smith [00:16:09]:
Jeff Ton [00:16:09]:
Well, Stan, we’re going to pause right there for a word from InterVision. InterVision, as our listeners know, is the publisher of the Status Go podcast.
Voice Over – Ben Miller [00:16:25]:
Unlock The Power of More with InterVision systems. We provide the cutting-edge technology and expert guidance you need to take your business to the next level. Don’t settle for less. Choose InterVision Systems and discover what’s possible. Contact us now to learn more.
Jeff Ton [00:16:46]:
All right! And if you do want to contact InterVision, go to InterVision.com/myths. You can find additional information about this myth that we are busting this month. You can also look at some of the myths that we have busted in past months. It’s a great resource for you as you’re contemplating your cloud journey, no matter where you are in that cloud journey.
Today we’re talking with Stan Smith. Stan is a vCISO here at InterVision, and we’ve been talking about the shared security model. And now, Stan, I’d like to pivot, and I’d like to talk a little bit about what are some of the common issues that you see with the implementation of this shared responsibility model. When you go into a customer site, what are some things that you see that are most common?
Stan Smith [00:17:39]:
Without a doubt, the biggest one and the most glaring one is identity access management misconfiguration. There can be a disconnect between the SaaS service itself and the people who are purchasing that service. Typically, what happens is…as can happen in any – you can do this on-premise[s]. You can do this in the cloud. It doesn’t matter. You see a proliferation of privilege that people do not need to have. You see people attempting to not use multifactor authentication. And we know that in this day and age you should be using multifactor authentication at this point. So those are the things, right?
It’s the same stuff that causes the most concerns on-premise[s]. It’s the same thing that you see in the cloud, to be honest. Right. I guess behind that one, I would say, because there is a bit of a problem with and it’s not the cloud, right? It’s just, once again, another misconfiguration is you have a tendency to see insecure access to once again, it’s kind of identity access management to VMs, right? Not securing access to your virtual machines. That’s another really tough one that we see happening. And I would say last thing that we see is dealing with backups. People aren’t doing the greatest work in securing their backups as they push them or pull them from the cloud as far as how it is being secured in transit. They have a tendency to do that incorrectly. So that’s the things that I notice right off the bat most of the time.
Jeff Ton [00:19:39]:
Yeah, well, and I know from talking with Adam Scamihorn from InterVision, Adam is the product manager for Disaster Recovery and Backups. That’s a huge part of cybersecurity that sometimes gets overlooked, right? You want to make sure that you’ve got an immutable copy of your backup…that can’t be changed so that you protect your data.
When you walk into a client, say this is the first time, and you’ve been engaged, where do you start? What’s that process look like?
Stan Smith [00:20:14]:
So, if you want to know the total and complete truth, start with a conversation. Okay, so a lot of people, when you think about cybersecurity, and you go in, and you want to see how everybody’s doing, and you want to immediately hop on a machine and check out servers and what’s going on and all no, I sit down, and we have a conversation. Because one of the things you can do with a conversation focused on security and the business itself and what they do is you can ascertain culture quickly. Doesn’t take long. We will know. I want to say I’ll know if an organization has a focus on security, I will know if an organization is taking it seriously, right?
And from there, I’m able to ask the right questions. How do you guys do security training? Do you train your security personnel in addition to something like phishing training, right? Because your security analyst, he’s got to do his phishing training, but you should also give him something else, right? So, you ask those types of questions, and then once you get a lay of the land, culture wise, it has a tendency to let you know where you need to go from there. You know where to point. Because once you have a lot of the ideas and you get, and I’ll tell you, anybody who’s going to go assess anything, you need two things immediately. You need an infrastructure diagram and a data flow diagram, right? You’re going to start there and then.
Jeff Ton [00:21:50]:
Hopefully, they have those, and hopefully they…
Stan Smith [00:21:53]:
…have those, because that’s another indication, right? If you don’t have those, I guarantee you don’t have a change management program. I guarantee you may not even have an Incident Response program. But ultimately, when we’re talking about disaster recovery, being part of Cybersecurity, right, that’s where ultimately it typically ends up, right? I say, hey, can you share your business continuity plan? Can you share your risk assessment? Can I see your incident response plan?
Those things, when you go through those and if they are clearly thought out, make sense and line up with the people, technology, and processes that that organization has in place. You know, that is an organization that cares or has the funds to do it, right? Because there’s a balance. They have to take a balance between the funds they’re able to do and the things they’re able to purchase versus what they would like to do.
But anywhere in there, then that’s where I pivot from. I pivot from those conversations, those particular documents, and then I know where to go to dig deeper to really get a good idea of the gaps and how we’re going to fill them.
Jeff Ton [00:23:03]:
I love that you start with a conversation to find out where they are, right? Because we want to meet them where they are. So, without sharing any names, Stan, any company names, what’s kind of the nightmare scenario that you walked into in your career? What were some of the things that were going on, or not going on, as the case may be?
Stan Smith [00:23:27]:
I would say my nightmare scenario, I would say the worst. Yeah, no names. Definitely no names. No names. It was an organization that had to be compliant with PCI DSS, of all of the requirements. And PCI DSS is a very prescriptive framework. It is unrelenting. It tells you exactly what you should do. Right. And I would have to say that they were probably in accordance with and following the rules in maybe one place. Wow, it was bad. It was very bad.
What had occurred was that they decided to go in the opposite direction of what a lot of people do. A lot of people have card data environments, and they get it all built up, and it’s firewalled the right way, it’s scoped out right, it’s good. And then eventually they say, we’re going to give this all to a third party. And then all of the point-of-sale machines show up, and the software shows up, and they say, get these servers out of here, we’re going to let this big organization do it for us. They went the other way. So they had point-of-sale stuff, some software had third parties, and then they decided to build their own. They perceived that there would be some savings if they dropped the third-party provider and tried to build it on their own. That was not the case. They believed they had gotten a quick assessment to say how they were doing. The person went in and said, oh, you guys are great. And then the QSA came in, and yeah, they weren’t so great. It was pretty bad, right?
Jeff Ton [00:25:34]:
Is that why they called you in?
Stan Smith [00:25:36]:
So I get called in not because I’m a QSA, I am no QSA. Right. After that, yeah, I get called in to assist with the help. Can someone start guiding us? QSA is going to tell you where you went wrong. Right. They’re going to show you where you went wrong. But as far as implementing and understanding, those aren’t the same thing. Right? And you have to understand the implementation. And the unfortunate part was they didn’t know, didn’t know what they were supposed to do. And they thought they had got an honest assessment from someone, and they hadn’t.
So, we began to parse through the data, parse through the requirements, making certain that and then telling them, hey, this is what you’re going to have to do. You must have this. You must. Right? And long story short, they went back to the third-party provider, and the game was over. So those servers were gone. None of that. They just stopped, and they just started using the third-party provider. And I can’t blame them. It’s a mountain to climb.
Jeff Ton [00:26:47]:
It is. And again, it points to the value of having a lot of your applications and a lot of your data in the cloud because some of that onerous compliance framework gets shifted to the cloud provider. Now, Stan, when you and I talked a couple of weeks ago, you blew my mind with something that you told me about the fact that the Office for Civil Rights gets involved in cyber breaches. First of all, why and how did you come to learn about this?
Stan Smith [00:27:27]:
So, the why is really not all that complicated. Right? The why is because it is your right to have access to your medical information and your medical data. If someone refuses to give that to you, that’s a breach of your civil rights. The Health and Human Services Office of Civil Rights will absolutely come knocking on your door when you have something like a breach. And you’re required to be compliant with HIPAA, especially if there’s electronic private health information involved because you have lost personal health records. Right. And they will come, and they will make certain that you have done what you said you were going to do through several steps, but you get opportunities to get it right. If you don’t get it right, or you clearly show no due diligence, then they turn to their bigger brother, the Department of Justice. And the Department of Justice can? Absolutely. And that’s where the heavy fines, all the other stuff comes from, and nobody wants that. Right?
And how did I come to learn that? The first time, I walked into an environment where I was just a consultant, and they had had a breach. I did my best to do all the research I could into HIPAA because I hadn’t had a lot of knowledge on it. Right. But, you know, in the cybersecurity world, the best thing you can do is read and learn. So, they had had a breach, and as I am sitting, not leading the charge, but off of the main table as everybody is discussing what needs to happen, look who calls in to, at the time, I think it was like a Cisco telepresence. It was the Office of Civil Rights. And I was taken, I was shocked. I didn’t know that it had gotten to that level. So, I dug deeper and realized, wow, this is real. Right. So now I have a pretty deep understanding of the HIPAA Security Rule, the HIPAA Privacy Rule. Right. And I do my best to help those organizations where those things have happened to them.
But more importantly, I like preventive. Right. So, when you go into the organization, and they are bound by that regulatory requirement, there are some key things I go after immediately. Right. And that’s the key. Right. It’s all about the prevention of and in a lot of cases, for when you have to deal with the OCR, it’s really about did you put forth the effort.
Jeff Ton [00:30:23]:
Stan Smith [00:30:24]:
They understand [that] breaches occur. That organization does not appear to go after anyone just because you were breached. Right. They want to make sure that you make yourself whole and that you’ve done what’s necessary. But if you have really put forth a true best effort into securing your systems and you were still breached, right? I don’t believe that it’s in their, in their, in their I can’t, I can’t say I’m not certain about the term. I do not believe it is in their charter to go after that. Right. Because breaches occur all the time. And until we overall decide that we follow certain standards, and we are able there, and we get our cybersecurity workforce to a level where everybody has someone, or at least most everybody has someone, and the knowledge is proliferated enough, it’s going to continue well, even for ours.
Jeff Ton [00:31:32]:
Listeners who are not in the traditional healthcare industry may have personal health information in their HRIS system or in their email system, for Pete’s sake. So, it is something that you have to pay attention to. And we will put a link to the Office of Civil Rights, to that page that talks about the cybersecurity breaches. We’ll put a link to that in the show notes.
We are here to bust the myth that the cloud is not secure. So, Stan, you’re talking with an IT leader, and he or she tells you, I’m not putting anything in the cloud. It’s not secure. How do you respond to that?
Stan Smith [00:32:23]:
I respond to them by saying the cloud is secure as long as you fulfill your responsibility in the shared responsibility model of cloud security. And it’s more secure than on-premise[s] because, let’s call it what it is, those providers, especially the big boys, they watch it constantly. They have experts watching it constantly. They are updating more quickly than you possibly could imagine. And the investments they’ve put into security are probably more than you can do at your level with on-premise[s] things. They are ready to secure your data, but you need to be ready to do your part.
Jeff Ton [00:33:17]:
I love that. That’s a perfect response. Now for our listeners out there that are thinking, man, I really need to do something. What’s one or two things that they should go do tomorrow? Because they listen to our conversation about cloud security today?
Stan Smith [00:33:34]:
I would say immediately, look at your own organization’s level of access by role. That’s what I would do. Make certain that everybody in your organization has the least privileged access for what they do, right? That’s the first thing. And make certain that people who have changed roles do not have several different levels of access because they’ve been in several different roles, right? It’s a typical audit thing, but that’s something they can do on their own. So that’s number one.
And honestly, number two is because the true soft, gooey, vulnerable center of any good security practice is people. Make certain your people are trained, right? And that’s in two ways. One, train your overall organization on the number one vector of attack: phishing. Do it often and do it well. And then the other part of the training, your cyber professionals, give them some training. Do not force them to go to YouTube to learn a thing. Bring in some professionals, and pay for some of the training that they require to make your organization more secure.
Those are the two things I would tell people to do immediately.
Jeff Ton [00:35:03]:
I love that. It reminds me of an episode that we had a couple of months ago with author George Finney. He wrote The Zero Trust Project, and he talks about the saying that people are the weakest link. And he says, no, people are the only link. They’re the ones that you have to focus on. So, Stan, thank you so much for carving out time to talk with us today. Really appreciate it, man.
Stan Smith [00:35:32]:
Hey, anytime, anytime, Jeff. This was great. This is very interesting to me. I get to talk. It’s nice.
Jeff Ton [00:35:40]:
Well, there you have it. Myth busted! The cloud is secure if you understand the shared responsibility model. If you have a question or want to learn more, visit InterVision.com/myths. As I mentioned earlier, you can see some of the myths that we are busting and maybe a preview of some of the myths that are still upcoming. To see the show notes for this episode, visit InterVision.com/status-go. Those show notes will provide links and contact information. This is Jeff for Stan Smith. Thank you very much for listening.
Voice Over – Ben Miller [00:36:24]:
You’ve been listening to the Status Go podcast. You can subscribe on iTunes or get more information at InterVision.com. If you’d like to contribute to the conversation, find InterVision on Facebook, LinkedIn, or Twitter.