RSAC 2015: RSA Conference (Day 2)

Shadow IT isn't the problem, complacency is

Page 3 of 5

Ken Baylor, CISO, Pivotal

Q: With all the FUD around shadow IT, are we focused on the “wrong suspects” with cloud security?

Ken Baylor (KB): Information security does not have a moral right to dictate what is acceptable to the business.

They serve the business, they advise the business, they assist with crystallizing the risk appetite of the company and they enforce the agreed-upon standards. If the business is investing heavily in Shadow IT, then something is out of alignment. The culprit could be Information Security.

SaaS adoption is rapid. InfoSec should focus on protecting the critical data, rather than serve as a doorstop.

Q: What advice do you have for organizations assessing their SaaS contracts in order to establish a clear and actionable model of shared responsibility?

KB: First, establish what data is proposed to go into the cloud. That sets the tone for all due diligence. Second, establish how people authenticate. Multifactor authentication is preferred. Also, there are tools that should be employed to tell you who is accessing which documents, from which device and from a certain location.

Third, focus on de-provisioning users: ensuring ex-employees do not have access to current data is key. Fourth, focus on logging: is there a log of which users touched which documents? Can you have access to them? Will the SaaS provider notify you in the event of an attempted breach? If so, what is the SLA? Can you enforce it?
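The de-provisioning and logging points in the answer above translate into two routine checks a security team can run against what the provider hands back: reconcile the tenant's enabled-user export against the HR roster to find accounts that should have been removed, and scan the provider's document-access log for activity by someone after their last day. The script below is an added example and is not code from the interview or from any particular SaaS provider; the CSV export, roster, and log formats (and every address and document name in them) are constructed for the example, and the service-account allowlist is an assumption about how non-human accounts with no HR record would be handled.

```python
"""Reconcile a SaaS user export against the HR roster and check the
provider's document-access log for activity by people who have left.

Added example illustrating the de-provisioning and logging checks; the
export, roster and log formats below are constructed for the example and
a real provider's CSV/JSON schema will differ.
"""
import csv
import io
from datetime import datetime, timezone

# --- Constructed sample data (not from any real provider or tenant) ---------

# HR roster: everyone who currently holds an active account at the company.
HR_ACTIVE = {"alice@example.com", "bob@example.com", "dana@example.com"}

# HR separations: each former employee's last day (UTC).
HR_TERMINATED = {
    "carol@example.com": datetime(2015, 4, 10, tzinfo=timezone.utc),
}

# Accounts the SaaS tenant still reports as enabled, as a CSV export.
SAAS_USER_EXPORT = """email,status,last_login
Alice@Example.com,active,2015-04-20T09:12:00Z
bob@example.com,active,2015-04-19T17:40:00Z
carol@example.com,active,2015-04-14T08:03:00Z
svc-backup@example.com,active,2015-04-21T02:00:00Z
"""

# Document-access log from the provider: who touched which document, when, from where.
SAAS_ACCESS_LOG = """timestamp,user,action,document,ip
2015-04-09T15:30:00Z,carol@example.com,view,Q2-roadmap.pptx,203.0.113.7
2015-04-14T08:03:00Z,carol@example.com,download,customer-list.xlsx,198.51.100.23
2015-04-20T09:12:00Z,alice@example.com,edit,Q2-roadmap.pptx,203.0.113.7
"""

# Assumed allowlist of non-human accounts that legitimately have no HR record.
SERVICE_ACCOUNT_ALLOWLIST = {"svc-backup@example.com"}


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed export/log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_orphaned_accounts(export_csv, hr_active, allowlist):
    """Return enabled SaaS accounts whose owner is not on the active HR roster.

    Addresses are compared case-insensitively, and allowlisted service
    accounts are skipped so they do not show up as false positives.
    """
    active = {e.lower() for e in hr_active}
    orphans = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["status"] != "active":
            continue
        email = row["email"].strip().lower()
        if email in active or email in allowlist:
            continue
        orphans.append(email)
    return sorted(orphans)


def post_termination_access(log_csv, hr_terminated):
    """Return (user, timestamp, action, document) for every logged access by a
    former employee that occurred after that person's last day."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        user = row["user"].strip().lower()
        last_day = hr_terminated.get(user)
        if last_day is None:
            continue
        if _parse_ts(row["timestamp"]) > last_day:
            findings.append((user, row["timestamp"], row["action"], row["document"]))
    return findings


if __name__ == "__main__":
    for email in find_orphaned_accounts(SAAS_USER_EXPORT, HR_ACTIVE, SERVICE_ACCOUNT_ALLOWLIST):
        print(f"DE-PROVISION: {email} is enabled in the tenant but not on the HR roster")
    for user, ts, action, doc in post_termination_access(SAAS_ACCESS_LOG, HR_TERMINATED):
        print(f"INVESTIGATE: {user} performed {action} on {doc} at {ts}, after separation")
```

The second check is the one that shows why the answer insists on having access to the provider's per-document log rather than only a list of enabled users: the orphaned-account report tells you the account was never disabled, but only the access log tells you whether the former employee actually downloaded anything in the gap. Running the reconciliation on a schedule, with the HR roster as the source of truth, is what makes de-provisioning verifiable rather than assumed.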

Q: What do you see as one of the biggest security risks that organizations should be addressing with SaaS deployments?

KB: Losing control of critical IP, including trade secrets, and having these breached through careless sharing or by hacking the provider or customer endpoint.

Q: Lack of security budget is often cited as an obstacle. What can CISOs do to get the budget they need for cloud security?

KB: The data they seek to protect is the data that is critical to the brand and goodwill of the company. It is a small price to keep it safe.
