After the Cloud Wars Expo (CWE), I wanted to reflect on the event through the lens of cybersecurity. The expo featured speakers and attendees from some of the biggest names in the industry, including SAP, IBM, and Microsoft. The event also included many individuals eager to learn about the future of technology, cloud computing, and cybersecurity. Attempting to summarize all of the great conversations and dialogue that occurred in a single article would be challenging, but I’ll reflect back on some of the core cybersecurity topics discussed and key takeaways.
If there’s one thing that was evident regarding cybersecurity and the community at the event, it’s that Zero Trust is top of mind for nearly every organization and individual. That’s a far cry from the origins of the concept and term from early pioneers such as the Jericho Forum, John Kindervaag, and Forrester.
Participants were taken through a talk on the fundamentals of Zero Trust. This included a timeline of its origins to where we are today, with a fully published Federal Zero Trust Strategy and a robust ecosystem of vendor solutions to help organizations on their Zero Trust journey.
Conversations around what Zero Trust is leveraged some of the leading industry guidance such as NIST’s Zero Trust Architecture guide 800-207, the Cybersecurity and Infrastructure Security Agency’s (CISA)’s Zero Trust Maturity Model, and other key sources such as Google, Forrester, and others. Participants then heard from a panel of experts discussing Zero Trust business outcomes and the role Zero Trust plays in securely enabling the remote and distributed workforce of the modern digital economy.
Multi-Cloud Identity and Access Management (IAM)
Another key cornerstone of conversation was that the future is multi-cloud. Organizations are increasingly relying on the cloud for critical business processes, hosting their most sensitive workloads and powering their innovation in the ecosystem and marketplace. That said, managing IAM in a multi-cloud construct can be challenging, complex, and downright overwhelming for some.
CWE participants were able to hear from some of the emerging practices of multi-cloud IAM, such as those from industry leaders like HashiCorp, NIST, and others as well as some of the ever-present challenges of managing IAM across multi-cloud providers. Key concepts such as SSO, Federation, and least-permissive access control were all central to the conversation.
Cloud and Compliance Innovation
As organizations continue the rush to the cloud and mature their organizational practices and policies, one evident problem is that the legacy-based approach to compliance hasn’t kept pace and is disjointed by the dynamic nature of the cloud.
CWE attendees got to both hear about and discuss compliance innovations that cloud provides, including near real-time compliance assessments, inheriting security controls via the Shared Responsibility Model, Infrastructure-as-a-Code (IaC), and Compliance-as-a-Code (CaC). There was also an emphasis on the frequent misunderstandings of the Shared Responsibility Model and the need for cloud consumers to understand where the cloud provider’s responsibility ends and the consumers begins, as well as what responsibilities are shared.
Lastly, it was clear that while responsibilities may be shared, accountability isn’t. Consumers need to understand they own the risk from a regulatory and reputation perspective. This reality requires due diligence when selecting a CSP (content security policy) and working closely together to avoid common pitfalls and challenges.
Building on the conversation about enabling the remote workforce, minimizing security friction, and enhancing pursuits of Zero Trust, the CWE audience got to discuss passwordless authentication. Attendees heard stark statistics regarding the number of man hours wasted on trivial activities, such as password resets, that impede productivity and distract from value delivery to customers and stakeholders.
There was an emphasis on the number of data breaches and compromises that are tied to compromised credentials, largely usernames and passwords, and why it is an antiquated approach to modern authentication. The audience heard about innovative vendors operating in the passwordless authentication space, where the industry is headed, and how they can begin to adopt passwordless solutions to enable their workforce.
Minimizing Security Friction
An ever-present topic of discussion in the industry is how to minimize the causes of friction on the business and customers, both internally and externally. This topic was front and center at Cloud Wars Expo, as we dove into the topic of doing just that.
The discussion revolved around minimizing security friction for internal development teams through implementing guardrails for secure development over gates, empowering developers with modern security tooling, such as Snyk, and utilizing DevSecOps practices to bake security in vs. bolt it on. This ensures vulnerabilities are caught earlier in the system development life cycle (SDLC). It also ensures security isn’t seen as an inhibitor that comes in at the end of development and testing just to block deployments.
Shifting to the external customer focus, we discussed utilizing modern authentication, such as passwordless, to streamline the customer experience as well as enabling SSO to avoid authentication headaches. Discussions around minimizing the data collection for customers were paramount, with an emphasis on evolving privacy regulations, such as GDPR and CCPA, and soon others to follow, as customers get increasingly privacy-conscious.