March 17, 2021

Preparing for Cloud Migrations from a CISO Perspective, Part 1



Topics covered:

  • Why do you think so many CISOs of traditional organizations fear cloud migrations?
  • What is your best advice to a CISO who wants to migrate to the cloud using the on-premise playbook, or lift and shift? 
  • What are the real tradeoffs in this decision such as using familiar tools/practices vs cloud benefits/effectiveness? 
  • What would you recommend reading for a CISO managing their first cloud migration?

Do you have something cool to share? Some questions? Let us know:


Peacock: Hi, there. Welcome to the Cloud Security Podcast. Thank you for joining us today. Your hosts here are myself, Tim Peacock, product manager for threat detection here at Google Cloud, and Anton Chuvakin, a tamed and reformed former Gartner analyst and member of the cloud security team here at Google. You can find this podcast wherever podcasts are distributed and at our website when, we promise, eventually launch it. Until then and after, you can follow us on Twitter, Our guests today, I couldn't be more excited about them. We've got Phil Venables, Vice President Chief Information Security Officer--see-so, kee-so, I don't know if we want a hard or soft "c" here--at Google Cloud, and Nick Godfrey, Director of Financial Services Security and Compliance, both, and a member of the office of the CISO here at Google Cloud.

Chuvakin: Thank you, Tim. And I want to give a quick inspiration for this episode. So one of the challenges I've encountered is that many security leaders, CISOs, directors of security are kinda still struggling with migration to the cloud, and sometimes what I've observed is they struggle specifically with the on-premise thinking that sort of pervades their migration to the cloud so they kind of move to the cloud, but in their minds, they're still in the data center. So we wanted to chat with our CISO experts about how to solve those problems. It's probably gonna be a two-part episode. We're gonna chat with our CISOs here about cloud migration challenges and hopefully help our clients prospects to migrate to the cloud with security in mind and using the cloud playbook. So our first question is why do you think so many CISOs of traditional organizations fear cloud migrations?

Venables: Let's be honest, and I'm being perhaps slightly cynical here, but anyone that's been a CISO in any sizable organization like Nick and I have for a long time on the enterprise side have learnt through kind of lots of experience that new is rarely something great from a security perspective, and so I can empathize with a lot of the careful reaction of CISOs when faced with kind of anything new, in particular cloud. And I think in that same vein, a lot of CISOs have had experience of migrations and large-scale change that have historically also not been pleasant experiences, and I would say up until the past few years cloud migrations were often especially difficult migrations. Again, up until recently, there's also been quite a significant absence of tools and services to help not just IT teams but specifically security teams about whole migration, so I can definitely understand the fear and in my prior roles have certainly had quite a high degree of trepidation about doing some of these migrations. The one thing I would say though over the past at least two years, I would say all of the cloud providers, but of course especially Google Cloud, we've done a lot more in terms of helping CISOs think through that whole security transformation journey and then to help people realize the security opportunities that do actually come with a cloud migration given the capabilities and tooling. And I think also we've made a lot more advances in making available more secured defaults, more layered defense in depth, and also broader tools and services for their IT colleagues and business colleagues to help with the whole migration, so I actually think there's, like with any change, there's reason to be cautious and plan appropriately, but I think ultimately now the balance is tipped, and we see this in a lot of major customers that are starting to realize the significant opportunities that they get in terms of improving security by a cloud migration. And I think we're starting to see many CISO now realizing that they should get behind this and push as fast as they can because that's their path to improving security.

Chuvakin: But does it mean that they are kind of becoming more aware of the cloud playbook rather than an on-prem playbook for moving to the cloud?

Venables: I think again as part of the security transformation, I think many people are realizing that there's a different and often improved way of doing security in the cloud, and in many respects, they're starting to try and bring that back into the on-premise environment for environments that may not be transitioning soon or that are staying where they are but are connected to the cloud environment. So I think the cloud playbook is making its way inside the enterprise.

Chuvakin: So Nick, got anything to add?

Godfrey: Phil said it spot on I think. One thing I'll add is the period of transition for the CISO is pretty daunting as well. There's even if you can understand and accept that the end state of being cloud native is better as Phil said. You know, there's no CISO that I've ever met that feel that they're work here is done, you know managing their current environments and the current complexities and the technical and the threats and everything. And so they're already very, very busy and what transitioning to the cloud means in some respects is instead of having that mess to manage, that complexity to manage, you've also now got a new control paradigm and new control planes to oversee as well, the cloud and on-premise concurrently, and you may have that for some period of time before you get to a majority cloud-based environment. So that's quite a daunting thing for a CISO to work through I think

Peacock: That makes a ton of sense, and Nick, the next question's for you. Aside from perhaps some therapy for the years of accumulated cloud trauma, what your advice for a CISO who wants to migrate to the cloud using a more traditional approach? Like, what would you say to somebody who's trying to do a lift and shift?

Godfrey: Irrespective of what you think the approach is, I think the first thing that the CISO has gotta do is kinda look up and out at what's actually gonna be going on within their wider company. All right, so what's driving the cloud migrations is often a kinda a digital transformation of some shape or form and all the benefits you get from a digital transformation in terms of the changes to the way business products and services are delivered and the speed and iteration around that and as part of all of that, the IT organization is trying to move to a more agile way of delivering IT and higher release frequencies and cycles. And so when you start thinking about what's gonna happen there with those parts of the businesses and where the IT functions and when the infrastructure in my environment is now just code that's declared into the cloud rather than physical stuff that's managed, as a security leader, you think you need to be thinking what are the consequences of those trained years on the security organization and security operating model. And if you try and apply existing, you know, sometimes highly centralized security operating models and security techniques and approaches to that, you'll get potentially one of two bad outcomes. The first being the organization becomes overly constrained in its use of cloud, and we don't realize the benefits of cloud in terms of speech and agility and responsiveness to the customers in the markets. And the other is you get circumventive and the organization starts doing cloud in kind of less safe ways. So you've gotta take a step back and understand what's going to be going on around you and how that's gonna have a bearing on you. Once you understand that, then you can start thinking about, you know, your old model and your operating model and, you know, to give you one example of the types of things that you need to think about in many CISO functions they'll be a team that [inaudible] they do pen tests of an application before its deployed. It's a good independent check and balance, and in traditional IT, delivery approach is like kind of hand off process doesn't really matter 'cause the whole life cycle of delivering IT is longer and slower. Arguably, in a cloud-enabled IT team with an active team, they're wanting to release that application much more frequently, and so having a kinda centralized pen test team with a handshake is not necessarily gonna get them where they want to. So you might need to be thinking about how you move the pen testing function people, tools, and everyone else back into the active team so that it's done right at the point at which it needs to be done. That's kinda your already operating model, and then once you've figured out that at a higher level, you can get into the tools and the techniques and the skills you need, and you can focus more on designing the right control environments to enable that federated approach to security, and you can focus on building higher quality assurance approaches so you can validate that what's in the cloud has been through those security and control gates and that the configurations are the configurations you expected to see. So at the end of the day is your team structure, shape, and operating models going to evolve because of the nature of what's going on with the business and IT functions and you need to double down on making sure that the design of the controls is such that you can operate them in that more federated fashion and that you've got a very, very solid approach to the assurance of the security in the cloud driven through the data that you can discover about that cloud environment compared to what you would've expected to see.
Chuvakin: Well, let's get through a quick clarification of this. So your tools will change, your practices will change, your people's skills may change, but you mentioned the word operating model. Could you connect the operating model to the stuff that I mentioned? So operating model kind of implies all of this, correct?
Godfrey: Yeah, operating model implies all of it. I mean what I was talking about in terms of operating model is there's two ways of describing how the CISO executes, or if you like, discharges his or her responsibility whereas in terms of organization it's called the CISO organization and has skillsets and teams and [indistinct] responsibilities. The other is kinda the broader kind of security operating model for the organization where the CISO still has that overarching remit to make sure that the operating model is fit for purpose and getting you where you need to be but that does not necessarily mean the CISO owns all of the staff, the people, the tooling, and everything else that goes into making that operating model work.

Chuvakin: Perfect. Thank you for that. Phil, got anything to add to this one?

Venables: Often more and more it's about taking advantage of new solutions whether it's high performance data analytics, more business-focused solutions, different ways of digitizing businesses and supporting customers. So there's a whole array of things that is a compelling reason to move to the cloud and one of the things that many security organizations for many years have always been looking for is that means of enabling business through security, that means of enabling agility in the organization, and the cloud migrations from what we're seeing for many, many organizations is exactly that. It's delivering a whole range of new means of supporting customers and encouraging business agility, and this is just a tremendous opportunity for CISOs and the security teams in general to be a visible part of enabling that in a secure, resilient, and risk-managed way to deliver on their business promises. It's almost like, you know, everything Nick was saying about the framework for how to do this is almost too good of an opportunity for the CISOs to not get behind because it checks all the boxes about what leading-edge CISOs are and want to be around business--using security to enable business. It's exactly what a cloud migration is.

Peacock: This is a case for CISOs who have never faced* a crisis where they can really grab this thing by the horns and become a business enabler. How does their team structure have to change when they do that? Do we see CISO teams changing with a cloud migration?

Venables: You know, I'll let Nick comment as well, but I mean I think many large enterprises are quite well positioned in how they've started embedding security roles in business lines, how they've shifted left in the software development process to get security embedded more in the design life cycle. I think, though, what they are finding with many security teams is they're learning how to integrate with a cloud infrastructure engineering team that manages the orchestration layer from the enterprise to one or more clouds. I think as well, and again Nick touched on this, is one of the big challenges we see in many organizations is not so much on the business enablement and the developer engineer enablement in the use of the cloud is how they factor in that kind of hybrid security operations model from on-premise to cloud or even across multiple clouds. And that's something where again many of the products that we're pushing out and many of the advice we're pushing out is it's not so much only on the migration but also on the post migration security operations advice, and I think everybody will see more content from us coming out on that in the future.
Godfrey: The point you made at the top of that was the teams needing to work with the cloud-focused target-skilled infrastructure engineering teams. The phrase that we use your policy is embedded in code that is used to manage your infrastructure is a nice phrase to use, but actually the mechanics of translating policies and standards that are oriented towards human beings even to code that's managed as part of your own structure I think is quite a sizable thing for teams to get their head around. It's kinda the new bit of cloud that's kinda different to doing other forms of more agile IT I guess isn't it.

Chuvakin: That makes sense to me, and I see why this is challenging for enough organizations to kind of shift into that. So if people still cling to the old mindset, there are tradeoffs presumably. So for example, I may be a leader and I have some familiar tools so I want to go to the cloud with those tools in my hands. So what are the real tradeoffs in these decisions such as using familiar tools, using maybe familiar practices versus achieving full cloud benefits? How do you do this kinda scaled in a way and exercise where you think, "Yeah but I have people now who are skilled in this. Yeah, I know I need to have that but I don't have that." How do I do this balancing act?

Venables: One of the interesting challenges this whole concept of revalidating your mental model for how your security design pattern works on-premise versus in the cloud and a classic example is DMZ. So many large enterprises on-premise have multi-tier DMZs in which there's basically perimeter firewall and other infrastructure, then the web server, then another layer, then the app server, then another layer, then the internal network and data servers. And I think the interesting thing about that is occasionally you see customers try to replicate that physical infrastructure logically in the cloud, and that doesn't necessarily mean they end up with bad security, but it's actually more importantly, it's missing the opportunity to take advantages of much deeper levels of finer-grain control that you can construct the same security objective in the cloud. And you see similar things with the cloud and more particular many of the application level technologies that you would get from a cloud-based service give you a lot of opportunities to do more finer-grain segmentation, integrating more security into your software life cycle, doing things like binary authorization to make sure that the software you've produced is exactly the software that ends up in production, a whole different level of monitoring and consumption of logging and other streamed data from your environment to let you do anomaly detection. So there's a whole host of opportunities, and I think it requires organizations to shift their mental models just like when you think about zero trust architectures that were co-defined at Google under the BeyondCorp and the BeyondProd banners. They similarly have a whole capability that you can deliver, you probably can't always do on-premise and so I think a big part of that environment is for CISOs to really think about what does it take and what models can they use in the cloud. And in fact, in many cases in my former role as a CISO on the enterprise side, some of the capabilities that we can offer now in cloud services, and again particularly Google Cloud 'cause we're talking about Google, I would love to have been able to deploy those at scale across all of the on-premise environment, but I could only get to take advantage of them during and after a cloud deployment. But one of the nice things you see in the cloud space now is a lot of these cloud technologies being made available on-premise and across hybrid clouds, so you don't have to choose that cloud versus on-premise anymore, and so I think looking at all of the new technologies that are available to implement security objectives gives you a lot richer set of tooling, a lot more flexibility than I think has been available in the past, and it's almost like it's too good an opportunity to waste not to go back to first principles and say can we do this even better in the cloud because you've got a richer set of tooling.

Chuvakin: Nick, do you have anything to add on the tradeoffs?

Godfrey: No, I think Phil has covered it well. There's so many things you can do with cloud that you just can't really economically or commercially or technically do on-prem, and I think it's just a case of how do we with our peers in the industry sort of refigure out the paradigm shifts and get ourselves comfortable with the wider organization around us, you know, the risk functions, the compliance functions, the audit functions, regulators and so on and so forth to be as comfortable with those new paradigms as they are with kinda the old ones that we sort of built our stories around what perimeters those security in the past, right. I think there's a lot of work to do that.

Peacock: The conversation for a CISO around a cloud migration doesn't end at the end of our podcast. What would you recommend as reading material or an advice column for a CISO who is, you know, about to do this for the first time? This being a cloud migration.

Godfrey: I think a couple of things, and I'll be selfish and tell them about Google Cloud and Google, both Phil and I recognize that the security and risk transformation aspects of a successful cloud migration are very important, almost as important as the broader digital transformation that gets a lot of air time, a lot of press. So we've published a paper, and we're gonna publish other papers on the same sort of topics around how do you think about affecting the security transformation, so there's a CISO's guide to security transformation white paper, and then to learn a little bit more about how generally Google Cloud inclusive operates and thinks about security, there is a very good book called Secure and Reliable Systems which our Google security team has published I think last year. That's a very long read with a lot more detail about some of the things that we've talked about today and lots of case studies and examples of how we've tackled some of these challenges within Google.

Venables: You know, in the same kind of SRE-type series, there was another book our Google SRE team just put out recently Practical Cloud Migration, which we should obviously kinda make sure goes in the show notes, which is actually a really good book. I mean it's obviously more broadly about how to organize an overall migration but all the way through it are various kinds of tips and practical guidance on not just security steps to take but broader risk mitigation and control practices that can manage all of the risks of the migration 'cause I think we all recognize that CISOs in most organizations these days are not just on the hook for security, they probably also have other broader technology risk responsibilities, usually resilience responsibilities, and perhaps even some compliance responsibilities and so thinking about all of those things and a lot of the material Nick referenced as well as this Practical Cloud Migration guide really go through a lot of that information. And I think it's definitely worth a read and they're usually written by people not only Google engineers that have been at Google a long time but a lot of people like us that have spent most of our careers on the other side of the fence consuming these services, and so they're written from a perspective of how to do this from experience as well as being informed by the services that we have at Google.

Chuvakin: Thank you very much for this. I think that the second book is a great reminder. I completely forgot about it, but it's a great resource. I've downloaded it. I'm gonna be reading it because the risks and mistakes covered there kinda go beyond the domain of cyber, right? There are other things that can go very wrong in cloud migration, so to me, this is a very useful resource indeed. So one thing I wanted to say that we're gonna do a second part to this podcast likely focusing on how to actually teach the quote-on-quote on-premise CISOs to speak cloud. How do you teach those mental models? How do you learn to do what Phil just did with say DMZ or with a SOC or with other pre-cloud constructs? How do you translate them to the cloud language? How do you make people more cloud native or cloud focused? So to me, this is a useful second part we're gonna record later. So thank you very much for being here to both of our guests. We will post links to all the materials we discussed at the podcast site and in the show notes. As we said before, you can find this podcast at Google podcasts, Apple podcasts, or wherever else you get your podcasts. You can follow us on Twitter, You can also find out individual handles at anton_chuvakin and _timpeacock. Tweet at us. Email us. Argue with us, and if you like what you hear, we might just invite you to a new episode here at Cloud Security Podcast. See you at the next Cloud Security Podcast episode. Thank you very much for listening.

View more episodes