The CISO Speaks: Adobe's Brad Arkin on the Challenges in Securing Multi-Cloud Environments

Posted on by Tony Kontzer

During the early years of cloud computing, companies often hid behind security concerns as a reason not to adopt this strange new computing platform. More recently, that perspective has reversed, and most organizations acknowledge they can't possibly secure their own assets as effectively as cloud providers can.

But everything changes when a company takes on the complexity of a multi-cloud strategy. Based on surveys such as this one from IT management vendor Flexera, we've crossed well into critical mass territory when it comes to adoption of multi-cloud environments. And as a recent report from Business Performance Innovation Network makes it clear, this aggressive expansion of multi-cloud environments presents enormous security challenges.

Brad Arkin, CSO at Adobe, has grappled with this issue, both as a user and a provider, and our new CISO Speaks blog series provides an ideal forum to share his perspectives. What follows is a lightly edited transcript of my email interview with him:

TK: To what extent do you see multi-cloud environments presenting the next big security challenge? Is that Adobe's experience?

BA: When it comes to multi-cloud, a major priority for the security team is helping ensure we have clear visibility into our environment, whether that’s private or public cloud. This security challenge in and of itself hasn’t changed, but the catalysts do with new innovations in multi-cloud. 

For instance, we need to balance the benefits of newer cloud-based collaboration tools with the security rules we have in place. Not only do we need to help ensure these new collaboration platforms are configured correctly and secure-by-default, but we need visibility into these tools to help make sure they are at pace with our overall security structure and posture.

TK: What do companies making the move need to know about securing multi-cloud environments? What kinds of security threats could they introduce?

BA: Multi-cloud brings the same familiar challenges from the on-premise/private cloud world with a few new additions. The public cloud “control plane” brings a new set of configuration options and capabilities that can help a great deal with topics like inventory management, but also bring the potential for mistakes and misconfigurations that could impact a larger landscape.

When a company is looking to secure their multi-cloud environments, the most important thing to consider is the scale at which they’re operating. This will help to determine the infrastructure and resources necessary to sustain security-by-default long-term. The solutions that companies deployed today should be able to last for years to come.

Additionally, companies should work to ensure that when deploying these security tools and services, there are strategies in place to help measure, monitor and remediate potential security gaps in the operational environments. This will inform whether shifts in the security strategy are needed and what changes are being made to their environments.

TK: How do security needs evolve as multi-cloud environments grow more complex? When security issues arise, how do mitigation efforts differ from on-premise?

BA: Security needs continue to grow as a company’s size and potential increases. Managing multi-cloud security means understanding what is happening in each cloud environment, while consistently being able to identify a potential security weakness before an incident occurs.

One way to manage evolving potential security issues in multi-cloud systems is through the foundation of an operational security stack that allows for consistent configuration and control across cloud environments. This helps establish methodology and compliance that can be uniform throughout the organization while combating potential issues.

The Adobe Operational Security Stack helps us deliver consistent security assurance at different levels in the multi-cloud environment. One example of an element from the security stack is vulnerability scanning that allows systems to be assessed automatically so we can see whether they’re operating as intended or require intervention. Automated vulnerability scanning decreases room for human error and gives more opportunity for clear escalation and mitigation paths. When these scanning alerts are brought to our attention, we can analyze the process and quickly make improvements as needed.

Public cloud environments offer new log sources and monitoring capabilities that can be very helpful during a response. A well-built environment running in public clouds tends to have highly automated functions, so tearing down and redeploying a “clean” infrastructure can be much easier than previous legacy environments.

TK: What do you see companies doing right/wrong in security multi-cloud environments today?

BA: One thing that companies should avoid when securing multi-cloud environments is following a siloed strategy where each team picks their own security solutions. We follow a uniform “best-of-breed” security stack that provides a consistent strategy for teams to follow and accomplish our goals.

When it comes to building versus buying security solutions, this is down to an organization’s objectives and what strategy best suits their organization. Things to consider in this case would be whether an in-house solution might be more suited to the company versus purchasing a security solution. With an in-house solution, this might be best suited if a company has specific needs and can open-source the tool.

At Adobe, we’ve created the Common Control Framework (CCF), the cornerstone of our compliance strategy. This is a comprehensive set of simple control requirements, rationalized from the alphabet soup of different industry information security and privacy standards. We wanted to open-source this tool/framework to help other organizations simplify their compliance work.

TK: How has widespread multi-cloud adoption affected the job of the CISO? Has it changed core security strategy?

BA: The CISO job is constantly evolving along with the technologies that organizations rely on and the threats they are working to combat. The public cloud offers a new knowledge domain to learn, but the fundamentals of needing to understand and provide the right level of monitoring and response capabilities are very familiar.

Moving to the cloud was a fun challenge as a security team. We’re always working to achieve clear visibility into our security posture, but when we first looked at our multi-cloud strategy, we saw that teams were using different tools and services, making it challenging for the central security team to monitor and optimize the stack.

With this in mind, we set out to achieve a best-of-breed security stack that would provide consistency across the company. While this required a uniform architecture, flexibility was crucial in supporting various environments. To do this, we created an inventory of what tools we were using and went through a process of selecting the best-of-breed—and from there on, we required teams to use that solution.

This was an intensive process that took months from start to finish, but it has helped our team establish the right solutions and escalation paths.

TK: How do you view the shared security responsibility of companies and their numerous cloud vendors? Who's responsible for what?

BA: Each service offered by a cloud operator brings a specific shared responsibility matrix that the client of the service needs to understand and work with. Whenever there is ambiguity or confusion around the shared responsibility boundaries, this can lead to disappointment. Security teams should make sure they understand their role and how best to work with the services offered by their public cloud providers to achieve the desired security outcomes.

Tony Kontzer

, RSA Conference

Cloud Security & Virtualization C-Suite View

cloud security

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community