Securosis Guide: Escape from Cloud City

Posted on February 11, 2016 by Securosis Team

This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.

Cloud computing has been a pretty steady theme in both this RSAC Guide and the conference itself. Heck, it was our very first theme in our very first Guide back in 2010, and has shown up as a theme every year since. As much as we'd love to move past it to something "new" we strongly suspect you will see more cloud, not less, this year. Besides, while we eagerly anticipate the impending emergence of portable Fitbit firewalls, we really aren't looking forward to the competitive analysis charts as they battle automobile combination firewalls and breathalyzer interlocks for budget.

Oh please, you know they're coming.

Cloud security is right about at that point on Bespin where C3PO disappears, Lando is smiling too much, and that dinner invitation showed up on suspiciously black stationary with the Imperial logo covered up with a marker. It looks great on the surface, but underneath something just doesn't feel right.

In past years, the conference sessions haven't always been overly strong; with too many people shouting "WARNING! CLOUD! DANGER!" without telling you what to do about it. Vendors wrote "cloud ready" on their marketing banners with a sharpie and kind of left it at that. In the meantime, cloud capabilities, including security capabilities, evolve so quickly that this year alone on three occasions major security features appeared overnight in the middle of one of our two-day training classes or client engagements.

The problem isn't the ridiculous rate of change in cloud computing, but that we still see that security professionals are behind the curve on working natively with cloud computing platforms. This isn't a criticism, it simply takes time. It requires a new skills set while retaining and converting the knowledge and experience many of you have spent decades building. That doesn't happen overnight. It also isn't limited to security, we see traditional ops and even dev experiencing the same struggles.

But just as Luke had to make the judgment call and abandon his training with Yoda to go try and save his friends (and hopefully not make out with his sister again), vendors are desperately throwing their products into the mix as security teams jump into projects and learn on the fly.

Like Lando's slick smile and hug, everything looks good on the surface, but underneath all is not right in Cloud City. Few products are both cloud native and ready for native cloud architectures. There is a massive difference between running a virtual machine on a cloud provider and improving the security of a microservices architecture deployed in Docker containers and using various PaaS products. Sign a multi-year contract and you might find the deal changes, and you're told to pray they don't alter it any further. There are some good cloud-native tools out there, you just need to find a needle in a pile of Bantha fodder.

The good news? The Cloud and Virtualization track this year is chock-full of (potentially) strong sessions. It's the strongest looking agenda since the track was created, and we aren't just saying that because we are speaking. Easily half or more of the sessions are technical, practical, and being delivered by people we know have real, on-the-ground experience.

It's a great time to trust your instincts, feel the cloud flowing around and through you, and start seeing how the cloud can improve security. Cloud providers offer more for security than you might think, and in some cases can wipe out traditional security problems or the need for third party products. This is probably the best year at the RSA Conference to improve your cloud skills, save your organization, and not lose a hand in the process.

— Rich Mogull

Check out the complete series: Introduction
Theme posts: Threat Intelligence & Bothan Spies, R2DevOps, Escape from Cloud City, The Beginning of the End(point) for the Empire, Training Security Jedi, Attack of the (Analytics) Clones
Deep Dives: All Threats, All the Time..., Data Security Deep Dive, Cloud Security Deep Dive

Contributors

Securosis Team

, Securosis

cloud security

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.