Interview with Ashish Rajan
Cloud data security requires rethinking the approach to the problem given that either no team is responsible for it or every team is, and the supporting security tools don’t consider the collaboration between the data owner(s), security, and compliance teams.
Securing data in the cloud is a lofty task for sure, but there are industry leaders like Ashish Rajan, CISO, and host of Cloud Security Podcast, who are advancing the conversation daily.
Read the insights from Ashish during a discussion with Dasera’s April Mitchell, VP of Engineering and Operations, and join the conversation around transforming data security in the cloud.
Q1. Why is public cloud security still an unsolved problem?
We have a human problem; a new toy or technology doesn't change our behavior or habits.
The whole idea around cloud was an abstraction of owning a data center. We realized it was cheaper and more efficient to move to the cloud. So, we’ve upgraded the way we handle data, but we haven't upgraded ourselves.
Q2. What are the specific challenges or opportunities with data security in the cloud?
- Data classification - Broad categorization, sensitive or non-sensitive, doesn’t provide enough context.
- Access controls - Role or function-based permissions often grant more access than is needed for the day-to-day of the job. For example, as a CISO, I get extra access even though I may not need extra access.
- Data loss prevention (DLP) - Security will say they have a data loss prevention (DLP) solution, but what they don't say is that DLP restricts itself to certain aspects of the environment. For example, it may be decent or even do a good job at your email level, it may do some more in your file directories. To my knowledge, there is no DLP for the cloud.
- Data Sprawl - Data is laid out everywhere. I may have a copy of the exact same data set as 5 other people. I can consider myself secure, but I can't guarantee the security or intent of the other 5 people.
- Silos Across Teams & Technology - We create siloes between cloud and on-prem and between different teams that have shared responsibilities. There are no clear responsibilities for data classification; who owns data security? Is it the CISO, Legal, or Privacy Officer?
- Shared Responsibility - Security isn't the only team responsible for data security. They may have a specific data security solution for which they have the approved budget, but that does not make them solely responsible.
Q3. How have you seen teams collaborating to address the challenges today?
It's grey - we have not had a lot of conversation around data security in the cloud, specifically. We talk about compliance and policy because there are a lot of legal requirements, like GDPR and other privacy laws. By nature, people assume that you’re covered if you have your Legal, Privacy and Compliance departments all working together.
In reality, if you think about how the budget is allocated; there is no separate budget allocated for data security. In my previous roles and from talking to CISOs at other organizations, there’s no budget for data security because it’s not looked at as a challenge to solve. This is an area for education.
A Thought Exercise for CISOs from Asish
People make risk profiles based on the money generated from applications instead of understanding the type of data that the application has. Next time there is a breach, think about it from the perspective of:
“Is my risk profile based on the data that the [vulnerable] application has?”
“Is my risk profile based on if this application makes us money or not?”
Watch the 24-minute interview for Ashish’s insights here.
Learn more about Dasera.