Episode Description
What We Discuss with Monica Verma:
- How do you explain risk management to people?
- Can an organisation be risk free?
- What are some of the building blocks of risk management that people can start with?
- Which risk assessment strategy would you suggest for a new business?
- What are the top 10 risks in cloud security?
- Is there a security strategy roadmap for cloud security business leaders?
THANKS, Monica Verma!
If you enjoyed this session with Monica Verma, let her know by clicking on the link below and sending her a quick shout out on Twitter:
Click here to thank Monica Verma on Twitter!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode:
- Tools & services discussed during the interview
- Cloud Security Alliance
- Cloud Security Academy
Ashish Rajan: Hello, and welcome to another episode of Cloud Security Podcast, Virtual Coffee with Ashish. So for people who don’t know me, my name is Ashish and we are part of a podcast called Cloud Security Podcast. Today’s the 50th episode as well. And today we’re talking about risk management in cloud.
I’ve got a really special guest for me. She’s awake quite late in the night for this. So I’m not going to hold off too long, but before I bring her on, I do have something. If you guys haven’t followed us before, follow us on your favorite podcast channel: Spotify, iTunes, you name it.
We’re there, or subscribe to the YouTube channel. It’s basically the live interviews. All right, enough about me and the show. For the moment, let me introduce to you Monica. Hey Monica, welcome. How are you?
Monica Verma: I’m good Ashish. Thank you. Thank you for inviting me.
Ashish Rajan: No, it’s our pleasure. And I’m so glad you could join us. I want to start with the obvious for people who don’t know Monica: how did you get into cyber security, Monica?
Monica Verma: Oh, that’s a very long story, [00:01:00] but, it starts actually very early.
I’ve told the story to a couple of people who know it very well. I got very interested in technology when I was a kid. I was around 10 years old and I got the opportunity, as a 10 year old kid, to see the cockpit of a plane for the very first time. I was flying and one of the pilots just came to me and literally asked me, do you want to see the cockpit?
And I was like, yeah, absolutely. And as a kid, I was so excited to just jump in, and I helped him with the cockpit and I was expecting to be more surprised by the view from there, but I was really spellbound by the technology inside. That’s literally the first thing that caught my attention. And I was like, oh my God, there’s so much technology in here.
How do the pilots even know what is for what and how are they doing it? I mean, that’s attending a call. I just did not understand. So I just got very interested in technology. I started learning programming already in school and I got into computer science. That’s when I actually got interested in hacking. [00:02:00]
I mean, I understood very quickly that other programs can be misused, abused, made to do things that they’re not supposed to do. And that’s how I got into information security. I did my masters and I wrote my thesis on application security, which is basically, as a tribute, I did it on the forum, Jeremiah Grossman, who was my big hero at that time, literally.
We have known each other now for more than 10 years, and he was also my external supervisor for my thesis. But anyway, long story short, I got into hacking. And then when I was doing ethical hacking for many years at Siemens in Germany, I learned risk management very quickly, because we used to talk a lot to the management there, and that’s how I got into all the different areas of cloud security, risk management, and so on.
Ashish Rajan: So, and now I think you’re quite deep in security, which is a great thing, ’cause we definitely want to dive deep into risk management as well. For people who don’t know, I’m going to start from the very basics, because we have a few people who are probably new to security and [00:03:00] probably people who have spent a lot of time in this as well.
But because this is cloud security podcast, what does cloud security mean for you?
Monica Verma: Yeah, that’s actually a very interesting question, because if you would ask normal people, and maybe I’m not considering myself normal in that sense, but if you were to ask normal people about security in general, they would go like, okay, CIA: confidentiality, integrity, and availability. And then you add the word cloud to it and they go like, okay, you have to now manage all these things with cloud computing technologies when you’re doing IaaS,
platform as a service, software as a service. So that’s cloud security. But if you ask me, I’m not going to give you a normal answer. For me, cloud security is three things, and they’re kind of interconnected. Number one is mindset. The security mindset that you apply on an on-premise solution, or the way you’ve been doing security
traditionally, doesn’t work one-to-one in cloud. So you absolutely have to have the right mindset and understand [00:04:00] what cloud technology really brings, what challenges it brings and why it doesn’t work that way. And we can come to that, but just to tick off the three things that I believe are important aspects of cloud security: one, as I said, is mindset.
The second for me is football. And I’ll tell you why. And the third for me is shared responsibility. These are the three most important things for me with cloud security. Now, coming back to the football thing: one of the key things with cloud security is that now you are kind of leveraging your cloud service providers or other technology providers for lifting or taking some of the load from you and doing that for you in their data centers.
Right? We have obviously heard the meme “cloud is just someone else’s computer”. It’s not just someone else’s computer. I definitely don’t believe in that myth. And actually the word “just” is what makes it not exactly correct. Because as I said, the principles that you use in traditional perimeter-based [00:05:00] security do not really apply directly in the cloud environment.
When I say football, it’s because when you look at the game of football, right, you have a player, you have the teams. And my favorite football player is Messi. And the reason he’s my favorite player is not because he is the best one. Some of the American guys on here, soccer, what football game is Messi.
But the reason I say that is because he’s not into making goals just to make goals, but he’s really into assisting. And that’s really what the game is about, I mean, the team spirit. So when you’re in cloud, your organization’s digital environment is now a part of different players.
Your security, your organization’s security and risk profile, is very much dependent on other players within this whole playing field. And you cannot succeed alone anymore. It just doesn’t work. And that’s where you come into the shared responsibility model, which is the Holy Grail for understanding cloud security.
If you don’t [00:06:00] understand the shared responsibility model, you will definitely not succeed with it. So that’s how I define it: mindset, football or soccer, and shared responsibility.
Ashish Rajan: All right. So switching gears, we’ve kind of clarified what cloud security means for you. But what about risk management in cloud, for people who don’t know about risk management? How do you explain risk management to people?
Monica Verma: In very layman’s terms, I would explain it this way: what things you need to do today to prevent massive losses tomorrow, or how you can realize certain opportunities.
Because ultimately opportunities are risks, but some risks are worth taking. A good example is cloud. I mean, cloud technology brings with itself massive risks as well, and challenges. But if done right, these risks are opportunities that are worth taking. So risk management basically helps you understand and identify various potential, in our sense, cyber risks, [00:07:00] cybersecurity risks that could be there for your organization: to identify them, to evaluate them, to prioritize them, and then to be able to treat them.
So this is the basic risk management process. And I would recommend for people who don’t know risk management, the ISO 2705 risk management process document is a really good one, because it just gives you a simple process, which as I said is basically identification, evaluation, prioritization and treatment.
When it comes to cloud security, obviously the risks are different or slightly different, so your risks very much also depend on how they manage their risks. So there are different aspects you need to take into account when you’re thinking of cloud security and risk management for cloud.
Ashish Rajan: That’s interesting. So kind of like the on-premise world, you know how many people talk about the fact that, I guess, you can never have zero risk. Like, there’s always some risk you’re [00:08:00] carrying. Is it even a thing where, I guess, an organization can be risk free, for lack of a better word, ever?
Monica Verma: No, I don’t think so. Even in cloud. I mean, you’re thinking about zero risk in terms of security. There are different kinds of risks in the world, financial and project, but let’s focus on cybersecurity risks. Saying zero risk basically means you’re a hundred percent secure. And I think that state doesn’t exist, and it’s really not about having zero risks.
It’s about identifying the risks and knowing which are worth taking. And here comes the point of the treatment, because the treatments are usually categorized into four categories. You can either accept the risk, say that, okay, it’s worth taking it, so we’re going to take it. Second, you can transfer the risk.
So for example, get cyber insurance. The third is you say, okay, I cannot accept it, I need to mitigate it. So then you put in security controls to reduce the inherent risk to residual risk, which now is okay because you’ve reduced it by some mitigating [00:09:00] controls. And the fourth is that you’re avoiding the entire activity in itself.
So if you don’t go to cloud, you don’t have cloud-related risks. So you can just not go to cloud to avoid the risk entirely. So these are the four categories that you have, and you can definitely accept it. It’s the same analogy that if you want to be super secure, you can just lock everything in and put it in a safe in your basement.
Ashish Rajan: Yeah, exactly. Oh my God. Yeah. I think that’s really interesting. Right. And I’ve found this being asked by a lot of people: oh, why carry a risk at all? And you almost wonder, coming from a product land as well, I feel like it’s always… the goal is not to eliminate risk, it’s to identify and manage the risks.
Right. Because, as a society, I don’t think we can ever eliminate all the risk. Right.
Monica Verma: No. I mean, think about the global risks. The World Economic Forum comes out every year with their top 10 global risks; cyber attacks and infrastructure-related attacks and technology-related risks are a part of those.
[00:10:00] And they have been for many years now, but nobody says that you have to have them at zero. It’s just not feasible.
Ashish Rajan: Yeah, I don’t think so either. People understand now risk management, and I have a handbook that I can go to to understand what it’s about, but how do you explain the importance of it to anyone?
Why is it important for organisations to know about risk management?
Monica Verma: Well, let’s say it this way. I usually use an example, which is not specific to cloud, but in general, for investing in security. How do you invest in security if you don’t know which risks you actually have? Or how do you correctly and efficiently invest in security?
You can obviously invest in security, and there are different ways to invest in security. One is looking at what are your low-hanging fruits: what are the best practices or good practices that come from this standard or from different frameworks, and you evaluate in your organization, okay, these are the obvious ones.
What we know we don’t have in place, these are the low-hanging fruits. We [00:11:00] need to fix them. But about the other ones, how do you actually invest? Because this is the biggest thing: a particular vulnerability for an application, the same application, the same vulnerability, will have a different likelihood and a different impact on two different organizations.
So just knowing vulnerabilities and zero days and security issues that are out there doesn’t help you prioritize investing in security if you don’t do risk management. So that’s really the simple answer: to know how to effectively invest in security, you need to do risk management, because it’s not the same for every organization.
Ashish Rajan: A hundred percent on the money over there, Monica. I think it’s really interesting that we’ve talked about, I guess, what is risk management and why it’s important, but I think we probably need to call out the fact: are there any obvious risk management things people should consider? Like, for example, if someone’s moving into cloud now, are there obvious risk [00:12:00] management considerations or challenges people should consider that they would face when they move to cloud?
Monica Verma: Yeah, I mean, cost is definitely one, which is interesting because historically, if you see the trend of how people have moved into cloud, initially it used to be, oh, we are going to cloud to save money. That was the number one reason people had for moving to cloud. And while it does obviously help you with scalability and leveraging a lot of functionality and features and reducing certain responsibility areas,
and the word is responsibility, not accountability, and we can come to that later, we have seen that it’s really not necessarily reducing cost. But also recently, if you see in surveys, and if you’ve seen over the last decade what has happened, now people are moving to cloud due to security. But that’s also another thing that they consider: that just because I moved to cloud, I’m secure by default. And that’s one of the biggest things when you’re moving to cloud; that’s been the [00:13:00] biggest risk.
The second biggest thing is people don’t understand the shared responsibility model. And that comes back to the point that I just mentioned: they assume the moment I move to cloud, okay, I have nothing more I need to worry about. I’ve put it in the cloud, Amazon or Microsoft or whatever, they will take care of the security for me.
I have no more responsibility, accountability, liability, so I can just remove it and put it there. But that’s the issue, and I believe that’s one of the challenges. The other important thing is also that when people move to cloud, one of the biggest things is because they don’t do risk management, or they don’t do classification of assets, or they don’t understand the criticality of the functions that they’re moving to cloud,
they don’t have any kind of strategy in place. They’re not doing migration to cloud based on the criticality of the functions or based on the sensitivity of the data, but they’re just putting everything in in one go. There is no phase-wise, risk-based strategy or approach for migrating to the cloud, which is recommended for various reasons.
I [00:14:00] mean, this could be because of security, because of compliance, because of data breach, because of what kind of data you’re putting, because you don’t understand. I mean, there are so many reasons why you should do that. So there are these overall challenges that are there with regards to migrating to cloud, and then obviously risks after you’ve migrated into cloud.
Ashish Rajan: Yep, and to your point, there’s a lot of consideration before you move into cloud, a lot of strategy work that goes into it, and probably, to your point, when you’re in it as well, because cloud is consistently changing. We have more challenges that people face; it’s almost like it feels like it’s an ongoing process, but it’s thought that,
oh, you do it in the beginning and you do it in the end, and that’s it? That’s risk management done. Guys, you can wrap up and close the risk management department straight after that.
Monica Verma: I mean, there is one key rule or key guidance that I give to people with regards to risk management: you have to do it in the beginning.
Before you start whatever, before you’re putting your applications into production, before you migrate into cloud, before whatever big, [00:15:00] basic thing has happened that has some kind of risk related to it. Do risk management before, do a risk assessment before, and then do risk assessments regularly.
So it’s before and regularly, and that’s literally the basic thing everybody should follow, just to be sure, because it’s risk assessment before migrating to cloud and it’s regular risk assessments when you’re already in cloud.
Ashish Rajan: So are there any building blocks for these things? I mean, ’cause obviously we have people who are starting off, and some people may already have some idea of what risk management is, like starting off to move into cloud, and have started to consider risk management because they may not have considered it before. What are some of the building blocks people can start with?
Monica Verma: Yeah. I mean, there are, actually. It is obviously complicated. Cloud security is not an easy topic, and I’m by no means trying to say that it’s easy or trying to oversimplify it.
We have to accept that there are obviously challenges. And so the key really is having a phase-wise approach. That’s [00:16:00] one really important thing. The same way as in building security, in one go: I also recommend for building security, do a phase-wise security maturity increase, and the same way, do a kind of risk assessment over time.
Certain risks that you accept today, you might actually manage them tomorrow. It’s fine. But when it comes to challenges with cloud security or recommendations for building blocks for risk assessment, look into a very important guidance, I say, that the Cloud Security Alliance releases every year: the top threats to cloud computing.
The one that obviously came out this year is the Egregious 11, I think it’s called, but it’s top threats to cloud computing. Understanding that. More importantly, understanding shared responsibility from whichever cloud service provider you’re using, whether it’s Microsoft, whether it’s Amazon, whether it is Google; they have provided all this documentation.
It’s important for you to really understand it. And I usually tell [00:17:00] this very simple way of knowing the shared responsibility, because it can obviously vary a little bit based on all the different stacks, but the very simple way of doing it is: wherever, at whichever level, the service lies, that’s the shared level.
And that’s where the shared responsibility starts. And consumers go upwards and cloud service providers go downwards. So if you look at infrastructure as a service, infrastructure is the level at which you both have responsibility. And then the consumer will have infrastructure upwards and the service provider will have infrastructure downwards.
Same with PaaS. So platform is the level where platform upwards is consumer, platform downwards is then cloud service provider, and so on. And then when you go upwards, application is the topmost layer, right. Application upward is all of us consumers. So compliance, risk management, data security, governance:
these are [00:18:00] always the consumer’s responsibility. So when you are looking into moving to cloud or assessing a cloud service provider, first understand what the shared responsibility model looks like; understand what the cloud service provider is providing you. What kind of controls do they have in place?
What kind of security are they providing you? What kind of auditing are they providing you? What kind of visibility are they providing you? Because these are very big challenges: visibility is definitely one of the big challenges in cloud; access management is a big challenge in the cloud. So understand what they’re providing, and then you have to assess
what other controls, that come to the risks, are in place, right? What other controls in each of these areas you need to have. Access management, let’s take that as an example, right? You can’t really think like perimeter-based, traditional security. You just can’t; that just doesn’t work in cloud.
People are accessing things from everywhere, from BYOD, from this country, that country, changing VPNs, all these things, IoT is in place, and so much shadow IT and all these things. So identity [00:19:00] is the logical perimeter. The basic thing that I tell people is: have good control of access management.
The same with privileged accesses: reduce them, ensure that you don’t have shared passwords, you don’t have reusable passwords, and ensure that you have MFA in place. And especially with cloud, we can do just-in-time and just-enough access. I mean, lots of providers provide that. So bring those things into play.
So access management is definitely one area to focus on. The other, I would say, is data security. Because one of the key things that happens with cloud is that now your data is going out; somebody else is processing the data on your behalf, the data is lying there and it’s being transported into different countries, and so on.
So there is the aspect of security, but then there is an aspect of compliance and legality. So there are all these things that one has to look into, and then map that to the top cloud threats that I just mentioned from CSA, and see which of these are relevant for you and where you need to build your security blocks.
Ashish Rajan: I’ve got a question here from Vineet: which risk [00:20:00] assessment strategy would you suggest for a new business? They don’t have any clear indicators at basic levels.
Monica Verma: Yeah, that’s actually a good question. Is it like in general, or are you asking about cloud?
Ashish Rajan: In general, I think, so to start off with that. So from a tech business perspective, what risk management strategies would you suggest for a new business?
Monica Verma: Right, so as I said, from the process perspective, I think the ISO 2705 is quite simple. It’s suitable also for new businesses from a process perspective. When it comes to the framework perspective, what kind of risks I should think of: I actually have developed a framework for risk management which takes into account six basic, just six basic, types of risks from a cybersecurity perspective.
Think about: one is data breach. The other one is financial crime. The third one is disruption. Hacktivism. Supply chain is one of them. But the thing is, start with these basic, overall key…
I call them key risk [00:21:00] scenarios, which means whenever a vulnerability is basically abused and there is some kind of cyber attack happening, or some kind of abuse or event happening, this can lead to ultimately the consequence. The overall consequences of these events, the impact of these events, are categorized as these key cyber risk scenarios.
And they are very top-level cyber risk scenarios, which are basically a part of enterprise risk management. So if you don’t have any kind of risk management in your company, start with these basic six key cyber risk scenarios and map them to what kind of assets you have, what kind of critical business functions you have, and what kind of sensitive data you have, both personal and other kinds of business-sensitive data.
And then see which of these, when abused, would lead to the scenarios. That’s the basic thing to start with. But the second thing you can do is, if you do have enterprise risk management in place but not cybersecurity risk [00:22:00] management in place, then use these key cyber risk scenarios to put them as a part of ERM. And NIST just literally came out this year, I think last month or this month, if I remember, with a new paper that talks about how to integrate cybersecurity risk management with enterprise risk management.
That’s a really beautiful document. I would recommend reading that one.
Ashish Rajan: Awesome. And I think Vineet just messaged: was the 5th risk insider, by any chance?
Monica Verma: Yes, that’s actually, absolutely. That was the 6th one, okay. So I have to tell you that one, that’s fantastic: insider risk. I usually put the insider risk as two subcategories, intentional
and unintentional insider. The reason I do that is because insider risk is a very, very important topic, a very important risk, but very difficult to communicate, and communication is a very important part of cybersecurity, more important than technology, if I can say so. So when you’re talking to your employees, I feel with my experience that [00:23:00] I’ve had over the years, just doing this as intentional/unintentional basically gives the employees transparency and openness to talk about insider risks without feeling threatened.
Ashish Rajan: Great job, Vineet. Good segue into the next question from Darpan here: how has insider risk management evolved with cloud adoption?
Monica Verma: Hmm, that’s a good one. I mean, keyword: visibility. I mean, more lack of visibility. The thing is that obviously there are insider risks both on premise and in cloud, and with cloud and reduction of visibility or lack of visibility, when
insiders are doing things, adding applications or trying to access stuff or abusing cloud services without proper log management in place, without proper visibility in place, then obviously it makes it much more complicated. So that is really how it has evolved. And that’s where we need [00:24:00] to work towards log management, monitoring, visibility tools, to detect that better.
Ashish Rajan: So interesting. I think it’s funny how all the questions are related. I’ve got a good question from Francesco as well: what are the top 10 risks in cloud security?
Monica Verma: Top 10. It’s interesting. I think Francesco is asking me basically if I remember or read the actual
top 10, but I can obviously say: data security is important, data leakage is important, and also the compliance and the legality controls in terms of e-discovery and what laws apply is important. Misconfiguration and abuse of APIs is important. There is obviously the misuse or abuse of cloud services
as well, in terms of using that for crypto mining and other purposes. And I dunno, six more…
Access management is definitely there. I know that I have read the document. I know,
Ashish Rajan: Definitely tested you.
But it’s really interesting, right? There are so many aspects to, [00:25:00] I guess, cloud security that we’re talking about risk as well. I’m glad I’ve brought you in here to talk about, almost like zooming out a bit and talking about what does this mean from a risk perspective, from an organization perspective. We spoke about the building blocks as well.
I’m curious to know, we’ve kind of spoken about what is risk management and the top 10 risks as well, insider risk as well. But what about road mapping? I know some of the listeners are leaders in cloud cyber security and they are thinking more
from a security strategy roadmap perspective of addressing these risks. Do we need a roadmap, or is this, like, should be helping us with responsibility? Like, what’s an effective approach you can use for this?
Monica Verma: Mm. And that’s a very good question. I feel from a security leader’s perspective it definitely helps having a strategy in place,
which is based on your business and your risk profile, plus the threat profile, the threat [00:26:00] landscape that we see out there right at that time, and this includes insider threats and external threats and so on. That’s the advantage of having a roadmap. So what I usually recommend to security leaders, and this is important here:
this strategy or roadmap has to include… Most of the organizations are in a hybrid form, right? They have some kind of on-premise, they have some kind of cloud services, they have multiple cloud services and multiple public cloud services, and so on. So it’s not like you will only think of cloud when you’re defining a strategy for cybersecurity, but your cybersecurity strategy should be kind of independent and should basically scale to all kinds of technologies.
And that’s… It should be suitable for cloud, it should be suitable for IoT, it should be suitable for different kinds of technologies that you’re using in your business. That’s where your business and what you’re using, the business context, is the key. You must understand the business context. If you have to do risk management, you cannot do that without the business context.
And then, as I [00:27:00] said, developing a strategy that is based on your risk profile, that’s important. So let me give you an example of what I usually suggest, and in my experience what I’ve done is: based on the low-hanging fruit and the key recommendations that usually the industry professionals provide, based on my business’s risk profile, based on the threat landscape and based on the business context, first assess where you are today.
What is your maturity today? What kind of controls do you have in place, both in terms of cloud and what you’re lacking? Because by understanding where you are today, then you have to kind of define where you want to be in, say, one year and where you want to be in, say, three years. I mean, I wouldn’t say longer than that; the landscape is changing so fast.
It’s very difficult to say more than that. Based on that, this in-between is the gap, and that’s where the strategy, the roadmap, comes into place. So it’s important to have a short-term strategy in place, a short-term project plan in place, which basically helps you address both the low-hanging fruit and your [00:28:00] critical risks right away.
So you have to start with these kinds of things: whether the issue is that you don’t have enough security awareness in your organization, whether people are not competent to work with cloud because you are using cloud, because let’s say you’re using AWS or you’re using Microsoft, and then you don’t have architects or security architects that understand the platform.
Then you need to obviously make sure that they do, to have the right security architecture in place. So you define that for a very near, short-term process, a plan. And then you develop also a plan for, say, three years: where do you want to be in terms of maturity, whether you’re talking about resilience already, where you want to go in the future, but have enough flexibility in that.
So you can adapt it, because after one year’s time you would already be able to point and see, oh, you know what? We need to make these modifications because the landscape has changed so massively now. Maybe these things are still actual and still valid, but these things aren’t. So it definitely plays an important part, especially in terms of risk management, because if you don’t [00:29:00] understand your risks, again, back to my point, you will not be able to invest in security efficiently and correctly.
There are so many maturity models out there, and you can use them, obviously. But independent of what framework you use, you have to understand where you are today, and you have to understand where you want to be in one year. And this has to be ideally based on your business,
your organization; definitely the good practices and the practical advice that you’d get from the professionals, but based on your risk profile, because if you don’t have that aspect, then you’re basically doing what everybody else is doing. And that might not be a valid risk for your organisation at all.
Ashish Rajan: I’ve got a comment here from Darpan. Oftentimes a roadmap for other players would also have to be taken into account for a roadmap, yeah, for a big organization. So just like cybersecurity is the only thing people are working on, but any comments on that?
Monica Verma: Absolutely. The thing with cloud is that you have now a complex supply chain. So your risk profile is obviously dependent on every other service provider’s risk profile, independent of [00:30:00] cloud as well. If they’re not a cloud service provider, every other service provider that you have, your risk profile is dependent on their risk profile.
So having third-party risk management and having third-party security assurance and security audits in place, knowing how they are in terms of maturity, will affect your maturity and will affect your risk. So definitely that has to be taken into account, and that will be a part of your strategy.
Ashish Rajan: Awesome. You are preaching to the crowd. So on 25th of November, AWS had, like, one of the major services go down. And to your point, if someone has a concern about their supply chain risk at that point, what does it mean when AWS goes down or Azure goes down or Google Cloud goes down? That’s massive, and people assume these are too big to fail, but it does happen.
Monica Verma: The biggest example is also what happened with the Cloud Hopper attack. I mean, I think, if I remember, like eight service providers were attacked; they gained access to customer networks through the cloud and the service providers.
We will see more and more of these [00:31:00] things, because you’re again trying to go through the weakest link and the easiest place in the entire cloud supply chain, which now I can think of as football or soccer. You have different players; they will try to go into whichever is... The attack surface is now more complex.
It’s much larger, much more area that can be used and abused in that sense. So whatever way they find in to attack different organizations. I mean, instead of attacking a single organization, if you’re going to target a service provider and then have an impact on the whole world, I mean, that’s a big gain, right?
Ashish Rajan: That’s a good segue into my next question about how do you explain cyber risk?
Monica Verma: That’s actually a good question as well. When we talk about security incidents or potential cyber attacks, when that happens, right, with security incident management in place, we’ll talk about, okay, what kind of a response we should have in place? How do we do the triage? How do we identify what’s going on?
What’s the impact? How do we contain this, and the whole process of going up to the problem management? [00:32:00] When I think about cyber resilience, the difference is a bit... Think of the pandemic that we’re going through. The whole concept of what cyber resilience is: having cybersecurity in place, but then being able to withstand a cyber attack, and the ability to not only detect and not only just respond, but respond in time and adapt to a cyber attack so that you’re able to minimize any kind of downtime or any kind of impact to your organization. And that adaptability
in that response is what tells a little bit about how resilient you are to cyber attacks. And that’s an aspect that definitely needs to be taken into account if you’re going forward in terms of maturity, because, and I’ve said this in many of my talks, it’s not a question of if, and it’s no longer also just a question of when;
it’s a question of already thinking, when that happens, what capabilities we have in place to detect the potential [00:33:00] attacker already in my infrastructure before there is even an incident in place, how early I can adapt to it, how quickly I can respond to that, how I can make sure that my business operations are still functioning, or whatever is important to my organization
is in place before it actually comes to a complete impact on the organization. So all these questions are important because you’re already assuming a breach. You’re already assuming an attack. So it’s not a question of if and when, but all these points are to ensure that you have resilience in place, and resilience is not built in a day.
So you have to start and grow it and make it more mature over time.
Ashish Rajan: So cyber resilience should be a state that people should be planning a security roadmap towards?
Monica Verma: Every organization is obviously very different from each other, right? From the perspective of, if you’re a target, yes. Every organization is a target, right?
So people or organizations that are small or that [00:34:00] think that they’re not valuable, that just is a myth. Every organization is either a direct target or an indirect target or collateral or a step to somebody else’s network or whatever. So everybody’s potentially a target. So yes, assume that you are a target and that you will get hacked.
So from that perspective, yes, everybody should be moving towards resilience. But the question really is, how important is resilience for your organization? If a particular financial system or infrastructure goes down and there are a lot of issues with the trading or with the kind of financial processes, that will have a much higher impact than some other systems that may be just like a shopping website that went down for, like, I don’t know, two hours. So resilience will still not mean the same thing for different organizations.
It’s a bit different for different organisations. So you have to define what resilience means for your organization. And then yes, you have to, or you should ideally, move towards that.
Ashish Rajan: [00:35:00] And so to your point, cyber security versus cyber resilience, right? Where do you want to put your money in this poker game?
Monica Verma: I guess. I mean, it’s kind of both, because you cannot be cyber resilient if you’re not thinking about the basic cybersecurity in place anyway, because a lot of people also have this misconception of, you know, what are we going to do? These fancy things, because new things have come out. Before you start doing any of that,
please have first basic hygiene in place. So don’t think of cyber resilience if you don’t have cyber hygiene and cyber security in place. But then this obviously builds towards cyber resilience. And so you should be thinking cyber resilience, but a part of that is to have the basic hygiene in place, and then assuming an attack and knowing what capabilities you need if an attack happens and how you will manage that, how you will respond and adapt to that, which is in accordance with your core business, the criticality of your business, the operations that you’re doing and [00:36:00] the sensitivity of data and so on.
So your risks, basically.
Ashish Rajan: And I think it’s good for me to go into: what do you think are the misconceptions about cloud that people haven’t demystified yet?
Monica Verma: Yeah, I mean, I think I kind of mentioned them, and I think my top three myths are: one, cloud is not secure.
I don’t want to go into cloud because it’s not secure. The other is cloud is secure by default. No, it’s not. You have a lot of responsibility for security when you’re moving to cloud, and you should know that before you’re going to cloud: what is your responsibility? Because another thing is that you can transfer responsibility, but you will never transfer accountability.
So for example, if I put my customer’s data into cloud, independent of whose fault it is, I am liable for the data breach to my customers. So you cannot shift accountability. So that is very important to know. And I really wish people would stop using the meme “cloud is just somebody else’s computer.” This is really, [00:37:00] to me, I really hate that.
I think I’ve used that in every of my
It kind of gives a misconception as to what is really required to actually have security in cloud. Because if you look from a very basic, overall perspective, right? Even if the SSL that or Amazon has said that security of cloud is the cloud service provider’s responsibility, but security in cloud is the cloud consumer’s responsibility.
And just saying that in moving into, putting into somebody else’s computer, yes, you are shifting from your data center to somebody else’s data center. That part is correct. I’m not doubting that, but the point is that you cannot necessarily always use the same security controls, the same type of risk management.
When you’re moving into cloud, I mean, your controls vary, what type of risks you have vary, there are so many aspects here that vary. So saying that just basically says that it’s identical, and it’s not. And it’s not identical. [00:38:00] So there are a lot of aspects that are so hugely different, so it basically promotes that misconception, and it basically says that you can just use the traditional security and then go to somebody else.
I mean, you can just put it there, but you just can’t. So that’s why it really irritates me, because it’s promoting misconceptions.
Ashish Rajan: I can definitely sense your passion against it, let’s just say that. I’ve got one more final question. What are people not talking enough about in risk management, especially when it comes to cloud security?
Monica Verma: Yeah, it’s, I think risk management is generally a topic not talked about enough, in general. I feel like I know very few organizations that actually have done a risk assessment before moving to cloud. And okay, if you have actually done that, then do it at least when you’re in cloud. And very few people do that, I feel.
Not really understanding that is what makes it difficult, because then you’re really missing all these, [00:39:00] the top 10, basically the risks for cloud that are there. They’re very easy to miss without knowing what kind of risks you really have. So I feel that a lot of topics, actually risk management in general, risk assessment in general, is a very little spoken-about topic.
Both, well, in security also a little bit, but definitely in cloud security, especially when migrating to cloud. And then obviously after as well.
Ashish Rajan: I feel like, and this is worthwhile calling out, I was talking to someone about risk management ages ago, and this person is, like, super technical, like super smart.
Right. And I feel like a lot of people think that risk management is all about, if you have an incident, you’ve recorded it as a risk. And there’s so many, because I know you spend so much time in technology and you almost say, oh, you’ve got to have some idea about all the other fields that are not in your field.
And I feel like you’ve been able to clarify a lot of those, I guess a lot of those doubts that have come into people’s minds.
I’ve [00:40:00] got a question here about how a multi-cloud environment distributes the risk across multiple cloud providers. Or would you rather stick to one cloud vendor? That’s an interesting one. What are your thoughts on that?
Monica Verma: That’s actually very interesting, because I mean, just being with one cloud vendor is also, could be a kind of a risk in itself. I mean, if you are using the same cloud vendor for, like, backups, and if, say, that cloud service is entirely not available for whatever reasons, would you rather prefer having backup at a different cloud
vendor? The part to that question, I usually suggest it’s both okay and not okay, depending on what kind of risks you’re mitigating. Don’t go into multiple cloud vendors just to go into multiple cloud vendors. You obviously need to understand what applications you want to have and what kind of security they provide you.
So obviously if one cloud security provider, as a cloud service provider, provides you better security and provides you the functionality [00:41:00] that you need, and the other one is doing it better for another application, absolutely use it. There is nothing wrong with having multiple vendors and multiple service providers for that.
But then you have to understand that you have to manage both of them as a potential attack surface, and for both, you need to really understand what risk profile they have, how they are complying with the security requirements, how they’re compliant with regulatory requirements, how they’re managing data, for both of them.
And what does it mean for you? So you kind of need to have the understanding, so it definitely makes your environment a bit more complex. Also the supply chain becomes more complex, but there’s nothing wrong with going into multiple cloud environments, especially also because in most cases you don’t want to be vendor locked-in or just want to be with one cloud service provider.
So there are both pros and cons to both situations, depending on what your needs are.
Ashish Rajan: That’s a great answer. I love it. And I think it’s definitely becoming more of a reality these days. It’s not easy for people to be in a single cloud these days, as I like to say, there are a lot of people with a lot [00:42:00] of egos in the company and obviously everyone wants everything that is there.
Well, that’s kind of the end of the show as well, but where can people find you? And I would love for you to talk about your podcast as well, if you don’t mind.
I think people should definitely get to know that as well, so where can people find you?
Monica Verma: So I’m very active on LinkedIn. So please connect with me, follow me on LinkedIn. Just go to linkedin.com/in/MonicaVerma. You’ll find me, and my profile is public, so anybody can follow me, contact me,
connect with me. I absolutely would love that. So that’s where I’m most active. For my podcast, I’m actually wrapping the first season this December. So I’m coming up with the season finale in three weeks. So that’s going to be just before Christmas. And I already have a huge guest list for season two.
What I usually talk about in my episodes is, I have different guests from all over the world and we talk about security, privacy, and risk management. So I [00:43:00] combine all these three topics, and we usually talk about everything that’s happening today: what these professionals are feeling, what the challenges are they’re facing, what the recommendations are.
So it still gives a perspective of how to think about these things, and we don’t go into all the technical controls. That’s what we don’t do, but it is basically for everyone who is either wanting to join the industry or is already in the industry and wants to understand how they should think, what they should be thinking about in terms of security, privacy, and risk.
So those are the topics that I cover in the podcast, and it’s called We Talk Cyber with Monica. It’s available on all the podcasting platforms, so Apple, Spotify. And I also have my YouTube channel, Monica Talks Cyber.
Ashish Rajan: Awesome. Thank you. So feel free to connect with her, folks. I think there are definitely some gems being thrown in there in her podcast as well.
I think some of the people who’ve interacted with us today have been from Trend Micro, which was basically supporting that as well. So I think you’re doing a great job, so thank you again [00:44:00] for coming in. I really think it was really valuable. I think it’s always important to kind of cover all aspects of security.
So thank you for being part of my finale episode. To be honest, I really appreciate the fact that people take the time, especially late at night for you as well. You could be eating dinner, your soup casserole that you would have made, MasterChef, just before.
But I do appreciate you spending that with us over here. Thank you so much for this.
Monica Verma: Thank you, I really appreciate it. And thank you all for joining and asking the questions. Please feel free to connect with me. And as I said, I’m bringing out new blogs from a CISO perspective, and also I’ll be writing about cloud security on my website, Monica Talks Cyber dot com.
So feel free to join, subscribe, or just check it out.
Ashish Rajan: Sounds good. Thank you, Monica. Thank you so much.