Trust the cloud, we’re getting the hang of securing it, says Unisys security chief
Tom Patterson talks the white and fluffy stuff
IPExpo Everyone’s starting to believe in public cloud but security remains an uphill battle, Unisys’ chief trust officer Tom Patterson told The Register this morning.
“There are no four walls any more,” he said, sipping a cappuccino in London’s ExCel conference centre and referring to the traditional security model where threats were - literally and figuratively - external to one’s company.
“As we now know, there are no perimeters so there has to be a new concept, microsegmentation. You can create your own segments within segments no matter who owns the infrastructure,” he said.
The concept essentially refers to Unisys’ own Stealth product, which is intended to make certain devices on your network “invisible” to hackers.
“If malware gets in - and in this day and age, it will, for example through a thumb drive or some clicking onto a poisoned site - if malware gets in, it only gets into your microsegment,” explained Patterson. “Instead of big crashes you’ll see... micro incidents.”
All very enticing, for sure. Patterson was keen to emphasise that the time to implement this “is when you adopt the cloud and go global,” adding that it’s “cheaper and easier to operate in the public cloud that way.” Naturally, he would say that about his own firm’s product.
“IoT is our biggest adopted subsector worldwide for our Stealth product,” he continued. M2M and industrial control systems are all run on computers as we think of them, he explained: “they just don’t have a keyboard”.
Take the carrot now or you’ll catch the stick later
Microsegmentation, Patterson’s big theme, is “almost mandatory”, as he told us. Exactly how mandatory would that be?
“The penalties for not complying are becoming substantial. Europe is leading the way with substantial penalties,” he said, referring to the recent £400,000 fine handed out to TalkTalk as a result of its large-scale data breach last year. “That’s the stick,” he added.
As for the carrot? That’s not being “on the front page of the paper”, as Patterson said he had heard from a few executives he had spoken to. He continued: “The biggest change is not looking at it as an IT problem but as a business enabler. Design transition to public clouds, implement this new microsegmentation and take that catastrophe off the table.”
Contrasting what he saw as the old approach of on-premises cybersecurity, where firewalls may have “a hundred thousand” rules - an exaggeration for effect, perhaps - Patterson said: “That takes weeks, sometimes months, to go through them all to make a change… they need a way to get into the new, high speed way that business is done today.”
Are people getting the ‘cloud, cloud, cloud’ message yet?
The latest DDoS toolkits - “which anyone can download” - were used for the infamous Brian Krebs DDoS. “That was driven by cameras, people’s thermostats... those were the devices harnessed to go throw all these denial-of-service attacks,” said Patterson. “You’ve just got to have better defences.”
Exactly how that works when even anti-DDoS outfit Akamai slung Krebs, a pro bono customer, off their DDoS mitigation system, is an open question. In terms of avoiding becoming part of such a botnet, Patterson, naturally enough, sees the cloud as the answer.
“What we’re talking about today is being more resilient by being in the cloud,” he said. “Companies are taking this more seriously, there are business drivers now in terms of avoiding catastrophe and competitiveness. They’re trying to operate more efficiently than their competitors.”
Indeed, he sees the growth of semi-automated and automated security as the future - “nirvana points” of software-defined security, as he described them: “What we want to get to is predictive analytics and watch the flow of what’s going on in your world. Your network would actually adapt to your predictive analytics.”
This, he said, could lead to security software spotting a threat, nixing it and then rolling out an update across the network, all with minimal need for slow old humans to get involved.
Job replacement as a service
Grey-bearded Patterson laughed when El Reg put forward the notion that he might be automating himself out of a job. “I’d love to be automated out of a job!” he joked.
“I’ve been in business all my adult life,” he said. “Security was never taken as seriously as it should have been in the early days. I spent time with boards around the world helping them understand how to govern their organisations in a proper way. Security is just one of these things that has to matter along with finance and agility. There has to be a security seat at the table, going forward.”
As much as there is a danger of automating security professionals out of a job, there’s also the very real question of balancing the demands on budgets, particularly for smaller companies. As Patterson put it: “You can’t hire 60 experts to sit at the console. You still need the security expertise at the top, giving the right guidance.”
When it comes to the Unisys-AWS tie-up, Patterson ends on a bold and perhaps marketing-driven note: “We want to choose a cloud that offers the greatest level of security at the cloud level, and take control of your security with your workloads in your cloud… when you use AWS and Stealth, you have one thing to administer.”
And that’s his core message: trust us and drink the cloudy Kool-Aid, it’s no longer the great big cup of insecurity it once was. ®