Guest Post by Jason Chan, former VP of Information Security at Netflix
I recently came back from my first trip to Israel, one of the centers of the cybersecurity industry. In addition to meeting so many peers and talented cyber teams, I also had the chance to speak at CyberWeekTLV with Asaf Kochan, President of Sentra, and former commander of Unit 8200 (Israel’s NSA). We discussed the different security challenges facing cloud first enterprises, but also some of the business opportunities the cloud makes possible and how I tried to use cloud security as a business enabler during my time at Netflix
Organizations move to the cloud or choose to be cloud native because they value speed. They want to be able to spin up thousands of VMs whenever they want and move massive amounts of data through their cloud infrastructure. We can think of the old way of cybersecurity as basically putting a gate on a road. We make the user stop, we inspect them and their data, and then open the gate and let them go wherever the business needs them. I always encouraged my team at Netflix to think in terms of ‘guardrails, not gates’. Let the business move as fast as it needs - with appropriate guardrails to prevent users from ‘flying off the road’, so to speak.
The truth is that the best engineers and security teams want to help the business get to where they’re going as fast as possible. They understand that the business doesn’t exist to serve security. At Netflix, the business model was to put out high quality entertainment at a rapid pace. Our job was to help them do that while staying secure.
Besides the benefit of helping the business, there’s an important talent boost that comes with being cloud first. The best engineers want to work on the newest technologies. It’s going to be harder and harder to find dedicated talent who are passionate about maintaining legacy and on-prem architectures. One of the major advantages I had recruiting talent at Netflix (besides the prestige of the brand) was that we were building security programs for a new type of infrastructure, and that was exciting.
Back to my guardrail metaphor. When you drive along a road you’ll notice that some areas have stronger guardrails. These are the areas where accidents are most likely to happen. Similarly in security, prepositioning is key. The reason new security leaders stay awake at night is because they’re imagining worst case scenarios all the time. But there’s a way to use that type of thinking for good. As Asaf said in my discussion with him, prepositioning by playing the ‘what if’ game is how you minimize the likelihood and impact of breaches. Think about the data that would do the most damage in the event of a breach, think where that data might be, and then make sure it has the proper security posture. Then do that for the next most critical assets, until the risk of the worst case scenario coming true has reached an acceptable level.
Cloud data security is about helping your company leverage the cloud. The whole point of the cloud is speed and scalability. Security leaders for cloud first enterprises that don’t get in the way are the ones that are going to prosper in their careers and allow their companies to reach their full potential.