More organizations are now moving to the cloud. From a security perspective, refactoring the applications provides a major opportunity to improve security posture. This session explores how the right approach can save time, increase inherent security, and ensure apps are compliant.
This is not your session, so feel free to leave if that was your expectation. And I mean, with that being said, I hope you will enjoy the talk. Let's keep it interactive. So whenever you have a question, whenever I make a statement which annoys you and you think you have a completely different opinion, feel free to raise your voice. I can also see the questions that are coming in online. I will check that from time to time. And with that being said, I would say without further ado, let's get right into it. For those who don't know me, my name is Michael. I'm currently the CISO at a major sporting goods brand here in Germany. I've been in the role for one and a half years. Prior to that I used to run the security function at Daimler when they were still one big company.
We have some people from one of those companies here. So glad to see you again. Obviously I've mainly been working in information security slash cybersecurity throughout my whole career, so for me the fortunate thing was I could make my hobby my job at some point. So I started out doing IT, so really full-scale IT, full stack, building everything up for smaller companies when I was younger, but always very curious in the security space already. And that's why I also ended up studying computer science, because I wanted to actually understand what I'm doing there. Before that I just did it and it somehow magically worked, and also that focus on security was always there for me and I wanted to go deeper into that. I started my career at Deutsche Bank and I mean obviously banks are quite advanced when it comes to information security, and that was a great spot for me to learn this.
But let's focus maybe on the more important part: why am I talking to you about cloud security or cloud in general today as a CISO? The company I'm currently working for, and again there might be some hints hidden in the presentation, is one of the German companies that has the biggest cloud footprint. So in other words, when I joined the company, coming from a more traditional company that actually had a quite large and decentralized on-premise footprint, I was quite surprised, because number one, I thought I knew everything in security. So I was pretty convinced it'll be nice and easy, and what should be there to learn more? And then I joined and was surprised because I found a company that has a very high cloud adoption, and also, and that's the second thing on that slide as well, they didn't just adopt the cloud for software as a service as an example, but they are also running a lot of workloads in the cloud on their own.
The thing is, if you just move the workloads to the cloud, and I guess we have seen that with many companies, if you just kick the stuff out of your data center, don't refactor it and put it into the cloud: number one, it doesn't get better. Number two, it costs you more than it did before. Fortunately my company did it in another way. They decided to refactor most of those workloads and actually build a lot of them on their own. And the reason for that I will show you on the next page as well and go a bit deeper there. That leaves me more or less right now with an environment that is cloud heavy, cloud native. And that's where I as a CISO also had to take a step back and actually think about, well, what does that mean for me? Because I mean, having been in security functions for a long time, you somehow learned how to do security, so what are the tools you need?
How do you deploy them? How do you get your overview, transparency, et cetera. But all of a sudden those conversations were completely different ones, and I wanna be very open and honest with you about that as well. I ended up actually doing a Udemy course for a couple of days in the evening, really looking into what those bloody Terraform scripts are, what Docker containers are, how Kubernetes works, just to get a better understanding around the technology, because I think as a CISO you need to have a sound understanding of the technology. Not saying that you need to be the one who can deploy those containers, but at least you should understand how the environment works. Now why? Why is our business loving the cloud so much? If you think about our business and how it works, we are actually having online stores and our company strategy is to go more direct to consumer.
So obviously for us it's better if we sell the products directly to the consumers rather than selling them via Amazon or others. That also means you need to have an online store that scales, and this is where something very specific for my company comes in. We are doing so-called hype drops, and you wouldn't imagine it, but there is something out there that is called the Sneaker Mafia. And those folks are really just trying one thing. They are trying to get as many of those goods in the hype drops, so those come at a limited quantity, get as many of those as they can and then sell them off for a higher amount. Now that comes with a unique challenge from a security perspective. We are talking about people developing bots and using botnets in order to place orders in our online store and in those hype stores.
The interesting thing about it is, if we in the past worked with major providers of such e-commerce solutions, they couldn't handle that load. So their systems are not built for that, and that's why the company at some point decided: let's build that on our own. Let's build that better than what you have on the market right now. And the teams are very proud of that, actually they can handle now more load in those environments than Amazon has on peak days. So we get way more requests, especially because of those botnets that are very often behind those requests as well. For the business that was great, because all of a sudden with those cloud environments we had the ability to scale, we could satisfy all the business needs. And last but not least, and don't forget about that, and I think you also need to think about that as someone working in security, you need to be an attractive employer. We all know that there is a talent shortage in security, so obviously if you want to be attractive: those young security folks, they want to work with the latest technology, and that's what is actually helping me as well. We can offer that.
Now why am I giving this talk in general is pretty easy. Being a German CISO is sometimes a bit complicated, because in Germany we love our rules, we love to first plan things a hundred percent and then maybe fail to execute, and we somehow also are a bit resistant to this cloud adoption thingy, and I'm very self-critical there. I mean, and don't get me wrong, it should also be a bit humorous. It's not always a hundred percent the truth, but let's face it, we have a slow cloud adoption, and what we as security teams have also very often done in the past was, we were rather the ones that came late to the party and then said, oh no, no, no, no, we don't like what you're doing. Let's better stop that for now. That's bad for our business. I mean if you look at the way businesses have changed over the last couple of years, speed is one of the key things. If you can be first to the market, you can win that market. And from my perspective, being the security team that always says no or that comes in late isn't what you can do anymore today. So I'm a huge advocate for rather taking the hand of the business and also the technology teams, understanding what they wanna do and supporting them along the way, because they will do it anyway, and I will come to that point in a moment.
Now when we talk about cloud, and that's the tricky part now of this presentation, there are so many things to consider from a security perspective. When you talk about cloud, you have infrastructure as a service, platform as a service, software as a service. All of you by now for sure know those terms, you love them or you hate them. What is still quite surprising for me is that companies today, despite the fact that everyone is talking about that, aren't actively investing in getting it in shape, and I'm really talking about doing the basics. And one of the basics for me, and that's one of those buzzwords on there, and I'm sure there are plenty of providers out there that love those words because they have solutions for that, is, for example, CASB solutions. CASB solutions have been on the market for what, more than five years now.
So cloud access security broker helps you with one very trivial thing as a first step. It helps you understand which cloud environments your users are accessing. Now, if I would be asking you, do you know what your cloud environment is? Some of you might be saying no, and I know why. We did some surveys, for example with the biggest companies in Germany, and many of them still don't have a CASB in place, or, what I will come to next, a CSPM in place. From my perspective, again going back to what do we need to do as security leaders? We need to know what's out there. We need to understand what our business is doing. So CASB for me is a starting point. Actually, just as a hint or a side note, there is something pretty interesting you can also do in order to get more transparency.
And we are doing that together with our enterprise architecture team. We are looking into the credit cards of our employees. Why are we doing that? People can very easily go online, you know it, and buy a cloud solution. Many of them get creative and they do it on their company credit card. We have connected our enterprise architecture system to our credit card charging system, so that we know if someone purchases an Azure subscription, AWS or whatnot, we get the transparency, we can make sure that we manage it. And that's for me the starting point where security really starts. Second thing: CSPM, cloud security posture management. Now if you have discovered that your teams or your company is using infrastructure as a service, platform as a service, you might want to keep that environment in shape. And the charming thing, and again this presentation is really a bit vouching for cloud environments:
In the past when we had everything on premise, it was very hard, number one, to get the proper transparency. So yes, you could do a vulnerability scan, you could tell me there are a thousand Windows servers, but could you really tell me what application is running on them, whether those applications have been properly checked, et cetera? CASB solutions can do that for the cloud. So with CSPM solutions, we are taking it to the next step, making sure that the basic configuration of those environments is in good shape. You should all be doing that, and I'm bluntly saying that because I know we are not all doing that, and those are the basic things. There are solutions on the market that help you with that.
If you look into the software as a service story, it becomes way more tricky. Obviously those solutions are, for us, solutions where we don't know what's going on in the background, so what the providers are doing. It's hard for us to mandate them to implement certain security measures, et cetera. But especially in those environments, security comes back to one very essential point, and that's managing identities and also access of those identities. So if you have those cloud solutions, make sure that you have the proper means from the security team or the identity and access management team to properly support those cloud solutions. In terms of identities, there should be central offboarding. So if people are leaving your company, there shouldn't be any accounts left in those cloud environments. It's just basic hygiene. We need to do it. The solutions are out there. It's not tough to do it.
In our case, and I will be very open about that, we are heavily relying on Microsoft. So we are using almost everything in our security stack from Microsoft, and also on the identity side, and that helped us a lot, because we were able to get all of those SaaS environments, for example, under control. We are steering them via AD, we can provision the users, et cetera. So that works like a charm. We can do it, but we need to do it, and we need to embrace that the business eventually will go to the cloud. We won't be able to say no at some point.
Now if you want to take it to a bit more advanced level: obviously we as CISOs and also data privacy officers here in Europe are pretty afraid of handing out our data to a foreign country, be it in Europe or, worse case, outside to an untrusted country. Good news is there are also solutions around that. I mean, speaking technically, if we encrypt something and the provider can't access it, then hey, we are in good shape. Now we all know that homomorphic encryption isn't a thing today and it's not working everywhere, so you can't have all the cloud use cases you wanted. But again, if you just have a database somewhere where you store, for example, consumer records, then hey, you should be encrypting it, and yes, you need key management for that. There are solutions out there that support you with that. Again, get ready for that cloud journey and have those things in place.
That was now the view of the business. So what is the business doing? They are moving to the cloud because they see a lot of benefits. Now let's maybe turn this coin around and look at the other side. For me, there is one very important part when it comes to security and the cloud, and that is consuming services, security services, that come from the cloud. We've all been there in the past: we had too few people to actually deploy all the fancy solutions those providers wanted to sell us. We had a hard time maintaining it. We had to train our people and it was horrible. It took ages, and over time it was always a real big challenge. Now meanwhile, over the last couple of years, security providers obviously also realized, hey, we can offer you SaaS solutions. And just giving you one example, we did one deployment a couple of years back in a company of an EDR solution.
Deploying an antivirus in the past was something, yeah, you could manage: you would install it on your own locally, you would try to roll out the agents, et cetera. Then you would try to keep those agents in shape. We chose to go back then with CrowdStrike, which was still pretty new to the market, but they had their SaaS offering and they also had auto updates of that client from that cloud. Despite all the challenges that came with the discussions you need to have, be it in Germany with the works council, with the data privacy officer, et cetera, we eventually made it and got the okay to do it, and it changed our security within a matter of days. We were able to deploy that agent globally without any impact and we had full transparency. So for a security operations center, those are the huge things.
Those are the big enablers. Could we have done that if we tried to build something up on-prem? Yes, absolutely. But would it have been as fast as it was just using a cloud solution and deploying the agent for it? It wouldn't have been. I'm very convinced about that. And so from that perspective, I'm also a strong advocate: let's look into those solutions that are there, that are cloud ready, and use them, even if they are built in, for example, like you can purchase them on the Azure store, et cetera. Second thing is, if we talk about cloud native environments, so also environments like Azure: we are a big AWS customer, just one shop, we use everything from AWS. If you look into their offerings, everything will come with APIs. So if you look into security products that are built cloud native, they will use those APIs.
There is one very interesting development going on on the market right now, and that is you will see companies now coming up that show you where your precious data is. Now everybody who works in regulated environments will frown, because we all have been there, trying to deploy solutions that connect to all the databases and all the servers and then scan those and tell you what kind of data is in there. We've all had the horrors of really keeping that in shape, making sure that yes, it definitely connects to all the databases, yes, it's still connecting to the servers. Now the nice thing about those cloud environments and cloud native environments is you don't need to take care of this. Losing access to that environment isn't a thing anymore. So scanning such an environment in its entire landscape is a matter of entering an API key, and then more or less you're done.
I'm exaggerating a bit, but it's the way it works there. And what those providers offer us now is they will show you in your cloud environment, be it from your EC2 instances, databases, or also really in the cloud native Kubernetes environments: what do you have there? They will do a stocktake, they will go through it, and then all of a sudden, and that's where at least the last DPO I was talking to frowned a bit, they will show you where your data is actually moving. So if you have data that is GDPR relevant, consumer data for example in our case, those solutions can tell you: yes, it resides in maybe this database, and that's where it should be. But hey, there is a certain developer who took five copies and they are lying around somewhere where a lot of people have access to it.
Or, even worse case, there is another workload in the US that's accessing that data. And for me that's quite a game changer, because in the past we all struggled to figure out: where are our crown jewels, where is the most precious data we need to really protect, and did it move anywhere? I mean, even if we knew, yes, this one system is our crown jewel, do we know if someone copied the data somewhere? I think those solutions will have a big impact on the way we are doing security, because we can do it in a way more focused way.
Lastly, and that's actually already the last slide for the presentation as well: why did I become such a huge advocate of that whole cloud native story and also the changing mindset? You all remember the time last year when we had Log4Shell. We all went crazy, we got the news, we knew we have to figure out how many applications are affected. And for me there are two sides to this story, actually. One side of the story is we have those beautiful new cloud native environments, and when I asked my application security team, are we affected by Log4Shell? Are we using those libraries? Where are they? Again, like a snap, within five minutes they could tell me, hey, those are the workloads that are affected, here is Log4Shell. They didn't have to start scanning from the outside or things like that.
They were just able to tell me where the problem is and we could go ahead and fix it. That's the positive side of the story. That's where I was cheering and happy, and that really helped us. The real truth obviously is we not only have those environments, we also have more traditional environments. So yes, we kicked off our vulnerability scanners, we asked vendors whether they are affected, because we don't know what's in their product, et cetera. Yes, we had that long Excel spreadsheet, we had hundreds of people accessing it, messing it up, and we were struggling there. But quite honestly, what this incident showed me was, and we treated it as an incident despite the fact that we were not affected in terms of someone abusing one of the vulnerabilities, we treated it as an incident. And that incident showed me that if we just had those modern environments, if we had control of all the source code, if we would know what we are deploying in the environment and then also what is there at run time, then our life would've been very easy actually.
And what you see on the market now, and that's maybe one of the closing statements as well, what you see on the market is a huge convergence. So right now, if you want to do all the things that I told you about, you would need a lot of different solutions. What you can see right now is big players are realizing having those pinpoint solutions is again not a good idea. And we saw that in other areas in security as well. And so what you will find is, with big players on the market that are doing cloud security, they are really now investing in building end-to-end cloud security, starting with the software development. So they will integrate in your source code repositories, they'll start scanning them for secrets that are in your code but also already for vulnerabilities, even integrating in the IDE of the developers so they can fix it right away.
When they build, for example, the Docker images, you will be able to scan those images. Yes, the technology is already out there, but again, end to end, there were no providers to do that. And lastly, in the run time, once those containers are deployed and running, they can monitor whether they are being changed. And I think this is now the really interesting part for me, because we will have those platforms in the future that can show us this end to end. And what this also actually means is, and that's quite impressive if you look into it: if you have a team that is doing vulnerability scans, number one, please go talk to them and make sure they are ready for tomorrow, because you won't need them tomorrow anymore. Their Tenable, Qualys and whatnot scanners are maybe not so important anymore in those environments. But what you can ask them to do is find, for example, Log4Shell, and they will come back with: well, we scanned the environment and we found a thousand vulnerabilities. Coming back to our story:
Why are we so cloud native? When we have our hype sales, we are ramping up thousands of machines at once and scale them down afterwards again because we don't need them. If there is one vulnerability in there, guess what? The scanning team will see thousands of machines being affected. Crazy. They will say, oh my god, there is a lot to do. If you look into those solutions now that do the end to end, they will pinpoint for you where you need to change the code. And for us very often it means changing one line of code will change those 1000 machines and we will be secure. And that from my perspective is a game changer when it comes to security, but it's also something where we need to change the mindset. And with that, that's it for my presentation. Thanks so much for listening in, and I hope you enjoyed it, and I'm also happy to take your questions. I know it was a lot of topics to cover, unfortunately, but for me it's very important. Let's see it from a positive side: cloud is an enabler, we just need to embrace it. So thank you.
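The closing point of the talk, that one vulnerable image autoscaled onto thousands of hosts shows up in a host-based scanner as thousands of findings while the real work is one change to one image, is easy to make concrete. The following is an added example, not code from the talk or from the speaker's company: it takes constructed scanner output (host-level findings for autoscaled instances, each tagged with the digest of the container image the host runs) and collapses it by image digest and CVE, so that the work queue is root causes ordered by blast radius rather than a list of hosts. The image digests, repository names and host names are constructed placeholders; CVE-2021-44228 is the Log4Shell identifier the talk refers to, and CVE-2021-45046 is its follow-up in the same library.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One host-level finding, the way a network vulnerability scanner reports it."""
    host: str          # autoscaled instance that was scanned
    image_digest: str  # digest of the container image running on that host
    repo: str          # source repository the image was built from
    cve: str           # vulnerability identifier


def build_sample_findings() -> list:
    """Constructed sample data: three images, each running on many hosts.

    Digests, repository names and host names are placeholders, not real values.
    """
    fleet = [
        # (image digest, source repo, CVE, number of hosts running that image)
        ("sha256:aaaa0001", "shop/checkout-api", "CVE-2021-44228", 1000),
        ("sha256:bbbb0002", "shop/inventory-sync", "CVE-2021-44228", 250),
        ("sha256:cccc0003", "shop/legacy-reporting", "CVE-2021-45046", 3),
    ]
    findings = []
    for digest, repo, cve, n_hosts in fleet:
        for i in range(n_hosts):
            findings.append(Finding(f"host-{digest[-4:]}-{i:04d}", digest, repo, cve))
    return findings


def group_by_root_cause(findings):
    """Collapse host findings into (image digest, CVE) root causes.

    Every host running the same image digest carries the same vulnerable
    layer, so fixing the image once (dependency bump, rebuild, redeploy)
    closes the finding on all of those hosts at the same time.
    """
    hosts_by_cause = defaultdict(set)
    repo_by_digest = {}
    for f in findings:
        hosts_by_cause[(f.image_digest, f.cve)].add(f.host)
        repo_by_digest[f.image_digest] = f.repo
    causes = [
        {
            "image_digest": digest,
            "cve": cve,
            "repo": repo_by_digest[digest],
            "affected_hosts": len(hosts),
        }
        for (digest, cve), hosts in hosts_by_cause.items()
    ]
    # Largest blast radius first: that is the one fix worth shipping today.
    causes.sort(key=lambda c: c["affected_hosts"], reverse=True)
    return causes


def summarize(findings):
    """Return what a scanning team sees (host findings) next to the root-cause view."""
    causes = group_by_root_cause(findings)
    return {
        "host_findings": len(findings),
        "root_causes": len(causes),
        "causes": causes,
    }


if __name__ == "__main__":
    report = summarize(build_sample_findings())
    print(f"{report['host_findings']} host findings -> {report['root_causes']} root causes")
    for c in report["causes"]:
        print(f"  {c['repo']} ({c['image_digest']}) {c['cve']}: {c['affected_hosts']} hosts")
```

The join that makes this work is the host-to-image-digest mapping. A scanner that only reports IP addresses cannot do it on its own; the digest has to come from the container runtime or orchestrator inventory and be joined to the scan results, which is exactly the piece the end-to-end platforms in the talk supply. Without that join, 1253 findings stay 1253 tickets.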
Thank you for your presentation. How many people are you allocated to all these barriers, exercises and complexity, et cetera? So could you just disclose a little bit of numbers: are we talking hundreds or thousands or just 20, or where are we?
Yeah, so the company overall has by now a couple of thousand people in the tech department. So developing code, solution architects, et cetera. My team, and I've always tried to have a certain percentage actually related to the overall infrastructure and also budget: we have right now roughly a hundred people. We will be growing. So I think a reasonable target figure depends on how many people we will hire in tech overall. So in our IT department it might grow further, but right now a reasonable target figure would be around 140, 150 people, and part of them is taking care of that, obviously.
Thank you. Hi Michael.
How much budget do you spend per year? The calculation you appreciate for cyber security measures in your company? Just approximately?
Okay, so obviously I won't share all the exact details, but if you were a board member and you asked me the question, you would be asking me, hey, how much should we be spending? And I think this is one of the tricky things where most CISOs are struggling. They get that question, and I mean, how do you do that? There are some figures on the market that have been proven to be best practice, and it depends on how secure you wanna be. How do you measure how secure you wanna be? Yeah, there are those security frameworks out there, and you measure yourself, and depending on your target maturity, you can also pinpoint how much you should be spending. Now if we talk about financial institutions, for example, obviously the military, et cetera, if you take into account the overall technology budget you have, so not only the one IT is managing but also the one where maybe the business is purchasing something on the internet, then those companies usually have above 10% share in security.
But honestly we don't aim for that level of security; that wouldn't make sense for us. After all, we are not running nuclear plants or being responsible for your account, but just selling you all some products. And so essentially you can assume that roughly in the middle of that, so five, six percent, is a target figure, and that's what we are more or less aiming for. In total numbers, that means if you assume you have a billion IT budget, well, you should be roughly at around 50 million to 60 million, something like that, a year. But that covers personnel costs, licenses for your beautiful products you're selling and everything that you need.
I think we have one more question online before our next presenter. So the question is: how mature is your cloud adoption in the manufacturing area? How do you consider network segmentation in your cloud strategy?
Oh, that's an amazing one, and people who talked to me recently know why I find the question amazing. We don't produce any articles. If we would be producing them, we would have more than a million employees, and then I would have way more problems than I would want to have. That's the funny part of the answer. The more serious part is: we are not producing it, but we are strong in logistics. And so for us, if you talk about, for example, OT environments, it's mainly about our warehouses. So where we store those products and how we distribute them globally. There we do have OT environments, and those are today, fortunately, not so much in the cloud yet. So those environments are still more traditional. I mean obviously the PLC stuff, you will always have them offline in your warehouse environment. I don't think that those will be moving.
There is, in our case, something like a warehouse management system. That's one of the few systems that's actually still running on premise, but that could also be moved to the cloud, not necessarily saying that it would benefit a lot from that. So from that regard we don't have that big challenge there. One of the topics obviously that comes up is: in those environments you will have a lot of small devices, let's call them IoT devices, and you somehow need to keep track of them, because yes, they will connect back to their cloud. And I mean, that's again a point: I think the technology is out there that you can keep your environment under control. If you plug something, or if someone plugs something into your network, you should at least be able to see it if it connects to the internet. If you can't see that today, well, you have a different challenge, and it's not only the cloud.
So I would say you need to invest in that. The second part of the question was how do you do network segmentation there and how does that come into play? I think obviously for those environments, so IoT environments especially, you need to make sure that you're segmented off from the rest of your environment, especially when you know they have vulnerabilities. I mean, we all know it. If you search for things in your environment, you will find cameras, and they are outdated. They can be easily hacked. If you go back to the manufacturer of that camera and ask them for an update, either you can't really update that thing or they've never issued an update before. So the only thing that's left for you is either kick it out or put it into a network segment where it can't reach the rest of your network.
Cool. Thank you Michael for such an interesting presentation.
Thanks so much. Feel free to reach out.