ICYMI: Cloud Comfort
Are businesses comfortable utilizing the cloud? Find out what the panel of experts from iCorps' Cybersecurity Summit had to say in this video.
[Chris Stephenson - Moderator] The world is moving so quickly to the cloud, right? And I don't know what numbers or statistics you have on this Jeff, or on our customers versus the populace in general, but the cloud is becoming the place to do business. How is security impacted there? Things like ransomware, or if I'm thinking about going to the cloud, right? What security issues am I facing there? Let's say from a disaster recovery standpoint, or a data storage standpoint, or an email standpoint. If I begin to think about my architecture in the cloud, what am I putting myself at risk for, or what am I actually gaining strength on, or what kind of things are we thinking about in the cloud migration? Maybe start with you, Michael?
[Jeffery Lauria - iCorps] Well, that's a good one!
[Michael DePalma - Datto] Yeah, absolutely. So at this point, we at Datto, we've got our own private data centers, we've got nine around the world. We protect 450 petabytes of data. It's one of the largest private clouds in the world. So in terms of protecting our own cloud, we've got 256-bit military-grade encryption in transit and at rest. So if ransomware hits a device, goes in, and we back up that encrypted data, there's no risk of it getting up to our cloud. So that's, you know, personally what we do.
We are obviously seeing that shift to everyone moving to the cloud, and at this point, we are not backing up third-party clouds. But as an internal, you know, kind of strategy, of course, we're moving towards that. It's not something you can just jump right into, but that's something we've been looking towards because it's, you know, that's going to be the wave of the future. So for us to evolve, and we're talking about small businesses evolving, that's what Datto has to do as well. So we're going to be looking at how we can do that effectively, securely, allow folks to have access to their data, virtualize, and all of the rest.
[Ben Darsigny - Mimecast] Sure, yeah. So, being at Mimecast for a long time now, when I first started there one of our biggest hurdles was actually getting people comfortable with the cloud because we've been a cloud-based organization, cloud-based infrastructure since day one. And seven years ago, people were not okay with that in a lot of places, especially given the industry. Microsoft has made that conversation a lot easier because so many people have adopted Office 365, and it's not really a hurdle for us anymore.
But it does come with a new set of risk factors because you don't own the infrastructure anymore. There's a lot of great reasons to not have it anymore. It makes it a lot easier. It can be a lot more cost-effective. But you no longer can go to a data center or server room and get your hands on the issue if you are hit with ransomware, or if there is some sort of corruption or an outage or whatever it is. So that requires an added layer of oversight and something else that you can rely on in that situation, whether it's added security to make sure to the best of your ability you're not hit with ransomware, or a high availability solution if your mail infrastructure gets hit with ransomware. For instance, can you still send and receive mail so that your business doesn't stop completely? Or do you have a way to restore to a known "good point" so that you can get back to where you were before that happened? So, those kinds of added pieces that come along with not owning the infrastructure have to be taken into account and part of that risk mitigation profile that you're creating.
[Chris Stephenson - Moderator] Alan, just real quick on that. Can you pick up on that? And I want to start by saying, this is your opportunity to get me on the endpoint protection because a lot of people think of Sophos, they think of endpoint protection. This is your opportunity to talk about how you guys handle the cloud.
[Alan Toews - Sophos] Yeah, absolutely. So really what I was thinking about in this question was, as people are moving to the cloud, what we are seeing particularly is if you look at IaaS, for instance, a lot of companies are moving portions of their data center or their entire data center over time into IaaS. But they are not always thinking about the consistency of their security policies across their perimeter. They'll still have something on-premises, they'll have something in the cloud, but they may end up with disparate tools to manage both. They end up with inconsistent policies, and when they go to make a change they often forget about one or the other, usually the cloud. And so if you—what you want to do, whatever your strategy is, make sure you're looking at primary tools in the cloud, and on-premise as much as possible. This doesn't apply to SaaS in the same way. You want to make sure that you have something where you can manage all of those policies from a single point. Where you have visibility and consistency, and you don't have gaps, and missteps that are forgotten just from excessive complexity.
The whole point is to—the point of the cloud is to simplify your life, or one of the points is. Don't make it also complicate your infrastructure policy life in the process. So if that means setting up the same policy products in the cloud to manage those virtual networks as you have on-premise to manage your physical networks, then make sure that that's the step you're taking to do it.
[Chris Stephenson - Moderator] Great, and I see Laura fidgeting at the end, and I'm sure she'd like to mention OneDrive or how that is impacted in all of this. I mean, do you have something—your two cents to add in?
[Laura MacDonald - Microsoft] Anything, anything. Alright, yeah. So let's—so thank you for distinguishing SaaS versus IaaS, because IaaS absolutely there's still network controls that need to be in place. But when you talk about SaaS, you need to stop thinking network. It's gone. Sorry, you can't hug the firewall, you can't kiss your server. It turns it on its head with what is the one common denominator when I talk about any of this data being accessed - whether it be through OneDrive, Box, Office 365, I don't care. It's an identity. So I've got to start looking at how am I going to look at my security posture through the lens of an identity, and make my risk decisions from that standpoint. And I mentioned one way of doing that earlier was kind of through conditional access, and looking at what's going on with this user before I grant them access to whatever it is I'm granting them access.
[Chris Stephenson - Moderator] Great, ok.