Cloud Security Architecture
Andrew Wilder
I help businesses, boards and startups understand and address Cybersecurity Risk | CCISO Top 50 Hall of Fame | Top Global CISO | Top 15 Identity Pro | Qualified Technology Expert | LinkedIn Top Information Security Voice
This is an interview with Andrew Wilder and Robert Fischer.
What has been your experience with Cloud Security Architecture?
Andrew: In 2019, my peers in IT leadership started to come to me and say that we would soon need Cloud Security Architecture experience as we would be moving systems to Azure. As we did not have experience in the team, I decided to hire an external resource who was already familiar with Cloud Security Architecture. When Bob started, I gave him two objectives. First, to drive change in the IT Teams to embed Cloud Security Architecture and Second, to train and develop other Cloud Security Architects along the way.
Bob: It's my current role and I do so on multiple levels. But the one that is the most significant right now is designing our next Generation Platform. It's a cloud company and we offer Software As A Service and moving away from an IaaS-based solution.
Andrew: So basically, what everyone did four to five years ago, took all of their servers and just lift and shifted to the cloud…
Bob: Exactly. Now we are looking at the next generation of serverless technologies for several reasons, but one of the things that it allows for is more agility. My role has been to guide the security aspect of the project.
Andrew: Wow! That sounds like quite a lift.
How would you say you first got started in cloud security architecture and when?
Bob: It would be as far back as 2016 helping the Texas Department of Transportation. They were moving to Microsoft Azure Government Cloud, which at the time had only been around for a month.
Andrew: So, right from the beginning?
Bob: Right. I did a lot of growth with their teams and made a lot of architectural decisions for them. And I am still growing in my Cybersecurity journey. At the time, I had just started my graduate program for Cyber, so I learned a lot through that as well. I was able to implement in real-time the things we were learning about theoretically in the program.
The most meaningful project was around 2017 when I was working for Lufthansa. That had a very high security project that I was asked to put out the architecture for. It was supposed to be a six-week process and ended up being a year. It was very rewarding. And we were successful in design because it was ultra secure. We needed to secure billions of dollars in confidential information.
Then I moved on to Security Architecture at Nestle.
Andrew: Which is where we met!
Bob: That's right. When I started at Nestle, you gave me those two objectives which we talked about earlier. What I really started doing was playing the role of CIA.
Andrew: You mean, Confidentiality, Integrity, and Availability, right? Not the Government entity…
Bob: Yes. It's one of the things that I picked up from my graduate education that really stuck with me, that Security is really about risk and either accepting, mitigating, or deferring it. And the conversations at Nestle were at an enterprise level that required security to be a partner rather than just a blocker.
Andrew: Good point. We were a strategic partner to the business, allowing them to operate as they needed, but helping them do it in a secure way. And giving them an understanding of the risks and how to address them.
Bob: And that was a very valuable experience. Right now, I work on every aspect of architecture, and the line gets blurred between infrastructure and coding. I had to come up to speed on Kubernetes and container technology and have worked very hard in the space to get the vendor up to speed on what is needed.
Andrew: Well, we've certainly seen our share of vendors who weren't well prepared for their Cloud Security products.
Bob: For sure. It's been interesting from a business perspective because we had looked at two different products and of course were looking for agentless because we have a lot of assets in the cloud and deploying agents can be a challenge. And once again, I'm working with a vendor to improve their product by finding data errors and identifying shortcomings of the product which has cost a lot of resources. However, there is an upside in the sense that the company that owns the product owns 20 other products, and we now get a significant discount on those.
Andrew: Plus the fact, that now all the other consumers of that product will have one that works!
Bob: The reason I bring that up is that it really shows the sphere in which Cloud Security operates. On the one hand, you've got to be doing security. And on the other hand, there are tradeoffs.
Andrew: And getting the business to understand the security risks and the tradeoffs can be the big challenge.
Bob: If you have an organization with islands of tribal knowledge, you really have to link together the organization which is more than a technical challenge.
Andrew: Yes, it's an organizational and change management effort even more than a technical challenge!
What is the problem that the two of you were trying to solve when you first started working together?
Andrew: As we've discussed before, we needed to define the Cloud Security Architecture, both culturally and technically, and we needed to ensure we had the resources to carry it out.
Bob: Right, it was organizational change management and defining the standards. Developing a trusting relationship with the infrastructure team was key because in many cases, I had to go against what they were proposing.
Andrew: That's true. We are both working towards the same goal, but as Cybersecurity we are trying to show them the right way to do it. Sometimes that conflicts with the fast way or the easy way.
Bob: We see this over and over in the industry. We see it everywhere. And that's the real challenge.
Andrew: It's the mindset shift, right?
Bob: People are not thinking about the technology differently. They want to lift and shift. They don't want to re-architecture. But that's how you take advantage of next generation technology. And that's why the transition now to containers is huge. We are not even talking about virtual machines anymore.
Andrew: I remember one of the things we did, in the beginning, to try to upskill the teams is that we accepted training offered by Microsoft, Amazon, and Google for Cloud Security Architecture. What did you think of that?
Bob: It was not memorable.
Andrew: That's a fair statement. But after we got to a certain level of maturity, despite the unmemorable training, how many people do you think we trained along the way using the Learning by Doing methodology? To sort of continue in your footsteps and be able to secure the cloud.
Bob: I was sharing advice with people whether they wanted it or not. But I would say at least ten people.
Andrew: Which was part of your initial goals that we agreed to! And I seem to recall that we were recognized on more than one occasion for those efforts.
Bob: That's right. In 2019 we were awarded the CIO Award for Virtual Team Collaboration for Cloud Security Architecture. And in subsequent years we received honorable mention in those same awards for our continued contribution to the Journey to Cloud and our work with microservices.
Andrew: Bob, it was great as always to catch up with you and talk about our work together in Cloud Security Architecture. Congratulations again on all of your scholastic and professional achievements.
Bob: Thanks Andrew, you too.
Senior Enterprise Security Architect - EX-AWS | CISSP|CISM|PMP|MBA||AZURE
1 year
Nice to read. It was a good time and really learning period