I was very recently in a friendly meeting in Washington DC with a Federal agency, and we were casually discussing how to stop cyber attacks aimed at their Internet gateway. Since the attendees were all non-technical, a barrage of cringe-worthy analogies was flying around the room so fast that you basically had to duck every two seconds. Here are some of the more painful samples that I’ve been unable to flush from my brain:
“We need a stronger lock on our screen door.”
“We need to hide our keys under the mat.”
“We need to ask the neighbors to keep an eye on our driveway.”
As if this wasn’t bad enough, the discussion soon gravitated to cloud, and things really went downhill from there. I made the huge mistake of trying to introduce the concept of using micro-segmented virtualization of cloud workloads via dynamic, on-demand provisioning through APIs. After I made this pronouncement, the entire room grew silent and I waited for everyone’s brain to explode – and a couple, I think, did.
Things re-grouped a bit, and while we all got coffee, the leader of the meeting, a young lady who was both reasonable and helpful, asked that I please revert back to standard English and help them understand how cloud services can be protected. They all understood the cloud, because after all, this was where they parked their vacation photos off their iPhones. So could I please cut out the jargon and be helpful?
I took a deep breath and remembered that I’d just sat down with my good friend Sanjay Beri, CEO of Netskope. As part of my 2017 TAG Cyber Security Annual, which was released today for public download, I’d been talking to his team about cloud access security brokers or CASBs, as the term has been frequently used. The idea of a CASB, as the Netskope team expertly explains, is to create a comprehensive, virtual means for extending security and compliance services into cloud, thus providing what appears to be a physical perimeter, even if you have a collection of publicly hosted applications.
So I figured I’d steal from what I’d learned from the Netskope folks, and I took a shot and started to talk about CASBs. I even drew a picture for these agency staffers on the whiteboard. And amazingly, everyone just seemed to get it. I could tell from their faces and their much more intelligent questions. (“So the CASB sits between the user and application and makes sure everything’s OK?”) This was a great improvement, and I’ll tell you – it’s been my experience that when an idea is correct, you can usually abstract it to the point where anyone can understand what you are talking about. (Remember explaining firewalls? Everyone got the idea on Day One.)
The bottom line here is that the concept of virtualizing perimeter and related security protections into a collection of functionality that resides in the network – also known as cloud, or even software-defined network (SDN) infrastructure – is not only an excellent architectural solution to a tough problem, but it might also help keep some C-Suite brains from exploding all over the place. And in those fancy conference rooms in Washington, this sort of cloud security solution – which the Netskope team will be happy to help you understand – can help you to preserve those expensive paintings on the walls from exploding . . . well, you know what.