Apr 30, 2021
6 Minutes
Jonathan Jaffe, CISO at Lemonade and Andras Cser, vice president and principal analyst at Forrester, discuss the demands of large-scale, multi-cloud deployments and cloud security complexity
Just a few years ago, the cloud was viewed by many as an experiment. Today, organizations have moved beyond trials and proof-of-concept. Enterprises are no longer pondering if or when to move to the cloud, but how’? The cloud is now central to most enterprises’ IT strategy.
The cloud promised and delivered many things: ubiquity, availability, reliability, and scalability. It has also provided simplicity while making compute, network, and storage resources available in minutes with just a few keystrokes.
Migration to the cloud has also brought a degree of unanticipated intricacies, especially when it comes to cloud security complexity. But what does such complexity infer? Does it require a fresh approach?
The answer is yes, according to Andras Cser, vice president and principal analyst at Forrester, and Jonathan Jaffe, CISO at Lemonade. They both recently addressed cloud security complexity and how organizations are evolving to meet the demands of large-scale, multi-cloud deployments. You can watch the entire webinar on-demand and read the highlights below.
Cser thinks it’s a tumultuous time right now in the cloud. One of the biggest challenges he sees is transition. “Five or ten years ago the conversations were, ‘Should we, or should we not move to the cloud? Should we stay on the sidelines and watch what’s going on, or should we jump in?’ Today it’s not a matter of ‘should we,’ but rather ‘How?’”
He says the cloud pulls CISOs in different directions and forces them to think about many aspects, including:
Cser emphasizes the balancing act CISOs need to achieve to increase cloud security while reducing cloud security complexity. “There has been a 100% increase in the number and complexity of all security controls that infrastructure-as-a-service platforms such as AWS, Azure, GCP, IBM, and others provide.” But the onus still falls on their customer organizations to secure their own workloads because of shared security models.
Cloud security veteran Jonathan Jaffe is chief information security officer at Lemonade, a company providing renter, homeowner, pet, and life insurance in the US and Europe. Lemonade, an insurance innovator, was born in the cloud. Jaffe cites this as a competitive advantage that helped create efficiencies to serve a large customer base and pass those efficiencies on in the form of competitive rates.
“In a cloud environment, there is always complexity. By its nature, it’s hard to secure, especially when things are multiplying and changing,” says Jaffe. “Executing 100 different deployments a day is a lot of movement in a live system, and it can be tough to secure.”
Lemonade initially tried an agent-based solution. “I was convinced that agents were good. If you install them comprehensively, you’re going to get really high fidelity. So we elected to go with Lacework.” Having run it for about a year, he and his team ran into problems: too many alerts, too many false positives, and too much time chasing down issues that were not priorities. And he had assumed Lemonade had full coverage with its Lacework deployment.
When Orca debuted its SideScanning technology, Jaffe agreed to a proof of concept.
At first skeptical of Orca’s results, Jaffe says, “I spent a couple of days with DevOps. It found that the staging developers were bringing systems up and down and weren’t using the manifest that DevOps created. What Orca had reported was true, making me realize the value it brings.”
Modern cloud architecture dictates that block storage be separate from the live runtime environment, and Orca Security takes full advantage of this.
Rather than integrate with individual workloads, SideScanning reads all workloads at once directly from shared storage. The result provides immediate visibility into all cloud assets without any performance impact.
How it works:
Orca Security’s revolutionary approach to cloud security – versus yesterday’s on-premise security tools cobbled together to address cloud migrations – is a real game-changer.
Forrester and Lemonade agree the scale of cloud deployments, plus the changing nature of the cloud, makes securing it a Herculean task. Jaffe summarized it best by saying, “Lemonade is an interesting company in terms of technology and scale. The problem with that is the resulting complexity; this is what ultimately brought us to Orca. It proved its worth in just a few minutes.”
A new breed of cloud security has arrived.