[BreachExchange] Digital Transformation Needs Security Transformation, Too

Destry Winant destry at riskbasedsecurity.com
Wed Mar 6 10:25:36 EST 2019


With 27 resorts, 400 bars and restaurants and some 78,000 employees,
MGM Resorts International is pursuing an aggressive cloud and digital
transformation strategy that complements the company's expansion

For Scott Howitt, senior vice president and CISO, MGM's digital
transformation plans need an equally aggressive approach to security.
This includes the company's embrace of DevOps methodologies for
creating new apps and services to meet guest expectations.

"We wanted to do it for innovation velocity," Howitt told a gathering
at the Cloud Security Alliance Monday during the first day of the RSA
Conference 2019 in San Francisco.

"And then, as we acquire or build new properties, we wanted the
innovation to go a lot faster. So, anything we pushed out to the cloud
was automatically ready for the new properties, and we didn't have to
do a lot of infrastructure standup. When you move your first SaaS
applications out to the cloud, the thought process is: 'I don't have
to worry about security. That's their problem.' And then you quickly
realize you are responsible."

Those initial apps were locked down, but as MGM ramped up its DevOps
plans, Howitt needed to come up with new ideas to secure the
infrastructure, which eventually led to using more security
automation. "It's thinking about security as part of your cloud
platform. ... 'How do I move from an on premises device to the cloud,
and how does that security follow?'"

An Emerging Target

But the speed of innovation and making APIs and other services easy to
use for employees means that data uploaded to the cloud becomes a
target for cyberattacks. Rajiv Gupta, senior vice president for
McAfee's cloud security business unit, notes that a recent study by
his company found 12 percent of sensitive data in the cloud is
accessible to anyone who has a link to the file.

Gupta says that in most cases, employees are not maliciously trying to
expose the data, but simply attempting to share it with colleagues as
part of the collaboration process. Inadvertently, these are public

Issues such as these are pushing Howitt and his team at MGM to move
past passwords to two-factor authentication. But the security team is
working to make these methods easy to use for employees and reinforce
their use through training and reminders.

These types of cloud security issues are also seen by other
enterprises looking to digitally transform their businesses through
services such as IaaS, PaaS and SaaS.

Shadow IT

Andy Kirkland, the deputy CISO of coffee giant Starbucks, tells
Information Security Media Group that shadow IT remains a major
concern. "Anyone with a corporate card can come in and download a
cloud service," he says.

As enterprises increasingly rely on the cloud, Kirkland notes, an
upcoming security challenge will be the use of multicloud
environments, where data will have to synchronize across platforms
created by different cloud providers.

One way to overcome some of the issues, Kirkland says, is better
training for employees.
