Multicloud and Cybersecurity Policy: A Q&A with Bikash Koley, CTO of Juniper Networks
If cloud computing is challenging for lawmakers and policymakers to understand, then how about multicloud? As another variation of the most disruptive IT innovation during the last 20 years, multicloud enables organizations to take advantage of multiple cloud providers under a single managed architecture. This evolving technology introduces many questions about security, liability, and policy that Bikash Koley, CTO of Juniper Networks, wants to address and discuss with CISOs and Washington policymakers at the upcoming 2nd Annual NTSC National CISO Policy Conference.
In this preview to his July 17 keynote, Koley talks about what policymakers need to know about multicloud, the issues around using multiple third-party cloud providers, and how regional laws and policies might affect the evolution of multicloud technology.
Why is the topic of multicloud important from a policy perspective?
A multicloud policy has not been fully vetted by the cybersecurity industry at this point. If you look at how enterprises have used IT during the last 15 to 20 years, the overall technology has mostly seen incremental improvements. CIOs and CISOs built their careers around a specific IT paradigm. The move to cloud has been the most disruptive change to IT in the last two decades. And like any disruptive technology change, policy always lags behind the innovation.
Organizations used to make clear boundaries within a well-defined infrastructure such as a data center with clear policies, security providers, a campus, and access for remote users. The infrastructure clearly allowed organizations to define what users could do and what they could stop users from doing.
Today, those well-known boundaries don’t work. Users access the cloud from anywhere and geographical locations blur where data is stored and accessed. When you start thinking about data security and privacy, you realize multicloud requires a radical rethinking of policy. In the past, policies were written around well-defined infrastructure. But traditional policies don’t apply anymore to these new infrastructures. This shift is as radical to IT—and IT policy—as the self-driving car is to the auto industry.
Lawmakers can often struggle to understand new technologies and their implications. What’s the most important thing you feel they need to know about multicloud?
Usually when people think about cloud today, they may think of it as running their infrastructure from one public cloud provider. But that’s not the future. Whether we like it or not, an infrastructure has to be comprised of the public cloud and private cloud (and possibly more than one public cloud). What is used will depend on economics and physics. For example, if there is a need for direct access to user data or a need to keep data confined within a certain geographical location, then a private cloud is needed. If the goal is to keep costs down, have reachability across the world, or improve ease of use, then that infrastructure will rely on a public cloud.
Multicloud simply involves using multiple cloud providers to create the best and most seamless infrastructure for applications and users. That’s a big difference compared to legacy IT infrastructure that’s primarily on-premise—and it’s even different from single cloud implementations with one public cloud operator providing the solution.
What is your perspective on liability issues related to multicloud (such as after a data breach occurs)?
This is one of the biggest challenges that needs to be solved with multicloud. Organizations cannot operate multicloud as a collection of independent clouds because users and applications are distributed across multiple clouds. When a breach happens, it’s not viable to only have visibility into one piece of the infrastructure. Otherwise, it’s impossible to know why or how a breach happened.
For multicloud to work, an organization must have seamless, continuous, and comprehensive visibility and security, regardless of whether applications are running on public cloud A, public cloud B, or a private cloud. Common policy must span private and multiple public clouds. If policies are crafted independently for each cloud instance, then there is a risk because the same policy is not being applied across the board.
It’s difficult to mitigate risk for independent instances of cloud. End-to-end security and visibility is absolutely key for CIOs or CISOs to deal with any liabilities to which they might be exposed as they’re taking advantage of this new infrastructure. A breach may originate from a public cloud, but how do you know if you don’t have end-to-end visibility?
What’s one important way that the evolution of multicloud could be positively or negatively impacted by laws, regulations, and/or national policies?
Disruptive technologies are often followed by policies. Multicloud is no different, and policy is trying to catch up. With any new technology, it’s important to understand the powerful capabilities it brings, along with the risks and vulnerabilities it creates. As laws and policies are crafted, lawmakers and policymakers must understand multicloud enough for the policy language to make contextual sense. These policies need to allow enterprises to continue to leverage the significant power of multicloud while also ensuring that the risks are mitigated.
The cloud can’t be viewed as a single entity any longer—because it’s not. Cloud is no longer one organization, provider, or even an appliance. It’s a fluid infrastructure. If lawmakers and policymakers understand what multicloud enables enterprises to do, then that knowledge will help policymakers craft sensible policies.
What impact do you hope to make by speaking at the NTSC National CISO Policy Conference?
There remains some degree of confusion around public cloud, private cloud, hybrid cloud, and multicloud. When looking at this fundamental technology shift, we need to understand the fundamental principles of multicloud and why it’s powerful.
There are four pillars for a powerful infrastructure: fungibility, reliability, security, and ubiquity. These pillars apply to any infrastructure we use daily, such as electricity or water. We absolutely want these pillars to uphold multicloud technology as it becomes a critical infrastructure that changes how we do business, how we interact with people, and how we interact with applications.
To hear Mr. Koley and other great speakers, join us for our 2nd Annual NTSC National CISO Policy Conference in Washington, D.C. from July 17-18, 2018. Register today.