Okta CSO: Cloud is a security strength, not a weakness

Okta chief security officer, David Baker

Cyber security may not be rocket science, but Cloud-based identity management company, Okta, is fortunate in this respect. Chief security officer, David Baker, was previously a research scientist at NASA. He sat down with ARN to discuss how Cloud could be the ultimate security tool and his transition from NASA engineer to security expert.

“At NASA, I was doing computational fluid dynamics. We used Cray supercomputers to calculate the flow of gases escaping from the nozzle of a rocket launcher or supersonic vehicle,” he explained.

So why did he move away from aerospace and into systems engineering?

Baker said that the budgetary considerations for NASA had changed considerably since the height of the space race, and this meant less jobs for engineers at the organisation.

“Back in the 1960’s, NASA’s budget was 4 per cent of US gross domestic product (GDP). It is now down to about 0.5 per cent. There is not a lot of opportunity any more for NASA engineers.”

A bay area native, he was finding it hard to make ends meet and realised it was not viable to continue in the profession he had dedicated his career to.

“It was really expensive back then, of course it is catastrophically expensive right now, you couldn't buy a house or even a car on rocket scientist wages.”

Baker moved into the private sector during the mid 1990’s when the first tech bubble was taking off.

“A lot of the people that I worked with back then naturally evolved into tech via application programming for different high tech companies. If I look back at all my colleagues from that time, at least 75 per cent of them have become wildly successful with the startups that they joined following their time at NASA."

The evolution of IT

Baker believes the security posture of the industry has changed considerably since he started, the current shift is all about Cloud and the permanent move to infrastructure-as-a-service and platform-as-a-service. This places much more emphasis on the CIO as an agent for change within an organisation.

“Where we are going is changing the way data is handled, and this is when the CIO becomes the business enabler, helping the bottom line of the company. They are transforming the way IT is being done,” he said.

A good example of this shift is Adobe, a vendor that had traditionally sold software licences and had to adapt to the changing market and move to a subscription based model.

“They didn't have to worry about how they were going to authenticate, they didn't have to worry about the complexities of registration, changing passwords, resetting passwords, they didn't have to worry about how APIs were going to touch into those applications, if the user is registered and so on."

How secure is the Cloud, really?

Still one of the overarching concerns when it comes to Cloud is security. Baker said there are a lot of misconceptions in the industry regarding Cloud versus on premises.

“If you look at the largest and most devastating breaches in the past two years, these are all companies that have been focussing on having data within the four walls of the organisation,” he said.

"With the Cloud, you can actually get better security. As a Cloud service, we are inherently a security service. The deal is, you give us some of your data, we give you the service.

“Without your data, we can’t do what we do. So it is critical that we take that data and protect it with the utmost means necessary.

“As you move into the Cloud, the things you need to think about are how you are protecting your devices. The perimeter of your company is going to reside at the user, specifically their identity.

“People have their own mobile phones, their own tablets for getting access to the business applications that they need, they now become the stewards of security, the device itself is ubiquitous.

“It is really about that identity being mapped to the data and that is a big paradigm shift.

You do it in such a way that you assume the device is untrustworthy. It then becomes a very different conversation. We are talking about securing a user’s identity into their specific application so they can have access to that data.

The perimeter of the network is now the user

Baker said the concept of identity is key to security when companies move to the Cloud.

“The security implications are that you need to ensure authentication is very strong, we need to make sure the device itself is secure. However, that’s a little bit of a misnomer because, if you think about Android security for example and the way applications are being attacked by malware, from a security standpoint, you have to assume the device is untrustworthy.

“You have to think about the identity and the data that it is getting access to. From a security perspective, you need to make sure that the device you are using, the administrator knows about first. We also need to make sure that the password for your identity is strong. We can do this by making sure you are using a thumb print, or making sure you are using something that was provided such as a token.

Looking at what endpoints are accessing what, and whether their identities have been cleared, is a key way of protecting a Cloud environment. The network administrator can then respond accordingly.

“When you get down into the nuts and bolts of it, that’s when you are able to encrypt the application, obfuscate it and figure out what users are trying to attack that application," he said.

“So now, you are able to untrust a device and see if that device is being used for nefarious purposes to access data or attack the application. That is a paradigm of understanding the identity and the data is important, the application and the device are merely avenues."