Ask the Experts: Creating a Security and Compliance Strategy

Welcome to Ask the Experts, brought to you by CloudServicesUniversity.com. In this video, Intelisys’ SVP Cloud Transformation Andrew Pryfogle discusses key details to keep in mind when creating a security and compliance strategy for your customers with CenturyLink’s former Product Manager, Jared Ruckle. Find out more about compliance and security from the CenturyLink team here: https://cloudservicesuniversity.com/supplier-directory/centurylink/

Andrew: Okay. Let’s plow ahead with another Ask the Experts session. We’ve been talking a lot about compliance, and the requirements around compliance, and why that’s becoming such a huge pain point for many enterprise customers. We’ve invited the studios here today Jared Ruckle, who is the Product Manager for CenturyLink. Jared, welcome back, man.
Jared: Thanks. Great to be here with you, Andrew.
Andrew: Good deal. I want to talk to you about compliance. It’s a hot topic right now. It seems like it’s an enormous burden on a lot of IT leaders to try to figure out how to make their network and systems, their applications, their data compliant. Whether it be PCI or HIPAA, or others. I want to get your take on that. If you had to boil it down, what are the top two or three, four, things that customers must do when considering compliance and their network and security strategy? Talk about it.
Jared: I think that there’s a couple different things that immediately jump to mind. You really have to think about the security and compliance thing first. If you try and layer on compliance or layer on security provisions after the fact, you’re fighting an uphill battle. Think about how you’re securing data at the API layer, at the network layer, around the perimeter. What type of security and compliance you can get in the control plane of your systems that you’re using. Think about what the compliance architecture looks like up front. Don’t try and just tack on a couple things here and there.
I’d also say have a very open mind about where your data is going to live. A lot of times people will say, “Oh, we’ve got compliance needs and we’re very highly regulated, so I can’t use the public cloud, for example. We’ve got to be able to go on premises.” That was probably true, or at least partially true, five or six years ago. But public cloud providers out there have really advanced their offerings dramatically over time. And if you need that sort of self-service agility of public cloud, there’s a very good chance you can meet a lot of compliance requirements based on some of the add-on virtual appliances and other isolation options offered by cloud vendors today. Absolutely have an open mind about where you can go, and what you actually need that compliant environment and application to do.
Andrew: Got it. Love it. There’s two I heard there: The first is start the conversation early. Have the compliance conversation at the foundational design level of a cloud solution. Is that a fair restatement?
Jared: Yeah, I think so. And I think you also have to look at this from the security point of view. Another thing that I would suggest that you have to do in compliance and security is assume you will be hacked. There are two types of companies out there that I like to say: those that have been hacked, and those that will be. Once you accept this reality, you’re able to get more comfortable about designing things from the ground up, with security being front and center. And what you do and how you can secure data with APIs, and really lock it down at the service level.
Andrew: That is true and a little depressing. Thank you, Jared.
Jared: Sure thing.
Andrew: But absolutely. The foundational planning very early on. Let’s work the compliance piece into the design from the very get-go. The open mind, I think that’s really smart. I would even argue that moving to a public or perhaps even a hybrid cloud solution could be far more secure than what you could ever create at your own prem. When it comes to compliance, it’s perhaps even easier to achieve that leaning on the engineering resources of companies like a CenturyLink.
Jared: Absolutely. The reality is we have a lot of engineers on staff that do this for our platform across all customers. So it’s really, in essence, a shared feature and a shared attribute of the platform. Customers of these cloud services get a lot of this built-in as part of just having VMs or even bare metal servers inside of the platform.
Then with these add-on things, like we talked a little bit earlier, all these capabilities advancing. It’s really easy to add in encryption where you need it. It’s really easy to build in virtual appliances and some of these really advanced firewalls. A lot of those network topologies that IT loved on their on-prem data center, to really meet those security and compliance needs, can be done in the public cloud just with virtual appliances as opposed to dedicated things. That’s why it’s really important to stay on top of what’s happening.
I think when it comes to compliance and security, it’s all about the data. Think about the data that you’re trying to access and lock down, and secure, and have controlled access to. If you need that data to go into, say, new systems for a mobile application, you have to think creatively about how you want to surface that data with APIs. And even looking at platform services like Cloud Foundry that can give you a lot of security for free at the API layer. It’s also about how you want that data to be moved and manipulated around–that’s an important consideration.
Andrew: Very cool. Really, really important stuff to think about because, like you said, if you haven’t been hacked, you’re about to be.
Jared: Right.
Andrew: All right. Very cool. Hey, Jared, thanks for jumping in, man. Really, really good stuff. Great insights. Thank you.
Jared: Enjoyed it. Cheers.
Andrew: Guys, that’s Jared Ruckle. He’s the Product Manager for CenturyLink, one of our go-to smart guys for all things cloud. Do check out the learning center for CenturyLink. They’ve got lots of great information there. They’ve got a really, really robust public and hybrid cloud solution that can help you close big deals. Check it out. We’re big fans. You should be, too. Good selling.