Rackspace CSO: Work Together To Overcome Cloud Security Uncertainty

After joining Rackspace last October, Chief Security Officer Brian Kelly said he sees a big opportunity for cloud providers to step up their approach to security by knitting together physical security, cyber security, risk and compliance and working together with other cloud providers to keep ahead of advanced threats.

Take a look at what he had to say.

How do you view the cloud security market today?

As I'm sure you know, cloud adoption still is relatively low. I hear there's a good number but less than 10 percent of IT budgets are going into the cloud. I think part of the reason that is, and we've seen this in a number of surveys, that one of the greatest inhibitors to cloud adoption is security. My spin on that is it's probably less security and more uncertainty... I'm a firm believer in that the security is and will continue to be better and stronger in cloud environments.

How does that affect cloud companies like Rackspace?

It puts an obligation, I think, on the cloud providers. I think it was Forrester that came out with the phrase of the "uneven handshake," and what they meant by that was the cloud providers will go so far and then there's a clear line of demarcation where you as a customer are responsible for everything else. I don't really believe that...I think, as cloud providers, we've got a responsibility to even out the handshake. I think there's a lot more that we can do to decrease the uncertainty...From a Rackspace point of view, that's where I'm taking this – really focusing on how do we even out the handshake, how do we provide more visibility and more control into customer security workloads to give them that level of comfort, to give them that level of trust. That's one big component of my direction.

What else do you have up your sleeve?

A second big component really has to do with the threat. I'm not a sky is falling guy, but we've all read enough. Just watching the news and the paper, we know this threat is a lot more sophisticated. It's not just the rag tag groups and the college kids, but it's nation states, it's organized crime. It's a different game... The first thing I said when I got to Rackspace is there's a very simple model that security people talk about: it's prevent, detect, respond and then educate or govern. You will not hear me use the word prevent because you can't prevent this. The best we can do is deter. We will make it as difficult as possible through a defense in depth strategy, but we need to be prepared that bad things are going to happen to the best of companies and let's not fool ourselves to think we can prevent it... I would spend disproportionately in detect and respond until we got to a point that I felt that we were as world class as possible.