Justin Somaini said that, in his role as SAP chief security officer, at the top of his agenda was to "drive an advanced security model that adapts to the various technologies that we have, that ultimately secures our customers -- whether it's on premise or cloud." To get there, Somaini said that when asking cloud providers questions about their security standards, businesses shouldn't shy away from having a discussion about an exit strategy if things don't work out.
During a recent conversation, the SAP chief security officer highlighted other key questions that should come up during such discussions with cloud providers, which he said should also include talks about how the provider will secure the supply chain. In this Q&A, he also discusses how the security industry is undergoing a significant transformation that is being driven by agile development and digital transformation.
Editor's note: The following interview has been edited for clarity and length.
What are some of the security-related questions that companies should be asking their cloud providers?
Justin Somaini: The first one is really about the supply chain -- what is the supply chain; do you use third-party vendors; how do you assess them and what are the industry standards assessment models? Is it NIST, or [International Organization for Standardization] or others?
Second, I believe in transparency and asking that cloud provider, 'Hey, we want, for our comfort, to understand your security model and how you drive it -- beyond the standards. What is the architecture? How do you process data?' I believe cloud providers are an extension of their customers and need to act accordingly. Being very transparent and very open about security is critically important to me, and that's why that would be the second question.
Third, which is a little bit tactical, is not the enrollment into the service, but what if the business makes a decision they want to move out? How do they move out? How difficult is it to get your data back and to migrate it to another service?
Can the DevSecOps approach be used to secure the cloud?
Somaini: This is probably a new conversation for the security industry. You need to make sure that the development teams are incredibly security-aware, are empowered and enabled. More importantly, and more realistically, make sure that security individuals are embedded and maybe even report into the development teams themselves.
What goes beyond that is that the security individual is actually coding solutions or fixing vulnerabilities; they are operationally part of the development team, which gives the security function incredible agility, incredible flexibility in being able to resolve problems immediately and not using a six-month roadmap of a plan, for instance.
What are some of the security trends that you are seeing?
Somaini: First and foremost, we're going through a major transformation in the security industry that has been driven by agile development and digital transformation as a whole. What's really happening right now is that security teams are transforming from what I call governance and advisory, and governance and standards, and into governance and product delivery.
You're seeing security teams have more developers than ever before, creating cryptographic, log analytics and these types of functions so that the rest of the business can consume them and own them. This is to drive agility. This is to drive a higher level of security, to drive scalability across the enterprise, and that's a significant organizational service as well as skill set change in our teams.
Beyond that, I think security has always been attached to the underlying technical use or technical waves that we see -- containerization being the latest one.
In this SearchSecurity feature, read what the SAP chief security officer has to say about using blockchain for security.