Digital Transformation Needs Security Transformation, TooCISO Scott Howitt of MGM Resorts Describes Adoption of New DevOps Methods
With 27 resorts, 400 bars and restaurants and some 78,000 employees, MGM Resorts International is pursuing an aggressive cloud and digital transformation strategy that complements the company's expansion ambitions.
For Scott Howitt, senior vice president and CISO, MGM's digital transformation plans need an equally aggressive approach to security. This includes the company's embrace of DevOps methodologies for creating new apps and services to meet guest expectations.
"We wanted to do it for innovation velocity," Howitt told a gathering at the Cloud Security Alliance Monday during the first day of the RSA Conference 2019 in San Francisco.
"And then, as we acquire or build new properties, we wanted the innovation to go a lot faster. So, anything we pushed out to the cloud was automatically ready for the new properties, and we didn't have to do a lot of infrastructure standup. When you move your first SaaS applications out to the cloud, the thought process is: 'I don't have to worry about security. That's their problem.' And then you quickly realize you are responsible."
Those initial apps were locked down, but as MGM ramped up its DevOps plans, Howitt needed to come up with new ideas to secure the infrastructure, which eventually led to using more security automation. "It's thinking about security as part of your cloud platform. ... 'How do I move from an on premises device to the cloud, and how does that security follow?'"
An Emerging Target
But the speed of innovation and making APIs and other services easy to use for employees means that data uploaded to the cloud becomes a target for cyberattacks. Rajiv Gupta, senior vice president for McAfee's cloud security business unit, notes that a recent study by his company found 12 percent of sensitive data in the cloud is accessible to anyone who has a link to the file.
Gupta says that in most cases, employees are not maliciously trying to expose the data, but simply attempting to share it with colleagues as part of the collaboration process. Inadvertently, these are public links.
Issues such as these are pushing Howitt and his team at MGM to move past passwords to two-factor authentication. But the security team is working to make these methods easy to use for employees and reinforce their uses through training and reminders.
These types of cloud security issues are also seen by other enterprises looking to digitally transform their businesses through services such as IaaS, PaaS and SaaS.
Andy Kirkland, the deputy CISO of coffee giant Starbucks, tells Information Security Media Group that shadow IT remains a major concern. "Anyone with a corporate card can come in and download a cloud service," he says.
As enterprises increasingly rely on the cloud, Kirkland notes, an upcoming security challenge will be the use of multicloud environments, where data will have to synchronize across platforms created by different cloud providers.
One way to overcome some of the issues, Kirkland says, is better training for employees.