Cloud Security , DevSecOps , Next-Generation Technologies & Secure Development

Digital Transformation Needs Security Transformation, Too

CISO Scott Howitt of MGM Resorts Describes Adoption of New DevOps Methods
Digital Transformation Needs Security Transformation, Too

With 27 resorts, 400 bars and restaurants and some 78,000 employees, MGM Resorts International is pursuing an aggressive cloud and digital transformation strategy that complements the company's expansion ambitions.

See Also: Enhancing Cyber Defense with AI-Powered SOCs

For Scott Howitt, senior vice president and CISO, MGM's digital transformation plans need an equally aggressive approach to security. This includes the company's embrace of DevOps methodologies for creating new apps and services to meet guest expectations.

"We wanted to do it for innovation velocity," Howitt told a gathering at the Cloud Security Alliance Monday during the first day of the RSA Conference 2019 in San Francisco.

"And then, as we acquire or build new properties, we wanted the innovation to go a lot faster. So, anything we pushed out to the cloud was automatically ready for the new properties, and we didn't have to do a lot of infrastructure standup. When you move your first SaaS applications out to the cloud, the thought process is: 'I don't have to worry about security. That's their problem.' And then you quickly realize you are responsible."

Those initial apps were locked down, but as MGM ramped up its DevOps plans, Howitt needed to come up with new ideas to secure the infrastructure, which eventually led to using more security automation. "It's thinking about security as part of your cloud platform. ... 'How do I move from an on premises device to the cloud, and how does that security follow?'"

An Emerging Target

But the speed of innovation and making APIs and other services easy to use for employees means that data uploaded to the cloud becomes a target for cyberattacks. Rajiv Gupta, senior vice president for McAfee's cloud security business unit, notes that a recent study by his company found 12 percent of sensitive data in the cloud is accessible to anyone who has a link to the file.

Gupta says that in most cases, employees are not maliciously trying to expose the data, but simply attempting to share it with colleagues as part of the collaboration process. Inadvertently, these are public links.

Issues such as these are pushing Howitt and his team at MGM to move past passwords to two-factor authentication. But the security team is working to make these methods easy to use for employees and reinforce their uses through training and reminders.

These types of cloud security issues are also seen by other enterprises looking to digitally transform their businesses through services such as IaaS, PaaS and SaaS.

Shadow IT

Andy Kirkland, the deputy CISO of coffee giant Starbucks, tells Information Security Media Group that shadow IT remains a major concern. "Anyone with a corporate card can come in and download a cloud service," he says.

As enterprises increasingly rely on the cloud, Kirkland notes, an upcoming security challenge will be the use of multicloud environments, where data will have to synchronize across platforms created by different cloud providers.

One way to overcome some of the issues, Kirkland says, is better training for employees.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.