Jerry Sto. Tomas, Vice President and Chief Information Security Officer (CISO) at Apria Healthcare Group, explored cloud security and what it takes to protect sensitive data stored in the cloud during his keynote presentation to Argyle's CISO membership at the 2017 Chief Information Security Officer Leadership Forum in Los Angeles on November 9. In his presentation, "Sustaining Security Up in the Cloud," Sto. Tomas provided cloud security best practices.
Many organizations prioritize cloud implementations. The cloud provides employees with the ability to access sensitive data on any device, from any location and at any time. Furthermore, the cloud drives increased organizational productivity and efficiency, as it helps workers quickly and effortlessly perform everyday tasks.
Although organizations around the globe are allocating significant time and resources to cloud implementations, few CISOs develop a cloud security strategy to go with them. Yet failing to put a cloud security plan in place can be costly.
At Apria, the organization wanted to simultaneously embrace cloud and ensure clients' personally identifiable information (PII) was protected. To accomplish this goal, the organization explored ways to integrate cloud into its everyday processes and architecture.
"We need to be agile and nimble," Sto. Tomas said. "The IT leadership team made a decision that we were going to be a cloud-first, mobility-first and social-first organization."
Shadow IT in particular is a problem for organizations that want to reap the benefits of the cloud.
If employees use unauthorized applications on company-issued devices and systems, they can expose the business to a myriad of cyber risks, so an organization must do everything it can to manage shadow IT.
"Shadow IT is an issue when it comes to the cloud," Sto. Tomas stated. "You have sanctioned applications that IT knows about. But you also have unsanctioned applications that you don't know about but your business is using. And you also have a series of questionable applications that are running within your organization."
At the same time, shadow IT can be exceedingly difficult to address: evaluating the large number of applications that employees use day after day makes it hard for a CISO to limit cyber risk.
"When you're dealing with shadow IT, you're dealing with many identities," Sto. Tomas noted. "There are so many identities that you may or may not know that are being used by your business."
When it comes to cloud security, CISOs must emphasize enablement. By doing so, CISOs can develop cloud security strategies that ensure their respective organizations can capitalize on the cloud's benefits and minimize the risk of data leakage.
"I need to make sure that I'm the enabler of the business, not the disabler," Sto. Tomas indicated.
With the right set of cybersecurity policies in place, a CISO can reduce cyber risk across both on-premises and cloud systems.
CISOs who develop cybersecurity policies that prioritize data protection help an organization control risk, even as new technologies are deployed across multiple departments.
"Granular policies are required for all services, regardless of whether they are on-premises or in the cloud," Sto. Tomas said. "You need to architect [policies] to any use case."
A cloud security strategy is a work in progress and must be evaluated and updated regularly. A CISO who frequently revisits the strategy for possible improvements can keep pace with rapidly evolving cyber threats.
"Many CISOs today don't think about cloud strategy. That's why shadow IT often becomes an issue, because IT is too slow to think about cloud strategy," Sto. Tomas pointed out.
Identity-as-a-service could play a key role in how a CISO addresses cloud security. It offers a consolidated view of on-premises and cloud systems, so the CISO can act quickly to identify and address potential security problems.
"You need to have a consolidated view," Sto. Tomas stated. "The goal is to have one identity or very few identities."
Moreover, identity-as-a-service can deliver wide-ranging benefits to employees at all levels of an organization.
"Get an identity-as-a-service [offering] that will allow you to be successful," Sto. Tomas noted. "[Identity-as-a-service] ensures your team won't have to learn lots of different passwords."
CISOs may also want to deploy a cloud access security broker (CASB). A CASB shows how employees are using mobile devices, which applications they are using and other security-relevant details, and CISOs can feed those insights back into the organization's cloud security strategy.
"Cloud access security brokers will give you a lot of visibility into your environment … and offer visibility into what information users are accessing," Sto. Tomas concluded.
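The visibility a CASB provides starts from the kind of bucketing Sto. Tomas describes above: every cloud destination is either sanctioned, questionable, or unsanctioned, and each one is tied back to the identities using it. The script below is an added illustration of that discovery step over web-proxy logs; it is not Apria's or any vendor's tooling. The sanctioned and questionable inventories, the squid-style log format and the log lines themselves are all constructed for the example.

```python
"""Shadow-IT discovery over web-proxy logs: bucket every cloud destination as
sanctioned, questionable or unsanctioned, and count the distinct user identities
behind each one. Added example, not Apria's or any CASB vendor's code.
"""
import re
from collections import defaultdict
from typing import Optional

# Hypothetical inventories: what IT has approved and what is still under review.
SANCTIONED = {
    "salesforce.com": "Salesforce",
    "office365.com": "Office 365",
    "box.com": "Box",
}
QUESTIONABLE = {
    "dropbox.com": "Dropbox",
}

# Constructed sample data: one squid-style access line per CONNECT request,
# plus one malformed line to show that bad input is skipped, not crashed on.
SAMPLE_LOG = """\
1510243200.101 alice 10.0.1.5 CONNECT login.salesforce.com:443 TCP_TUNNEL/200
1510243201.220 bob 10.0.1.9 CONNECT outlook.office365.com:443 TCP_TUNNEL/200
1510243205.003 carol 10.0.2.7 CONNECT www.dropbox.com:443 TCP_TUNNEL/200
1510243207.444 alice 10.0.1.5 CONNECT api.pastebin.com:443 TCP_TUNNEL/200
1510243209.876 dave 10.0.3.2 CONNECT www.wetransfer.com:443 TCP_TUNNEL/200
1510243212.000 bob 10.0.1.9 CONNECT api.pastebin.com:443 TCP_TUNNEL/200
1510243215.512 erin 10.0.2.8 CONNECT app.box.com:443 TCP_TUNNEL/200
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+CONNECT\s+"
    r"(?P<host>[^:\s]+):\d+\s+\S+$"
)


def registrable_domain(host: str) -> str:
    """Reduce 'login.salesforce.com' to 'salesforce.com' (last two labels).
    Adequate for this allowlist; a production tool should use the public-suffix
    list so that 'example.co.uk' is not collapsed to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(host: str) -> tuple:
    """Return (category, app_name) for a destination host."""
    domain = registrable_domain(host)
    if domain in SANCTIONED:
        return "sanctioned", SANCTIONED[domain]
    if domain in QUESTIONABLE:
        return "questionable", QUESTIONABLE[domain]
    return "unsanctioned", domain


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def discover(log_text: str) -> dict:
    """Map category -> app -> set of user identities observed using it."""
    report = {
        "sanctioned": defaultdict(set),
        "questionable": defaultdict(set),
        "unsanctioned": defaultdict(set),
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-CONNECT lines are ignored
        category, app = classify(rec["host"])
        report[category][app].add(rec["user"])
    return {cat: dict(apps) for cat, apps in report.items()}


def unsanctioned_by_reach(report: dict) -> list:
    """Unsanctioned apps ordered by how many distinct identities use them, so the
    ones with the widest potential data-exposure surface are reviewed first."""
    apps = report["unsanctioned"]
    return sorted(((app, len(users)) for app, users in apps.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    rep = discover(SAMPLE_LOG)
    for cat in ("sanctioned", "questionable", "unsanctioned"):
        for app, users in sorted(rep[cat].items()):
            print(f"{cat:13} {app:16} identities={len(users)} ({', '.join(sorted(users))})")
    print("review order:", unsanctioned_by_reach(rep))
```

Counting distinct identities per destination rather than raw request volume is deliberate: two people pasting into an unsanctioned sharing site is a wider exposure than one person doing it a hundred times, and it maps directly to the "many identities" problem quoted above.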
Jerry Sto. Tomas is the Chief Information Security Officer for Apria Healthcare, a leading provider of home respiratory services and medical equipment including oxygen therapy, inhalation therapies, sleep apnea treatment, and negative pressure wound therapy. As CISO, he is responsible for the development and execution of the enterprise information security strategic plan and roadmap.
Jerry has over 25 years of IT, privacy, and information security experience. He spent his first eight years in IT in the Philippines working as an independent IT consultant for the medical, financial, education, and government sectors. Since moving to the U.S. in 1999, Jerry has held various full-time and consulting positions.
- As a consultant for Experian, he worked on various threat and vulnerability management projects, including, but not limited to, the development of a computer incident response team (CIRT) framework and processes.
- He was the Global Information Security Advisor for Celestica, Inc. (a former IBM subsidiary), responsible for overseeing the management of security risks through internal security audits and reviews, as well as vulnerability assessments and penetration testing across more than 50 manufacturing sites and offices worldwide. He was also responsible for creating and managing the global CIRT, in which he conducted numerous computer forensic investigations.
- He was Chief Security Officer (CSO) for The Impac Companies, responsible for building and managing physical security and information security.
- He was Global Information Security Officer for Allergan, Inc., a Fortune 500 pharmaceutical and specialty health care company. At Allergan, he established successful security programs including Global Information Security Awareness, Network Security, a Security Operations Center (SOC), Data Loss Prevention and Privacy, Vendor Risk Management, and eDiscovery.
Jerry studied business administration at the University of Santo Tomas, Philippines and Colorado Technical University. He also holds a master’s degree in information assurance from Norwich University and is a CISSP (Certified Information Systems Security Professional) and a CISM (Certified Information Security Manager).