David Cross is the SVP and CISO for Oracle SaaS Cloud Security. Previously, David was the engineering director of the Public Cloud Security Platform in Google's Security and Privacy organization, and his preceding 15 years were spent with Microsoft in numerous security platform, cloud, product and engineering leadership roles.
He is a long-time advocate of security applications and technology, dating back to his U.S. military service. In addition, David has been a long-time security IP innovator with more than 30 patents and a contributing author on many white papers and industry books regarding security and public key infrastructure.
What are the unique challenges of working in the cloud? Which is more important – end-to-end data protection or end-to-end encryption?
It’s not a question of if people are going to the cloud; it’s a question of when they’re going to the cloud; it’s the future. And it’s how we really talk about what that transition looks like, because of the changes in doing things on-premises versus in the cloud. Their expectations are different, and they are also very, very positive. And that’s one of the things — both protection and encryption are pretty much becoming commodities, a baseline in the cloud.
In a general sense, I think that is how to have end-to-end protection, but it’s also more complex. End-to-end encryption is becoming kind of a standard thing, going from point-to-point encryption. It’s always going to be in place. Who’s not using HTTPS? Who doesn’t have encryption for their storage in the cloud? What cloud provider doesn’t provide encrypted storage? It’s really a kind of baseline key capability. But now, looking forward, if everyone has encryption, are you fully protected? Well, encryption is not the only protection that you need. So, I think that’s when you discuss end-to-end protection. That’s more important.
You are a veteran yourself. And having veterans onboarded is among the checklist items for several companies when hiring. How do veterans make a better fit for several cybersecurity roles?
I think it’s a very interesting topic that I’m quite passionate about as a veteran myself. But looking at the benefit to many companies, speaking specifically about the US, veterans are a slice of society. It is a diverse and inclusive organization. And that’s important as a start. The next thing is the fundamentals of the US military — the common values and principles.
It’s about integrity, honesty, attention to detail, passion, and the ability to learn and adapt. And many companies, especially in cybersecurity, are realizing that they need people who have the passion to learn, are dedicated, and are loyal. This is where veterans, with the other elements of honesty, integrity, and passion, come into play. They’re extremely strong hires; even if they may not have the specific skill set you need on day one, they’re used to always being trained and learning on the go.
How much has your background with the US Navy helped you make decisions and initiate new technologies here at Oracle?
One of the things that I always like to call out, for both my service and others’ and certainly in cybersecurity, is that we’re under pressure, and things go fast. You’re in a fire drill. It really matters how you perform under pressure. And that happens very often in high-tech. And I think that training helps you operate and use your muscle memory, playbooks, and tools to get through tough times, especially when there’s stress or long hours in play. That one really jumps out strongly to me. So that’s a good starting point.
We can see a pattern where organizations are gradually switching to a more SaaS-based model for security. How has this benefitted companies? Do you feel this is the right step?
There’s been enormous progress, both as a consumer and as a vendor; it is positive. Using cybersecurity as an example, today people want their systems to always be online, available, updated, secure and protected. And now with a lot of businesses, the question is: do they have all the capabilities to ensure their systems are updated, patched or monitored 24/7 globally with the right experts? Can every small and medium business have a cybersecurity expert? Can they have someone monitor their systems? That’s extremely difficult. And so, are they really getting the value proposition from the applications they are running and operating themselves, versus having those as SaaS on a subscription from a provider who does have the global resources and experts in all the various areas? That’s the transition that we all have to make.
Several SaaS providers use DevSecOps to keep their applications up to date for better functionality, among other benefits. As a company which is about to invest in a SaaS model of security, what are the boxes they should check first? Also, how do they know if they have chosen the right tool?
Most companies are adopting DevSecOps to a degree, and part of it is how you can improve the overall lifecycle. But the biggest thing I like to say, and some people may be surprised, especially in SaaS or cloud environments, is that this is where audits and compliance come into play. You no longer have the hands-on ownership of the box, the system, or the people that are managing it. So how do you know that it’s really up to date through a DevSecOps model and culture?
This is the purpose of third-party audits, pen testing and certifications: to have an independent person that can provide you the confidence and trust that they are being performed the way you want them to be. And that’s the right thing to do. People say security and audits never go together, but actually they do in this case.
DevSecOps has changed the dynamics of security practices. However, it often does not say how to incorporate good security architecture practices into the system being developed. How far do cybersecurity frameworks and regulations help here?
As you look at the major kinds of audits and certifications, like FedRAMP, PCI, and HIPAA, there’s a lot of overlap. If you try to add on each individual region, province, state or territory that wants another one, and there’s 90% overlap, is that helping or not?
Moreover, every country wants their own law that has differences, like the EU digital signature laws. That doesn’t work very well. So, I think it’s about how we focus on what’s the most important in the baseline ones, versus trying to create very nuanced ones that basically just create bureaucracy and no real value.
How far do you think Cybersecurity Maturity Model Certification has come into play? Are organizations taking that seriously? Do you think there has been a good amount of activity around its implementation?
We’re seeing some good progress on that, but it’s still kind of maturing to a degree. It isn’t mature yet like other historical things such as FIPS 140-2. We’re seeing adoption and uptake on it, but it’s going to take a little more time.
There are three points, the first being that some people can get overwhelmed by the number of new things that are occurring at this time. The second element is that sometimes being the first means not noticing the benefits, because when you are blazing the trail, you sometimes don’t know the best path, versus actually being a good or quick follower who sees who helped blaze the trail and learns from those experiences. And the third is to see the greater adoption. That last part is where you need experienced people in the area, and have others do it first. So, then you can get some of their talent to help you.
What are the newest trends in SaaS-based security? What is the future of SaaS security?
Certainly, as I mentioned before, several businesses are realizing that, with the talent, labor and supply chain shortages, it is actually a question of maintaining things themselves compared to subscribing to cloud services and SaaS services. It makes much more sense now to go to the cloud, where they may have resisted in the past. That’s one.
The second thing we’re starting to see, and something we do here at Oracle, is embedding security in the overall broader services that are integrated and included in SaaS services, versus it being a whole menu where you have to add A and B and C and D to your service to have an end-to-end solution. Now it’s one inclusive purchase, one inclusive service, versus 10 different SKUs. So, especially in security, we’re starting to see the trend of more and more things being embedded and integrated versus being separate add-ons to have a secure solution in the cloud.
Now that you have shed some light on legacy apps: how often do you think there is, even now, significant reliance on legacy apps among companies, and where has innovation become a hindrance?
This is an overall continuing problem. We can go back to general industries and ask why many banks did not have HTTPS or certificates on their websites; that’s because many people were using Windows XP, not even Service Pack 2. So, they had to work around that. But we’ve seen that a lot of businesses are still using these legacy applications that only support TLS 1.0. They don’t even support 1.1 or 1.2. And this is actually holding things back. So a lot of people look at various services and say, why aren’t you even running TLS 1.3? Well, because there are so many legacy apps and all these smaller businesses that don’t have the capabilities or have not updated for 10 years. Is that really safe? But the question is, do they also have the capability to update their medical systems? And I think that’s one of the ongoing problems in our industry.
SMEs are the biggest targeted vectors of late, and added to that, all small businesses shut shop within six months after an attack. There’s still a lot of lack of understanding there. So, what are the ways to empower small businesses and inculcate better cybersecurity awareness among them?
I’m speaking at BlackHat Middle East in Saudi Arabia about the challenges in retail cybersecurity. And one of the things I really want to raise for small and medium businesses is: is this not now the time to move on to SaaS and cloud services to provide retail services? Because now, in large parts of the world, the internet connectivity, the reliability of the connection to the cloud, is almost 100% reliable. And so, for all these factors, moving away from these legacy systems that aren’t patched and are at risk, to cloud-based systems. And I think that’s really the kind of choice and push that we need to make with some of these smaller businesses.