AWS for Industries
Cybersecurity Awareness Month: Ep. 2: Tips for Managing Your Vendors Securely, While Maintaining Control
Today’s episode is a continuation of our conversation with Robert Albach, a leader in product management for secure firewall / industrial security at Cisco Systems. We’ll dive into the complex world of securely managing vendor integration and the importance of doing it while maintaining control within your environment. It’s not uncommon to feel overwhelmed by the complexity of maintaining security in this space. It’s likely you work with a mix of vendors, who range in size and in cloud adoption – some might be pushing boundaries of cloud possibilities while others are focused on perfecting their niche – and this impacts your security profile.
“I think the bigger names have been able to expand into these cloud-based services with all the advantages that are offered there, but I think they’re having to pull their customer base forward. […] And the smaller vendors, the ones who provide equipment, they may not even think about playing in this cloud area.” – Robert
Join us as we discuss strategies for:
– Recognizing the capabilities of your vendors
– Facilitating conversations between your IT and OT teams about vendor security on AWS
– Maximizing your in-house IT resources while reducing security exposure
– Communicating the reason behind the rate of change to on-the-ground teams
– Delivering cloud benefits across teams
Listen now to Part 2: Tips for Managing Your Vendors Securely, While Maintaining Control (featuring Cisco) on Apple Podcasts, Spotify, Stitcher, TuneIn
On security overall:
“It’s no longer just firewalls and antivirus. It’s no longer just, you know, how do I get rid of malware and other things out there? It’s understanding not just that sometimes it’s security from an exterior, but what happens with our interior security.” – Doug
On the rate of change:
“But I think part of the problem is that a lot of the noise that emanates from the IT side is so ephemeral. And it suggests perhaps a lack of permanence when permanence and consistency is exactly what the manufacturing team needs.” – Robert
On how to manage vendors while maintaining control:
“If I’ve got a common platform, like a cloud service, like the U.S., which is geographically dispersed, where everything operates in the same fashion, that honestly I think reduces a lot of the security exposure that we might have versus trying to roll your own in multiple geographical spaces. So I think that’s one part of it. Secondarily, I can centralize. I have got teams with cloud experience in place.” – Robert
Preparing & Responding to security incidents
Ten security golden rules for industrial solutions
Assessing OT and IIoT cybersecurity risk
Ask A Question
Send us your questions at email@example.com. You can also post your question below in the comment section. We will reply to all questions within 1 business day.
What is AWS Industrial Insights?
Welcome to AWS Industrial Insights. In every episode, we interview visionary leaders from industrial companies to share their insights on technology, innovation, and leadership. This podcast is for industrial business leaders who are looking to make data-driven decisions and learn from those who’ve experienced similar challenges. By interviewing leading executives, we’ll uncover their insights and learn exactly how their organization found a solution. You can find all episodes of AWS Industrial Insights on your favorite streaming platform or listen below.
Growing skills gap, increasing cyber threats, supply chain disruption. Do these sound familiar?
It’s a tough industry to be in and we’re here to help.
I’m your host, Caroline.
And I’m your host, Doug.
And you’re listening to AWS Industrial Insights, the podcast for manufacturing and industrial business leaders who aren’t afraid to think big.
We interview executives from well-known companies to share the disruptive ideas and topics like leadership, technology, and innovation.
So let’s get started. Well, thank you guys for joining us again. This is episode two of the October Cybersecurity Awareness Month. Last week we talked about the differences between IT and security and some of the really real threats, you know, that could impact your business and how to protect yourself or at least be aware of that threat landscape.
But today, we’re going to focus a little bit more on something that’s complex and just feels like it’s getting even more out of control. So, you know, I do want to start this episode, but I have to say, during our planning call for this episode, Doug said something that was just like, so spot on that I actually want him to kick it off.
I wrote down the sentence here, Doug, so I’m going to read it to you. You said, “There’s way too many vendors out there doing their own niche thing. So how do you manage that? What do you do to keep that management within control?” And I think that’s a really real problem. So Doug, can you elaborate on that a little bit and then we’ll kind of ask Robert around it too?
I think if you look at the security profile, one, it changes about every day, you know, because people are trying to work around what was launched, trying to, you know, break down the barriers of what somebody might have in place.
Two, I think the other big part of that is that there’s so many different security areas to be aware of and to be planning for, but also to try and be your mitigation as you move forward.
It’s no longer just firewalls and antivirus. It’s no longer just, you know, how do I get rid of malware and other things out there? It’s understanding not just that sometimes it’s security from an exterior, but what happens with our interior security. Even more fun sometimes is security’s no longer just somebody trying to break the walls down or, you know, hack in and do something from there.
But security could even be if a person makes a mistake like Robert mentioned in the last episode, I type in 500 instead of 50. Uh oh, what do I do? And security can help with building that layer and that logic into there, that when that person does hit that 500 instead of the 50, that they actually are able to course correct or work around it from there.
So explode that out to what was the last two years. The big things everybody’s talking about is ransomware and the next big thing that somebody is probably thinking about. So, it’s always something different out there and it just takes hundreds of people to properly manage it and most companies don’t have that many resources to be able to do that.
Interesting. Robert, what are your thoughts on this? Have you experienced this as well?
I think in many respects as we mentioned earlier in the prior podcast, there’s a certain rate of change which people have comfort with and traditionally, the rate of change in the industrial spaces has been relatively slow. And thus, you know, is there going to be a radical change to what I’m going to get in terms of my metrics if I do one thing or another?
But I think part of the problem is that a lot of the noise that emanates from the IT side is so ephemeral. It’s like, oh, we’re talking about this next big thing at this point in time, and now we’re talking about another.
And honestly, if someone were to really sort of step back and just look over time about the messages and the points of emphasis that are coming across, particularly from the tech world–and by tech world, I’m emphasizing the IT tech world as opposed to the tech worlds in factory automation–things change too quickly. Because wait a minute, three years ago we were talking about that and why aren’t we still talking about that now?
And it suggests perhaps a lack of permanence when permanence and consistency is exactly what the manufacturing team needs. We are cranking out widgets at a rapid rate.
Now if you happen to be in a business where your production line changes rapidly, I’m thinking about contract manufacturers and in the electronics industry or arguably a set of pharmaceuticals that are trying to at lightspeed create a COVID vaccine, then you may find yourself a little more open to it.
So it’s going to vary depending upon the nature of the industrial vertical you’re playing in.
So Robert, can you talk a little bit too about, you know, the different types of vendors? You know, we know that there’s some of the big-name automation vendors who, you know, quickly recognize the advantages of cloud across different platforms. And then there’s some that were kind of just doing their own niche thing and they’re slower to adopt that.
So how do you recognize who is who when you’re working with them?
Well, I mean, the big names, of course, are going to get the attention. So there’s people who are absolutely pushing the boundaries out there. You’ve got Rockwell. They have explicitly made some moves in the cloud space. They’ve made actually some interesting acquisitions lately, utilizing cloud-based tools. Plex six is the other one that’s out there. And then there’s other vendors like Siemens who have sort of repurposed SAP HANA for MindSphere and other types of pieces that are out there.
And people have been using digital twins. So I think the bigger names have been able to expand into these cloud-based services with all the advantages that are offered there. But they’re pulling, I think they’re having to pull their customer base forward as opposed to the customer base saying, hey, we are chomping at the bit to start moving a lot of our data out of our data centers and off to a public cloud platform and such.
And the smaller vendors, the ones who provide equipment, they may not even think about playing in this cloud area. So I think to a large extent, the major automation vendors are frankly trying to pull their customer base to move forward and expand the opportunities there.
Mm hmm. Is there anything that’s, like, encouraging then, or that helps kind of pull them towards it? You know, sometimes when people think about the cloud, they just get scared and think about data going in places where they don’t know, like, you know, how do they have that conversation or how can you facilitate a conversation that, you know, assures that things are going to be okay?
I think it varies by vertical. So if we’re say emphasizing manufacturing, I think the opportunities are there. I think the relationship between the IT department and the OT teams, if it’s strong and if it’s good, they’ll trust the IT teams and they say, “Oh, we’ve been doing this cloud thing for years.” Of course, all of your sales are coming from Salesforce, which is a cloud service.
Yes. Our Outlook mail is, in fact, housed in the cloud. Our Office365 or our Google office things. These are all cloud pieces. So the more comfortable that they may feel from okay, our IT team has this, they understand it, the more comfortable they may feel. Yay, verily let’s participate in that digital twin. Let’s use the cloud as some kind of MES system or something along those lines.
So I think that’s a valuable incentive for, again, for the manufacturing teams to say, yes, we’re comfortable, let’s move forward and to go or expand on this. “IT teams, why don’t you manage what we have to do on the cloud? I don’t really need to worry about it. Do I really have to think about this or are you going to handle it for me?”
And I think if we take with that, though, it’s that cost risk analysis, again, that we talked about a little bit in the first episode where cloud does bring features that you can’t do on premise. An example would be something like high performance computing, where many customers, if they’ve built their own high-performance compute, they suddenly get into an issue with, uh oh, I have to start patching because I have too many users on there.
And cloud suddenly allows people to go, oh great, I get auto expansion of my high-performance compute because there is no realistic ceiling that you’re going to be hitting when you’re doing your compute capabilities from there. But it does open up a security profile or a perceived security profile.
I think from that standpoint, from you know, from your standpoint, going from that on premise into cloud and it’s not a one and done right, it’s a consistent and constant capability. What are two things that somebody who’s moving into the cloud needs to kind of look at from a securitization standpoint?
Well, I think I look at it from an opportunity perspective. And part of this is we could potentially put all of this in-house. But if I’m geographically dispersed, boy, you know, there’s costs of having to backhaul all this data we’re somehow going to potentially have to aggregate locally or we’re going to stand up our own local data centers in South America and Africa, Australia…bing, bang, bang. Those are an increasing number of points of presence that represent yet another point where we could fail and make a mistake and expose ourselves to anyone who may want to be capturing our data, reusing it, and competing with us in an unfair fashion.
If I’ve got a common platform, like a cloud service, like the U.S., which is geographically dispersed, where everything operates in the same fashion, that honestly I think reduces a lot of the security exposure that we might have versus trying to roll your own in multiple geographical spaces. So I think that’s one part of it.
Secondarily, I can centralize. I have got teams with cloud experience in place. We can operate in the same fashion across all these different geographies, across all these different verticals that we might be involved in if we’re a big organization that plays in different places. And I think that’s a great appeal. Commonality, having people with knowledge wherever they may be, and everyone understands this particular cloud platform or another I think is great value and it reduces the risk.
Thank you for tuning in to AWS Industrial Insights. If you want to learn more about today’s episode, head over to the blog for a list of featured resources on this topic. You can also find today’s blog in the episode description and also on our website at aws.amazon.com/industrial/podcast.