Tyler Healy, CISO, DigitalOcean in this Interview chats about top challenges in managing cloud infrastructure for startups, solutions to overcome cybersecurity threats facing cloud platforms, and the future of cloud security.
——————
Tyler, tell us about yourself and your role at DigitalOcean.
As Chief Information Security Officer, I lead our Security and IT organization. We’re a public cloud, so our security team stretches across multiple disciplines: from infrastructure and product security, to mitigating abuse and misuse of our platform. I come from a technical background in computer engineering, and spent the early days in my career in cybersecurity roles consulting with the U.S. Government and defense organizations. After a number of years in the private sector with large corporate security teams, I joined DigitalOcean in early 2018 and have helped build the security program through several phases of our journey over the past six years. I also advise tech startups and VCs on when and how to invest in building security capabilities.
Also Read: CIO Influence Interview with Anuj Jaiswal, Vice President of Products at Fortanix
DigitalOcean is known for simplifying cloud computing for developers. What are the top challenges in managing cloud infrastructure for startups and digital businesses, and how does DigitalOcean address these challenges?
Security is complex, expensive, hard to hire for, and operationally challenging to manage. For startups, or even mature small-to-mid tech companies, security requires mindshare across the technical parts of your business – potentially distracting from the core innovation. Although it can be frustrating to get it right, it’s absolutely necessary. For DigitalOcean customers, we focus on simplicity and usability by providing access controls, backups, key-based authentication, and a marketplace with third-party security platforms that makes it easy to integrate with any company’s infrastructure.
Highlight the most pressing cybersecurity threats facing cloud platforms today and how companies can overcome them.
Within the last few years, AI has quickly become critical to our global infrastructure, and consequently, so have the data centers which power these models. To meet the ever-increasing demand for AI, cloud platforms and providers are heavily investing in data centers across the world. They have become so important to the global economy and everyday life that the UK has recently designated them as part of the protected class of critical infrastructure, meaning they’ll be subject to government regulated cybersecurity standards. Running parallel to this are nation-state sponsored attacks upon several countries critical infrastructure intended to disrupt the economy and integral functions such as telecoms, wastewater management, electric grids; this could soon extend to data centers. While data centers are not currently designated as critical infrastructure in all countries, businesses can help migrate the potentially devastating effects of a data center outage by incorporating a hybrid or multi-cloud strategy to minimize any potential downtime or loss.
What proven practices help businesses using cloud platforms, particularly startups, overcome common security challenges, and how can they better prepare for securing their cloud environments?
There are several steps that businesses using cloud platforms, even those with resource constraints, should be doing to overcome common security challenges.
Ensure that your businesses’ data is backed up continuously throughout the day, every day at a system level. This will mitigate the impact of potential security breaches and allow businesses to quickly recover from data loss by keeping the latest backups readily available.
Adopt role-based access control, a method for managing user access to systems and resources within an organization by assigning permissions to roles rather than to individual users. This approach simplifies permission management and helps to enhance security at a company by ensuring that users have only the access necessary to perform their job functions.
Get the basics right. Configure secure, key-based authentication, minimize services running on infrastructure to only that which is necessary to operate. And do not store secrets or tokens in code.
Finally, store logs in a way that you can quickly analyze them in an emergency – with something like OpenSearch. Logs are critical to simplifying troubleshooting, and optimizing application performance. This will enhance reliability and security at an operational level.
For startups scaling rapidly in the IT sector, what security advice would you give to ensure they build resilient systems capable of handling growth while minimizing security risks?
Start by assigning ownership to a technical leader who takes accountability for security, even if it is not their primary, or only, responsibility. Get the basics right: multi-factor authentication everywhere, no exceptions. Protect employee devices. Do not store secrets or tokens in code. And make security simple with architecture choices that minimize a public facing threat surface. Get used to a role-based access model that operates with the concept of least-privilege. And finally, do not let perfect be the enemy of good.
Before we close, share a few thoughts on the future of cloud security—what trends or challenges do you see emerging in the next few years?
Emerging technology in the cloud will continue to move up-stack, away from the core infrastructure supporting it, and AI/ML use cases will only accelerate the pace. That, paired with the shift towards multi-cloud, will create an environment where the attack surface will be about flaws in logic, in data, and in human interaction with agents rather than the exploit of operating system or service vulnerabilities. Of course those traditional vulnerability paths will still exist, attackers always find a way to ‘make what is old, new again’, but the threat surface will become more and more shaped by interaction logic than system logic.
Also Read: CIO Influence Interview with Rafee Tarafdar, EVP and Chief Technology Officer, Infosys
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
Tyler Healy is DigitalOcean’s Chief Information Security Officer, responsible for the global security, IT, and trust functions. In his 17 years as an information security professional, Tyler has held roles driving technical and strategic transformation within public and private sector organizations. Alongside his full-time responsibilities, he has served as a tech startup and VC advisor helping new companies navigate the complexities of when and how to invest in security. Tyler has a passion for scaling security programs with highly automated functions that optimize for risk-to-speed tradeoffs to meet the always evolving challenges in cybersecurity. Tyler holds a Bachelor of Science and Engineering in Computer Engineering from the University of Virginia.
DigitalOcean simplifies cloud computing so businesses can spend more time creating software that changes the world. With its mission-critical infrastructure and fully managed offerings, DigitalOcean helps developers at startups and growing digital businesses rapidly build, deploy and scale, whether creating a digital presence or building digital products. DigitalOcean combines the power of simplicity, security, community and customer support so customers can spend less time managing their infrastructure and more time building innovative applications that drive business growth.
