rvlsoft - Fotolia

Equifax shares 'risk averse' cloud security model post-breach

Equifax explains how it has transformed its data security strategy using multiple clouds and a more focused approach through Google Cloud Platform's hierarchal security.

ORLANDO -- Equifax's highest priority after the 2017 data breach that led to a massive $700 million settlement is to make sure its data in three separate clouds is as secure as it can possibly be.

The credit scoring company is in the midst of a $1.25 billion investment plan to modernize its worldwide technology and security infrastructure through 2020 using a cloud-first, cloud-native strategy.

Using public cloud infrastructure has enabled the company to scale its cloud security program, said Daniel Dubowski, vice president and business information security officer of United States Information Solutions at Equifax. In fact, Equifax was the poster company in a session led by Google about shared responsibility for multi-cloud and hybrid clouds here at the Gartner IT Symposium/Xpo conference this week.

"As you can imagine, we are pretty risk averse at Equifax," Dubowski said. 

The giant credit reporting agency uses Google Cloud Platform (GCP) for its new data Fabric and to deliver data and analytics to customers. Over the years, the company had acquired firms that used Microsoft Azure, and chose not to disrupt those environments. Equifax also made a "huge expansion into AWS to handle the load of people who requested credit freezes" after the data breach, Dubowski said in an interview.

Cloud security close to the data

Equifax has moved from what Dubowski called a broad-spectrum security strategy to one that is much more focused on protecting the data, identities and applications, as close to the data as possible.

As you can imagine, we are pretty risk averse at Equifax.
Daniel DubowskiVice president and business information security officer, United States Information Solutions at Equifax

Google Cloud Platform enables Equifax's business units to create folders with projects within, creating hierarchies of control.

"If anything happens within any of those projects, each one is essentially self-contained, so the scope [of a system compromise] is only extensive to that application," Dubowski said. "That's what allows us to essentially micro-segment everything."

This model strongly prevents lateral movement, and uses Google KMS and different encryption keys for different applications, he said. Every application, even if it's the same data that's being transferred, gets encrypted and decrypted by different keys; if a single key gets compromised, it only affects one area of that application, according to Dubowski.

Equifax's expansion into cloud continues, with the goal to be data center free within two years.

Google spells out shared responsibility

Meanwhile, plenty of organizations, particularly in government, have only just begun their cloud migrations. Some of their hesitation surrounds visibility and not knowing who to blame when cloud security problems inevitably arise.

Executives from Equifax and Google discuss a multi-cloud security strategy.
Daniel Dubowski, VP, Business Information Security Officer, Equifax (left) and Rob Sadowski, trust and security product lead, Google, discuss Equifax’s multi-cloud strategy for data security.

Those questions get trickier when multiple clouds and on-premises systems are involved in supporting applications across an enterprise -- something that's increasingly common. By 2021, more than 75% of mid-sized and large organizations will have adopted a multi-cloud and a hybrid cloud strategy or both, Gartner reports.

One IT professional here at the Gartner IT Symposium who works in network operations for a big government agency said his main concern with the government's ongoing cloud migration project is compliance.

His department has been mandated to set up Comply to Conect (C2C), a Department of Defense internal mandate that requires that patches and hardened configurations be applied to devices before they can connect to a network. That might be difficult if the department doesn't "own" the systems that need to be patched and configured, he said. He also worries about losing visibility into cloud-based systems.

But cloud providers like Google maintain that infrastructure as a service can be more secure than an on-premises data center infrastructure, provide automated patching and varying levels of visibility. At the heart of cloud security is shared responsibility, said Rob Sadowski, trust and security product lead at Google Cloud, during a session here.

Google shared responsibility in the public cloud
Rob Sadowski of Google explains shared responsibility in the public cloud.

To ensure organizations move into the cloud properly, the cloud provider has to be clear about what it is responsible for and what users are responsible for. Securing the underlying infrastructure is typically the provider's responsibility, while the user is responsible for securing the data that's in the cloud, Sadowski said.

He explained that because Google has built its own infrastructure, it can take full responsibility for its services.

"We don't want shared responsibility for our underlying stack, so we design our own servers, storage, networks and data centers to reduce vendor-in-the middle risks; we don't have to wait for Patch Tuesday to update our code," Sadowski said. "We may go so far as to design our own chips, such as Titan, to ensure the integrity of the stuff that runs on that layer."

Google provides access transparency and approvals, and many organizations add third-party audits, certifications and documentation for added assurances, Sadowski said.

Other public cloud providers, including AWS and Microsoft's Azure, also have shared responsibility models and while they are similar, Equifax's Dubowski advised IT pros to review them carefully to understand their differences.

The Gartner conference is being held Oct. 20-24 at the Walt Disney World Swan and Dolphin Resort.

Dig Deeper on Cloud deployment and architecture