Tricks of the trade: Securing cloud-first at Kingfisher

[Image: Securing cloud-first at Kingfisher. Source: Wikimedia]

Keeping development and cloud teams within the security guardrails takes a bit of know-how, says security lead John Day

"The biggest challenge is getting cloud teams to deliver at pace," said John Day, technical security manager at home improvements giant Kingfisher, parent company of B&Q and Screwfix in the UK as well as several other brands across eight countries in Europe.

"At pace" means at a sustainable rate rather than simply faster: "If we didn't keep the reins on they would deliver everything very quickly."

Ensuring the cloud teams deliver services within guardrails and to security guidelines rather than simply ploughing ahead requires a great deal of diplomacy from Day and his 25-strong security team. After all, they are outnumbered by the 50 cloud engineers, and dwarfed by the thousand-strong collective of application developers and engineers working at Kingfisher.

"We're trying to do a mind shift and ensure security is seen as an enabler, so we're making sure we socialise with the cloud teams and engineers," Day explained.

[Image: John Day]

Rather than imposing tick-box exercises, his strategy is to focus on reducing technical debt. Kingfisher has grown by acquisition and there is a lot of baggage to clear away on its way to cloud-first, its desired destination. And so far the strategy is working: "It's really winning the hearts and minds of the engineers and the digital teams," Day told Computing during a Qualys event in London last week.

With 1,900 stores and 82,000 employees, Kingfisher is a large and complex organisation. Last year it announced a five-year £80 million deal with Google Cloud Platform to move on-premises services, including its ecommerce platform and test environments, to the cloud, with plans to expand the 300,000 products currently offered through B&Q's website to 4 million and to introduce cloud-based AI tools to help customers match their needs.

But the company also uses services from AWS and Azure. "We're multi-cloud," said Day.

Despite operating in Europe, its three cloud providers are the US giants; Day says European cloud providers are "too specialised" for the company's needs. Kingfisher has to be very careful to comply with data protection regulations, tracking possible divergence from EU regulations in the UK post-Brexit, but he said the big cloud providers are ahead of the game. "They are really good at where they place their data centres."

Unblocking the pipes

Day, who has a military background, was mobilised into the defence of the company's infrastructure at the time of the pandemic.

Previously running the Azure identity stack for Kingfisher, when Covid hit he was drafted in to roll out the Microsoft E5/F5 Security Suite. He now looks after all the security tools at Kingfisher, "from vulnerability scanning through to endpoint detection and response through to SIEM, proxies and firewalls."

The Covid lockdowns saw a surge in DIY activities, and because opening hours for shops were restricted, everyone went online - leading to huge pressure on the websites.

"We had a massive problem with virtual queuing on the B&Q store online," said Day. "It was hosted in the data centre, you had a limit on the line going into the data centre, and on the compute and on what the front door, the firewall, could actually let through at one time. So during Covid we did a very agile, very quick piece of work to move that front door and our website up into the cloud."

Unencumbered by bandwidth constraints and able to scale up at times of heavy traffic, the company was quickly able to trade normally again.

Naturally this whetted the appetite for more cloud, but in a large company, spread across countries at different levels of development and with a burden of legacy tech, cloud-first is not going to happen overnight.

Security has to encompass multiple clouds and several local data centres. Day's team has been moving towards a zero trust architecture (although he dislikes the term: "I'm not a huge fan, it means something different to everyone"), and uses the Qualys TruRisk platform to identify and triage vulnerabilities across the piece.

Bridging the gap

He is also a member of that company's strategic advisory board, meaning he gets to chat behind closed doors with fellow security professionals, along with Qualys senior management, learning about trends and issues and having the opportunity to shape how Qualys might address them through new services.

"It's quite unusual and it's really refreshing to have this insight. It's a bit of a brainstorming session, ideas and strategies. And we get the opportunity to contribute to that."

So what are the issues that are currently troubling CISOs?

"Bridging the gap between security and application and engineering teams," he said. "And then bridging the gap between security and C-level."

The latter is about providing insight and observability, perhaps with added dashboards. The former concerns identifying risk and prioritising action, and is more of a challenge.

"So when you're talking to infrastructure teams, cloud platform teams and application teams, the significant challenges there are in helping them prioritise the work that you want them to do. There's a load of vulnerabilities, all of them critical, which do they work on first?"

That requires the right tools and the right intelligence, and also a diplomatic approach if security is not to be seen as the "Department of No".

"We try to make it a partnership. We don't want to be big brother security, right? But we don't want the tail wagging the dog. So it's enthusing them and working with them, trying to find that middle ground where it works for everyone."