Threats to data will change with time, with bigger and more serious challenges appearing daily. So it’s no surprise that every company needs to invest in the best IT security solutions that can grow with their business, that are forward-thinking and can handle even the most malicious threats. But no doubt, with tighter budgets and fewer resources, companies are in the midst of the great debate: insource or outsource?
Last year in October, the White House believed that their unclassified computer networks were hacked into by Russian spies. Officials stressed that there was no evidence that the hackers had accessed classified networks or damaged any systems. The White House shut down Intranet and VPN access, and then periodically shut down systems for security upgrades. This cyber breach happened after the U.S. imposed sanctions on Russia as a result of the country’s actions in Ukraine.
A few months ago, a "friend of a friend" left a lofty job at a Fortune 100 company to join a small start-up. Despite – or perhaps because of – the crazy hours, frenetic pace and the feeling of living on the edge, this friend is extraordinarily happy. What this exec is not happy about is the non-Fortune 100 budget. Over lunch recently, said exec confided how challenging it was to start from scratch… fewer tools, fewer templates, fewer resources overall. So they got creative. Knowing what company we’re with and the products we sell, they were a little more reticent in confiding that seven months later, said exec still had their old laptop and was still accessing the company’s network for files and content. Business ethics aside, we were dumbfounded. SEVEN months later? Conceivably, this person could have caused some damage.
2014 was a banner year for data breaches. It really did seem as though every day a new story hit the press regarding another data breach. And company size and sector didn’t matter. All organizations were vulnerable to external attack, and the consequences were certainly derailing companies and their leaders' careers. Clearly, current methods have become ineffective for proactive awareness and timely remediation of security vulnerabilities. Simply installing traditional security products and meeting compliance checklists are not enough.
When news hit about the security breaches that affected Target, we here at EiQ Networks knew all too well how it would affect those companies and the backlash they would receive due to the thousands upon thousands of consumers that have had their financial cards compromised.
The launch of the newly instated Healthcare.gov website has been a nightmare for IT professionals to watch unfold. The website is plagued with a number of glitches and issues related to the sign up, but a new major concern now being brought to light is the security risk of the information being shared on the website.
EiQ Networks recently released results of its survey, Suffering a Case of SIEM?, that revealed managing the complexity of the product is considered the biggest headache when using SIEM, followed by lack of trained personnel to manage the product. In that same vein, a recent Enterprise Strategy Group post titled The Security Skills Shortage is Worse than You Think by Jon Oltsik indicated that 83 percent of enterprises claim that it is “extremely difficult” or “somewhat difficult” to recruit and/or hire security professionals in the current market. Oltsik also commented, “The data indicates that security products that offer the most intelligence, automation, and ease-of-use will win – not those with tons of complex bells-and-whistles.”
For many years, organizations viewed information security compliance as a “checklist” against a law or industry policy, such as HIPAA, SOX or PCI DSS: if they implemented some specific controls, and could run a few reports to demonstrate these controls were in place when their auditor arrived, the appropriate box would be checked and the auditor would move on.
Mobile computing technologies represent a true paradigm shift for organizations, providing an unprecedented level of autonomy and mobility for users. According to analyst firm Forrester Research, 53 percent of employees use their own technology for work purposes. Unfortunately there’s a dark side to this increase in productivity: mobile computing technologies represent a rapidly-growing challenge for security, privacy and compliance within the enterprise.
Do IT Professionals Need Different Skills?
Much of what IT people “do for a living” within organizations that are moving to the cloud is changing. One of the most glaring areas is in the realm of vendor management. With less hands-on technology to manage – particularly when acquiring software-as-a-service (SaaS) and platform-as-a-service (PaaS) cloud offerings – organizations are less reliant on the broad swath of traditional “IT guys” (and gals) who do “IT stuff”: there’s less of a need for in-house people who build and manage physical servers, for database administrators (DBAs), developers, and others who perform traditional IT tasks. In a cloud-centric world, the valuable IT person is one who can define, negotiate, track and hold their cloud vendors accountable through mechanisms such as contract terms and conditions, as well as service level agreements (SLAs). Of course, this does not mean that the IT function of cloud consumers can be simply handled by other groups such as Legal or Accounting; the contractual components of cloud service management require a fairly deep technical knowledge, to define key performance indicators (KPIs) and other metrics that are critical for ensuring that cloud service providers are held accountable.
For organizations that consume lower-level cloud offerings such as infrastructure-as-a-service (IaaS) or storage-as-a-service (STaaS, such as Amazon’s S3 platform), hands-on, technical IT knowledge is still very much required. What changes in those cases, however, is the type of IT knowledge that’s most important. IT personnel need to be able to package systems in a manner that allows their solutions to be deployed to and managed effectively in the cloud. This means understanding how hypervisor-based deployments work (since cloud infrastructures use virtualization to provide elasticity and scalability), and implementing properties such as application partitioning (avoiding monolithic architectures), deployment automation (such as on-demand provisioning), recovery mechanisms, and transportability.
Where is IT Management Happening?
IT management in cloud environments occurs both within the cloud – often provided by the cloud vendor, or a managed service provider – as well as in the corporate IT office. The fact is internal IT teams still need to manage some infrastructure, even when they have cloud application access. For the most part, they’re still using traditional IP networks to connect to the cloud, and they’re (usually) using traditional IT technology – desktops, laptops and tablets – to connect to their cloud-deployed applications through these internal networks. So in that sense, I don’t foresee traditional, technical IT management completely going away, even in organizations which have deep cloud integration.
However, the question of management on the cloud side of the equation will vary greatly. Some cloud providers are “infrastructure only” – they provide the environment and a simplified, self-service provisioning system, and leave it up to the buyer to determine how the cloud resources are used. In such cases, management may be done by the customer’s own IT personnel, or it may be handled by a third-party managed services provider who specializes in management of cloud resources. In other cases – particularly SaaS and PaaS environments – the cloud vendor themselves provides all of the technology management by addressing provisioning, scalability, upgrades and other issues. Vendors such as SalesForce.com and Microsoft Office Online are examples of this model.
Who Handles Security?
Security is one of the most challenging aspects of cloud deployment, and those challenges fall into two broad categories: security controls, and compliance. On the security controls side of the equation, cloud consumers often have no knowledge of the underlying architecture of their cloud service provider; they have access to the environment only through a limited user interface, or programmatic interfaces such as RESTful APIs. Cloud customers don’t – and never will – control hypervisor patching, multi-tenancy configuration (which, if done incorrectly, can allow data “bleed” between customers), aggregate capacity, hardware specifications, power, or other things that can introduce threats to their applications and data. And unfortunately, the cloud is experiencing the same cycle as every other technology developed since the computer revolution began: “focus on monetizing now… worry about security later”. So, I don’t expect wide adoption of any security standards anytime soon.
The other side of the equation – compliance – is a bit different. Organizations worry more about compliance than security, because while there is no guarantee that they will experience a security incident, there is a guarantee that they will be audited against applicable regulations and standards – PCI DSS, FISMA, GLBA/FFIEC, HIPAA, and others – and sanctions will be levied for non-compliance. To that end, many cloud vendors offer “compliant” versions of their offerings: a PCI DSS version, for example, which implements PCI DSS-mandated physical and logical controls to protect data. Another example, FedRAMP, is the federal government’s attempt to develop minimum standards for cloud vendors who provide their services to federal government agencies. In all of these cases, the good news is that the cloud customer can purchase services that are – allegedly – “out-of-box” compliant. The downside is that, because these compliance efforts require deployment of additional security controls, the cost basis goes up for the cloud provider… and you can rest assured that these costs are passed directly to the cloud consumer.