
What's More Secure Than The Cloud?

Forbes Technology Council
POST WRITTEN BY
Christian Reilly


Using the history of computing as a frame of reference, it’s hardly been the blink of a collective eye since the conversation in many organizations turned from “Cloud computing? No way!” to “Cloud computing? Yes, please.” And it is, at least in part, the attitude toward security that has helped drive that mental shift.

Over a decade ago, when the term cloud computing entered our vernacular, many IT professionals reacted with absolute disbelief. Could it really be within the realms of possibility that organizations would be comfortable with trusting somebody else to manage, operate and secure their servers and applications?

In the following years, the debate around security raged. The almost rhetorical question of “Is the cloud secure?” became the headline topic of many industry event keynotes, breakout sessions and expert panels.

Back then, everyone had an opinion: Some had cloud security war stories, some made a living by mongering fear, uncertainty and doubt, and yet the ones who were smarter and more practical asked the ultimate question in return: "What's more secure than the cloud?"

Seems like a simple thing to ask, doesn’t it? But, in reality, this was a forcing function for those same IT professionals to hold a mirror up to their own security posture and capabilities and take a good look at whether they were in better, equal or worse shape than the cloud providers. Many didn’t like the answers they uncovered. Let’s be honest -- nobody likes being told that his or her baby is ugly.

Security, as most will readily acknowledge, is a very complicated beast. A tangled web of legacy, current and emerging technologies, deployed in myriad ways across a growing number of disparate clouds, adds to the challenge.

How do we make sense of this? How do we deal with this cloud sprawl and balance the growing demands of end users, lines of business and stakeholders with the needs of IT around security, compliance and control?

First, I would suggest we continue to acknowledge that there really is no such thing as “perfect security.” It is a lofty goal, but I wonder if it is truly attainable. The holy grail of a state where any organization can categorically keep all the bad guys out and the good guys in simply does not exist. The world is not so black and white.

Security is a constant game of cat and mouse, and organizations need to develop new approaches to deliver agility in their security postures. The 2018 Global State of Information Security study conducted by PwC showed that despite how common security breaches are, fewer than half of the 9,500 CSO and CIO respondents are performing basic security hygiene like penetration tests, threat and vulnerability assessments, and active monitoring and analysis of information security intel. The study also showed that nearly half (48%) don’t have an employee security awareness program. Without basic practices in place, businesses are leaving themselves open as easy targets for attack and making it impossible to catch up with or get ahead of potential threats.

Second, as part of that agile approach, IT departments within all organizations must fundamentally change from being a blocker -- the department of no -- to an enabler of wherever their business needs to go. Cloud is the new reality across all industries, and those businesses that don’t adapt to benefit from it may indeed be disrupted or killed off by it.

Third, we need to shift our focus to user-centric security, concentrating on what users actually do, why they do it, where they do it from and for what reasons. A user-centric approach with user-sized perimeters, rather than only focusing on the corporate firewall as the perimeter, creates a single point for applying centralized policy controls. This vastly simplifies operational complexity when contrasted with the traditional attack-centric approach.

"No conversation regarding security can be complete without the sobering statistic that is brought to us from Verizon's 2016 Data Breach Investigations Report (DBIR)," according to Frank Dickson, a research director for IDC. "The report states that '63% of confirmed data breaches involved weak, default or stolen passwords.' The 2017 DBIR was even more sobering as Verizon found that 81% of hacking-related breaches in its data set leveraged either stolen or weak passwords."

With a user-centric approach, the emphasis shifts to controlling user access to enterprise apps, data and services, irrespective of which cloud or clouds they live on. This is especially relevant when considering the axiom among security insiders that the actual biggest threat to a device, system or organization is not a virus or worm but people themselves.

Human error or inexperience is the cause of some of the largest security hacks and breaches ever recorded. Through a user-centric security model, an organization can both minimize and control the deliberate or accidental damage that a person can cause, using a policy-based approach to control what they can and can’t do across the range of services and resources available to them.

This not only significantly minimizes the impact of any successful breach attempt but also delivers the added benefit of mitigating any malicious insider activities.

A recent Citrix study, undertaken with Wakefield Research, revealed that new devices, evolving work practices and cloud-based technologies are changing how we work. The study showed that 57% of flex-work employees and 80% of science and tech workers are using cloud-based apps.

This shows that as technology becomes cloud-delivered, it becomes ever more pervasive and more appealing. The battle to control shadow IT is over.

Savvy IT organizations are embracing and enabling lines of business and the new, dynamic, empowered user base -- all in the name of productivity -- but without giving up on security. The key is a change in mindset, a change in technology and a change in user-centricity to provide the visibility and flexibility needed to be ahead of the game.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.