used with permission from IBM ForwardView
Of all the IT buzz words and hot issues streaming across screens these days, there are probably two that have caught a bit of your attention: cloud and security.
Cloud may have piqued your interest because of the potential for cost savings by tapping into leading edge applications offered, managed and maintained by someone else—helping you alleviate some of your IT backlog while enhancing business capabilities. And security, because of the boisterous headlines about breaches and cybercrime that seem to be monthly occurrences—making you wonder if your business’ data is as secure as it needs to be.
“On the surface, for those who are not immersed in these topics, it might seem like the promise of cloud comes with the danger of reduced security,” says Christina Richmond, Program Director, Security Services at IDC. “The logic goes, if cloud means relinquishing control of applications and data, and sometimes placing them in a shared environment, have I just created a security exposure?”
While it may seem illogical, the answer can be no.
The reasons for a secure cloud environment are revealed by exploring the top three cloud security concerns: unrestricted access to cloud services, data and applications outside your control, and damaging security breaches.
Line of business managers may often drive the push for cloud services—thinking of the increase in productivity, revenue, or customer satisfaction that could come with using an advanced, cloud-based CRM application, for example, months or years before their own IT team could satisfy the requirement.
“These executives are well intentioned,” says Richmond. “However, data security isn’t necessarily their area of expertise—for example, who is going to authenticate which users have access to what functionality?”
She says that identity and access management built for cloud environments should provide safeguards, but “it’s a shared risk—businesses must also be prepared to participate in setting up access. A cloud-services provider doesn’t know your business like you do.”
Arguably, the process of instituting or updating access for a new cloud application could provide an opportunity to evaluate and improve a business’ existing approach.
Protect vital data
What may give most organizations pause about shifting work to the cloud is the belief that data and applications are now outside their control. According to an Information Week cloud security and risk survey, fifty-percent of organizations are worried about unauthorized access or leakage of sensitive data.1
“It’s important to do your homework and understand what the most sensitive data is you’re putting on the cloud,” says Richmond. “Then you can wrap the right kind of monitoring and controls around that data to spot anomalies, as well as harden the cloud infrastructure supporting it—not everything needs to be in Fort Knox, but you should know what does.”
Some cloud providers are using innovations in big data, analytics and visualization to stay ahead of threats for the cloud data their clients deem most sensitive—investing in the skills and technology that might be beyond the capabilities of a single business’ IT team.
By one account, seventy-five percent of security breaches can take days, weeks and even months for a business to uncover.2 While this may be partially due to the deviousness of cyber thieves, it is also a function of businesses being overwhelmed.
Data analytics will improve an organization’s visibility of potential areas of exposure. Richmond says that analytics plays an important role in the overall security posture, but it still requires “eyes on screens”, which is becoming increasingly problematic.
A separate IDC3 report on managed security services points out that, “A complication in the security landscape is the shortage of security talent.” The report indicates that the leading organizations offering managed security services “are going far beyond traditional hiring practices to ensure near- and long-term access to a security talent pool.”
For example, IBM has 6,000 security professionals, along with ten security operations centers worldwide to help support a secure cloud environment for their clients—collectively monitoring 20 billion security events every day.
A cloud environment can bring the talent and attention necessary to monitor activity using advanced data security analytics that increases a business’ visibility to potential threats.
Act proactively, think strategically
By managing access, protecting the most vital data and increasing visibility across potential threats, organizations are getting in front of vulnerabilities and adopting a more strategic posture—as opposed to just building walls that are hopefully high enough to repel intruders.
Indeed, there has been an evolution from the wait-and-hope approach to security to one that is more vigilant and alert.
In charting the growth of security solutions, IDC sees a shift from the reactive approaches of the 1970s, like authentication, to proactive technology that includes security-as-a-service and threat intelligence.
“With zero-day threats, how do you mitigate something that hasn’t been seen before?,” asks Richmond. “Threat intelligence will help businesses spot activity that is out of the norm, and analytics can then help identify indicators of threats before they are fully defined.”
One of the conclusions IDC draws is that businesses will need to “acknowledge the necessity of threat intelligence security products and the use of big data” in the matter of security–a quickly growing segment, to form a well-built security posture.
In addition to a proactive stance, businesses will have a more dynamic and strategic approach to security. One that provides layered protection and deep insight across the infrastructure—simplifying and controlling access across multiple cloud services for all users, and helping increase threat visibility in multi-tenant environments.
“The enterprise that stops to consider migration to cloud, envisions security challenges around user access, data privacy, and application protection,” says Richmond. “Many think about these problems one at a time or from a legacy protection perspective. To migrate in a conscious and thoughtful manner, a holistic strategy needs to be employed. This is a seismic shift, and point solutions do not fit the problem.”
1 September, 2013. Information Week, Cloud Security and Risk Survey
2 Verizon 2014 Data Breach Investigation Report
3 IDC MarketScape, Worldwide Managed Security Services 2014 Vendor Assessment Doc# #248646, June 2014