Enterprises Can Gain Competitive Advantages by Having IT Focus on the Things That Matter – Users and Information
Many years ago, what differentiated a business was literally keeping the lights on. Electricity was a critical utility, and the businesses that won were the ones located closest to power generation stations, making it easier to support their machines, products and services. The emergence of the electric grid changed all that. With the ability to plug into a global electricity grid, businesses could then focus on their products and services instead of worrying about their utilities.
Fast forward more than a hundred years later, the parallels are similar to cloud computing as explained in Nicholas Carr’s book, The Big Switch. IT teams used to run applications on server infrastructure that they struggled to maintain. They worried about performance, power, cooling and scale. Things were expensive, time-consuming and slow.
IT’s Evolution to The Information Economy
The next wave of cloud is going to be Software-as-a-Service (SaaS). Instead of focusing on the creation and day to day maintenance of an on premise system, IT can just purchase complete application systems via best of breed cloud providers – Microsoft Office 365 or Google Apps for email and collaboration, Workday for human capital, ZenDesk for customer management and Box for content management. IT is now moving towards an information economy, where they can focus less on infrastructure building but more on the information and resources that can differentiate their business from others.
Part of the move is driven by mobile – a new generation of workers that now expects the ability to access data from any device any time. IT has to address these new needs, and be able to react quickly to changing application demands, and a better way to address this is to just deploy a SaaS application designed (with a formidable engineering team behind it) to deliver one application very very well.
Granted, IaaS will never go away, as there will always be legacy applications that need to be deployed in an infrastructure that is an extension of the enterprise cloud. And many SaaS applications are built on top of IaaS.
But the key point is that as enterprises become more comfortable with ceding control to IaaS providers, they will also begin to trust in SaaS providers for their primary applications. IaaS doesn’t solve a lot of the heavy day-to-day maintenance of deploying an application. SaaS does.
SaaS frees up IT resources to do the things that matter – tapping into the information that provides a competitive advantage. In a recent Gartner CIO event in San Francisco, Leigh McMullen, Managing VP of the CIO research team, described a sports apparel and footwear company profiling the popular song that runners listened to as they jogged up San Francisco hills (if you’ve been on one of these hills, you know that’s a real feat). One song, in particular, was particularly popular and effective in motivating the runners, so they used this same song in commercials when launching a high-end running shoe. These are the types of engagement that IT can enable if they didn’t have to worry about installing or running a piece of software.
A New Framework For Security
If we are to meet the challenges of the information economy, then we also need a new approach to securing the data. Every piece of data now becomes a valuable competitive asset that needs to be protected. This is where IT can also play a key role.
For a cloud application delivered as-a-service, insiders are the weakest link, and the following types of insider threats must be addressed.
• Compromised insiders – Attackers targeting Office 365 users via a phishing or token-hijacking attack and taking over the cloud application account.
• Accidental insiders – A user inadvertently shares a confidential Google Drive file with the public when they meant to share it with an individual.
• Malicious insiders– A sales person who is about to leave for a different company and decides to download all customer data from Salesforce.
So how do you effectively protect from the enemy within? There are no additional security barriers once attackers take over a user’s credentials. Existing solutions like firewalls and IPS are completely ineffective because they don’t understand the difference between a legitimate transaction (Salesperson downloads a Salesforce customer entry) versus one that is abnormal (Salesperson downloading all customer entries). It’s not a cloud service provider’s responsibility to understand what a contextually normal usage pattern is.
Many vendors are focusing on features like encryption, DLP and governance policies. Encryption isn’t a real security solution; it protects the data from cloud providers, but not from the insiders who have full access anyway (think about it: if the application believes the attacker is the end user, and the end user has access to view encrypted data, then the attacker will have that same access). DLP and governance policies suffer from the same limitations (whitelists and blacklists) that have inhibited their success in the datacenter. There is a clear and present need for a security practice focused on cloud.
A new framework for security in the information economy requires several components:
1) Complete visibility into the user and usage of the cloud application – Ideally every user that uses a sanctioned cloud application is being enabled via single sign-on.
2) Governance policies – access control, DLP and data sharing policies provides initial controls over what should and should not be allowed by enterprise security policies or regulatory mandates.
3) Detection of high-risk users and behaviors – this serves to reduce the attack surface by highlighting the bad eggs in the enterprise who are doing bad things, like sharing too many files publicly.
4) Detection of anomalous behavior and threats – a key component of the framework is the ability to “fingerprint” and build a profile baseline of what’s normal for every user, so that the deviation from normal can be understood. This means actual incidents that may be indicative of a breach, such as logins from a blacklisted IPs or simultaneous logins from different locations
Any detection of high-risk users or behaviors in (3) needs to be fed back into policies in (2) as part of a real-time closed loop prevention strategy to ensure that the enterprise is continually reducing and mitigating risks.
In summary, enterprises can gain tremendous competitive advantages by having IT focus on the things that matter – users and information rather than infrastructure maintenance and building. As IT embraces this brave new world, they will need to consider a new approach to security, one that is focused on visibility, governance but more importantly protection against high-risk users, behaviors and threats.