• The traditional way

    The world around us is changing, and many of the “traditional” ways of securing IT and networks just don’t easily apply to today’s new, distributed networks. The challenge we are facing is that the Internet has been using the same protocols and infrastructure for decades, which means that 95% of today’s data and applications no longer fit with what the original Internet was designed for. At the same time, the volume of data has increased many times in just the past decade, with much of that growth occurring during the last couple of years, driven by digital transformation. The first generation of network security started 25 years ago and was all about securing connections to the network. Firewalls were used to control who and what could connect to the network, and were then combined with VPNs to encrypt that traffic. Tools like IDS and IPS soon followed to better monitor the traffic coming through those connections.

    Next generation security

    Today, things like mobility, IoT, and cloud computing are requiring us to develop a new generation of security. Data and applications travel between a variety of users and devices and span multiple borderless networks, making visibility and control more difficult. Security needs to be able to dynamically scale and respond to shifting network resources. The majority of data no longer stays inside company networks where it can be protected by edge firewalls. Instead, network security needs to extend out to wherever the data is. And we also need to be able to see and secure all infrastructures and devices, whether virtual or physical, or even temporary, simultaneously, from endpoints to on-premise systems, and out to hybrid-cloud ecosystems.

    Where to start

    Reactions to the problem of security in the cloud range all the way from ignoring the issue completely to clinging so tightly to traditional IT security philosophies and methods as to ban cloud services entirely. Companies that have experienced governance and compliance problems, or outright data breaches, often exert additional scrutiny of the process. And it’s a justifiable concern: Significant security breaches can adversely affect a company’s reputation for years, resulting in low customer confidence, lost current and future revenues, a poor public image, and legal liability.
    On the flip side, in times of tight IT budgets, overpayment for security services must be avoided. What’s the best way to resolve this conflict? We believe that it lies in taking a holistic, risk-based approach to security in the cloud that gives companies a consistent, structured way of deciding which kinds of data can be safely moved there.
    The key to both the problem and the solution lies in the very nature of cloud computing — that critical data must be moved out beyond the corporate firewall and given over to a cloud services provider that offers storage and provides access. As such, cloud computing raises security questions that cannot be resolved with traditional IT security practices. These questions include the following:
     
    • Which services and related data can be moved safely into the cloud, and when?
       
    • How will sensitive data be protected in storage, in transit, and in use?
       
    • How can access to cloud-based data and services through new hard-to-control devices such as smartphones and iPads be managed in line with security requirements?
       
    • What security levers built into cloud architecture components can be pulled to mitigate new risks?
       
    • How can companies be sure that cloud service providers are compliant with their security requirements?

    Summarized

    Cloud computing represents a major opportunity for organizations to provide greater flexibility and value to the business. Yet security will always be a concern when important information assets are no longer under direct control. A proper cloud security program will provide business managers with concrete, fact-based solutions to support their business needs and allow them to enjoy the benefits of the cloud without putting the company at undue risk of data breaches or loss. Such a program will identify where the risks of moving information assets into the cloud are too high, which security practices management can put in place to reduce that risk to acceptable levels, and whether the costs of those practices are warranted by the benefits inherent in cloud computing.