New thinking required for cloud security

Businesses are still stuck on 'old world' thinking when addressing security issues. Cloud is different: it requires a seamless approach to security and risk management that understands and manages the new virtual perimeter, according to Garry Sidaway, Global Director for Security Strategy, NTT Com Security (formerly known as Integralis).

Information security and risk management need to be built into cloud models from the beginning. But the challenge, pointed out Sidaway, is the mix of CPE, data centre and cloud, and getting consistent information security controls and management across this complex business environment. "This is why it requires a consistent approach to information security and risk management and one that embeds information security into the overall business," he said.

Security remains the biggest concern facing end users transitioning to the cloud. As an information security and risk management company, NTT Com Security sees cloud security concerns and challenges every day. "Businesses have to understand that they are still responsible for the information and data in the cloud environment and put in the necessary controls and governance to protect this data," said Sidaway. "The other concern is the mix of traditional on-premise, data centre and cloud environments and how to get consistent visibility and information security controls and management across these different environments."

Last year NTT Com Security undertook a global research project on cloud and found that UK businesses were falling behind other markets when it came to integrating cloud as part of their IT infrastructure and moving data or services into cloud. The report suggested that issues like security, compliance and regulation were playing their part in this. "High profile breaches relating to the loss or theft of data stored in the cloud isn't helping to ease fears," said Sidaway. "But as our research showed, even those organisations that displayed a distinct lack of enthusiasm for the cloud saw the inevitability of cloud computing. But users must understand the risks and put in appropriate controls and governance to ensure that these risks are managed to an acceptable level."

With many organisations concerned about security and regulation, cloud suppliers need to work harder at addressing these concerns and work closely with customers to help understand their issues and guide them through the cloud process. CSPs and resellers should also be looking to embed information security, compliance and regulatory services into products and solutions. "We work closely with our strategic partners to build solutions and services that help organisations address these concerns," noted Sidaway. "It is not a matter of simply bolting on or virtualising these technologies, they have to be designed and implemented into a coherent cloud architecture.

"We need to move the defences from the perimeter into the cloud, not the traditional network, but the new perimeter of the 'active cloud'. Clouds that can redefine the network in microseconds; clouds that automatically update and reconfigure applications and systems depending on the actual threats rather than what we have seen before; clouds that have information and security built in and can put risk in context to ensure that businesses can work in a world without constraint and fear."

Security is still the number one concern with cloud adoption, but end users are nevertheless embracing cloud because it makes their lives easier, affirmed Sidaway. "The challenge for the businesses we deal with is that in our private lives we use cloud services that we can't use in our business lives," he noted. "The risks are seen to be too high. But with the correct balance of risk and controls businesses can also embrace cloud. There are numerous technology companies and innovations that are addressing these concerns and we are evaluating new services and solutions to meet this new business dynamic."

NTT Com Security's solution, WideAngle Managed Security Services (MSS), offers insight into what is happening at both the network and application layer, providing customers with meaningful information for active threat management. The WideAngle platform provides a single solution for private, public and hybrid models as well as on-premise. Customers can choose a complete managed service model or the SecureCall round-the-clock telephone and email support service with four levels of support to suit specific requirements.

The visibility customers have of real and potential threats through an MSS model that offers global threat intelligence and shared knowledge and systems means organisations can take the appropriate action at the appropriate time and get more from their existing security investment. "There is so much pressure on internal resources today, but a third party supplier reduces opex costs while allowing the business to focus on making informed decisions," added Sidaway.

He also works closely with reseller partners to understand what they are seeing in their market segments. "We embed their services into WideAngle MSS to provide clarity and visibility into their cloud offerings," he commented. "We share our experience and knowledge with not only their employees but also their customers, and run education and awareness training sessions."

BYOA (Bring Your Own App) is a trend that Sidaway believes is gaining in momentum. "At the moment, businesses and employees have little or no visibility over the data exchange between the devices they use and the cloud," he said. "Earlier this year our Global Threat Intelligence Report showed that applications pose a real danger to organisations because many applications that send and receive sensitive data to and from the cloud are not being detected by traditional anti-virus software. This means that the security industry needs to step up its game to ensure endpoint solutions are augmented with network malware detection and purpose-built solutions.

"Our threat report without exception found that organisations are still not implementing basic controls. These controls have been the result of years of best practice and can have a significant effect on mitigating risk. Organisations need to test and continue to test these controls to reduce the impact of risk, and individuals need to take responsibility and also be aware of the risks."
