The way we do business is changing, but how does that impact IT security? VMware partners IBM, Computacenter, Softcat and OVH give their perspectives on an industry in need of a rethink
With more clouds, more devices and more applications always changing our working practices, it’s safe to say it’s a radically-changing business world. Security risks coming from this change are high and escalating for businesses in every industry and so protecting applications and data is becoming more critical. This raises the question as to whether traditional security approaches – involving trying to secure the network perimeter and monitoring for known malware – are now fit for purpose.
The growing frequency and cost of security incidents – despite the increasing proportion of generally flat IT budgets being spent on IT security – points to a fundamental flaw in existing security models that focus solely on dealing with known threats.
IT teams need new technologies and solutions that will enable them to secure interactions between users, applications, and data in a much more dynamic, complex, and extended environment than ever before. To bring about that change, channel partners – of all shapes and sizes – need to help enforce it. But what are their perspectives on security models past and present? We wanted to hear it straight from the people who are dealing with end user customers day in, day out. To that end, VMware asked Adam Louca, Chief Technologist – Security, Softcat; Helen Kelisky, VP, Cloud, IBM UK & Ireland, Francois Loiseau, Private Cloud Technical Director, OVH and Colin Williams, Chief Technologist – Networking, Security & Unified Communications, Computacenter to get their thoughts on IT security methods and what needs to change if organisations are to get truly effective protection from breaches and hacks in place.
Softcat: We need to see more vendors identifying this need to build secure infrastructure rather than applying security to the infrastructure as an afterthought. The security principals of least privilege, network segmentation and whitelisting have long-existed as academic best practices, but they have always been too difficult to implement for most organisations. The issue for customers is operational and the security ‘burden’ can be reduced by integrating security into the platforms they already use. Doing that means customers don’t have to make the choice between security best practice or operational efficiency; instead, they can have both.
IBM: We need to evolve the way we approach security traditionally for a cloud-based future, by looking at achieving the same outcomes for different environments. As data is infused into every facet of the business, a homogenous approach is needed to bake security into all areas. Cloud security is not only achievable, but it is now an opportunity to drive the business, improve defences and reduce risk. By transforming security practices that are manual, static and reactive into a more standardised, automated and elastic approach, you can stay ahead of threats in a cloud environment.
Computacenter: A state of confusion currently exists in the enterprise IT security space and the traditional “physical perimeter” approach is certainly being challenged. But any complete solution needs to solve all aspects of keeping an environment secure – prevention, detection, remediation and post-breach response – with the different technologies to handling those things all tightly integrated. That means no “single silver bullet” exists.
OVH: Security is our first thought in any new solution developed at OVH. Our infrastructure design begins with security and then we keep on looking at how we can make the whole estate more and more secure every day. Indeed, industry regulations such as ISO, SOC and PCIDSS were fundamental in making sure all companies respect global security standards. But, while building solutions to meet them, we learnt a lot about creating innovative solutions that are as secure as possible while customers build their on-premise clouds. A few years ago, the benefits of the cloud, (OpEx, time to market, scalability) were key for companies in migrating away from their legacy set-up. Today, we actually sell cloud solutions to customers based on the level of security they will bring to their organisation.
Softcat: Over the last twelve months, we’ve seen customers in two different camps; the first group are really waking up to the fact that they the need to make a serious investment in their cyber-security programs if they’re to reach a base level of resilience – and we’ve seen an increased interest from executive leadership teams within these organisations; that’s great news.
The second camp is slightly different. They had made significant investments in a large set of tools but are still experiencing security incidents. The result is a level of malaise within these organisations, they’re left feeling like cyber-security is a fruitless investment. These are the teams we’re especially focused on helping, ensuring they are simplifying their approach, getting the basics right and only building complexity in when required.
IBM: Our clients want to take advantage of the business benefits of making the transition to the Cloud, but are very aware they need to understand the impact on their security. Mindsets are shifting away from the focus on the perimeter, to look at products which can replace the aspects of the security provided by routers, firewalls and other boundary devices in favour of cloud-based services such as Cloud Access Security Brokers and Cloud Identity Services.
Computacenter: Security conversations are changing. We’re seeing a shift from historical deployment discussions of “point products” to solve discrete problems and are moving to business aligned, architectural consultative engagements. Organisations are realising they need increased visibility of potential threats or actual breaches, but that this will involve estate simplification and tighter solution integration if they’re to achieve this.
OVH: Whereas a couple of years ago, we’d sell a back-up solution as an option, disaster recovery is today seen as intrinsic to any solution. The security ecosystem is changing as well. In this new world, where everything is proposed as a service or anything can be installed in one click, customers don’t want to spend weeks or months taming a complex Firewall or configuring a Load Balancer. They want to create triggers or build intelligence in systems that keep the same security level on a dynamic infrastructure.
Softcat: I believe this is a return to the roots of IT security. What I believe is changing is we are seeing tools catch up to the security models that have existed for since the early 1990s.
IBM: Security needs to be looked at along with development and operations and be part of Agile DevOps processes which are growing in popularity. Treating security in the same way and defining security as code, brings the teams together, brings security to the forefront to ensure that it is as fundamental as Development and Operations.
Computacenter: The radical rethink is already well underway but not radical enough. The endless release of new products from emerging vendors continues to signpost “yet another way”. However, getting the basics right and affecting the right security controls before embarking on another wave of procurement must be a priority for organisations.
OVH: Workload externalisation, hybrid design, and the Cloud in general have changed the game. We often talk about “Cloud Native” implementation and security has to change from being, say, an additional brick to the environment to becoming ‘Cloud Native’. But, to be Cloud Native, it means adapted, compliant, evolutive, simple and (very soon) seamless when rolled out under a multi-cloud approach.
Softcat: Digital transformation can only take place in a secure environment. Transformation requires investment from the organisation and that will only happen if we can manage the risk. A big part of this is the risk of breach. Building security into an organisation’s platform helps them tailor the security requirements of each application and service – based upon the risk and impact of breach. This enables quicker and more secure deployment to take place as the security is built into the process, rather than as an afterthought.
IBM: It is important to consider the context and value of the security controls that are in place. Organisations will benefit from greater control, network access granularity and built-in security such as encryption.
Computacenter: The network in a digital age ‘sees all’ and, with tight coupling with the application layer, a degree of contextual understanding can be achieved. IT security at the network level alone doesn’t solve all, it must exist in a policy-driven / integrated fashion up and down the architectural stack.
OVH: Time-to-market is intrinsically linked with a company’s IT. That means it’s up to IT departments to create an estate that will accelerate the organisation’s time to market, rather than being the bottleneck of the organisation. To that end, we’ve seen a lot of customers deciding to go software-defined, with NSX at the network level, creating a secure, automated approach that permits IT departments to save time in their different platform launches.
Softcat: I worked with a large organisation in the North-West to help it transform its IT security environment from a legacy model of add-on security to a zero-trust approach. The company changed from an organisation that would previously chase threats to one that understood their organisation’s risk, exposure and mitigations. We helped them built an architecture strategy that provides layered protections regardless of the type of threat. All without them investing in tool complexity. It’s amazing what you can do when you stop and go back to basics.
IBM: Most clients who successfully transform their IT security do so by transforming the culture of their business. The mindset has to be that security is there to enable the business. If the business takes security seriously as a whole, it becomes much easier to prepare for, implement and manage.
These observations all point towards one thing: the need to establish a common source of truth between today’s security solutions and the evolving business environment that needs protecting. Business models will keep transforming, and people and devices will continue becoming more connected, as organisations straddle both physical and digital worlds. We’re now seeing companies really push boundaries with new technologies, from IoT to machine learning to full-blown artificial intelligence, to remain competitive.
This presents exciting opportunity but also a more complex and extended environment than ever before, with more potential vulnerabilities, that needs securing. However, establishing a greater ‘truth’ – via new levels of visibility and an increased understanding of context – businesses will be better able to make sense of their increasingly fragmented and complex IT footprints to offer protection at the speed that’s required – to secure, enable, innovate and, ultimately, drive business performance.