
Virtualization and Cloud executives share their predictions for 2016. Read them in this 8th Annual VMblog.com series exclusive.
Contributed by Orlando Scott-Cowley, Cyber-Security Strategist, Mimecast
Phasing Out 'DIY Security' for Cloud-Based Solutions
It's no stretch to say that in 2016, we'll see more and more companies begin to
move their operations to the cloud - after all, we've already been watching that
trend in full force. Rather, the more interesting development we'll see over the
coming months and beyond is a specific shift to cloud-based security - not just
for standard cyber-security practices, but more targeted security mechanisms for
email, mobile, DLP and the Web.
But, all of this raises
the question, why now? Why are enterprises making the move to the cloud for
security reasons in 2016, and not one year ago or one year in the future?
To put it simply, it's
because more and more companies are beginning to realize that their traditional
means of protecting themselves - their do-it-yourself (DIY) approaches to
cyber-security - just aren't cutting it anymore. And the more time passes, the
bigger a threat factor "not cutting it anymore" becomes. Cyber threat
actors, after all, aren't sitting idly by; they're becoming more sophisticated
and deploying attacks with greater impact. The longer enterprises stick to
their usual means of cyber-security, the more they put themselves at risk.
The End of DIY Security on Premises
Perhaps the greatest example of DIY cyber-security is on premises - the
tried-and-true environment for businesses before the cloud ever came along.
There are many enterprises who don't think their core business merits doing
anything special or necessary for extra cyber-security. Consequently, they may
be hesitant to leave behind that environment for the cloud - especially as the
media coverage around data breaches might have you believe that the cloud is
less secure than on premises.
But the reality is much different: regardless of media hype, the cloud is widely
recognized within the industry to be at least as secure as an on premises
environment, if not more so, and it manages this while offering greater
connectivity between a company's users.
Just consider, how many
businesses even purchase on premises services anymore? Who is actually seeking
out the old ways of locking users and data behind firewalls, keeping them
trapped in that one isolated environment? Gating network and email access just
isn't practical anymore - employers and employees want to be able to access
their data remotely and on mobile devices, so they can connect to and share
with one another freely.
Cyber-security isn't an impenetrable wall that your data should be locked behind
anymore. The cloud allows you to secure your communications and protect yourself
from threats - whether spear-phishing, cybercrime-as-a-service or whaling
attacks - while still being able to share data with each other.
The On Premises Holdouts
Of course, not everyone needs to move to the cloud. There are some industries -
particularly government - that will only operate on their uniquely tailored
environments. Agencies like the CIA and NSA, or defense contractors like B2G
partners, use entirely separate communications security infrastructures to keep
themselves insulated from the risk of attack.
For these
organizations, on premises makes sense. There are, after all, stringent
compliance requirements for groups that work in national security. As a result,
these organizations will likely remain with on premises and stay away from the
cloud for a long while.
What a Reputable Cloud Provider Will Look Like
But, your average
enterprise isn't the CIA, and doesn't have the robust on premises
infrastructure that these agencies have. So, for these enterprises, migrating
to the cloud makes sense. But it's important that those companies looking to
move to the cloud do their homework first - after all, if the type of DIY
security they're used to doesn't meet the standard anymore, then they need to
take a look at what does determine that standard.
Don't just take the word of a cloud provider's sales or marketing reps at face
value. Talk to their CISOs about how their cloud architectures are set up, how
they segregate your data from others' and prevent cross-contamination of
accounts. Run through cyberattack scenarios with them. Look for ISO
certifications that demonstrate that they're a reputable vendor. And don't be
afraid of being too much of a control freak in this area.
Cloud Adopters Will Come to Recognize the Need for Supplemental Security
Hand-in-hand with the
realization that DIY on premises security doesn't cut it anymore is also the
realization that the built-in security features of cloud environments like
Microsoft's Office 365 and Google Apps for Work won't cut it for long, either.
Many businesses not
previously on the cloud are taking their first steps into the cloud environment
through such providers. And, as enamored as users will be with them right out
of the box, more and more will realize - and are already beginning to realize -
that they will need to adopt additional services and tools to supplement their
security needs.
Just as businesses will
be phasing out their DIY means of on premises security for cloud environments, such
cloud adoption will also help inspire discussions about the kinds of cloud
security that these companies need beyond
what their cloud platforms offer.
Those discussions will
continue to take shape as real actions toward multilayered security services in
the year ahead.
About the Author
Orlando Scott-Cowley, a cyber-security strategist, joined Mimecast in 2006 in
the company's infancy and has been a key part of the company's growth in the UK
and USA markets. A technologies graduate, CISSP and CCSK, he has a deep
background in IT Security and 17 years of high-level Technical Consultancy
experience, ranging from security & risk consultancy to penetration testing and
more.
Orlando writes and speaks for influential publications and events in the UK and
US on a variety of topics, including security, risk, compliance and the
emergence of cloud and SaaS technologies.