Not a single week goes by without seeing an equal number of articles decrying the gaps in cloud security and articles praising the benefits of the cloud, including how much more secure it can be than an organisation’s own data centre. So which is it? And for companies trying to define their next IT and security infrastructure, what is the right direction?
The cloud security dilemma
The answer may just not be the same for every company. There are obvious benefits to either side of the equation, and those benefits vary in importance depending on what kind of business you’re considering and which industries that business serves. Ultimately, an organisation will have to consider its risk profile, its security core competencies from an infrastructure perspective as well as from a staffing and resource perspective, its regulatory environment and its potential for a large data breach exposure. Some enterprises naturally have a higher tolerance for balancing risk versus reward whereas others do not. But it will also have to consider its digital transformation journey, its ability to manage its own IT systems and business applications, its growth plan, its user base and, more importantly, its business model.
Let me give you two examples. A financial services company that has a very large data centre with legacy systems and applications, including some that live on the mainframe, will have a large IT security staff and an ample security budget to protect itself from breaches. Its risk profile will be high given the sensitive and PII (personally identifiable information) data it deals with, but it will have plenty of security resources to comply with the regulations it operates within. In contrast, a mid-size company with strong growth and high customer acquisition would rely on SaaS applications to support its fast pace and would more than likely favour cloud over on-premises implementations. This mid-size company will lean towards selecting well-known cloud infrastructure providers to host its business because it would consider their security superior to what the company could deploy itself in a data centre with the resources at hand.
The shift to ‘identity-first.’
But the reality of this million-pound question is that the premise of how we define security is incorrect, or to be exact, it needs to evolve. Let me explain. If you are looking at security as perimeter-based protection, then there is an argument to be made that anything in a data centre, which is surrounded by next-gen firewalls and other threat prevention solutions, will surely be protected. But consider this: once an important piece of data that lives on-premises behind a firewall (think a financial application) is extracted from that system, exported to an Excel spreadsheet, and then emailed around, that data is immediately exposed. In a world where not only employees but contractors, partners and even customers have access to an enterprise’s applications and data, how can perimeter security be enough? How can it make any data centre more secure than the cloud? The short answer: It can’t.
Today, it is not enough to simply protect data centres, on-premises systems, and cloud apps, we need to embrace the digitalisation of all corporate data and think identity-first. Consider how people work today – everyone has access to data and applications in the cloud or on-premises – the access that needs to be secured is between the user and the data or application. Consider as well that users vary between employees and non-employees like contractors, partners and temporary workers – which makes it even harder to control who has access to what, in the cloud or on-premises for that matter. Then it becomes evident that enterprises need to shift their focus towards safeguarding their users’ access to applications and data — in other words: to safeguard their users’ digital identities.
Here are five things to consider when extending perimeter security to securing digital identities:
- Establish a system of records for digital identities. This should include employees, contractors, suppliers, partners, customers and potentially even RPA (robotic process automation) bots.
- Govern access by all these digital identities to understand who has access now and who should have access. This can be done using an identity governance solution to manage and provision access.
- Consider a vendor who can handle both on-premises and cloud applications to manage any complex, hybrid IT environment.
- Take into account all of your data – both structured data, residing in systems and applications, and the ever-growing amount of unstructured data, from emails, documents and files that enterprises manage today. This is particularly important given how many recent breaches targeted data stored in unstructured systems (such as a cloud-based document file system). Unstructured data is typically much harder for companies to discover and classify, as it is not clear who owns it and who has access to it.
- Balance people, process and technology – understand what your core competencies are and if your company does not have the IT staff to support an identity governance program, a cloud-based solution may be the right choice for you.
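The first two points above, a system of record for every kind of identity (employees, contractors, bots) and a governance check of who has access now versus who should, can be reduced to a reconciliation job. The example below is added here and is not code from the article or from any vendor's product; the identity records, application entitlements, the `ROLE_POLICY` table and the review date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Identity:                       # one row of the identity system of record
    uid: str
    kind: str                         # employee, contractor, partner, bot
    active: bool
    end_date: Optional[date] = None   # contract or engagement end, if known

# Hypothetical policy: which identity kinds may hold a given (app, role).
# Roles not listed here are unrestricted.
ROLE_POLICY = {("finance-ledger", "admin"): {"employee"}}

def reconcile(identities, entitlements, today):
    """Return (app, uid, role, reason) for every entitlement that no longer matches the record."""
    by_uid = {i.uid: i for i in identities}
    findings = []
    for app, uid, role in entitlements:
        ident = by_uid.get(uid)
        allowed = ROLE_POLICY.get((app, role))
        if ident is None:
            reason = "orphaned: no identity record"
        elif not ident.active:
            reason = "disabled identity still holds access"
        elif ident.end_date is not None and ident.end_date < today:
            reason = f"engagement ended {ident.end_date.isoformat()}"
        elif allowed is not None and ident.kind not in allowed:
            reason = f"{ident.kind} not permitted role {role}"
        else:
            continue                  # access is consistent with the record
        findings.append((app, uid, role, reason))
    return findings

# Constructed sample data (not taken from any real system).
IDENTITIES = [Identity("alice", "employee", True),
              Identity("bob", "contractor", True, date(2024, 1, 31)),
              Identity("carol", "employee", False),
              Identity("rpa-01", "bot", True)]
ENTITLEMENTS = [("finance-ledger", "alice", "admin"),
                ("finance-ledger", "bob", "admin"),
                ("finance-ledger", "carol", "reader"),
                ("finance-ledger", "dave", "reader"),
                ("doc-share", "rpa-01", "writer"),
                ("finance-ledger", "rpa-01", "admin")]
AS_OF = date(2024, 3, 1)              # review date for the sample run

if __name__ == "__main__":
    for app, uid, role, reason in reconcile(IDENTITIES, ENTITLEMENTS, AS_OF):
        print(f"{app:15} {uid:7} {role:7} {reason}")
```

On the sample data the run flags the expired contractor, the disabled employee, an account with no identity record at all, and a bot holding a role reserved for employees; the bot's unrestricted role on the document share passes.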
Rather than spinning cycles debating whether cloud or on-premises security is better, it’s high time to take a step back. Today, the most successful attack vectors are users and their credentials. Protecting the digital identities of all users accessing any data has become, or will very quickly become, the priority for most organisations. The more regulated ones will take this direction first, as privacy regulations and data breaches are consuming their boardrooms. Being able to manage the user’s relationship to data, controlling who has access to what and who can read or see what: that has become the number one security control.