Securing your IT Organisation for the New Normal

“I tend to believe Mark Twain hit it on the head when he said, “Put all of your eggs in one basket and watch that basket"  ― Andrew S. Grove, Only the Paranoid Survive

Had Mark Twain been alive today in this age and time, he might probably revise this adage and may be say, “Put all your data in one place and protect it." It's increasingly a software-defined world and IT organizations are becoming elastic and agile as CIOs across the world with zeal kick-start their enterprise digital transformation agendas. But anything digital can be up for manipulation and that’s what concerns the CIOs and keeps them awake. With the dawn of the ‘On Demand’ age enterprise security is no longer about securing the perimeter, it’s all about managing the data access intelligently so that it does not fall prey to digital predators.

THE CHANGING LANDSCAPE

Today security is the glue that binds the complex interplay of data and gives it the integrity. And its increasingly becoming difficult to manage the multi-pronged issues associated with security. Let's look at some stats that will drive home the seriousness of security concerns organizations face today. For instance, in its 2015 Data Breach Investigations Report, Verizon found that advanced attacks often start with phishing emails, and a campaign of just 10 emails will typically yield a greater than 90% chance that at least one person will become the criminal’s prey. Additionally, the report showed that in 60% of cases, attackers are able to compromise an organisation within minutes, and 75% of attacks spread from 'Victim 0' to 'Victim 1' within 24 hours.

Another more disturbing finding is the 'detection deficit' between attackers and defenders. According to M-Trends 2016 report, the average number of days that attackers managed to remain incognito on a victim’s network before being discovered has dropped from 205 days in 2014, to 146 in 2015. It is certainly an improvement but the current figure is still alarming. The same report warns that breaches still often go undetected for years.

The above two references only reaffirm that old school security practices are passé and we need radical new interventions that can create a true security paradigm that can secure the digital assets. But with the constantly changing threat landscape, its almost impossible to create a 100% fool proof security paradigm but what experts say is that a paradigm that can with minimal lead-times and that which addresses the security breaches whenever it happens is the need of the hour.

Quips Akshay Aggarwal, Sales Director – Identify Management, Oracle India, “Though most of the organizations usually look at security from outside but we need to address it inside out.  For instance, the most important IT assets of any organisations are their applications and data. Hence, securing these assets from inside from any kind of attacks is most imperative.”

Agrees Rajesh Dhar, Senior Director, Technology Services, Hewlett Packard Enterprise (HPE) India, “With technology at the heart of the modern business, digital assets need complete protection from attackers.  Any breach will have a direct impact to the brand image. Moreover corporate espionage and data breach are the top concerns of the CIO/CISOs. Hence it is important to ensure that information security considerations are interwoven into all major discussions and decisions at the board level.”

REVISTING SECURITY PRACTICES 

So from our interactions with security experts and the CIOs, what became evident is the fact that today’s security concerns need a multi-dimensional approach. It’s a complex interplay of multiple stakeholders within the enterprise and things need to be planned at a granular level.

Reflecting on this Rajesh Dhar says, “Protecting the digital enterprise is more than protection from cyber-threats, it also includes aspects like confidentiality, integrity and availability of your digital assets. Protecting your digital assets requires adaptive, predictive, and dynamic approaches across people, process, technology and policies. Also all businesses must manage the emerging risks created by the proliferation of apps, new consumption models and the shift to mobile and cloud.”

Citing instances from his company, Dhar says that HPE is protecting organizations by building security and resiliency into the fabric of their enterprise, proactively detecting and responding to threats, and safeguarding continuity and compliance to effectively mitigate risk.

Adds Aggarwal, “It is very important to have a unified security strategy for applications and databases which spans across both enterprise datacenter and cloud.”

Talking about Oracle’s competencies in this space, Aggarwal says that, “By using the most complete and best-in-class solutions available from Oracle for identity management and governance, access management, auditing and reporting, masking and encryption, database activity monitoring - organizations can manage the security of all enterprise resources—both within and beyond the firewall. Given Oracle’s spectrum of security solutions in India, we are in a strong position to address the security needs of the industry.”

WHAT HAS CHANGED

The critical question that comes now as a result of the changed security landscape is that when you talk about enterprise security, what essentially has changed and what is the key best practices required for the new normal digital economy? 

Says B S Nagarajan, Senior Director- Systems Engineering, VMware India, “With the pace of business and technological disruption ever accelerating, enterprises around the globe and across many industries seem poised for total digital transformation this year. IT is positioned to lead the adoption of game-changing technology, enabling the business to become more innovative, competitive, and profitable than ever and India is no exception to this trend.  Today’s security challenges cannot be secured with mere incremental thinking. We need a new security architecture that fundamentally changes how we prevent, detect, and respond to threats.”

Experts like Nagarajan believe that protecting a corporate network isn’t as simple as building a wall around it. Threats can still sneak through the network firewall or circumvent security infrastructure altogether. Once they’re inside, they can move around and attack at will since there are few, if any, controls inside the data center to prevent malicious traffic.

“For a lot of security guys, nirvana is the ability to do micro-segmentation within the data center, or build a honeycomb, in effect, so that any threat that gets into the data center is actually captured within the honeycomb and can’t move very much. What we can do with network virtualization is bring that firewalling all the way down to the virtual interface," observes Nagarajan. VMware for instance is pitching hard on its NSX solution. Company sources say that NSX solves the data center challenges by delivering a completely new operational model for networking. This model breaks through current physical network barriers and allows data center operators to achieve orders of magnitude better agility and economics. The set of endpoints that NSX can manage will extend to containers and public cloud workloads. “We’ll also see NSX extending out to branch offices as Software Defined WAN (SD-WAN) solutions take root,” says Nagarajan.

It is also interesting to note that VMware NSX has been around for more than two years now, and in that time software-defined networking and network virtualization have become integrated into modern data center architecture. It seems like an inconceivable amount of progress has been made. But the company says that it’s just the beginning of this journey. Clearly the transformation of networking from a hardware industry into a software industry is having a profound impact on services, security, and IT organizations around the world.

UP AHEAD

Currently the IT organizations the world over are at an intersection of a major technology disruption and irrespective of the domain, one common thread is that the current environment needs a judicial new approach in terms of technologies, policies and decision making. In that order, today many companies are expected to have full-fledged CISOs to specifically address the security concerns. The CISO will work in tandem with the CIOs.

While the last couple of years, the industry and enterprises are talking about security, now it has come to a stage that security is the starting premise of any major IT deployment. What used to be an after-thought those days has now become a focal point.

A survey done by Kaspersky Lab provides ample pointer on why a proactive and new security regimen is important for enterprises. The survey said that over two-thirds of companies prefer to bank with a provider who has a solid security reputation. Those banks that make security a priority and take every effort to ensure measures are in place to safeguard against online financial fraud will have an advantage, when it comes to retaining existing customers and reaching new ones.

When it comes to protecting their information, security plays a key role for companies when choosing whom to bank with. Almost three quarters (72%) of companies questioned stated that they select banks due to their security reputation, and almost nine out of 10 (88%) are willing to pay extra in order to work with a bank that has a strong security policy and a good security track record. 43% of companies also said that they themselves need to take improved measures, in order to protect online financial transactions made with their banks.

This gives ample feelers that security breach has far-reaching ramifications for organizations—right from reputation slide to financial loss. Clearly, a pro-active security infrastructure leveraging on best in class and best of breed technologies will create a ideal security infrastructure that will ensure greater protection to enterprises’ digital assets.