Change your security culture
Paying for a business technology service is convenient and amazing. But it should be your catalyst for new security, not your destination.
SAAS or software-as-a-service is the poster child for the way digital is impacting the business world. Today you can have an exchange-ready, resilient and always-available enterprise-grade e-mail solution for the swipe of a credit card. So many worries go out of the window when deploying one of these services, the market leader being Office365. Not only does it save on infrastructure, administration and contingency plans, but it naturally expands to many devices and is intuitive for employees to use.
One area where SAAS, as well as its relatives PAAS (Platform) and IAAS (Infrastructure), shines is security. It is a fact that the combined skills and scale of XAAS providers present a much stronger and more responsive front against cyber attacks.
New tech, new opportunities
Yet it's also a mistake to believe that such a deployment cures your security pains. It may ease them, but there are new responsibilities to consider. The focus has shifted, says Christo van Staden, Forcepoint's Sub-Saharan Regional Manager.
"Companies must significantly change their approach to security. With the move to Office365 and other cloud services, all of a sudden organisations realise the biggest and most critical asset to protect is their data."
Adopting SAAS, PAAS and IAAS services has pushed the view and control of company data well beyond the traditional perimeter. Legacy systems operate behind a company wall, where the business could have a full view of its operations. Securing the operating system, application and infrastructure stacks was the priority.
But the move to cloud services is challenging this. Businesses move to a new and more effective XAAS offering, then discover their security culture is not in step with the migration. This is not a flaw in the cloud model, but a sign of how times have changed.
"You have one constant in every cyber-security incident: the criminals are after the data. The second constant is that you have a human element: a legitimate employee or a darkhooded figure who hacks or a partner who is working on that asset, or even a customer."
Data is not as easy to confine as it used to be. It moves where the business needs it, often through the hands of employees, and increasingly beyond the traditional infrastructure the business relies on.
Following the data - the intent and interaction of the people and applications using that data - can build a sounder security strategy that aligns with modern technology trends. But since most companies still regard security as a box-dropping or box-checking activity, they not only miss out on this, they also expose themselves without realising it.
One view and policy
Cloud systems introduce new levels of security, but they're only parts of a larger whole. This has become a struggle for businesses that hoped to take advantage of the cost and performance of cloud and on-premises systems that follow cloud principles. It can't be avoided: data is the persistent factor here and data must flow if the business is to make the most of it.
Hence the adoption of cloud-style services. Yet without the right implementations, companies don't have a full view of their data assets and they struggle to maintain coherent security policies across the environment. When they use an IAAS, PAAS or SAAS environment, they often end up with a vanilla policy layer removed from their internal systems.
The need to enforce coherent policy - one policy - and have proper visibility means investing in your security culture, says Van Staden:
"There are four critical points to new security cultures: greater visibility regardless of the place, all enforcement is based on one single policy, a far more granular level of enforcement (who uses what and set actions accordingly), and the amalgamation of all three to achieve both security and compliance from one single orchestration layer."
An example of this is data leakage protection (DLP). Even though a SAAS service such as Office365 offers enhanced security, it is not focused on the specifics of data leakage. It can't tell you if someone is copying files to Dropbox (and if they are allowed to). This is not a flaw: Office365 is not meant to look after every detail around data protection. That is the job of a company's security culture, which drives the implementations that mitigate various threats.
Changing security's culture
No single solution out there can make up for a lacking security culture. As such, Van Staden calls this an opportunity to address that deficiency and get security right from the start. Using services such as Office365 endears the organisation to the norms of the new data-driven world. But it must harden that security further by establishing a coherent view and policy regime across both its traditional and Web mail components. In the nebulous world of data, this can then be grown to envelop all parts of the business, leading to a single, coherent and reliable security culture.
This is a revolutionary approach to addressing security, because it is not only thorough, but can also be scaled organically. The result is a move away from box-checking and towards an appreciation for what new security paradigms can offer:
"What we experience with our data customers, the moment they have visibility of this in the one channel, they want to see more. If they want to transition, it's a simple matter. Once they have one orchestration layer and full visibility of both mail and Web and cloud apps, they start seeing the real potential of having a single orchestration layer. But they can't get there if they don't start looking at security as a data-centric practice, which only happens when they adopt new services such as SAAS."