Welcome!

Cloud Expo Authors: Gilad Parann-Nissany, Paige Leidig, Elizabeth White, Pat Romanski, Trevor Parsons

Related Topics: Cloud Expo, SOA & WOA, Virtualization, Security, Big Data Journal, SDN Journal

Cloud Expo: Article

Seven Causes of IT Security Paralysis & Cloud-Based Cures

From cost to complexity to covered to complacency; the excuses no longer hold up

Over and over again I am confronted with disturbing statistics on how risk is growing in disproportion to security readiness.

-91% of companies have experienced at least one IT security event from an external source.
-90% of all cyber crime costs are those caused by web attacks, malicious code and malicious insiders.
-40% reported rogue cloud issues (shadow IT) experienced the exposure of confidential information as a result
-34% share passwords with their co-workers for applications like FedEx, Twitter, Staples, LinkedIn.

These are real stats from studies by like Gartner, Forrester, Ponemon, Kaspersky, Eschelon and others. But there’s one stat that really curls my hair (what little of it is left).

  • Due to complexity, over 70% of organizations still not adequately securing critical systems.

Wow. It’s a staggering number. But it got me to thinking why. What is causing this universal security paralysis? Now I’m not proclaiming securipocolypse, but knowing what we now about the realities and fragility of an IT environment, I am a bit taken aback at the size of the issue.

I’ve broken it down into seven “excuses.” But rather than bemoaning the problem, I want to  rebut those excuses by promoting cloud-based answers.

  1. It’s expensive
  2. It’s time consuming
  3. It’s resource heavy
  4. There’s perceived imbalance in the risk/reward quotient
  5. We’ve got it covered
  6. We haven’t been attacked/complacency
  7. Expertise difficult to retain

Cost: There is no doubt many companies think that a fully integrated security program is going to force it to open its wallet. It is predominantly this reason alone that so many companies  ”get by” with what they have—be it malware or firewall protection, an email sniffer, or based on compliance requirements, whatever is the smallest investment to  get the alphabet soup of agencies off their back.

How cloud security overcomes the obstacle. It’s simple, really. More bang for the buck.  Using the ability to apply operation expenses over capital ones is a significant savings in itself. No expensive servers to buy, no software to maintain and watch depreciate, etc… More importantly is the realization that a company can incorporate a fully capable enterprise juggernaut for pennies on the dollar they would otherwise spend to manage on-premises. Most of us are already aware of the justifying benefits that cloud-based applications provide. I’ve gone on record before stating that for the amount a mid-size company currently pays in support and maintenance for their on-premise initiative, they can easily deploy a robust, fully integrated, fully-capable suite of enterprise-class security solutions from the cloud. The stumbling block here is the proof that such a deployment can adequately meet the specific needs of the unique company.  However by applying the 80/20 rule, by covering 80 percent of a company’s needs, it is more than likely well ahead of anything they are currently doing. Now on top of all that is all the professional services and consulting costs that ostensibly go away, or at least are tremendously reduced when managing from the cloud.

Time: There’s just never enough of it. Every IT pro I talk to wears many hats. They are installers, monitors, coders, patchers, reporters, developers, and a hundred other chapeau descriptors. And security in the modern enterprise needs to be a fully dedicated concern. Sure there are some companies that can afford this, but most can’t…it’s just another line of job description.

How cloud security overcomes the obstacle. Being proactive takes time. By applying security as a service, you remove any additional headcount. You can take the time that was dedicated to certain security functions and reprioritize them for core business functions. Also the fact that so many of the cloud security functions are automated—from self-service password management to HIPAA/PCI compliance reporting to role-based provisioning to correlated alert escalation— give rise to a surplus of  available resources.

Resources. In many companies this is the premium currency. And, in many companies resources are spread devastatingly thin. Whether we are talking human resources, financial resources, spatial resources, application/functional resources or knowledge resources, the ability to weigh and deploy the right amount of assets towards an issue, directly effects its successful management. In every company resources are finite and typically require hard decisions where best to position assets to ensure the smooth running of an enterprise. This is especially true when applied to security.

How cloud security overcomes the obstacle. Security managed from the cloud relieves a great deal of the resource overload. It provides the additional capabilities at a lesser cost. With this expanded functionality and potential, one can create greater awareness and better visibility across a larger scope of information. So not only are you expending less resources to secure many aspects of your enterprise, but it’s  ability to divine things faster and clearer provides a unique advantage to control a greater  scope of the IT environment. By leveraging and unifying these resources, you now know things that would have remained invisible. Therefore you gain the ability to make better decisions faster—giving you the ability to best marshal resources (minimizing costs and maximizing efficiencies) where they need to be.

Risk/Reward Imbalance. The expense of security does not necessarily pay for itself. It’s a cost center, right? But security must be perceived as more than a purchase of some software and the manpower to run reports. There are other factors to consider. The balance sheet doesn’t show the lost business because of lack of trust or poor security reputation. It doesn’t show the savings as it prevents proprietary secrets like sales databases walking away to the competition when an angry employee can gain access weeks after termination. It doesn’t show the fines and lost time when compliance isn’t met. But the big question is not that you apply a security measure or not. That point is moot, you simply have to. However the question CSOs and CIOs struggle with is how much? Where is the tipping point between peace of mind and overkill?

How cloud security overcomes the obstacle. The biggest reason for the risk-reward imbalance is typically the reasons noted already. It’s costly, it takes a certain percentage of manpower, and it’s complex. But if cloud-based security capabilities remove those obstacles, the balance starts tipping more heavily toward reward. If an organization can deploy a fully-integrated, unified security platform for what it is paying now for its current bits and pieces, AND have it properly monitored and analyzed without adding headcount, AND have it deployed to the company’s unique specifications and scale, then the conversation becomes about performance rather than scope; then the TCO drops and the ROI begins to climb.

Covered: Log management, by itself, won’t cut it. Neither will just web access control or firewall protection. In some cases, it may bring you up to the letter of the law with regard to compliance, but if security is like a house, the door is locked but all the windows are open. If you’re of the 30% who truly are properly secured, then stop reading. But if you are most companies, you really don’t have it covered. The excuse is simply code for I have other fires to put out, and it isn’t a large enough issue for me to raise it up on the priority scale. I should know, I use it as a default setting for most sales calls.

How cloud security overcomes the obstacle. Quick answer is a unified security deployment from the cloud allows you to fill in the gaps of where you currently are lacking. Not consistently monitoring? Check. Not controlling access to certain applications. Check. Not analyzing data and creating escalation alerts in real time? Check. It doesn’t have to be a replacement strategy—get rid of all the investment and hard work you’ve put into a certain systems, solutions, processes and tools. The beauty of the cloud is you can pick and choose the pieces you need easily and have them leverage any existing program. It is scalable, flexible and manageable.

Not attacked: Do you know that for sure? If you are not checking for termites, doesn’t mean your house isn’t infested. Those who think their organizations are too small or too unimportant for hackers to care are only seeing part of the picture. It’s common understanding that it is not an issue of ‘if” anymore, but a measure of “when.” an IT security event will occur. Still not convinced? Hackers are banking on this thought process to use these systems as stepping stones for larger fish. If your system is open and you connect to larger payment systems or applications, you are open to danger. Second, not every danger is some barbarian at the gate. Sometimes the threats (or carelessness) come from within. Again, check the stats. 91%. If you are part of the 9% who hasn’t been touched by an IT security event, I want to know what you’re doing right!

How cloud security overcomes the obstacle. Simply apply one of the free trials of any of the cloud-based SIEM solutions out there that monitor in real time and you will have your eyes opened into how much activity is pinging your system every day. I am fond of telling the story of a significant retailer who had thought they had a pretty good handle on what was going on in their environment. After our SIEM system had been monitoring intrusions and the like for just over a month, the results were starkly different than the client anticipated. It was more than triple the amount of negative activity they thought.

Lack of expertise: Finding the right person to deploy and manage a top notch security program is tough. Stats say (MSP Alliance) that unemployment for pros with these skills is less than 1%. And once you find them, they are expensive to recruit and keep. In fact their salaries have doubled over the past three years.

How cloud security overcomes the obstacle. Security as a service builds in the expertise required to monitor, analyze, and manage a strong security presence. Through this version of outsourcing, you not only save on the hard costs of salary, but the soft costs of training, ramp up, benefits, vacations, etc. Yet  more than the costs, is the propagation of continuous tribal knowledge of orchestrating, manipulating,  analyzing the vast amount of inbound data, and applying the right actions quickly and decisively to keep the IT landscape operating smoothly, in the confines of compliance and strategically viable. In the end, this is one of the most valuable assets cloud security offers.

There’s no longer an excuse to be part of that 70%!

 

Kevin Nikkhoo

www.cloudaccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@CloudExpo Stories
Compute virtualization has been transformational, yet security policy implementation and enforcement has lagged behind in agility and automation. There are a number of key considerations when implementing policy in private and hybrid clouds. In his session at 15th Cloud Expo, Holland Barry, VP of Technology at Catbird, will discuss the impact of this new paradigm and what organizations can do today to safely move to software-defined network and compute architectures, including: How normal ope...
Can we look to the paradigm of cloud computing from a completely different perspective? In his General Session at 15th Cloud Expo, Gundars Kulups, Sales Director at DEAC, will discuss what we can learn from our dining habits when choosing a cloud solution. Gundars Kulups is Sales Director at DEAC, full service data center operator. An IT expert, he specializes in European countries and has worked in the IT industry since 1992. He graduated from Riga Technical University (RTU) in Latvia and com...
SYS-CON Events announced today that SOA Software, an API management leader, will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. SOA Software is a leading provider of API Management and SOA Governance products that equip business to deliver APIs and SOA together to drive their company to meet its business strategy quickly and effectively. SOA Software’s technology helps businesses to accel...
As cloud gives an opportunity to businesses to buy services externally - how is cloud impacting your customers? In his General Session at 15th Cloud Expo, Fabio Gori, Director of Worldwide Cloud Marketing at Cisco, will provide answers to big questions: Do you see hybrid cloud as where the world is going? What benefits does it bring? And how does Cisco connect all of these clouds? He will also tell us everything about Intercloud and Cisco investment on it.
SYS-CON Events announced today that TMCnet has been named “Media Sponsor” of SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Technology Marketing Corporation (TMC) is the world's leading business to business and integrated marketing media company, servicing niche markets within the communications and technology industries.
SYS-CON Events announced today that Aria Systems, the recurring revenue expert, has been named "Bronze Sponsor" of SYS-CON's 15th International Cloud Expo®, which will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Aria Systems helps leading businesses connect their customers with the products and services they love. Industry leaders like Pitney Bowes, Experian, AAA NCNU, VMware, HootSuite and many others choose Aria to power their recurring revenue bu...
SYS-CON Events announced today that Parasoft will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. For 27 years, Parasoft has researched and developed software solutions that help organizations deliver defect-free software efficiently. By integrating Development Testing, API/cloud/SOA/composite app testing, and service virtualization, we reduce the time, effort, and cost of delivering secur...
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at Internet of @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., will show what is needed to leverage the IoT to transform...
SYS-CON Events announced today that Utimaco will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Utimaco is a leading manufacturer of hardware based security solutions that provide the root of trust to keep cryptographic keys safe, secure critical digital infrastructures and protect high value data assets. Only Utimaco delivers a general-purpose hardware security module (HSM) as a customiz...
One of the biggest challenges when developing connected devices is identifying user value and delivering it through successful user experiences. In his session at Internet of @ThingsExpo, Mike Kuniavsky, Principal Scientist, Innovation Services at PARC, will describe an IoT-specific approach to user experience design that combines approaches from interaction design, industrial design and service design to create experiences that go beyond simple connected gadgets to create lasting, multi-devic...
Until recently, many organizations required specialized departments to perform mapping and geospatial analysis, and they used Esri on-premise solutions for that work. In his session at 15th Cloud Expo, Dave Peters, author of the Esri Press book Building a GIS, System Architecture Design Strategies for Managers, will discuss how Esri has successfully included the cloud as a fully integrated SaaS expansion of the ArcGIS mapping platform. Organizations that have incorporated Esri cloud-based appl...
Once the decision has been made to move part or all of a workload to the cloud, a methodology for selecting that workload needs to be established. How do you move to the cloud? What does the discovery, assessment and planning look like? What workloads make sense? Which cloud model makes sense for each workload? What are the considerations for how to select the right cloud model? And how does that fit in with the overall IT tranformation? In his session at 15th Cloud Expo, John Hatem, head of V...
Dyn solutions are at the core of Internet Performance. Through traffic management, message management and performance assurance, Dyn is connecting people through the Internet and ensuring information gets where it needs to go, faster and more reliably than ever before. Founded in 2001 at WPI, Dyn’s global presence services more than four million enterprise, small business and personal customers.
IBM and Tencent Cloud signed a business cooperation memorandum to collaborate on providing public cloud with Software-as-a-Service solutions for industries. Both parties agreed to focus on emerging small and medium enterprises in the smarter cities and smarter healthcare industries as well as other fields. This will enable these industries to utilize mobile, cloud computing and big data tools to transform internal processes and operations, thus achieving cloud transformation in the era of mobili...
SimpleECM is the only platform to offer a powerful combination of enterprise content management (ECM) services, capture solutions, and third-party business services providing simplified integrations and workflow development for solution providers. SimpleECM is opening the market to businesses of all sizes by reinventing the delivery of ECM services. Our APIs make the development of ECM services simple with the use of familiar technologies for a frictionless integration directly into web applicat...
European data center operator DEAC is the largest in the Baltics. The activities are orientated to provide data center services and IT outsourcing on Eurasia and America scale in order to create the primary or backup or additional data center for customer in the EU, to protect its business and, most importantly, reduce costs up to 40% within 3-5 years. DEAC is an IT outsourcing services and solutions company whose highly experienced and qualified employees offer various groups of services and...
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at Internet of @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, will discuss how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money! Speaker Bio: ...
Samsung VP Jacopo Lenzi, who headed the company's recent SmartThings acquisition under the auspices of Samsung's Open Innovaction Center (OIC), answered a few questions we had about the deal. This interview was in conjunction with our interview with SmartThings CEO Alex Hawkinson. IoT Journal: SmartThings was developed in an open, standards-agnostic platform, and will now be part of Samsung's Open Innovation Center. Can you elaborate on your commitment to keep the platform open? Jacopo Lenzi: S...
The major cloud platforms defy a simple, side-by-side analysis. Each of the major IaaS public-cloud platforms offers their own unique strengths and functionality. Options for on-site private cloud are diverse as well, and must be designed and deployed while taking existing legacy architecture and infrastructure into account. Then the reality is that most enterprises are embarking on a hybrid cloud strategy and programs. In this Power Panel at 15th Cloud Expo, moderated by Ashar Baig, Research ...
Things are being built upon cloud foundations to transform organizations. This CEO Power Panel at 15th Cloud Expo, moderated by Roger Strukhoff, Cloud Expo and @ThingsExpo conference chair, will address the big issues involving these technologies and, more important, the results they will achieve. How important are public, private, and hybrid cloud to the enterprise? How does one define Big Data? And how is the IoT tying all this together?